[deployment-guide/comm-rel: 29/74] new changes to authconfig section and /etc/sysconfig/auth section

dsilas dsilas at fedoraproject.org
Tue Jul 6 21:11:40 UTC 2010


commit 1d6a7d136c86b5a753d8eaf4522d0ad2b894ad83
Author: Martin Prpic <mprpic at redhat.com>
Date:   Thu Jun 24 17:30:29 2010 +0200

    new changes to authconfig section and /etc/sysconfig/auth section

 en-US/Authentication_Configuration.xml |  866 ++++++++++++++++++++++++++------
 en-US/The_sysconfig_Directory.xml      |   34 ++-
 en-US/images/authconfig_LDAP_kerb.png  |  Bin 0 -> 52573 bytes
 en-US/images/authconfig_advanced.png   |  Bin 0 -> 44688 bytes
 4 files changed, 742 insertions(+), 158 deletions(-)
---
diff --git a/en-US/Authentication_Configuration.xml b/en-US/Authentication_Configuration.xml
index 6015c71..b71a216 100644
--- a/en-US/Authentication_Configuration.xml
+++ b/en-US/Authentication_Configuration.xml
@@ -14,10 +14,10 @@
       <primary>authentication</primary>
     </indexterm>
     <para>When a user logs in to a &MAJOROS; system, the username and password combination must be verified, or <firstterm>authenticated</firstterm>, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.</para>
-    <para>The <application>Authentication Configuration Tool</application> provides a graphical interface for configuring user information retrieval from LDAP, NIS, and Winbind user account databases. This tool also allows you to configure Kerberos to be used as the authentication protocol when using LDAP or NIS.</para>
+    <para>The <application>Authentication Configuration Tool</application> provides a graphical interface for configuring user information retrieval from <firstterm>Lightweight Directory Access Protocol</firstterm> (LDAP), <firstterm> Network Information Service</firstterm> (NIS), and <firstterm>Winbind</firstterm> user account databases. This tool also allows you to configure Kerberos to be used as the authentication protocol when using LDAP or NIS.</para>
     <note>
       <title>Note</title>
-      <para>If you configured a medium or high security level during installation (or with the <application>Security Level Configuration Tool</application>), then the firewall will prevent NIS (Network Information Service) authentication. <remark>Is this still true?</remark>
+      <para>If you configured a medium or high security level during installation (or with the <application>Security Level Configuration Tool</application>), then the firewall will prevent NIS authentication. For more information about Firewalls, refer to section <citetitle pubwork="section">Firewalls</citetitle> of the <citetitle>Security Guide</citetitle> <!-- TBD6 : link to section 2.8. Firewalls in Security Guide -->
       </para>
     </note>
     <indexterm significance="normal">
@@ -36,7 +36,7 @@
         <application>Authentication Configuration Tool</application>
       </see>
     </indexterm>
-    <para>To start the graphical version of the <application>Authentication Configuration Tool</application> from the desktop, select the System (on the panel) &gt; <guimenuitem>Administration</guimenuitem> &gt; <guimenuitem>Authentication</guimenuitem> or type the command <command>system-config-authentication</command> at a shell prompt (for example, in an <application>XTerm</application> or a <application>GNOME</application> terminal).</para>
+    <para>To start the graphical version of the <application>Authentication Configuration Tool</application> from the desktop, click <menuchoice><guimenu>System</guimenu> <guimenuitem>Administration</guimenuitem> <guimenuitem>Authentication</guimenuitem></menuchoice> or type the command <command>system-config-authentication</command> at a shell prompt (for example, in an <application>XTerm</application> or a <application>GNOME</application> terminal).</para>
     <important>
       <title>Important</title>
       <para>After exiting the authentication program, any changes you made take effect immediately.</para>
@@ -46,6 +46,14 @@
       <para>
         The <guilabel>Identity &amp; Authentication</guilabel> tab allows you to configure how users should be authenticated, and has several options for each method of authentication. To select which user account database should be used, select an option from the drop-down list. 
       </para>
+      <figure>
+      <title><guilabel>Identity &amp; Authentication</guilabel>; changing the option in the <guilabel>User Account Database</guilabel> drop-down list changes the contents of the tab.</title>
+      <mediaobject id="mediaobj-authconfig_LDAP_kerb">
+        <imageobject>
+          <imagedata align="center" fileref="images/authconfig_LDAP_kerb.png" format="PNG" />
+        </imageobject>
+      </mediaobject>
+      </figure>
       <para>
         The following list explains what each option configures:
       </para>
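Review bot: the new `<figure>` has an `<imageobject>` only; add a `<textobject>` with a short `<phrase>` under `<mediaobject id="mediaobj-authconfig_LDAP_kerb">` so non-graphical output and screen readers get a description of the screenshot. The `<title>` is a full explanatory sentence; keeping the title to `<guilabel>Identity &amp; Authentication</guilabel>` and moving the sentence about the drop-down list into a `<para>` would match the other figure added in this commit, whose title is just `<guilabel>Advanced Options</guilabel>`.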
@@ -59,173 +67,188 @@
         </listitem>
         <listitem>
           <para>
-            <guilabel>LDAP Server</guilabel> — Specifies the IP address of the <systemitem class="service">LDAP</systemitem>server.
+            <guilabel>LDAP Server</guilabel> — Specifies the IP address of the <systemitem class="service">LDAP</systemitem> server.
           </para>
         </listitem>
         <listitem>
           <para>
-            <guilabel>Use TLS to encrypt connections</guilabel> — When enabled, <systemitem class="protocol">Transport Layer Security</systemitem> will be used to encrypt passwords sent to the <systemitem class="service">LDAP</systemitem> server. The <guibutton>Download CA Certificate</guibutton> option allows you to specify a URL from which to download a valid <firstterm>CA (Certificate Authority) Certificate</firstterm>. A valid CA Certificate must be in PEM (Privacy Enhanced Mail) format.</para>
+            <guilabel>Use TLS to encrypt connections</guilabel> — When enabled, <systemitem class="protocol">Transport Layer Security</systemitem> (TLC) will be used to encrypt passwords sent to the <systemitem class="service">LDAP</systemitem> server. The <guibutton>Download CA Certificate</guibutton> option allows you to specify a URL from which to download a valid <firstterm>Certificate Authority certificate</firstterm> (CA). A valid CA certificate must be in the <firstterm>Privacy Enhanced Mail</firstterm> (PEM) format.</para>
           <important>
             <title>Important</title>
             <para>
                   The <guilabel>Use TLS to encrypt connections</guilabel> option must not be ticked if an <systemitem class="protocol">ldaps://</systemitem> server address is specified in the <guilabel>LDAP Server</guilabel> field.
                 </para>
           </important>
-          <para>For more information about CA Certificates, refer to <citetitle pubwork="section">Section 22.8.2, "An Overview of Certificates and Security"</citetitle> in the <citetitle>Deployment Guide</citetitle><!--TBD6: link to the Section 22.8.2, “An Overview of Certificates and Security” section of the Deployment Guide -->.</para>
+          <para>For more information about CA Certificates, refer to <xref linkend="s2-secureserver-overview-certs"/>
+          </para>
         </listitem>
       </itemizedlist>
       <para>The <filename>openldap-clients</filename> package must be installed for this option to work.</para>
-      <para>For more information about LDAP, refer to <citetitle pubwork="chapter">Chapter 25, "Lightweight Directory Access Protocol (LDAP)"</citetitle> in the <citetitle>Deployment Guide</citetitle><!-- TBD6: link to the Chapter 25, "Lightweight Directory Access Protocol (LDAP)" chapter in DG.  -->
+      <para>For more information about LDAP, refer to <xref linkend="ch-Lightweight_Directory_Access_Protocol_LDAP"/>
       </para>
-        <para>
+      <para>
         LDAP provides the following methods of authentication:
         </para>
-        <itemizedlist>
-          <listitem>
-            <para>
-              <guilabel>Kerberos password</guilabel> — This option enables Kerberos authentication. It contains the following specifications:
+      <itemizedlist>
+        <listitem>
+          <para>
+            <guilabel>Kerberos password</guilabel> — This option enables Kerberos authentication. It contains the following specifications:
               <itemizedlist>
                 <listitem>
                   <para>
                     <guilabel>Realm</guilabel> — Configures the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more KDCs and a potentially large number of clients.
                   </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <guilabel>KDCs</guilabel> — Defines the Key Distribution Centers (KDC), which are servers that issue Kerberos tickets.
+              </listitem>
+              <listitem>
+                <para>
+                  <guilabel>KDCs</guilabel> — Defines the Key Distribution Centers (KDC), which are servers that issue Kerberos tickets.
                   </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <guilabel>Admin Servers</guilabel> — Specifies the administration server(s) running <command>kadmind</command>.
+              </listitem>
+              <listitem>
+                <para>
+                  <guilabel>Admin Servers</guilabel> — Specifies the administration server(s) running <command>kadmind</command>.
                   </para>
-                  </listitem>
-                </itemizedlist>
-              </para>
-              <para>
+              </listitem>
+            </itemizedlist>
+          </para>
+          <para>
               The <guimenu>Kerberos Settings</guimenu> dialog also allows you to use DNS to resolve hosts to realms and locate KDCs for realms.
             </para>
-              <para>
-              The <filename>krb5-libs</filename> and <filename>krb5-workstation</filename> packages must be installed for this option to work. For more information about Kerberos, refer to <citetitle pubwork="section">Section 43.6, “Kerberos”</citetitle> in the <citetitle>Deployment Guide</citetitle><!-- TBD6: link to the Section 43.6, “Kerberos” section in DG -->.
+          <para>
+              The <filename>krb5-libs</filename> and <filename>krb5-workstation</filename> packages must be installed for this option to work. For more information about Kerberos, refer to section<citetitle pubwork="section"> "Kerberos"</citetitle> of the <citetitle>Security Guide</citetitle><!-- TBD6: link to the section "2.6. Kerberos" of the Security Guide -->.
             </para>
-            </listitem>
-            <listitem>
-              <para>
-                <guilabel>LDAP password</guilabel> — This option instructs standard PAM-enabled applications to use LDAP authentication with options specified in the User Account Configuration of LDAP. When using this option, you must provide an <systemitem class="protocol">ldaps://</systemitem> server address or use TLS for LDAP authentication. 
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>LDAP password</guilabel> — This option instructs standard PAM-enabled applications to use LDAP authentication with options specified in the User Account Configuration of LDAP. When using this option, you must provide an <systemitem class="protocol">ldaps://</systemitem> server address or use TLS for LDAP authentication. 
             </para>
-            </listitem>
-          </itemizedlist>
-        
-        <bridgehead>NIS</bridgehead>
-        <para>
-      The <guilabel>NIS</guilabel> option configures the system to connect to an NIS server (as an NIS client) for user and password authentication. To configure this option, specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast. 
+        </listitem>
+      </itemizedlist>
+
+      <bridgehead>NIS</bridgehead>
+      <para>
+      The <guilabel>NIS</guilabel> option configures the system to connect to a NIS server (as an NIS client) for user and password authentication. To configure this option, specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast. 
     </para>
-        <para>The <package>ypbind</package> package must be installed for this option to work. If the NIS user account databse is used, the <systemitem class="daemon">portmap</systemitem> and <systemitem class="daemon">ypbind</systemitem> services are started and are also enabled to start at boot time.</para>
-        <para>For more information about NIS, refer to <citetitle pubwork="section">"Section 43.2.3, Securing NIS"</citetitle> in the <citetitle>Deployment Guide</citetitle><!-- TBD6: link to Section 43.2.3, “Securing NIS” section of the DG -->.</para>
-        <para>
+      <para>The <package>ypbind</package> package must be installed for this option to work. If the NIS user account databse is used, the <systemitem class="daemon">portmap</systemitem> and <systemitem class="daemon">ypbind</systemitem> services are started and are also enabled to start at boot time.</para>
+      <para>For more information about NIS, refer to section <citetitle pubwork="section">"Securing NIS"</citetitle> of the <citetitle>Security Guide</citetitle><!-- TBD6: link to Section 2.2.3., “Securing NIS” section of the Security Guide -->.</para>
+      <para>
       NIS provides the following methods of authentication:
       </para>
       <itemizedlist>
         <listitem>
           <para>
-            <guilabel>Kerberos password</guilabel> — This option enables Kerberos authentication. For more information about configuration of the Kerberos authentication method, refer to previous section on LDAP<!-- TBD6: link to the Kerberos password option in the previous section on LDAP -->
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                <guilabel>NIS password</guilabel> — TODO <remark>How does NIS password authenticate? Does it store password info on the NIS server and access that?</remark>
-              </para>
-            </listitem>
-          </itemizedlist>
-        
-        <bridgehead>Winbind</bridgehead>
-        <para>The <guilabel>Winbind</guilabel> option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured. It contains the following specifications:</para>
-        <itemizedlist>
-          <listitem>
-            <para>
-              <guilabel>Winbind Domain</guilabel> — Specifies the Windows Active Directory or domain controller to connect to.</para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Security Model</guilabel> — Allows you to select a security model, which configures how clients should respond to Samba. The drop-down list allows you to select any of the following:
+            <guilabel>Kerberos password</guilabel> — This option enables Kerberos authentication. For more information about configuration of the Kerberos authentication method, refer to the previous section on LDAP.<!-- TBD6: link to the Kerberos password option in the previous section on LDAP -->
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>NIS password</guilabel> — This option enables NIS authentication. NIS can provide authentication information to outside processes to authenticate users.
+          </para>
+        </listitem>
+      </itemizedlist>
+
+      <bridgehead>Winbind</bridgehead>
+      <para>The <guilabel>Winbind</guilabel> option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured. It contains the following specifications:</para>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <guilabel>Winbind Domain</guilabel> — Specifies the Windows Active Directory or domain controller to connect to.</para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Security Model</guilabel> — Allows you to select a security model, which configures how clients should respond to Samba. The drop-down list allows you to select any of the following:
 							<itemizedlist>
                   <listitem>
                     <para>
                       <guilabel>ads</guilabel> — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the <filename>krb5-server</filename> package must be installed, and Kerberos must be configured properly.</para>
-                </listitem>
-                <listitem>
-                  <para>
-                    <guilabel>domain</guilabel> — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would.</para>
-                </listitem>
-                <listitem>
-                  <para>
-                    <guilabel>server</guilabel> — In this mode, Samba will attempt to validate the username/password by authenticating it through another SMB server (for example, a Windows NT Server). If the attempt fails, the <guilabel>user</guilabel> mode will take effect instead.</para>
-                </listitem>
-                <listitem>
-                  <para>
-                    <guilabel>user</guilabel> — This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.</para>
-                </listitem>
-              </itemizedlist>
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Winbind ADS Realm</guilabel> — When the <guilabel>ads</guilabel> Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.</para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Winbind Domain Controllers</guilabel> — Use this option to specify which domain controller <command>winbind</command> should use. For more information about domain controllers, please refer to <citetitle pubwork="section">Section 20.6.3, "Domain Controller"</citetitle>of the<citetitle>Deployment Guide</citetitle>  <!-- TBD6: link to Section 20.6.3, “Domain Controller” section of the DG-->
-            </para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Template Shell</guilabel> — When filling out the user information for a Windows NT user, the <command>winbindd</command> daemon uses the value chosen here to to specify the login shell for that user.</para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Allow offline login</guilabel> — TODO <remark>What does this option do?</remark>
+              </listitem>
+              <listitem>
+                <para>
+                  <guilabel>domain</guilabel> — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would.</para>
+              </listitem>
+              <listitem>
+                <para>
+                  <guilabel>server</guilabel> — In this mode, Samba will attempt to validate the username/password by authenticating it through another SMB server (for example, a Windows NT Server). If the attempt fails, the <guilabel>user</guilabel> mode will take effect instead.</para>
+              </listitem>
+              <listitem>
+                <para>
+                  <guilabel>user</guilabel> — This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.</para>
+              </listitem>
+            </itemizedlist>
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Winbind ADS Realm</guilabel> — When the <guilabel>ads</guilabel> Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.</para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Winbind Domain Controllers</guilabel> — Use this option to specify which domain controller <command>winbind</command> should use. For more information about domain controllers, please refer to <xref linkend="s2-samba-domain-controller"/>.
+          </para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Template Shell</guilabel> — When filling out the user information for a Windows NT user, the <command>winbindd</command> daemon uses the value chosen here to to specify the login shell for that user.</para>
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Allow offline login</guilabel> — By checking this option, you allow authentication information to be stored in a local cache (provided by SSSD). This information is then used when a user attempts to authenticate while offline. 
             </para>
-          </listitem>
-        </itemizedlist>
-        
+        </listitem>
+      </itemizedlist>
 
-        <para>For more information about the <command>winbindd</command> service, refer to <citetitle pubwork="section">Section 20.2, "Samba Daemons and Related Services"</citetitle> in the <citetitle>Deployment Guide</citetitle>. <!--TBD6 : linke to section Section 20.2, “Samba Daemons and Related Services” in the DG -->
-        </para>
-        <para>
+
+      <para>For more information about the <command>winbindd</command> service, refer to <xref linkend="s1-samba-daemons"/>.
+      </para>
+      <para>
         Winbind provides only one method of authentication, <guilabel>Winbind password</guilabel>. This method of authentication uses the options specified in the User Account Configuration of Winbind to connect to a Windows Active Directory or a Windows domain controller.
       </para>
-      
-      </section>
-      <section id="sect-The_Authentication_Configuration_Tool-Advanced_Options">
-        <title>Advanced Options</title>
-        <para>
-      The Advanced Options tab allows you to configure the following:
-    </para>
-        <bridgehead>Local Authentication Options</bridgehead>
-        <itemizedlist>
-          <listitem>
-            <para>
-              <guilabel>Enable fingerprint reader support</guilabel> — By checking this option, you enable fingerprint authentication to log in by scanning your finger with the fingerprint reader.
+      <note>
+        <title>Note</title>
+          <para>
+            The SSSD service handles all the authentication procedures by default (except for Winbind). No user interaction is needed to set up the SSSD service with the <application>Authentication Configuration Tool</application>. For more information about the SSSD service, refer to <xref linkend="chap-SSSD_User_Guide-Introduction"/>
+          </para>
+      </note>
+          
+    </section>
+    <section id="sect-The_Authentication_Configuration_Tool-Advanced_Options">
+      <title>Advanced Options</title>
+      <para>
+      This tab allows you to configure advanced options, as listed below.
+      </para>
+      <figure>
+      <title><guilabel>Advanced Options</guilabel></title>
+      <mediaobject id="mediaobj-authconfig_advanced">
+        <imageobject>
+          <imagedata align="center" fileref="images/authconfig_advanced.png" format="PNG" />
+        </imageobject>
+      </mediaobject>
+      </figure>
+      <bridgehead>Local Authentication Options</bridgehead>
+      <itemizedlist>
+        <listitem>
+          <para>
+            <guilabel>Enable fingerprint reader support</guilabel> — By checking this option, you enable fingerprint authentication to log in by scanning your finger with the fingerprint reader.
         </para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Enable local access control</guilabel> — When enabled, <filename>/etc/security/access.conf</filename> is consulted for authorization of a user.
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Enable local access control</guilabel> — When enabled, <filename>/etc/security/access.conf</filename> is consulted for authorization of a user.
         </para>
-          </listitem>
-          <listitem>
-            <para>
-              <guilabel>Password Hashing Algorithm</guilabel> — This option lets you specify which hashing or cryptographic algorithm should be used to encrypt locally stored passwords. 
+        </listitem>
+        <listitem>
+          <para>
+            <guilabel>Password Hashing Algorithm</guilabel> — This option lets you specify which hashing or cryptographic algorithm should be used to encrypt locally stored passwords. 
         </para>
-          </listitem>
-        </itemizedlist>
-        <bridgehead>Other Authentication Options</bridgehead>
-        <para>
-          <guilabel>Create home directories on the first login</guilabel> — When enabled, a home directory of a user is created automatically on his first login if it does not already exist. 
+        </listitem>
+      </itemizedlist>
+      <bridgehead>Other Authentication Options</bridgehead>
+      <para>
+        <guilabel>Create home directories on the first login</guilabel> — When enabled, the user's home directory is automatically created when they log in if it does not already exist.
         </para>
-        <bridgehead>Smart Card Authentication Options</bridgehead>
-        <para>
-          <guilabel>Enable smart card support</guilabel> — This option enables smart card authentication. Smart card authentication allows you to log in using a certificate and a key associated with a smart card.
+      <bridgehead>Smart Card Authentication Options</bridgehead>
+      <para>
+        <guilabel>Enable smart card support</guilabel> — This option enables smart card authentication. Smart card authentication allows you to log in using a certificate and a key associated with a smart card.
         </para>
       <para>
       When the <guilabel>Enable smart card support</guilabel> option is checked, the following options can be specified:
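Review bot: `<systemitem class="protocol">Transport Layer Security</systemitem> (TLC)` in the rewritten "Use TLS to encrypt connections" item should read `(TLS)`. Further points in this hunk: `databse` in the ypbind para and `to to` in the Template Shell item are typos carried over unchanged; the sentences ending in `<xref linkend="s2-secureserver-overview-certs"/>` and `<xref linkend="ch-Lightweight_Directory_Access_Protocol_LDAP"/>` lost their terminal periods; and `refer to section<citetitle pubwork="section"> "Kerberos"</citetitle>` needs the space after "section" rather than inside the element. The new `NIS password` text ("NIS can provide authentication information to outside processes to authenticate users") is barely more specific than the TODO it replaces; say what the password is checked against. The `Allow offline login` item now states that SSSD stores authentication information in a local cache; since that cache lives on the client's disk, one sentence on where it is kept and for how long is the caveat an administrator needs before enabling it. `Password Hashing Algorithm` still says the algorithm is used to "encrypt" locally stored passwords; "hash" is the accurate verb, and it matches the `--passalgo` choices listed later in this patch. Finally, the unchanged `ads` context line requires `krb5-server`, while the Kerberos paragraph above requires `krb5-libs` and `krb5-workstation`; a domain member does not run a KDC, so verify which package set is meant.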
@@ -238,41 +261,574 @@
                 <para>
                   <guilabel>Ignore</guilabel> — The card removal is ignored and the system continues to function as normal.
                 </para>
-                  </listitem>
-                  <listitem>
-                    <para>
-                      <guilabel>Lock</guilabel> — The current session is immediately locked.
+                </listitem>
+                <listitem>
+                  <para>
+                    <guilabel>Lock</guilabel> — The current session is immediately locked.
                 </para>
-                  </listitem>
-                </itemizedlist>
-              </para>
-            </listitem>
-            <listitem>
-              <para>
-                <guilabel>Require smart card login</guilabel> — Requires the user to login and authenticate with a smart card. It essentially disables any other type of password authentication. This option should not be selected until after you have successfully logged in using a smart card. 
+                </listitem>
+              </itemizedlist>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <guilabel>Require smart card login</guilabel> — Requires the user to login and authenticate with a smart card. It essentially disables any other type of password authentication. This option should not be selected until after you have successfully logged in using a smart card. 
           </para>
-            </listitem>
-          </itemizedlist>
-        </para>
-        <para>
-      The <package>pam_pkcs11</package> and the <package>coolkey</package> packages must be installed for this option to work. For more information about smart cards, refer to <citetitle pubwork="section">section "4.1. Enabling Smart Card Login on Red Hat Enterprise Linux</citetitle>of the<citetitle>Managing Smart Cards with the Enterprise Security Client</citetitle> guide<!-- TBD6: link to: section "4.1. Enabling Smart Card Login on Red Hat Enterprise Linux" of the "Managing Smart Cards with the Enterprise Security Client" guide found on http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/Using_Enterprise_Security_Client_Keys_for_SSL_Client_Authentication_and_SMIME.html#enabling-smart-card-login or section "2.3.2. Getting Started with your new Smart Card" of the "Security Guide" found on http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Securit
 y_Guide/#sect-Security_Guide-Single_Sign_on_SSO-->
-
-        </para>
-      </section>
-      <section id="sect-The_Authentication_Configuration_Tool-Command_Line_Version">
-        <title>Command Line Version</title>
-        <para>
-        The <application>Authentication Configuration Tool</application> can also be run as a command line tool with no interface. The command line version can be used in a configuration script or a kickstart script. The authentication options are summarized in <!--<xref linkend="tb-authconfig-cmd-line"/>-->.
+          </listitem>
+        </itemizedlist>
       </para>
+      <para>
+      The <package>pam_pkcs11</package> and the <package>coolkey</package> packages must be installed for this option to work. For more information about smart cards, refer to <citetitle pubwork="section">section "Enabling Smart Card Login on Red Hat Enterprise Linux"</citetitle> of the <citetitle>Managing Smart Cards with the Enterprise Security Client</citetitle> guide. <!-- TBD6: link to: section "4.1. Enabling Smart Card Login on Red Hat Enterprise Linux" of the "Managing Smart Cards with the Enterprise Security Client" guide found on http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/Using_Enterprise_Security_Client_Keys_for_SSL_Client_Authentication_and_SMIME.html#enabling-smart-card-login OR section "2.3.2. Getting Started with your new Smart Card" of the "Security Guide" found on http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Securit
 y_Guide/#sect-Security_Guide-Single_Sign_on_SSO-->
+
         <note>
-          <title>Tip</title>
-          <para>These options can also be found in the <command>authconfig</command> man page or by typing <command>authconfig --help</command> at the shell prompt.</para>
+          <title>Note</title>
+          <para>
+            You can restore all of the options specified in the <application>Authentication Configuration Tool</application> to the previous configuration setup by clicking <guibutton>Revert</guibutton>.
+          </para>
         </note>
-        <remark>I have some questions about the commands listed under "authconfig --help". Is there a need for a "--enablemd5" option if the option "--passalgo=&lt;descrypt|bigcrypt|md5|sha256|sha512&gt;" chooses the algorithm to be used? Same goes for some commands that are not present in the new GUI, like "--enablesmbauth" (and all SMB related commands), "--enablehesiod" or "--enablewins". Are these features you can still use but are not present in the GUI? </remark>
-      
-      </section>
+
+      </para>
+    </section>
+    <section id="sect-The_Authentication_Configuration_Tool-Command_Line_Version">
+      <title>Command Line Version</title>
+      <para>
+        The <application>Authentication Configuration Tool</application> also supports a command line interface. The command line version can be used in a configuration script or a kickstart script. The authentication options are summarized in <xref linkend="tb-authconfig-cmd-line"/>.
+      </para>
+      <note>
+        <title>Tip</title>
+        <para>These options can also be found in the <command>authconfig</command> man page or by typing <command>authconfig --help</command> at the shell prompt.</para>
+      </note>
+
+      <table id="tb-authconfig-cmd-line">
+        <title>Command Line Options</title>
+        <tgroup cols="2">
+          <colspec colname="option" colnum="1" colwidth="15*"/>
+          <colspec colname="description" colnum="2" colwidth="10*"/>
+          <thead>
+            <row>
+              <entry>
+							Option
+						</entry>
+              <entry>
+							Description
+						</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>
+                <command>--enableshadow, --useshadow</command>
+              </entry>
+              <entry>
+							Enable shadow passwords
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disableshadow</command>
+              </entry>
+              <entry>
+							Disable shadow passwords
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--passalgo=<replaceable>&lt;descrypt|bigcrypt|md5|sha256|sha512&gt;</replaceable></command>
+              </entry>
+              <entry>
+							Hash/crypt algorithm to be used
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablenis</command>
+              </entry>
+              <entry>
+							Enable NIS for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablenis</command>
+              </entry>
+              <entry>
+							Disable NIS for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--nisdomain=<replaceable>&lt;domain&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>Specify an NIS domain</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--nisserver=<replaceable>&lt;server&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify an NIS server
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enableldap</command>
+              </entry>
+              <entry>
+							Enable LDAP for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disableldap</command>
+              </entry>
+              <entry>
+							Disable LDAP for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enableldaptls</command>
+              </entry>
+              <entry>
+							Enable use of TLS with LDAP
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disableldaptls</command>
+              </entry>
+              <entry>
+							Disable use of TLS with LDAP
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enableldapauth</command>
+              </entry>
+              <entry>
+							Enable LDAP for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disableldapauth</command>
+              </entry>
+              <entry>
+							Disable LDAP for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--ldapserver=<replaceable>&lt;server&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify an LDAP server
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--ldapbasedn=<replaceable>&lt;dn&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify an LDAP base DN (Distinguished Name)
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--ldaploadcacert=<replaceable>&lt;URL&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Load a CA certificate from the specified URL
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablekrb5</command>
+              </entry>
+              <entry>
+							Enable Kerberos for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablekrb5</command>
+              </entry>
+              <entry>
+							Disable Kerberos for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--krb5kdc=<replaceable>&lt;server&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify Kerberos KDC server 
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--krb5adminserver=<replaceable>&lt;server&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify Kerberos administration server
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--krb5realm=<replaceable>&lt;realm&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Specify Kerberos realm
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablekrb5kdcdns</command>
+              </entry>
+              <entry>
+							Enable use of DNS to find Kerberos KDCs
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablekrb5kdcdns</command>
+              </entry>
+              <entry>
+							Disable use of DNS to find Kerberos KDCs
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablekrb5realmdns</command>
+              </entry>
+              <entry>
+							Enable use of DNS to find Kerberos realms
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablekrb5realmdns</command>
+              </entry>
+              <entry>
+							Disable use of DNS to find Kerberos realms
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablewinbind</command>
+              </entry>
+              <entry>
+							Enable winbind for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablewinbind</command>
+              </entry>
+              <entry>
+							Disable winbind for user account configuration
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablewinbindauth</command>
+              </entry>
+              <entry>
+							Enable winbindauth for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablewinbindauth</command>
+              </entry>
+              <entry>
+							Disable winbindauth for authentication
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--winbindseparator=<replaceable>&lt;\&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Character used to separate the domain and user part of winbind usernames if <command>winbindusedefaultdomain</command> is not enabled
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--winbindtemplatehomedir=<replaceable>&lt;/home/%D/%U&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Directory that winbind users have as their home
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--winbindtemplateprimarygroup=<replaceable>&lt;nobody&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Group that winbind users have as their primary group
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--winbindtemplateshell=<replaceable>&lt;/bin/false&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Shell that winbind users have as their default login shell
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablewinbindusedefaultdomain</command>
+              </entry>
+              <entry>
+							Configures winbind to assume that users with no domain in their usernames are domain users
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablewinbindusedefaultdomain</command>
+              </entry>
+              <entry>
+							Configures winbind to assume that users with no domain in their usernames are not domain users
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--winbindjoin=<replaceable>&lt;Administrator&gt;</replaceable>
+                </command>
+              </entry>
+              <entry>
+							Joins the winbind domain or ADS realm as the specified administrator
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablewinbindoffline</command>
+              </entry>
+              <entry>
+							Configures winbind to allow offline login
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablewinbindoffline</command>
+              </entry>
+              <entry>
+							Configures winbind to prevent offline login
+						  </entry>
+            </row>
+            
+            <row>
+              <entry>
+                <command>--enablecache</command>
+              </entry>
+              <entry>
+							Enable <command>nscd</command>
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablecache</command>
+              </entry>
+              <entry>
+							Disable <command>nscd</command>
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablelocauthorize</command>
+              </entry>
+              <entry>
+							Local authorization is sufficient for local users
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablelocauthorize</command>
+              </entry>
+              <entry>
+							Local users are also authorized through a remote service
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablepamaccess</command>
+              </entry>
+              <entry>
+							Check <filename>/etc/security/access.conf</filename> during account authorization
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablepamaccess</command>
+              </entry>
+              <entry>
+							Do not check <filename>/etc/security/access.conf</filename> during account authorization
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablemkhomedir</command>
+              </entry>
+              <entry>
+							Create a home directory for a user on the first login
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablemkhomedir</command>
+              </entry>
+              <entry>
+							Do not create a home directory for a user on the first login
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablesmartcard</command>
+              </entry>
+              <entry>
+							Enable authentication with a smart card
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablesmartcard</command>
+              </entry>
+              <entry>
+							Disable authentication with a smart card
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablerequiresmartcard</command>
+              </entry>
+              <entry>
+							Require smart card for authentication
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablerequiresmartcard</command>
+              </entry>
+              <entry>
+							Do not require smart card for authentication
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--smartcardmodule=<replaceable>&lt;module&gt;</replaceable></command>
+              </entry>
+              <entry>
+							Default smart card module to use
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--smartcardaction=<replaceable>&lt;0=Lock|1=Ignore&gt;</replaceable></command>
+              </entry>
+              <entry>
+							Action to be taken when smart card removal is detected
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--enablefingerprint</command>
+              </entry>
+              <entry>
+							Enable fingerprint authentication
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--disablefingerprint</command>
+              </entry>
+              <entry>
+							Disnable fingerprint authentication
+              </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--nostart</command>
+              </entry>
+              <entry>
+							Do not start or stop the <command>portmap</command>, <command>ypbind</command>, or <command>nscd</command> services even if they are configured
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--test</command>
+              </entry>
+              <entry>
+							Do not update the configuration files, only print the new settings
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--update, --kickstart</command>
+              </entry>
+              <entry>
+							Opposite of <command>--test</command>, update configuration files with changed settings
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--updateall</command>
+              </entry>
+              <entry>
+							Update all configuration files
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--probe</command>
+              </entry>
+              <entry>
+							Probe and display network defaults
+						</entry>
+            </row>
+            <row>
+              <entry>
+                <command>--savebackup=<replaceable>&lt;name&gt;</replaceable></command>
+              </entry>
+              <entry>
+							Save a backup of all configuration files
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--restorebackup=<replaceable>&lt;name&gt;</replaceable></command>
+              </entry>
+              <entry>
+							Restore a backup of all configuration files
+						  </entry>
+            </row>
+            <row>
+              <entry>
+                <command>--restorelastbackup</command>
+              </entry>
+              <entry>
+							Restore the backup of configuration files saved before the previous configuration change
+						  </entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
     </section>
+  </section>
 
-    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="SSSD.xml" />
-  </chapter>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="SSSD.xml" />
+</chapter>
 
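Review bot: "Disnable" in the description of the `--disablefingerprint` row should read "Disable". Two further points in this hunk: the `<!-- TBD6 ... -->` comment closing the smart card paragraph still carries unresolved links to an internal staging host (documentation-stage.bne.redhat.com) in place of a real `<xref>` or `<ulink>`, so it must be resolved before the chapter is built for publication; and the deleted `<remark>` asked which options printed by `authconfig --help` but absent from the new table (`--enablemd5`, `--enablesmbauth`, `--enablehesiod`, `--enablewins`) are still supported, and removing the remark without answering leaves the table that the text says "summarizes" the options silently incomplete. Minor: the `<entry>` bodies mix tab and space indentation; pick one to match the rest of the file.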
diff --git a/en-US/The_sysconfig_Directory.xml b/en-US/The_sysconfig_Directory.xml
index 0dc49c0..c289b25 100644
--- a/en-US/The_sysconfig_Directory.xml
+++ b/en-US/The_sysconfig_Directory.xml
@@ -64,17 +64,29 @@
       <itemizedlist>
         <listitem>
           <para>
-            <command>USEMD5=<replaceable>&lt;value&gt;</replaceable>
+            <command>PASSWORDALGORITHM=<replaceable>&lt;value&gt;</replaceable>
             </command>, where <command><replaceable>&lt;value&gt;</replaceable>
             </command> is one of the following:</para>
           <itemizedlist>
             <listitem>
               <para>
-                <command>yes</command> — MD5 is used for authentication.</para>
+                <command>descrypt</command> — DESCRYPT is used for authentication.</para>
             </listitem>
             <listitem>
               <para>
-                <command>no</command> — MD5 is not used for authentication.</para>
+                <command>bigcrypt</command> — BIGCRYPT is used for authentication.</para>
+            </listitem>
+            <listitem>
+              <para>
+                <command>md5</command> — MD5 is used for authentication.</para>
+            </listitem>
+            <listitem>
+              <para>
+                <command>sha256</command> — SHA256 is used for authentication.</para>
+            </listitem>
+            <listitem>
+              <para>
+                <command>sha512</command> — SHA512 is used for authentication.</para>
             </listitem>
           </itemizedlist>
         </listitem>
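Review bot: the five value descriptions in this hunk say the algorithm "is used for authentication", wording carried over from the old `USEMD5` text; `PASSWORDALGORITHM` selects the hash applied to stored passwords, not an authentication method, so "is used to hash passwords" is the accurate phrase for each item. The uppercase `DESCRYPT` and `BIGCRYPT` should also be written `descrypt` and `bigcrypt`, matching both the `<command>` values and the `--passalgo` table in Authentication_Configuration.xml, and the list should state which value applies when the variable is unset.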
@@ -110,6 +122,22 @@
             </listitem>
           </itemizedlist>
         </listitem>
+        <listitem>
+          <para>
+            <command>FORCELEGACY=<replaceable>&lt;value&gt;</replaceable>
+            </command>, where <command><replaceable>&lt;value&gt;</replaceable>
+            </command> is one of the following:</para>
+          <itemizedlist>
+            <listitem>
+              <para>
+                <command>yes</command> — The implicit use of SSSD by the <application>Authentication Configuration Tool</application> is disabled.</para>
+            </listitem>
+            <listitem>
+              <para>
+                <command>no</command> — The implicit use of SSSD by the <application>Authentication Configuration Tool</application> is enabled.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
       </itemizedlist>
     </section>
     <section
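Review bot: "implicit use of SSSD" is not defined anywhere in this hunk, so a reader cannot tell what `FORCELEGACY=yes` actually changes on the system; add a sentence saying what the tool configures instead when SSSD is not used, and cross-reference the SSSD section that the same chapter pulls in via `<xi:include href="SSSD.xml"/>`. The default value of `FORCELEGACY` is also not stated, unlike the other variables in this list.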
diff --git a/en-US/images/authconfig_LDAP_kerb.png b/en-US/images/authconfig_LDAP_kerb.png
new file mode 100644
index 0000000..0da191d
Binary files /dev/null and b/en-US/images/authconfig_LDAP_kerb.png differ
diff --git a/en-US/images/authconfig_advanced.png b/en-US/images/authconfig_advanced.png
new file mode 100644
index 0000000..1fa30ce
Binary files /dev/null and b/en-US/images/authconfig_advanced.png differ