[deployment-guide/comm-rel: 194/727] implement updates from SSSD review; BZ 618924

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 12:40:39 UTC 2010


commit caf72390a0b61e34a793a76d0e110893930cf65a
Author: David O'Brien <davido at redhat.com>
Date:   Thu Jul 29 23:09:51 2010 +1000

    implement updates from SSSD review; BZ 618924

 en-US/SSSD.xml |   57 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 48 insertions(+), 9 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 1027089..11e74f4 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -211,7 +211,7 @@
         <para>
           <command># service sssd start</command>
         </para>
-        <para>By default, SSSD is configured not to start automatically. You can use the <command>chkconfig</command> command to change this behavior. For example, run the following command to configure SSSD to start when the machine boots:</para>
+        <para>By default, SSSD is configured not to start automatically. There are two ways to change this behavior; if you use the Authentication Configuration tool to configure SSSD, it will reconfigure the default behavior so that SSSD starts when the machine boots. Alternatively, you can use the <command>chkconfig</command> command, as follows:</para>
         <para>
           <command># chkconfig sssd on</command>
         </para>
@@ -358,6 +358,12 @@ session     optional     pam_console.so
 access_provider = simple
 simple_allow_users = user1, user2</screen>
 
+        <note>
+          <para>
+            The Local ID provider does not support <option>simple</option> as an access provider.
+          </para>
+        </note>
+
         <formalpara>
           <title>Access Control Rules</title>
           <indexterm>
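Review bot: the new `<note>` in this hunk says the Local ID provider does not support `simple`, but the example above it shows only `access_provider = simple`; stating the rejected combination in configuration terms (the `id_provider` value used for the local provider together with `access_provider = simple`) would make the restriction checkable against a real `sssd.conf`. It would also help to say how the combination fails (an error when the back end loads, or the access provider being ignored), since an administrator relying on the `simple` rules for access control needs to know whether they are silently not applied.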
@@ -385,7 +391,7 @@ simple_allow_users = user1, user2</screen>
           </itemizedlist>
           <important>
             <para>
-              Defining both <option>simple_allow_users</option> and <option>simple_deny_users</option> is a configuration error. If this occurs, SSSD will output an error when loading the back end and will fail to start.
+              Defining both <option>simple_allow_users</option> and <option>simple_deny_users</option> is a configuration error. If this occurs, SSSD will output an error to the <filename>/var/log/sssd/sssd_default.log</filename> log file when loading the back end, but continue to start normally. Future versions of SSSD will output an error and fail to start.
             </para>
           </important>
           </para>
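Review bot: the reworded `<important>` para in this hunk says SSSD logs the error and continues to start, but it no longer states which access rule is then enforced; because this is the access-control configuration, the para should say what the back end does with the conflicting lists (whether access is denied, or one list takes effect) rather than leave an administrator to assume that `simple_deny_users` is still honoured. The path `/var/log/sssd/sssd_default.log` also appears to hardcode a domain name: the back-end log is per domain, so either say this is the log for the `default` domain or write the name as `sssd_<replaceable>domain</replaceable>.log`.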
@@ -492,7 +498,7 @@ simple_allow_users = user1, user2</screen>
 
       <section id="sect-SSSD_User_Guide-Configuration_Options-NSS_Configuration_Options">
         <title>NSS Configuration Options</title>
-        <para>Use the following options to configure the Name Service Switch (NSS) service. Refer to the <citetitle>sssd.conf(5)</citetitle> manual page for full details about each option.</para>
+        <para>Use the following options to configure the <systemitem class="service">Name Service Switch (NSS)</systemitem> service. Refer to the <citetitle>sssd.conf(5)</citetitle> manual page for full details about each option.</para>
         <itemizedlist>
           <listitem>
             <para>
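Review bot: in this hunk `<systemitem class="service">` wraps the full expansion "Name Service Switch (NSS)" and is then followed by the word "service" again, so the sentence reads "the Name Service Switch (NSS) service service" once the element is rendered; either wrap only the name and drop the trailing "service", or keep the trailing word and use plain text (or `<acronym>` for NSS) instead of a service-class `systemitem`.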
@@ -506,16 +512,16 @@ simple_allow_users = user1, user2</screen>
               <option>entry_cache_nowait_percentage <type>(integer)</type>
               </option>
             </para>
-            <para>Specifies for how long <package>sssd_nss</package> should return cached entries before initiating an out-of-band cache refresh (0 disables this feature).</para>
+            <para>Specifies for how long <package>sssd_nss</package> should return cached entries before initiating an out-of-band cache refresh (<literal>0</literal> disables this feature).</para>
             <para>You can configure the entry cache to automatically update entries in the background if they are requested beyond a percentage of the <option>entry_cache_timeout</option> value for the domain.</para>
-            <para>Valid values for this option are 0-99 and represent a percentage of the <option>entry_cache_timeout</option> value for each domain.</para>
+            <para>Valid values for this option are <literal>0-99</literal>, and represent a percentage of the <option>entry_cache_timeout</option> value for each domain.</para>
           </listitem>
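Review bot: the first `<para>` in this hunk still describes `entry_cache_nowait_percentage` as "for how long" SSSD returns cached entries, which reads as a duration, while the third para defines it as a percentage of `entry_cache_timeout`; reword the first para to match, for example "Specifies the percentage of the `entry_cache_timeout` value after which `sssd_nss` initiates an out-of-band cache refresh while still returning the cached entry". Also `<literal>0-99</literal>` marks a range as a single literal value; write it as `<literal>0</literal> to `<literal>99</literal>` or leave the range in plain text.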
           <listitem>
             <para>
               <option>entry_negative_timeout <type>(integer)</type>
               </option>
             </para>
-            <para>Specifies for how long (in seconds) <package>sssd_nss</package> should cache negative cache hits (that is, queries for invalid database entries, like nonexistent ones) before asking the back end again.</para>
+            <para>Specifies for how long (in seconds) <package>sssd_nss</package> should cache negative cache hits (that is, queries for invalid database entries, such as nonexistent ones) before asking the back end again.</para>
           </listitem>
           <listitem>
             <para>
@@ -530,21 +536,42 @@ simple_allow_users = user1, user2</screen>
               <option>filter_users_in_groups <type>(Boolean)</type>
               </option>
             </para>
-            <para>If set to TRUE, specifies that users listed in the <option>filter_users</option> list do not appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, defaults to <literal>TRUE</literal>.</para>
+            <para>If set to <literal>TRUE</literal>, specifies that users listed in the <option>filter_users</option> list do not appear in group memberships when performing group lookups. If set to <literal>FALSE</literal>, group lookups return all users that are members of that group. If not specified, defaults to <literal>TRUE</literal>.</para>
           </listitem>
         </itemizedlist>
       </section>
 
       <section id="sect-SSSD_User_Guide-Configuration_Options-PAM_Configuration_Options">
         <title>PAM Configuration Options</title>
-        <para>Use these options to configure the <systemitem role="module">Pluggable Authentication Module</systemitem> (<acronym>PAM</acronym>) service.</para>
+        <para>Use the following options to configure the <systemitem class="service">Pluggable Authentication Module (<acronym>PAM</acronym>)</systemitem> service.</para>
         <itemizedlist>
           <listitem>
             <para>
               <option>offline_credentials_expiration <type>(integer)</type>
               </option>
             </para>
-            <para>If the authentication provider is offline, specifies for how long we should allow cached log ins (in days). If not specified, defaults to <literal>0</literal> (no limit).</para>
+            <para>If the authentication provider is offline, specifies for how long to allow cached log-ins (in days). This value is measured from the last successful online log-in. If not specified, defaults to <literal>0</literal> (no limit).</para>
+          </listitem>
+          <listitem>
+            <para>
+              <option>offline_failed_login_attempts <type>(integer)</type>
+              </option>
+            </para>
+            <para>
+              If the authentication provider is offline, specifies how many failed log in attempts are allowed. If not specified, defaults to <literal>0</literal> (no limit).
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              <option>offline_failed_login_delay <type>(integer)</type>
+              </option>
+            </para>
+            <para>
+              Specifies the time in minutes after the value of <option>offline_failed_login_attempts</option> has been reached before a new log in attempt is possible.
+            </para>
+            <para>
+              If set to <literal>0</literal>, the user cannot authenticate offline if the value of <option>offline_failed_login_attempts</option> has been reached. Only a successful online authentication can re-enable offline authentication. If not specified, defaults to <literal>5</literal>.
+            </para>
           </listitem>
         </itemizedlist>
       </section>
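Review bot: the `offline_failed_login_delay` entry in this hunk should state that the delay has no effect while `offline_failed_login_attempts` is left at its default of `0` (no limit), since the delay only starts once that count has been reached; as written, a reader can take the 5-minute default as a lockout that is active out of the box, when offline attempts are in fact unlimited unless `offline_failed_login_attempts` is set. The hunk also mixes "log-ins" (first para) with "log in attempts" (later paras); use one form throughout.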
@@ -939,6 +966,13 @@ ldap_user_principal = userPrincipalName
 ldap_group_object_class = group
 ldap_group_name = msSFU30Name
 ldap_group_gid_number = msSFU30GidNumber</screen>
+
+<note>
+  <para>
+    The above configuration assumes that the certificates are stored in the default location (that is, in <filename>/etc/openldap/cacerts</filename>) and are c_rehash'ed.
+  </para>
+</note>
+
       </section>
 
       <section><title>Configuring Active Directory 2008 as an LDAP Back End</title>
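Review bot: the new `<note>` in this hunk says the certificates are "c_rehash'ed", which is informal and differs from the equivalent note added later in this patch, which spells out that `c_rehash` is used to create the symlinks; use the same wording in both places and mark `c_rehash` with `<command>`. The `<note>` is also indented at column 0 while the surrounding `<section>` content is indented, so it should be re-indented to match.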
@@ -969,6 +1003,11 @@ ldap_pwd_policy = none
 ldap_user_object_class = user
 ldap_group_object_class = group</screen>
 
+<note>
+  <para>
+    The above configuration assumes that the certificates are stored in the default location (that is, in <filename>/etc/openldap/cacerts</filename>) and that the <function>c_rehash</function> function has been used to create the appropriate symlinks.
+  </para>
+</note>
       </section>
 
 
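Review bot: `<function>c_rehash</function>` in this hunk marks a shell tool as a function; `c_rehash` is invoked from the command line, so `<command>` is the appropriate element and matches how `chkconfig` and `service` are marked earlier in this file. As in the previous hunk, the `<note>` block is indented at column 0 inside the `<section>` and should follow the enclosing indentation.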

