The allowed commands an SSS client can send to the SSSD.
Enumerator |
---|
SSS_PAM_AUTHENTICATE | see pam_sm_authenticate(3) for details.
Additionally we allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during authentication if the authentication was successful but the authentication token is expired. To meet the standards of libpam we return PAM_SUCCESS for authentication and set a flag so that the account management module can return PAM_NEW_AUTHTOK_REQD if sssd returns success for account management. We do this to reduce the communication with external servers, because there are cases, e.g. Kerberos authentication, where the information that the password is expired is already available during authentication.
|
SSS_PAM_SETCRED | see pam_sm_setcred(3) for details
|
SSS_PAM_ACCT_MGMT | see pam_sm_acct_mgmt(3) for details
|
SSS_PAM_OPEN_SESSION | see pam_sm_open_session(3) for details
|
SSS_PAM_CLOSE_SESSION | see pam_sm_close_session(3) for details
|
SSS_PAM_CHAUTHTOK | second run of the password change operation where the PAM_UPDATE_AUTHTOK flag is set and the real change may happen, see pam_sm_chauthtok(3) for details
|
SSS_PAM_CHAUTHTOK_PRELIM | first run of the password change operation where the PAM_PRELIM_CHECK flag is set, see pam_sm_chauthtok(3) for details
|
SSS_CMD_RENEW | Renew a credential with a limited lifetime, e.g. a Kerberos Ticket Granting Ticket (TGT)
|
SSS_PAM_PREAUTH | Request which can be run before an authentication request to find out which authentication methods are available for the given user.
|
SSS_GSSAPI_INIT | Initialize GSSAPI authentication.
|
SSS_GSSAPI_SEC_CTX | Establish GSSAPI security context.
|
SSS_NSS_GETSIDBYNAME | Takes a zero terminated fully qualified name and returns the zero terminated string representation of the SID of the object with the given name.
|
SSS_NSS_GETSIDBYID | Takes an unsigned 32bit integer (POSIX ID) and returns the zero terminated string representation of the SID of the object with the given ID.
|
SSS_NSS_GETNAMEBYSID | Takes the zero terminated string representation of a SID and returns the zero terminated fully qualified name of the related object.
|
SSS_NSS_GETIDBYSID | Takes the zero terminated string representation of a SID and returns the POSIX ID of the related object as an unsigned 32bit integer value and another unsigned 32bit integer value indicating the type (unknown, user, group, both) of the object.
|
SSS_NSS_GETORIGBYNAME | Takes a zero terminated fully qualified name and returns a list of zero terminated strings with key-value pairs where the first string is the key and the second the value. Hence the list should have an even number of strings; if not, the whole list is invalid.
|
SSS_NSS_GETNAMEBYCERT | Takes the zero terminated string of the base64 encoded DER representation of an X509 certificate and returns the zero terminated fully qualified name of the related object.
|
SSS_NSS_GETLISTBYCERT | Takes the zero terminated string of the base64 encoded DER representation of an X509 certificate and returns a list of zero terminated fully qualified names of the related objects.
|
SSS_NSS_GETSIDBYUID | Takes an unsigned 32bit integer (POSIX UID) and returns the zero terminated string representation of the SID of the object with the given UID.
|
SSS_NSS_GETSIDBYGID | Takes an unsigned 32bit integer (POSIX GID) and returns the zero terminated string representation of the SID of the object with the given GID.
|
SSS_NSS_GET_SUBID_RANGES | Requests both subuid and subgid ranges defined for a user.
|
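
The SSS_NSS_GETORIGBYNAME entry above says an odd number of strings invalidates the whole list. The following is an added example, not SSSD code, of a client-side check that enforces this and never reads past the buffer. It assumes the strings have already been extracted from the reply into a byte buffer of known length; `parse_kv_list`, `struct kv_pair` and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pair type for this example; not an SSSD structure. */
struct kv_pair { const char *key; const char *value; };

/* Constructed sample payloads (not captured from SSSD). Adjacent literals
 * keep "\0" from merging with the following digits into one octal escape. */
static const char sample_ok[]  = "name\0alice\0uidNumber\0" "1000";
static const char sample_odd[] = "name\0alice\0orphan";
static struct kv_pair demo_pairs[4];

/* Pair up the zero terminated strings in buf[0..len) as key, value, ...
 * Returns the number of pairs, or -1 if the whole list is invalid:
 * unterminated last string, odd string count, or more than max_pairs.
 * Pointers stored in out refer into buf; nothing is copied. */
int parse_kv_list(const char *buf, size_t len,
                  struct kv_pair *out, size_t max_pairs)
{
    size_t pos = 0, nstrings = 0;

    while (pos < len) {
        /* Bounded search: never read past len looking for the terminator. */
        const char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL)
            return -1;                 /* last string is not terminated */
        if (nstrings / 2 >= max_pairs)
            return -1;                 /* caller's array is too small */
        if (nstrings % 2 == 0)
            out[nstrings / 2].key = buf + pos;
        else
            out[nstrings / 2].value = buf + pos;
        nstrings++;
        pos = (size_t)(end - buf) + 1;
    }
    return (nstrings % 2 == 0) ? (int)(nstrings / 2) : -1;
}

int main(void)
{
    int n = parse_kv_list(sample_ok, sizeof sample_ok, demo_pairs, 4);
    for (int i = 0; i < n; i++)
        printf("%s = %s\n", demo_pairs[i].key, demo_pairs[i].value);
    printf("odd list -> %d\n",
           parse_kv_list(sample_odd, sizeof sample_odd, demo_pairs, 4));
    return 0;
}
```

On failure the contents of `out` are unspecified, so callers should discard them rather than use any pairs filled in before the error.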