PK œqhYî¶J‚ßFßF)nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/ $#$#$#

Dir : /lib/python3.6/site-packages/SSSDConfig/
Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64
IP: 209.182.202.254
Choose File :

Url:
Dir : //lib/python3.6/site-packages/SSSDConfig/sssdoptions.py

import sys
import gettext

PACKAGE = 'sss_daemon'
LOCALEDIR = '/usr/share/locale'

translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)
if sys.version_info[0] > 2:
    _ = translation.gettext
else:
    _ = translation.ugettext


class SSSDOptions(object):
    def __init__(self):
        pass

    option_strings = {
        # [service]
        'debug': _('Set the verbosity of the debug logging'),
        'debug_level': _('Set the verbosity of the debug logging'),
        'debug_timestamps': _('Include timestamps in debug logs'),
        'debug_microseconds': _('Include microseconds in timestamps in debug logs'),
        'debug_backtrace_enabled': _('Enable/disable debug backtrace'),
        'timeout': _('Watchdog timeout before restarting service'),
        'command': _('Command to start service'),
        'reconnection_retries': _('Number of times to attempt connection to Data Providers'),
        'fd_limit': _('The number of file descriptors that may be opened by this responder'),
        'client_idle_timeout': _('Idle time before automatic disconnection of a client'),
        'responder_idle_timeout': _('Idle time before automatic shutdown of the responder'),
        'cache_first': _('Always query all the caches before querying the Data Providers'),
        'offline_timeout': _('When SSSD switches to offline mode the amount of time before it tries to go back online '
                             'will increase based upon the time spent disconnected. This value is in seconds and '
                             'calculated by the following: offline_timeout + random_offset.'),

        # [sssd]
        'config_file_version': _(
            'Indicates what is the syntax of the config file. SSSD 0.6.0 and later use version 2.'),
        'services': _('SSSD Services to start'),
        'domains': _('SSSD Domains to start'),
        're_expression': _('Regex to parse username and domain'),
        'full_name_format': _('Printf-compatible format for displaying fully-qualified names'),
        'krb5_rcache_dir': _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
        'default_domain_suffix': _('Domain to add to names without a domain component.'),
        'user': _('The user to drop privileges to'),
        'certificate_verification': _('Tune certificate verification'),
        'override_space': _('All spaces in group or user names will be replaced with this character'),
        'disable_netlink': _('Tune sssd to honor or ignore netlink state changes'),
        'enable_files_domain': _('Enable or disable the implicit files domain'),
        'domain_resolution_order': _('A specific order of the domains to be looked up'),
        'monitor_resolv_conf': _('Controls if SSSD should monitor the state of resolv.conf to identify when it needs '
                                 'to update its internal DNS resolver.'),
        'try_inotify': _('SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS '
                         'resolver. By default, we will attempt to use inotify for this, and will fall back to '
                         'polling resolv.conf every five seconds if inotify cannot be used.'),
        'implicit_pac_responder': _('Run PAC responder automatically for AD and IPA provider'),
        'core_dumpable': _('Enable or disable core dumps for all SSSD processes.'),
        'passkey_verification': _('Tune passkey verification behavior'),

        # [nss]
        'enum_cache_timeout': _('Enumeration cache timeout length (seconds)'),
        'entry_cache_no_wait_timeout': _('Entry cache background update timeout length (seconds)'),
        'entry_negative_timeout': _('Negative cache timeout length (seconds)'),
        'local_negative_timeout': _('Files negative cache timeout length (seconds)'),
        'filter_users': _('Users that SSSD should explicitly ignore'),
        'filter_groups': _('Groups that SSSD should explicitly ignore'),
        'filter_users_in_groups': _('Should filtered users appear in groups'),
        'pwfield': _('The value of the password field the NSS provider should return'),
        'override_homedir': _('Override homedir value from the identity provider with this value'),
        'fallback_homedir': _('Substitute empty homedir value from the identity provider with this value'),
        'override_shell': _('Override shell value from the identity provider with this value'),
        'allowed_shells': _('The list of shells users are allowed to log in with'),
        'vetoed_shells': _('The list of shells that will be vetoed, and replaced with the fallback shell'),
        'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
        'default_shell': _('Shell to use if the provider does not list one'),
        'memcache_timeout': _('How long will be in-memory cache records valid'),
        'memcache_size_passwd': _(
            'Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
        'memcache_size_group': _(
            'Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
        'memcache_size_initgroups': _(
            'Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
        'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
                               'if the template contains the format string %H.'),
        'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
                                 'valid.'),
        'entry_cache_nowait_percentage': _('The entry cache can be set to automatically update entries in the '
                                           'background if they are requested beyond a percentage of the '
                                           'entry_cache_timeout value for the domain.'),

        # [pam]
        'offline_credentials_expiration': _('How long to allow cached logins between online logins (days)'),
        'offline_failed_login_attempts': _('How many failed logins attempts are allowed when offline'),
        'offline_failed_login_delay': _(
            'How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
        'pam_verbosity': _('What kind of messages are displayed to the user during authentication'),
        'pam_response_filter': _('Filter PAM responses sent to the pam_sss'),
        'pam_id_timeout': _('How many seconds to keep identity information cached for PAM requests'),
        'pam_pwd_expiration_warning': _('How many days before password expiration a warning should be displayed'),
        'pam_trusted_users': _('List of trusted uids or user\'s name'),
        'pam_public_domains': _('List of domains accessible even for untrusted users.'),
        'pam_account_expired_message': _('Message printed when user account is expired.'),
        'pam_account_locked_message': _('Message printed when user account is locked.'),
        'pam_cert_auth': _('Allow certificate based/Smartcard authentication.'),
        'pam_cert_db_path': _('Path to certificate database with PKCS#11 modules.'),
        'pam_cert_verification': _('Tune certificate verification for PAM authentication.'),
        'p11_child_timeout': _('How many seconds will pam_sss wait for p11_child to finish'),
        'pam_app_services': _('Which PAM services are permitted to contact application domains'),
        'pam_p11_allowed_services': _('Allowed services for using smartcards'),
        'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
        'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
        'pam_initgroups_scheme': _('When shall the PAM responder force an initgroups request'),
        'pam_gssapi_services': _('List of PAM services that are allowed to authenticate with GSSAPI.'),
        'pam_gssapi_check_upn': _('Whether to match authenticated UPN with target user'),
        'pam_gssapi_indicators_map': _('List of pairs <PAM service>:<authentication indicator> that '
                                       'must be enforced for PAM access with GSSAPI authentication'),
        'pam_passkey_auth': _('Allow passkey device authentication.'),
        'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'),
        'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'),

        # [sudo]
        'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
        'sudo_inverse_order': _('If true, SSSD will switch back to lower-wins ordering logic'),
        'sudo_threshold': _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh '
                            'is performed.'),

        # [autofs]
        'autofs_negative_timeout': _('Negative cache timeout length (seconds)'),

        # [ssh]
        'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
        'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys '
                                     'were requested'),
        'ca_db': _('Path to storage of trusted CA certificates'),
        'ssh_use_certificate_keys': _('Allow to generate ssh-keys from certificates'),
        'ssh_use_certificate_matching_rules': _('Use the following matching rules to filter the certificates for '
                                                'ssh-key generation'),

        # [pac]
        'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
        'pac_lifetime': _('How long the PAC data is considered valid'),
        'pac_check': _('Validate the PAC'),

        # [ifp]
        'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),

        # [session_recording]
        'scope': _('One of the following strings specifying the scope of session recording: none - No users are '
                   'recorded. some - Users/groups specified by users and groups options are recorded. all - All users '
                   'are recorded.'),
        'users': _('A comma-separated list of users which should have session recording enabled. Matches user names '
                   'as returned by NSS. I.e. after the possible space replacement, case changes, etc.'),
        'groups': _('A comma-separated list of groups, members of which should have session recording enabled. '
                    'Matches group names as returned by NSS. I.e. after the possible space replacement, case changes, '
                    'etc.'),
        'exclude_users': _('A comma-separated list of users to be excluded from recording, only when scope=all'),
        'exclude_groups': _('A comma-separated list of groups, members of which should be excluded from recording, '
                            ' only when scope=all. '),

        # [provider]
        'id_provider': _('Identity provider'),
        'auth_provider': _('Authentication provider'),
        'access_provider': _('Access control provider'),
        'chpass_provider': _('Password change provider'),
        'sudo_provider': _('SUDO provider'),
        'autofs_provider': _('Autofs provider'),
        'hostid_provider': _('Host identity provider'),
        'selinux_provider': _('SELinux provider'),
        'session_provider': _('Session management provider'),
        'resolver_provider': _('Resolver provider'),

        # [domain]
        'domain_type': _('Whether the domain is usable by the OS or by applications'),
        'enabled': _('Enable or disable the domain'),
        'min_id': _('Minimum user ID'),
        'max_id': _('Maximum user ID'),
        'enumerate': _('Enable enumerating all users/groups'),
        'cache_credentials': _('Cache credentials for offline login'),
        'use_fully_qualified_names': _('Display users/groups in fully-qualified form'),
        'ignore_group_members': _('Don\'t include group members in group lookups'),
        'entry_cache_timeout': _('Entry cache timeout length (seconds)'),
        'lookup_family_order': _('Restrict or prefer a specific address family when performing DNS lookups'),
        'account_cache_expiration': _('How long to keep cached entries after last successful login (days)'),
        'dns_resolver_server_timeout': _('How long should SSSD talk to single DNS server before trying next server ('
                                         'miliseconds)'),
        'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
        'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
        'dns_discovery_domain': _('The domain part of service discovery DNS query'),
        'override_gid': _('Override GID value from the identity provider with this value'),
        'case_sensitive': _('Treat usernames as case sensitive'),
        'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_group_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_netgroup_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_service_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_autofs_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_sudo_timeout': _('Entry cache timeout length (seconds)'),
        'entry_cache_resolver_timeout': _('Entry cache timeout length (seconds)'),
        'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
        'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
        'dyndns_update': _("Whether to automatically update the client's DNS entry"),
        'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
        'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
        'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
        'dyndns_refresh_interval_offset': _("Maximum period deviation when updating the client's DNS entry"),
        'dyndns_update_ptr': _("Whether the provider should explicitly update the PTR record as well"),
        'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
        'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
        'dyndns_server': _("Override the DNS server used to perform the DNS update"),
        'subdomain_enumerate': _('Control enumeration of trusted domains'),
        'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
        'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
        'subdomain_inherit': _('List of options that should be inherited into a subdomain'),
        'subdomain_homedir': _('Default subdomain homedir value'),
        'cached_auth_timeout': _('How long can cached credentials be used for cached authentication'),
        'auto_private_groups': _('Whether to automatically create private groups for users'),
        'pwd_expiration_warning': _('Display a warning N days before the password expires.'),
        'realmd_tags': _('Various tags stored by the realmd configuration service for this domain.'),
        'subdomains_provider': _('The provider which should handle fetching of subdomains. This value should be '
                                 'always the same as id_provider.'),
        'entry_cache_ssh_host_timeout': _('How many seconds to keep a host ssh key after refresh. IE how long to '
                                          'cache the host key for.'),
        'cache_credentials_minimal_first_factor_length': _('If 2-Factor-Authentication (2FA) is used and credentials '
                                                           'should be saved this value determines the minimal length '
                                                           'the first authentication factor (long term password) must '
                                                           'have to be saved as SHA512 hash into the cache.'),
        'local_auth_policy': _('Local authentication methods policy '),

        # [provider/ipa]
        'ipa_domain': _('IPA domain'),
        'ipa_server': _('IPA server address'),
        'ipa_backup_server': _('Address of backup IPA server'),
        'ipa_hostname': _('IPA client hostname'),
        'ipa_dyndns_update': _("Whether to automatically update the client's DNS entry in FreeIPA"),
        'ipa_dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
        'ipa_dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
        'ipa_hbac_search_base': _("Search base for HBAC related objects"),
        'ipa_hbac_refresh': _("The amount of time between lookups of the HBAC rules against the IPA server"),
        'ipa_selinux_refresh': _("The amount of time in seconds between lookups of the SELinux maps against the IPA "
                                 "server"),
        'ipa_hbac_support_srchost': _("If set to false, host argument given by PAM will be ignored"),
        'ipa_automount_location': _("The automounter location this IPA client is using"),
        'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
        'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
        'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
        'ipa_views_search_base': _("Search base for view containers"),
        'ipa_view_class': _("Objectclass for view containers"),
        'ipa_view_name': _("Attribute with the name of the view"),
        'ipa_override_object_class': _("Objectclass for override objects"),
        'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
        'ipa_user_override_object_class': _("Objectclass for user override objects"),
        'ipa_group_override_object_class': _("Objectclass for group override objects"),
        'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
        'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules "
                                     "against the IPA server"),
        'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles "
                                              "rules against the IPA server when the last request did not find any "
                                              "rule"),
        'ipa_subid_ranges_search_base': _("Search base for SUBID ranges"),
        'ipa_access_order': _("Which rules should be used to evaluate access control"),
        'ipa_host_fqdn': _('The LDAP attribute that contains FQDN of the host.'),
        'ipa_host_object_class': _('The object class of a host entry in LDAP.'),
        'ipa_host_search_base': _('Use the given string as search base for host objects.'),
        'ipa_host_ssh_public_key': _('The LDAP attribute that contains the host\'s SSH public keys.'),
        'ipa_netgroup_domain': _('The LDAP attribute that contains NIS domain name of the netgroup.'),
        'ipa_netgroup_member': _('The LDAP attribute that contains the names of the netgroup\'s members.'),
        'ipa_netgroup_member_ext_host': _('The LDAP attribute that lists FQDNs of hosts and host groups that are '
                                          'members of the netgroup.'),
        'ipa_netgroup_member_host': _('The LDAP attribute that lists hosts and host groups that are direct members of '
                                      'the netgroup.'),
        'ipa_netgroup_member_of': _('The LDAP attribute that lists netgroup\'s memberships.'),
        'ipa_netgroup_member_user': _('The LDAP attribute that lists system users and groups that are direct members '
                                      'of the netgroup.'),
        'ipa_netgroup_name': _('The LDAP attribute that corresponds to the netgroup name.'),
        'ipa_netgroup_object_class': _('The object class of a netgroup entry in LDAP.'),
        'ipa_netgroup_uuid': _('The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object.'),
        'ipa_selinux_usermap_enabled': _('The LDAP attribute that contains whether or not is user map enabled for '
                                         'usage.'),
        'ipa_selinux_usermap_host_category': _('The LDAP attribute that contains host category such as \'all\'.'),
        'ipa_selinux_usermap_member_host': _('The LDAP attribute that contains all hosts / hostgroups this rule match '
                                             'against.'),
        'ipa_selinux_usermap_member_user': _('The LDAP attribute that contains all users / groups this rule match '
                                             'against.'),
        'ipa_selinux_usermap_name': _('The LDAP attribute that contains the name of SELinux usermap.'),
        'ipa_selinux_usermap_object_class': _('The object class of a host entry in LDAP.'),
        'ipa_selinux_usermap_see_also': _('The LDAP attribute that contains DN of HBAC rule which can be used for '
                                          'matching instead of memberUser and memberHost.'),
        'ipa_selinux_usermap_selinux_user': _('The LDAP attribute that contains SELinux user string itself.'),
        'ipa_selinux_usermap_user_category': _('The LDAP attribute that contains user category such as \'all\'.'),
        'ipa_selinux_usermap_uuid': _('The LDAP attribute that contains unique ID of the user map.'),
        'ipa_server_mode': _('The option denotes that the SSSD is running on IPA server and should perform lookups of '
                             'users and groups from trusted domains differently.'),
        'ipa_subdomains_search_base': _('Use the given string as search base for trusted domains.'),

        # [provider/ad]
        'ad_domain': _('Active Directory domain'),
        'ad_enabled_domains': _('Enabled Active Directory domains'),
        'ad_server': _('Active Directory server address'),
        'ad_backup_server': _('Active Directory backup server address'),
        'ad_hostname': _('Active Directory client hostname'),
        'ad_enable_dns_sites': _('Enable DNS sites - location based service discovery'),
        'ad_access_filter': _('LDAP filter to determine access privileges'),
        'ad_enable_gc': _('Whether to use the Global Catalog for lookups'),
        'ad_gpo_access_control': _('Operation mode for GPO-based access control'),
        'ad_gpo_cache_timeout': _("The amount of time between lookups of the GPO policy files against the AD server"),
        'ad_gpo_map_interactive': _('PAM service names that map to the GPO (Deny)InteractiveLogonRight '
                                    'policy settings'),
        'ad_gpo_map_remote_interactive': _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight '
                                           'policy settings'),
        'ad_gpo_map_network': _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
        'ad_gpo_map_batch': _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
        'ad_gpo_map_service': _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
        'ad_gpo_map_permit': _('PAM service names for which GPO-based access is always granted'),
        'ad_gpo_map_deny': _('PAM service names for which GPO-based access is always denied'),
        'ad_gpo_default_right': _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
        'ad_site': _('a particular site to be used by the client'),
        'ad_maximum_machine_account_password_age': _('Maximum age in days before the machine account password should '
                                                     'be renewed'),
        'ad_machine_account_password_renewal_opts': _('Option for tuning the machine account renewal task'),
        'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba '
                                                      'database'),
        'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'),
        'ad_allow_remote_domain_local_groups': _('Do not filter domain local groups from other domains'),

        # [provider/krb5]
        'krb5_kdcip': _('Kerberos server address'),
        'krb5_server': _('Kerberos server address'),
        'krb5_backup_server': _('Kerberos backup server address'),
        'krb5_realm': _('Kerberos realm'),
        'krb5_auth_timeout': _('Authentication timeout'),
        'krb5_use_kdcinfo': _('Whether to create kdcinfo files'),
        'krb5_confd_path': _('Where to drop krb5 config snippets'),

        # [provider/krb5/auth]
        'krb5_ccachedir': _('Directory to store credential caches'),
        'krb5_ccname_template': _("Location of the user's credential cache"),
        'krb5_keytab': _("Location of the keytab to validate credentials"),
        'krb5_validate': _("Enable credential validation"),
        'krb5_store_password_if_offline': _("Store password if offline for later online authentication"),
        'krb5_renewable_lifetime': _("Renewable lifetime of the TGT"),
        'krb5_lifetime': _("Lifetime of the TGT"),
        'krb5_renew_interval': _("Time between two checks for renewal"),
        'krb5_use_fast': _("Enables FAST"),
        'krb5_fast_principal': _("Selects the principal to use for FAST"),
        'krb5_fast_use_anonymous_pkinit': _("Use anonymous PKINIT to request FAST credentials"),
        'krb5_canonicalize': _("Enables principal canonicalization"),
        'krb5_use_enterprise_principal': _("Enables enterprise principals"),
        'krb5_use_subdomain_realm': _("Enables using of subdomains realms for authentication"),
        'krb5_map_user': _('A mapping from user names to Kerberos principal names'),

        # [provider/krb5/chpass]
        'krb5_kpasswd': _('Server where the change password service is running if not on the KDC'),
        'krb5_backup_kpasswd': _('Server where the change password service is running if not on the KDC'),

        # [provider/ldap]
        'ldap_uri': _('ldap_uri, The URI of the LDAP server'),
        'ldap_backup_uri': _('ldap_backup_uri, The URI of the LDAP server'),
        'ldap_search_base': _('The default base DN'),
        'ldap_schema': _('The Schema Type in use on the LDAP server, rfc2307'),
        'ldap_pwmodify_mode': _('Mode used to change user password'),
        'ldap_default_bind_dn': _('The default bind DN'),
        'ldap_default_authtok_type': _('The type of the authentication token of the default bind DN'),
        'ldap_default_authtok': _('The authentication token of the default bind DN'),
        'ldap_network_timeout': _('Length of time to attempt connection'),
        'ldap_opt_timeout': _('Length of time to attempt synchronous LDAP operations'),
        'ldap_offline_timeout': _('Length of time between attempts to reconnect while offline'),
        'ldap_force_upper_case_realm': _('Use only the upper case for realm names'),
        'ldap_tls_cacert': _('File that contains CA certificates'),
        'ldap_tls_cacertdir': _('Path to CA certificate directory'),
        'ldap_tls_cert': _('File that contains the client certificate'),
        'ldap_tls_key': _('File that contains the client key'),
        'ldap_tls_cipher_suite': _('List of possible ciphers suites'),
        'ldap_tls_reqcert': _('Require TLS certificate verification'),
        'ldap_sasl_mech': _('Specify the sasl mechanism to use'),
        'ldap_sasl_authid': _('Specify the sasl authorization id to use'),
        'ldap_sasl_realm': _('Specify the sasl authorization realm to use'),
        'ldap_sasl_minssf': _('Specify the minimal SSF for LDAP sasl authorization'),
        'ldap_sasl_maxssf': _('Specify the maximal SSF for LDAP sasl authorization'),
        'ldap_krb5_keytab': _('Kerberos service keytab'),
        'ldap_krb5_init_creds': _('Use Kerberos auth for LDAP connection'),
        'ldap_referrals': _('Follow LDAP referrals'),
        'ldap_krb5_ticket_lifetime': _('Lifetime of TGT for LDAP connection'),
        'ldap_deref': _('How to dereference aliases'),
        'ldap_dns_service_name': _('Service name for DNS service lookups'),
        'ldap_page_size': _('The number of records to retrieve in a single LDAP query'),
        'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'),
        'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),
        'ldap_sasl_canonicalize': _('Whether the LDAP library should perform a reverse lookup to canonicalize the '
                                    'host name during a SASL bind'),
        'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for '
                                                  'servers that use the RFC2307 schema.'),

        'ldap_entry_usn': _('entryUSN attribute'),
        'ldap_rootdse_last_usn': _('lastUSN attribute'),

        'ldap_connection_expiration_timeout': _('How long to retain a connection to the LDAP server before '
                                                'disconnecting'),

        'ldap_disable_paging': _('Disable the LDAP paging control'),
        'ldap_disable_range_retrieval': _('Disable Active Directory range retrieval'),

        # [provider/ldap/id]
        'ldap_search_timeout': _('Length of time to wait for a search request'),
        'ldap_enumeration_search_timeout': _('Length of time to wait for a enumeration request'),
        'ldap_enumeration_refresh_timeout': _('Length of time between enumeration updates'),
        'ldap_enumeration_refresh_offset': _('Maximum period deviation between enumeration updates'),
        'ldap_purge_cache_timeout': _('Length of time between cache cleanups'),
        'ldap_purge_cache_offset': _('Maximum time deviation between cache cleanups'),
        'ldap_id_use_start_tls': _('Require TLS for ID lookups'),
        'ldap_id_mapping': _('Use ID-mapping of objectSID instead of pre-set IDs'),
        'ldap_user_search_base': _('Base DN for user lookups'),
        'ldap_user_search_scope': _('Scope of user lookups'),
        'ldap_user_search_filter': _('Filter for user lookups'),
        'ldap_user_object_class': _('Objectclass for users'),
        'ldap_user_name': _('Username attribute'),
        'ldap_user_uid_number': _('UID attribute'),
        'ldap_user_gid_number': _('Primary GID attribute'),
        'ldap_user_gecos': _('GECOS attribute'),
        'ldap_user_home_directory': _('Home directory attribute'),
        'ldap_user_shell': _('Shell attribute'),
        'ldap_user_uuid': _('UUID attribute'),
        'ldap_user_objectsid': _("objectSID attribute"),
        'ldap_user_primary_group': _('Active Directory primary group attribute for ID-mapping'),
        'ldap_user_principal': _('User principal attribute (for Kerberos)'),
        'ldap_user_fullname': _('Full Name'),
        'ldap_user_member_of': _('memberOf attribute'),
        'ldap_user_modify_timestamp': _('Modification time attribute'),
        'ldap_user_shadow_last_change': _('shadowLastChange attribute'),
        'ldap_user_shadow_min': _('shadowMin attribute'),
        'ldap_user_shadow_max': _('shadowMax attribute'),
        'ldap_user_shadow_warning': _('shadowWarning attribute'),
        'ldap_user_shadow_inactive': _('shadowInactive attribute'),
        'ldap_user_shadow_expire': _('shadowExpire attribute'),
        'ldap_user_shadow_flag': _('shadowFlag attribute'),
        'ldap_user_authorized_service': _('Attribute listing authorized PAM services'),
        'ldap_user_authorized_host': _('Attribute listing authorized server hosts'),
        'ldap_user_authorized_rhost': _('Attribute listing authorized server rhosts'),
        'ldap_user_krb_last_pwd_change': _('krbLastPwdChange attribute'),
        'ldap_user_krb_password_expiration': _('krbPasswordExpiration attribute'),
        'ldap_pwd_attribute': _('Attribute indicating that server side password policies are active'),
        'ldap_user_ad_account_expires': _('accountExpires attribute of AD'),
        'ldap_user_ad_user_account_control': _('userAccountControl attribute of AD'),
        'ldap_ns_account_lock': _('nsAccountLock attribute'),
        'ldap_user_nds_login_disabled': _('loginDisabled attribute of NDS'),
        'ldap_user_nds_login_expiration_time': _('loginExpirationTime attribute of NDS'),
        'ldap_user_nds_login_allowed_time_map': _('loginAllowedTimeMap attribute of NDS'),
        'ldap_user_ssh_public_key': _('SSH public key attribute'),
        'ldap_user_auth_type': _('attribute listing allowed authentication types for a user'),
        'ldap_user_certificate': _('attribute containing the X509 certificate of the user'),
        'ldap_user_email': _('attribute containing the email address of the user'),
        'ldap_user_passkey': _('attribute containing the passkey mapping data of the user'),
        'ldap_user_extra_attrs': _('A list of extra attributes to download along with the user entry'),

        'ldap_group_search_base': _('Base DN for group lookups'),
        'ldap_group_object_class': _('Objectclass for groups'),
        'ldap_group_name': _('Group name'),
        'ldap_group_pwd': _('Group password'),
        'ldap_group_gid_number': _('GID attribute'),
        'ldap_group_member': _('Group member attribute'),
        'ldap_group_uuid': _('Group UUID attribute'),
        'ldap_group_objectsid': _("objectSID attribute"),
        'ldap_group_modify_timestamp': _('Modification time attribute for groups'),
        'ldap_group_type': _('Type of the group and other flags'),
        'ldap_group_external_member': _('The LDAP group external member attribute'),
        'ldap_group_nesting_level': _('Maximum nesting level SSSD will follow'),
        'ldap_group_search_filter': _('Filter for group lookups'),
        'ldap_group_search_scope': _('Scope of group lookups'),

        'ldap_netgroup_search_base': _('Base DN for netgroup lookups'),
        'ldap_netgroup_object_class': _('Objectclass for netgroups'),
        'ldap_netgroup_name': _('Netgroup name'),
        'ldap_netgroup_member': _('Netgroups members attribute'),
        'ldap_netgroup_triple': _('Netgroup triple attribute'),
        'ldap_netgroup_modify_timestamp': _('Modification time attribute for netgroups'),

        'ldap_service_search_base': _('Base DN for service lookups'),
        'ldap_service_object_class': _('Objectclass for services'),
        'ldap_service_name': _('Service name attribute'),
        'ldap_service_port': _('Service port attribute'),
        'ldap_service_proto': _('Service protocol attribute'),

        'ldap_idmap_range_min': _('Lower bound for ID-mapping'),
        'ldap_idmap_range_max': _('Upper bound for ID-mapping'),
        'ldap_idmap_range_size': _('Number of IDs for each slice when ID-mapping'),
        'ldap_idmap_autorid_compat': _('Use autorid-compatible algorithm for ID-mapping'),
        'ldap_idmap_default_domain': _('Name of the default domain for ID-mapping'),
        'ldap_idmap_default_domain_sid': _('SID of the default domain for ID-mapping'),
        'ldap_idmap_helper_table_size': _('Number of secondary slices'),

        'ldap_use_tokengroups': _('Whether to use Token-Groups'),
        'ldap_min_id': _('Set lower boundary for allowed IDs from the LDAP server'),
        'ldap_max_id': _('Set upper boundary for allowed IDs from the LDAP server'),
        'ldap_pwdlockout_dn': _('DN for ppolicy queries'),
        'wildcard_limit': _('How many maximum entries to fetch during a wildcard request'),
        'ldap_library_debug_level': _('Set libldap debug level'),

        # [provider/ldap/auth]
        'ldap_pwd_policy': _('Policy to evaluate the password expiration'),

        # [provider/ldap/access]
        'ldap_access_filter': _('LDAP filter to determine access privileges'),
        'ldap_account_expire_policy': _('Which attributes shall be used to evaluate if an account is expired'),
        'ldap_access_order': _('Which rules should be used to evaluate access control'),

        # [provider/ldap/chpass]
        'ldap_chpass_uri': _('URI of an LDAP server where password changes are allowed'),
        'ldap_chpass_backup_uri': _('URI of a backup LDAP server where password changes are allowed'),
        'ldap_chpass_dns_service_name': _('DNS service name for LDAP password change server'),
        'ldap_chpass_update_last_change': _('Whether to update the ldap_user_shadow_last_change attribute after a '
                                            'password change'),

        # [provider/ldap/sudo]
        'ldap_sudo_search_base': _('Base DN for sudo rules lookups'),
        'ldap_sudo_full_refresh_interval': _('Automatic full refresh period'),
        'ldap_sudo_smart_refresh_interval': _('Automatic smart refresh period'),
        'ldap_sudo_random_offset': _('Smart and full refresh random offset'),
        'ldap_sudo_use_host_filter': _('Whether to filter rules by hostname, IP addresses and network'),
        'ldap_sudo_hostnames': _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
        'ldap_sudo_ip': _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
        'ldap_sudo_include_netgroups': _('Whether to include rules that contains netgroup in host attribute'),
        'ldap_sudo_include_regexp': _('Whether to include rules that contains regular expression in host attribute'),
        'ldap_sudorule_object_class': _('Object class for sudo rules'),
        'ldap_sudorule_object_class_attr': _('Name of attribute that is used as object class for sudo rules'),
        'ldap_sudorule_name': _('Sudo rule name'),
        'ldap_sudorule_command': _('Sudo rule command attribute'),
        'ldap_sudorule_host': _('Sudo rule host attribute'),
        'ldap_sudorule_user': _('Sudo rule user attribute'),
        'ldap_sudorule_option': _('Sudo rule option attribute'),
        'ldap_sudorule_runas': _('Sudo rule runas attribute'),
        'ldap_sudorule_runasuser': _('Sudo rule runasuser attribute'),
        'ldap_sudorule_runasgroup': _('Sudo rule runasgroup attribute'),
        'ldap_sudorule_notbefore': _('Sudo rule notbefore attribute'),
        'ldap_sudorule_notafter': _('Sudo rule notafter attribute'),
        'ldap_sudorule_order': _('Sudo rule order attribute'),

        # [provider/ldap/autofs]
        'ldap_autofs_map_object_class': _('Object class for automounter maps'),
        'ldap_autofs_map_name': _('Automounter map name attribute'),
        'ldap_autofs_entry_object_class': _('Object class for automounter map entries'),
        'ldap_autofs_entry_key': _('Automounter map entry key attribute'),
        'ldap_autofs_entry_value': _('Automounter map entry value attribute'),
        'ldap_autofs_search_base': _('Base DN for automounter map lookups'),
        'ldap_autofs_map_master_name': _('The name of the automount master map in LDAP.'),

        # [provider/ldap/resolver]
        'ldap_iphost_search_base': _('Base DN for IP hosts lookups'),
        'ldap_iphost_object_class': _('Object class for IP hosts'),
        'ldap_iphost_name': _('IP host name attribute'),
        'ldap_iphost_number': _('IP host number (address) attribute'),
        'ldap_iphost_entry_usn': _('IP host entryUSN attribute'),
        'ldap_ipnetwork_search_base': _('Base DN for IP networks lookups'),
        'ldap_ipnetwork_object_class': _('Object class for IP networks'),
        'ldap_ipnetwork_name': _('IP network name attribute'),
        'ldap_ipnetwork_number': _('IP network number (address) attribute'),
        'ldap_ipnetwork_entry_usn': _('IP network entryUSN attribute'),

        # [provider/simple/access]
        'simple_allow_users': _('Comma separated list of allowed users'),
        'simple_deny_users': _('Comma separated list of prohibited users'),
        'simple_allow_groups': _('Comma separated list of groups that are allowed to log in. This applies only to '
                                 'groups within this SSSD domain. Local groups are not evaluated.'),
        'simple_deny_groups': _('Comma separated list of groups that are explicitly denied access. This applies only '
                                'to groups within this SSSD domain. Local groups are not evaluated.'),

        # [provider/proxy]
        'proxy_max_children': _('The number of preforked proxy children.'),

        # [provider/proxy/id]
        'proxy_lib_name': _('The name of the NSS library to use'),
        'proxy_resolver_lib_name': _('The name of the NSS library to use for hosts and networks lookups'),
        'proxy_fast_alias': _('Whether to look up canonical group name from cache if possible'),

        # [provider/proxy/auth]
        'proxy_pam_target': _('PAM stack to use'),

        # [provider/files]
        'passwd_files': _('Path of passwd file sources.'),
        'group_files': _('Path of group file sources.')
    }