summaryrefslogtreecommitdiff
path: root/gnu/services/authentication.scm
diff options
context:
space:
mode:
authorAttila Lendvai <attila@lendvai.name>2022-05-17 13:39:28 +0200
committerLudovic Courtès <ludo@gnu.org>2022-06-15 00:25:21 +0200
commit8cb1a49a3998c39f315a4199b7d4a121a6d66449 (patch)
tree6467f9cb21bc9f60b6f2a2f561d690b5cfdb3b3d /gnu/services/authentication.scm
parente11517052b1bbd9fa06891ad0b13b24494db757e (diff)
services: configuration: Use *unspecified* instead of 'disabled.
Use *unspecified* as a marker for field values that have not been set. Rationale: 'disabled may easily clash with user values for boolean fields, is confusing (i.e. its meaning is *not* boolean false, but unspecified) and it also passes silently through the symbol? predicate of a field of type symbol. * gnu/services/configuration.scm (configuration-missing-default-value): Renamed from configuration-no-default-value. (define-maybe-helper): Use *unspecified* instead of 'disabled, and make the default value optional. * gnu/home/services/desktop.scm (home-redshift-configuration): Change (maybe-xyz 'disabled) to maybe-xyz. * gnu/services/authentication.scm (nslcd-configuration): Likewise. * gnu/services/cgit.scm (repository-cgit-configuration): Likewise. * gnu/services/file-sharing.scm (serialize-maybe-string) (serialize-maybe-file-object): Use 'unspecified?' instead of (eq? val 'disabled). * gnu/services/messaging.scm (raw-content?): Likewise. (ssl-configuration): Change (maybe-xyz 'disabled) to maybe-xyz. (prosody-configuration): Likewise. * gnu/services/file-sharing.scm (transmission-daemon-configuration): Likewise. * gnu/services/messaging.scm (define-all-configurations): Use *unspecified* instead of 'disabled'. * gnu/services/networking.scm (opendht-configuration): Likewise. * gnu/services/pm.scm (tlp-configuration): Likewise. * gnu/services/telephony.scm (jami-account): Likewise. (jami-configuration): Likewise. * gnu/services/vpn.scm (openvpn-client-configuration): Likewise. * tests/services/configuration.scm ("maybe type, no default") ("maybe type, with default"): New tests. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/services/authentication.scm')
-rw-r--r--gnu/services/authentication.scm82
1 files changed, 41 insertions, 41 deletions
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index cb0ef6d85a..f7becdfafb 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -218,7 +218,7 @@
;; Runtime options
(threads
- (maybe-number 'disabled)
+ maybe-number
"The number of threads to start that can handle requests and perform LDAP
queries. Each thread opens a separate connection to the LDAP server. The
default is to start 5 threads.")
@@ -243,45 +243,45 @@ messages with the specified log level or higher are logged.")
"The list of LDAP server URIs. Normally, only the first server will be
used with the following servers as fall-back.")
(ldap-version
- (maybe-string 'disabled)
+ maybe-string
"The version of the LDAP protocol to use. The default is to use the
maximum version supported by the LDAP library.")
(binddn
- (maybe-string 'disabled)
+ maybe-string
"Specifies the distinguished name with which to bind to the directory
server for lookups. The default is to bind anonymously.")
(bindpw
- (maybe-string 'disabled)
+ maybe-string
"Specifies the credentials with which to bind. This option is only
applicable when used with binddn.")
(rootpwmoddn
- (maybe-string 'disabled)
+ maybe-string
"Specifies the distinguished name to use when the root user tries to modify
a user's password using the PAM module.")
(rootpwmodpw
- (maybe-string 'disabled)
+ maybe-string
"Specifies the credentials with which to bind if the root user tries to
change a user's password. This option is only applicable when used with
rootpwmoddn")
;; SASL authentication options
(sasl-mech
- (maybe-string 'disabled)
+ maybe-string
"Specifies the SASL mechanism to be used when performing SASL
authentication.")
(sasl-realm
- (maybe-string 'disabled)
+ maybe-string
"Specifies the SASL realm to be used when performing SASL authentication.")
(sasl-authcid
- (maybe-string 'disabled)
+ maybe-string
"Specifies the authentication identity to be used when performing SASL
authentication.")
(sasl-authzid
- (maybe-string 'disabled)
+ maybe-string
"Specifies the authorization identity to be used when performing SASL
authentication.")
(sasl-canonicalize?
- (maybe-boolean 'disabled)
+ maybe-boolean
"Determines whether the LDAP server host name should be canonicalised. If
this is enabled the LDAP library will do a reverse host name lookup. By
default, it is left up to the LDAP library whether this check is performed or
@@ -289,7 +289,7 @@ not.")
;; Kerberos authentication options
(krb5-ccname
- (maybe-string 'disabled)
+ maybe-string
"Set the name for the GSS-API Kerberos credentials cache.")
;; Search / mapping options
@@ -302,11 +302,11 @@ not.")
default scope is subtree; base scope is almost never useful for name service
lookups; children scope is not supported on all servers.")
(deref
- (maybe-deref-option 'disabled)
+ maybe-deref-option
"Specifies the policy for dereferencing aliases. The default policy is to
never dereference aliases.")
(referrals
- (maybe-boolean 'disabled)
+ maybe-boolean
"Specifies whether automatic referral chasing should be enabled. The
default behaviour is to chase referrals.")
(maps
@@ -322,132 +322,132 @@ applies and an LDAP search filter expression.")
;; Timing / reconnect options
(bind-timelimit
- (maybe-number 'disabled)
+ maybe-number
"Specifies the time limit in seconds to use when connecting to the
directory server. The default value is 10 seconds.")
(timelimit
- (maybe-number 'disabled)
+ maybe-number
"Specifies the time limit (in seconds) to wait for a response from the LDAP
server. A value of zero, which is the default, is to wait indefinitely for
searches to be completed.")
(idle-timelimit
- (maybe-number 'disabled)
+ maybe-number
"Specifies the period if inactivity (in seconds) after which the con‐
nection to the LDAP server will be closed. The default is not to time out
connections.")
(reconnect-sleeptime
- (maybe-number 'disabled)
+ maybe-number
"Specifies the number of seconds to sleep when connecting to all LDAP
servers fails. By default one second is waited between the first failure and
the first retry.")
(reconnect-retrytime
- (maybe-number 'disabled)
+ maybe-number
"Specifies the time after which the LDAP server is considered to be
permanently unavailable. Once this time is reached retries will be done only
once per this time period. The default value is 10 seconds.")
;; TLS options
(ssl
- (maybe-ssl-option 'disabled)
+ maybe-ssl-option
"Specifies whether to use SSL/TLS or not (the default is not to). If
'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.")
(tls-reqcert
- (maybe-tls-reqcert-option 'disabled)
+ maybe-tls-reqcert-option
"Specifies what checks to perform on a server-supplied certificate.
The meaning of the values is described in the ldap.conf(5) manual page.")
(tls-cacertdir
- (maybe-string 'disabled)
+ maybe-string
"Specifies the directory containing X.509 certificates for peer authen‐
tication. This parameter is ignored when using GnuTLS.")
(tls-cacertfile
- (maybe-string 'disabled)
+ maybe-string
"Specifies the path to the X.509 certificate for peer authentication.")
(tls-randfile
- (maybe-string 'disabled)
+ maybe-string
"Specifies the path to an entropy source. This parameter is ignored when
using GnuTLS.")
(tls-ciphers
- (maybe-string 'disabled)
+ maybe-string
"Specifies the ciphers to use for TLS as a string.")
(tls-cert
- (maybe-string 'disabled)
+ maybe-string
"Specifies the path to the file containing the local certificate for client
TLS authentication.")
(tls-key
- (maybe-string 'disabled)
+ maybe-string
"Specifies the path to the file containing the private key for client TLS
authentication.")
;; Other options
(pagesize
- (maybe-number 'disabled)
+ maybe-number
"Set this to a number greater than 0 to request paged results from the LDAP
server in accordance with RFC2696. The default (0) is to not request paged
results.")
(nss-initgroups-ignoreusers
- (maybe-ignore-users-option 'disabled)
+ maybe-ignore-users-option
"This option prevents group membership lookups through LDAP for the
specified users. Alternatively, the value 'all-local may be used. With that
value nslcd builds a full list of non-LDAP users on startup.")
(nss-min-uid
- (maybe-number 'disabled)
+ maybe-number
"This option ensures that LDAP users with a numeric user id lower than the
specified value are ignored.")
(nss-uid-offset
- (maybe-number 'disabled)
+ maybe-number
"This option specifies an offset that is added to all LDAP numeric user
ids. This can be used to avoid user id collisions with local users.")
(nss-gid-offset
- (maybe-number 'disabled)
+ maybe-number
"This option specifies an offset that is added to all LDAP numeric group
ids. This can be used to avoid user id collisions with local groups.")
(nss-nested-groups
- (maybe-boolean 'disabled)
+ maybe-boolean
"If this option is set, the member attribute of a group may point to
another group. Members of nested groups are also returned in the higher level
group and parent groups are returned when finding groups for a specific user.
The default is not to perform extra searches for nested groups.")
(nss-getgrent-skipmembers
- (maybe-boolean 'disabled)
+ maybe-boolean
"If this option is set, the group member list is not retrieved when looking
up groups. Lookups for finding which groups a user belongs to will remain
functional so the user will likely still get the correct groups assigned on
login.")
(nss-disable-enumeration
- (maybe-boolean 'disabled)
+ maybe-boolean
"If this option is set, functions which cause all user/group entries to be
loaded from the directory will not succeed in doing so. This can dramatically
reduce LDAP server load in situations where there are a great number of users
and/or groups. This option is not recommended for most configurations.")
(validnames
- (maybe-string 'disabled)
+ maybe-string
"This option can be used to specify how user and group names are verified
within the system. This pattern is used to check all user and group names
that are requested and returned from LDAP.")
(ignorecase
- (maybe-boolean 'disabled)
+ maybe-boolean
"This specifies whether or not to perform searches using case-insensitive
matching. Enabling this could open up the system to authorization bypass
vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow
denial of service.")
(pam-authc-ppolicy
- (maybe-boolean 'disabled)
+ maybe-boolean
"This option specifies whether password policy controls are requested and
handled from the LDAP server when performing user authentication.")
(pam-authc-search
- (maybe-string 'disabled)
+ maybe-string
"By default nslcd performs an LDAP search with the user's credentials after
BIND (authentication) to ensure that the BIND operation was successful. The
default search is a simple check to see if the user's DN exists. A search
filter can be specified that will be used instead. It should return at least
one entry.")
(pam-authz-search
- (maybe-string 'disabled)
+ maybe-string
"This option allows flexible fine tuning of the authorisation check that
should be performed. The search filter specified is executed and if any
entries match, access is granted, otherwise access is denied.")
(pam-password-prohibit-message
- (maybe-string 'disabled)
+ maybe-string
"If this option is set password modification using pam_ldap will be denied
and the specified message will be presented to the user instead. The message
can be used to direct the user to an alternative means of changing their