author Sergey Poznyakoff <gray@gnu.org.ua> 2015-01-30 12:45:25 (GMT)
committer Sergey Poznyakoff <gray@gnu.org.ua> 2015-01-30 12:45:25 (GMT)
commit 30d6e72e175e1733b16860906550a24aca92440f
tree 6e5dbb23fe8adf8d67cc9cd8036fc15248d74c7f
parent 946c85c169be274811cc60297be0172645835c34
Document user-keys-boundary
Diffstat
-rw-r--r-- NEWS 18
-rw-r--r-- doc/pam-modules.texi 19
-rw-r--r-- doc/pam_ldaphome.8in 15
3 files changed, 50 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 5cb954e..79dbb71 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-pam-modules -- history of user-visible changes. 2015-01-28
+pam-modules -- history of user-visible changes. 2015-01-30
Copyright (C) 2001, 2004-2005, 2007-2012, 2015 Sergey Poznyakoff
See the end of file for copying conditions.
@@ -16,6 +16,22 @@ This is in addition to its regular configuration file.
To run the command with root privileges, the configuration
variable initrc-root must be set to true.
+* New pam_ldaphome variable: user-keys-boundary
+
+User key files can contain both keys managed by pam_ldaphome and
+added by the user. These two groups of keys must be separated by
+a special comment line, which informs pam_ldaphome that all keys
+below it must be retained.
+
+This feature is enabled by the user-keys-boundary configuration
+setting. Its value defines a string which, when used after a
+'#' character, forms the delimiting comment. E.g. if the
+configuration file contains:
+
+ user-keys-boundary :user
+
+then the line '#:user' can be used to delimit ldap-synchronized
+and user-specific keys.
Version 1.9, 2014-05-21
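Review bot: The example in the new NEWS entry sets "user-keys-boundary :user" and names the delimiter '#:user', while the same example in doc/pam-modules.texi and doc/pam_ldaphome.8in in this commit uses ':user-defined' and '#:user-defined'. Use one value in all three places so that a reader comparing the documents does not take them for different settings. The opening sentence would also read better as "both keys managed by pam_ldaphome and keys added by the user".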
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index be28285..a37a8ae 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1338,6 +1338,25 @@ later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}.
Sets the mode (octal) for the created authorized keys file.
@end deffn
+@deffn {pam_ldaphome config} user-keys-boundary @var{string}
+User key files can contain both keys managed by @command{pam_ldaphome}
+and added by the user. These two groups of keys must be separated by
+a special comment line, which informs the module that all keys
+below it must be retained.
+
+This feature is enabled by the @code{user-keys-boundary} setting.
+The delimiting comment is formed as @samp{#@var{string}}. E.g. if the
+configuration file contains:
+
+@example
+user-keys-boundary :user-defined
+@end example
+
+@noindent
+then the line @samp{#:user-defined} can be used to delimit
+ldap-synchronized and user-specific keys.
+@end deffn
+
@subheading Access control
@deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...]
Only handle members of the listed groups.
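Review bot: The @deffn entry for user-keys-boundary says that keys below the delimiting line "must be retained", but does not spell out what that means for access control: as documented, a key placed below the boundary is kept across synchronization, so removing a user's key from LDAP does not remove a copy of it stored below that line. The entry should say so, and should also state what the module does when the setting is unset and when a key file contains no boundary line. The matching rule is left open as well: "formed as #string" does not say whether the line must match exactly, whereas the man page text in this commit says the '#' is "immediately followed by" the string.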
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index f85eb75..01b0a1c 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
.\" You should have received a copy of the GNU General Public License
.\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>.
.so config.so
-.TH PAM_LDAPHOME 8 "January 28, 2015" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "January 30, 2015" "PAM-MODULES" "Pam-Modules User Reference"
.SH NAME
pam_ldaphome \- create and populate user home directories
.SH SYNOPSIS
@@ -149,6 +149,19 @@ later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR.
.TP
.BI keyfile\-mode " MODE"
Defines the file mode (octal) for creation of authorized keys files.
+.TP
+.BI user\-keys\-boundary " STRING"
+User key files can contain both keys managed by \fBpam_ldaphome\fR and
+added by the user. These two groups of keys must be separated by
+a special comment line, which informs the module that all keys
+below it must be retained.
+
+This feature is enabled by the \fBuser\-keys\-boundary\fR setting.
+The delimiting comment is formed by \fB#\fR character immediately
+followed by \fISTRING\fR. E.g. if the configuration file contains
+.BR "user\-keys\-boundary :user-defined" ,
+then the line \fB#:user-defined\fR can be used to delimit ldap-synchronized
+and user-specific keys.
.SS Access control
.TP
\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...]
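Review bot: In the user\-keys\-boundary paragraph the example value is written with an unescaped hyphen, both in `.BR "user\-keys\-boundary :user-defined" ,` and in `\fB#:user-defined\fR`, while every other hyphen in this hunk is written `\-`. Escape it as `user\-defined` so the delimiter is typeset as a literal hyphen-minus and can be copied into a key file verbatim. The phrase "is formed by \fB#\fR character" is also missing an article ("by the \fB#\fR character").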
