Hacked By AnonymousFox

[rule/allowed_sections]
validator = ini_allowed_sections
section = sssd
section = nss
section = pam
section = sudo
section = autofs
section = ssh
section = pac
section = ifp
section = kcm
section = session_recording
section_re = ^prompting/password$
section_re = ^prompting/password/[^/\@]\+$
section_re = ^prompting/2fa$
section_re = ^prompting/2fa/[^/\@]\+$
section_re = ^prompting/passkey$
section_re = ^prompting/passkey/[^/\@]\+$
section_re = ^domain/[^/\@]\+$
section_re = ^domain/[^/\@]\+/[^/\@]\+$
section_re = ^application/[^/\@]\+$
section_re = ^certmap/[^/\@]\+/[^/\@]\+$


[rule/allowed_sssd_options]
validator = ini_allowed_options
section_re = ^sssd$

option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description

# Monitor service
option = services
option = domains
option = timeout
option = re_expression
option = full_name_format
option = krb5_rcache_dir
option = user
option = default_domain_suffix
option = certificate_verification
option = override_space
option = config_file_version
option = disable_netlink
option = enable_files_domain
option = domain_resolution_order
option = try_inotify
option = monitor_resolv_conf
option = implicit_pac_responder
option = core_dumpable
option = passkey_verification

[rule/allowed_nss_options]
validator = ini_allowed_options
section_re = ^nss$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# Name service
option = user_attributes
option = enum_cache_timeout
option = entry_cache_nowait_percentage
option = entry_negative_timeout
option = local_negative_timeout
option = filter_users
option = filter_groups
option = filter_users_in_groups
option = pwfield
option = override_homedir
option = fallback_homedir
option = homedir_substring
option = override_shell
option = allowed_shells
option = vetoed_shells
option = shell_fallback
option = default_shell
option = get_domains_timeout
option = memcache_timeout
option = memcache_size_passwd
option = memcache_size_group
option = memcache_size_initgroups

[rule/allowed_pam_options]
validator = ini_allowed_options
section_re = ^pam$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# Authentication service
option = offline_credentials_expiration
option = offline_failed_login_attempts
option = offline_failed_login_delay
option = pam_verbosity
option = pam_response_filter
option = pam_id_timeout
option = pam_pwd_expiration_warning
option = get_domains_timeout
option = pam_trusted_users
option = pam_public_domains
option = pam_account_expired_message
option = pam_account_locked_message
option = pam_cert_auth
option = pam_cert_db_path
option = pam_cert_verification
option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
option = p11_uri
option = pam_initgroups_scheme
option = pam_gssapi_services
option = pam_gssapi_check_upn
option = pam_gssapi_indicators_map
option = pam_passkey_auth
option = passkey_child_timeout
option = passkey_debug_libfido2

[rule/allowed_sudo_options]
validator = ini_allowed_options
section_re = ^sudo$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# sudo service
option = sudo_timed
option = sudo_inverse_order
option = sudo_threshold

[rule/allowed_autofs_options]
validator = ini_allowed_options
section_re = ^autofs$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# autofs service
option = autofs_negative_timeout

[rule/allowed_ssh_options]
validator = ini_allowed_options
section_re = ^ssh$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# ssh service
option = ssh_hash_known_hosts
option = ssh_known_hosts_timeout
option = ca_db
option = ssh_use_certificate_keys
option = ssh_use_certificate_matching_rules

[rule/allowed_pac_options]
validator = ini_allowed_options
section_re = ^pac$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# PAC responder
option = allowed_uids
option = pac_lifetime
option = pac_check

[rule/allowed_ifp_options]
validator = ini_allowed_options
section_re = ^ifp$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = responder_idle_timeout
option = cache_first

# InfoPipe responder
option = allowed_uids
option = user_attributes

# KCM responder
[rule/allowed_kcm_options]
validator = ini_allowed_options
section_re = ^kcm$

option = timeout
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description
option = socket_path
option = ccache_storage
option = responder_idle_timeout
option = max_ccaches
option = max_uid_ccaches
option = max_ccache_size
option = tgt_renewal
option = tgt_renewal_inherit
option = krb5_lifetime
option = krb5_renewable_lifetime
option = krb5_renew_interval
option = krb5_validate
option = krb5_canonicalize
option = krb5_auth_timeout

# Session recording
[rule/allowed_session_recording_options]
validator = ini_allowed_options
section_re = ^session_recording$

option = scope
option = users
option = groups
option = exclude_users
option = exclude_groups

# Prompting during authentication
[rule/allowed_prompting_password_options]
validator = ini_allowed_options
section_re = ^prompting/password$

option = password_prompt

[rule/allowed_prompting_2fa_options]
validator = ini_allowed_options
section_re = ^prompting/2fa$

option = single_prompt
option = first_prompt
option = second_prompt

[rule/allowed_prompting_passkey_options]
validator = ini_allowed_options
section_re = ^prompting/passkey$

option = interactive
option = interactive_prompt
option = touch
option = touch_prompt

[rule/allowed_prompting_password_subsec_options]
validator = ini_allowed_options
section_re = ^prompting/password/[^/\@]\+$

option = password_prompt

[rule/allowed_prompting_2fa_subsec_options]
validator = ini_allowed_options
section_re = ^prompting/2fa/[^/\@]\+$

option = single_prompt
option = first_prompt
option = second_prompt

[rule/allowed_prompting_passkey_subsec_options]
validator = ini_allowed_options
section_re = ^prompting/passkey/[^/\@]\+$

option = interactive
option = interactive_prompt
option = touch
option = touch_prompt

[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^\(domain\|application\)/[^/]\+$

option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_backtrace_enabled
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = description

#Available provider types
option = id_provider
option = auth_provider
option = access_provider
option = chpass_provider
option = sudo_provider
option = autofs_provider
option = hostid_provider
option = subdomains_provider
option = selinux_provider
option = session_provider
option = resolver_provider

# Options available to all domains
option = enabled
option = domain_type
option = min_id
option = max_id
option = timeout
option = enumerate
option = subdomain_enumerate
option = offline_timeout
option = offline_timeout_max
option = offline_timeout_random_offset
option = cache_credentials
option = cache_credentials_minimal_first_factor_length
option = use_fully_qualified_names
option = ignore_group_members
option = entry_cache_timeout
option = lookup_family_order
option = account_cache_expiration
option = pwd_expiration_warning
option = filter_users
option = filter_groups
option = dns_resolver_server_timeout
option = dns_resolver_op_timeout
option = dns_resolver_timeout
option = dns_resolver_use_search_list
option = dns_discovery_domain
option = override_gid
option = case_sensitive
option = override_homedir
option = fallback_homedir
option = homedir_substring
option = override_shell
option = default_shell
option = description
option = realmd_tags
option = subdomain_refresh_interval
option = subdomain_refresh_interval_offset
option = subdomain_inherit
option = subdomain_homedir
option = cached_auth_timeout
option = wildcard_limit
option = full_name_format
option = re_expression
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
option = pam_gssapi_indicators_map
option = local_auth_policy

#Entry cache timeouts
option = entry_cache_user_timeout
option = entry_cache_group_timeout
option = entry_cache_netgroup_timeout
option = entry_cache_service_timeout
option = entry_cache_autofs_timeout
option = entry_cache_sudo_timeout
option = entry_cache_ssh_host_timeout
option = entry_cache_computer_timeout
option = entry_cache_resolver_timeout
option = refresh_expired_interval
option = refresh_expired_interval_offset

# Dynamic DNS updates
option = dyndns_update
option = dyndns_ttl
option = dyndns_iface
option = dyndns_refresh_interval
option = dyndns_refresh_interval_offset
option = dyndns_update_ptr
option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_auth_ptr
option = dyndns_server

# files provider specific options
option = passwd_files
option = group_files
option = fallback_to_nss

# proxy provider specific options
option = proxy_lib_name
option = proxy_resolver_lib_name
option = proxy_fast_alias
option = proxy_pam_target
option = proxy_max_children

# simple access provider specific options
option = simple_allow_users
option = simple_deny_users
option = simple_allow_groups
option = simple_deny_groups

# AD provider specific options
option = ad_access_filter
option = ad_backup_server
option = ad_domain
option = ad_enable_dns_sites
option = ad_enabled_domains
option = ad_enable_gc
option = ad_gpo_access_control
option = ad_gpo_implicit_deny
option = ad_gpo_ignore_unreadable
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
option = ad_gpo_map_deny
option = ad_gpo_map_interactive
option = ad_gpo_map_network
option = ad_gpo_map_permit
option = ad_gpo_map_remote_interactive
option = ad_gpo_map_service
option = ad_hostname
option = ad_machine_account_password_renewal_opts
option = ad_maximum_machine_account_password_age
option = ad_server
option = ad_site
option = ad_update_samba_machine_account_password
option = ad_use_ldaps
option = ad_allow_remote_domain_local_groups

# IPA provider specific options
option = ipa_access_order
option = ipa_anchor_uuid
option = ipa_automount_location
option = ipa_backup_server
option = ipa_deskprofile_refresh
option = ipa_deskprofile_request_interval
option = ipa_deskprofile_search_base
option = ipa_subid_ranges_search_base
option = ipa_domain
option = ipa_dyndns_iface
option = ipa_dyndns_ttl
option = ipa_dyndns_update
option = ipa_enable_dns_sites
option = ipa_group_override_object_class
option = ipa_hbac_refresh
option = ipa_hbac_search_base
option = ipa_hbac_support_srchost
option = ipa_host_fqdn
option = ipa_hostgroup_memberof
option = ipa_hostgroup_member
option = ipa_hostgroup_name
option = ipa_hostgroup_objectclass
option = ipa_hostgroup_uuid
option = ipa_host_member_of
option = ipa_host_name
option = ipa_hostname
option = ipa_host_object_class
option = ipa_host_search_base
option = ipa_host_serverhostname
option = ipa_host_ssh_public_key
option = ipa_host_uuid
option = ipa_master_domain_search_base
option = ipa_netgroup_domain
option = ipa_netgroup_member_ext_host
option = ipa_netgroup_member_host
option = ipa_netgroup_member_of
option = ipa_netgroup_member
option = ipa_netgroup_member_user
option = ipa_netgroup_name
option = ipa_netgroup_object_class
option = ipa_netgroup_uuid
option = ipa_override_object_class
option = ipa_ranges_search_base
option = ipa_selinux_refresh
option = ipa_selinux_usermap_enabled
option = ipa_selinux_usermap_host_category
option = ipa_selinux_usermap_member_host
option = ipa_selinux_usermap_member_user
option = ipa_selinux_usermap_name
option = ipa_selinux_usermap_object_class
option = ipa_selinux_usermap_see_also
option = ipa_selinux_usermap_selinux_user
option = ipa_selinux_usermap_user_category
option = ipa_selinux_usermap_uuid
option = ipa_server_mode
option = ipa_server
option = ipa_subdomains_search_base
option = ipa_sudocmdgroup_entry_usn
option = ipa_sudocmdgroup_member
option = ipa_sudocmdgroup_name
option = ipa_sudocmdgroup_object_class
option = ipa_sudocmdgroup_uuid
option = ipa_sudocmd_memberof
option = ipa_sudocmd_object_class
option = ipa_sudocmd_sudoCmd
option = ipa_sudocmd_uuid
option = ipa_sudorule_allowcmd
option = ipa_sudorule_cmdcategory
option = ipa_sudorule_denycmd
option = ipa_sudorule_enabled_flag
option = ipa_sudorule_entry_usn
option = ipa_sudorule_externaluser
option = ipa_sudorule_hostcategory
option = ipa_sudorule_host
option = ipa_sudorule_name
option = ipa_sudorule_notafter
option = ipa_sudorule_notbefore
option = ipa_sudorule_object_class
option = ipa_sudorule_option
option = ipa_sudorule_runasextgroup
option = ipa_sudorule_runasextusergroup
option = ipa_sudorule_runasextuser
option = ipa_sudorule_runasgroupcategory
option = ipa_sudorule_runasgroup
option = ipa_sudorule_runasusercategory
option = ipa_sudorule_sudoorder
option = ipa_sudorule_usercategory
option = ipa_sudorule_user
option = ipa_sudorule_uuid
option = ipa_user_override_object_class
option = ipa_view_class
option = ipa_view_name
option = ipa_views_search_base

# krb5 provider specific options
option = krb5_auth_timeout
option = krb5_backup_kpasswd
option = krb5_backup_server
option = krb5_canonicalize
option = krb5_ccachedir
option = krb5_ccname_template
option = krb5_confd_path
option = krb5_fast_principal
option = krb5_fast_use_anonymous_pkinit
option = krb5_kdcinfo_lookahead
option = krb5_kdcip
option = krb5_keytab
option = krb5_kpasswd
option = krb5_lifetime
option = krb5_map_user
option = krb5_realm
option = krb5_renewable_lifetime
option = krb5_renew_interval
option = krb5_server
option = krb5_store_password_if_offline
option = krb5_use_enterprise_principal
option = krb5_use_subdomain_realm
option = krb5_use_fast
option = krb5_use_kdcinfo
option = krb5_validate

# ldap provider specific options
option = ldap_access_filter
option = ldap_access_order
option = ldap_account_expire_policy
option = ldap_autofs_entry_key
option = ldap_autofs_entry_object_class
option = ldap_autofs_entry_value
option = ldap_autofs_map_master_name
option = ldap_autofs_map_name
option = ldap_autofs_map_object_class
option = ldap_autofs_search_base
option = ldap_backup_uri
option = ldap_chpass_backup_uri
option = ldap_chpass_dns_service_name
option = ldap_chpass_update_last_change
option = ldap_chpass_uri
option = ldap_connection_expire_timeout
option = ldap_connection_expire_offset
option = ldap_connection_idle_timeout
option = ldap_default_authtok
option = ldap_default_authtok_type
option = ldap_default_bind_dn
option = ldap_deref
option = ldap_deref_threshold
option = ldap_ignore_unreadable_references
option = ldap_disable_paging
option = ldap_disable_range_retrieval
option = ldap_dns_service_name
option = ldap_entry_usn
option = ldap_enumeration_refresh_timeout
option = ldap_enumeration_refresh_offset
option = ldap_enumeration_search_timeout
option = ldap_force_upper_case_realm
option = ldap_group_entry_usn
option = ldap_group_external_member
option = ldap_group_gid_number
option = ldap_group_member
option = ldap_group_modify_timestamp
option = ldap_group_name
option = ldap_group_nesting_level
option = ldap_group_object_class
option = ldap_group_objectsid
option = ldap_group_search_base
option = ldap_group_search_filter
option = ldap_group_search_scope
option = ldap_group_type
option = ldap_group_uuid
option = ldap_idmap_autorid_compat
option = ldap_idmap_default_domain_sid
option = ldap_idmap_default_domain
option = ldap_idmap_helper_table_size
option = ldap_id_mapping
option = ldap_idmap_range_max
option = ldap_idmap_range_min
option = ldap_idmap_range_size
option = ldap_id_use_start_tls
option = ldap_krb5_init_creds
option = ldap_krb5_keytab
option = ldap_krb5_ticket_lifetime
option = ldap_library_debug_level
option = ldap_max_id
option = ldap_min_id
option = ldap_netgroup_member
option = ldap_netgroup_modify_timestamp
option = ldap_netgroup_name
option = ldap_netgroup_object_class
option = ldap_netgroup_search_base
option = ldap_netgroup_triple
option = ldap_network_timeout
option = ldap_ns_account_lock
option = ldap_offline_timeout
option = ldap_opt_timeout
option = ldap_page_size
option = ldap_purge_cache_timeout
option = ldap_purge_cache_offset
option = ldap_pwd_attribute
option = ldap_pwdlockout_dn
option = ldap_pwd_policy
option = ldap_referrals
option = ldap_rfc2307_fallback_to_local_users
option = ldap_rootdse_last_usn
option = ldap_sasl_authid
option = ldap_sasl_canonicalize
option = ldap_sasl_mech
option = ldap_sasl_minssf
option = ldap_sasl_maxssf
option = ldap_sasl_realm
option = ldap_schema
option = ldap_pwmodify_mode
option = ldap_search_base
option = ldap_search_timeout
option = ldap_service_entry_usn
option = ldap_service_name
option = ldap_service_object_class
option = ldap_service_port
option = ldap_service_proto
option = ldap_service_search_base
option = ldap_sudo_full_refresh_interval
option = ldap_sudo_hostnames
option = ldap_sudo_include_netgroups
option = ldap_sudo_include_regexp
option = ldap_sudo_ip
option = ldap_sudorule_command
option = ldap_sudorule_host
option = ldap_sudorule_name
option = ldap_sudorule_notafter
option = ldap_sudorule_notbefore
option = ldap_sudorule_object_class
option = ldap_sudorule_option
option = ldap_sudorule_order
option = ldap_sudorule_runasgroup
option = ldap_sudorule_runas
option = ldap_sudorule_runasuser
option = ldap_sudorule_user
option = ldap_sudo_search_base
option = ldap_sudo_smart_refresh_interval
option = ldap_sudo_random_offset
option = ldap_sudo_use_host_filter
option = ldap_tls_cacertdir
option = ldap_tls_cacert
option = ldap_tls_cert
option = ldap_tls_cipher_suite
option = ldap_tls_key
option = ldap_tls_reqcert
option = ldap_uri
option = ldap_user_ad_account_expires
option = ldap_user_ad_user_account_control
option = ldap_user_authorized_host
option = ldap_user_authorized_rhost
option = ldap_user_authorized_service
option = ldap_user_auth_type
option = ldap_user_certificate
option = ldap_user_email
option = ldap_user_entry_usn
option = ldap_user_extra_attrs
option = ldap_user_fullname
option = ldap_user_gecos
option = ldap_user_gid_number
option = ldap_user_home_directory
option = ldap_user_krb_last_pwd_change
option = ldap_user_krb_password_expiration
option = ldap_user_member_of
option = ldap_user_modify_timestamp
option = ldap_user_name
option = ldap_user_nds_login_allowed_time_map
option = ldap_user_nds_login_disabled
option = ldap_user_nds_login_expiration_time
option = ldap_user_object_class
option = ldap_user_objectsid
option = ldap_user_primary_group
option = ldap_user_principal
option = ldap_user_search_base
option = ldap_user_search_filter
option = ldap_user_search_scope
option = ldap_user_shadow_expire
option = ldap_user_shadow_flag
option = ldap_user_shadow_inactive
option = ldap_user_shadow_last_change
option = ldap_user_shadow_max
option = ldap_user_shadow_min
option = ldap_user_shadow_warning
option = ldap_user_shell
option = ldap_user_ssh_public_key
option = ldap_user_uid_number
option = ldap_user_uuid
option = ldap_use_tokengroups
option = ldap_host_object_class
option = ldap_host_name
option = ldap_host_fqdn
option = ldap_host_serverhostname
option = ldap_host_member_of
option = ldap_host_search_base
option = ldap_host_ssh_public_key
option = ldap_host_uuid
option = ldap_iphost_search_base
option = ldap_iphost_object_class
option = ldap_iphost_name
option = ldap_iphost_number
option = ldap_iphost_entry_usn
option = ldap_ipnetwork_search_base
option = ldap_ipnetwork_object_class
option = ldap_ipnetwork_name
option = ldap_ipnetwork_number
option = ldap_ipnetwork_entry_usn

# For application domains
option = inherit_from

[rule/allowed_subdomain_options]
validator = ini_allowed_options
section_re = ^domain/[^/\@]\+/[^/\@]\+$

option = ldap_search_base
option = ldap_user_search_base
option = ldap_group_search_base
option = ldap_netgroup_search_base
option = ldap_service_search_base
option = ldap_sasl_mech
option = ad_server
option = ad_backup_server
option = ad_site
option = use_fully_qualified_names
option = auto_private_groups
option = pam_gssapi_services
option = pam_gssapi_check_upn
option = pam_gssapi_indicators_map

[rule/sssd_checks]
validator = sssd_checks

[rule/allowed_certmap_options]
validator = ini_allowed_options
section_re = ^certmap/[^/\@]\+/[^/\@]\+$

option = matchrule
option = maprule
option = priority
option = domains