Units
Translation components API.
See the Weblate's Web API documentation for detailed description of the API.
GET /api/translations/freeipa/ipa-4-8/zh_CN/units/?format=api&page=92
{ "count": 4657, "next": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/units/?format=api&page=93", "previous": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/units/?format=api&page=91", "results": [ { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Input file" ], "previous_source": "Input filename", "target": [ "输入文件名" ], "id_hash": -7752661649040452358, "content_hash": -7752661649040452358, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 185, "has_suggestion": true, "has_comment": false, "has_failing_check": false, "num_words": 2, "source_unit": "https://translate.fedoraproject.org/api/units/2719669/?format=api", "priority": 100, "id": 4803284, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=1469034e392654fa", "url": "https://translate.fedoraproject.org/api/units/4803284/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.235292Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "File to load the certificate from" ], "previous_source": "File to load the certificate from.", "target": [ "从文件加载证书" ], "id_hash": -8200113499426123875, "content_hash": -8200113499426123875, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 186, "has_suggestion": true, "has_comment": false, "has_failing_check": false, "num_words": 6, "source_unit": "https://translate.fedoraproject.org/api/units/2719329/?format=api", "priority": 100, "id": 4803286, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=0e335837e4d20f9d", "url": "https://translate.fedoraproject.org/api/units/4803286/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.261535Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nCommands to build certificate requests automatically\n" ], "previous_source": "", "target": [ "" ], "id_hash": 2047306553156449743, "content_hash": 2047306553156449743, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 188, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 6, "source_unit": "https://translate.fedoraproject.org/api/units/2717697/?format=api", "priority": 100, "id": 4803288, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9c697e76873835cf", "url": "https://translate.fedoraproject.org/api/units/4803288/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.289658Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Gather data for a certificate signing request." ], "previous_source": "Check the status of a certificate signing request.", "target": [ "检查证书签名请求的状态。" ], "id_hash": 1913796369711469908, "content_hash": 1913796369711469908, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 189, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 7, "source_unit": "https://translate.fedoraproject.org/api/units/2719403/?format=api", "priority": 100, "id": 4803289, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9a8f2ba895159554", "url": "https://translate.fedoraproject.org/api/units/4803289/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.317561Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "CSR Generation Profile to use" ], "previous_source": "Certificate Profile to use", "target": [ "待使用的证书配置文件" ], "id_hash": -2050608317031264649, "content_hash": -2050608317031264649, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 193, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 5, "source_unit": "https://translate.fedoraproject.org/api/units/2718471/?format=api", "priority": 100, "id": 4803291, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=638ac699a9e3ce77", "url": "https://translate.fedoraproject.org/api/units/4803291/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.340041Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Subject Public Key Info" ], "previous_source": "Public Key", "target": [ "公钥" ], "id_hash": 5486548184707013374, "content_hash": 5486548184707013374, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 194, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 4, "source_unit": "https://translate.fedoraproject.org/api/units/2721037/?format=api", "priority": 100, "id": 4803292, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=cc24228148869afe", "url": "https://translate.fedoraproject.org/api/units/4803292/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.372378Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "DER-encoded SubjectPublicKeyInfo structure" ], "previous_source": "", "target": [ "" ], "id_hash": 198082634427046632, "content_hash": 198082634427046632, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 195, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2718673/?format=api", "priority": 100, "id": 4803294, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=82bfbb1b45329ae8", "url": "https://translate.fedoraproject.org/api/units/4803294/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.403723Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Write CertificationRequestInfo to file" ], "previous_source": "Write profile configuration to file", "target": [ "将配置文件配置写进文件" ], "id_hash": 3298929639700009011, "content_hash": 3298929639700009011, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 196, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 4, "source_unit": "https://translate.fedoraproject.org/api/units/2721411/?format=api", "priority": 100, "id": 4803296, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=adc8270761539033", "url": "https://translate.fedoraproject.org/api/units/4803296/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.430630Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "CertificationRequestInfo structure" ], "previous_source": "Certificate requested", "target": [ "证书请求" ], "id_hash": 8272977321636952032, "content_hash": 8272977321636952032, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 198, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 2, "source_unit": "https://translate.fedoraproject.org/api/units/2718553/?format=api", "priority": 100, "id": 4803297, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=f2cf850abb0877e0", "url": "https://translate.fedoraproject.org/api/units/4803297/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.457789Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "python-yubico is not installed." ], "previous_source": "", "target": [ "" ], "id_hash": -5178620988656122971, "content_hash": -5178620988656122971, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 204, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 4, "source_unit": "https://translate.fedoraproject.org/api/units/2721816/?format=api", "priority": 100, "id": 4803300, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=3821d7a5f8c503a5", "url": "https://translate.fedoraproject.org/api/units/4803300/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.500942Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "DNS forwarder" ], "previous_source": "DNS forward zone", "target": [ "DNS正向区域" ], "id_hash": -3646613564788329788, "content_hash": -3646613564788329788, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 243, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 2, "source_unit": "https://translate.fedoraproject.org/api/units/2718706/?format=api", "priority": 100, "id": 4803306, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=4d64a0488dabb2c4", "url": "https://translate.fedoraproject.org/api/units/4803306/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.738443Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "file to store DNS records in nsupdate format" ], "previous_source": "System DNS records updated", "target": [ "系统DNS记录已更新" ], "id_hash": -1772871091558438651, "content_hash": -1772871091558438651, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 244, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 8, "source_unit": "https://translate.fedoraproject.org/api/units/2721568/?format=api", "priority": 100, "id": 4803308, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=67657f22a319a905", "url": "https://translate.fedoraproject.org/api/units/4803308/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.761498Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Time limit of search in seconds" ], "previous_source": "Time limit of search in seconds (0 is unlimited)", "target": [ "时间限制在几秒钟内的搜索(0代表无限制)" ], "id_hash": -8593528147696132382, "content_hash": -8593528147696132382, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 352, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 6, "source_unit": "https://translate.fedoraproject.org/api/units/2716975/?format=api", "priority": 100, "id": 4803310, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=08bda7ae1d405ee2", "url": "https://translate.fedoraproject.org/api/units/4803310/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.796430Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nPlugin to make multiple ipa calls via one remote procedure call\n\nTo run this code in the lite-server\n\ncurl -H \"Content-Type:application/json\" -H \"Accept:application/json\" -H \"Accept-Language:en\" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json\n\nwhere the contents of the file batch_request.json follow the below example\n\n{\"method\":\"batch\",\"params\":[[\n {\"method\":\"group_find\",\"params\":[[],{}]},\n {\"method\":\"user_find\",\"params\":[[],{\"whoami\":\"true\",\"all\":\"true\"}]},\n {\"method\":\"user_show\",\"params\":[[\"admin\"],{\"all\":true}]}\n ],{}],\"id\":1}\n\nThe format of the response is nested the same way. At the top you will see\n \"error\": null,\n \"id\": 1,\n \"result\": {\n \"count\": 3,\n \"results\": [\n\n\nAnd then a nested response for each IPA command method sent in the request\n" ], "previous_source": "", "target": [ "" ], "id_hash": 7922620161662418248, "content_hash": 7922620161662418248, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 379, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 91, "source_unit": "https://translate.fedoraproject.org/api/units/2727915/?format=api", "priority": 100, "id": 4803313, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=edf2cd0faa3c7d48", "url": "https://translate.fedoraproject.org/api/units/4803313/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.875092Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nServer configuration\n\nManage the default values that IPA uses and some of its tuning parameters.\n\nNOTES:\n\nThe password notification value (--pwdexpnotify) is stored here so it will\nbe replicated. It is not currently used to notify users in advance of an\nexpiring password.\n\nSome attributes are read-only, provided only for information purposes. These\ninclude:\n\nCertificate Subject base: the configured certificate subject base,\n e.g. O=EXAMPLE.COM. This is configurable only at install time.\nPassword plug-in features: currently defines additional hashes that the\n password will generate (there may be other conditions).\n\nWhen setting the order list for mapping SELinux users you may need to\nquote the value so it isn't interpreted by the shell.\n\nEXAMPLES:\n\n Show basic server configuration:\n ipa config-show\n\n Show all configuration options:\n ipa config-show --all\n\n Change maximum username length to 99 characters:\n ipa config-mod --maxusername=99\n\n Increase default time and size limits for maximum IPA server search:\n ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000\n\n Set default user e-mail domain:\n ipa config-mod --emaildomain=example.com\n\n Enable migration mode to make \"ipa migrate-ds\" command operational:\n ipa config-mod --enable-migration=TRUE\n\n Define SELinux user map order:\n ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'\n" ], "previous_source": "", "target": [ "" ], "id_hash": 5044435619049702186, "content_hash": 5044435619049702186, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 381, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 178, "source_unit": "https://translate.fedoraproject.org/api/units/2722414/?format=api", "priority": 100, "id": 4803314, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=c6016f780dc9032a", "url": "https://translate.fedoraproject.org/api/units/4803314/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:52.900284Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nHBAC Services\n\nThe PAM services that HBAC can control access to. The name used here\nmust match the service name that PAM is evaluating.\n\nEXAMPLES:\n\n Add a new HBAC service:\n ipa hbacsvc-add tftp\n\n Modify an existing HBAC service:\n ipa hbacsvc-mod --desc=\"TFTP service\" tftp\n\n Search for HBAC services. This example will return two results, the FTP\n service and the newly-added tftp service:\n ipa hbacsvc-find ftp\n\n Delete an HBAC service:\n ipa hbacsvc-del tftp\n" ], "previous_source": "", "target": [ "" ], "id_hash": 1959964121138245420, "content_hash": 1959964121138245420, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 741, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 71, "source_unit": "https://translate.fedoraproject.org/api/units/2727838/?format=api", "priority": 100, "id": 4803321, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9b3330fbdcf4af2c", "url": "https://translate.fedoraproject.org/api/units/4803321/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.145926Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nHosts/Machines\n\nA host represents a machine. It can be used in a number of contexts:\n- service entries are associated with a host\n- a host stores the host/ service principal\n- a host can be used in Host-based Access Control (HBAC) rules\n- every enrolled client generates a host entry\n\nENROLLMENT:\n\nThere are three enrollment scenarios when enrolling a new client:\n\n1. You are enrolling as a full administrator. The host entry may exist\n or not. A full administrator is a member of the hostadmin role\n or the admins group.\n2. You are enrolling as a limited administrator. The host must already\n exist. A limited administrator is a member a role with the\n Host Enrollment privilege.\n3. The host has been created with a one-time password.\n\nRE-ENROLLMENT:\n\nHost that has been enrolled at some point, and lost its configuration (e.g. VM\ndestroyed) can be re-enrolled.\n\nFor more information, consult the manual pages for ipa-client-install.\n\nA host can optionally store information such as where it is located,\nthe OS that it runs, etc.\n\nEXAMPLES:\n\n Add a new host:\n ipa host-add --location=\"3rd floor lab\" --locality=Dallas test.example.com\n\n Delete a host:\n ipa host-del test.example.com\n\n Add a new host with a one-time password:\n ipa host-add --os='Fedora 12' --password=Secret123 test.example.com\n\n Add a new host with a random one-time password:\n ipa host-add --os='Fedora 12' --random test.example.com\n\n Modify information about a host:\n ipa host-mod --os='Fedora 12' test.example.com\n\n Remove SSH public keys of a host and update DNS to reflect this change:\n ipa host-mod --sshpubkey= --updatedns test.example.com\n\n Disable the host Kerberos key, SSL certificate and all of its services:\n ipa host-disable test.example.com\n\n Add a host that can manage this host's keytab and certificate:\n ipa host-add-managedby --hosts=test2 test\n\n Allow user to create a keytab:\n ipa host-allow-create-keytab test2 --users=tuser1\n" ], "previous_source": "", "target": [ "" ], "id_hash": -765870475337667748, "content_hash": -765870475337667748, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 763, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 289, "source_unit": "https://translate.fedoraproject.org/api/units/2727847/?format=api", "priority": 100, "id": 4803323, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=755f14dc4589eb5c", "url": "https://translate.fedoraproject.org/api/units/4803323/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.198298Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Managed by" ], "previous_source": "Manager", "target": [ "管理者" ], "id_hash": 1959411234926257283, "content_hash": 1959411234926257283, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 801, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 2, "source_unit": "https://translate.fedoraproject.org/api/units/2719824/?format=api", "priority": 100, "id": 4803326, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9b313a2302b06483", "url": "https://translate.fedoraproject.org/api/units/4803326/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.283727Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nGroups of hosts.\n\nManage groups of hosts. This is useful for applying access control to a\nnumber of hosts by using Host-based Access Control.\n\nEXAMPLES:\n\n Add a new host group:\n ipa hostgroup-add --desc=\"Baltimore hosts\" baltimore\n\n Add another new host group:\n ipa hostgroup-add --desc=\"Maryland hosts\" maryland\n\n Add members to the hostgroup (using Bash brace expansion):\n ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore\n\n Add a hostgroup as a member of another hostgroup:\n ipa hostgroup-add-member --hostgroups=baltimore maryland\n\n Remove a host from the hostgroup:\n ipa hostgroup-remove-member --hosts=box2 baltimore\n\n Display a host group:\n ipa hostgroup-show baltimore\n\n Delete a hostgroup:\n ipa hostgroup-del baltimore\n" ], "previous_source": "", "target": [ "" ], "id_hash": 2875035360512469728, "content_hash": 2875035360512469728, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 854, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 94, "source_unit": "https://translate.fedoraproject.org/api/units/2722347/?format=api", "priority": 100, "id": 4803332, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=a7e62d6d84086ae0", "url": "https://translate.fedoraproject.org/api/units/4803332/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.485295Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nMigration to IPA\n\nMigrate users and groups from an LDAP server to IPA.\n\nThis performs an LDAP query against the remote server searching for\nusers and groups in a container. In order to migrate passwords you need\nto bind as a user that can read the userPassword attribute on the remote\nserver. This is generally restricted to high-level admins such as\ncn=Directory Manager in 389-ds (this is the default bind user).\n\nThe default user container is ou=People.\n\nThe default group container is ou=Groups.\n\nUsers and groups that already exist on the IPA server are skipped.\n\nTwo LDAP schemas define how group members are stored: RFC2307 and\nRFC2307bis. RFC2307bis uses member and uniquemember to specify group\nmembers, RFC2307 uses memberUid. The default schema is RFC2307bis.\n\nThe schema compat feature allows IPA to reformat data for systems that\ndo not support RFC2307bis. It is recommended that this feature is disabled\nduring migration to reduce system overhead. It can be re-enabled after\nmigration. To migrate with it enabled use the \"--with-compat\" option.\n\nMigrated users do not have Kerberos credentials, they have only their\nLDAP password. To complete the migration process, users need to go\nto http://ipa.example.com/ipa/migration and authenticate using their\nLDAP password in order to generate their Kerberos credentials.\n\nMigration is disabled by default. Use the command ipa config-mod to\nenable it:\n\n ipa config-mod --enable-migration=TRUE\n\nIf a base DN is not provided with --basedn then IPA will use either\nthe value of defaultNamingContext if it is set or the first value\nin namingContexts set in the root of the remote LDAP server.\n\nUsers are added as members to the default user group. This can be a\ntime-intensive task so during migration this is done in a batch\nmode for every 100 users. As a result there will be a window in which\nusers will be added to IPA but will not be members of the default\nuser group.\n\nEXAMPLES:\n\n The simplest migration, accepting all defaults:\n ipa migrate-ds ldap://ds.example.com:389\n\n Specify the user and group container. This can be used to migrate user\n and group data from an IPA v1 server:\n ipa migrate-ds --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389\n\n Since IPA v2 server already contain predefined groups that may collide with\n groups in migrated (IPA v1) server (for example admins, ipausers), users\n having colliding group as their primary group may happen to belong to\n an unknown group on new IPA v2 server.\n Use --group-overwrite-gid option to overwrite GID of already existing groups\n to prevent this issue:\n ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://ds.example.com:389\n\n Migrated users or groups may have object class and accompanied attributes\n unknown to the IPA v2 server. These object classes and attributes may be\n left out of the migration process:\n ipa migrate-ds --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' --user-ignore-objectclass=radiusprofile --user-ignore-attribute=radiusgroupname ldap://ds.example.com:389\n\nLOGGING\n\nMigration will log warnings and errors to the Apache error log. This\nfile should be evaluated post-migration to correct or investigate any\nissues that were discovered.\n\nFor every 100 users migrated an info-level message will be displayed to\ngive the current progress and duration to make it possible to track\nthe progress of migration.\n\nIf the log level is debug, either by setting debug = True in\n/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed\nfor each user added plus a summary when the default user group is\nupdated.\n" ], "previous_source": "", "target": [ "" ], "id_hash": 239708973183952315, "content_hash": 239708973183952315, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 953, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 542, "source_unit": "https://translate.fedoraproject.org/api/units/2722381/?format=api", "priority": 100, "id": 4803336, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=83539e0a841a65bb", "url": "https://translate.fedoraproject.org/api/units/4803336/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.656640Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "groups to exclude from migration" ], "previous_source": "%s to exclude from migration", "target": [ "不移植%s" ], "id_hash": 51939713693251686, "content_hash": 51939713693251686, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 987, "has_suggestion": true, "has_comment": false, "has_failing_check": false, "num_words": 5, "source_unit": "https://translate.fedoraproject.org/api/units/2726187/?format=api", "priority": 100, "id": 4803338, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=80b886e4f86bf866", "url": "https://translate.fedoraproject.org/api/units/4803338/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.686625Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "users to exclude from migration" ], "previous_source": "%s to exclude from migration", "target": [ "不移植%s" ], "id_hash": 750773267804554628, "content_hash": 750773267804554628, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 988, "has_suggestion": true, "has_comment": false, "has_failing_check": false, "num_words": 5, "source_unit": "https://translate.fedoraproject.org/api/units/2726507/?format=api", "priority": 100, "id": 4803340, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=8a6b484f2e598584", "url": "https://translate.fedoraproject.org/api/units/4803340/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.713662Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Dictionary mapping plugin names to bases" ], "previous_source": "", "target": [ "" ], "id_hash": 1959795194712972686, "content_hash": 1959795194712972686, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1000, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 6, "source_unit": "https://translate.fedoraproject.org/api/units/2729418/?format=api", "priority": 100, "id": 4803342, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9b3297589d625d8e", "url": "https://translate.fedoraproject.org/api/units/4803342/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.746102Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nOTP Tokens\n\nManage OTP tokens.\n\nIPA supports the use of OTP tokens for multi-factor authentication. This\ncode enables the management of OTP tokens.\n\nEXAMPLES:\n\n Add a new token:\n ipa otptoken-add --type=totp --owner=jdoe --desc=\"My soft token\"\n\n Examine the token:\n ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a\n\n Change the vendor:\n ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor=\"Red Hat\"\n\n Delete a token:\n ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a\n" ], "previous_source": "", "target": [ "" ], "id_hash": -9184665594191245485, "content_hash": -9184665594191245485, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1048, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 55, "source_unit": "https://translate.fedoraproject.org/api/units/2722388/?format=api", "priority": 100, "id": 4803347, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=0089834df57a8f53", "url": "https://translate.fedoraproject.org/api/units/4803347/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.948246Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nYubiKey Tokens\n\nManage YubiKey tokens.\n\nThis code is an extension to the otptoken plugin and provides support for\nreading/writing YubiKey tokens directly.\n\nEXAMPLES:\n\n Add a new token:\n ipa otptoken-add-yubikey --owner=jdoe --desc=\"My YubiKey\"\n" ], "previous_source": "\nThis code is an extension to the otptoken plugin and provides support for\nreading/writing YubiKey tokens directly.\n", "target": [ "\n这段代码是otp令牌插件的一个扩展,并对读/写YubiKey令牌提供直接的支持。\n" ], "id_hash": 5312162563820132141, "content_hash": 5312162563820132141, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 1088, "has_suggestion": false, "has_comment": false, "has_failing_check": true, "num_words": 32, "source_unit": "https://translate.fedoraproject.org/api/units/2728005/?format=api", "priority": 100, "id": 4803349, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=c9b897b4eda0972d", "url": "https://translate.fedoraproject.org/api/units/4803349/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:53.992920Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nPermissions\n\nA permission enables fine-grained delegation of rights. A permission is\na human-readable wrapper around a 389-ds Access Control Rule,\nor instruction (ACI).\nA permission grants the right to perform a specific task such as adding a\nuser, modifying a group, etc.\n\nA permission may not contain other permissions.\n\n* A permission grants access to read, write, add, delete, read, search,\n or compare.\n* A privilege combines similar permissions (for example all the permissions\n needed to add a user).\n* A role grants a set of privileges to users, groups, hosts or hostgroups.\n\nA permission is made up of a number of different parts:\n\n1. The name of the permission.\n2. The target of the permission.\n3. The rights granted by the permission.\n\nRights define what operations are allowed, and may be one or more\nof the following:\n1. write - write one or more attributes\n2. read - read one or more attributes\n3. search - search on one or more attributes\n4. compare - compare one or more attributes\n5. add - add a new entry to the tree\n6. delete - delete an existing entry\n7. all - all permissions are granted\n\nNote the distinction between attributes and entries. The permissions are\nindependent, so being able to add a user does not mean that the user will\nbe editable.\n\nThere are a number of allowed targets:\n1. subtree: a DN; the permission applies to the subtree under this DN\n2. target filter: an LDAP filter\n3. target: DN with possible wildcards, specifies entries permission applies to\n\nAdditionally, there are the following convenience options.\nSetting one of these options will set the corresponding attribute(s).\n1. type: a type of object (user, group, etc); sets subtree and target filter.\n2. memberof: apply to members of a group; sets target filter\n3. targetgroup: grant access to modify a specific group (such as granting\n the rights to manage group membership); sets target.\n\nManaged permissions\n\nPermissions that come with IPA by default can be so-called \"managed\"\npermissions. These have a default set of attributes they apply to,\nbut the administrator can add/remove individual attributes to/from the set.\n\nDeleting or renaming a managed permission, as well as changing its target,\nis not allowed.\n\nEXAMPLES:\n\n Add a permission that grants the creation of users:\n ipa permission-add --type=user --permissions=add \"Add Users\"\n\n Add a permission that grants the ability to manage group membership:\n ipa permission-add --attrs=member --permissions=write --type=group \"Manage Group Members\"\n" ], "previous_source": "", "target": [ "" ], "id_hash": 2467052758254385956, "content_hash": 2467052758254385956, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1095, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 405, "source_unit": "https://translate.fedoraproject.org/api/units/2727910/?format=api", "priority": 100, "id": 4803352, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=a23cbb69a1e67b24", "url": "https://translate.fedoraproject.org/api/units/4803352/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.039712Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Deprecated; use ipapermlocation" ], "previous_source": "Deprecated; use extratargetfilter", "target": [ "过时的;使用额外的目标过滤器" ], "id_hash": 2569929497068907006, "content_hash": 2569929497068907006, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 1119, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2729401/?format=api", "priority": 100, "id": 4803353, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=a3aa3942f29729fe", "url": "https://translate.fedoraproject.org/api/units/4803353/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.080454Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "Deprecated; use ipapermright" ], "previous_source": "Deprecated; use %s", "target": [ "已弃用;使用%s" ], "id_hash": 8669549929853091248, "content_hash": 8669549929853091248, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 1120, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2729403/?format=api", "priority": 100, "id": 4803355, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=f8506dba5b67fdb0", "url": "https://translate.fedoraproject.org/api/units/4803355/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.124222Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nKerberos pkinit options\n\nEnable or disable anonymous pkinit using the principal\nWELLKNOWN/ANONYMOUS@REALM. The server must have been installed with\npkinit support.\n\nEXAMPLES:\n\n Enable anonymous pkinit:\n ipa pkinit-anonymous enable\n\n Disable anonymous pkinit:\n ipa pkinit-anonymous disable\n\nFor more information on anonymous pkinit see:\n\nhttp://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit\n" ], "previous_source": "", "target": [ "" ], "id_hash": -4050608456129728643, "content_hash": -4050608456129728643, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1139, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 42, "source_unit": "https://translate.fedoraproject.org/api/units/2717753/?format=api", "priority": 100, "id": 4803358, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=47c95911f831af7d", "url": "https://translate.fedoraproject.org/api/units/4803358/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.206662Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nRADIUS Proxy Servers\n\nManage RADIUS Proxy Servers.\n\nIPA supports the use of an external RADIUS proxy server for krb5 OTP\nauthentications. This permits a great deal of flexibility when\nintegrating with third-party authentication services.\n\nEXAMPLES:\n\n Add a new server:\n ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812\n\n Find all servers whose entries include the string \"example.com\":\n ipa radiusproxy-find example.com\n\n Examine the configuration:\n ipa radiusproxy-show MyRADIUS\n\n Change the secret:\n ipa radiusproxy-mod MyRADIUS --secret\n\n Delete a configuration:\n ipa radiusproxy-del MyRADIUS\n" ], "previous_source": "", "target": [ "" ], "id_hash": -8678263612514546238, "content_hash": -8678263612514546238, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1191, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 74, "source_unit": "https://translate.fedoraproject.org/api/units/2722400/?format=api", "priority": 100, "id": 4803360, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=07909d394cdf4dc2", "url": "https://translate.fedoraproject.org/api/units/4803360/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.281461Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nRealm domains\n\nManage the list of domains associated with IPA realm.\n\nEXAMPLES:\n\n Display the current list of realm domains:\n ipa realmdomains-show\n\n Replace the list of realm domains:\n ipa realmdomains-mod --domain=example.com\n ipa realmdomains-mod --domain={example1.com,example2.com,example3.com}\n\n Add a domain to the list of realm domains:\n ipa realmdomains-mod --add-domain=newdomain.com\n\n Delete a domain from the list of realm domains:\n ipa realmdomains-mod --del-domain=olddomain.com\n" ], "previous_source": "", "target": [ "" ], "id_hash": 8805162111605521468, "content_hash": 8805162111605521468, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1210, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 57, "source_unit": "https://translate.fedoraproject.org/api/units/2722404/?format=api", "priority": 100, "id": 4803362, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=fa323849ebf9bc3c", "url": "https://translate.fedoraproject.org/api/units/4803362/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.320596Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nServices\n\nA IPA service represents a service that runs on a host. The IPA service\nrecord can store a Kerberos principal, an SSL certificate, or both.\n\nAn IPA service can be managed directly from a machine, provided that\nmachine has been given the correct permission. This is true even for\nmachines other than the one the service is associated with. For example,\nrequesting an SSL certificate using the host service principal credentials\nof the host. To manage a service using host credentials you need to\nkinit as the host:\n\n # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM\n\nAdding an IPA service allows the associated service to request an SSL\ncertificate or keytab, but this is performed as a separate step; they\nare not produced as a result of adding the service.\n\nOnly the public aspect of a certificate is stored in a service record;\nthe private key is not stored.\n\nEXAMPLES:\n\n Add a new IPA service:\n ipa service-add HTTP/web.example.com\n\n Allow a host to manage an IPA service certificate:\n ipa service-add-host --hosts=web.example.com HTTP/web.example.com\n ipa role-add-member --hosts=web.example.com certadmin\n\n Override a default list of supported PAC types for the service:\n ipa service-mod HTTP/web.example.com --pac-type=MS-PAC\n\n A typical use case where overriding the PAC type is needed is NFS.\n Currently the related code in the Linux kernel can only handle Kerberos\n tickets up to a maximal size. Since the PAC data can become quite large it\n is recommended to set --pac-type=NONE for NFS services.\n\n Delete an IPA service:\n ipa service-del HTTP/web.example.com\n\n Find all IPA services associated with a host:\n ipa service-find web.example.com\n\n Find all HTTP services:\n ipa service-find HTTP\n\n Disable the service Kerberos key and SSL certificate:\n ipa service-disable HTTP/web.example.com\n\n Request a certificate for an IPA service:\n ipa cert-request --principal=HTTP/web.example.com example.csr\n\n Allow user to create a keytab:\n ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1\n\n Generate and retrieve a keytab for an IPA service:\n ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab\n" ], "previous_source": "", "target": [ "" ], "id_hash": -8256542117714809751, "content_hash": -8256542117714809751, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1264, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 309, "source_unit": "https://translate.fedoraproject.org/api/units/2727946/?format=api", "priority": 100, "id": 4803364, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=0d6adeb0608eac69", "url": "https://translate.fedoraproject.org/api/units/4803364/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.395684Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nSession Support for IPA\nJohn Dennis <jdennis@redhat.com>\n\nGoals\n=====\n\nProvide per-user session data caching which persists between\nrequests. Desired features are:\n\n* Integrates cleanly with minimum impact on existing infrastructure.\n\n* Provides maximum security balanced against real-world performance\n demands.\n\n* Sessions must be able to be revoked (flushed).\n\n* Should be flexible and easy to use for developers.\n\n* Should leverage existing technology and code to the maximum extent\n possible to avoid re-invention, excessive implementation time and to\n benefit from robustness in field proven components commonly shared\n in the open source community.\n\n* Must support multiple independent processes which share session\n data.\n\n* System must function correctly if session data is available or not.\n\n* Must be high performance.\n\n* Should not be tied to specific web servers or browsers. Should\n integrate with our chosen WSGI model.\n\nIssues\n======\n\nCookies\n-------\n\nMost session implementations are based on the use of cookies. Cookies\nhave some inherent problems.\n\n* User has the option to disable cookies.\n\n* User stored cookie data is not secure. Can be mitigated by setting\n flags indicating the cookie is only to be used with SSL secured HTTP\n connections to specific web resources and setting the cookie to\n expire at session termination. Most modern browsers enforce these.\n\nWhere to store session data?\n----------------------------\n\nSession data may be stored on either on the client or on the\nserver. Storing session data on the client addresses the problem of\nsession data availability when requests are serviced by independent web\nservers because the session data travels with the request. However\nthere are data size limitations. Storing session data on the client\nalso exposes sensitive data but this can be mitigated by encrypting\nthe session data such that only the server can decrypt it.\n\nThe more conventional approach is to bind session data to a unique\nname, the session ID. The session ID is transmitted to the client and\nthe session data is paired with the session ID on the server in a\nassociative data store. The session data is retrieved by the server\nusing the session ID when the receiving the request. This eliminates\nexposing sensitive session data on the client along with limitations\non data size. It however introduces the issue of session data\navailability when requests are serviced by more than one server\nprocess.\n\nMulti-process session data availability\n---------------------------------------\n\nApache (and other web servers) fork child processes to handle requests\nin parallel. Also web servers may be deployed in a farm where requests\nare load balanced in round robin fashion across different nodes. In\nboth cases session data cannot be stored in the memory of a server\nprocess because it is not available to other processes, either sibling\nchildren of a master server process or server processes on distinct\nnodes.\n\nTypically this is addressed by storing session data in a SQL\ndatabase. When a request is received by a server process containing a\nsession ID in it's cookie data the session ID is used to perform a SQL\nquery and the resulting data is then attached to the request as it\nproceeds through the request processing pipeline. This of course\nintroduces coherency issues.\n\nFor IPA the introduction of a SQL database dependency is undesired and\nshould be avoided.\n\nSession data may also be shared by independent processes by storing\nthe session data in files.\n\nAn alternative solution which has gained considerable popularity\nrecently is the use of a fast memory based caching server. Data is\nstored in a single process memory and may be queried and set via a\nlight weight protocol using standard socket mechanisms, memcached is\none example. A typical use is to optimize SQL queries by storing a SQL\nresult in shared memory cache avoiding the more expensive SQL\noperation. But the memory cache has distinct advantages in non-SQL\nsituations as well.\n\nPossible implementations for use by IPA\n=======================================\n\nApache Sessions\n---------------\n\nApache has 2.3 has implemented session support via these modules:\n\n mod_session\n Overarching session support based on cookies.\n\n See: http://httpd.apache.org/docs/2.3/mod/mod_session.html\n\n mod_session_cookie\n Stores session data in the client.\n\n See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html\n\n mod_session_crypto\n Encrypts session data for security. Encryption key is shared\n configuration parameter visible to all Apache processes and is\n stored in a configuration file.\n\n See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html\n\n mod_session_dbd\n Stores session data in a SQL database permitting multiple\n processes to access and share the same session data.\n\n See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html\n\nIssues with Apache sessions\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nAlthough Apache has implemented generic session support and Apache is\nour web server of preference it nonetheless introduces issues for IPA.\n\n * Session support is only available in httpd >= 2.3 which at the\n time of this writing is currently only available as a Beta release\n from upstream. We currently only ship httpd 2.2, the same is true\n for other distributions.\n\n * We could package and ship the sessions modules as a temporary\n package in httpd 2.2 environments. But this has the following\n consequences:\n\n - The code has to be backported. the module API has changed\n slightly between httpd 2.2 and 2.3. The backporting is not\n terribly difficult and a proof of concept has been\n implemented.\n\n - We would then be on the hook to package and maintain a special\n case Apache package. This is maintenance burden as well as a\n distribution packaging burden. Both of which would be best\n avoided if possible.\n\n * The design of the Apache session modules is such that they can\n only be manipulated by other Apache modules. The ability of\n consumers of the session data to control the session data is\n simplistic, constrained and static during the period the request\n is processed. Request handlers which are not native Apache modules\n (e.g. IPA via WSGI) can only examine the session data\n via request headers and reset it in response headers.\n\n * Shared session data is available exclusively via SQL.\n\nHowever using the 2.3 Apache session modules would give us robust\nsession support implemented in C based on standardized Apache\ninterfaces which are widely used.\n\nPython Web Frameworks\n---------------------\n\nVirtually every Python web framework supports cookie based sessions,\ne.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided\nto avoid the use of these frameworks. Trying to pull in just one part\nof these frameworks just to get session support would be problematic\nbecause the code does not function outside it's framework.\n\nIPA implemented sessions\n------------------------\n\nOriginally it was believed the path of least effort was to utilize\nexisting session support, most likely what would be provided by\nApache. However there are enough basic modular components available in\nnative Python and other standard packages it should be possible to\nprovide session support meeting the aforementioned goals with a modest\nimplementation effort. Because we're leveraging existing components\nthe implementation difficulties are subsumed by other components which\nhave already been field proven and have community support. This is a\nsmart strategy.\n\nProposed Solution\n=================\n\nOur interface to the web server is via WSGI which invokes a callback\nper request passing us an environmental context for the request. For\nthis discussion we'll name the WSGI callback \"application()\", a\nconventional name in WSGI parlance.\n\nShared session data will be handled by memcached. We will create one\ninstance of memcached on each server node dedicated to IPA\nexclusively. Communication with memcached will be via a UNIX socket\nlocated in the file system under /var/run/ipa_memcached. It will be\nprotected by file permissions and optionally SELinux policy.\n\nIn application() we examine the request cookies and if there is an IPA\nsession cookie with a session ID we retrieve the session data from our\nmemcached instance.\n\nThe session data will be a Python dict. IPA components will read or\nwrite their session information by using a pre-agreed upon name\n(e.g. key) in the dict. This is a very flexible system and consistent\nwith how we pass data in most parts of IPA.\n\nIf the session data is not available an empty session data dict will\nbe created.\n\nHow does this session data travel with the request in the IPA\npipeline? In IPA we use the HTTP request/response to implement RPC. In\napplication() we convert the request into a procedure call passing it\narguments derived from the HTTP request. The passed parameters are\nspecific to the RPC method being invoked. The context the RPC call is\nexecuting in is not passed as an RPC parameter.\n\nHow would the contextual information such as session data be bound to\nthe request and hence the RPC call?\n\nIn IPA when a RPC invocation is being prepared from a request we\nrecognize this will only ever be processed serially by one Python\nthread. A thread local dict called \"context\" is allocated for each\nthread. The context dict is cleared in between requests (e.g. RPC method\ninvocations). The per-thread context dict is populated during the\nlifetime of the request and is used as a global data structure unique to\nthe request that various IPA component can read from and write to with\nthe assurance the data is unique to the current request and/or method\ncall.\n\nThe session data dict will be written into the context dict under the\nsession key before the RPC method begins execution. Thus session data\ncan be read and written by any IPA component by accessing\n``context.session``.\n\nWhen the RPC method finishes execution the session data bound to the\nrequest/method is retrieved from the context and written back to the\nmemcached instance. The session ID is set in the response sent back to\nthe client in the ``Set-Cookie`` header along with the flags\ncontrolling it's usage.\n\nIssues and details\n------------------\n\nIPA code cannot depend on session data being present, however it\nshould always update session data with the hope it will be available\nin the future. Session data may not be available because:\n\n * This is the first request from the user and no session data has\n been created yet.\n\n * The user may have cookies disabled.\n\n * The session data may have been flushed. memcached operates with\n a fixed memory allocation and will flush entries on a LRU basis,\n like with any cache there is no guarantee of persistence.\n\n Also we may have have deliberately expired or deleted session\n data, see below.\n\nCookie manipulation is done via the standard Python Cookie module.\n\nSession cookies will be set to only persist as long as the browser has\nthe session open. They will be tagged so the browser only returns\nthe session ID on SSL secured HTTP requests. They will not be visible\nto Javascript in the browser.\n\nSession ID's will be created by using 48 bits of random data and\nconverted to 12 hexadecimal digits. Newly generated session ID's will\nbe checked for prior existence to handle the unlikely case the random\nnumber repeats.\n\nmemcached will have significantly higher performance than a SQL or file\nbased storage solution. Communication is effectively though a pipe\n(UNIX socket) using a very simple protocol and the data is held\nentirely in process memory. memcached also scales easily, it is easy\nto add more memcached processes and distribute the load across them.\nAt this point in time we don't anticipate the need for this.\n\nA very nice feature of the Python memcached module is that when a data\nitem is written to the cache it is done with standard Python pickling\n(pickling is a standard Python mechanism to marshal and unmarshal\nPython objects). We adopt the convention the object written to cache\nwill be a dict to meet our internal data handling conventions. The\npickling code will recursively handle nested objects in the dict. Thus\nwe gain a lot of flexibility using standard Python data structures to\nstore and retrieve our session data without having to author and debug\ncode to marshal and unmarshal the data if some other storage mechanism\nhad been used. This is a significant implementation win. Of course\nsome common sense limitations need to observed when deciding on what\nis written to the session cache keeping in mind the data is shared\nbetween processes and it should not be excessively large (a\nconfigurable option)\n\nWe can set an expiration on memcached entries. We may elect to do that\nto force session data to be refreshed periodically. For example we may\nwish the client to present fresh credentials on a periodic basis even\nif the cached credentials are otherwise within their validity period.\n\nWe can explicitly delete session data if for some reason we believe it\nis stale, invalid or compromised.\n\nmemcached also gives us certain facilities to prevent race conditions\nbetween different processes utilizing the cache. For example you can\ncheck of the entry has been modified since you last read it or use CAS\n(Check And Set) semantics. What has to be protected in terms of cache\ncoherency will likely have to be determined as the session support is\nutilized and different data items are added to the cache. This is very\nmuch data and context specific. Fortunately memcached operations are\natomic.\n\nControlling the memcached process\n---------------------------------\n\nWe need a mechanism to start the memcached process and secure it so\nthat only IPA components can access it.\n\nAlthough memcached ships with both an initscript and systemd unit\nfiles those are for generic instances. We want a memcached instance\ndedicated exclusively to IPA usage. To accomplish this we would install\na systemd unit file or an SysV initscript to control the IPA specific\nmemcached service. ipactl would be extended to know about this\nadditional service. systemd's cgroup facility would give us additional\nmechanisms to integrate the IPA memcached service within a larger IPA\nprocess group.\n\nProtecting the memcached data would be done via file permissions (and\noptionally SELinux policy) on the UNIX domain socket. Although recent\nimplementations of memcached support authentication via SASL this\nintroduces a performance and complexity burden not warranted when\ncached is dedicated to our exclusive use and access controlled by OS\nmechanisms.\n\nConventionally daemons are protected by assigning a system uid and/or\ngid to the daemon. A daemon launched by root will drop it's privileges\nby assuming the effective uid:gid assigned to it. File system access\nis controlled by the OS via the effective identity and SELinux policy\ncan be crafted based on the identity. Thus the memcached UNIX socket\nwould be protected by having it owned by a specific system user and/or\nmembership in a restricted system group (discounting for the moment\nSELinux).\n\nUnfortunately we currently do not have an IPA system uid whose\nidentity our processes operate under nor do we have an IPA system\ngroup. IPA does manage a collection of related processes (daemons) and\nhistorically each has been assigned their own uid. When these\nunrelated processes communicate they mutually authenticate via other\nmechanisms. We do not have much of a history of using shared file\nsystem objects across identities. When file objects are created they\nare typically assigned the identity of daemon needing to access the\nobject and are not accessed by other daemons, or they carry root\nidentity.\n\nWhen our WSGI application runs in Apache it is run as a WSGI\ndaemon. This means when Apache starts up it forks off WSGI processes\nfor us and we are independent of other Apache processes. When WSGI is\nrun in this mode there is the ability to set the uid:gid of the WSGI\nprocess hosting us, however we currently do not take advantage of this\noption. WSGI can be run in other modes as well, only in daemon mode\ncan the uid:gid be independently set from the rest of Apache. All\nprocesses started by Apache can be set to a common uid:gid specified\nin the global Apache configuration, by default it's\napache:apache. Thus when our IPA code executes it is running as\napache:apache.\n\nTo protect our memcached UNIX socket we can do one of two things:\n\n1. Assign it's uid:gid as apache:apache. This would limit access to\n our cache only to processes running under httpd. It's somewhat\n restricted but far from ideal. Any code running in the web server\n could potentially access our cache. It's difficult to control what the\n web server runs and admins may not understand the consequences of\n configuring httpd to serve other things besides IPA.\n\n2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure\n our WSGI application to run as the ipa:ipa user and group. We also\n configure our memcached instance to run as the ipa:ipa user and\n group. In this configuration we are now fully protected, only our WSGI\n code can read & write to our memcached UNIX socket.\n\nHowever there may be unforeseen issues by converting our code to run as\nsomething other than apache:apache. This would require some\ninvestigation and testing.\n\nIPA is dependent on other system daemons, specifically Directory\nServer (ds) and Certificate Server (cs). Currently we configure ds to\nrun under the dirsrv:dirsrv user and group, an identity of our\ncreation. We allow cs to default to it's pkiuser:pkiuser user and\ngroup. Should these other cooperating daemons also run under the\ncommon ipa:ipa user and group identities? At first blush there would\nseem to be an advantage to coalescing all process identities under a\ncommon IPA user and group identity. However these other processes do\nnot depend on user and group permissions when working with external\nagents, processes, etc. Rather they are designed to be stand-alone\nnetwork services which authenticate their clients via other\nmechanisms. They do depend on user and group permission to manage\ntheir own file system objects. If somehow the ipa user and/or group\nwere compromised or malicious code somehow executed under the ipa\nidentity there would be an advantage in having the cooperating\nprocesses cordoned off under their own identities providing one extra\nlayer of protection. (Note, these cooperating daemons may not even be\nco-located on the same node in which case the issue is moot)\n\nThe UNIX socket behavior (ldapi) with Directory Server is as follows:\n\n * The socket ownership is: root:root\n\n * The socket permissions are: 0666\n\n * When connecting via ldapi you must authenticate as you would\n normally with a TCP socket, except ...\n\n * If autobind is enabled and the uid:gid is available via\n SO_PEERCRED and the uid:gid can be found in the set of users known\n to the Directory Server then that connection will be bound as that\n user.\n\n * Otherwise an anonymous bind will occur.\n\nmemcached UNIX socket behavior is as follows:\n\n * memcached can be invoked with a user argument, no group may be\n specified. The effective uid is the uid of the user argument and\n the effective gid is the primary group of the user, let's call\n this euid:egid\n\n * The socket ownership is: euid:egid\n\n * The socket permissions are 0700 by default, but this can be\n modified by the -a mask command line arg which sets the umask\n (defaults to 0700).\n\nOverview of authentication in IPA\n=================================\n\nThis describes how we currently authenticate and how we plan to\nimprove authentication performance. First some definitions.\n\nThere are 4 major players:\n\n 1. client\n 2. mod_auth_kerb (in Apache process)\n 3. wsgi handler (in IPA wsgi python process)\n 4. ds (directory server)\n\nThere are several resources:\n\n 1. /ipa/ui (unprotected, web UI static resources)\n 2. /ipa/xml (protected, xmlrpc RPC used by command line clients)\n 3. /ipa/json (protected, json RPC used by javascript in web UI)\n 4. ds (protected, wsgi acts as proxy, our LDAP server)\n\nCurrent Model\n-------------\n\nThis describes how things work in our current system for the web UI.\n\n 1. Client requests /ipa/ui, this is unprotected, is static and\n contains no sensitive information. Apache replies with html and\n javascript. The javascript requests /ipa/json.\n\n 2. Client sends post to /ipa/json.\n\n 3. mod_auth_kerb is configured to protect /ipa/json, replies 401\n authenticate negotiate.\n\n 4. Client resends with credentials\n\n 5. mod_auth_kerb validates credentials\n\n a. if invalid replies 403 access denied (stops here)\n\n b. if valid creates temporary ccache, adds KRB5CCNAME to request\n headers\n\n 6. Request passed to wsgi handler\n\n a. validates request, KRB5CCNAME must be present, referrer, etc.\n\n b. ccache saved and used to bind to ds\n\n c. routes to specified RPC handler.\n\n 7. wsgi handler replies to client\n\nProposed new session based optimization\n---------------------------------------\n\nThe round trip negotiate and credential validation in steps 3,4,5 is\nexpensive. This can be avoided if we can cache the client\ncredentials. With client sessions we can store the client credentials\nin the session bound to the client.\n\nA few notes about the session implementation.\n\n * based on session cookies, cookies must be enabled\n\n * session cookie is secure, only passed on secure connections, only\n passed to our URL resource, never visible to client javascript\n etc.\n\n * session cookie has a session id which is used by wsgi handler to\n retrieve client session data from shared multi-process cache.\n\nChanges to Apache's resource protection\n---------------------------------------\n\n * /ipa/json is no longer protected by mod_auth_kerb. This is\n necessary to avoid the negotiate expense in steps 3,4,5\n above. Instead the /ipa/json resource will be protected in our wsgi\n handler via the session cookie.\n\n * A new protected URI is introduced, /ipa/login. This resource\n does no serve any data, it is used exclusively for authentication.\n\nThe new sequence is:\n\n 1. Client requests /ipa/ui, this is unprotected. Apache replies with\n html and javascript. The javascript requests /ipa/json.\n\n 2. Client sends post to /ipa/json, which is unprotected.\n\n 3. wsgi handler obtains session data from session cookie.\n\n a. if ccache is present in session data and is valid\n\n - request is further validated\n\n - ccache is established for bind to ds\n\n - request is routed to RPC handler\n\n - wsgi handler eventually replies to client\n\n b. if ccache is not present or not valid processing continues ...\n\n 4. wsgi handler replies with 401 Unauthorized\n\n 5. client sends request to /ipa/login to obtain session credentials\n\n 6. mod_auth_kerb replies 401 negotiate on /ipa/login\n\n 7. client sends credentials to /ipa/login\n\n 8. mod_auth_kerb validates credentials\n\n a. if valid\n\n - mod_auth_kerb permits access to /ipa/login. wsgi handler is\n invoked and does the following:\n\n * establishes session for client\n\n * retrieves the ccache from KRB5CCNAME and stores it\n\n a. if invalid\n\n - mod_auth_kerb sends 403 access denied (processing stops)\n\n 9. client now posts the same data again to /ipa/json including\n session cookie. Processing repeats starting at step 2 and since\n the session data now contains a valid ccache step 3a executes, a\n successful reply is sent to client.\n\nCommand line client using xmlrpc\n--------------------------------\n\nThe above describes the web UI utilizing the json RPC mechanism. The\nIPA command line tools utilize a xmlrpc RPC mechanism on the same\nHTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json\nand xmlrpc API's are the same, they differ only on how their procedure\ncalls are marshalled and unmarshalled.\n\nUnder the new scheme /ipa/xml will continue to be Kerberos protected\nat all times. Apache's mod_auth_kerb will continue to require the\nclient provides valid Kerberos credentials.\n\nWhen the WSGI handler routes to /ipa/xml the Kerberos credentials will\nbe extracted from the KRB5CCNAME environment variable as provided by\nmod_auth_kerb. Everything else remains the same.\n" ], "previous_source": "", "target": [ "" ], "id_hash": 5266842103080256542, "content_hash": 5266842103080256542, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1284, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3811, "source_unit": "https://translate.fedoraproject.org/api/units/2727951/?format=api", "priority": 100, "id": 4803368, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=c91794fce22b841e", "url": "https://translate.fedoraproject.org/api/units/4803368/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.487835Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nSudo Commands\n\nCommands used as building blocks for sudo\n\nEXAMPLES:\n\n Create a new command\n ipa sudocmd-add --desc='For reading log files' /usr/bin/less\n\n Remove a command\n ipa sudocmd-del /usr/bin/less\n" ], "previous_source": "", "target": [ "" ], "id_hash": -2108216860654702479, "content_hash": -2108216860654702479, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1286, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 27, "source_unit": "https://translate.fedoraproject.org/api/units/2722426/?format=api", "priority": 100, "id": 4803369, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=62be1bef5f2ff071", "url": "https://translate.fedoraproject.org/api/units/4803369/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.530360Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nGroups of Sudo Commands\n\nManage groups of Sudo Commands.\n\nEXAMPLES:\n\n Add a new Sudo Command Group:\n ipa sudocmdgroup-add --desc='administrators commands' admincmds\n\n Remove a Sudo Command Group:\n ipa sudocmdgroup-del admincmds\n\n Manage Sudo Command Group membership, commands:\n ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds\n\n Manage Sudo Command Group membership, commands:\n ipa group-remove-member --sudocmds=/usr/bin/less admincmds\n\n Show a Sudo Command Group:\n ipa group-show localadmins\n" ], "previous_source": "", "target": [ "" ], "id_hash": 2306682720644878361, "content_hash": 2306682720644878361, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1296, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 58, "source_unit": "https://translate.fedoraproject.org/api/units/2722343/?format=api", "priority": 100, "id": 4803371, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=a002fbb68d91d019", "url": "https://translate.fedoraproject.org/api/units/4803371/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.568611Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nSudo Rules\n\nSudo (su \"do\") allows a system administrator to delegate authority to\ngive certain users (or groups of users) the ability to run some (or all)\ncommands as root or another user while providing an audit trail of the\ncommands and their arguments.\n\nFreeIPA provides a means to configure the various aspects of Sudo:\n Users: The user(s)/group(s) allowed to invoke Sudo.\n Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo.\n Allow Command: The specific command(s) permitted to be run via Sudo.\n Deny Command: The specific command(s) prohibited to be run via Sudo.\n RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with.\n RunAsGroup: The group(s) whose gid rights Sudo will be invoked with.\n Options: The various Sudoers Options that can modify Sudo's behavior.\n\nAn order can be added to a sudorule to control the order in which they\nare evaluated (if the client supports it). This order is an integer and\nmust be unique.\n\nFreeIPA provides a designated binddn to use with Sudo located at:\nuid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n\nTo enable the binddn run the following command to set the password:\nLDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D \"cn=Directory Manager\" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com\n\nEXAMPLES:\n\n Create a new rule:\n ipa sudorule-add readfiles\n\n Add sudo command object and add it as allowed command in the rule:\n ipa sudocmd-add /usr/bin/less\n ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less\n\n Add a host to the rule:\n ipa sudorule-add-host readfiles --hosts server.example.com\n\n Add a user to the rule:\n ipa sudorule-add-user readfiles --users jsmith\n\n Add a special Sudo rule for default Sudo server configuration:\n ipa sudorule-add defaults\n\n Set a default Sudo option:\n ipa sudorule-add-option defaults --sudooption '!authenticate'\n" ], "previous_source": "", "target": [ "" ], "id_hash": 5243186759813810045, "content_hash": 5243186759813810045, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1312, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 271, "source_unit": "https://translate.fedoraproject.org/api/units/2727970/?format=api", "priority": 100, "id": 4803374, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=c8c38a9415bbc77d", "url": "https://translate.fedoraproject.org/api/units/4803374/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.656297Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nLockout status of a user account\n\n An account may become locked if the password is entered incorrectly too\n many times within a specific time period as controlled by password\n policy. A locked account is a temporary condition and may be unlocked by\n an administrator.\n\n This connects to each IPA master and displays the lockout status on\n each one.\n\n To determine whether an account is locked on a given server you need\n to compare the number of failed logins and the time of the last failure.\n For an account to be locked it must exceed the maxfail failures within\n the failinterval duration as specified in the password policy associated\n with the user.\n\n The failed login counter is modified only when a user attempts a log in\n so it is possible that an account may appear locked but the last failed\n login attempt is older than the lockouttime of the password policy. This\n means that the user may attempt a login again.\n " ], "previous_source": "", "target": [ "" ], "id_hash": -6390692798924054731, "content_hash": -6390692798924054731, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1423, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 160, "source_unit": "https://translate.fedoraproject.org/api/units/2727873/?format=api", "priority": 100, "id": 4803380, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=274fb2c23b7c1f35", "url": "https://translate.fedoraproject.org/api/units/4803380/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.860072Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nUnlock a user account\n\n An account may become locked if the password is entered incorrectly too\n many times within a specific time period as controlled by password\n policy. A locked account is a temporary condition and may be unlocked by\n an administrator.\n " ], "previous_source": "", "target": [ "" ], "id_hash": -1197286045834854404, "content_hash": -1197286045834854404, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1424, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 42, "source_unit": "https://translate.fedoraproject.org/api/units/2727990/?format=api", "priority": 100, "id": 4803381, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=6f6262af4f7b3ffc", "url": "https://translate.fedoraproject.org/api/units/4803381/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.878074Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nDomain Name System (DNS)\n\nManage DNS zone and resource records.\n\nSUPPORTED ZONE TYPES\n\n * Master zone (dnszone-*), contains authoritative data.\n * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders\n (a set of DNS servers).\n\nUSING STRUCTURED PER-TYPE OPTIONS\n\nThere are many structured DNS RR types where DNS data stored in LDAP server\nis not just a scalar value, for example an IP address or a domain name, but\na data structure which may be often complex. A good example is a LOC record\n[RFC1876] which consists of many mandatory and optional parts (degrees,\nminutes, seconds of latitude and longitude, altitude or precision).\n\nIt may be difficult to manipulate such DNS records without making a mistake\nand entering an invalid value. DNS module provides an abstraction over these\nraw records and allows to manipulate each RR type with specific options. For\neach supported RR type, DNS module provides a standard option to manipulate\na raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options\nfor every part of the RR structure with format --<rrtype>-<partname>, e.g.\n--mx-preference and --mx-exchanger.\n\nWhen adding a record, either RR specific options or standard option for a raw\nvalue can be used, they just should not be combined in one add operation. When\nmodifying an existing entry, new RR specific options can be used to change\none part of a DNS record, where the standard option for raw value is used\nto specify the modified value. The following example demonstrates\na modification of MX record preference from 0 to 1 in a record without\nmodifying the exchanger:\nipa dnsrecord-mod --mx-rec=\"0 mx.example.com.\" --mx-preference=1\n\n\nEXAMPLES:\n\n Add new zone:\n ipa dnszone-add example.com --admin-email=admin@example.com\n\n Add system permission that can be used for per-zone privilege delegation:\n ipa dnszone-add-permission example.com\n\n Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM:\n ipa dnszone-mod example.com --dynamic-update=TRUE\n\n This is the equivalent of:\n ipa dnszone-mod example.com --dynamic-update=TRUE --update-policy=\"grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;\"\n\n Modify the zone to allow zone transfers for local network only:\n ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24\n\n Add new reverse zone specified by network IP address:\n ipa dnszone-add --name-from-ip=192.0.2.0/24\n\n Add second nameserver for example.com:\n ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com\n\n Add a mail server for example.com:\n ipa dnsrecord-add example.com @ --mx-rec=\"10 mail1\"\n\n Add another record using MX record specific options:\n ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2\n\n Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,\n or dnsrecord-del are executed with no options):\n ipa dnsrecord-add example.com @\n Please choose a type of DNS resource record to be added\n The most common types for this type of zone are: NS, MX, LOC\n\n DNS resource record type: MX\n MX Preference: 30\n MX Exchanger: mail3\n Record name: example.com\n MX record: 10 mail1, 20 mail2, 30 mail3\n NS record: nameserver.example.com., nameserver2.example.com.\n\n Delete previously added nameserver from example.com:\n ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.\n\n Add LOC record for example.com:\n ipa dnsrecord-add example.com @ --loc-rec=\"49 11 42.4 N 16 36 29.6 E 227.64m\"\n\n Add new A record for www.example.com. Create a reverse record in appropriate\n reverse zone as well. In this case a PTR record \"2\" pointing to www.example.com\n will be created in zone 2.0.192.in-addr.arpa.\n ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse\n\n Add new PTR record for www.example.com\n ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.\n\n Add new SRV records for LDAP servers. Three quarters of the requests\n should go to fast.example.com, one quarter to slow.example.com. If neither\n is available, switch to backup.example.com.\n ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 3 389 fast.example.com\"\n ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"0 1 389 slow.example.com\"\n ipa dnsrecord-add example.com _ldap._tcp --srv-rec=\"1 1 389 backup.example.com\"\n\n The interactive mode can be used for easy modification:\n ipa dnsrecord-mod example.com _ldap._tcp\n No option to modify specific record provided.\n Current DNS record contents:\n\n SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com\n\n Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):\n Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y\n SRV Priority [0]: (keep the default value)\n SRV Weight [1]: 2 (modified value)\n SRV Port [389]: (keep the default value)\n SRV Target [slow.example.com]: (keep the default value)\n 1 SRV record skipped. Only one value per DNS record type can be modified at one time.\n Record name: _ldap._tcp\n SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com\n\n After this modification, three fifths of the requests should go to\n fast.example.com and two fifths to slow.example.com.\n\n An example of the interactive mode for dnsrecord-del command:\n ipa dnsrecord-del example.com www\n No option to delete specific record provided.\n Delete all? Yes/No (default No): (do not delete all records)\n Current DNS record contents:\n\n A record: 192.0.2.2, 192.0.2.3\n\n Delete A record '192.0.2.2'? Yes/No (default No):\n Delete A record '192.0.2.3'? Yes/No (default No): y\n Record name: www\n A record: 192.0.2.2 (A record 192.0.2.3 has been deleted)\n\n Show zone example.com:\n ipa dnszone-show example.com\n\n Find zone with \"example\" in its domain name:\n ipa dnszone-find example\n\n Find records for resources with \"www\" in their name in zone example.com:\n ipa dnsrecord-find example.com www\n\n Find A records with value 192.0.2.2 in zone example.com\n ipa dnsrecord-find example.com --a-rec=192.0.2.2\n\n Show records for resource www in zone example.com\n ipa dnsrecord-show example.com www\n\n Delegate zone sub.example to another nameserver:\n ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1\n ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.\n\n Delete zone example.com with all resource records:\n ipa dnszone-del example.com\n\n If a global forwarder is configured, all queries for which this server is not\n authoritative (e.g. sub.example.com) will be routed to the global forwarder.\n Global forwarding configuration can be overridden per-zone.\n\n Semantics of forwarding in IPA matches BIND semantics and depends on the type\n of zone:\n * Master zone: local BIND replies authoritatively to queries for data in\n the given zone (including authoritative NXDOMAIN answers) and forwarding\n affects only queries for names below zone cuts (NS records) of locally\n served zones.\n\n * Forward zone: forward zone contains no authoritative data. BIND forwards\n queries, which cannot be answered from its local cache, to configured\n forwarders.\n\n Semantics of the --forward-policy option:\n * none - disable forwarding for the given zone.\n * first - forward all queries to configured forwarders. If they fail,\n do resolution using DNS root servers.\n * only - forward all queries to configured forwarders and if they fail,\n return failure.\n\n Disable global forwarding for given sub-tree:\n ipa dnszone-mod example.com --forward-policy=none\n\n This configuration forwards all queries for names outside the example.com\n sub-tree to global forwarders. Normal recursive resolution process is used\n for names inside the example.com sub-tree (i.e. NS records are followed etc.).\n\n Forward all requests for the zone external.example.com to another forwarder\n using a \"first\" policy (it will send the queries to the selected forwarder\n and if not answered it will use global root servers):\n ipa dnsforwardzone-add external.example.com --forward-policy=first --forwarder=203.0.113.1\n\n Change forward-policy for external.example.com:\n ipa dnsforwardzone-mod external.example.com --forward-policy=only\n\n Show forward zone external.example.com:\n ipa dnsforwardzone-show external.example.com\n\n List all forward zones:\n ipa dnsforwardzone-find\n\n Delete forward zone external.example.com:\n ipa dnsforwardzone-del external.example.com\n\n Resolve a host name to see if it exists (will add default IPA domain\n if one is not included):\n ipa dns-resolve www.example.com\n ipa dns-resolve www\n\n\nGLOBAL DNS CONFIGURATION\n\nDNS configuration passed to command line install script is stored in a local\nconfiguration file on each IPA server where DNS service is configured. These\nlocal settings can be overridden with a common configuration stored in LDAP\nserver:\n\n Show global DNS configuration:\n ipa dnsconfig-show\n\n Modify global DNS configuration and set a list of global forwarders:\n ipa dnsconfig-mod --forwarder=203.0.113.113\n" ], "previous_source": "", "target": [ "" ], "id_hash": 1459475435192348195, "content_hash": 1459475435192348195, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 430, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 1223, "source_unit": "https://translate.fedoraproject.org/api/units/2727812/?format=api", "priority": 100, "id": 4803383, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=9441192cf90c6e23", "url": "https://translate.fedoraproject.org/api/units/4803383/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.911182Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "A Create reverse" ], "previous_source": "Create reverse", "target": [ "创建反向" ], "id_hash": 1419926074882558501, "content_hash": 1419926074882558501, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 456, "has_suggestion": true, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2722634/?format=api", "priority": 100, "id": 4803386, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=93b4973df4b08a25", "url": "https://translate.fedoraproject.org/api/units/4803386/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:54.972752Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "AAAA Create reverse" ], "previous_source": "Create reverse", "target": [ "创建反向" ], "id_hash": -2628943193230412683, "content_hash": -2628943193230412683, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 461, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2722668/?format=api", "priority": 100, "id": 4803388, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=5b841e1830d1f475", "url": "https://translate.fedoraproject.org/api/units/4803388/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:55.038973Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "LOC Degrees Latitude" ], "previous_source": "LOC Direction Latitude", "target": [ "LOC纬度方向" ], "id_hash": 485755059428716174, "content_hash": 485755059428716174, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 523, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2724299/?format=api", "priority": 100, "id": 4803400, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=86bdbfa72518ee8e", "url": "https://translate.fedoraproject.org/api/units/4803400/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:55.530941Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "LOC Degrees Longitude" ], "previous_source": "LOC Direction Longitude", "target": [ "LOC经度方向" ], "id_hash": -4186823378928952264, "content_hash": -4186823378928952264, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 10, "fuzzy": true, "translated": false, "approved": false, "position": 531, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 3, "source_unit": "https://translate.fedoraproject.org/api/units/2724301/?format=api", "priority": 100, "id": 4803403, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=45e56a51d1a39c38", "url": "https://translate.fedoraproject.org/api/units/4803403/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:55.597114Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nIPA certificate operations\n\nImplements a set of commands for managing server SSL certificates.\n\nCertificate requests exist in the form of a Certificate Signing Request (CSR)\nin PEM format.\n\nThe dogtag CA uses just the CN value of the CSR and forces the rest of the\nsubject to values configured in the server.\n\nA certificate is stored with a service principal and a service principal\nneeds a host.\n\nIn order to request a certificate:\n\n* The host must exist\n* The service must exist (or you use the --add option to automatically add it)\n\nSEARCHING:\n\nCertificates may be searched on by certificate subject, serial number,\nrevocation reason, validity dates and the issued date.\n\nWhen searching on dates the _from date does a >= search and the _to date\ndoes a <= search. When combined these are done as an AND.\n\nDates are treated as GMT to match the dates in the certificates.\n\nThe date format is YYYY-mm-dd.\n\nEXAMPLES:\n\n Request a new certificate and add the principal:\n ipa cert-request --add --principal=HTTP/lion.example.com example.csr\n\n Retrieve an existing certificate:\n ipa cert-show 1032\n\n Revoke a certificate (see RFC 5280 for reason details):\n ipa cert-revoke --revocation-reason=6 1032\n\n Remove a certificate from revocation hold status:\n ipa cert-remove-hold 1032\n\n Check the status of a signing request:\n ipa cert-status 10\n\n Search for certificates by hostname:\n ipa cert-find --subject=ipaserver.example.com\n\n Search for revoked certificates by reason:\n ipa cert-find --revocation-reason=5\n\n Search for certificates based on issuance date\n ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07\n\nIPA currently immediately issues (or declines) all certificate requests so\nthe status of a request is not normally useful. This is for future use\nor the case where a CA does not immediately issue a certificate.\n\nThe following revocation reasons are supported:\n\n * 0 - unspecified\n * 1 - keyCompromise\n * 2 - cACompromise\n * 3 - affiliationChanged\n * 4 - superseded\n * 5 - cessationOfOperation\n * 6 - certificateHold\n * 8 - removeFromCRL\n * 9 - privilegeWithdrawn\n * 10 - aACompromise\n\nNote that reason code 7 is not used. See RFC 5280 for more details:\n\nhttp://www.ietf.org/rfc/rfc5280.txt\n" ], "previous_source": "", "target": [ "" ], "id_hash": 7370572838123338567, "content_hash": 7370572838123338567, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1457, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 335, "source_unit": "https://translate.fedoraproject.org/api/units/2722357/?format=api", "priority": 100, "id": 4803420, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=e64988f1ff7bfb47", "url": "https://translate.fedoraproject.org/api/units/4803420/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.329141Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nAuto Membership Rule.\n\nBring clarity to the membership of hosts and users by configuring inclusive\nor exclusive regex patterns, you can automatically assign a new entries into\na group or hostgroup based upon attribute information.\n\nA rule is directly associated with a group by name, so you cannot create\na rule without an accompanying group or hostgroup.\n\nA condition is a regular expression used by 389-ds to match a new incoming\nentry with an automember rule. If it matches an inclusive rule then the\nentry is added to the appropriate group or hostgroup.\n\nA default group or hostgroup could be specified for entries that do not\nmatch any rule. In case of user entries this group will be a fallback group\nbecause all users are by default members of group specified in IPA config.\n\nThe automember-rebuild command can be used to retroactively run automember rules\nagainst existing entries, thus rebuilding their membership.\n\nEXAMPLES:\n\n Add the initial group or hostgroup:\n ipa hostgroup-add --desc=\"Web Servers\" webservers\n ipa group-add --desc=\"Developers\" devel\n\n Add the initial rule:\n ipa automember-add --type=hostgroup webservers\n ipa automember-add --type=group devel\n\n Add a condition to the rule:\n ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\\.example\\.com webservers\n ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel\n\n Add an exclusive condition to the rule to prevent auto assignment:\n ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\\.example\\.com webservers\n\n Add a host:\n ipa host-add web1.example.com\n\n Add a user:\n ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott\n\n Verify automembership:\n ipa hostgroup-show webservers\n Host-group: webservers\n Description: Web Servers\n Member hosts: web1.example.com\n\n ipa group-show devel\n Group name: devel\n Description: Developers\n GID: 1004200000\n Member users: tuser\n\n Remove a condition from the rule:\n ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\\.example\\.com webservers\n\n Modify the automember rule:\n ipa automember-mod\n\n Set the default (fallback) target group:\n ipa automember-default-group-set --default-group=webservers --type=hostgroup\n ipa automember-default-group-set --default-group=ipausers --type=group\n\n Remove the default (fallback) target group:\n ipa automember-default-group-remove --type=hostgroup\n ipa automember-default-group-remove --type=group\n\n Show the default (fallback) target group:\n ipa automember-default-group-show --type=hostgroup\n ipa automember-default-group-show --type=group\n\n Find all of the automember rules:\n ipa automember-find\n\n Display a automember rule:\n ipa automember-show --type=hostgroup webservers\n ipa automember-show --type=group devel\n\n Delete an automember rule:\n ipa automember-del --type=hostgroup webservers\n ipa automember-del --type=group devel\n\n Rebuild membership for all users:\n ipa automember-rebuild --type=group\n\n Rebuild membership for all hosts:\n ipa automember-rebuild --type=hostgroup\n\n Rebuild membership for specified users:\n ipa automember-rebuild --users=tuser1 --users=tuser2\n\n Rebuild membership for specified hosts:\n ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com\n" ], "previous_source": "", "target": [ "" ], "id_hash": -4850043874430511456, "content_hash": -4850043874430511456, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1425, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 379, "source_unit": "https://translate.fedoraproject.org/api/units/2727785/?format=api", "priority": 100, "id": 4803423, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=3cb12ecaf78296a0", "url": "https://translate.fedoraproject.org/api/units/4803423/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.393205Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nGroups of users\n\nManage groups of users. By default, new groups are POSIX groups. You\ncan add the --nonposix option to the group-add command to mark a new group\nas non-POSIX. You can use the --posix argument with the group-mod command\nto convert a non-POSIX group into a POSIX group. POSIX groups cannot be\nconverted to non-POSIX groups.\n\nEvery group must have a description.\n\nPOSIX groups must have a Group ID (GID) number. Changing a GID is\nsupported but can have an impact on your file permissions. It is not necessary\nto supply a GID when creating a group. IPA will generate one automatically\nif it is not provided.\n\nEXAMPLES:\n\n Add a new group:\n ipa group-add --desc='local administrators' localadmins\n\n Add a new non-POSIX group:\n ipa group-add --nonposix --desc='remote administrators' remoteadmins\n\n Convert a non-POSIX group to posix:\n ipa group-mod --posix remoteadmins\n\n Add a new POSIX group with a specific Group ID number:\n ipa group-add --gid=500 --desc='unix admins' unixadmins\n\n Add a new POSIX group and let IPA assign a Group ID number:\n ipa group-add --desc='printer admins' printeradmins\n\n Remove a group:\n ipa group-del unixadmins\n\n To add the \"remoteadmins\" group to the \"localadmins\" group:\n ipa group-add-member --groups=remoteadmins localadmins\n\n Add multiple users to the \"localadmins\" group:\n ipa group-add-member --users=test1 --users=test2 localadmins\n\n Remove a user from the \"localadmins\" group:\n ipa group-remove-member --users=test2 localadmins\n\n Display information about a named group.\n ipa group-show localadmins\n\nExternal group membership is designed to allow users from trusted domains\nto be mapped to local POSIX groups in order to actually use IPA resources.\nExternal members should be added to groups that specifically created as\nexternal and non-POSIX. Such group later should be included into one of POSIX\ngroups.\n\nAn external group member is currently a Security Identifier (SID) as defined by\nthe trusted domain. When adding external group members, it is possible to\nspecify them in either SID, or DOM\\name, or name@domain format. IPA will attempt\nto resolve passed name to SID with the use of Global Catalog of the trusted domain.\n\nExample:\n\n1. Create group for the trusted domain admins' mapping and their local POSIX group:\n\n ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external\n ipa group-add --desc='<ad.domain> admins' ad_admins\n\n2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external\n group:\n\n ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'\n\n3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:\n\n ipa group-add-member ad_admins --groups ad_admins_external\n\n4. List members of external members of ad_admins_external group to see their SIDs:\n\n ipa group-show ad_admins_external\n" ], "previous_source": "", "target": [ "" ], "id_hash": 4607499835275223901, "content_hash": 4607499835275223901, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1488, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 412, "source_unit": "https://translate.fedoraproject.org/api/units/2727833/?format=api", "priority": 100, "id": 4803426, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=bff120b04840235d", "url": "https://translate.fedoraproject.org/api/units/4803426/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.512422Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nSimulate use of Host-based access controls\n\nHBAC rules control who can access what services on what hosts.\nYou can use HBAC to control which users or groups can access a service,\nor group of services, on a target host.\n\nSince applying HBAC rules implies use of a production environment,\nthis plugin aims to provide simulation of HBAC rules evaluation without\nhaving access to the production environment.\n\n Test user coming to a service on a named host against\n existing enabled rules.\n\n ipa hbactest --user= --host= --service=\n [--rules=rules-list] [--nodetail] [--enabled] [--disabled]\n [--sizelimit= ]\n\n --user, --host, and --service are mandatory, others are optional.\n\n If --rules is specified simulate enabling of the specified rules and test\n the login of the user using only these rules.\n\n If --enabled is specified, all enabled HBAC rules will be added to simulation\n\n If --disabled is specified, all disabled HBAC rules will be added to simulation\n\n If --nodetail is specified, do not return information about rules matched/not matched.\n\n If both --rules and --enabled are specified, apply simulation to --rules _and_\n all IPA enabled rules.\n\n If no --rules specified, simulation is run against all IPA enabled rules.\n By default there is a IPA-wide limit to number of entries fetched, you can change it\n with --sizelimit option.\n\nEXAMPLES:\n\n 1. Use all enabled HBAC rules in IPA database to simulate:\n $ ipa hbactest --user=a1a --host=bar --service=sshd\n --------------------\n Access granted: True\n --------------------\n Not matched rules: my-second-rule\n Not matched rules: my-third-rule\n Not matched rules: myrule\n Matched rules: allow_all\n\n 2. Disable detailed summary of how rules were applied:\n $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail\n --------------------\n Access granted: True\n --------------------\n\n 3. Test explicitly specified HBAC rules:\n $ ipa hbactest --user=a1a --host=bar --service=sshd \\\n --rules=myrule --rules=my-second-rule\n ---------------------\n Access granted: False\n ---------------------\n Not matched rules: my-second-rule\n Not matched rules: myrule\n\n 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:\n $ ipa hbactest --user=a1a --host=bar --service=sshd \\\n --rules=myrule --rules=my-second-rule --enabled\n --------------------\n Access granted: True\n --------------------\n Not matched rules: my-second-rule\n Not matched rules: my-third-rule\n Not matched rules: myrule\n Matched rules: allow_all\n\n 5. Test all disabled HBAC rules in IPA database:\n $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled\n ---------------------\n Access granted: False\n ---------------------\n Not matched rules: new-rule\n\n 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:\n $ ipa hbactest --user=a1a --host=bar --service=sshd \\\n --rules=myrule --rules=my-second-rule --disabled\n ---------------------\n Access granted: False\n ---------------------\n Not matched rules: my-second-rule\n Not matched rules: my-third-rule\n Not matched rules: myrule\n\n 7. Test all (enabled and disabled) HBAC rules in IPA database:\n $ ipa hbactest --user=a1a --host=bar --service=sshd \\\n --enabled --disabled\n --------------------\n Access granted: True\n --------------------\n Not matched rules: my-second-rule\n Not matched rules: my-third-rule\n Not matched rules: myrule\n Not matched rules: new-rule\n Matched rules: allow_all\n\n\nHBACTEST AND TRUSTED DOMAINS\n\nWhen an external trusted domain is configured in IPA, HBAC rules are also applied\non users accessing IPA resources from the trusted domain. Trusted domain users and\ngroups (and their SIDs) can be then assigned to external groups which can be\nmembers of POSIX groups in IPA which can be used in HBAC rules and thus allowing\naccess to resources protected by the HBAC system.\n\nhbactest plugin is capable of testing access for both local IPA users and users\nfrom the trusted domains, either by a fully qualified user name or by user SID.\nSuch user names need to have a trusted domain specified as a short name\n(DOMAIN\\Administrator) or with a user principal name (UPN), Administrator@ad.test.\n\nPlease note that hbactest executed with a trusted domain user as --user parameter\ncan be only run by members of \"trust admins\" group.\n\nEXAMPLES:\n\n 1. Test if a user from a trusted domain specified by its shortname matches any\n rule:\n\n $ ipa hbactest --user 'DOMAIN\\Administrator' --host `hostname` --service sshd\n --------------------\n Access granted: True\n --------------------\n Matched rules: allow_all\n Matched rules: can_login\n\n 2. Test if a user from a trusted domain specified by its domain name matches\n any rule:\n\n $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd\n --------------------\n Access granted: True\n --------------------\n Matched rules: allow_all\n Matched rules: can_login\n\n 3. Test if a user from a trusted domain specified by its SID matches any rule:\n\n $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \\\n --host `hostname` --service sshd\n --------------------\n Access granted: True\n --------------------\n Matched rules: allow_all\n Matched rules: can_login\n\n 4. Test if other user from a trusted domain specified by its SID matches any rule:\n\n $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \\\n --host `hostname` --service sshd\n --------------------\n Access granted: True\n --------------------\n Matched rules: allow_all\n Not matched rules: can_login\n\n 5. Test if other user from a trusted domain specified by its shortname matches\n any rule:\n\n $ ipa hbactest --user 'DOMAIN\\Otheruser' --host `hostname` --service sshd\n --------------------\n Access granted: True\n --------------------\n Matched rules: allow_all\n Not matched rules: can_login\n" ], "previous_source": "", "target": [ "" ], "id_hash": -3951241149242460815, "content_hash": -3951241149242460815, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1526, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 775, "source_unit": "https://translate.fedoraproject.org/api/units/2722420/?format=api", "priority": 100, "id": 4803431, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=492a5f1bfd7f3571", "url": "https://translate.fedoraproject.org/api/units/4803431/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.706849Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nCross-realm trusts\n\nManage trust relationship between IPA and Active Directory domains.\n\nIn order to allow users from a remote domain to access resources in IPA\ndomain, trust relationship needs to be established. Currently IPA supports\nonly trusts between IPA and Active Directory domains under control of Windows\nServer 2008 or later, with functional level 2008 or later.\n\nPlease note that DNS on both IPA and Active Directory domain sides should be\nconfigured properly to discover each other. Trust relationship relies on\nability to discover special resources in the other domain via DNS records.\n\nExamples:\n\n1. Establish cross-realm trust with Active Directory using AD administrator\n credentials:\n\n ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password\n\n2. List all existing trust relationships:\n\n ipa trust-find\n\n3. Show details of the specific trust relationship:\n\n ipa trust-show <ad.domain>\n\n4. Delete existing trust relationship:\n\n ipa trust-del <ad.domain>\n\nOnce trust relationship is established, remote users will need to be mapped\nto local POSIX groups in order to actually use IPA resources. The mapping should\nbe done via use of external membership of non-POSIX group and then this group\nshould be included into one of local POSIX groups.\n\nExample:\n\n1. Create group for the trusted domain admins' mapping and their local POSIX group:\n\n ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external\n ipa group-add --desc='<ad.domain> admins' ad_admins\n\n2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external\n group:\n\n ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'\n\n3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:\n\n ipa group-add-member ad_admins --groups ad_admins_external\n\n4. List members of external members of ad_admins_external group to see their SIDs:\n\n ipa group-show ad_admins_external\n\n\nGLOBAL TRUST CONFIGURATION\n\nWhen IPA AD trust subpackage is installed and ipa-adtrust-install is run,\na local domain configuration (SID, GUID, NetBIOS name) is generated. These\nidentifiers are then used when communicating with a trusted domain of the\nparticular type.\n\n1. Show global trust configuration for Active Directory type of trusts:\n\n ipa trustconfig-show --type ad\n\n2. Modify global configuration for all trusts of Active Directory type and set\n a different fallback primary group (fallback primary group GID is used as\n a primary user GID if user authenticating to IPA domain does not have any other\n primary GID already set):\n\n ipa trustconfig-mod --type ad --fallback-primary-group \"alternative AD group\"\n\n3. Change primary fallback group back to default hidden group (any group with\n posixGroup object class is allowed):\n\n ipa trustconfig-mod --type ad --fallback-primary-group \"Default SMB Group\"\n" ], "previous_source": "", "target": [ "" ], "id_hash": 162152408473313216, "content_hash": 162152408473313216, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1539, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 404, "source_unit": "https://translate.fedoraproject.org/api/units/2722326/?format=api", "priority": 100, "id": 4803433, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=824014c1a2869fc0", "url": "https://translate.fedoraproject.org/api/units/4803433/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.728349Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nAdd new trust to use.\n\nThis command establishes trust relationship to another domain\nwhich becomes 'trusted'. As result, users of the trusted domain\nmay access resources of this domain.\n\nOnly trusts to Active Directory domains are supported right now.\n\nThe command can be safely run multiple times against the same domain,\nthis will cause change to trust relationship credentials on both\nsides.\n " ], "previous_source": "", "target": [ "" ], "id_hash": -2424005769728544750, "content_hash": -2424005769728544750, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1553, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 62, "source_unit": "https://translate.fedoraproject.org/api/units/2722309/?format=api", "priority": 100, "id": 4803434, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=5e5c339869d53012", "url": "https://translate.fedoraproject.org/api/units/4803434/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.766598Z" }, { "translation": "https://translate.fedoraproject.org/api/translations/freeipa/ipa-4-8/zh_CN/?format=api", "source": [ "\nModify a trust (for future use).\n\n Currently only the default option to modify the LDAP attributes is\n available. More specific options will be added in coming releases.\n " ], "previous_source": "", "target": [ "" ], "id_hash": -7374588998119403870, "content_hash": -7374588998119403870, "location": "", "context": "", "note": "", "flags": "", "labels": [], "state": 0, "fuzzy": false, "translated": false, "approved": false, "position": 1567, "has_suggestion": false, "has_comment": false, "has_failing_check": false, "num_words": 27, "source_unit": "https://translate.fedoraproject.org/api/units/2727896/?format=api", "priority": 100, "id": 4803437, "web_url": "https://translate.fedoraproject.org/translate/freeipa/ipa-4-8/zh_CN/?checksum=19a83260e296cea2", "url": "https://translate.fedoraproject.org/api/units/4803437/?format=api", "explanation": "", "extra_flags": "", "pending": false, "timestamp": "2020-08-04T08:48:56.820640Z" } ] }