 Add a new token:
   ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"

Automount

Stores automount(8) configuration for autofs(8) in IPA.

The base of an automount configuration is the configuration file auto.master.
This is also the base location in IPA. Multiple auto.master configurations
can be stored in separate locations. A location is implementation-specific
with the default being a location named 'default'. For example, you can have
locations by geographic region, by floor, by type, etc.

Automount has three basic object types: locations, maps and keys.

A location defines a set of maps anchored in auto.master. This allows you
to store multiple automount configurations. A location in itself isn't
very interesting, it is just a point to start a new automount map.

A map is roughly equivalent to a discrete automount file and provides
storage for keys.

A key is a mount point associated with a map.

When a new location is created, two maps are automatically created for
it: auto.master and auto.direct. auto.master is the root map for all
automount maps for the location. auto.direct is the default map for
direct mounts and is mounted on /-.

An automount map may contain a submount key. This key defines a mount
location within the map that references another map. This can be done
either using automountmap-add-indirect --parentmap or manually
with automountkey-add and setting info to "-type=autofs :<mapname>".

EXAMPLES:

Locations:

  Create a named location, "Baltimore":
    ipa automountlocation-add baltimore

  Display the new location:
    ipa automountlocation-show baltimore

  Find available locations:
    ipa automountlocation-find

  Remove a named automount location:
    ipa automountlocation-del baltimore

  Show what the automount maps would look like if they were in the filesystem:
    ipa automountlocation-tofiles baltimore

  Import an existing configuration into a location:
    ipa automountlocation-import baltimore /etc/auto.master

    The import will fail if any duplicate entries are found. For
    continuous operation where errors are ignored, use the --continue
    option.

Maps:

  Create a new map, "auto.share":
    ipa automountmap-add baltimore auto.share

  Display the new map:
    ipa automountmap-show baltimore auto.share

  Find maps in the location baltimore:
    ipa automountmap-find baltimore

  Create an indirect map with auto.share as a submount:
    ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man

    This is equivalent to:

    ipa automountmap-add-indirect baltimore --mount=/man auto.man
    ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"

  Remove the auto.share map:
    ipa automountmap-del baltimore auto.share

Keys:

  Create a new key for the auto.share map in location baltimore. This ties
  the map we previously created to auto.master:
    ipa automountkey-add baltimore auto.master --key=/share --info=auto.share

  Create a new key for our auto.share map, an NFS mount for man pages:
    ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"

  Find all keys for the auto.share map:
    ipa automountkey-find baltimore auto.share

  Find all direct automount keys:
    ipa automountkey-find baltimore --key=/-

  Remove the man key from the auto.share map:
    ipa automountkey-del baltimore auto.share --key=man

Directory Server Access Control Instructions (ACIs)

ACIs are used to allow or deny access to information. This module is
currently designed to allow, not deny, access.

The aci commands are designed to grant permissions that allow updating
existing entries or adding or deleting new ones. The goal of the ACIs
that ship with IPA is to provide a set of low-level permissions that
grant access to special groups called taskgroups. These low-level
permissions can be combined into roles that grant broader access. Roles
are themselves another type of group.

For example, if you have taskgroups that allow adding and modifying users you
could create a role, useradmin. You would assign users to the useradmin
role to allow them to do the operations defined by the taskgroups.

You can create ACIs that delegate permission so users in group A can write
attributes on group B.

The type option is a map that applies to all entries in the users, groups or
host location. It is primarily designed to be used when granting add
permissions (to write new entries).

An ACI consists of three parts:
1. target
2. permissions
3. bind rules

The target is a set of rules that define which LDAP objects are being
targeted. This can include a list of attributes, an area of that LDAP
tree or an LDAP filter.

The targets include:
- attrs: list of attributes affected
- type: an object type (user, group, host, service, etc)
- memberof: members of a group
- targetgroup: grant access to modify a specific group. This is primarily
  designed to enable users to add or remove members of a specific group.
- filter: A legal LDAP filter used to narrow the scope of the target.
- subtree: Used to apply a rule across an entire set of objects. For example,
  to allow adding users you need to grant "add" permission to the subtree
  ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
  is a fail-safe for objects that may not be covered by the type option.

The permissions define what the ACI is allowed to do, and are one or
more of:
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
4. delete - delete an existing entry
5. all - all permissions are granted

Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editable.

The bind rule defines who this ACI grants permissions to. The LDAP server
allows this to be any valid LDAP entry but we encourage the use of
taskgroups so that the rights can be easily shared through roles.

For a more thorough description of access controls see
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html

EXAMPLES:

NOTE: ACIs are now added via the permission plugin. These examples are to
demonstrate how the various options work but this is done via the permission
command-line now (see last example).

 Add an ACI so that the group "secretaries" can update the address on any user:
   ipa group-add --desc="Office secretaries" secretaries
   ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"

 Show the new ACI:
   ipa aci-show --prefix=none "Secretaries write addresses"

 Add an ACI that allows members of the "addusers" permission to add new users:
   ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"

 Add an ACI that allows members of the editors group to manage members of the admins group:
   ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"

 Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
   ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors"

 Add an ACI that allows the admins group to manage the street and zip code of those who work for the boss:
   ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"

 Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange


The show command shows the raw 389-ds ACI.

IMPORTANT: When modifying the target attributes of an existing ACI you
must include all existing attributes as well. When doing an aci-mod the
targetattr REPLACES the current attributes, it does not add to them.
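
The three parts described above (target, permissions, bind rule) can be read back out of the raw ACI that the show command prints. The following is an added example, not FreeIPA's own code: it parses constructed ACI strings in 389-ds syntax, flags broad grants, and builds the complete --attrs list that a modification needs because targetattr is replaced rather than extended. The sample strings, DNs and function names are assumptions made for illustration.

```python
import re

# Constructed samples in 389-ds ACI syntax; the DNs are illustrative only.
SAMPLE_ACI = (
    '(targetattr = "streetAddress")'
    '(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com)")'
    '(version 3.0;acl "Secretaries write addresses";'
    'allow (write) groupdn = "ldap:///cn=secretaries,cn=groups,cn=accounts,dc=example,dc=com";)'
)
BROAD_ACI = (
    '(targetattr = "*")'
    '(version 3.0;acl "Constructed broad rule";allow (all) userdn = "ldap:///anyone";)'
)

# One parenthesised target clause, e.g. (targetattr = "a || b") or (targetfilter != "...").
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
# The rule body: name, allow/deny, permission list, then the bind rule up to the final ';)'.
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$',
    re.S | re.I,
)


def parse_aci(raw):
    """Split a raw ACI into its target clauses, permissions and bind rule."""
    raw = raw.strip()
    body = BODY_RE.search(raw)
    if body is None:
        raise ValueError("not a version 3.0 ACI: %r" % raw)
    # Target clauses are everything that precedes the "(version 3.0; ...)" body.
    targets = {m.group(1).lower(): (m.group(2), m.group(3))
               for m in TARGET_RE.finditer(raw[:body.start()])}
    attr_value = targets.get("targetattr", ("=", ""))[1]
    return {
        "name": body.group("name"),
        "effect": body.group("effect").lower(),
        "permissions": [p.lower() for p in re.split(r"[,\s]+", body.group("perms").strip()) if p],
        "targets": targets,
        "targetattrs": [a.strip() for a in attr_value.split("||") if a.strip()],
        "bind_rule": body.group("bind"),
    }


def audit(aci):
    """Return findings for grants that are broader than a group-scoped, attribute-scoped rule."""
    findings = []
    if aci["effect"] == "allow" and "all" in aci["permissions"]:
        findings.append("grants 'all' permissions")
    operator = aci["targets"].get("targetattr", ("=", ""))[0]
    if "*" in aci["targetattrs"] or operator == "!=":
        findings.append("targetattr covers every attribute or is an exclusion list")
    if re.search(r'userdn\s*=\s*"ldap:///(anyone|all)"', aci["bind_rule"], re.I):
        findings.append("bind rule is not limited to a group")
    return findings


def attrs_for_mod(aci, new_attrs):
    """Build the full --attrs list for a modification: existing attributes plus new ones.

    The existing attributes must be repeated because the new list replaces the old one.
    """
    merged, seen = [], set()
    for attr in aci["targetattrs"] + list(new_attrs):
        if attr.lower() not in seen:  # LDAP attribute names are case-insensitive
            seen.add(attr.lower())
            merged.append(attr)
    return ["--attrs=%s" % attr for attr in merged]


if __name__ == "__main__":
    for raw in (SAMPLE_ACI, BROAD_ACI):
        aci = parse_aci(raw)
        print(aci["name"], "->", audit(aci) or "no findings")
    print(" ".join(attrs_for_mod(parse_aci(SAMPLE_ACI), ["postalCode"])))
```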

Domain Name System (DNS)

Manage DNS zone and resource records.

SUPPORTED ZONE TYPES

 * Master zone (dnszone-*), contains authoritative data.
 * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
 (a set of DNS servers).

USING STRUCTURED PER-TYPE OPTIONS

There are many structured DNS RR types where the DNS data stored in the LDAP
server is not just a scalar value, for example an IP address or a domain name,
but a data structure that is often complex. A good example is a LOC record
[RFC1876] which consists of many mandatory and optional parts (degrees,
minutes, seconds of latitude and longitude, altitude or precision).

It may be difficult to manipulate such DNS records without making a mistake
and entering an invalid value. The DNS module provides an abstraction over
these raw records and allows each RR type to be manipulated with specific
options. For each supported RR type, the DNS module provides a standard option
to manipulate a raw record with the format --<rrtype>-rec, e.g. --mx-rec, and
special options for every part of the RR structure with the format
--<rrtype>-<partname>, e.g. --mx-preference and --mx-exchanger.

When adding a record, either the RR-specific options or the standard option
for a raw value can be used, but they should not be combined in one add
operation. When modifying an existing entry, the standard option for the raw
value identifies the record being modified and the RR-specific options change
individual parts of it. The following example demonstrates a modification of
the MX record preference from 0 to 1 without modifying the exchanger:
   ipa dnsrecord-mod example.com @ --mx-rec="0 mx.example.com." --mx-preference=1


EXAMPLES:

 Add new zone:
   ipa dnszone-add example.com --admin-email=admin@example.com

 Add system permission that can be used for per-zone privilege delegation:
   ipa dnszone-add-permission example.com

 Modify the zone to allow dynamic updates for hosts' own records in realm EXAMPLE.COM:
   ipa dnszone-mod example.com --dynamic-update=TRUE

   This is the equivalent of:
     ipa dnszone-mod example.com --dynamic-update=TRUE --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"

 Modify the zone to allow zone transfers for local network only:
   ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24

 Add new reverse zone specified by network IP address:
   ipa dnszone-add --name-from-ip=192.0.2.0/24

 Add second nameserver for example.com:
   ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com

 Add a mail server for example.com:
   ipa dnsrecord-add example.com @ --mx-rec="10 mail1"

 Add another record using MX record specific options:
  ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2

 Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
 or dnsrecord-del are executed with no options):
  ipa dnsrecord-add example.com @
  Please choose a type of DNS resource record to be added
  The most common types for this type of zone are: NS, MX, LOC

  DNS resource record type: MX
  MX Preference: 30
  MX Exchanger: mail3
    Record name: example.com
    MX record: 10 mail1, 20 mail2, 30 mail3
    NS record: nameserver.example.com., nameserver2.example.com.

 Delete previously added nameserver from example.com:
   ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.

 Add LOC record for example.com:
   ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"

 Add new A record for www.example.com. Create a reverse record in appropriate
 reverse zone as well. In this case a PTR record "2" pointing to www.example.com
 will be created in zone 2.0.192.in-addr.arpa.
   ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse

 Add new PTR record for www.example.com:
   ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.

 Add new SRV records for LDAP servers. Three quarters of the requests
 should go to fast.example.com, one quarter to slow.example.com. If neither
 is available, switch to backup.example.com.
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"

 The interactive mode can be used for easy modification:
  ipa dnsrecord-mod example.com _ldap._tcp
  No option to modify specific record provided.
  Current DNS record contents:

  SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com

  Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
  Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
  SRV Priority [0]:                     (keep the default value)
  SRV Weight [1]: 2                     (modified value)
  SRV Port [389]:                       (keep the default value)
  SRV Target [slow.example.com]:        (keep the default value)
  1 SRV record skipped. Only one value per DNS record type can be modified at one time.
    Record name: _ldap._tcp
    SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com

 After this modification, three fifths of the requests should go to
 fast.example.com and two fifths to slow.example.com.
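
 The traffic split quoted above follows from how SRV priority and weight are
 applied. The following is an added example, not part of the IPA documentation:
 it parses the --srv-rec values used above and computes each target's share of
 requests, including the failover to the backup tier. The function names and
 the "down" parameter are assumptions made for illustration.

```python
import random
from fractions import Fraction

# SRV values taken from the examples above: "priority weight port target".
BEFORE = ["0 3 389 fast.example.com", "0 1 389 slow.example.com", "1 1 389 backup.example.com"]
AFTER = ["0 3 389 fast.example.com", "1 1 389 backup.example.com", "0 2 389 slow.example.com"]


def parse_srv(rec):
    """Parse one raw SRV value into its four parts."""
    priority, weight, port, target = rec.split()
    return {"priority": int(priority), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".")}


def live_tier(records, down=()):
    """Return the reachable records that share the lowest priority number.

    Clients use the lowest-numbered priority that still has a reachable target;
    higher-numbered priorities are only a fallback.
    """
    live = [r for r in map(parse_srv, records) if r["target"] not in down]
    if not live:
        return []
    best = min(r["priority"] for r in live)
    tier = [r for r in live if r["priority"] == best]
    if sum(r["weight"] for r in tier) == 0:
        # All weights zero: treat the tier as equally weighted.
        for r in tier:
            r["weight"] = 1
    return tier


def expected_shares(records, down=()):
    """Exact fraction of requests each target receives (weight / sum of weights in the tier)."""
    tier = live_tier(records, down)
    total = sum(r["weight"] for r in tier)
    return {r["target"]: Fraction(r["weight"], total) for r in tier}


def simulate(records, n, seed=0, down=()):
    """Draw n weighted selections from the live tier and count hits per target."""
    tier = live_tier(records, down)
    counts = {r["target"]: 0 for r in tier}
    if not tier:
        return counts
    rng = random.Random(seed)
    picks = rng.choices([r["target"] for r in tier],
                        weights=[r["weight"] for r in tier], k=n)
    for target in picks:
        counts[target] += 1
    return counts


if __name__ == "__main__":
    print("before:", expected_shares(BEFORE))
    print("after: ", expected_shares(AFTER))
    both_down = {"fast.example.com", "slow.example.com"}
    print("failover:", expected_shares(BEFORE, down=both_down))
    print("simulated:", simulate(AFTER, 10000))
```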

 An example of the interactive mode for dnsrecord-del command:
   ipa dnsrecord-del example.com www
   No option to delete specific record provided.
   Delete all? Yes/No (default No):     (do not delete all records)
   Current DNS record contents:

   A record: 192.0.2.2, 192.0.2.3

   Delete A record '192.0.2.2'? Yes/No (default No):
   Delete A record '192.0.2.3'? Yes/No (default No): y
     Record name: www
     A record: 192.0.2.2               (A record 192.0.2.3 has been deleted)

 Show zone example.com:
   ipa dnszone-show example.com

 Find zone with "example" in its domain name:
   ipa dnszone-find example

 Find records for resources with "www" in their name in zone example.com:
   ipa dnsrecord-find example.com www

 Find A records with value 192.0.2.2 in zone example.com:
   ipa dnsrecord-find example.com --a-rec=192.0.2.2

 Show records for resource www in zone example.com:
   ipa dnsrecord-show example.com www

 Delegate zone sub.example to another nameserver:
   ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
   ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.

 Delete zone example.com with all resource records:
   ipa dnszone-del example.com

 If a global forwarder is configured, all queries for which this server is not
 authoritative (e.g. sub.example.com) will be routed to the global forwarder.
 Global forwarding configuration can be overridden per-zone.

 The semantics of forwarding in IPA match BIND semantics and depend on the type
 of zone:
   * Master zone: local BIND replies authoritatively to queries for data in
   the given zone (including authoritative NXDOMAIN answers) and forwarding
   affects only queries for names below zone cuts (NS records) of locally
   served zones.

   * Forward zone: forward zone contains no authoritative data. BIND forwards
   queries, which cannot be answered from its local cache, to configured
   forwarders.

 Semantics of the --forward-policy option:
   * none - disable forwarding for the given zone.
   * first - forward all queries to configured forwarders. If they fail,
   do resolution using DNS root servers.
   * only - forward all queries to configured forwarders and if they fail,
   return failure.

 Disable global forwarding for given sub-tree:
   ipa dnszone-mod example.com --forward-policy=none

 This configuration forwards all queries for names outside the example.com
 sub-tree to global forwarders. Normal recursive resolution process is used
 for names inside the example.com sub-tree (i.e. NS records are followed etc.).

 Forward all requests for the zone external.example.com to another forwarder
 using a "first" policy (it will send the queries to the selected forwarder
 and if not answered it will use global root servers):
   ipa dnsforwardzone-add external.example.com --forward-policy=first --forwarder=203.0.113.1

 Change forward-policy for external.example.com:
   ipa dnsforwardzone-mod external.example.com --forward-policy=only

 Show forward zone external.example.com:
   ipa dnsforwardzone-show external.example.com

 List all forward zones:
   ipa dnsforwardzone-find

 Delete forward zone external.example.com:
   ipa dnsforwardzone-del external.example.com

 Resolve a host name to see if it exists (will add default IPA domain
 if one is not included):
   ipa dns-resolve www.example.com
   ipa dns-resolve www


GLOBAL DNS CONFIGURATION

The DNS configuration passed to the command-line install script is stored in a
local configuration file on each IPA server where the DNS service is
configured. These local settings can be overridden with a common configuration
stored in the LDAP server:

 Show global DNS configuration:
   ipa dnsconfig-show

 Modify global DNS configuration and set a list of global forwarders:
   ipa dnsconfig-mod --forwarder=203.0.113.113

Group to Group Delegation

A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.

Group to Group Delegation grants the members of one group permission to update
a set of attributes of members of another group.

EXAMPLES:

 Add a delegation rule to allow managers to edit employees' addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

 When managing the list of attributes you need to include all attributes
 in the list, including existing ones. Add postalCode to the list:
   ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"

 Display our updated rule:
   ipa delegation-show "managers edit employees' street"

 Delete a rule:
   ipa delegation-del "managers edit employees' street"

Groups of hosts.

Manage groups of hosts. This is useful for applying access control to a
number of hosts by using Host-based Access Control.

EXAMPLES:

 Add a new host group:
   ipa hostgroup-add --desc="Baltimore hosts" baltimore

 Add another new host group:
   ipa hostgroup-add --desc="Maryland hosts" maryland

 Add members to the hostgroup (using Bash brace expansion):
   ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore

 Add a hostgroup as a member of another hostgroup:
   ipa hostgroup-add-member --hostgroups=baltimore maryland

 Remove a host from the hostgroup:
   ipa hostgroup-remove-member --hosts=box2 baltimore

 Display a host group:
   ipa hostgroup-show baltimore

 Add a member manager:
   ipa hostgroup-add-member-manager --users=user1 baltimore

 Remove a member manager:
   ipa hostgroup-remove-member-manager --users=user1 baltimore

 Delete a hostgroup:
   ipa hostgroup-del baltimore

HBAC Service Groups

HBAC service groups can contain any number of individual services,
or "members". Every group must have a description.

EXAMPLES:

 Add a new HBAC service group:
   ipa hbacsvcgroup-add --desc="login services" login

 Add members to an HBAC service group:
   ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login

 Display information about a named group:
   ipa hbacsvcgroup-show login

 Delete an HBAC service group:
   ipa hbacsvcgroup-del login

HBAC Services

The PAM services that HBAC can control access to. The name used here
must match the service name that PAM is evaluating.

EXAMPLES:

 Add a new HBAC service:
   ipa hbacsvc-add tftp

 Modify an existing HBAC service:
   ipa hbacsvc-mod --desc="TFTP service" tftp

 Search for HBAC services. This example will return two results, the FTP
 service and the newly-added tftp service:
   ipa hbacsvc-find ftp

 Delete an HBAC service:
   ipa hbacsvc-del tftp

Host-based access control

Control who can access what services on what hosts. You
can use HBAC to control which users or groups can
access a service, or group of services, on a target host.

You can also specify a category of users and target hosts.
This is currently limited to "all", but might be expanded in the
future.

Target hosts in HBAC rules must be hosts managed by IPA.

The available services and groups of services are controlled by the
hbacsvc and hbacsvcgroup plug-ins respectively.

EXAMPLES:

 Create a rule, "test1", that grants all users access to the host "server" from
 anywhere:
   ipa hbacrule-add --usercat=all test1
   ipa hbacrule-add-host --hosts=server.example.com test1

 Display the properties of a named HBAC rule:
   ipa hbacrule-show test1

 Create a rule for a specific service. This lets the user john access
 the sshd service on any machine from any machine:
   ipa hbacrule-add --hostcat=all john_sshd
   ipa hbacrule-add-user --users=john john_sshd
   ipa hbacrule-add-service --hbacsvcs=sshd john_sshd

 Create a rule for a new service group. This lets the user john access
 the FTP service on any machine from any machine:
   ipa hbacsvcgroup-add ftpers
   ipa hbacsvc-add sftp
   ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers
   ipa hbacrule-add --hostcat=all john_ftp
   ipa hbacrule-add-user --users=john john_ftp
   ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp

 Disable a named HBAC rule:
   ipa hbacrule-disable test1

 Remove a named HBAC rule:
   ipa hbacrule-del allow_server
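
Added example (not part of the IPA help text or the FreeIPA code base): a small Python model of how the john_sshd and john_ftp rules above match a login request. It assumes rules only allow, and that a request matching no enabled rule is denied; the class and function names and the host box1.example.com are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """One allow rule; the *_all flags mirror --usercat/--hostcat/--servicecat=all."""
    name: str
    enabled: bool = True
    usercat_all: bool = False
    hostcat_all: bool = False
    servicecat_all: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    svcgroups: set = field(default_factory=set)


@dataclass(frozen=True)
class Request:
    """A PAM access check: who, on which host, through which service."""
    user: str
    host: str
    service: str
    user_groups: frozenset = frozenset()
    host_groups: frozenset = frozenset()


def _dimension(cat_all, direct, groups, name, memberships):
    # A dimension matches through the category, a direct member, or a group.
    return cat_all or name in direct or bool(set(groups) & set(memberships))


def rule_matches(rule, req, svcgroup_members):
    """True only if user, host and service all match an enabled rule."""
    if not rule.enabled:
        return False
    # Service groups that contain the requested service.
    svc_memberships = {g for g, members in svcgroup_members.items()
                       if req.service in members}
    return (
        _dimension(rule.usercat_all, rule.users, rule.groups,
                   req.user, req.user_groups)
        and _dimension(rule.hostcat_all, rule.hosts, rule.hostgroups,
                       req.host, req.host_groups)
        and _dimension(rule.servicecat_all, rule.services, rule.svcgroups,
                       req.service, svc_memberships)
    )


def evaluate(rules, req, svcgroup_members):
    """Return (allowed, names of matching rules); no match means deny."""
    matched = [r.name for r in rules if rule_matches(r, req, svcgroup_members)]
    return bool(matched), matched


def broad_rules(rules):
    """Enabled rules using 'all' in two or more dimensions: review candidates."""
    return [r.name for r in rules
            if r.enabled
            and sum([r.usercat_all, r.hostcat_all, r.servicecat_all]) >= 2]


# The service group and the two rules created in the examples above.
SVCGROUPS = {"ftpers": {"ftp", "sftp"}}
RULES = [
    HbacRule("john_sshd", hostcat_all=True, users={"john"}, services={"sshd"}),
    HbacRule("john_ftp", hostcat_all=True, users={"john"}, svcgroups={"ftpers"}),
]

if __name__ == "__main__":
    # Constructed requests against a constructed host name.
    for user, service in [("john", "sshd"), ("john", "sftp"),
                          ("john", "login"), ("alice", "sshd")]:
        req = Request(user, "box1.example.com", service)
        print(user, service, evaluate(RULES, req, SVCGROUPS))
```

On a live server, "ipa hbactest" evaluates a user, host and service against the stored rules.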

Hosts/Machines

A host represents a machine. It can be used in a number of contexts:
- service entries are associated with a host
- a host stores the host/ service principal
- a host can be used in Host-based Access Control (HBAC) rules
- every enrolled client generates a host entry

ENROLLMENT:

There are three enrollment scenarios when enrolling a new client:

1. You are enrolling as a full administrator. The host entry may exist
   or not. A full administrator is a member of the hostadmin role
   or the admins group.
2. You are enrolling as a limited administrator. The host must already
   exist. A limited administrator is a member of a role with the
   Host Enrollment privilege.
3. The host has been created with a one-time password.

RE-ENROLLMENT:

A host that was enrolled at some point and has lost its configuration
(e.g. VM destroyed) can be re-enrolled.

For more information, consult the manual pages for ipa-client-install.

A host can optionally store information such as where it is located,
the OS that it runs, etc.

EXAMPLES:

 Add a new host:
   ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com

 Delete a host:
   ipa host-del test.example.com

 Add a new host with a one-time password:
   ipa host-add --os='Fedora 12' --password=Secret123 test.example.com

 Add a new host with a random one-time password:
   ipa host-add --os='Fedora 12' --random test.example.com

 Modify information about a host:
   ipa host-mod --os='Fedora 12' test.example.com

 Remove SSH public keys of a host and update DNS to reflect this change:
   ipa host-mod --sshpubkey= --updatedns test.example.com

 Disable the host Kerberos key, SSL certificate and all of its services:
   ipa host-disable test.example.com

 Add a host that can manage this host's keytab and certificate:
   ipa host-add-managedby --hosts=test2 test

 Allow user to create a keytab:
   ipa host-allow-create-keytab test2 --users=tuser1

Manage YubiKey tokens.

Plugin to make multiple ipa calls via one remote procedure call

To run this code in the lite-server:

  curl -H "Content-Type:application/json" \
       -H "Accept:application/json" -H "Accept-Language:en" \
       --negotiate -u : \
       --cacert /etc/ipa/ca.crt \
       -d @batch_request.json -X POST \
       http://localhost:8888/ipa/json

where the contents of the file batch_request.json follow the example below:

  {"method":"batch","params":[[
          {"method":"group_find","params":[[],{}]},
          {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
          {"method":"user_show","params":[["admin"],{"all":true}]}
          ],{}],"id":1}

The format of the response is nested the same way. At the top you will see:

  "error": null,
  "id": 1,
  "result": {
      "count": 3,
      "results": [

And then a nested response for each IPA command method sent in the request.
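
Added example (not part of the IPA help text or the FreeIPA code base): building a batch request in the shape shown above and checking every nested result, since a null top-level "error" only covers the batch call itself. The sample response is constructed, and the per-result "error" and "error_name" fields, like the user name nosuchuser, are assumptions not shown on this page.

```python
import json


def build_batch(calls, request_id=1):
    """Build the batch envelope from (method, args, options) tuples."""
    nested = [{"method": m, "params": [list(a), dict(o)]} for m, a, o in calls]
    return {"method": "batch", "params": [nested, {}], "id": request_id}


def check_batch(request, response_text):
    """Pair each nested command with its result.

    Returns a list of (method, ok, error_text). Raises if the envelope is
    inconsistent, so a short or mismatched response is never read as success.
    """
    resp = json.loads(response_text)
    if resp.get("id") != request["id"]:
        raise ValueError("response id does not match request id")
    if resp.get("error") is not None:
        raise RuntimeError("batch call itself failed: %r" % (resp["error"],))
    result = resp.get("result") or {}
    results = result.get("results")
    sent = request["params"][0]
    if not isinstance(results, list):
        raise ValueError("response has no nested results list")
    if result.get("count") != len(results) or len(results) != len(sent):
        raise ValueError("nested result count does not match commands sent")
    outcome = []
    for call, item in zip(sent, results):
        err = item.get("error")  # assumed per-result error field
        outcome.append((call["method"], err is None, err))
    return outcome


def failed(outcome):
    """Methods whose nested result carried an error."""
    return [method for method, ok, _ in outcome if not ok]


# Constructed request: two lookups that succeed and one that does not.
REQUEST = build_batch([
    ("group_find", [], {}),
    ("user_show", ["admin"], {"all": True}),
    ("user_show", ["nosuchuser"], {"all": True}),
])

# Constructed response, not captured from a real server.
SAMPLE_RESPONSE = json.dumps({
    "error": None,
    "id": 1,
    "result": {"count": 3, "results": [
        {"error": None, "count": 1, "result": [{"cn": ["admins"]}]},
        {"error": None, "result": {"uid": ["admin"]}},
        {"error": "nosuchuser: user not found", "error_name": "NotFound"},
    ]},
})

if __name__ == "__main__":
    print(json.dumps(REQUEST))
    for row in check_batch(REQUEST, SAMPLE_RESPONSE):
        print(row)
```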


Search for ACIs.

    Returns a list of ACIs

    EXAMPLES:

     To find all ACIs that apply directly to members of the group ipausers:
       ipa aci-find --memberof=ipausers

     To find all ACIs that grant add access:
       ipa aci-find --permissions=add

    Note that the find command only looks for the given text in the set of
    ACIs; it does not evaluate the ACIs to see if something would apply.
    For example, searching on memberof=ipausers will find all ACIs that
    have ipausers as a memberof. There may be other ACIs that apply to
    members of that group indirectly.
    
Server configuration

Manage the default values that IPA uses and some of its tuning parameters.

NOTES:

The password notification value (--pwdexpnotify) is stored here so it will
be replicated. It is not currently used to notify users in advance of an
expiring password.

Some attributes are read-only, provided only for information purposes. These
include:

Certificate Subject base: the configured certificate subject base,
  e.g. O=EXAMPLE.COM.  This is configurable only at install time.
Password plug-in features: currently defines additional hashes that the
  password will generate (there may be other conditions).

When setting the order list for mapping SELinux users you may need to
quote the value so it isn't interpreted by the shell.

EXAMPLES:

 Show basic server configuration:
   ipa config-show

 Show all configuration options:
   ipa config-show --all

 Change maximum username length to 99 characters:
   ipa config-mod --maxusername=99

 Increase default time and size limits for maximum IPA server search:
   ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000

 Set default user e-mail domain:
   ipa config-mod --emaildomain=example.com

 Enable migration mode to make "ipa migrate-ds" command operational:
   ipa config-mod --enable-migration=TRUE

 Define SELinux user map order:
   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

This code is an extension to the otptoken plugin and provides support for
reading/writing YubiKey tokens directly.

YubiKey Tokens
Project-Id-Version: freeipa 4.10.0.dev202206291425+git9a97f9b40
Report-Msgid-Bugs-To: https://pagure.io/freeipa/new_issue
PO-Revision-Date: 2024-09-27 09:59+0000
Last-Translator: 김인수 <simmon@nplob.com>
Language-Team: Korean <https://translate.fedoraproject.org/projects/freeipa/master/ko/>
Language: ko
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Plural-Forms: nplurals=1; plural=0;
X-Generator: Weblate 5.7.2

 Add a new token:
   ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"

Automount

Stores automount(8) configuration for autofs(8) in IPA

The base of an automount configuration is the configuration file auto.master.
This is also the base location in IPA. Multiple auto.master configurations
can be stored in separate locations. A location is implementation-specific
with the default being a location named 'default'. For example, you can have
locations by geographic region, by floor, by type, etc.

Automount has three basic object types: locations, maps and keys.

A location defines a set of maps anchored in auto.master. This allows you
to store multiple automount configurations. A location in itself isn't
very interesting, it is just a point to start a new automount map.

A map is roughly equivalent to a discrete automount file and provides
storage for keys.

A key is a mount point associated with a map.

When a new location is created, two maps are automatically created for
it: auto.master and auto.direct. auto.master is the root map for all
automount maps for the location. auto.direct is the default map for
direct mounts and is mounted on /-.

An automount map may contain a submount key. This key defines a mount
location within the map that references another map. This can be done
either using automountmap-add-indirect --parentmap or manually
with automountkey-add and setting info to "-type=autofs :<mapname>".

EXAMPLES:

Locations:

  Create a named location, "Baltimore":
    ipa automountlocation-add baltimore

  Display the new location:
    ipa automountlocation-show baltimore

  Find available locations:
    ipa automountlocation-find

  Remove a named automount location:
    ipa automountlocation-del baltimore

  Show what the automount maps would look like if they were in the filesystem:
    ipa automountlocation-tofiles baltimore

  Import an existing configuration into a location:
    ipa automountlocation-import baltimore /etc/auto.master

    The import will fail if any duplicate entries are found. For
    continuous operation where errors are ignored, use the --continue
    option.

Maps:

  Create a new map, "auto.share":
    ipa automountmap-add baltimore auto.share

  Display the new map:
    ipa automountmap-show baltimore auto.share

  Find maps in the location baltimore:
    ipa automountmap-find baltimore

  Create an indirect map with auto.share as a submount:
    ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man

    This is equivalent to:

    ipa automountmap-add-indirect baltimore --mount=/man auto.man
    ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share"

  Remove the auto.share map:
    ipa automountmap-del baltimore auto.share

Keys:

  Create a new key for the auto.share map in location baltimore. This ties
  the map we previously created to auto.master:
    ipa automountkey-add baltimore auto.master --key=/share --info=auto.share

  Create a new key for our auto.share map, an NFS mount for man pages:
    ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man"

  Find all keys for the auto.share map:
    ipa automountkey-find baltimore auto.share

  Find all direct automount keys:
    ipa automountkey-find baltimore --key=/-

  Remove the man key from the auto.share map:
    ipa automountkey-del baltimore auto.share --key=man

Directory Server Access Control Instructions (ACIs)

ACIs are used to allow or deny access to information. This module is
currently designed to allow, not deny, access.

The aci commands are designed to grant permissions that allow updating
existing entries or adding or deleting new ones. The goal of the ACIs
that ship with IPA is to provide a set of low-level permissions that
grant access to special groups called taskgroups. These low-level
permissions can be combined into roles that grant broader access. These
roles are another type of group, roles.

For example, if you have taskgroups that allow adding and modifying users you
could create a role, useradmin. You would assign users to the useradmin
role to allow them to do the operations defined by the taskgroups.

You can create ACIs that delegate permission so users in group A can write
attributes on group B.

The type option is a map that applies to all entries in the users, groups or
host location. It is primarily designed to be used when granting add
permissions (to write new entries).

An ACI consists of three parts:
1. target
2. permissions
3. bind rules

The target is a set of rules that define which LDAP objects are being
targeted. This can include a list of attributes, an area of that LDAP
tree or an LDAP filter.

The targets include:
- attrs: list of attributes affected
- type: an object type (user, group, host, service, etc)
- memberof: members of a group
- targetgroup: grant access to modify a specific group. This is primarily
  designed to enable users to add or remove members of a specific group.
- filter: A legal LDAP filter used to narrow the scope of the target.
- subtree: Used to apply a rule across an entire set of objects. For example,
  to allow adding users you need to grant "add" permission to the subtree
  ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
  is a fail-safe for objects that may not be covered by the type option.

The permissions define what the ACI is allowed to do, and are one or
more of:
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
4. delete - delete an existing entry
5. all - all permissions are granted

Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editable.

The bind rule defines who this ACI grants permissions to. The LDAP server
allows this to be any valid LDAP entry but we encourage the use of
taskgroups so that the rights can be easily shared through roles.

For a more thorough description of access controls see
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html

EXAMPLES:

NOTE: ACIs are now added via the permission plugin. These examples are to
demonstrate how the various options work but this is done via the permission
command-line now (see last example).

 Add an ACI so that the group "secretaries" can update the address on any user:
   ipa group-add --desc="Office secretaries" secretaries
   ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"

 Show the new ACI:
   ipa aci-show --prefix=none "Secretaries write addresses"

 Add an ACI that allows members of the "addusers" permission to add new users:
   ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"

 Add an ACI that allows members of the editors group to manage members of the admins group:
   ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"

 Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
   ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors"

 Add an ACI that allows the admins group to manage the street and zip code of those who work for the boss:
   ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"

 Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange


The show command shows the raw 389-ds ACI.

IMPORTANT: When modifying the target attributes of an existing ACI you
must include all existing attributes as well. When doing an aci-mod the
targetattr REPLACES the current attributes, it does not add to them.
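
The replace-not-append behaviour above, worked through as an added example (not FreeIPA's own code): it parses a raw 389-ds ACI of the kind aci-show prints, splits it into target, permissions and bind rule, and builds an aci-mod command line that carries the existing attributes along with the new one. The sample ACI string is constructed, the function names are hypothetical, and --prefix=none is assumed as in the examples above.

```python
import re
import shlex

# Constructed sample: a raw 389-ds ACI of the kind "ipa aci-show" prints.
SAMPLE_ACI = (
    '(targetattr = "street || postalcode")'
    '(targetfilter = "(memberOf=cn=editors,cn=groups,cn=accounts,dc=example,dc=com)")'
    '(version 3.0;acl "admins edit the address of editors";'
    'allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)

# One parenthesised target clause: (keyword = "value") or (keyword != "value").
_TARGET = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
# The rule part: (version 3.0; acl "name"; allow (perms) bind-rule;)
_RULE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$',
    re.IGNORECASE | re.DOTALL,
)


def parse_aci(raw):
    """Split a raw ACI into its three parts: targets, permissions, bind rule."""
    raw = raw.strip()
    start = raw.lower().find("(version")
    if start < 0:
        raise ValueError("no '(version 3.0; ...)' rule part found")
    head, rule = raw[:start], raw[start:]

    targets, pos = {}, 0
    for m in _TARGET.finditer(head):
        if head[pos:m.start()].strip():
            raise ValueError("unparsed text in target part: %r" % head[pos:m.start()])
        targets[m.group(1).lower()] = (m.group(2), m.group(3))
        pos = m.end()
    if head[pos:].strip():
        raise ValueError("unparsed text in target part: %r" % head[pos:])

    m = _RULE.match(rule)
    if not m:
        raise ValueError("malformed rule part")
    name, effect, perms, bind = m.groups()
    return {
        "name": name,
        "targets": targets,
        "effect": effect.lower(),
        "permissions": [p.strip().lower() for p in perms.split(",") if p.strip()],
        "bind_rule": bind,
    }


def target_attrs(aci):
    """Attributes listed in targetattr; 389-ds separates them with '||'."""
    _op, value = aci["targets"].get("targetattr", ("=", ""))
    return [a.strip() for a in value.split("||") if a.strip()]


def merged_attrs(aci, extra):
    """Existing attributes first, then new ones; LDAP attribute names are
    case-insensitive, so 'postalCode' does not duplicate 'postalcode'."""
    out, seen = [], set()
    for attr in target_attrs(aci) + list(extra):
        if attr.lower() not in seen:
            seen.add(attr.lower())
            out.append(attr)
    return out


def aci_mod_command(raw, extra, prefix="none"):
    """Build the aci-mod command that adds `extra` without dropping anything."""
    aci = parse_aci(raw)
    if aci["targets"].get("targetattr", ("=", ""))[0] != "=":
        raise ValueError('targetattr uses "!=" (an exclusion list); merge by hand')
    argv = ["ipa", "aci-mod"]
    argv += ["--attrs=" + a for a in merged_attrs(aci, extra)]
    argv += ["--prefix=" + prefix, aci["name"]]
    return shlex.join(argv)


if __name__ == "__main__":
    print(parse_aci(SAMPLE_ACI))
    print(aci_mod_command(SAMPLE_ACI, ["l"]))
```

Running aci-mod with only the new attribute would leave the ACI covering that attribute alone, so the command is built from the parsed current state rather than typed from memory.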

Directory Server Access Control Instructions (ACIs)

ACIs are used to allow or deny access to information. This module is
currently designed to allow, not deny, access.

The aci commands are designed to grant permissions that allow updating
existing entries or adding or deleting new ones. The goal of the ACIs
that ship with IPA is to provide a set of low-level permissions that
grant access to special groups called taskgroups. These low-level
permissions can be combined into roles that grant broader access. These
roles are another type of group, roles.

For example, if you have taskgroups that allow adding and modifying users you
could create a role, useradmin. You would assign users to the useradmin
role to allow them to do the operations defined by the taskgroups.

You can create ACIs that delegate permission so users in group A can write
attributes on group B.

The type option is a map that applies to all entries in the users, groups or
host location. It is primarily designed to be used when granting add
permissions (to write new entries).

An ACI consists of three parts:
1. target
2. permissions
3. bind rules

The target is a set of rules that define which LDAP objects are being
targeted. This can include a list of attributes, an area of that LDAP
tree or an LDAP filter.

The targets include:
- attrs: list of attributes affected
- type: an object type (user, group, host, service, etc)
- memberof: members of a group
- targetgroup: grant access to modify a specific group. This is primarily
  designed to enable users to add or remove members of a specific group.
- filter: A legal LDAP filter used to narrow the scope of the target.
- subtree: Used to apply a rule across an entire set of objects. For example,
  to allow adding users you need to grant "add" permission to the subtree
  ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
  is a fail-safe for objects that may not be covered by the type option.

The permissions define what the ACI is allowed to do, and are one or
more of:
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
4. delete - delete an existing entry
5. all - all permissions are granted

Note the distinction between attributes and entries. The permissions are
independent, so being able to add a user does not mean that the user will
be editable.

The bind rule defines who this ACI grants permissions to. The LDAP server
allows this to be any valid LDAP entry but we encourage the use of
taskgroups so that the rights can be easily shared through roles.

For a more thorough description of access controls see
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html

EXAMPLES:

NOTE: ACIs are now added via the permission plugin. These examples are to
demonstrate how the various options work but this is done via the permission
command-line now (see last example).

 Add an ACI so that the group "secretaries" can update the address on any user:
   ipa group-add --desc="Office secretaries" secretaries
   ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses"

 Show the new ACI:
   ipa aci-show --prefix=none "Secretaries write addresses"

 Add an ACI that allows members of the "addusers" permission to add new users:
   ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users"

 Add an ACI that allows members of the editors group to manage members of the admins group:
   ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins"

 Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group:
   ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors"

 Add an ACI that allows the admins group to manage the street and zip code of those who work for the boss:
   ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss"

 Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
   ipa permission-add  --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange


The show command shows the raw 389-ds ACI.

IMPORTANT: When modifying the target attributes of an existing ACI you
must include all existing attributes as well. When doing an aci-mod the
targetattr REPLACES the current attributes, it does not add to them.

Domain Name System (DNS)

Manage DNS zone and resource records.

SUPPORTED ZONE TYPES

 * Master zone (dnszone-*), contains authoritative data.
 * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
 (a set of DNS servers).

USING STRUCTURED PER-TYPE OPTIONS

There are many structured DNS RR types where the DNS data stored in the LDAP
server is not just a scalar value, for example an IP address or a domain name,
but a data structure which may often be complex. A good example is a LOC record
[RFC1876] which consists of many mandatory and optional parts (degrees,
minutes, seconds of latitude and longitude, altitude or precision).

It may be difficult to manipulate such DNS records without making a mistake
and entering an invalid value. The DNS module provides an abstraction over these
raw records and allows each RR type to be manipulated with specific options. For
each supported RR type, the DNS module provides a standard option to manipulate
a raw record with format --<rrtype>-rec, e.g. --mx-rec, and special options
for every part of the RR structure with format --<rrtype>-<partname>, e.g.
--mx-preference and --mx-exchanger.

When adding a record, either RR specific options or standard option for a raw
value can be used, they just should not be combined in one add operation. When
modifying an existing entry, new RR specific options can be used to change
one part of a DNS record, where the standard option for raw value is used
to specify the modified value. The following example demonstrates
a modification of MX record preference from 0 to 1 in a record without
modifying the exchanger:
ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1


EXAMPLES:

 Add new zone:
   ipa dnszone-add example.com --admin-email=admin@example.com

 Add system permission that can be used for per-zone privilege delegation:
   ipa dnszone-add-permission example.com

 Modify the zone to allow dynamic updates for hosts' own records in realm EXAMPLE.COM:
   ipa dnszone-mod example.com --dynamic-update=TRUE

   This is the equivalent of:
     ipa dnszone-mod example.com --dynamic-update=TRUE --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;"

 Modify the zone to allow zone transfers for local network only:
   ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24

 Add new reverse zone specified by network IP address:
   ipa dnszone-add --name-from-ip=192.0.2.0/24

 Add second nameserver for example.com:
   ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com

 Add a mail server for example.com:
   ipa dnsrecord-add example.com @ --mx-rec="10 mail1"

 Add another record using MX record specific options:
  ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2

 Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod,
 or dnsrecord-del are executed with no options):
  ipa dnsrecord-add example.com @
  Please choose a type of DNS resource record to be added
  The most common types for this type of zone are: NS, MX, LOC

  DNS resource record type: MX
  MX Preference: 30
  MX Exchanger: mail3
    Record name: example.com
    MX record: 10 mail1, 20 mail2, 30 mail3
    NS record: nameserver.example.com., nameserver2.example.com.

 Delete previously added nameserver from example.com:
   ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com.

 Add LOC record for example.com:
   ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m"

 Add new A record for www.example.com. Create a reverse record in appropriate
 reverse zone as well. In this case a PTR record "2" pointing to www.example.com
 will be created in zone 2.0.192.in-addr.arpa.
   ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse

 Add new PTR record for www.example.com:
   ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com.

 Add new SRV records for LDAP servers. Three quarters of the requests
 should go to fast.example.com, one quarter to slow.example.com. If neither
 is available, switch to backup.example.com.
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com"
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com"
   ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com"

 The interactive mode can be used for easy modification:
  ipa dnsrecord-mod example.com _ldap._tcp
  No option to modify specific record provided.
  Current DNS record contents:

  SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com

  Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No):
  Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y
  SRV Priority [0]:                     (keep the default value)
  SRV Weight [1]: 2                     (modified value)
  SRV Port [389]:                       (keep the default value)
  SRV Target [slow.example.com]:        (keep the default value)
  1 SRV record skipped. Only one value per DNS record type can be modified at one time.
    Record name: _ldap._tcp
    SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com

 After this modification, three fifths of the requests should go to
 fast.example.com and two fifths to slow.example.com.

 An example of the interactive mode for dnsrecord-del command:
   ipa dnsrecord-del example.com www
   No option to delete specific record provided.
   Delete all? Yes/No (default No):     (do not delete all records)
   Current DNS record contents:

   A record: 192.0.2.2, 192.0.2.3

   Delete A record '192.0.2.2'? Yes/No (default No):
   Delete A record '192.0.2.3'? Yes/No (default No): y
     Record name: www
     A record: 192.0.2.2               (A record 192.0.2.3 has been deleted)

 Show zone example.com:
   ipa dnszone-show example.com

 Find zone with "example" in its domain name:
   ipa dnszone-find example

 Find records for resources with "www" in their name in zone example.com:
   ipa dnsrecord-find example.com www

 Find A records with value 192.0.2.2 in zone example.com:
   ipa dnsrecord-find example.com --a-rec=192.0.2.2

 Show records for resource www in zone example.com:
   ipa dnsrecord-show example.com www

 Delegate zone sub.example to another nameserver:
   ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1
   ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com.

 Delete zone example.com with all resource records:
   ipa dnszone-del example.com

 If a global forwarder is configured, all queries for which this server is not
 authoritative (e.g. sub.example.com) will be routed to the global forwarder.
 Global forwarding configuration can be overridden per-zone.

 Semantics of forwarding in IPA matches BIND semantics and depends on the type
 of zone:
   * Master zone: local BIND replies authoritatively to queries for data in
   the given zone (including authoritative NXDOMAIN answers) and forwarding
   affects only queries for names below zone cuts (NS records) of locally
   served zones.

   * Forward zone: forward zone contains no authoritative data. BIND forwards
   queries, which cannot be answered from its local cache, to configured
   forwarders.

 Semantics of the --forward-policy option:
   * none - disable forwarding for the given zone.
   * first - forward all queries to configured forwarders. If they fail,
   do resolution using DNS root servers.
   * only - forward all queries to configured forwarders and if they fail,
   return failure.

 Disable global forwarding for given sub-tree:
   ipa dnszone-mod example.com --forward-policy=none

 This configuration forwards all queries for names outside the example.com
 sub-tree to global forwarders. Normal recursive resolution process is used
 for names inside the example.com sub-tree (i.e. NS records are followed etc.).

 Forward all requests for the zone external.example.com to another forwarder
 using a "first" policy (it will send the queries to the selected forwarder
 and if not answered it will use global root servers):
   ipa dnsforwardzone-add external.example.com --forward-policy=first --forwarder=203.0.113.1

 Change forward-policy for external.example.com:
   ipa dnsforwardzone-mod external.example.com --forward-policy=only

 Show forward zone external.example.com:
   ipa dnsforwardzone-show external.example.com

 List all forward zones:
   ipa dnsforwardzone-find

 Delete forward zone external.example.com:
   ipa dnsforwardzone-del external.example.com

 Resolve a host name to see if it exists (will add default IPA domain
 if one is not included):
   ipa dns-resolve www.example.com
   ipa dns-resolve www


GLOBAL DNS CONFIGURATION

DNS configuration passed to command line install script is stored in a local
configuration file on each IPA server where DNS service is configured. These
local settings can be overridden with a common configuration stored in LDAP
server:

 Show global DNS configuration:
   ipa dnsconfig-show

 Modify global DNS configuration and set a list of global forwarders:
   ipa dnsconfig-mod --forwarder=203.0.113.113

EXAMPLES:

Group to Group Delegation

A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.

Group to Group Delegation grants the members of one group the right to update
a set of attributes of members of another group.

EXAMPLES:

 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

 When managing the list of attributes you need to include all attributes
 in the list, including existing ones. Add postalCode to the list:
   ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street"

 Display our updated rule:
   ipa delegation-show "managers edit employees' street"

 Delete a rule:
   ipa delegation-del "managers edit employees' street"

Group to Group Delegation

A permission enables fine-grained delegation of permissions. Access Control
Rules, or instructions (ACIs), grant permission to permissions to perform
given tasks such as adding a user, modifying a group, etc.

Group to Group Delegation grants the members of one group the right to update
a set of attributes of members of another group.

EXAMPLES:

 Add a delegation rule to allow managers to edit employee's addresses:
   ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street"

 When managing the list of attributes you need to include all attributes
 in the list, including existing ones. Add postalCode to the list:
   ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street"

 Display our updated rule:
   ipa delegation-show "managers edit employees' street"

 Delete a rule:
   ipa delegation-del "managers edit employees' street"

Groups of hosts.

Manage groups of hosts. This is useful for applying access control to a
number of hosts by using Host-based Access Control.

EXAMPLES:

 Add a new host group:
   ipa hostgroup-add --desc="Baltimore hosts" baltimore

 Add another new host group:
   ipa hostgroup-add --desc="Maryland hosts" maryland

 Add members to the hostgroup (using Bash brace expansion):
   ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore

 Add a hostgroup as a member of another hostgroup:
   ipa hostgroup-add-member --hostgroups=baltimore maryland

 Remove a host from the hostgroup:
   ipa hostgroup-remove-member --hosts=box2 baltimore

 Display a host group:
   ipa hostgroup-show baltimore

 Add a member manager:
   ipa hostgroup-add-member-manager --users=user1 baltimore

 Remove a member manager:
   ipa hostgroup-remove-member-manager --users=user1 baltimore

 Delete a hostgroup:
   ipa hostgroup-del baltimore

Groups of hosts.

Manage groups of hosts. This is useful for applying access control to a
number of hosts by using Host-based Access Control.

EXAMPLES:

 Add a new host group:
   ipa hostgroup-add --desc="Baltimore hosts" baltimore

 Add another new host group:
   ipa hostgroup-add --desc="Maryland hosts" maryland

 Add members to the hostgroup (using Bash brace expansion):
   ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore

 Add a hostgroup as a member of another hostgroup:
   ipa hostgroup-add-member --hostgroups=baltimore maryland

 Remove a host from the hostgroup:
   ipa hostgroup-remove-member --hosts=box2 baltimore

 Display a host group:
   ipa hostgroup-show baltimore

 Delete a hostgroup:
   ipa hostgroup-del baltimore

HBAC Service Groups

HBAC service groups can contain any number of individual services,
or "members". Every group must have a description.

EXAMPLES:

 Add a new HBAC service group:
   ipa hbacsvcgroup-add --desc="login services" login

 Add members to an HBAC service group:
   ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login

 Display information about a named group:
   ipa hbacsvcgroup-show login

 Delete an HBAC service group:
   ipa hbacsvcgroup-del login

HBAC Services

The PAM services that HBAC can control access to. The name used here
must match the service name that PAM is evaluating.

EXAMPLES:

 Add a new HBAC service:
   ipa hbacsvc-add tftp

 Modify an existing HBAC service:
   ipa hbacsvc-mod --desc="TFTP service" tftp

 Search for HBAC services. This example will return two results, the FTP
 service and the newly-added tftp service:
   ipa hbacsvc-find ftp

 Delete an HBAC service:
   ipa hbacsvc-del tftp


Host-based Access Control

Control who can access what services on what hosts. You
can use HBAC to control which users or groups can
access a service, or group of services, on a target host.

You can also specify a category of users and target hosts.
This is currently limited to "all", but might be expanded in the
future.

Target hosts in HBAC rules must be hosts managed by IPA.

The available services and groups of services are controlled by the
hbacsvc and hbacsvcgroup plug-ins respectively.

EXAMPLES:

 Create a rule, "test1", that grants all users access to the host "server" from
 anywhere:
   ipa hbacrule-add --usercat=all test1
   ipa hbacrule-add-host --hosts=server.example.com test1

 Display the properties of a named HBAC rule:
   ipa hbacrule-show test1

 Create a rule for a specific service. This lets the user john access
 the sshd service on any machine from any machine:
   ipa hbacrule-add --hostcat=all john_sshd
   ipa hbacrule-add-user --users=john john_sshd
   ipa hbacrule-add-service --hbacsvcs=sshd john_sshd

 Create a rule for a new service group. This lets the user john access
 the FTP service on any machine from any machine:
   ipa hbacsvcgroup-add ftpers
   ipa hbacsvc-add sftp
   ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers
   ipa hbacrule-add --hostcat=all john_ftp
   ipa hbacrule-add-user --users=john john_ftp
   ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp

 Disable a named HBAC rule:
   ipa hbacrule-disable test1

 Remove a named HBAC rule:
   ipa hbacrule-del allow_server

Hosts/Machines

A host represents a machine. It can be used in a number of contexts:
- service entries are associated with a host
- a host stores the host/ service principal
- a host can be used in Host-based Access Control (HBAC) rules
- every enrolled client generates a host entry

ENROLLMENT:

There are three enrollment scenarios when enrolling a new client:

1. You are enrolling as a full administrator. The host entry may exist
   or not. A full administrator is a member of the hostadmin role
   or the admins group.
2. You are enrolling as a limited administrator. The host must already
   exist. A limited administrator is a member of a role with the
   Host Enrollment privilege.
3. The host has been created with a one-time password.

RE-ENROLLMENT:

A host that has been enrolled at some point and has lost its configuration
(e.g. VM destroyed) can be re-enrolled.

For more information, consult the manual pages for ipa-client-install.

A host can optionally store information such as where it is located,
the OS that it runs, etc.

EXAMPLES:

 Add a new host:
   ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com

 Delete a host:
   ipa host-del test.example.com

 Add a new host with a one-time password:
   ipa host-add --os='Fedora 12' --password=Secret123 test.example.com

 Add a new host with a random one-time password:
   ipa host-add --os='Fedora 12' --random test.example.com

 Modify information about a host:
   ipa host-mod --os='Fedora 12' test.example.com

 Remove SSH public keys of a host and update DNS to reflect this change:
   ipa host-mod --sshpubkey= --updatedns test.example.com

 Disable the host Kerberos key, SSL certificate and all of its services:
   ipa host-disable test.example.com

 Add a host that can manage this host's keytab and certificate:
   ipa host-add-managedby --hosts=test2 test

 Allow user to create a keytab:
   ipa host-allow-create-keytab test2 --users=tuser1

Manage YubiKey tokens.

Plugin to make multiple ipa calls via one remote procedure call

To run this code in the lite-server:

curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json

where the contents of the file batch_request.json follow the example below:

{"method":"batch","params":[[
        {"method":"group_find","params":[[],{}]},
        {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
        {"method":"user_show","params":[["admin"],{"all":true}]}
        ],{}],"id":1}

The format of the response is nested the same way. At the top you will see:

  "error": null,
  "id": 1,
  "result": {
      "count": 3,
      "results": [

And then a nested response for each IPA command method sent in the request.
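
Because each command's response is nested inside the batch envelope, a client has to line the results up with the calls it sent and inspect each one separately. The following is an added example, not FreeIPA's own code: it builds the request shown above and walks a constructed response. The helper names and the per-command "error" field in the sample response are assumptions.

```python
import json

# The three calls from the page's batch_request.json: (method, args, options).
PAGE_CALLS = [
    ("group_find", [], {}),
    ("user_find", [], {"whoami": "true", "all": "true"}),
    ("user_show", ["admin"], {"all": True}),
]

# Constructed sample response (not captured from a server). The top-level
# keys follow the page; the per-command "error" fields are an assumption.
SAMPLE_RESPONSE = json.loads("""
{"error": null, "id": 1, "result": {"count": 3, "results": [
  {"count": 1, "truncated": false, "result": [{"cn": ["admins"]}], "error": null},
  {"count": 1, "truncated": false, "result": [{"uid": ["admin"]}], "error": null},
  {"error": "constructed failure message", "error_name": "ConstructedError"}
]}}
""")


def build_batch(calls, request_id=1):
    """Wrap (method, args, options) tuples in one batch request body."""
    nested = [{"method": m, "params": [list(args), dict(opts)]}
              for m, args, opts in calls]
    return {"method": "batch", "params": [nested, {}], "id": request_id}


def unpack_batch(request, response):
    """Pair every nested result with the call that produced it.

    Raises if the envelope itself failed or if the result list does not line
    up with the request, so a short or padded reply is never misread.
    """
    if response.get("id") != request["id"]:
        raise ValueError("response id does not match request id")
    if response.get("error") is not None:
        raise RuntimeError("batch call failed: %r" % (response["error"],))
    calls = request["params"][0]
    results = response["result"]["results"]
    if response["result"]["count"] != len(results) or len(results) != len(calls):
        raise ValueError("result count does not match the calls sent")
    outcomes = []
    for call, item in zip(calls, results):
        nested_error = item.get("error")  # assumed per-command error field
        outcomes.append({
            "method": call["method"],
            "ok": nested_error is None,
            "error": nested_error,
        })
    return outcomes


if __name__ == "__main__":
    request = build_batch(PAGE_CALLS)
    print(json.dumps(request))  # body for batch_request.json
    for outcome in unpack_batch(request, SAMPLE_RESPONSE):
        print(outcome)
```
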


Search for ACIs.

    Returns a list of ACIs.

    EXAMPLES:

     To find all ACIs that apply directly to members of the group ipausers:
       ipa aci-find --memberof=ipausers

     To find all ACIs that grant add access:
       ipa aci-find --permissions=add

    Note that the find command only looks for the given text in the set of
    ACIs; it does not evaluate the ACIs to see if something would apply.
    For example, searching on memberof=ipausers will find all ACIs that
    have ipausers as a memberof. There may be other ACIs that apply to
    members of that group indirectly.
    
서버 구성

Manage the default values that IPA uses and some of its tuning parameters.

NOTES:

The password notification value (--pwdexpnotify) is stored here so it will
be replicated. It is not currently used to notify users in advance of an
expiring password.

Some attributes are read-only, provided only for information purposes. These
include:

Certificate Subject base: the configured certificate subject base,
  e.g. O=EXAMPLE.COM.  This is configurable only at install time.
Password plug-in features: currently defines additional hashes that the
  password will generate (there may be other conditions).

When setting the order list for mapping SELinux users you may need to
quote the value so it isn't interpreted by the shell.

EXAMPLES:

 Show basic server configuration:
   ipa config-show

 Show all configuration options:
   ipa config-show --all

 Change maximum username length to 99 characters:
   ipa config-mod --maxusername=99

 Increase default time and size limits for maximum IPA server search:
   ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000

 Set default user e-mail domain:
   ipa config-mod --emaildomain=example.com

 Enable migration mode to make "ipa migrate-ds" command operational:
   ipa config-mod --enable-migration=TRUE

 Define SELinux user map order:
   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

This code is an extension to the otptoken plugin and provides support for
reading/writing YubiKey tokens directly.

YubiKey Tokens