1SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)
2
3
4
6 sssd.conf - the configuration file for SSSD
7
9 The file has an ini-style syntax and consists of sections and
10 parameters. A section begins with the name of the section in square
11 brackets and continues until the next section begins. An example of
12 section with single and multi-valued parameters:
13
14 [section]
15 key = value
16 key2 = value2,value3
17
18
19 The data types used are string (no quotes needed), integer and bool
20 (with values of “TRUE/FALSE”).
21
22 A line comment starts with a hash sign (“#”) or a semicolon (“;”).
23 Inline comments are not supported.
24
25 All sections can have an optional description parameter. Its function
26 is only as a label for the section.
27
28 sssd.conf must be a regular file, owned by root and only root may read
29 from or write to the file.
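
An added example (Python, not part of sssd or this man page) that parses text in the syntax described above with the standard configparser module and checks the file requirements just stated: a regular file, owned by root, readable and writable only by root. SAMPLE_CONF is a constructed fragment, and the use of os.lstat (so that a symlink in place of the file is reported rather than followed) is this example's choice; sssd's own parser is stricter in places, so treat this as an illustration.

```python
# Added example (not sssd code): parse an sssd.conf-style file and check the
# file requirements the man page states (regular file, owned by root,
# readable/writable only by root).
import configparser
import os
import stat

# Constructed sample; every value is illustrative.
SAMPLE_CONF = """\
# a line comment
[sssd]
description = monitor settings
config_file_version = 2
services = nss, pam
domains = example.com
; another line comment (inline comments are not supported)

[nss]
filter_users = root

[domain/example.com]
id_provider = ldap
debug_level = 0x0270
"""


def parse_sssd_conf(text):
    """Parse ini-style text into a ConfigParser using sssd.conf's conventions."""
    cp = configparser.ConfigParser(
        interpolation=None,             # '%' is literal (e.g. in override_homedir)
        comment_prefixes=("#", ";"),    # full-line comments only
        inline_comment_prefixes=None,   # "key = value # x" keeps "# x" in the value
        strict=True,                    # duplicate sections/keys are an error
    )
    cp.optionxform = str                # keep parameter names as written
    cp.read_string(text)
    return cp


def split_list(value):
    """Multi-valued parameters are comma separated."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_config_file_stat(st_mode, st_uid):
    """Return a list of violations of the file requirements (empty if none)."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable or writable by group/other (expected mode 0600)")
    return problems


def check_config_file(path="/etc/sssd/sssd.conf"):
    """Check a real file; lstat reports a symlink as 'not a regular file'
    instead of silently following it (this example's choice)."""
    st = os.lstat(path)
    return check_config_file_stat(st.st_mode, st.st_uid)


if __name__ == "__main__":
    cfg = parse_sssd_conf(SAMPLE_CONF)
    print("services:", split_list(cfg["sssd"]["services"]))
    print("violations for mode 0644:", check_config_file_stat(0o100644, 0))
```

check_config_file_stat takes the raw mode and uid so the policy can be unit-tested without creating root-owned files; check_config_file applies it to a real path.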
30
32 The following options are usable in more than one configuration section.
33
34 Options usable in all sections
35 debug_level (integer)
36 SSSD supports two representations for specifying the debug level.
37 The simplest is to specify a decimal value from 0-9, which
38 represents enabling that level and all lower-level debug messages.
39 The more comprehensive option is to specify a hexadecimal bitmask
40 to enable or disable specific levels (such as if you wish to
41 suppress a level).
42
43 Please note that each SSSD service logs into its own log file. Also
44 please note that enabling “debug_level” in the “[sssd]” section
45 only enables debugging just for the sssd process itself, not for
46 the responder or provider processes. The “debug_level” parameter
47 should be added to all sections that you wish to produce debug logs
48 from.
49
50 In addition to changing the log level in the config file using the
51 “debug_level” parameter, which is persistent but requires an SSSD
52 restart, it is also possible to change the debug level on the fly
53 using the sss_debuglevel(8) tool.
54
55 Currently supported debug levels:
56
57
58 0, 0x0010: Fatal failures. Anything that would prevent SSSD from
59 starting up or causes it to cease running.
60
61
62 1, 0x0020: Critical failures. An error that doesn't kill the SSSD,
63 but one that indicates that at least one major feature is not going
64 to work properly.
65
66
67 2, 0x0040: Serious failures. An error announcing that a particular
68 request or operation has failed.
69
70
71 3, 0x0080: Minor failures. These are the errors that would
72 percolate down to cause the operation failure of 2.
73
74
75 4, 0x0100: Configuration settings.
76
77
78 5, 0x0200: Function data.
79
80
81 6, 0x0400: Trace messages for operation functions.
82
83
84 7, 0x1000: Trace messages for internal control functions.
85
86
87 8, 0x2000: Contents of function-internal variables that may be
88 interesting.
89
90
91 9, 0x4000: Extremely low-level tracing information.
92
93 To log the required bitmask debug levels, simply add their numbers
94 together as shown in the following examples:
95
96
97 Example: To log fatal failures, critical failures, serious failures
98 and function data use 0x0270.
99
100
101 Example: To log fatal failures, configuration settings, function
102 data, trace messages for internal control functions use 0x1310.
103
104
105 Note: The bitmask format of debug levels was introduced in 1.7.0.
106
107
108 Default: 0
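
An added example (Python, not part of sssd or this man page) that composes and decodes debug_level values. LEVEL_BITS is the level-to-bit table listed above; the function names and the helper that reports bits the table does not define are this example's own.

```python
# Added example (not sssd code): working with the two debug_level
# representations described above. LEVEL_BITS is the table from this page.
LEVEL_BITS = {
    0: 0x0010,  # fatal failures
    1: 0x0020,  # critical failures
    2: 0x0040,  # serious failures
    3: 0x0080,  # minor failures
    4: 0x0100,  # configuration settings
    5: 0x0200,  # function data
    6: 0x0400,  # trace messages for operation functions
    7: 0x1000,  # trace messages for internal control functions
    8: 0x2000,  # contents of function-internal variables
    9: 0x4000,  # extremely low-level tracing
}
ALL_BITS = 0
for _bit in LEVEL_BITS.values():
    ALL_BITS |= _bit


def decimal_to_bitmask(level):
    """A decimal value N enables level N and every lower level."""
    if not 0 <= level <= 9:
        raise ValueError("decimal debug_level must be between 0 and 9")
    mask = 0
    for lvl in range(level + 1):
        mask |= LEVEL_BITS[lvl]
    return mask


def bitmask_for(*levels):
    """Compose a bitmask that enables exactly the given levels."""
    mask = 0
    for lvl in levels:
        mask |= LEVEL_BITS[lvl]
    return mask


def parse_debug_level(value):
    """Interpret an option value: '0x...' is a bitmask, anything else a decimal level."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)
    return decimal_to_bitmask(int(value, 10))


def enabled_levels(mask):
    """Levels from the table that a bitmask enables, in ascending order."""
    return [lvl for lvl, bit in sorted(LEVEL_BITS.items()) if mask & bit]


def unlisted_bits(mask):
    """Bits set in the mask that correspond to no level in the table above."""
    return mask & ~ALL_BITS


def format_bitmask(mask):
    """Render a mask the way the examples on this page write it."""
    return "0x%04X" % mask


if __name__ == "__main__":
    print(format_bitmask(bitmask_for(0, 1, 2, 5)))      # the page's first example
    print(format_bitmask(bitmask_for(0, 4, 5, 7)))      # the page's second example
    print(enabled_levels(parse_debug_level("0x1310")))
```

Note that decimal 9 yields 0x77F0, not 0x7FF0: the table skips the 0x0800 bit.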
109
110 debug_timestamps (bool)
111 Add a timestamp to the debug messages. If journald is enabled for
112 SSSD debug logging this option is ignored.
113
114 Default: true
115
116 debug_microseconds (bool)
117 Add microseconds to the timestamp in debug messages. If journald is
118 enabled for SSSD debug logging this option is ignored.
119
120 Default: false
121
122 Options usable in SERVICE and DOMAIN sections
123 timeout (integer)
124 Timeout in seconds between heartbeats for this service. This is
125 used to ensure that the process is alive and capable of answering
126 requests.
127
128 Default: 10
129
131 The [sssd] section
132 Individual pieces of SSSD functionality are provided by special SSSD
133 services that are started and stopped together with SSSD. The services
134 are managed by a special service frequently called “monitor”. The
135 “[sssd]” section is used to configure the monitor as well as some other
136 important options like the identity domains.
137
138 Section parameters
139
140 config_file_version (integer)
141 Indicates which syntax version the config file uses. SSSD 0.6.0 and
142 later use version 2.
143
144 services
145 Comma separated list of services that are started when sssd itself
146 starts.
147
148 Supported services: nss, pam, sudo, autofs, ssh, pac, ifp
149
150 reconnection_retries (integer)
151 Number of times services should attempt to reconnect in the event
152 of a Data Provider crash or restart before they give up.
153
154 Default: 3
155
156 domains
157 A domain is a database containing user information. SSSD can use
158 multiple domains at the same time, but at least one must be
159 configured or SSSD won't start. This parameter describes the list of
160 domains in the order you want them to be queried. A domain name
161 should only consist of alphanumeric ASCII characters, dashes, dots
162 and underscores.
163
164 re_expression (string)
165 Default regular expression that describes how to parse the string
166 containing user name and domain into these components.
167
168 Each domain can have an individual regular expression configured.
169 For some ID providers there are also default regular expressions.
170 See DOMAIN SECTIONS for more info on these regular expressions.
171
172 full_name_format (string)
173 A printf(3)-compatible format that describes how to compose a fully
174 qualified name from user name and domain name components.
175
176 The following expansions are supported:
177
178 %1$s
179 user name
180
181 %2$s
182 domain name as specified in the SSSD config file.
183
184 %3$s
185 domain flat name. Mostly usable for Active Directory domains,
186 both directly configured or discovered via IPA trusts.
187
188 Each domain can have an individual format string configured. See
189 DOMAIN SECTIONS for more info on this option.
190
191 try_inotify (boolean)
192 SSSD monitors the state of resolv.conf to identify when it needs to
193 update its internal DNS resolver. By default, we will attempt to
194 use inotify for this, and will fall back to polling resolv.conf
195 every five seconds if inotify cannot be used.
196
197 There are some limited situations where it is preferred that we
198 should skip even trying to use inotify. In these rare cases, this
199 option should be set to 'false'.
200
201 Default: true on platforms where inotify is supported. False on
202 other platforms.
203
204 Note: this option will have no effect on platforms where inotify is
205 unavailable. On these platforms, polling will always be used.
206
207 krb5_rcache_dir (string)
208 Directory on the filesystem where SSSD should store Kerberos replay
209 cache files.
210
211 This option accepts a special value __LIBKRB5_DEFAULTS__ that will
212 instruct SSSD to let libkrb5 decide the appropriate location for
213 the replay cache.
214
215 Default: Distribution-specific and specified at build-time.
216 (__LIBKRB5_DEFAULTS__ if not configured)
217
218 user (string)
219 The user to drop the privileges to where appropriate to avoid
220 running as the root user.
221
222 Default: not set, process will run as root
223
224 default_domain_suffix (string)
225 This string will be used as a default domain name for all names
226 without a domain name component. The main use case is environments
227 where the primary domain is intended for managing host policies and
228 all users are located in a trusted domain. The option allows those
229 users to log in just with their user name without giving a domain
230 name as well.
231
232 Please note that if this option is set all users from the primary
233 domain have to use their fully qualified name, e.g.
234 user@domain.name, to log in. Setting this option changes default of
235 use_fully_qualified_names to True. It is not allowed to use this
236 option together with use_fully_qualified_names set to False.
237
238 Default: not set
239
240 override_space (string)
241 This parameter will replace spaces (space bar) with the given
242 character for user and group names, e.g. (_). The user name "john doe"
243 will become "john_doe". This feature was added to help compatibility
244 with shell scripts that have difficulty handling spaces, due to the
245 default field separator in the shell.
246
247 Please note it is a configuration error to use a replacement
248 character that might be used in user or group names. If a name
249 contains the replacement character SSSD tries to return the
250 unmodified name but in general the result of a lookup is undefined.
251
252 Default: not set (spaces will not be replaced)
253
254 certificate_verification (string)
255 With this parameter the certificate verification can be tuned with
256 a comma separated list of options. Supported options are:
257
258 no_ocsp
259 Disables Online Certificate Status Protocol (OCSP) checks. This
260 might be needed if the OCSP servers defined in the certificate
261 are not reachable from the client.
262
263 no_verification
264 Disables verification completely. This option should only be
265 used for testing.
266
267 ocsp_default_responder=URL
268 Sets the OCSP default responder which should be used instead of
269 the one mentioned in the certificate. URL must be replaced with
270 the URL of the OCSP default responder e.g.
271 http://example.com:80/ocsp.
272
273 This option must be used together with
274 ocsp_default_responder_signing_cert.
275
276 ocsp_default_responder_signing_cert=NAME
277 The nickname of the cert that is trusted (expected) to sign the OCSP
278 responses. The certificate with the given nickname must be
279 available in the system's NSS database.
280
281 This option must be used together with ocsp_default_responder.
282
283 Unknown options are reported but ignored.
284
285 Default: not set, i.e. do not restrict certificate verification
286
288 Settings that can be used to configure different services are described
289 in this section. They should reside in the [$NAME] section; for
290 example, for the NSS service, the section would be “[nss]”.
291
292 General service configuration options
293 These options can be used to configure any service.
294
295 reconnection_retries (integer)
296 Number of times services should attempt to reconnect in the event
297 of a Data Provider crash or restart before they give up.
298
299 Default: 3
300
301 fd_limit
302 This option specifies the maximum number of file descriptors that
303 may be opened at one time by this SSSD process. On systems where
304 SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
305 absolute setting. On systems without this capability, the resulting
306 value will be the lower value of this or the limits.conf "hard"
307 limit.
308
309 Default: 8192 (or limits.conf "hard" limit)
310
311 client_idle_timeout
312 This option specifies the number of seconds that a client of an
313 SSSD process can hold onto a file descriptor without communicating
314 on it. This value is limited in order to avoid resource exhaustion
315 on the system.
316
317 Default: 60
318
319 force_timeout (integer)
320 If a service is not responding to ping checks (see the “timeout”
321 option), it is first sent the SIGTERM signal that instructs it to
322 quit gracefully. If the service does not terminate after
323 “force_timeout” seconds, the monitor will forcibly shut it down by
324 sending a SIGKILL signal.
325
326 Default: 60
327
328 offline_timeout (integer)
329 When SSSD switches to offline mode the amount of time before it
330 tries to go back online will increase based upon the time spent
331 disconnected. This value is in seconds and calculated by the
332 following:
333
334 offline_timeout + random_offset
335
336 The random offset can increment up to 30 seconds. After each
337 unsuccessful attempt to go online, the new interval is recalculated
338 by the following:
339
340 new_interval = old_interval*2 + random_offset
341
342 Note that the maximum length of each interval is currently limited
343 to one hour. If the calculated length of new_interval is greater
344 than an hour, it will be forced to one hour.
345
346 Default: 60
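
An added example (Python, not part of sssd or this man page) that reproduces the reconnect back-off described above: first interval offline_timeout + random_offset, then old_interval*2 + random_offset after each failed attempt, capped at one hour. The function names are this example's own; offsets can be passed explicitly so a schedule is reproducible.

```python
# Added example (not sssd code): the reconnect back-off described above.
import random

MAX_INTERVAL = 3600        # each interval is capped at one hour
MAX_RANDOM_OFFSET = 30     # the random offset can add up to 30 seconds


def first_interval(offline_timeout, offset):
    """Interval before the first attempt to go back online."""
    return min(offline_timeout + offset, MAX_INTERVAL)


def next_interval(old_interval, offset):
    """Interval after one more unsuccessful attempt."""
    return min(old_interval * 2 + offset, MAX_INTERVAL)


def reconnect_schedule(offline_timeout, attempts, rng=None, offsets=None):
    """Intervals (seconds) between successive attempts to go online.

    Offsets are normally random; pass an explicit list to reproduce a run."""
    if offsets is None:
        rng = rng or random.Random()
        offsets = [rng.randint(0, MAX_RANDOM_OFFSET) for _ in range(attempts)]
    schedule = []
    interval = None
    for offset in offsets[:attempts]:
        if interval is None:
            interval = first_interval(offline_timeout, offset)
        else:
            interval = next_interval(interval, offset)
        schedule.append(interval)
    return schedule


def attempts_until_cap(offline_timeout):
    """Number of attempts (zero offset) until the one-hour cap is reached."""
    n = 1
    interval = first_interval(offline_timeout, 0)
    while interval < MAX_INTERVAL:
        interval = next_interval(interval, 0)
        n += 1
    return n


if __name__ == "__main__":
    print(reconnect_schedule(60, 8, rng=random.Random(1)))
    print("attempts until cap with the default of 60:", attempts_until_cap(60))
```

With the default of 60 seconds the seventh attempt already sits at the one-hour cap, so raising offline_timeout mainly changes how long the first few retries wait.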
347
348 subdomain_inherit (string)
349 Specifies a list of configuration parameters that should be
350 inherited by a subdomain. Please note that only selected parameters
351 can be inherited. Currently the following options can be inherited:
352
353 ignore_group_members
354
355 ldap_purge_cache_timeout
356
357 ldap_use_tokengroups
358
359 ldap_user_principal
360
361 Example:
362
363 subdomain_inherit = ldap_purge_cache_timeout
364
365
366 Default: none
367
368 NSS configuration options
369 These options can be used to configure the Name Service Switch (NSS)
370 service.
371
372 enum_cache_timeout (integer)
373 How many seconds nss_sss should cache enumerations (requests for
374 info about all users).
375
376 Default: 120
377
378 entry_cache_nowait_percentage (integer)
379 The entry cache can be set to automatically update entries in the
380 background if they are requested beyond a percentage of the
381 entry_cache_timeout value for the domain.
382
383 For example, if the domain's entry_cache_timeout is set to 30s and
384 entry_cache_nowait_percentage is set to 50 (percent), entries that
385 come in after 15 seconds past the last cache update will be
386 returned immediately, but the SSSD will go and update the cache on
387 its own, so that future requests will not need to block waiting for
388 a cache update.
389
390 Valid values for this option are 0-99 and represent a percentage of
391 the entry_cache_timeout for each domain. For performance reasons,
392 this percentage will never reduce the nowait timeout to less than
393 10 seconds. (0 disables this feature)
394
395 Default: 50
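
An added example (Python, not part of sssd or this man page) that works through the nowait logic above, including the 10 second floor and the 0 (disabled) case. The three strategy labels and function names are this example's own.

```python
# Added example (not sssd code): the entry_cache_nowait_percentage logic above.
MIN_NOWAIT_SECONDS = 10   # the percentage never reduces the nowait timeout below this


def nowait_threshold(entry_cache_timeout, nowait_percentage):
    """Seconds after the last cache update at which lookups start returning the
    cached entry immediately and refresh it in the background.
    Returns None when the feature is disabled (percentage 0)."""
    if not 0 <= nowait_percentage <= 99:
        raise ValueError("entry_cache_nowait_percentage must be in 0-99")
    if nowait_percentage == 0:
        return None
    threshold = entry_cache_timeout * nowait_percentage // 100
    return max(threshold, MIN_NOWAIT_SECONDS)


def lookup_strategy(entry_age, entry_cache_timeout, nowait_percentage):
    """What the responder does for a cached entry of the given age (seconds)."""
    if entry_age >= entry_cache_timeout:
        return "blocking refresh"                # expired: wait for the backend
    threshold = nowait_threshold(entry_cache_timeout, nowait_percentage)
    if threshold is not None and entry_age >= threshold:
        return "cached, background refresh"      # still valid: answer now, refresh later
    return "cached"


if __name__ == "__main__":
    for age in (5, 20, 30):
        print(age, lookup_strategy(age, 30, 50))
```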
396
397 entry_negative_timeout (integer)
398 Specifies for how many seconds nss_sss should cache negative cache
399 hits (that is, queries for invalid database entries, like
400 nonexistent ones) before asking the back end again.
401
402 Default: 15
403
404 filter_users, filter_groups (string)
405 Exclude certain users from being fetched from the sss NSS database.
406 This is particularly useful for system accounts. This option can
407 also be set per-domain or include fully-qualified names to filter
408 only users from the particular domain.
409
410 Default: root
411
412 filter_users_in_groups (bool)
413 If you want filtered users to still be group members, set this
414 option to false.
415
416 Default: true
417
418 override_homedir (string)
419 Override the user's home directory. You can either provide an
420 absolute value or a template. In the template, the following
421 sequences are substituted:
422
423 %u
424 login name
425
426 %U
427 UID number
428
429 %d
430 domain name
431
432 %f
433 fully qualified user name (user@domain)
434
435 %P
436 UPN - User Principal Name (name@REALM)
437
438 %o
439 The original home directory retrieved from the identity
440 provider.
441
442 %H
443 The value of configure option homedir_substring.
444
445 %%
446 a literal '%'
447
448 This option can also be set per-domain.
449
450 example:
451
452 override_homedir = /home/%u
453
454
455 Default: Not set (SSSD will use the value retrieved from LDAP)
456
457 homedir_substring (string)
458 The value of this option will be used in the expansion of the
459 override_homedir option if the template contains the format string
460 %H. An LDAP directory entry can directly contain this template so
461 that this option can be used to expand the home directory path for
462 each client machine (or operating system). It can be set per-domain
463 or globally in the [nss] section. A value specified in a domain
464 section will override one set in the [nss] section.
465
466 Default: /home
467
468 fallback_homedir (string)
469 Set a default template for a user's home directory if one is not
470 specified explicitly by the domain's data provider.
471
472 The available values for this option are the same as for
473 override_homedir.
474
475 example:
476
477 fallback_homedir = /home/%u
478
479
480 Default: not set (no substitution for unset home directories)
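
An added example (Python, not part of sssd or this man page) that expands the template sequences listed under override_homedir and shows how override_homedir, the provider value, fallback_homedir and homedir_substring combine. Expanding a missing %P or %o value to an empty string is an assumption of this example, as are the function names.

```python
# Added example (not sssd code): expanding override_homedir / fallback_homedir
# templates using the sequences listed on this page.


def expand_homedir(template, *, user, uid, domain, upn=None,
                   original_homedir=None, homedir_substring="/home"):
    """Substitute %u %U %d %f %P %o %H and %% in a home directory template."""
    values = {
        "u": user,
        "U": str(uid),
        "d": domain,
        "f": "%s@%s" % (user, domain),
        "P": upn or "",                 # assumption: missing UPN expands to ""
        "o": original_homedir or "",    # assumption: missing provider value expands to ""
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        code = template[i + 1]
        if code not in values:
            raise ValueError("unknown sequence %%%s" % code)
        out.append(values[code])
        i += 2
    return "".join(out)


def resolve_homedir(*, provider_homedir, override_homedir=None,
                    fallback_homedir=None, **fields):
    """override_homedir always wins; fallback_homedir only fills in a missing
    provider value; otherwise the provider value is used as-is."""
    if override_homedir:
        return expand_homedir(override_homedir, original_homedir=provider_homedir, **fields)
    if provider_homedir:
        return provider_homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, **fields)
    return None


if __name__ == "__main__":
    print(expand_homedir("%H/%d/%u", user="john", uid=1000, domain="example.com"))
```

Because '%' is the template escape, any sssd.conf reader used with these values must not apply its own '%' interpolation.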
481
482 override_shell (string)
483 Override the login shell for all users. This option supersedes any
484 other shell options if it takes effect and can be set either in the
485 [nss] section or per-domain.
486
487 Default: not set (SSSD will use the value retrieved from LDAP)
488
489 allowed_shells (string)
490 Restrict user shell to one of the listed values. The order of
491 evaluation is:
492
493 1. If the shell is present in “/etc/shells”, it is used.
494
495 2. If the shell is in the allowed_shells list but not in
496 “/etc/shells”, use the value of the shell_fallback parameter.
497
498 3. If the shell is not in the allowed_shells list and not in
499 “/etc/shells”, a nologin shell is used.
500
501 The wildcard (*) can be used to allow any shell.
502
503 The (*) is useful if you want to use shell_fallback in case the
504 user's shell is not in “/etc/shells” and maintaining a list of all
505 allowed shells in allowed_shells would be too much overhead.
506
507 An empty string for shell is passed as-is to libc.
508
509 The “/etc/shells” is only read on SSSD start up, which means that a
510 restart of the SSSD is required in case a new shell is installed.
511
512 Default: Not set. The user shell is automatically used.
513
514 vetoed_shells (string)
515 Replace any instance of these shells with the shell_fallback.
516
517 shell_fallback (string)
518 The default shell to use if an allowed shell is not installed on
519 the machine.
520
521 Default: /bin/sh
522
523 default_shell
524 The default shell to use if the provider does not return one during
525 lookup. This option can be specified globally in the [nss] section
526 or per-domain.
527
528 Default: not set (Return NULL if no shell is specified and rely on
529 libc to substitute something sensible when necessary, usually
530 /bin/sh)
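
An added example (Python, not part of sssd or this man page) that implements the shell selection order described under allowed_shells together with vetoed_shells, shell_fallback and default_shell. The nologin path and the decision to check vetoed_shells before allowed_shells are assumptions of this example; SAMPLE_ETC_SHELLS is a constructed stand-in for /etc/shells.

```python
# Added example (not sssd code): shell selection per the allowed_shells rules.
NOLOGIN_SHELL = "/sbin/nologin"   # assumption: distribution dependent

# Constructed stand-in for /etc/shells
SAMPLE_ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""


def read_etc_shells(text):
    """Parse /etc/shells content: one shell per line, '#' lines are comments."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def select_shell(provider_shell, *, etc_shells, allowed_shells=None,
                 vetoed_shells=(), shell_fallback="/bin/sh", default_shell=None):
    """Return the shell handed to NSS for a user.

    provider_shell: value from the identity provider (None if it returned none).
    allowed_shells: list of allowed shells, possibly containing '*', or None if unset.
    """
    if provider_shell is None:
        return default_shell            # None leaves the choice to libc
    if provider_shell == "":
        return ""                       # an empty string is passed as-is
    if provider_shell in vetoed_shells:
        return shell_fallback           # assumption: vetoed check comes first
    if allowed_shells is None:
        return provider_shell           # allowed_shells not set: shell used as-is
    if provider_shell in etc_shells:
        return provider_shell           # 1. present in /etc/shells
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback           # 2. allowed but not installed
    return NOLOGIN_SHELL                # 3. neither allowed nor installed


if __name__ == "__main__":
    shells = read_etc_shells(SAMPLE_ETC_SHELLS)
    for candidate in ("/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"):
        print(candidate, "->", select_shell(candidate, etc_shells=shells,
                                            allowed_shells=["/usr/bin/zsh"]))
```

Since /etc/shells is read only at SSSD start-up, read_etc_shells would be called once at startup in a real responder, which is why installing a new shell requires a restart.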
531
532 get_domains_timeout (int)
533 Specifies time in seconds for which the list of subdomains will be
534 considered valid.
535
536 Default: 60
537
538 memcache_timeout (int)
539 Specifies time in seconds for which records in the in-memory cache
540 will be valid.
541
542 Default: 300
543
544 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
545 "NO", client applications will not use the fast in-memory cache.
546
547 user_attributes (string)
548 Some of the additional NSS responder requests can return more
549 attributes than just the POSIX ones defined by the NSS interface.
550 The list of attributes is controlled by this option. It is handled
551 the same way as the “user_attributes” option of the InfoPipe
552 responder (see sssd-ifp(5) for details) but with no default values.
553
554 To make configuration easier, the NSS responder will check the
555 InfoPipe option if it is not set for the NSS responder.
556
557 Default: not set, fallback to InfoPipe option
558
559 PAM configuration options
560 These options can be used to configure the Pluggable Authentication
561 Module (PAM) service.
562
563 offline_credentials_expiration (integer)
564 If the authentication provider is offline, how long should we allow
565 cached logins (in days since the last successful online login).
566
567 Default: 0 (No limit)
568
569 offline_failed_login_attempts (integer)
570 If the authentication provider is offline, how many failed login
571 attempts are allowed.
572
573 Default: 0 (No limit)
574
575 offline_failed_login_delay (integer)
576 The time in minutes which has to pass after
577 offline_failed_login_attempts has been reached before a new login
578 attempt is possible.
579
580 If set to 0 the user cannot authenticate offline if
581 offline_failed_login_attempts has been reached. Only a successful
582 online authentication can enable offline authentication again.
583
584 Default: 5
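
An added example (Python, not part of sssd or this man page) of an offline authentication gate combining offline_credentials_expiration, offline_failed_login_attempts and offline_failed_login_delay as described above. Timestamps are plain seconds, the per-user state is a dictionary, and two points are assumptions of this example: the delay is measured from the most recent failed attempt, and any successful login resets the failure counter.

```python
# Added example (not sssd code): offline login policy from the three options above.
DAY = 86400
MINUTE = 60


class OfflineAuthPolicy:
    def __init__(self, credentials_expiration_days=0,
                 failed_login_attempts=0, failed_login_delay_min=5):
        self.expiration_days = credentials_expiration_days   # 0 = no limit
        self.max_failures = failed_login_attempts            # 0 = no limit
        self.delay_min = failed_login_delay_min              # 0 = locked until online

    def check(self, now, state):
        """Decide whether an offline authentication attempt may proceed.

        state: dict with optional keys last_online_login, failures, last_failure
        (timestamps in seconds). Returns (allowed, reason)."""
        if self.expiration_days:
            last = state.get("last_online_login")
            if last is None or now - last > self.expiration_days * DAY:
                return False, "cached credentials expired"
        if self.max_failures and state.get("failures", 0) >= self.max_failures:
            if self.delay_min == 0:
                return False, "locked until the next successful online login"
            last_failure = state.get("last_failure")   # assumption: delay counts from here
            if last_failure is not None and now - last_failure < self.delay_min * MINUTE:
                return False, "too many failed attempts, retry later"
        return True, "ok"


def record_result(state, *, now, success, online):
    """Update the per-user counters after an authentication attempt."""
    new = dict(state)
    if success:
        new["failures"] = 0                       # assumption: any success resets
        if online:
            new["last_online_login"] = now
    elif not online:
        new["failures"] = new.get("failures", 0) + 1
        new["last_failure"] = now
    return new


if __name__ == "__main__":
    policy = OfflineAuthPolicy(credentials_expiration_days=30,
                               failed_login_attempts=3, failed_login_delay_min=5)
    state = {"last_online_login": 1_000_000}
    for t in (1_000_100, 1_000_200, 1_000_300, 1_000_400, 1_000_800):
        print(t, policy.check(t, state))
        state = record_result(state, now=t, success=False, online=False)
```

The defaults on this page (no expiration, no attempt limit) mean that a stolen laptop with cached credentials can be attacked offline indefinitely; setting offline_failed_login_attempts with a delay of 0 is the strictest combination, since only an online login reopens offline access.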
585
586 pam_verbosity (integer)
587 Controls what kind of messages are shown to the user during
588 authentication. The higher the number, the more messages are
589 displayed.
590
591 Currently sssd supports the following values:
592
593
594 0: do not show any message
595
596
597 1: show only important messages
598
599
600 2: show informational messages
601
602
603 3: show all messages and debug information
604
605 Default: 1
606
607 pam_response_filter (integer)
608 A comma separated list of strings which allows removing (filtering)
609 data sent by the PAM responder to the pam_sss PAM module. There are
610 different kinds of responses sent to pam_sss, e.g. messages displayed
611 to the user or environment variables which should be set by
612 pam_sss.
613
614 While messages can already be controlled with the help of the
615 pam_verbosity option, this option allows filtering out other kinds of
616 responses as well.
617
618 Currently the following filters are supported:
619
620 ENV
621 Do not send any environment variables to any service.
622
623 ENV:var_name
624 Do not send the environment variable var_name to any service.
625
626 ENV:var_name:service
627 Do not send the environment variable var_name to service.
628
629 Default: not set
630
631 Example: ENV:KRB5CCNAME:sudo-i
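
An added example (Python, not part of sssd or this man page) that parses pam_response_filter values in the three ENV forms listed above and applies them to a constructed set of environment variables, using the page's own ENV:KRB5CCNAME:sudo-i example. SAMPLE_ENV and the function names are this example's own.

```python
# Added example (not sssd code): pam_response_filter parsing and application.


def parse_response_filter(value):
    """Return a list of (var_name, service) tuples; None means 'any'."""
    filters = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or any(p == "" for p in parts[1:]):
            raise ValueError("unsupported filter: %r" % item)
        var_name = parts[1] if len(parts) > 1 else None
        service = parts[2] if len(parts) > 2 else None
        filters.append((var_name, service))
    return filters


def env_is_filtered(filters, var_name, service):
    """True if any filter says var_name must not be sent to service."""
    for f_var, f_service in filters:
        if f_var is not None and f_var != var_name:
            continue
        if f_service is not None and f_service != service:
            continue
        return True
    return False


def filter_pam_environment(filters, env, service):
    """Environment variables that would still be sent to the given PAM service."""
    return {k: v for k, v in env.items() if not env_is_filtered(filters, k, service)}


# Constructed sample of what the responder might send to pam_sss
SAMPLE_ENV = {
    "KRB5CCNAME": "KEYRING:persistent:1000",
    "PATH": "/usr/local/bin:/usr/bin",
}


if __name__ == "__main__":
    filters = parse_response_filter("ENV:KRB5CCNAME:sudo-i")
    for svc in ("sudo-i", "sshd"):
        print(svc, filter_pam_environment(filters, SAMPLE_ENV, svc))
```

The page's example keeps the Kerberos credential cache name out of the environment of sudo -i sessions only; every other PAM service still receives it.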
632
633 pam_id_timeout (integer)
634 For any PAM request while SSSD is online, the SSSD will attempt to
635 immediately update the cached identity information for the user in
636 order to ensure that authentication takes place with the latest
637 information.
638
639 A complete PAM conversation may perform multiple PAM requests, such
640 as account management and session opening. This option controls (on
641 a per-client-application basis) how long (in seconds) we can cache
642 the identity information to avoid excessive round-trips to the
643 identity provider.
644
645 Default: 5
646
647 pam_pwd_expiration_warning (integer)
648 Display a warning N days before the password expires.
649
650 Please note that the backend server has to provide information
651 about the expiration time of the password. If this information is
652 missing, sssd cannot display a warning.
653
654 If zero is set, then this filter is not applied, i.e. if the
655 expiration warning was received from the backend server, it will
656 automatically be displayed.
657
658 This setting can be overridden by setting pwd_expiration_warning
659 for a particular domain.
660
661 Default: 0
662
663 get_domains_timeout (int)
664 Specifies time in seconds for which the list of subdomains will be
665 considered valid.
666
667 Default: 60
668
669 pam_trusted_users (string)
670 Specifies the comma-separated list of UID values or user names that
671 are allowed to access the PAM responder. User names are resolved to
672 UIDs at startup.
673
674 Default: all (All users are allowed to access the PAM responder)
675
676 Please note that UID 0 is always allowed to access the PAM
677 responder even in case it is not in the pam_trusted_users list.
678
679 pam_public_domains (string)
680 Specifies the comma-separated list of domain names that are
681 accessible even to untrusted users.
682
683 Two special values for pam_public_domains option are defined:
684
685 all (Untrusted users are allowed to access all domains in PAM
686 responder.)
687
688 none (Untrusted users are not allowed to access any domains in the
689 PAM responder.)
690
691 Default: none
692
693 pam_account_expired_message (string)
694 Allows a custom expiration message to be set, replacing the default
695 'Permission denied' message.
696
697 Note: Please be aware that the message is only printed for the SSH
698 service unless pam_verbosity is set to 3 (show all messages and
699 debug information).
700
701 example:
702
703 pam_account_expired_message = Account expired, please contact help desk.
704
705
706 Default: none
707
708 pam_account_locked_message (string)
709 Allows a custom lockout message to be set, replacing the default
710 'Permission denied' message.
711
712 example:
713
714 pam_account_locked_message = Account locked, please contact help desk.
715
716
717 Default: none
718
719 pam_cert_auth (bool)
720 Enable certificate based Smartcard authentication. Since this
721 requires additional communication with the Smartcard which will
722 delay the authentication process this option is disabled by
723 default.
724
725 Default: False
726
727 pam_cert_db_path (string)
728 The path to the certificate database which contains the PKCS#11
729 modules to access the Smartcard.
730
731 Default: /etc/pki/nssdb (NSS version)
732
733 p11_child_timeout (integer)
734 How many seconds will pam_sss wait for p11_child to finish.
735
736 Default: 10
737
738 SUDO configuration options
739 These options can be used to configure the sudo service. The detailed
740 instructions for configuration of sudo(8) to work with sssd(8) are in
741 the manual page sssd-sudo(5).
742
743 sudo_timed (bool)
744 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
745 attributes that implement time-dependent sudoers entries.
746
747 Default: false
748
749 AUTOFS configuration options
750 These options can be used to configure the autofs service.
751
752 autofs_negative_timeout (integer)
753 Specifies for how many seconds the autofs responder should cache
754 negative hits (that is, queries for invalid map entries, like
755 nonexistent ones) before asking the back end again.
756
757 Default: 15
758
759 Please note that the automounter only reads the master map on startup,
760 so if any autofs-related changes are made to the sssd.conf, you
761 typically also need to restart the automounter daemon after restarting
762 the SSSD.
763
764 SSH configuration options
765 These options can be used to configure the SSH service.
766
767 ssh_hash_known_hosts (bool)
768 Whether or not to hash host names and addresses in the managed
769 known_hosts file.
770
771 Default: true
772
773 ssh_known_hosts_timeout (integer)
774 How many seconds to keep a host in the managed known_hosts file
775 after its host keys were requested.
776
777 Default: 180
778
779 ca_db (string)
780 Path to a storage of trusted CA certificates. The option is used to
781 validate user certificates before deriving public ssh keys from
782 them.
783
784 Default: /etc/pki/nssdb
785
786 PAC responder configuration options
787 The PAC responder works together with the authorization data plugin for
788 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
789 sends the PAC data during a GSSAPI authentication to the PAC responder.
790 The sub-domain provider collects domain SID and ID ranges of the domain
791 the client is joined to and of remote trusted domains from the local
792 domain controller. Once the PAC is decoded and evaluated, some of the
793 following operations are done:
794
795 · If the remote user does not exist in the cache, it is created. The
796 uid is determined with the help of the SID, trusted domains will
797 have UPGs and the gid will have the same value as the uid. The home
798 directory is set based on the subdomain_homedir parameter. The
799 shell will be empty by default, i.e. the system defaults are used,
800 but can be overwritten with the default_shell parameter.
801
802 · If there are SIDs of groups from domains sssd knows about, the user
803 will be added to those groups.
804
805
806 These options can be used to configure the PAC responder.
807
808 allowed_uids (string)
809 Specifies the comma-separated list of UID values or user names that
810 are allowed to access the PAC responder. User names are resolved to
811 UIDs at startup.
812
813 Default: 0 (only the root user is allowed to access the PAC
814 responder)
815
816 Please note that although the UID 0 is used as the default it will
817 be overwritten with this option. If you still want to allow the
818 root user to access the PAC responder, which would be the typical
819 case, you have to add 0 to the list of allowed UIDs as well.
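
An added example (Python, not part of sssd or this man page) that implements the responder access checks described for pam_trusted_users and pam_public_domains above and for allowed_uids here, including the difference the page points out: UID 0 is always trusted by the PAM responder, but for the PAC responder the allowed_uids list replaces the default of 0 and root is not implicitly included. SAMPLE_PASSWD is a constructed stand-in for the name-to-UID resolution done at startup.

```python
# Added example (not sssd code): pam_trusted_users, pam_public_domains and
# allowed_uids access checks.
SAMPLE_PASSWD = {"root": 0, "sssd": 999, "alice": 1000}   # constructed


def parse_id_list(value, passwd, allow_all=True):
    """'all' -> None (everyone); otherwise a set of UIDs resolved at startup."""
    value = value.strip()
    if allow_all and value == "all":
        return None
    uids = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in passwd:
            uids.add(passwd[item])
        else:
            raise ValueError("cannot resolve user %r" % item)
    return uids


def pam_client_is_trusted(uid, trusted_uids):
    """UID 0 is always trusted; None means pam_trusted_users = all."""
    return uid == 0 or trusted_uids is None or uid in trusted_uids


def pam_domain_accessible(uid, domain, trusted_uids, public_domains="none"):
    """Trusted clients reach every domain; untrusted ones only public domains."""
    if pam_client_is_trusted(uid, trusted_uids):
        return True
    if public_domains == "all":
        return True
    if public_domains == "none":
        return False
    return domain in {d.strip() for d in public_domains.split(",")}


def pac_client_allowed(uid, allowed_uids):
    """allowed_uids replaces the default of 0: root is NOT implicitly included."""
    return uid in allowed_uids


if __name__ == "__main__":
    trusted = parse_id_list("sssd, alice", SAMPLE_PASSWD)
    print("uid 1001 -> trusted.example:",
          pam_domain_accessible(1001, "trusted.example", trusted, "trusted.example"))
    pac = parse_id_list("sssd", SAMPLE_PASSWD, allow_all=False)
    print("root may use PAC responder:", pac_client_allowed(0, pac))
```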
820
822 These configuration options can be present in a domain configuration
823 section, that is, in a section called “[domain/NAME]”.
824
825 min_id,max_id (integer)
826 UID and GID limits for the domain. If a domain contains an entry
827 that is outside these limits, it is ignored.
828
829 For users, this affects the primary GID limit. The user will not be
830 returned to NSS if either the UID or the primary GID is outside the
831 range. For non-primary group memberships, those that are in range
832 will be reported as expected.
833
834 These ID limits affect even saving entries to cache, not only
835 returning them by name or ID.
836
837 Default: 1 for min_id, 0 (no limit) for max_id
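
An added example (Python, not part of sssd or this man page) that applies min_id/max_id to a constructed user entry the way the text describes: the user is dropped if the UID or the primary GID is out of range, and out-of-range non-primary memberships are dropped individually. SAMPLE_USER and the function names are this example's own.

```python
# Added example (not sssd code): min_id/max_id filtering of a user entry.


def id_in_range(value, min_id=1, max_id=0):
    """max_id of 0 means no upper limit (the page's default)."""
    if value < min_id:
        return False
    if max_id and value > max_id:
        return False
    return True


def apply_id_limits(user, min_id=1, max_id=0):
    """Return None if the user is ignored (uid or primary gid out of range);
    otherwise a copy with out-of-range non-primary memberships dropped."""
    if not id_in_range(user["uid"], min_id, max_id):
        return None
    if not id_in_range(user["gid"], min_id, max_id):
        return None
    groups = [(name, gid) for name, gid in user["groups"]
              if id_in_range(gid, min_id, max_id)]
    return dict(user, groups=groups)


# Constructed entry: one local-range group, one in-range group, one from a
# trusted domain with a high ID range.
SAMPLE_USER = {
    "name": "alice", "uid": 1000, "gid": 1000,
    "groups": [("wheel", 10), ("devs", 5000), ("ext-users", 70000)],
}


if __name__ == "__main__":
    print(apply_id_limits(SAMPLE_USER, min_id=1000, max_id=60000))
```

Because the limits also apply when entries are saved to the cache, a membership filtered out here never reaches the cache either, so widening the range later requires the entries to be re-fetched.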
838
839 enumerate (bool)
840 Determines if a domain can be enumerated. This parameter can have
841 one of the following values:
842
843 TRUE = Users and groups are enumerated
844
845 FALSE = No enumerations for this domain
846
847 Default: FALSE
848
849 Note: Enabling enumeration has a moderate performance impact on
850 SSSD while enumeration is running. It may take up to several
851 minutes after SSSD startup to fully complete enumerations. During
852 this time, individual requests for information will go directly to
853 LDAP, though it may be slow, due to the heavy enumeration
854 processing. Saving a large number of entries to cache after the
855 enumeration completes might also be CPU intensive as the
856 memberships have to be recomputed.
857
858 While the first enumeration is running, requests for the complete
859 user or group lists may return no results until it completes.
860
861 Further, enabling enumeration may increase the time necessary to
862 detect network disconnection, as longer timeouts are required to
863 ensure that enumeration lookups are completed successfully. For
864 more information, refer to the man pages for the specific
865 id_provider in use.
866
867 For the reasons cited above, enabling enumeration is not
868 recommended, especially in large environments.
869
870 subdomain_enumerate (string)
871 Whether any of the autodetected trusted domains should be enumerated.
872 The supported values are:
873
874 all
875 All discovered trusted domains will be enumerated
876
877 none
878 No discovered trusted domains will be enumerated
879
880 Optionally, a list of one or more domain names can enable
881 enumeration just for these trusted domains.
882
883 Default: none
884
885 force_timeout (integer)
886 If a service is not responding to ping checks (see the “timeout”
887 option), it is first sent the SIGTERM signal that instructs it to
888 quit gracefully. If the service does not terminate after
889 “force_timeout” seconds, the monitor will forcibly shut it down by
890 sending a SIGKILL signal.
891
892 Default: 60
893
894 entry_cache_timeout (integer)
895 How many seconds should nss_sss consider entries valid before
896 asking the backend again.
897
898 The cache expiration timestamps are stored as attributes of
899 individual objects in the cache. Therefore, changing the cache
900 timeout only has effect for newly added or expired entries. You
901 should run the sss_cache(8) tool in order to force refresh of
902 entries that have already been cached.
903
904 Default: 5400
905
906 entry_cache_user_timeout (integer)
907 How many seconds should nss_sss consider user entries valid before
908 asking the backend again.
909
910 Default: entry_cache_timeout
911
912 entry_cache_group_timeout (integer)
913 How many seconds should nss_sss consider group entries valid before
914 asking the backend again.
915
916 Default: entry_cache_timeout
917
918 entry_cache_netgroup_timeout (integer)
919 How many seconds should nss_sss consider netgroup entries valid
920 before asking the backend again.
921
922 Default: entry_cache_timeout
923
924 entry_cache_service_timeout (integer)
925 How many seconds should nss_sss consider service entries valid
926 before asking the backend again.
927
928 Default: entry_cache_timeout
929
930 entry_cache_sudo_timeout (integer)
931 How many seconds should sudo consider rules valid before asking the
932 backend again
933
934 Default: entry_cache_timeout
935
936 entry_cache_autofs_timeout (integer)
937 How many seconds should the autofs service consider automounter
938 maps valid before asking the backend again
939
940 Default: entry_cache_timeout
941
942 entry_cache_ssh_host_timeout (integer)
943 How many seconds to keep a host SSH key after it was refreshed, i.e.
944 how long the host key is cached.
945
946 Default: entry_cache_timeout
947
948 refresh_expired_interval (integer)
949 Specifies how many seconds SSSD has to wait before triggering a
950 background refresh task which will refresh all expired or nearly
951 expired records.
952
953 The background refresh will process users, groups and netgroups in
954 the cache.
955
956 You can consider setting this value to 3/4 * entry_cache_timeout.
957
958 Default: 0 (disabled)
959
960 cache_credentials (bool)
961 Determines if user credentials are also cached in the local LDB
962 cache
963
964 User credentials are stored in a SHA512 hash, not in plaintext
965
966 Default: FALSE
967
968 cache_credentials_minimal_first_factor_length (int)
969 If 2-Factor-Authentication (2FA) is used and credentials should be
970 saved, this value determines the minimal length the first
971 authentication factor (long term password) must have to be saved as
972 a SHA512 hash into the cache.
973
974 This prevents the short PINs of a PIN-based 2FA scheme from being
975 saved in the cache, where they would be easy targets for brute-force
976 attacks.
977
978 Default: 8
979
980 account_cache_expiration (integer)
981 Number of days entries are left in cache after last successful
982 login before being removed during a cleanup of the cache. 0 means
983 keep forever. The value of this parameter must be greater than or
984 equal to offline_credentials_expiration.
985
986 Default: 0 (unlimited)
987
988 pwd_expiration_warning (integer)
989 Display a warning N days before the password expires.
990
991 If zero is set, then this filter is not applied, i.e. if an
992 expiration warning was received from the backend server, it is
993 displayed regardless of how far away the expiration is.
994
995 Please note that the backend server has to provide information
996 about the expiration time of the password. If this information is
997 missing, sssd cannot display a warning. Also an auth provider has
998 to be configured for the backend.
999
1000 Default: 7 (Kerberos), 0 (LDAP)
1001
1002 id_provider (string)
1003 The identification provider used for the domain. Supported ID
1004 providers are:
1005
1006
1007 “proxy”: Support a legacy NSS provider
1008
1009
1010 “local”: SSSD internal provider for local users
1011
1012
1013 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1014 configuring LDAP.
1015
1016
1017 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1018 See sssd-ipa(5) for more information on configuring FreeIPA.
1019
1020
1021 “ad”: Active Directory provider. See sssd-ad(5) for more
1022 information on configuring Active Directory.
1023
1024 use_fully_qualified_names (bool)
1025 Use the full name and domain (as formatted by the domain's
1026 full_name_format) as the user's login name reported to NSS.
1027
1028 If set to TRUE, all requests to this domain must use fully
1029 qualified names. For example, if used in LOCAL domain that contains
1030 a "test" user, getent passwd test wouldn't find the user while
1031 getent passwd test@LOCAL would.
1032
1033 NOTE: This option has no effect on netgroup lookups due to their
1034 tendency to include nested netgroups without qualified names. For
1035 netgroups, all domains will be searched when an unqualified name is
1036 requested.
1037
1038 Default: FALSE (TRUE if default_domain_suffix is used)
1039
1040 ignore_group_members (bool)
1041 Do not return group members for group lookups.
1042
1043 If set to TRUE, the group membership attribute is not requested
1044 from the ldap server, and group members are not returned when
1045 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1046 As an effect, “getent group $groupname” would return the requested
1047 group as if it was empty.
1048
1049 Enabling this option can also make access provider checks for group
1050 membership significantly faster, especially for groups containing
1051 many members.
1052
1053 Default: FALSE
1054
1055 auth_provider (string)
1056 The authentication provider used for the domain. Supported auth
1057 providers are:
1058
1059
1060 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1061 information on configuring LDAP.
1062
1063
1064 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1065 information on configuring Kerberos.
1066
1067
1068 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1069 See sssd-ipa(5) for more information on configuring FreeIPA.
1070
1071
1072 “ad”: Active Directory provider. See sssd-ad(5) for more
1073 information on configuring Active Directory.
1074
1075
1076 “proxy” for relaying authentication to some other PAM target.
1077
1078
1079 “local”: SSSD internal provider for local users
1080
1081
1082 “none” disables authentication explicitly.
1083
1084 Default: “id_provider” is used if it is set and can handle
1085 authentication requests.
1086
1087 access_provider (string)
1088 The access control provider used for the domain. There are two
1089 built-in access providers, “permit” and “deny”, in addition to any
1090 included in installed backends. The supported providers are:
1091
1092
1093 “permit” always allow access. It's the only permitted access
1094 provider for a local domain, and the default for every domain, so
1095 a domain without an explicit access_provider lets every account
1096 the id_provider returns log in.
1097
1098
1099 “deny” always deny access.
1100
1101
1100 “ldap” for access control decided against the LDAP server (for
1101 example, an LDAP filter the user entry must match). See sssd-ldap(5)
1101 for more information on configuring LDAP access control.
1102
1103
1104 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1105 See sssd-ipa(5) for more information on configuring FreeIPA.
1106
1107
1108 “ad”: Active Directory provider. See sssd-ad(5) for more
1109 information on configuring Active Directory.
1110
1111
1112 “simple” access control based on access or deny lists. See sssd-
1113 simple(5) for more information on configuring the simple access
1114 module.
1115
1116 Default: “permit”
1117
1118 chpass_provider (string)
1119 The provider which should handle change password operations for the
1120 domain. Supported change password providers are:
1121
1122
1123 “ldap” to change a password stored in a LDAP server. See sssd-
1124 ldap(5) for more information on configuring LDAP.
1125
1126
1127 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1128 information on configuring Kerberos.
1129
1130
1131 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1132 See sssd-ipa(5) for more information on configuring FreeIPA.
1133
1134
1135 “ad”: Active Directory provider. See sssd-ad(5) for more
1136 information on configuring Active Directory.
1137
1138
1139 “proxy” for relaying password changes to some other PAM target.
1140
1141
1142 “none” disallows password changes explicitly.
1143
1144 Default: “auth_provider” is used if it is set and can handle change
1145 password requests.
1146
1147 sudo_provider (string)
1148 The SUDO provider used for the domain. Supported SUDO providers
1149 are:
1150
1151
1152 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1153 information on configuring LDAP.
1154
1155
1156 “ipa” the same as “ldap” but with IPA default settings.
1157
1158
1159 “ad” the same as “ldap” but with AD default settings.
1160
1161
1162 “none” disables SUDO explicitly.
1163
1164 Default: The value of “id_provider” is used if it is set.
1165
1166 The detailed instructions for configuration of sudo_provider are in
1167 the manual page sssd-sudo(5). There are many configuration options
1168 that can be used to adjust the behavior. Please refer to
1169 "ldap_sudo_*" in sssd-ldap(5).
1170
1171 selinux_provider (string)
1172 The provider which should handle loading of selinux settings. Note
1173 that this provider will be called right after access provider ends.
1174 Supported selinux providers are:
1175
1176
1177 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1178 for more information on configuring IPA.
1179
1180
1181 “none” disallows fetching selinux settings explicitly.
1182
1183 Default: “id_provider” is used if it is set and can handle selinux
1184 loading requests.
1185
1186 subdomains_provider (string)
1187 The provider which should handle fetching of subdomains. This value
1188 should be always the same as id_provider. Supported subdomain
1189 providers are:
1190
1191
1192 “ipa” to load a list of subdomains from an IPA server. See sssd-
1193 ipa(5) for more information on configuring IPA.
1194
1195
1196 “ad” to load a list of subdomains from an Active Directory server.
1197 See sssd-ad(5) for more information on configuring the AD provider.
1198
1199
1200 “none” disallows fetching subdomains explicitly.
1201
1202 Default: The value of “id_provider” is used if it is set.
1203
1204 autofs_provider (string)
1205 The autofs provider used for the domain. Supported autofs providers
1206 are:
1207
1208
1209 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1210 information on configuring LDAP.
1211
1212
1213 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1214 more information on configuring IPA.
1215
1216
1217 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1218 information on configuring the AD provider.
1219
1220
1221 “none” disables autofs explicitly.
1222
1223 Default: The value of “id_provider” is used if it is set.
1224
1225 hostid_provider (string)
1226 The provider used for retrieving host identity information.
1227 Supported hostid providers are:
1228
1229
1230 “ipa” to load host identity stored in an IPA server. See sssd-
1231 ipa(5) for more information on configuring IPA.
1232
1233
1234 “none” disables hostid explicitly.
1235
1236 Default: The value of “id_provider” is used if it is set.
1237
1238 re_expression (string)
1239 Regular expression for this domain that describes how to parse the
1240 string containing user name and domain into these components. The
1241 "domain" can match either the SSSD configuration domain name, or,
1242 in the case of IPA trust subdomains and Active Directory domains,
1243 the flat (NetBIOS) name of the domain.
1244
1245 Default for the AD and IPA provider:
1246 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1247 which allows three different styles for user names:
1248
1249 · username
1250
1251 · username@domain.name
1252
1253 · domain\username
1254 While the first two correspond to the general default, the third
1255 one is introduced to allow easy integration of users from
1256 Windows domains.
1257
1258 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates
1259 to "the name is everything up to the “@” sign, the domain
1260 everything after that"
1261
1262 PLEASE NOTE: the support for non-unique named subpatterns is
1263 not available on all platforms (e.g. RHEL5 and SLES10). Only
1264 platforms with libpcre version 7 or higher can support
1265 non-unique named subpatterns.
1266
1267 PLEASE NOTE ALSO: older versions of libpcre only support the
1268 Python syntax (?P<name>) to label subpatterns.
1269
1270 full_name_format (string)
1271 A printf(3)-compatible format that describes how to compose a
1272 fully qualified name from user name and domain name components.
1273
1274 The following expansions are supported:
1275
1276 %1$s
1277 user name
1278
1279 %2$s
1280 domain name as specified in the SSSD config file.
1281
1282 %3$s
1283 domain flat name. Mostly usable for Active Directory
1284 domains, both directly configured or discovered via IPA
1285 trusts.
1286
1287 Default: “%1$s@%2$s”.
1288
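The parsing and composition rules above, worked through as an added example (this is not SSSD's own code, which uses libpcre): the two default re_expression values split a request into name and domain, full_name_format puts them back together, and use_fully_qualified_names decides whether an unqualified request is even looked up. Python's standard `re` module refuses duplicate named groups, the same limitation the man page notes for older libpcre, so the AD/IPA default, which defines `name` in each of its three alternatives, is evaluated here one top-level alternative at a time; for an anchored top-level alternation that yields the same result a backtracking engine produces. The splitting helper is this example's own device, not something SSSD does.

```python
"""Parse and compose SSSD user names per re_expression / full_name_format.

Added example, not SSSD code.  Alternatives of a top-level alternation are
tried left to right as separate patterns because stdlib ``re`` rejects the
duplicate group names the AD/IPA default relies on.
"""
import re

# Defaults quoted from sssd.conf(5).
RE_DEFAULT = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
RE_AD_IPA_DEFAULT = (r"(((?P<domain>[^\\]+)\\(?P<name>.+$))"
                     r"|((?P<name>[^@]+)@(?P<domain>.+$))"
                     r"|(^(?P<name>[^@\\]+)$))")
FULL_NAME_DEFAULT = "%1$s@%2$s"


def _split_alternatives(pattern):
    """Split PATTERN at depth-0 '|', honouring escapes and [...] classes.
    A single plain group wrapping the whole pattern, "(A|B|C)", is unwrapped;
    a named group such as "(?P<name>...)" is left alone."""
    depth, first_zero, branches, cur, i = 0, None, [], [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # escape: keep both characters
            cur.append(pattern[i:i + 2]); i += 2; continue
        if c == "[":                        # character class: copy verbatim
            j = i + 1
            if j < len(pattern) and pattern[j] == "^": j += 1
            if j < len(pattern) and pattern[j] == "]": j += 1
            while j < len(pattern) and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            cur.append(pattern[i:j + 1]); i = j + 1; continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0 and first_zero is None:
                first_zero = i              # where the first group closes
        elif c == "|" and depth == 0:
            branches.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    branches.append("".join(cur))
    if (len(branches) == 1 and pattern.startswith("(")
            and not pattern.startswith("(?") and first_zero == len(pattern) - 1):
        return _split_alternatives(pattern[1:-1])
    return branches


def parse_name(re_expression, text):
    """(name, domain) for TEXT; domain is None for an unqualified request,
    the result is None when the expression does not match at all."""
    for branch in _split_alternatives(re_expression):
        m = re.match(branch, text)
        if m:
            groups = m.groupdict()
            return groups.get("name"), groups.get("domain") or None
    return None


def compose_full_name(full_name_format, name, domain, flat_name=None):
    """Expand %1$s (user name), %2$s (domain), %3$s (flat/NetBIOS name)."""
    values = {"1": name, "2": domain, "3": flat_name}

    def expand(m):
        value = values[m.group(1)]
        if value is None:
            raise ValueError(f"%{m.group(1)}$s requested but not available")
        return value
    return re.sub(r"%([123])\$s", expand, full_name_format)


def lookup_allowed(re_expression, request, use_fully_qualified_names):
    """With use_fully_qualified_names=TRUE a request without a domain part
    ("test" rather than "test@LOCAL") is refused before any lookup."""
    parsed = parse_name(re_expression, request)
    if parsed is None:
        return False
    _name, domain = parsed
    return not (use_fully_qualified_names and domain is None)


if __name__ == "__main__":
    for req in ("user", "user@ad.example.com", r"AD\user"):
        print(req, "->", parse_name(RE_AD_IPA_DEFAULT, req),
              "| simple default:", parse_name(RE_DEFAULT, req))
    print(compose_full_name(FULL_NAME_DEFAULT, "user", "ad.example.com"))
    print(compose_full_name(r"%3$s\%1$s", "user", "ad.example.com", "AD"))
```

Running it shows why the simple default is unsuitable for AD: `AD\user` parses as a single unqualified name `AD\user`, whereas the AD/IPA default yields name `user` in domain `AD`.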
1289 lookup_family_order (string)
1290 Provides the ability to select preferred address family to use
1291 when performing DNS lookups.
1292
1293 Supported values:
1294
1295 ipv4_first: Try looking up IPv4 address, if that fails, try
1296 IPv6
1297
1298 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1299
1300 ipv6_first: Try looking up IPv6 address, if that fails, try
1301 IPv4
1302
1303 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1304
1305 Default: ipv4_first
1306
1307 dns_resolver_timeout (integer)
1308 Defines the amount of time (in seconds) to wait for a reply
1309 from the DNS resolver before assuming that it is unreachable.
1310 If this timeout is reached, the domain will continue to operate
1311 in offline mode.
1312
1313 Default: 6
1314
1315 dns_discovery_domain (string)
1316 If service discovery is used in the back end, specifies the
1317 domain part of the service discovery DNS query.
1318
1319 Default: Use the domain part of machine's hostname
1320
1321 override_gid (integer)
1322 Override the primary GID value with the one specified.
1323
1324 case_sensitive (string)
1325 Treat user and group names as case sensitive. At the moment,
1326 this option is not supported in the local provider. Possible
1327 option values are:
1328
1329 True
1330 Case sensitive. This value is invalid for AD provider.
1331
1332 False
1333 Case insensitive.
1334
1335 Preserving
1336 Same as False (case insensitive), but does not lowercase
1337 names in the result of NSS operations. Note that name
1338 aliases (and in case of services also protocol names) are
1339 still lowercased in the output.
1340
1341 Default: True (False for AD provider)
1342
1343 proxy_fast_alias (boolean)
1344 When a user or group is looked up by name in the proxy
1345 provider, a second lookup by ID is performed to "canonicalize"
1346 the name in case the requested name was an alias. Setting this
1347 option to true would cause the SSSD to perform the ID lookup
1348 from cache for performance reasons.
1349
1350 Default: false
1351
1352 subdomain_homedir (string)
1353 Use this homedir as default value for all subdomains within
1354 this domain in IPA AD trust. See override_homedir for info
1355 about possible values. In addition to those, the expansion
1356 below can only be used with subdomain_homedir.
1357
1358 %F
1359 flat (NetBIOS) name of a subdomain.
1360
1361 The value can be overridden by override_homedir option.
1362
1363 Default: /home/%d/%u
1364
1365 realmd_tags (string)
1366 Various tags stored by the realmd configuration service for
1367 this domain.
1368
1369 cached_auth_timeout (int)
1370 Specifies time in seconds since last successful online
1371 authentication for which user will be authenticated using
1372 cached credentials while SSSD is in the online mode.
1373
1374 Special value 0 implies that this feature is disabled.
1375
1376 Please note that if “cached_auth_timeout” is longer than
1377 “pam_id_timeout” then the back end could be called to handle
1378 “initgroups.”
1379
1380 Default: 0
1381
1382 Options valid for proxy domains.
1383
1384 proxy_pam_target (string)
1385 The proxy target PAM proxies to.
1386
1387 Default: not set by default, you have to take an existing pam
1388 configuration or create a new one and add the service name
1389 here.
1390
1391 proxy_lib_name (string)
1392 The name of the NSS library to use in proxy domains. The NSS
1393 functions searched for in the library are in the form of
1394 _nss_$(libName)_$(function), for example _nss_files_getpwent.
1395
1396 proxy_max_children (integer)
1397 This option specifies the number of pre-forked proxy children.
1398 It is useful for high-load SSSD environments where sssd may run
1399 out of available child slots, which would cause some issues due
1400 to the requests being queued.
1401
1402 Default: 10
1403
1404 The local domain section
1405 This section contains settings for a domain that stores users and
1406 groups in the SSSD native database, that is, a domain that uses
1406 id_provider=local.
1407
1408 Section parameters
1409
1410 default_shell (string)
1411 The default shell for users created with SSSD userspace tools.
1412
1413 Default: /bin/bash
1414
1415 base_directory (string)
1416 The tools append the login name to base_directory and use that as
1417 the home directory.
1418
1419 Default: /home
1420
1421 create_homedir (bool)
1422 Indicate if a home directory should be created by default for new
1423 users. Can be overridden on command line.
1424
1425 Default: TRUE
1426
1427 remove_homedir (bool)
1428 Indicate if a home directory should be removed by default for
1429 deleted users. Can be overridden on command line.
1430
1431 Default: TRUE
1432
1433 homedir_umask (integer)
1434 Used by sss_useradd(8) to specify the default permissions on a
1435 newly created home directory.
1436
1437 Default: 077
1438
1439 skel_dir (string)
1440 The skeleton directory, which contains files and directories to be
1441 copied into the user's home directory when the home directory is
1442 created by sss_useradd(8)
1443
1444 Default: /etc/skel
1445
1446 mail_dir (string)
1447 The mail spool directory. This is needed to manipulate the mailbox
1448 when its corresponding user account is modified or deleted. If not
1449 specified, a default value is used.
1450
1451 Default: /var/mail
1452
1453 userdel_cmd (string)
1454 The command that is run after a user is removed. The command is
1455 passed the username of the user being removed as the first and only
1456 parameter. The return code of the command is not taken into
1457 account.
1458
1459 Default: None, no command is run
1460
1462 The following example shows a typical SSSD config. It does not describe
1463 configuration of the domains themselves - refer to documentation on
1464 configuring domains for more details.
1465
1466 [sssd]
1467 domains = LDAP
1468 services = nss, pam
1469 config_file_version = 2
1470
1471 [nss]
1472 filter_groups = root
1473 filter_users = root
1474
1475 [pam]
1476
1477 [domain/LDAP]
1478 id_provider = ldap
1479 ldap_uri = ldap://ldap.example.com
1480 ldap_search_base = dc=example,dc=com
1481
1482 auth_provider = krb5
1483 krb5_server = kerberos.example.com
1484 krb5_realm = EXAMPLE.COM
1485 cache_credentials = true
1486
1487 min_id = 10000
1488 max_id = 20000
1489 enumerate = False
1490
1491
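The example above leaves access_provider unset (so the “permit” default applies), caches credentials, and gives no account_cache_expiration; the cache-related options earlier in this page state rules that such a file can be checked against mechanically. The following is an added example of doing so, not an SSSD tool: it parses sssd.conf text with Python's configparser (whose default line-comment and no-inline-comment handling matches the syntax described at the top of this page), computes the effective per-type entry cache timeouts including their fallback to entry_cache_timeout, and reports the constraints the page states: the “permit” default, account_cache_expiration being 0 or not below offline_credentials_expiration, cached_auth_timeout exceeding pam_id_timeout, refresh_expired_interval at roughly 3/4 of entry_cache_timeout, the 2FA first-factor length, and enumeration. offline_credentials_expiration (days, default 0) and pam_id_timeout (default 5) are [pam] options documented earlier in this man page; simple_allow_groups comes from sssd-simple(5). Both configurations embedded below are constructed for the example.

```python
"""Lint sssd.conf text against rules stated in sssd.conf(5).

Added example, not part of SSSD.  Both sample configurations are
constructed: WEAK_CONF mirrors the man page's example with a few
aggravating settings, HARDENED_CONF is the tightened counterpart.
"""
import configparser

CACHE_TYPES = ("user", "group", "netgroup", "service", "sudo", "autofs", "ssh_host")


def load(text):
    # '#'/';' line comments and no inline comments match sssd.conf syntax;
    # interpolation is off because values such as /home/%d/%u contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_cache_timeouts(domain):
    """entry_cache_<type>_timeout falls back to entry_cache_timeout (5400)."""
    base = domain.getint("entry_cache_timeout", fallback=5400)
    return {t: domain.getint(f"entry_cache_{t}_timeout", fallback=base)
            for t in CACHE_TYPES}


def lint_sssd_conf(text):
    """Return a list of (code, section, message) findings."""
    cp = load(text)
    findings = []
    offline_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    pam_id_timeout = cp.getint("pam", "pam_id_timeout", fallback=5)

    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for d in listed:
        if not cp.has_section(f"domain/{d}"):
            findings.append(("missing_domain", "sssd", f"domains lists {d!r} but [domain/{d}] is absent"))

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") != "local" and "access_provider" not in dom:
            findings.append(("access_permit", section,
                             "access_provider unset: default 'permit' admits every account the id_provider returns"))
        if dom.getboolean("cache_credentials", fallback=False):
            ace = dom.getint("account_cache_expiration", fallback=0)   # days, 0 = keep forever
            if ace != 0 and ace < offline_days:
                findings.append(("account_cache_expiration", section,
                                 f"account_cache_expiration={ace} is below offline_credentials_expiration={offline_days}"))
            if dom.getint("cache_credentials_minimal_first_factor_length", fallback=8) < 8:
                findings.append(("short_first_factor", section,
                                 "first factor shorter than 8 lets 2FA PINs be cached as hashes"))
        if dom.getint("cached_auth_timeout", fallback=0) > pam_id_timeout:
            findings.append(("cached_auth_initgroups", section,
                             f"cached_auth_timeout exceeds pam_id_timeout={pam_id_timeout}; initgroups may reach the back end"))
        base = dom.getint("entry_cache_timeout", fallback=5400)
        if dom.getint("refresh_expired_interval", fallback=0) == 0:
            findings.append(("no_background_refresh", section,
                             f"refresh_expired_interval=0; consider {base * 3 // 4} (3/4 of entry_cache_timeout)"))
        if dom.getboolean("enumerate", fallback=False) or dom.get("subdomain_enumerate", "none") != "none":
            findings.append(("enumerate", section,
                             "enumeration downloads every entry; not recommended in large environments"))
    return findings


WEAK_CONF = """
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[pam]
offline_credentials_expiration = 30

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
account_cache_expiration = 7
cached_auth_timeout = 3600
enumerate = True
"""

HARDENED_CONF = """
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[pam]
offline_credentials_expiration = 7

[domain/LDAP]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
access_provider = simple
simple_allow_groups = admins
cache_credentials = true
account_cache_expiration = 14
entry_cache_timeout = 3600
entry_cache_sudo_timeout = 600
refresh_expired_interval = 2700
enumerate = False
"""

if __name__ == "__main__":
    for code, section, message in lint_sssd_conf(WEAK_CONF):
        print(f"[{section}] {code}: {message}")
    print("hardened findings:", lint_sssd_conf(HARDENED_CONF))
    print(effective_cache_timeouts(load(HARDENED_CONF)["domain/LDAP"]))
```

The hardened variant sets an explicit access_provider, keeps account_cache_expiration at or above offline_credentials_expiration so cached logins cannot outlive cache cleanup, and turns on the background refresh; the sudo cache timeout shows the per-type override while every other type inherits entry_cache_timeout.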
1493 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1494 sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
1495 sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
1496 sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
1497 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1498 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).
1499
1501 The SSSD upstream - http://fedorahosted.org/sssd
1502
1503
1504
1505SSSD 01/15/2019 SSSD.CONF(5)