SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)

NAME

       sssd.conf - the configuration file for SSSD

FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A line comment starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.
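
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project: a check that a configuration file satisfies the ownership and
       permission rule stated above. The expected_uid parameter defaults to 0
       (root) and exists only so the check can be exercised by an unprivileged
       user on a scratch file; the function names are this example's own.

```python
import os
import stat
import tempfile

# Added example, not part of sssd.conf(5) or the SSSD project: verify that a
# configuration file is a regular file, owned by root, and accessible by root
# only. expected_uid defaults to 0 (root); it is a parameter only so that the
# check can be run by an unprivileged user on a scratch file.

def check_sssd_conf(path, expected_uid=0):
    """Return a list of problems found; an empty list means the file is OK."""
    problems = []
    try:
        st = os.lstat(path)  # lstat: a symlink is not a regular file
    except FileNotFoundError:
        return ["%s does not exist" % path]

    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    # Any group/other bit lets someone other than the owner read or write it.
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % mode)
    return problems


def demo_in_tmpdir():
    """Create scratch files (constructed input) and return the result per case."""
    d = tempfile.mkdtemp()
    me = os.getuid()
    conf = os.path.join(d, "sssd.conf")
    with open(conf, "w") as fh:
        fh.write("[sssd]\nconfig_file_version = 2\nservices = nss, pam\n")
    os.chmod(conf, 0o640)
    loose = check_sssd_conf(conf, expected_uid=me)
    os.chmod(conf, 0o600)
    strict = check_sssd_conf(conf, expected_uid=me)
    wrong_owner = check_sssd_conf(conf, expected_uid=me + 1)
    link = os.path.join(d, "sssd.conf.link")
    os.symlink(conf, link)
    symlinked = check_sssd_conf(link, expected_uid=me)
    missing = check_sssd_conf(os.path.join(d, "missing.conf"), expected_uid=me)
    return {"loose": loose, "strict": strict, "wrong_owner": wrong_owner,
            "symlinked": symlinked, "missing": missing}


if __name__ == "__main__":
    for name, result in demo_in_tmpdir().items():
        print("%-12s %s" % (name, result or "OK"))
```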

GENERAL OPTIONS

       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data, use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions, use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0
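
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project: the mapping between the decimal levels and the bitmask bits
       listed above, with helpers that compose a bitmask for selected levels,
       convert a decimal level into its bitmask equivalent (that level plus all
       lower ones, as described above), and decode or validate a value as it
       appears in sssd.conf. The function names are this example's own.

```python
# Added example, not part of sssd.conf(5) or the SSSD project: debug_level
# bitmask arithmetic based on the level table in the man page.

LEVEL_BITS = {
    0: 0x0010,  # fatal failures
    1: 0x0020,  # critical failures
    2: 0x0040,  # serious failures
    3: 0x0080,  # minor failures
    4: 0x0100,  # configuration settings
    5: 0x0200,  # function data
    6: 0x0400,  # trace messages for operation functions
    7: 0x1000,  # trace messages for internal control functions (0x0800 is not listed)
    8: 0x2000,  # contents of function-internal variables
    9: 0x4000,  # extremely low-level tracing
}
KNOWN_BITS = sum(LEVEL_BITS.values())   # distinct bits, so sum == bitwise OR


def mask_for_levels(levels):
    """Bitmask enabling exactly the given levels, e.g. [0, 1, 2, 5] -> 0x0270."""
    mask = 0
    for level in levels:
        if level not in LEVEL_BITS:
            raise ValueError("unknown debug level %r" % (level,))
        mask |= LEVEL_BITS[level]
    return mask


def decimal_to_mask(level):
    """Bitmask equivalent of a decimal level: that level plus all lower ones."""
    if level not in LEVEL_BITS:
        raise ValueError("decimal debug_level must be in 0-9, got %r" % (level,))
    return mask_for_levels(range(level + 1))


def levels_in_mask(mask):
    """Decode a bitmask into the sorted list of levels it enables."""
    if mask & ~KNOWN_BITS:
        raise ValueError("bitmask 0x%04x sets bits that match no level" % mask)
    return [level for level, bit in sorted(LEVEL_BITS.items()) if mask & bit]


def parse_debug_level(value):
    """Normalise a debug_level value as written in sssd.conf to a bitmask."""
    text = value.strip()
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        levels_in_mask(mask)        # rejects bits that match no level
        return mask
    return decimal_to_mask(int(text, 10))


if __name__ == "__main__":
    for value in ("0", "3", "9", "0x0270", "0x1310"):
        mask = parse_debug_level(value)
        print("%-7s -> 0x%04x enables levels %s" % (value, mask, levels_in_mask(mask)))
```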

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging, this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging, this option is ignored.

           Default: false

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests.

           Default: 10

SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called the “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more than one domain at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           should only consist of alphanumeric ASCII characters, dashes, dots
           and underscores.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       try_inotify (boolean)
           SSSD monitors the state of resolv.conf to identify when it needs to
           update its internal DNS resolver. By default, we will attempt to
           use inotify for this, and will fall back to polling resolv.conf
           every five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set, all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the default
           of use_fully_qualified_names to True. It is not allowed to use this
           option together with use_fully_qualified_names set to False.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_). User name "john doe"
           will be "john_doe". This feature was added to help compatibility
           with shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character, SSSD tries to return the
           unmodified name, but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

               This option must be used together with
               ocsp_default_responder_signing_cert.

           ocsp_default_responder_signing_cert=NAME
               The nickname of the cert that is trusted (expected) to sign the
               OCSP responses. The certificate with the given nickname must be
               available in the system's NSS database.

               This option must be used together with ocsp_default_responder.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system.

           Default: 60

       force_timeout (integer)
           If a service is not responding to ping checks (see the “timeout”
           option), it is first sent the SIGTERM signal that instructs it to
           quit gracefully. If the service does not terminate after
           “force_timeout” seconds, the monitor will forcibly shut it down by
           sending a SIGKILL signal.

           Default: 60

       offline_timeout (integer)
           When SSSD switches to offline mode, the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. This value is in seconds and is calculated by the
           following:

           offline_timeout + random_offset

           The random offset can increment up to 30 seconds. After each
           unsuccessful attempt to go online, the new interval is recalculated
           by the following:

           new_interval = old_interval*2 + random_offset

           Note that the maximum length of each interval is currently limited
           to one hour. If the calculated length of new_interval is greater
           than an hour, it will be forced to one hour.

           Default: 60
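
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project: the retry interval schedule described above written out, so
       that the effect of a given offline_timeout can be seen for the best case
       (offset 0), the worst case (offset 30) and a seeded pseudo-random
       offset. The one-hour cap and the 0-30 second offset come from the text;
       the function names and the seeded generator are this example's own.

```python
import random

# Added example, not part of sssd.conf(5) or the SSSD project: the
# offline_timeout back-off schedule as the man page describes it.

ONE_HOUR = 3600
MAX_RANDOM_OFFSET = 30


def next_interval(old_interval, random_offset):
    """new_interval = old_interval*2 + random_offset, capped at one hour."""
    if not 0 <= random_offset <= MAX_RANDOM_OFFSET:
        raise ValueError("random_offset must be between 0 and 30 seconds")
    return min(old_interval * 2 + random_offset, ONE_HOUR)


def backoff_schedule(offline_timeout, attempts, offset_fn):
    """Intervals waited before each of `attempts` consecutive reconnect tries.

    offset_fn() supplies the random offset for each step; passing a constant
    gives the best case (0) or the worst case (30) for analysis.
    """
    if offline_timeout <= 0:
        raise ValueError("offline_timeout must be a positive number of seconds")
    interval = min(offline_timeout + offset_fn(), ONE_HOUR)
    schedule = [interval]
    for _ in range(attempts - 1):
        interval = next_interval(interval, offset_fn())
        schedule.append(interval)
    return schedule


def attempts_until_capped(offline_timeout, random_offset):
    """Number of attempts before the interval first reaches the one-hour cap."""
    count = 0
    for interval in backoff_schedule(offline_timeout, 64, lambda: random_offset):
        count += 1
        if interval == ONE_HOUR:
            return count
    raise RuntimeError("interval never reached the cap")  # doubling makes this unreachable


def random_schedule(offline_timeout, attempts, seed=None):
    """Schedule with a seeded pseudo-random offset, for reproducible experiments."""
    rng = random.Random(seed)
    return backoff_schedule(offline_timeout, attempts,
                            lambda: rng.randint(0, MAX_RANDOM_OFFSET))


if __name__ == "__main__":
    print("offline_timeout=60, offset 0: ", backoff_schedule(60, 7, lambda: 0))
    print("offline_timeout=60, offset 30:", backoff_schedule(60, 6, lambda: 30))
    print("offline_timeout=60, seeded:   ", random_schedule(60, 8, seed=1))
```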

       subdomain_inherit (string)
           Specifies a list of configuration parameters that should be
           inherited by a subdomain. Please note that only selected parameters
           can be inherited. Currently the following options can be inherited:

           ignore_group_members

           ldap_purge_cache_timeout

           ldap_use_tokengroups

           ldap_user_principal

           Example:

               subdomain_inherit = ldap_purge_cache_timeout

           Default: none

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but SSSD will go and update the cache on its
           own, so that future requests will not need to block waiting for a
           cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       filter_users, filter_groups (string)
           Exclude certain users from being fetched from the sss NSS database.
           This is particularly useful for system accounts. This option can
           also be set per-domain or include fully-qualified names to filter
           only users from the particular domain.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           Example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           Example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)
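
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project, covering both override_homedir and fallback_homedir above: a
       template expander for the %-sequences both options accept, and the
       precedence between override_homedir, the value returned by the identity
       provider, and fallback_homedir as described above. The sample users are
       constructed and the function and parameter names are this example's
       own.

```python
# Added example, not part of sssd.conf(5) or the SSSD project: expansion of
# override_homedir / fallback_homedir templates and their precedence.

def expand_homedir(template, user, uid, domain, upn="", orig_homedir="",
                   homedir_substring="/home"):
    """Substitute the sequences listed in the man page; reject anything else."""
    values = {
        "u": user,                       # login name
        "U": str(uid),                   # UID number
        "d": domain,                     # domain name
        "f": "%s@%s" % (user, domain),   # fully qualified user name
        "P": upn,                        # user principal name (name@REALM)
        "o": orig_homedir,               # home directory from the provider
        "H": homedir_substring,          # value of homedir_substring
        "%": "%",                        # literal percent sign
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(template):
            raise ValueError("template ends with a dangling '%'")
        key = template[i + 1]
        if key not in values:
            raise ValueError("unsupported sequence %%%s in template" % key)
        out.append(values[key])
        i += 2
    return "".join(out)


def resolve_homedir(provider_homedir, override_homedir, fallback_homedir, **ctx):
    """override_homedir wins; else the provider's value; else fallback_homedir."""
    if override_homedir:
        return expand_homedir(override_homedir,
                              orig_homedir=provider_homedir or "", **ctx)
    if provider_homedir:
        return provider_homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, **ctx)
    return None   # no substitution for an unset home directory


if __name__ == "__main__":
    # Constructed sample user.
    ctx = dict(user="alice", uid=1001, domain="example.com", upn="alice@EXAMPLE.COM")
    for tpl in ("/home/%u", "/home/%d/%u", "%H/%U", "/export/%f", "/nfs%o"):
        print("%-14s -> %s" % (tpl, expand_homedir(tpl, orig_homedir="/srv/alice", **ctx)))
```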

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh
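
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project: the evaluation order for allowed_shells, shell_fallback and
       vetoed_shells given above as a function that runs against a parsed
       /etc/shells. The nologin path and the choice to apply vetoed_shells
       before the allowed_shells rules are assumptions of this example, since
       the man page fixes neither; the /etc/shells content is constructed.

```python
# Added example, not part of sssd.conf(5) or the SSSD project: shell
# resolution following the allowed_shells rules in the man page.

def load_etc_shells(text):
    """Parse /etc/shells content: one path per line, '#' comments, blanks ignored."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_list(value):
    """Split a comma separated sssd.conf value; None stays None (option not set)."""
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_shell(shell, etc_shells, allowed_shells=None, vetoed_shells=None,
                  shell_fallback="/bin/sh", nologin="/sbin/nologin"):
    """Return the shell that would be handed to NSS for the provider's value."""
    # Assumption: vetoed_shells is applied before the allowed_shells rules.
    if vetoed_shells and shell in vetoed_shells:
        return shell_fallback                  # vetoed: always replaced
    if shell == "":
        return shell                           # empty string is passed as-is
    if allowed_shells is None:
        return shell                           # option not set: used as-is
    if shell in etc_shells:
        return shell                           # rule 1: installed shell
    if "*" in allowed_shells or shell in allowed_shells:
        return shell_fallback                  # rule 2: allowed but not installed
    return nologin                             # rule 3: nologin (path assumed)


if __name__ == "__main__":
    # Constructed /etc/shells content for the demonstration.
    etc = load_etc_shells("# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n")
    allowed = parse_list("/bin/zsh, /bin/bash")
    for candidate in ("/bin/bash", "/bin/zsh", "/usr/bin/fish", ""):
        print("%-15r -> %r" % (candidate, resolve_shell(candidate, etc, allowed)))
```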

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (int)
           Specifies time in seconds for which records in the in-memory cache
           will be valid.

           Default: 300

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
           attributes than just the POSIX ones defined by the NSS interface.
           The list of attributes is controlled by this option. It is handled
           the same way as the “user_attributes” option of the InfoPipe
           responder (see sssd-ifp(5) for details) but with no default values.

           To make configuration easier, the NSS responder will check the
           InfoPipe option if it is not set for the NSS responder.

           Default: not set, fallback to InfoPipe option

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days since the last successful online login).

           Default: 0 (No limit)

       offline_failed_login_attempts (integer)
           If the authentication provider is offline, how many failed login
           attempts are allowed.

           Default: 0 (No limit)

       offline_failed_login_delay (integer)
           The time in minutes which has to pass after
           offline_failed_login_attempts has been reached before a new login
           attempt is possible.

           If set to 0, the user cannot authenticate offline if
           offline_failed_login_attempts has been reached. Only a successful
           online authentication can enable offline authentication again.

           Default: 5

       pam_verbosity (integer)
           Controls what kind of messages are shown to the user during
           authentication. The higher the number, the more messages are
           displayed.

           Currently sssd supports the following values:

           0: do not show any message

           1: show only important messages

           2: show informational messages

           3: show all messages and debug information

           Default: 1

       pam_response_filter (string)
           A comma separated list of strings which allows removing (filtering)
           data sent by the PAM responder to the pam_sss PAM module. There are
           different kinds of responses sent to pam_sss, e.g. messages
           displayed to the user or environment variables which should be set
           by pam_sss.

           While messages can already be controlled with the help of the
           pam_verbosity option, this option allows filtering out other kinds
           of responses as well.

           Currently the following filters are supported:

           ENV
               Do not send any environment variables to any service.

           ENV:var_name
               Do not send environment variable var_name to any service.

           ENV:var_name:service
               Do not send environment variable var_name to service.

           Default: not set

           Example: ENV:KRB5CCNAME:sudo-i
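
       The following is an added example, not part of sssd.conf(5) or the SSSD
       project: a parser for the three ENV filter forms listed above and a
       function that applies the parsed rules to the environment variables the
       PAM responder would otherwise pass to pam_sss for a given service. The
       sample environment is constructed, and rejecting unknown filter names
       with an exception is this example's own choice.

```python
# Added example, not part of sssd.conf(5) or the SSSD project: parsing and
# applying pam_response_filter ENV rules.

def parse_pam_response_filter(value):
    """Parse 'ENV', 'ENV:var', 'ENV:var:service' items into (var, service) rules.

    None in either position means 'any variable' or 'any service'.
    """
    rules = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or "" in parts:
            raise ValueError("unsupported pam_response_filter item %r" % item)
        var_name = parts[1] if len(parts) > 1 else None
        service = parts[2] if len(parts) > 2 else None
        rules.append((var_name, service))
    return rules


def env_is_filtered(rules, var_name, service):
    """True if some rule suppresses var_name for the given PAM service."""
    for rule_var, rule_service in rules:
        if (rule_var is None or rule_var == var_name) and \
           (rule_service is None or rule_service == service):
            return True
    return False


def filter_env_response(rules, env, service):
    """Return the subset of env that may still be sent to pam_sss for service."""
    return {name: value for name, value in env.items()
            if not env_is_filtered(rules, name, service)}


if __name__ == "__main__":
    rules = parse_pam_response_filter("ENV:KRB5CCNAME:sudo-i")
    env = {"KRB5CCNAME": "KCM:", "PATH": "/usr/bin"}   # constructed sample
    for service in ("sudo-i", "sshd"):
        print("%-7s -> %s" % (service, filter_env_response(rules, env, service)))
```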

       pam_id_timeout (integer)
           For any PAM request while SSSD is online, SSSD will attempt to
           immediately update the cached identity information for the user in
           order to ensure that authentication takes place with the latest
           information.

           A complete PAM conversation may perform multiple PAM requests, such
           as account management and session opening. This option controls (on
           a per-client-application basis) how long (in seconds) we can cache
           the identity information to avoid excessive round-trips to the
           identity provider.

           Default: 5

       pam_pwd_expiration_warning (integer)
           Display a warning N days before the password expires.

           Please note that the backend server has to provide information
           about the expiration time of the password. If this information is
           missing, sssd cannot display a warning.

           If zero is set, then this filter is not applied, i.e. if the
           expiration warning was received from the backend server, it will
           automatically be displayed.

           This setting can be overridden by setting pwd_expiration_warning
           for a particular domain.

           Default: 0

       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       pam_trusted_users (string)
           Specifies the comma-separated list of UID values or user names that
           are allowed to access the PAM responder. User names are resolved to
           UIDs at startup.

           Default: all (All users are allowed to access the PAM responder)

           Please note that UID 0 is always allowed to access the PAM
           responder even in case it is not in the pam_trusted_users list.

       pam_public_domains (string)
           Specifies the comma-separated list of domain names that are
           accessible even to untrusted users.

           Two special values for the pam_public_domains option are defined:

           all (Untrusted users are allowed to access all domains in the PAM
           responder.)

           none (Untrusted users are not allowed to access any domains in the
           PAM responder.)

           Default: none

       pam_account_expired_message (string)
           Allows a custom expiration message to be set, replacing the default
           'Permission denied' message.

           Note: Please be aware that the message is only printed for the SSH
           service unless pam_verbosity is set to 3 (show all messages and
           debug information).

           Example:

               pam_account_expired_message = Account expired, please contact help desk.

           Default: none

       pam_account_locked_message (string)
           Allows a custom lockout message to be set, replacing the default
           'Permission denied' message.

           Example:

               pam_account_locked_message = Account locked, please contact help desk.

           Default: none

       pam_cert_auth (bool)
           Enable certificate based Smartcard authentication. Since this
           requires additional communication with the Smartcard, which will
           delay the authentication process, this option is disabled by
           default.

           Default: False

       pam_cert_db_path (string)
           The path to the certificate database which contains the PKCS#11
           modules to access the Smartcard.

           Default: /etc/pki/nssdb (NSS version)

       p11_child_timeout (integer)
           How many seconds will pam_sss wait for p11_child to finish.

           Default: 10

   SUDO configuration options
       These options can be used to configure the sudo service. The detailed
       instructions for configuration of sudo(8) to work with sssd(8) are in
       the manual page sssd-sudo(5).

       sudo_timed (bool)
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

           Default: false

   AUTOFS configuration options
       These options can be used to configure the autofs service.

       autofs_negative_timeout (integer)
           Specifies for how many seconds the autofs responder should cache
           negative hits (that is, queries for invalid map entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       Please note that the automounter only reads the master map on startup,
       so if any autofs-related changes are made to the sssd.conf, you
       typically also need to restart the automounter daemon after restarting
       SSSD.

   SSH configuration options
       These options can be used to configure the SSH service.

       ssh_hash_known_hosts (bool)
           Whether or not to hash host names and addresses in the managed
           known_hosts file.

           Default: true

       ssh_known_hosts_timeout (integer)
           How many seconds to keep a host in the managed known_hosts file
           after its host keys were requested.

           Default: 180

       ca_db (string)
           Path to a storage of trusted CA certificates. The option is used to
           validate user certificates before deriving public ssh keys from
           them.

           Default: /etc/pki/nssdb

   PAC responder configuration options
       The PAC responder works together with the authorization data plugin for
       MIT Kerberos, sssd_pac_plugin.so, and a sub-domain provider. The plugin
       sends the PAC data during a GSSAPI authentication to the PAC responder.
       The sub-domain provider collects the domain SID and ID ranges of the
       domain the client is joined to and of remote trusted domains from the
       local domain controller. If the PAC is decoded and evaluated, some of
       the following operations are done:

       ·   If the remote user does not exist in the cache, it is created. The
           uid is determined with the help of the SID, trusted domains will
           have UPGs and the gid will have the same value as the uid. The home
           directory is set based on the subdomain_homedir parameter. The
           shell will be empty by default, i.e. the system defaults are used,
           but can be overwritten with the default_shell parameter.

       ·   If there are SIDs of groups from domains sssd knows about, the user
           will be added to those groups.

       These options can be used to configure the PAC responder.

       allowed_uids (string)
           Specifies the comma-separated list of UID values or user names that
           are allowed to access the PAC responder. User names are resolved to
           UIDs at startup.

           Default: 0 (only the root user is allowed to access the PAC
           responder)

           Please note that although the UID 0 is used as the default, it will
           be overwritten with this option. If you still want to allow the
           root user to access the PAC responder, which would be the typical
           case, you have to add 0 to the list of allowed UIDs as well.

DOMAIN SECTIONS

       These configuration options can be present in a domain configuration
       section, that is, in a section called “[domain/NAME]”.

       min_id,max_id (integer)
           UID and GID limits for the domain. If a domain contains an entry
           that is outside these limits, it is ignored.

           For users, this affects the primary GID limit. The user will not be
           returned to NSS if either the UID or the primary GID is outside the
           range. For non-primary group memberships, those that are in range
           will be reported as expected.

           These ID limits affect even saving entries to cache, not only
           returning them by name or ID.

           Default: 1 for min_id, 0 (no limit) for max_id

       enumerate (bool)
           Determines if a domain can be enumerated. This parameter can have
           one of the following values:

           TRUE = Users and groups are enumerated

           FALSE = No enumerations for this domain

           Default: FALSE

           Note: Enabling enumeration has a moderate performance impact on
           SSSD while enumeration is running. It may take up to several
           minutes after SSSD startup to fully complete enumerations. During
           this time, individual requests for information will go directly to
           LDAP, though it may be slow, due to the heavy enumeration
           processing. Saving a large number of entries to cache after the
           enumeration completes might also be CPU intensive as the
           memberships have to be recomputed.

           While the first enumeration is running, requests for the complete
           user or group lists may return no results until it completes.

           Further, enabling enumeration may increase the time necessary to
           detect network disconnection, as longer timeouts are required to
           ensure that enumeration lookups are completed successfully. For
           more information, refer to the man pages for the specific
           id_provider in use.

           For the reasons cited above, enabling enumeration is not
           recommended, especially in large environments.
       subdomain_enumerate (string)
           Whether any of the autodetected trusted domains should be
           enumerated. The supported values are:

           all
               All discovered trusted domains will be enumerated

           none
               No discovered trusted domains will be enumerated

           Optionally, a list of one or more domain names can enable
           enumeration just for these trusted domains.

           Default: none

       force_timeout (integer)
           If a service is not responding to ping checks (see the “timeout”
           option), it is first sent the SIGTERM signal that instructs it to
           quit gracefully. If the service does not terminate after
           “force_timeout” seconds, the monitor will forcibly shut it down by
           sending a SIGKILL signal.

           Default: 60

       entry_cache_timeout (integer)
           How many seconds should nss_sss consider entries valid before
           asking the backend again.

           The cache expiration timestamps are stored as attributes of
           individual objects in the cache. Therefore, changing the cache
           timeout only has effect for newly added or expired entries. You
           should run the sss_cache(8) tool in order to force refresh of
           entries that have already been cached.

           Default: 5400

       entry_cache_user_timeout (integer)
           How many seconds should nss_sss consider user entries valid before
           asking the backend again.

           Default: entry_cache_timeout

       entry_cache_group_timeout (integer)
           How many seconds should nss_sss consider group entries valid before
           asking the backend again.

           Default: entry_cache_timeout

       entry_cache_netgroup_timeout (integer)
           How many seconds should nss_sss consider netgroup entries valid
           before asking the backend again.

           Default: entry_cache_timeout

       entry_cache_service_timeout (integer)
           How many seconds should nss_sss consider service entries valid
           before asking the backend again.

           Default: entry_cache_timeout

       entry_cache_sudo_timeout (integer)
           How many seconds should sudo consider rules valid before asking the
           backend again.

           Default: entry_cache_timeout

       entry_cache_autofs_timeout (integer)
           How many seconds should the autofs service consider automounter
           maps valid before asking the backend again.

           Default: entry_cache_timeout

       entry_cache_ssh_host_timeout (integer)
           How many seconds to keep a host ssh key after refresh, i.e. how
           long to cache the host key for.

           Default: entry_cache_timeout

       refresh_expired_interval (integer)
           Specifies how many seconds SSSD has to wait before triggering a
           background refresh task which will refresh all expired or nearly
           expired records.

           The background refresh will process users, groups and netgroups in
           the cache.

           You can consider setting this value to 3/4 * entry_cache_timeout.

           Default: 0 (disabled)

       cache_credentials (bool)
           Determines if user credentials are also cached in the local LDB
           cache.

           User credentials are stored in a SHA512 hash, not in plaintext.

           Default: FALSE

       cache_credentials_minimal_first_factor_length (int)
           If 2-Factor-Authentication (2FA) is used and credentials should be
           saved, this value determines the minimal length the first
           authentication factor (long term password) must have to be saved as
           SHA512 hash into the cache.

           This should prevent the short PINs of a PIN-based 2FA scheme from
           being saved in the cache, where they would be easy targets for
           brute-force attacks.

           Default: 8

       account_cache_expiration (integer)
           Number of days entries are left in cache after last successful
           login before being removed during a cleanup of the cache. 0 means
           keep forever. The value of this parameter must be greater than or
           equal to offline_credentials_expiration.

           Default: 0 (unlimited)

       pwd_expiration_warning (integer)
           Display a warning N days before the password expires.

           If zero is set, then this filter is not applied, i.e. if the
           expiration warning was received from the backend server, it will
           automatically be displayed.

           Please note that the backend server has to provide information
           about the expiration time of the password. If this information is
           missing, sssd cannot display a warning. Also an auth provider has
           to be configured for the backend.

           Default: 7 (Kerberos), 0 (LDAP)

       id_provider (string)
           The identification provider used for the domain. Supported ID
           providers are:

           “proxy”: Support a legacy NSS provider

           “local”: SSSD internal provider for local users

           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
           configuring LDAP.

           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
           See sssd-ipa(5) for more information on configuring FreeIPA.

           “ad”: Active Directory provider. See sssd-ad(5) for more
           information on configuring Active Directory.

       use_fully_qualified_names (bool)
           Use the full name and domain (as formatted by the domain's
           full_name_format) as the user's login name reported to NSS.

           If set to TRUE, all requests to this domain must use fully
           qualified names. For example, if used in LOCAL domain that contains
           a "test" user, getent passwd test wouldn't find the user while
           getent passwd test@LOCAL would.

           NOTE: This option has no effect on netgroup lookups due to their
           tendency to include nested netgroups without qualified names. For
           netgroups, all domains will be searched when an unqualified name is
           requested.

           Default: FALSE (TRUE if default_domain_suffix is used)

       ignore_group_members (bool)
           Do not return group members for group lookups.

           If set to TRUE, the group membership attribute is not requested
           from the ldap server, and group members are not returned when
           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
           As an effect, “getent group $groupname” would return the requested
           group as if it was empty.

           Enabling this option can also make access provider checks for group
           membership significantly faster, especially for groups containing
           many members.

           Default: FALSE

       auth_provider (string)
           The authentication provider used for the domain. Supported auth
           providers are:

           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
           information on configuring LDAP.

           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
           information on configuring Kerberos.

           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
           See sssd-ipa(5) for more information on configuring FreeIPA.

           “ad”: Active Directory provider. See sssd-ad(5) for more
           information on configuring Active Directory.

           “proxy” for relaying authentication to some other PAM target.

           “local”: SSSD internal provider for local users

           “none” disables authentication explicitly.

           Default: “id_provider” is used if it is set and can handle
           authentication requests.

       access_provider (string)
           The access control provider used for the domain. There are two
           built-in access providers (in addition to any included in installed
           backends). Internal special providers are:

           “permit” always allow access. It's the only permitted access
           provider for a local domain.

           “deny” always deny access.

           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
           information on configuring LDAP.

           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
           See sssd-ipa(5) for more information on configuring FreeIPA.

           “ad”: Active Directory provider. See sssd-ad(5) for more
           information on configuring Active Directory.

           “simple” access control based on access or deny lists. See sssd-
           simple(5) for more information on configuring the simple access
           module.

           Default: “permit”

       chpass_provider (string)
           The provider which should handle change password operations for the
           domain. Supported change password providers are:

           “ldap” to change a password stored in a LDAP server. See sssd-
           ldap(5) for more information on configuring LDAP.

           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
           information on configuring Kerberos.

           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
           See sssd-ipa(5) for more information on configuring FreeIPA.

           “ad”: Active Directory provider. See sssd-ad(5) for more
           information on configuring Active Directory.

           “proxy” for relaying password changes to some other PAM target.

           “none” disallows password changes explicitly.

           Default: “auth_provider” is used if it is set and can handle change
           password requests.

       sudo_provider (string)
           The SUDO provider used for the domain. Supported SUDO providers
           are:

           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
           information on configuring LDAP.

           “ipa” the same as “ldap” but with IPA default settings.

           “ad” the same as “ldap” but with AD default settings.

           “none” disables SUDO explicitly.

           Default: The value of “id_provider” is used if it is set.

           The detailed instructions for configuration of sudo_provider are in
           the manual page sssd-sudo(5). There are many configuration options
           that can be used to adjust the behavior. Please refer to
           "ldap_sudo_*" in sssd-ldap(5).

       selinux_provider (string)
           The provider which should handle loading of selinux settings. Note
           that this provider will be called right after access provider ends.
           Supported selinux providers are:

           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
           for more information on configuring IPA.

           “none” disallows fetching selinux settings explicitly.

           Default: “id_provider” is used if it is set and can handle selinux
           loading requests.

       subdomains_provider (string)
           The provider which should handle fetching of subdomains. This value
           should be always the same as id_provider. Supported subdomain
           providers are:

           “ipa” to load a list of subdomains from an IPA server. See sssd-
           ipa(5) for more information on configuring IPA.

           “ad” to load a list of subdomains from an Active Directory server.
           See sssd-ad(5) for more information on configuring the AD provider.

           “none” disallows fetching subdomains explicitly.

           Default: The value of “id_provider” is used if it is set.

       autofs_provider (string)
           The autofs provider used for the domain. Supported autofs providers
           are:

           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
           information on configuring LDAP.

           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
           more information on configuring IPA.

           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
           information on configuring the AD provider.

           “none” disables autofs explicitly.

           Default: The value of “id_provider” is used if it is set.

       hostid_provider (string)
           The provider used for retrieving host identity information.
           Supported hostid providers are:

           “ipa” to load host identity stored in an IPA server. See sssd-
           ipa(5) for more information on configuring IPA.

           “none” disables hostid explicitly.

           Default: The value of “id_provider” is used if it is set.

       re_expression (string)
           Regular expression for this domain that describes how to parse the
           string containing user name and domain into these components. The
           "domain" can match either the SSSD configuration domain name, or,
           in the case of IPA trust subdomains and Active Directory domains,
           the flat (NetBIOS) name of the domain.

           Default for the AD and IPA provider:
           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
           which allows three different styles for user names:

           ·   username

           ·   username@domain.name

           ·   domain\username

           While the first two correspond to the general default, the third
           one is introduced to allow easy integration of users from Windows
           domains.

           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
           "the name is everything up to the “@” sign, the domain everything
           after that"

           PLEASE NOTE: the support for non-unique named subpatterns is not
           available on all platforms (e.g. RHEL5 and SLES10). Only platforms
           with libpcre version 7 or higher can support non-unique named
           subpatterns.

           PLEASE NOTE ALSO: older versions of libpcre only support the Python
           syntax (?P<name>) to label subpatterns.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a
           fully qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Default: “%1$s@%2$s”.

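       The following is an added example, not code from this manual or from
       SSSD itself: it parses the three user name styles accepted by the AD
       and IPA default re_expression, compares them with the general default,
       and expands a full_name_format string. The AD/IPA pattern reuses the
       group names “name” and “domain” in each alternative, which Python's re
       module rejects (the note above about non-unique named subpatterns), so
       each alternative is compiled separately and tried in the order the
       pattern lists them; the general default is used verbatim.

```python
import re

# Added example: the three alternatives of the AD/IPA default re_expression,
# compiled one by one because Python's re module does not accept the
# non-unique named subpatterns (?P<name> / (?P<domain> that the single SSSD
# pattern relies on (the manual notes this needs libpcre 7 or newer).
AD_IPA_ALTERNATIVES = (
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),   # domain\username
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),     # username@domain.name
    re.compile(r"^(?P<name>[^@\\]+)$"),                 # plain username
)

# The general default from the manual, used unchanged.
GENERAL_DEFAULT = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")


def parse_name(login, ad_or_ipa=True):
    """Split a login string into (name, domain).

    Returns None when nothing matches. The domain is None when the input
    carries no domain part; an empty domain match counts as absent, which is
    what the general default yields for a bare user name.
    """
    patterns = AD_IPA_ALTERNATIVES if ad_or_ipa else (GENERAL_DEFAULT,)
    for pattern in patterns:
        match = pattern.match(login)
        if match is None:
            continue
        groups = match.groupdict()
        return groups["name"], groups.get("domain") or None
    return None


_DIRECTIVE = re.compile(r"%([123])\$s")


def full_name(fmt, name, domain, flat_name=""):
    """Expand the %1$s (user), %2$s (configured domain) and %3$s (flat name)
    positional directives of a full_name_format string."""
    values = {"1": name, "2": domain or "", "3": flat_name or ""}
    # A callable replacement keeps backslashes in the values literal.
    return _DIRECTIVE.sub(lambda m: values[m.group(1)], fmt)


def qualify(login, config_domain, fmt="%1$s@%2$s", flat_name=""):
    """Parse a login the way the AD/IPA default does and re-emit it fully
    qualified, as use_fully_qualified_names = TRUE reports names to NSS.
    A login that names no domain is attributed to config_domain."""
    parsed = parse_name(login)
    if parsed is None:
        raise ValueError("login does not match re_expression: %r" % login)
    name, domain = parsed
    return full_name(fmt, name, domain or config_domain, flat_name)


if __name__ == "__main__":
    for login in ("jdoe", "jdoe@example.com", "EXAMPLE\\jdoe", "a@b@c"):
        print(login, "->", parse_name(login),
              "| general default ->", parse_name(login, ad_or_ipa=False))
    print(qualify("EXAMPLE\\jdoe", "example.com", "%3$s\\%1$s", "EXAMPLE"))
```

       Note that “a@b@c” matches the AD/IPA default (name “a”, domain “b@c”)
       but nothing at all under the general default, whose domain part may
       not contain a second “@”.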
       lookup_family_order (string)
           Provides the ability to select preferred address family to use
           when performing DNS lookups.

           Supported values:

           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6

           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.

           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4

           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.

           Default: ipv4_first

       dns_resolver_timeout (integer)
           Defines the amount of time (in seconds) to wait for a reply from
           the DNS resolver before assuming that it is unreachable. If this
           timeout is reached, the domain will continue to operate in offline
           mode.

           Default: 6

       dns_discovery_domain (string)
           If service discovery is used in the back end, specifies the domain
           part of the service discovery DNS query.

           Default: Use the domain part of machine's hostname

       override_gid (integer)
           Override the primary GID value with the one specified.

       case_sensitive (string)
           Treat user and group names as case sensitive. At the moment, this
           option is not supported in the local provider. Possible option
           values are:

           True
               Case sensitive. This value is invalid for AD provider.

           False
               Case insensitive.

           Preserving
               Same as False (case insensitive), but does not lowercase names
               in the result of NSS operations. Note that name aliases (and in
               case of services also protocol names) are still lowercased in
               the output.

           Default: True (False for AD provider)

       proxy_fast_alias (boolean)
           When a user or group is looked up by name in the proxy provider, a
           second lookup by ID is performed to "canonicalize" the name in case
           the requested name was an alias. Setting this option to true would
           cause the SSSD to perform the ID lookup from cache for performance
           reasons.

           Default: false

       subdomain_homedir (string)
           Use this homedir as default value for all subdomains within this
           domain in IPA AD trust. See override_homedir for info about
           possible values. In addition to those, the expansion below can only
           be used with subdomain_homedir.

           %F
               flat (NetBIOS) name of a subdomain.

           The value can be overridden by override_homedir option.

           Default: /home/%d/%u

       realmd_tags (string)
           Various tags stored by the realmd configuration service for this
           domain.

       cached_auth_timeout (int)
           Specifies time in seconds since last successful online
           authentication for which user will be authenticated using cached
           credentials while SSSD is in the online mode.

           Special value 0 implies that this feature is disabled.

           Please note that if “cached_auth_timeout” is longer than
           “pam_id_timeout” then the back end could be called to handle
           “initgroups.”

           Default: 0

       Options valid for proxy domains.

       proxy_pam_target (string)
           The proxy target PAM proxies to.

           Default: not set by default, you have to take an existing pam
           configuration or create a new one and add the service name here.

       proxy_lib_name (string)
           The name of the NSS library to use in proxy domains. The NSS
           functions searched for in the library are in the form of
           _nss_$(libName)_$(function), for example _nss_files_getpwent.

       proxy_max_children (integer)
           This option specifies the number of pre-forked proxy children. It
           is useful for high-load SSSD environments where sssd may run out of
           available child slots, which would cause some issues due to the
           requests being queued.

           Default: 10

   The local domain section
       This section contains settings for a domain that stores users and
       groups in the SSSD native database, that is, a domain that uses
       id_provider=local.

       Section parameters

       default_shell (string)
           The default shell for users created with SSSD userspace tools.

           Default: /bin/bash

       base_directory (string)
           The tools append the login name to base_directory and use that as
           the home directory.

           Default: /home

       create_homedir (bool)
           Indicate if a home directory should be created by default for new
           users. Can be overridden on command line.

           Default: TRUE

       remove_homedir (bool)
           Indicate if a home directory should be removed by default for
           deleted users. Can be overridden on command line.

           Default: TRUE

       homedir_umask (integer)
           Used by sss_useradd(8) to specify the default permissions on a
           newly created home directory.

           Default: 077

       skel_dir (string)
           The skeleton directory, which contains files and directories to be
           copied in the user's home directory, when the home directory is
           created by sss_useradd(8)

           Default: /etc/skel

       mail_dir (string)
           The mail spool directory. This is needed to manipulate the mailbox
           when its corresponding user account is modified or deleted. If not
           specified, a default value is used.

           Default: /var/mail

       userdel_cmd (string)
           The command that is run after a user is removed. The command is
           passed the username of the user being removed as the first and only
           parameter. The return code of the command is not taken into
           account.

           Default: None, no command is run


EXAMPLE

       The following example shows a typical SSSD config. It does not describe
       configuration of the domains themselves - refer to documentation on
       configuring domains for more details.

           [sssd]
           domains = LDAP
           services = nss, pam
           config_file_version = 2

           [nss]
           filter_groups = root
           filter_users = root

           [pam]

           [domain/LDAP]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           auth_provider = krb5
           krb5_server = kerberos.example.com
           krb5_realm = EXAMPLE.COM
           cache_credentials = true

           min_id = 10000
           max_id = 20000
           enumerate = False

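       As an added example, not tooling that ships with SSSD, the following
       Python reads a configuration in the syntax described at the top of
       this page and checks the cross-option rules this manual states: that
       min_id does not exceed max_id, that account_cache_expiration is not
       shorter than offline_credentials_expiration (a [pam] option, where
       SSSD defines it), that an explicit allowed_uids in [pac] still lists 0
       when root is meant to keep access, and that enumerate is not enabled;
       it also checks that the file itself is a regular, root-owned file that
       no other user can read or write. Both configurations are constructed
       for the example; the first is a copy of the one above.

```python
import configparser
import os
import stat

# Constructed input: the example configuration from this manual page.
EXAMPLE_CONF = """\
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = False
"""

# Constructed input violating each rule checked below exactly once.
BAD_CONF = """\
[sssd]
domains = AD
services = nss, pam, pac
[pam]
offline_credentials_expiration = 30
[pac]
allowed_uids = 1000, apache
[domain/AD]
id_provider = ad
min_id = 20000
max_id = 10000
account_cache_expiration = 7
enumerate = TRUE
"""


def load_sssd_conf(text):
    # sssd.conf syntax: ini sections, key = value, "#" or ";" line comments,
    # no inline comments; option names are kept case sensitive.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=("#", ";"),
                                       inline_comment_prefixes=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_config(conf):
    """Return findings for the cross-option rules this manual states."""
    findings = []
    # offline_credentials_expiration is a [pam] option; 0 means unlimited.
    cred_days = conf.getint("pam", "offline_credentials_expiration", fallback=0)
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        dom = conf[section]
        min_id, max_id = dom.getint("min_id", 1), dom.getint("max_id", 0)
        if max_id and min_id > max_id:       # max_id 0 = no upper limit
            findings.append("%s: min_id %d exceeds max_id %d, every entry "
                            "would be ignored" % (section, min_id, max_id))
        acct_days = dom.getint("account_cache_expiration", 0)  # 0 = forever
        if acct_days and cred_days and acct_days < cred_days:
            findings.append("%s: account_cache_expiration %d is below "
                            "offline_credentials_expiration %d"
                            % (section, acct_days, cred_days))
        if dom.getboolean("enumerate", False):
            findings.append("%s: enumerate = TRUE is not recommended, "
                            "especially in large environments" % section)
    if conf.has_option("pac", "allowed_uids"):
        allowed = [v.strip() for v in conf.get("pac", "allowed_uids").split(",")]
        if "0" not in allowed and "root" not in allowed:
            findings.append("[pac]: allowed_uids replaces the default 0; add "
                            "0 if root should still reach the PAC responder")
    return findings


def check_file(path):
    """sssd.conf must be a regular file owned by root that only root can read
    or write; lstat is used so a symlink put in its place is reported too."""
    st = os.lstat(path)
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != 0:
        findings.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & 0o077:
        findings.append("mode %04o grants access to group or others"
                        % stat.S_IMODE(st.st_mode))
    return findings
```

       Run against the example configuration check_config returns no
       findings; against the second configuration it returns one finding per
       rule, and check_file("/etc/sssd/sssd.conf") reports a file that is
       world-readable or not owned by root.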

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8),
       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
       sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).


AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd



SSSD                              01/15/2019                      SSSD.CONF(5)