SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)


NAME

       sssd.conf - the configuration file for SSSD

FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single- and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

       The configuration file sssd.conf will include configuration snippets
       from the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (a higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

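The inclusion and ownership rules from FILE FORMAT and this section, modelled as a small audit script. This is an added example, not SSSD's own code: it builds a constructed sample tree in a temporary directory, lists the snippets SSSD would pick up in order, checks the root:root/0600 requirement, and shows which value wins when sssd.conf and several snippets set the same key. It assumes plain codepoint order stands in for the locale-based sort.

```python
"""Model how sssd.conf and conf.d snippets combine, and check the ownership
and permission rules sssd.conf(5) states. Added example, not SSSD code."""
import configparser
import os
import stat
import tempfile
from pathlib import Path


def snippet_paths(conf_d: Path) -> list:
    """Snippets SSSD would include, in inclusion order: regular files whose
    name ends in '.conf' and does not start with '.', alphabetically.
    Assumption: plain codepoint order stands in for the locale-based sort."""
    if not conf_d.is_dir():
        return []
    return sorted(
        p for p in conf_d.iterdir()
        if p.is_file() and p.name.endswith(".conf") and not p.name.startswith(".")
    )


def check_file_security(path: Path) -> list:
    """Deviations from the page's rule: a regular file owned by root that only
    root may read or write (root:root, mode 0600)."""
    st = os.lstat(path)  # lstat: a symlink is not a regular file
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append(f"owner {st.st_uid}:{st.st_gid}, expected root:root")
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o}, expected 0600")
    return problems


def effective_config(sssd_conf: Path, conf_d: Path) -> configparser.ConfigParser:
    """Read sssd.conf, then each snippet in order; a later file's value for the
    same section/key wins, matching 'files included later have higher priority'."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    comment_prefixes=("#", ";"),
                                    inline_comment_prefixes=None)
    cfg.read([sssd_conf, *snippet_paths(conf_d)], encoding="utf-8")
    return cfg


def build_demo_tree() -> Path:
    """Constructed sample layout (not a real deployment) in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="sssd-demo-"))
    conf_d = root / "conf.d"
    conf_d.mkdir()
    files = {
        root / "sssd.conf": "[sssd]\ndomains = example\nservices = nss, pam\n"
                            "[domain/example]\nid_provider = ldap\ndebug_level = 2\n",
        conf_d / "01_debug.conf": "[domain/example]\ndebug_level = 6\n",
        conf_d / "02_debug.conf": "[domain/example]\ndebug_level = 0x0270\n",
        conf_d / ".hidden.conf": "[domain/example]\nid_provider = files\n",  # skipped
        conf_d / "README.txt": "[sssd]\nservices = nss\n",                  # skipped
    }
    for path, text in files.items():
        path.write_text(text, encoding="utf-8")
        path.chmod(0o600)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for p in [root / "sssd.conf", *snippet_paths(root / "conf.d")]:
        print(p.name, check_file_security(p) or "ok")
    cfg = effective_config(root / "sssd.conf", root / "conf.d")
    print("effective debug_level:", cfg["domain/example"]["debug_level"])
```

Run against a real /etc/sssd tree the same functions report which file supplies each effective value and which file fails the ownership or mode check.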

GENERAL OPTIONS

       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (for example if you wish to
           suppress a single level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data, and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0

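The two debug_level representations above, as an added example (not SSSD code) that converts between them: a decimal level is expanded to the bits of that level and every lower one, a 0x bitmask is decoded into the message classes it enables, and bits the table above does not define are flagged. It assumes the table is complete, so the decimal-to-bitmask mapping follows the page rather than any particular SSSD release.

```python
"""Decode and compose SSSD debug_level values following the table in
sssd.conf(5). Added example, not SSSD code."""
from functools import reduce

# Decimal level -> (bitmask bit, description), exactly as listed in the page.
# Assumption: a decimal level N enables the bits of levels 0..N from this
# table; bits the table does not list (e.g. 0x0800) are reported as unknown.
LEVELS = {
    0: (0x0010, "fatal failures"),
    1: (0x0020, "critical failures"),
    2: (0x0040, "serious failures"),
    3: (0x0080, "minor failures"),
    4: (0x0100, "configuration settings"),
    5: (0x0200, "function data"),
    6: (0x0400, "trace messages for operation functions"),
    7: (0x1000, "trace messages for internal control functions"),
    8: (0x2000, "contents of function-internal variables"),
    9: (0x4000, "extremely low-level tracing information"),
}
KNOWN_BITS = reduce(lambda acc, lvl: acc | LEVELS[lvl][0], LEVELS, 0)


def compose(levels) -> int:
    """Bitmask that enables exactly the given decimal levels (the page's
    'add their numbers together')."""
    return reduce(lambda acc, lvl: acc | LEVELS[lvl][0], levels, 0)


def parse_debug_level(value: str) -> int:
    """Turn a debug_level string as written in sssd.conf into a bitmask.

    A 0x-prefixed value is a bitmask and is taken literally; a decimal
    value 0-9 enables that level and every lower level.
    """
    text = value.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    level = int(text, 10)
    if not 0 <= level <= 9:
        raise ValueError(f"debug_level must be 0-9 or a 0x bitmask, got {value!r}")
    return compose(range(level + 1))


def enabled_levels(mask: int) -> list:
    """Decimal levels whose bit is set in the mask, lowest first."""
    return [lvl for lvl, (bit, _) in LEVELS.items() if mask & bit]


def unknown_bits(mask: int) -> int:
    """Bits set in the mask that the page's table does not define."""
    return mask & ~KNOWN_BITS


def describe(value: str) -> str:
    """Summary of a configured debug_level for a config review: which
    message classes the section's process will actually log."""
    mask = parse_debug_level(value)
    names = [LEVELS[lvl][1] for lvl in enabled_levels(mask)]
    text = f"debug_level = {value.strip()} -> 0x{mask:04X}: " + ", ".join(names)
    if unknown_bits(mask):
        text += f" (undefined bits: 0x{unknown_bits(mask):04X})"
    return text


if __name__ == "__main__":
    # The two worked bitmask examples from sssd.conf(5), plus a decimal level.
    for v in ("0x0270", "0x1310", "3"):
        print(describe(v))
```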
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           multiple domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           should only consist of alphanumeric ASCII characters, dashes, dots
           and underscores.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       try_inotify (boolean)
           SSSD monitors the state of resolv.conf to identify when it needs to
           update its internal DNS resolver. By default, we will attempt to
           use inotify for this, and will fall back to polling resolv.conf
           every five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up at compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set, all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_). User name "john doe"
           will be "john_doe". This feature was added to help compatibility
           with shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name, but in general the result of a lookup is
           undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

               This option must be used together with
               ocsp_default_responder_signing_cert.

           ocsp_default_responder_signing_cert=NAME
               The nickname of the cert expected to sign the OCSP responses.
               The certificate with the given nickname must be available in
               the system's NSS database.

               This option must be used together with ocsp_default_responder.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses and links, and triggers certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains, as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3) which, if a short name is returned for a qualified
           input (while trying to reach a user which exists in multiple
           domains), might re-route the login attempt into the domain which
           uses short names. This workaround is therefore not recommended in
           cases where usernames may overlap between domains.

           Default: Not set

SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. This value is in seconds and calculated by the
           following:

           offline_timeout + random_offset

           The random offset can increment up to 30 seconds. After each
           unsuccessful attempt to go online, the new interval is recalculated
           by the following:

           new_interval = old_interval*2 + random_offset

           Note that the maximum length of each interval is currently limited
           to one hour. If the calculated length of new_interval is greater
           than an hour, it will be forced to one hour.

           Default: 60

       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false
   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds nss_sss should cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain.

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)

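The template sequences of override_homedir and fallback_homedir, and the precedence between them and the provider's own value, as an added example (not SSSD code). The UserInfo class, its field names and the sample user are this example's own; an unknown sequence is rejected so a typo in the template is caught when the configuration is reviewed rather than at login.

```python
"""Expand the override_homedir / fallback_homedir template sequences listed
in sssd.conf(5) and apply the precedence the page describes. Added example,
not SSSD code; UserInfo and its field names are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserInfo:
    name: str                 # login name (%u)
    uid: int                  # UID number (%U)
    domain: str               # domain name as configured (%d)
    upn: str                  # user principal name, name@REALM (%P)
    provider_homedir: Optional[str] = None  # home directory from the identity provider (%o)


def expand_homedir(template: str, user: UserInfo, homedir_substring: str = "/home") -> str:
    """Substitute the %-sequences from the page; any other sequence raises."""
    subst = {
        "u": user.name,
        "U": str(user.uid),
        "d": user.domain,
        "f": f"{user.name}@{user.domain}",
        "l": user.name[:1],
        "P": user.upn,
        "o": user.provider_homedir or "",
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template) or template[i + 1] not in subst:
            raise ValueError(f"unknown or dangling sequence at offset {i} in {template!r}")
        out.append(subst[template[i + 1]])
        i += 2
    return "".join(out)


def resolve_homedir(user: UserInfo, override_homedir: Optional[str] = None,
                    fallback_homedir: Optional[str] = None,
                    homedir_substring: str = "/home") -> Optional[str]:
    """Precedence as the page describes it: override_homedir always wins, the
    provider's value is used when present, fallback_homedir fills a missing one,
    and with nothing configured an unset home directory stays unset (None)."""
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.provider_homedir:
        return user.provider_homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None


if __name__ == "__main__":
    # Constructed sample users, not real data.
    jdoe = UserInfo("jdoe", 1001, "example.com", "jdoe@EXAMPLE.COM", "/export/home/jdoe")
    amy = UserInfo("amy", 1002, "example.com", "amy@EXAMPLE.COM")
    print(expand_homedir("/home/%u", jdoe))                      # the page's own example
    print(expand_homedir("%H/%d/%l/%u", jdoe, "/srv/home"))
    print(resolve_homedir(jdoe, fallback_homedir="/home/%u"))     # provider value kept
    print(resolve_homedir(amy, fallback_homedir="/home/%u"))      # fallback applied
```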
       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

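The shell options from override_shell down to default_shell interact, and the evaluation order above is easy to misread, so here is an added example (not SSSD's code) that models the rules exactly as this page states them: override_shell supersedes everything, a missing shell gets default_shell, vetoed shells become shell_fallback, then steps 1-3 of allowed_shells including the wildcard. It assumes the "nologin shell" the page mentions is /sbin/nologin, and /etc/shells content is passed in as text so the example runs offline.

```python
"""Resolve a user's login shell the way the allowed_shells, vetoed_shells,
shell_fallback, default_shell and override_shell descriptions in sssd.conf(5)
lay it out. Added example modelling the page's stated rules, not SSSD's code."""
from typing import Iterable, Optional

NOLOGIN_SHELL = "/sbin/nologin"  # assumption: the page names no nologin path


def parse_etc_shells(text: str) -> set:
    """Valid shells from /etc/shells content: one path per line, '#' comments
    and blank lines ignored."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_list(value: Optional[str]) -> list:
    """Comma-separated sssd.conf value -> list with whitespace trimmed."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_shell(provider_shell: Optional[str], etc_shells: Iterable[str],
                  allowed_shells: Optional[str] = None,
                  vetoed_shells: Optional[str] = None,
                  shell_fallback: str = "/bin/sh",
                  default_shell: Optional[str] = None,
                  override_shell: Optional[str] = None) -> Optional[str]:
    """Return the shell the NSS responder would hand to libc.

    Order: override_shell supersedes everything; a missing shell (None or
    "") gets default_shell, otherwise it is passed through as-is; a vetoed
    shell becomes shell_fallback; with allowed_shells unset the shell is used
    as-is; otherwise steps 1-3 of the allowed_shells evaluation apply.
    """
    if override_shell:
        return override_shell
    if not provider_shell:
        return default_shell if default_shell else provider_shell
    shell = provider_shell
    if shell in parse_list(vetoed_shells):
        return shell_fallback
    allowed = parse_list(allowed_shells)
    if not allowed:
        return shell
    if shell in set(etc_shells):                # 1. present in /etc/shells
        return shell
    if "*" in allowed or shell in allowed:      # 2. allowed but not installed
        return shell_fallback
    return NOLOGIN_SHELL                        # 3. neither allowed nor installed


if __name__ == "__main__":
    # Constructed /etc/shells content, not read from the running system.
    valid = parse_etc_shells("# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n")
    for shell in ("/bin/bash", "/bin/zsh", "/bin/fish", None):
        print(repr(shell), "->", resolve_shell(shell, valid, allowed_shells="/bin/zsh",
                                               default_shell="/bin/sh"))
```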
       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (int)
           Specifies time in seconds for which records in the in-memory cache
           will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have a significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
           attributes than just the POSIX ones defined by the NSS interface.
           The list of attributes is controlled by this option. It is handled
           the same way as the “user_attributes” option of the InfoPipe
           responder (see sssd-ifp(5) for details) but with no default values.

           To make configuration easier, the NSS responder will check the
           InfoPipe option if it is not set for the NSS responder.

           Default: not set, fallback to InfoPipe option

       pwfield (string)
           The value that NSS operations that return users or groups will
           return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)
638   PAM configuration options
639       These options can be used to configure the Pluggable Authentication
640       Module (PAM) service.
641
642       offline_credentials_expiration (integer)
643           If the authentication provider is offline, how long should we allow
644           cached logins (in days since the last successful online login).
645
646           Default: 0 (No limit)
647
648       offline_failed_login_attempts (integer)
649           If the authentication provider is offline, how many failed login
650           attempts are allowed.
651
652           Default: 0 (No limit)
653
654       offline_failed_login_delay (integer)
655           The time in minutes which has to pass after
656           offline_failed_login_attempts has been reached before a new login
657           attempt is possible.
658
659           If set to 0 the user cannot authenticate offline if
660           offline_failed_login_attempts has been reached. Only a successful
661           online authentication can enable offline authentication again.
662
663           Default: 5
664
665       pam_verbosity (integer)
666           Controls what kind of messages are shown to the user during
667           authentication. The higher the number to more messages are
668           displayed.
669
670           Currently sssd supports the following values:
671
672           0: do not show any message
673
674           1: show only important messages
675
676           2: show informational messages
677
678           3: show all messages and debug information
679
680           Default: 1
681
682       pam_response_filter (integer)
683           A comma separated list of strings which allows to remove (filter)
684           data sent by the PAM responder to pam_sss PAM module. There are
685           different kind of responses sent to pam_sss e.g. messages displayed
686           to the user or environment variables which should be set by
687           pam_sss.
688
689           While messages already can be controlled with the help of the
690           pam_verbosity option this option allows to filter out other kind of
691           responses as well.
692
693           Currently the following filters are supported:
694
695           ENV
696               Do not send any environment variables to any service.
697
698           ENV:var_name
699               Do not send environment variable var_name to any service.
700
701           ENV:var_name:service
702               Do not send environment variable var_name to service.
703
704           Default: not set
705
706           Example: ENV:KRB5CCNAME:sudo-i
707
708       pam_id_timeout (integer)
709           For any PAM request while SSSD is online, the SSSD will attempt to
710           immediately update the cached identity information for the user in
711           order to ensure that authentication takes place with the latest
712           information.
713
714           A complete PAM conversation may perform multiple PAM requests, such
715           as account management and session opening. This option controls (on
716           a per-client-application basis) how long (in seconds) we can cache
717           the identity information to avoid excessive round-trips to the
718           identity provider.
719
720           Default: 5
721
722       pam_pwd_expiration_warning (integer)
723           Display a warning N days before the password expires.
724
725           Please note that the backend server has to provide information
726           about the expiration time of the password. If this information is
727           missing, sssd cannot display a warning.
728
729           If zero is set, then this filter is not applied, i.e. if the
730           expiration warning was received from the backend server, it will
731           automatically be displayed.
732
733           This setting can be overridden by setting pwd_expiration_warning
734           for a particular domain.
735
736           Default: 0
737
738       get_domains_timeout (int)
739           Specifies time in seconds for which the list of subdomains will be
740           considered valid.
741
742           Default: 60
743
744       pam_trusted_users (string)
745           Specifies the comma-separated list of UID values or user names that
746           are allowed to run PAM conversations against trusted domains. Users
747           not included in this list can only access domains marked as public
748           with “pam_public_domains”. User names are resolved to UIDs at
749           startup.
750
751           Default: All users are considered trusted by default
752
753           Please note that UID 0 is always allowed to access the PAM
754           responder even in case it is not in the pam_trusted_users list.
755
756       pam_public_domains (string)
757           Specifies the comma-separated list of domain names that are
758           accessible even to untrusted users.
759
760           Two special values for pam_public_domains option are defined:
761
762           all (Untrusted users are allowed to access all domains in the PAM
763           responder.)
764
765           none (Untrusted users are not allowed to access any domains in the
766           PAM responder.)
767
768           Default: none
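
The pam_trusted_users and pam_public_domains rules above, including the UID 0 exception, as an added Python illustration that is not SSSD's own code; user names are resolved through a constructed passwd table (an assumption of the example) instead of the system NSS.

```python
"""Decide whether a PAM client may run a conversation against a domain,
following the pam_trusted_users / pam_public_domains rules of sssd.conf(5).

Added illustration, not SSSD's own code. User names are resolved to UIDs
through a constructed passwd table rather than the system NSS."""

# Constructed stand-in for the passwd database (sample data, an assumption).
PASSWD = {"root": 0, "alice": 1000, "svc-app": 2001}


def parse_trusted_users(value):
    """Return the set of trusted UIDs, or None when the option is unset
    (unset means every user is trusted, as the man page states)."""
    if value is None or value.strip() == "":
        return None
    uids = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in PASSWD:
            uids.add(PASSWD[item])   # names are resolved to UIDs at startup
        else:
            raise ValueError(f"unknown user in pam_trusted_users: {item!r}")
    return uids


def parse_public_domains(value):
    """Return "all", "none", or the set of domain names marked public."""
    if value is None or value.strip() == "":
        return "none"                 # the documented default
    value = value.strip()
    if value in ("all", "none"):
        return value
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_domain_allowed(uid, domain, trusted_users, public_domains):
    """True when a client running as `uid` may talk to `domain`.

    UID 0 always reaches the responder, even when it is missing from
    pam_trusted_users; every other untrusted client is limited to the
    public domains."""
    if uid == 0:
        return True
    if trusted_users is None or uid in trusted_users:
        return True
    if public_domains == "all":
        return True
    if public_domains == "none":
        return False
    return domain in public_domains


if __name__ == "__main__":
    trusted = parse_trusted_users("alice, 2001")
    public = parse_public_domains("kiosk.example")
    for uid in (0, 1000, 1001):
        for dom in ("corp.example", "kiosk.example"):
            print(uid, dom, pam_domain_allowed(uid, dom, trusted, public))
```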
769
770       pam_account_expired_message (string)
771           Allows a custom expiration message to be set, replacing the default
772           'Permission denied' message.
773
774           Note: Please be aware that the message is only printed for the SSH
775           service unless pam_verbosity is set to 3 (show all messages and
776           debug information).
777
778           example:
779
780               pam_account_expired_message = Account expired, please contact help desk.
781
782
783           Default: none
784
785       pam_account_locked_message (string)
786           Allows a custom lockout message to be set, replacing the default
787           'Permission denied' message.
788
789           example:
790
791               pam_account_locked_message = Account locked, please contact help desk.
792
793
794           Default: none
795
796       pam_cert_auth (bool)
797           Enable certificate based Smartcard authentication. Since this
798           requires additional communication with the Smartcard, which will
799           delay the authentication process, this option is disabled by
800           default.
801
802           Default: False
803
804       pam_cert_db_path (string)
805           The path to the certificate database which contains the PKCS#11
806           modules to access the Smartcard.
807
808           Default:
809
810           ·   /etc/pki/nssdb (NSS version, path to a NSS database)
811
812           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
813               file with trusted CA certificates in PEM format)
814
815           This man page was generated for the NSS version.
816
817       p11_child_timeout (integer)
818           How many seconds will pam_sss wait for p11_child to finish.
819
820           Default: 10
821
822       pam_app_services (string)
823           Which PAM services are permitted to contact domains of type
824           “application”
825
826           Default: Not set
827
828   SUDO configuration options
829       These options can be used to configure the sudo service. The detailed
830       instructions for configuration of sudo(8) to work with sssd(8) are in
831       the manual page sssd-sudo(5).
832
833       sudo_timed (bool)
834           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
835           attributes that implement time-dependent sudoers entries.
836
837           Default: false
838
839       sudo_threshold (integer)
840           Maximum number of expired rules that can be refreshed at once. If
841           the number of expired rules is below the threshold, those rules are
842           refreshed with the “rules refresh” mechanism. If the threshold is
843           exceeded, a “full refresh” of sudo rules is triggered instead. This
844           threshold number also applies to IPA sudo command and command group
845           searches.
846
847           Default: 50
848
849   AUTOFS configuration options
850       These options can be used to configure the autofs service.
851
852       autofs_negative_timeout (integer)
853           Specifies for how many seconds the autofs responder should cache
854           negative hits (that is, queries for invalid map entries, like
855           nonexistent ones) before asking the back end again.
856
857           Default: 15
858
859       Please note that the automounter only reads the master map on startup,
860       so if any autofs-related changes are made to the sssd.conf, you
861       typically also need to restart the automounter daemon after restarting
862       the SSSD.
863
864   SSH configuration options
865       These options can be used to configure the SSH service.
866
867       ssh_hash_known_hosts (bool)
868           Whether or not to hash host names and addresses in the managed
869           known_hosts file.
870
871           Default: true
872
873       ssh_known_hosts_timeout (integer)
874           How many seconds to keep a host in the managed known_hosts file
875           after its host keys were requested.
876
877           Default: 180
878
879       ssh_use_certificate_keys (bool)
880           If set to true the sss_ssh_authorizedkeys will return ssh keys
881           derived from the public key of X.509 certificates stored in the
882           user entry as well. See sss_ssh_authorizedkeys(1) for details.
883
884           Default: true
885
886       ca_db (string)
887           Path to a storage of trusted CA certificates. The option is used to
888           validate user certificates before deriving public ssh keys from
889           them.
890
891           Default:
892
893           ·   /etc/pki/nssdb (NSS version, path to a NSS database)
894
895           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
896               file with trusted CA certificates in PEM format)
897
898           This man page was generated for the NSS version.
899
900   PAC responder configuration options
901       The PAC responder works together with the authorization data plugin for
902       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
903       sends the PAC data during a GSSAPI authentication to the PAC responder.
904       The sub-domain provider collects domain SID and ID ranges of the domain
905       the client is joined to and of remote trusted domains from the local
906           domain controller. If the PAC is decoded and evaluated, some of the
907           following operations are done:
908
909       ·   If the remote user does not exist in the cache, it is created. The
910           UID is determined with the help of the SID, trusted domains will
911           have UPGs and the GID will have the same value as the UID. The home
912           directory is set based on the subdomain_homedir parameter. The
913           shell will be empty by default, i.e. the system defaults are used,
914           but can be overwritten with the default_shell parameter.
915
916       ·   If there are SIDs of groups from domains sssd knows about, the user
917           will be added to those groups.
918
919       These options can be used to configure the PAC responder.
920
921       allowed_uids (string)
922           Specifies the comma-separated list of UID values or user names that
923           are allowed to access the PAC responder. User names are resolved to
924           UIDs at startup.
925
926           Default: 0 (only the root user is allowed to access the PAC
927           responder)
928
929           Please note that although the UID 0 is used as the default it will
930           be overwritten with this option. If you still want to allow the
931           root user to access the PAC responder, which would be the typical
932           case, you have to add 0 to the list of allowed UIDs as well.
933
934       pac_lifetime (integer)
935           Lifetime of the PAC entry in seconds. As long as the PAC is valid
936           the PAC data can be used to determine the group memberships of a
937           user.
938
939           Default: 300
940
941   Session recording configuration options
942       Session recording works in conjunction with tlog-rec-session(8), a part
943       of tlog package, to log what users see and type when they log in on a
944       text terminal. See also sssd-session-recording(5).
945
946       These options can be used to configure session recording.
947
948       scope (string)
949           One of the following strings specifying the scope of session
950           recording:
951
952           "none"
953               No users are recorded.
954
955           "some"
956               Users/groups specified by users and groups options are
957               recorded.
958
959           "all"
960               All users are recorded.
961
962           Default: "none"
963
964       users (string)
965           A comma-separated list of users which should have session recording
966           enabled. Matches user names as returned by NSS. I.e. after the
967           possible space replacement, case changes, etc.
968
969           Default: Empty. Matches no users.
970
971       groups (string)
972           A comma-separated list of groups, members of which should have
973           session recording enabled. Matches group names as returned by NSS.
974           I.e. after the possible space replacement, case changes, etc.
975
976           NOTE: using this option (having it set to anything) has a
977           considerable performance cost, because each uncached request for a
978           user requires retrieving and matching the groups the user is member
979           of.
980
981           Default: Empty. Matches no groups.
982

DOMAIN SECTIONS

984       These configuration options can be present in a domain configuration
985       section, that is, in a section called “[domain/NAME]”.
986
987       domain_type (string)
988           Specifies whether the domain is meant to be used by POSIX-aware
989           clients such as the Name Service Switch or by applications that do
990           not need POSIX data to be present or generated. Only objects from
991           POSIX domains are available to the operating system interfaces and
992           utilities.
993
994           Allowed values for this option are “posix” and “application”.
995
996           POSIX domains are reachable by all services. Application domains
997           are only reachable from the InfoPipe responder (see sssd-ifp(5))
998           and the PAM responder.
999
1000           NOTE: The application domains are currently well tested with
1001           “id_provider=ldap” only.
1002
1003           For an easy way to configure non-POSIX domains, please see the
1004           “Application domains” section.
1005
1006           Default: posix
1007
1008       min_id,max_id (integer)
1009           UID and GID limits for the domain. If a domain contains an entry
1010           that is outside these limits, it is ignored.
1011
1012           For users, this affects the primary GID limit. The user will not be
1013           returned to NSS if either the UID or the primary GID is outside the
1014           range. For non-primary group memberships, those that are in range
1015           will be reported as expected.
1016
1017           These ID limits affect even saving entries to cache, not only
1018           returning them by name or ID.
1019
1020           Default: 1 for min_id, 0 (no limit) for max_id
1021
1022       enumerate (bool)
1023           Determines if a domain can be enumerated, that is, whether the
1024           domain can list all the users and groups it contains. Note that it
1025           is not required to enable enumeration in order for secondary groups
1026           to be displayed. This parameter can have one of the following
1027           values:
1028
1029           TRUE = Users and groups are enumerated
1030
1031           FALSE = No enumerations for this domain
1032
1033           Default: FALSE
1034
1035           Enumerating a domain requires SSSD to download and store ALL user
1036           and group entries from the remote server.
1037
1038           Note: Enabling enumeration has a moderate performance impact on
1039           SSSD while enumeration is running. It may take up to several
1040           minutes after SSSD startup to fully complete enumerations. During
1041           this time, individual requests for information will go directly to
1042           LDAP, though it may be slow, due to the heavy enumeration
1043           processing. Saving a large number of entries to cache after the
1044           enumeration completes might also be CPU intensive as the
1045           memberships have to be recomputed. This can lead to the “sssd_be”
1046           process becoming unresponsive or even restarted by the internal
1047           watchdog.
1048
1049           While the first enumeration is running, requests for the complete
1050           user or group lists may return no results until it completes.
1051
1052           Further, enabling enumeration may increase the time necessary to
1053           detect network disconnection, as longer timeouts are required to
1054           ensure that enumeration lookups are completed successfully. For
1055           more information, refer to the man pages for the specific
1056           id_provider in use.
1057
1058           For the reasons cited above, enabling enumeration is not
1059           recommended, especially in large environments.
1060
1061       subdomain_enumerate (string)
1062           Whether any of the autodetected trusted domains should be enumerated.
1063           The supported values are:
1064
1065           all
1066               All discovered trusted domains will be enumerated
1067
1068           none
1069               No discovered trusted domains will be enumerated
1070
1071           Optionally, a list of one or more domain names can enable
1072           enumeration just for these trusted domains.
1073
1074           Default: none
1075
1076       entry_cache_timeout (integer)
1077           How many seconds should nss_sss consider entries valid before
1078           asking the backend again
1079
1080           The cache expiration timestamps are stored as attributes of
1081           individual objects in the cache. Therefore, changing the cache
1082           timeout only has effect for newly added or expired entries. You
1083           should run the sss_cache(8) tool in order to force refresh of
1084           entries that have already been cached.
1085
1086           Default: 5400
1087
1088       entry_cache_user_timeout (integer)
1089           How many seconds should nss_sss consider user entries valid before
1090           asking the backend again
1091
1092           Default: entry_cache_timeout
1093
1094       entry_cache_group_timeout (integer)
1095           How many seconds should nss_sss consider group entries valid before
1096           asking the backend again
1097
1098           Default: entry_cache_timeout
1099
1100       entry_cache_netgroup_timeout (integer)
1101           How many seconds should nss_sss consider netgroup entries valid
1102           before asking the backend again
1103
1104           Default: entry_cache_timeout
1105
1106       entry_cache_service_timeout (integer)
1107           How many seconds should nss_sss consider service entries valid
1108           before asking the backend again
1109
1110           Default: entry_cache_timeout
1111
1112       entry_cache_sudo_timeout (integer)
1113           How many seconds should sudo consider rules valid before asking the
1114           backend again
1115
1116           Default: entry_cache_timeout
1117
1118       entry_cache_autofs_timeout (integer)
1119           How many seconds should the autofs service consider automounter
1120           maps valid before asking the backend again
1121
1122           Default: entry_cache_timeout
1123
1124       entry_cache_ssh_host_timeout (integer)
1125           How many seconds to keep a host ssh key after refresh, i.e. how
1126           long to cache the host key for.
1127
1128           Default: entry_cache_timeout
1129
1130       refresh_expired_interval (integer)
1131           Specifies how many seconds SSSD has to wait before triggering a
1132           background refresh task which will refresh all expired or nearly
1133           expired records.
1134
1135           The background refresh will process users, groups and netgroups in
1136           the cache.
1137
1138           You can consider setting this value to 3/4 * entry_cache_timeout.
1139
1140           Default: 0 (disabled)
1141
1142       cache_credentials (bool)
1143           Determines if user credentials are also cached in the local LDB
1144           cache
1145
1146           User credentials are stored in a SHA512 hash, not in plaintext
1147
1148           Default: FALSE
1149
1150       cache_credentials_minimal_first_factor_length (int)
1151           If 2-Factor-Authentication (2FA) is used and credentials should be
1152           saved, this value determines the minimal length the first
1153           authentication factor (long term password) must have to be saved as
1154           a SHA512 hash into the cache.
1155
1156           This prevents the short PINs of a PIN based 2FA scheme from being
1157           saved in the cache, where they would be easy targets for
1158           brute-force attacks.
1159
1160           Default: 8
1161
1162       account_cache_expiration (integer)
1163           Number of days entries are left in cache after last successful
1164           login before being removed during a cleanup of the cache. 0 means
1165           keep forever. The value of this parameter must be greater than or
1166           equal to offline_credentials_expiration.
1167
1168           Default: 0 (unlimited)
1169
1170       pwd_expiration_warning (integer)
1171           Display a warning N days before the password expires.
1172
1173           If zero is set, then this filter is not applied, i.e. if the
1174           expiration warning was received from the backend server, it will
1175           automatically be displayed.
1176
1177           Please note that the backend server has to provide information
1178           about the expiration time of the password. If this information is
1179           missing, sssd cannot display a warning. Also an auth provider has
1180           to be configured for the backend.
1181
1182           Default: 7 (Kerberos), 0 (LDAP)
1183
1184       id_provider (string)
1185           The identification provider used for the domain. Supported ID
1186           providers are:
1187
1188           “proxy”: Support a legacy NSS provider.
1189
1190           “local”: SSSD internal provider for local users (DEPRECATED).
1191
1192           “files”: FILES provider. See sssd-files(5) for more information on
1193           how to mirror local users and groups into SSSD.
1194
1195           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1196           configuring LDAP.
1197
1198           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1199           See sssd-ipa(5) for more information on configuring FreeIPA.
1200
1201           “ad”: Active Directory provider. See sssd-ad(5) for more
1202           information on configuring Active Directory.
1203
1204       use_fully_qualified_names (bool)
1205           Use the full name and domain (as formatted by the domain's
1206           full_name_format) as the user's login name reported to NSS.
1207
1208           If set to TRUE, all requests to this domain must use fully
1209           qualified names. For example, if used in LOCAL domain that contains
1210           a "test" user, getent passwd test wouldn't find the user while
1211           getent passwd test@LOCAL would.
1212
1213           NOTE: This option has no effect on netgroup lookups due to their
1214           tendency to include nested netgroups without qualified names. For
1215           netgroups, all domains will be searched when an unqualified name is
1216           requested.
1217
1218           Default: FALSE (TRUE if default_domain_suffix is used)
1219
1220       ignore_group_members (bool)
1221           Do not return group members for group lookups.
1222
1223           If set to TRUE, the group membership attribute is not requested
1224           from the ldap server, and group members are not returned when
1225           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1226           As a result, “getent group $groupname” would return the requested
1227           group as if it were empty.
1228
1229           Enabling this option can also make access provider checks for group
1230           membership significantly faster, especially for groups containing
1231           many members.
1232
1233           Default: FALSE
1234
1235       auth_provider (string)
1236           The authentication provider used for the domain. Supported auth
1237           providers are:
1238
1239           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1240           information on configuring LDAP.
1241
1242           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1243           information on configuring Kerberos.
1244
1245           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1246           See sssd-ipa(5) for more information on configuring FreeIPA.
1247
1248           “ad”: Active Directory provider. See sssd-ad(5) for more
1249           information on configuring Active Directory.
1250
1251           “proxy” for relaying authentication to some other PAM target.
1252
1253           “local”: SSSD internal provider for local users
1254
1255           “none” disables authentication explicitly.
1256
1257           Default: “id_provider” is used if it is set and can handle
1258           authentication requests.
1259
1260       access_provider (string)
1261           The access control provider used for the domain. There are two
1262           built-in access providers (in addition to any included in installed
1263           backends). Internal special providers are:
1264
1265           “permit” always allows access. It's the only permitted access
1266           provider for a local domain.
1267
1268           “deny” always denies access.
1269
1270           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1271           information on configuring LDAP.
1272
1273           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1274           See sssd-ipa(5) for more information on configuring FreeIPA.
1275
1276           “ad”: Active Directory provider. See sssd-ad(5) for more
1277           information on configuring Active Directory.
1278
1279           “simple” access control based on access or deny lists. See sssd-
1280           simple(5) for more information on configuring the simple access
1281           module.
1282
1283           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1284           information on configuring Kerberos.
1285
1286           “proxy” for relaying access control to another PAM module.
1287
1288           Default: “permit”
1289
1290       chpass_provider (string)
1291           The provider which should handle change password operations for the
1292           domain. Supported change password providers are:
1293
1294           “ldap” to change a password stored in a LDAP server. See sssd-
1295           ldap(5) for more information on configuring LDAP.
1296
1297           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1298           information on configuring Kerberos.
1299
1300           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1301           See sssd-ipa(5) for more information on configuring FreeIPA.
1302
1303           “ad”: Active Directory provider. See sssd-ad(5) for more
1304           information on configuring Active Directory.
1305
1306           “proxy” for relaying password changes to some other PAM target.
1307
1308           “none” disallows password changes explicitly.
1309
1310           Default: “auth_provider” is used if it is set and can handle change
1311           password requests.
1312
1313       sudo_provider (string)
1314           The SUDO provider used for the domain. Supported SUDO providers
1315           are:
1316
1317           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1318           information on configuring LDAP.
1319
1320           “ipa” the same as “ldap” but with IPA default settings.
1321
1322           “ad” the same as “ldap” but with AD default settings.
1323
1324           “none” disables SUDO explicitly.
1325
1326           Default: The value of “id_provider” is used if it is set.
1327
1328           The detailed instructions for configuration of sudo_provider are in
1329           the manual page sssd-sudo(5). There are many configuration options
1330           that can be used to adjust the behavior. Please refer to
1331           "ldap_sudo_*" in sssd-ldap(5).
1332
1333           NOTE: Sudo rules are periodically downloaded in the background
1334           unless the sudo provider is explicitly disabled. Set sudo_provider
1335           = None to disable all sudo-related activity in SSSD if you do not
1336           want to use sudo with SSSD at all.
1337
1338       selinux_provider (string)
1339           The provider which should handle loading of selinux settings. Note
1340           that this provider will be called right after the access provider
1341           finishes. Supported selinux providers are:
1342
1343           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1344           for more information on configuring IPA.
1345
1346           “none” disallows fetching selinux settings explicitly.
1347
1348           Default: “id_provider” is used if it is set and can handle selinux
1349           loading requests.
1350
1351       subdomains_provider (string)
1352           The provider which should handle fetching of subdomains. This value
1353           should always be the same as id_provider. Supported subdomain
1354           providers are:
1355
1356           “ipa” to load a list of subdomains from an IPA server. See sssd-
1357           ipa(5) for more information on configuring IPA.
1358
1359           “ad” to load a list of subdomains from an Active Directory server.
1360           See sssd-ad(5) for more information on configuring the AD provider.
1361
1362           “none” disallows fetching subdomains explicitly.
1363
1364           Default: The value of “id_provider” is used if it is set.
1365
1366       session_provider (string)
1367           The provider which configures and manages user session related
1368           tasks. The only user session task currently provided is the
1369           integration with Fleet Commander, which works only with IPA.
1370           Supported session providers are:
1371
1372           “ipa” to allow performing user session related tasks.
1373
1374           “none” does not perform any kind of user session related tasks.
1375
1376           Default: “id_provider” is used if it is set and can perform session
1377           related tasks.
1378
1379           NOTE: In order to have this feature working as expected SSSD must
1380           be running as "root" and not as the unprivileged user.
1381
1382       autofs_provider (string)
1383           The autofs provider used for the domain. Supported autofs providers
1384           are:
1385
1386           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1387           information on configuring LDAP.
1388
1389           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1390           more information on configuring IPA.
1391
1392           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1393           information on configuring the AD provider.
1394
1395           “none” disables autofs explicitly.
1396
1397           Default: The value of “id_provider” is used if it is set.
1398
1399       hostid_provider (string)
1400           The provider used for retrieving host identity information.
1401           Supported hostid providers are:
1402
1403           “ipa” to load host identity stored in an IPA server. See sssd-
1404           ipa(5) for more information on configuring IPA.
1405
1406           “none” disables hostid explicitly.
1407
1408           Default: The value of “id_provider” is used if it is set.
1409
1410       re_expression (string)
1411           Regular expression for this domain that describes how to parse the
1412           string containing user name and domain into these components. The
1413           "domain" can match either the SSSD configuration domain name, or,
1414           in the case of IPA trust subdomains and Active Directory domains,
1415           the flat (NetBIOS) name of the domain.
1416
1417           Default for the AD and IPA provider:
1418           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1419           which allows three different styles for user names:
1420
1421           ·   username
1422
1423           ·   username@domain.name
1424
1425           ·   domain\username
1426
1427           While the first two correspond to the general default the third one
1428           is introduced to allow easy integration of users from Windows
1429           domains.
1430
1431           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1432           "the name is everything up to the “@” sign, the domain everything
1433           after that"
1434
1435       full_name_format (string)
1436           A printf(3)-compatible format that describes how to compose a fully
1437           qualified name from user name and domain name components.
1438
1439           The following expansions are supported:
1440
1441           %1$s
1442               user name
1443
1444           %2$s
1445               domain name as specified in the SSSD config file.
1446
1447           %3$s
1448               domain flat name. Mostly usable for Active Directory domains,
1449               both directly configured or discovered via IPA trusts.
1450
1451           Default: “%1$s@%2$s”.
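
The re_expression defaults and full_name_format expansions above, as an added Python illustration that is not SSSD's parser. The AD/IPA default on the page is one alternation that reuses the group names "name" and "domain", which Python's re module rejects, so the example tries the three alternatives separately in the page's order; the sample names are constructed.

```python
"""Split a qualified name into user and domain with the re_expression
defaults of sssd.conf(5), then recompose it with a full_name_format.

Added illustration, not SSSD's own parser. Python's re module does not
accept repeated group names, so the AD/IPA default alternation is kept as
three patterns tried in the same order as on the man page."""
import re

# The three branches of the AD/IPA default, in the page's order.
AD_IPA_DEFAULT = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),   # domain\username
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),     # username@domain.name
    re.compile(r"^(?P<name>[^@\\]+)$"),                  # username
]
# Generic default: the name is everything up to the "@", the domain the rest.
GENERIC_DEFAULT = [re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")]


def parse_name(qualified, patterns=AD_IPA_DEFAULT):
    """Return (name, domain) from the first pattern that matches, or None.
    A name without a domain part yields an empty domain string."""
    for pat in patterns:
        m = pat.search(qualified)
        if m:
            groups = m.groupdict()
            return groups["name"], groups.get("domain") or ""
    return None


def full_name(name, domain, flat_name="", fmt="%1$s@%2$s"):
    """Expand the %1$s (user name), %2$s (configured domain name) and
    %3$s (domain flat name) conversions of full_name_format."""
    table = {"1": name, "2": domain, "3": flat_name}
    return re.sub(r"%([123])\$s", lambda m: table[m.group(1)], fmt)


if __name__ == "__main__":
    # Constructed sample inputs covering the three documented styles.
    for sample in ("jdoe", "jdoe@example.com", "EXAMPLE\\jdoe"):
        name, domain = parse_name(sample)
        print(sample, "->", (name, domain), "->", full_name(name, domain or "example.com"))
```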
1452
1453       lookup_family_order (string)
1454           Provides the ability to select preferred address family to use when
1455           performing DNS lookups.
1456
1457           Supported values:
1458
1459           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1460
1461           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1462
1463           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1464
1465           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1466
1467           Default: ipv4_first
1468
1469       dns_resolver_timeout (integer)
1470           Defines the amount of time (in seconds) to wait for a reply from
1471           the internal fail over service before assuming that the service is
1472           unreachable. If this timeout is reached, the domain will continue
1473           to operate in offline mode.
1474
1475           Please see the section “FAILOVER” for more information about the
1476           service resolution.
1477
1478           Default: 6
1479
1480       dns_discovery_domain (string)
1481           If service discovery is used in the back end, specifies the domain
1482           part of the service discovery DNS query.
1483
1484           Default: Use the domain part of machine's hostname
1485
1486       override_gid (integer)
1487           Override the primary GID value with the one specified.
1488
1489       case_sensitive (string)
1490           Treat user and group names as case sensitive. At the moment, this
1491           option is not supported in the local provider. Possible option
1492           values are:
1493
1494           True
1495               Case sensitive. This value is invalid for AD provider.
1496
1497           False
1498               Case insensitive.
1499
1500           Preserving
1501               Same as False (case insensitive), but does not lowercase names
1502               in the result of NSS operations. Note that name aliases (and in
1503               case of services also protocol names) are still lowercased in
1504               the output.
1505
1506           Default: True (False for AD provider)
1507
1508       subdomain_inherit (string)
1509           Specifies a list of configuration parameters that should be
1510           inherited by a subdomain. Please note that only selected parameters
1511           can be inherited. Currently the following options can be inherited:
1512
1513           ignore_group_members
1514
1515           ldap_purge_cache_timeout
1516
1517           ldap_use_tokengroups
1518
1519           ldap_user_principal
1520
1521           ldap_krb5_keytab (the value of krb5_keytab will be used if
1522           ldap_krb5_keytab is not set explicitly)
1523
1524           Example:
1525
1526               subdomain_inherit = ldap_purge_cache_timeout
1527
1528
1529           Default: none
1530
1531           Note: This option only works with the IPA and AD provider.
1532
1533       subdomain_homedir (string)
1534           Use this homedir as the default value for all subdomains within
1535           this domain in an IPA-AD trust. See override_homedir for info about
1536           possible values. In addition to those, the expansion below can only
1537           be used with subdomain_homedir.
1538
1539           %F
1540               flat (NetBIOS) name of a subdomain.
1541
1542           The value can be overridden by override_homedir option.
1543
1544           Default: /home/%d/%u
1545
1546       realmd_tags (string)
1547           Various tags stored by the realmd configuration service for this
1548           domain.
1549
1550       cached_auth_timeout (int)
1551           Specifies time in seconds since last successful online
1552           authentication for which user will be authenticated using cached
1553           credentials while SSSD is in the online mode.
1554
1555           Special value 0 implies that this feature is disabled.
1556
1557           Please note that if “cached_auth_timeout” is longer than
1558           “pam_id_timeout” then the back end could be called to handle
1559           “initgroups.”
1560
1561           Default: 0
1562
1563       auto_private_groups (string)
1564           If this option is enabled, SSSD will automatically create user
1565           private groups based on user's UID number. The GID number is
1566           ignored in this case.
1567
1568           For POSIX subdomains, setting the option in the main domain is
1569           inherited in the subdomain.
1570
1571           For ID-mapping subdomains, auto_private_groups is already enabled
1572           for the subdomains and setting it to false will not have any effect
1573           for the subdomain.
1574
1575           NOTE: Because the GID number and the user private group are
1576           inferred from the UID number, it is not supported to have multiple
1577           entries with the same UID or GID number with this option. In other
1578           words, enabling this option enforces uniqueness across the ID
1579           space.
1580
1581           Default: False
1582
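           The uniqueness requirement above is easy to violate in a directory
           that grew organically, so the following Python script, an added
           example that is not part of SSSD, audits a user and group list
           before auto_private_groups is switched on. It flags duplicate UIDs,
           duplicate GIDs, and any existing group whose GID equals a user's UID,
           since that is exactly the GID the synthesised private group would
           take. The user's own gidNumber is not considered because the page
           states it is ignored. The entries are constructed; in practice they
           would come from an LDAP export or getent output.

```python
from collections import defaultdict

# Constructed directory export: (name, uid) for users, (name, gid) for groups.
# Two conflicts are planted on purpose: carol/dave share a UID and a group
# already owns the GID that bob's private group would need.
USERS = [("alice", 10001), ("bob", 10002), ("carol", 10003), ("dave", 10003)]
GROUPS = [("developers", 20001), ("bob", 10002), ("ops", 20002)]


def find_id_collisions(users, groups):
    """Return human-readable conflicts that make auto_private_groups unsafe.

    With auto_private_groups enabled the private group's GID is the user's
    UID, so a UID must be unique among users and must not already be used by
    any group; GIDs must likewise be unique among groups.
    """
    problems = []

    by_uid = defaultdict(list)
    for name, uid in users:
        by_uid[uid].append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            problems.append(f"uid {uid} shared by users {', '.join(names)}")

    by_gid = defaultdict(list)
    for name, gid in groups:
        by_gid[gid].append(name)
    for gid, names in sorted(by_gid.items()):
        if len(names) > 1:
            problems.append(f"gid {gid} shared by groups {', '.join(names)}")

    # The synthesised private group would collide with an existing group.
    for uid, unames in sorted(by_uid.items()):
        if uid in by_gid:
            problems.append(
                f"uid {uid} (user {', '.join(unames)}) collides with existing "
                f"group gid {uid} ({', '.join(by_gid[uid])})"
            )
    return problems


if __name__ == "__main__":
    for line in find_id_collisions(USERS, GROUPS) or ["no collisions"]:
        print(line)
```

           Run it against the whole ID space the domain serves (all users and
           all groups, including those in subdomains that inherit the setting),
           not just the entries you expect to log in, because the conflict is
           in the namespace, not in who uses it.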
1583       Options valid for proxy domains.
1584
1585       proxy_pam_target (string)
1586           The proxy target PAM proxies to.
1587
1588           Default: not set by default, you have to take an existing pam
1589           configuration or create a new one and add the service name here.
1590
1591       proxy_lib_name (string)
1592           The name of the NSS library to use in proxy domains. The NSS
1593           functions searched for in the library are in the form of
1594           _nss_$(libName)_$(function), for example _nss_files_getpwent.
1595
1596       proxy_fast_alias (boolean)
1597           When a user or group is looked up by name in the proxy provider, a
1598           second lookup by ID is performed to "canonicalize" the name in case
1599           the requested name was an alias. Setting this option to true would
1600           cause the SSSD to perform the ID lookup from cache for performance
1601           reasons.
1602
1603           Default: false
1604
1605       proxy_max_children (integer)
1606           This option specifies the number of pre-forked proxy children. It
1607           is useful for high-load SSSD environments where sssd may run out of
1608           available child slots, which would cause some issues due to the
1609           requests being queued.
1610
1611           Default: 10
1612
1613   Application domains
1614       SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
1615       applications as a gateway to an LDAP directory where users and groups
1616       are stored. However, contrary to the traditional SSSD deployment where
1617       all users and groups either have POSIX attributes or those attributes
1618       can be inferred from the Windows SIDs, in many cases the users and
1619       groups in the application support scenario have no POSIX attributes.
1620       Instead of setting a “[domain/NAME]” section, the administrator can set
1621       up an “[application/NAME]” section that internally represents a domain
1622       with type “application” and optionally inherits settings from a
1623       traditional SSSD domain.
1624
1625       Please note that the application domain must still be explicitly
1626       enabled in the “domains” parameter so that the lookup order between the
1627       application domain and its POSIX sibling domain is set correctly.
1628
1629       Application domain parameters
1630
1631       inherit_from (string)
1632           The SSSD POSIX-type domain the application domain inherits all
1633           settings from. The application domain can moreover add its own
1634           settings to the application settings that augment or override the
1635           “sibling” domain settings.
1636
1637           Default: Not set
1638
1639       The following example illustrates the use of an application domain. In
1640       this setup, the POSIX domain is connected to an LDAP server and is used
1641       by the OS through the NSS responder. In addition, the application
1642       domain also requests the telephoneNumber attribute, stores it as the
1643       phone attribute in the cache and makes the phone attribute reachable
1644       through the D-Bus interface.
1645
1646           [sssd]
1647           domains = appdom, posixdom
1648
1649           [ifp]
1650           user_attributes = +phone
1651
1652           [domain/posixdom]
1653           id_provider = ldap
1654           ldap_uri = ldap://ldap.example.com
1655           ldap_search_base = dc=example,dc=com
1656
1657           [application/appdom]
1658           inherit_from = posixdom
1659           ldap_user_extra_attrs = phone:telephoneNumber
1660
1661   The local domain section
1662       This section contains settings for a domain that stores users and
1663       groups in the SSSD native database, that is, a domain that uses
           id_provider=local.
1664
1665       Section parameters
1666
1667       default_shell (string)
1668           The default shell for users created with SSSD userspace tools.
1669
1670           Default: /bin/bash
1671
1672       base_directory (string)
1673           The tools append the login name to base_directory and use that as
1674           the home directory.
1675
1676           Default: /home
1677
1678       create_homedir (bool)
1679           Indicate if a home directory should be created by default for new
1680           users. Can be overridden on command line.
1681
1682           Default: TRUE
1683
1684       remove_homedir (bool)
1685           Indicate if a home directory should be removed by default for
1686           deleted users. Can be overridden on command line.
1687
1688           Default: TRUE
1689
1690       homedir_umask (integer)
1691           Used by sss_useradd(8) to specify the default permissions on a
1692           newly created home directory.
1693
1694           Default: 077
1695
1696       skel_dir (string)
1697           The skeleton directory, which contains files and directories to be
1698           copied in the user's home directory, when the home directory is
1699           created by sss_useradd(8)
1700
1701           Default: /etc/skel
1702
1703       mail_dir (string)
1704           The mail spool directory. This is needed to manipulate the mailbox
1705           when its corresponding user account is modified or deleted. If not
1706           specified, a default value is used.
1707
1708           Default: /var/mail
1709
1710       userdel_cmd (string)
1711           The command that is run after a user is removed. The command is
1712           passed the username of the user being removed as the first and only
1713           parameter. The return code of the command is not taken into
1714           account.
1715
1716           Default: None, no command is run
1717

TRUSTED DOMAIN SECTION

1719       Some options used in the domain section can also be used in the trusted
1720       domain section, that is, in a section called
1721       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
1722       actual joined-to base domain. Please refer to the examples below for an
1723       explanation. Currently supported options in the trusted domain section
1724       are:
1725
1726       ldap_search_base,
1727
1728       ldap_user_search_base,
1729
1730       ldap_group_search_base,
1731
1732       ldap_netgroup_search_base,
1733
1734       ldap_service_search_base,
1735
1736       ad_server,
1737
1738       ad_backup_server,
1739
1740       ad_site,
1741
1742       use_fully_qualified_names
1743
1744       For more details about these options see their individual description
1745       in the manual page.
1746

EXAMPLES

1748       1. The following example shows a typical SSSD config. It does not
1749       describe configuration of the domains themselves - refer to
1750       documentation on configuring domains for more details.
1751
1752           [sssd]
1753           domains = LDAP
1754           services = nss, pam
1755           config_file_version = 2
1756
1757           [nss]
1758           filter_groups = root
1759           filter_users = root
1760
1761           [pam]
1762
1763           [domain/LDAP]
1764           id_provider = ldap
1765           ldap_uri = ldap://ldap.example.com
1766           ldap_search_base = dc=example,dc=com
1767
1768           auth_provider = krb5
1769           krb5_server = kerberos.example.com
1770           krb5_realm = EXAMPLE.COM
1771           cache_credentials = true
1772
1773           min_id = 10000
1774           max_id = 20000
1775           enumerate = False
1776
1777       2. The following example shows configuration of IPA AD trust where the
1778       AD forest consists of two domains in a parent-child structure. Suppose
1779       IPA domain (ipa.com) has trust with AD domain(ad.com). ad.com has child
1780       domain (child.ad.com). To enable shortnames in the child domain the
1781       following configuration should be used.
1782
1783           [domain/ipa.com/child.ad.com]
1784           use_fully_qualified_names = false
1785
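       The examples above, the application domain example and the trusted
       domain section all impose structural rules that SSSD only reports at
       start-up: every name in “domains” needs a matching “[domain/NAME]” or
       “[application/NAME]” section, an application domain must itself be
       listed in “domains” and its inherit_from must name a real POSIX domain,
       and a “[domain/BASE/TRUSTED]” section may only carry the options listed
       under TRUSTED DOMAIN SECTION. The following Python linter is an added
       example, not part of SSSD, that checks those rules offline on a
       constructed sssd.conf that merges the page's examples. It uses the
       standard configparser; note that interpolation must be disabled, because
       a value such as full_name_format = %1$s@%2$s is otherwise mistaken for
       configparser's own “%” interpolation syntax and rejected.

```python
import configparser

# Options the page lists as supported in a [domain/BASE/TRUSTED] section.
TRUSTED_DOMAIN_OPTIONS = {
    "ldap_search_base", "ldap_user_search_base", "ldap_group_search_base",
    "ldap_netgroup_search_base", "ldap_service_search_base",
    "ad_server", "ad_backup_server", "ad_site", "use_fully_qualified_names",
}

# Constructed sssd.conf merging the page's examples: the ldap/krb5 domain, an
# application domain inheriting from it, and a trusted-domain section.
GOOD_CONF = """\
[sssd]
domains = appdom, LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
full_name_format = %1$s@%2$s

[application/appdom]
inherit_from = LDAP
ldap_user_extra_attrs = phone:telephoneNumber

[domain/LDAP/child.ad.com]
use_fully_qualified_names = false
"""

# Constructed misconfiguration: application domain not enabled, inherit_from
# naming a missing domain, and an unsupported option in the trusted section.
BAD_CONF = """\
[sssd]
domains = LDAP
services = nss

[domain/LDAP]
id_provider = ldap

[application/appdom]
inherit_from = posixdom

[domain/LDAP/child.ad.com]
id_provider = ad
"""


def parse_sssd_conf(text):
    # interpolation=None keeps printf-style values like %1$s@%2$s intact.
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",),
        comment_prefixes=("#", ";"), inline_comment_prefixes=None,
    )
    cp.optionxform = str  # keep option names verbatim instead of lowercasing
    cp.read_string(text)
    return cp


def lint(cp):
    problems = []
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    posix = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/") and s.count("/") == 1}
    apps = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("application/")}

    for d in enabled:
        if d not in posix and d not in apps:
            problems.append(f"domains lists {d!r} but there is no [domain/{d}] or [application/{d}] section")
    for a in sorted(apps):
        if a not in enabled:
            problems.append(f"[application/{a}] is not listed in 'domains', so it is never consulted")
        parent = cp.get(f"application/{a}", "inherit_from", fallback=None)
        if parent is not None and parent not in posix:
            problems.append(f"[application/{a}] inherit_from = {parent!r} is not a configured [domain/...] section")
    for s in cp.sections():
        if s.startswith("domain/") and s.count("/") == 2:
            _, base, _trusted = s.split("/")
            if base not in posix:
                problems.append(f"[{s}] refers to base domain {base!r} which has no [domain/{base}] section")
            for opt in cp.options(s):
                if opt not in TRUSTED_DOMAIN_OPTIONS:
                    problems.append(f"[{s}] option {opt!r} is not supported in a trusted domain section")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(parse_sssd_conf(text)) or "OK")
```

       The linter only knows the rules stated on this page; it does not
       validate provider-specific options, which belong to the per-provider
       manual pages listed under SEE ALSO.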
1786

SEE ALSO

1788       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1789       sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sssd-secrets(5),
1790       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
1791       sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8),
1792       sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8),
1793       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
1794       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8),
1795       sss_rpcidmapd(5), sssd-systemtap(5).
1796

AUTHORS

1798       The SSSD upstream - https://pagure.io/SSSD/sssd/
1799
1800
1801
1802SSSD                              04/25/2019                      SSSD.CONF(5)