SSSD.CONF(5)                 File Formats and Conventions                 SSSD.CONF(5)



NAME
       sssd.conf - the configuration file for SSSD

FILE FORMAT
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single- and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3


       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS
       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

GENERAL OPTIONS
       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging just for the sssd process itself, not for
           the responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           To log required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS
   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates what is the syntax of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           several domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           should only consist of alphanumeric ASCII characters, dashes, dots
           and underscores.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.
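           The following Python is an added example, not part of SSSD or of
           this manual page, covering re_expression and full_name_format
           together: a regular expression with the named groups “name” and
           “domain” splits a login string, and the printf-style positional
           conversions %1$s, %2$s, %3$s and %% are expanded to rebuild the
           qualified name. The regular expression used is constructed for
           this example; the real per-provider defaults are documented in
           DOMAIN SECTIONS and are not on this page.

```python
# Added example (not SSSD's own code): split and compose qualified names.
import re

# Constructed re_expression: everything before an optional '@' is the user
# name, everything after it the domain (empty when unqualified).
RE_EXPRESSION = re.compile(r"^(?P<name>[^@]+)@?(?P<domain>[^@]*)$")


def split_name(login, default_domain_suffix=None):
    """Return (user, domain). An unqualified login gets default_domain_suffix,
    or None, meaning 'search the configured domains in order'."""
    m = RE_EXPRESSION.match(login)
    if m is None:
        raise ValueError("cannot parse login %r" % login)
    domain = m.group("domain") or default_domain_suffix
    return m.group("name"), domain


def full_name(fmt, name, domain, flat_name=""):
    """Expand %1$s (user), %2$s (domain), %3$s (flat name) and %% in fmt;
    any other text is copied through unchanged."""
    values = {"1": name, "2": domain, "3": flat_name}

    def repl(m):
        if m.group(0) == "%%":
            return "%"
        return values[m.group(1)]

    return re.sub(r"%%|%([123])\$s", repl, fmt)


if __name__ == "__main__":
    user, dom = split_name("alice@example.com")
    print(full_name("%1$s@%2$s", user, dom))            # alice@example.com
    print(full_name("%3$s\\%1$s", user, dom, "EXAMPLE"))  # EXAMPLE\alice
```

           The second print shows the DOMAIN\user style that %3$s makes
           possible for Active Directory domains; the first is the default
           user@domain shape.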

       try_inotify (boolean)
           SSSD monitors the state of resolv.conf to identify when it needs to
           update its internal DNS resolver. By default, we will attempt to
           use inotify for this, and will fall back to polling resolv.conf
           every five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up during compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_): user name "john doe"
           will be "john_doe". This feature was added to help compatibility
           with shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder e.g.
               http://example.com:80/ocsp.

               (NSS Version) This option must be used together with
               ocsp_default_responder_signing_cert.

           ocsp_default_responder_signing_cert=NAME
               (NSS Version) The nickname of the cert to trust (expected) to
               sign the OCSP responses. The certificate with the given
               nickname must be available in the system's NSS database.

               This option must be used together with ocsp_default_responder.

               (OpenSSL version) This option is currently ignored. All needed
               certificates must be available in the PEM file given by
               pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               (NSS Version) This option is ignored; please see crlutil(1) for
               how to import a Certificate Revocation List (CRL) into a NSS
               database.

               (OpenSSL Version) Use the Certificate Revocation List (CRL)
               from the given file during the verification of the certificate.
               The CRL must be given in PEM format, see crl(1ssl) for details.

           This man page was generated for the OpenSSL version.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification
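           The following Python is an added example, not part of SSSD or of
           this manual page. It parses a certificate_verification value into
           the options listed above and returns the findings a configuration
           review would want: unknown options (which SSSD reports but
           ignores), no_verification and no_ocsp (which weaken or disable
           revocation and chain checking), a responder value that is not an
           http(s) URL, and the signing-cert option that the OpenSSL build
           ignores. The sample values in the usage lines are constructed.

```python
# Added example (not SSSD's own code): lint a certificate_verification value.
KNOWN_FLAGS = {"no_ocsp", "no_verification"}
KNOWN_KEYS = {"ocsp_default_responder",
              "ocsp_default_responder_signing_cert", "crl_file"}


def parse_certificate_verification(value):
    """Return (options, findings). Flags map to True, key=value options to
    their string value; findings is a list of human-readable notes."""
    options = {}
    findings = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        if sep and key in KNOWN_KEYS:
            options[key] = val
        elif not sep and key in KNOWN_FLAGS:
            options[key] = True
        else:
            findings.append("unknown option ignored: %s" % key)

    if options.get("no_verification"):
        findings.append("no_verification disables all checks; testing only")
    if options.get("no_ocsp"):
        findings.append("no_ocsp: revocation via OCSP is not checked")
    responder = options.get("ocsp_default_responder")
    if responder is not None and not responder.startswith(("http://", "https://")):
        findings.append("ocsp_default_responder is not an http(s) URL")
    # This man page was generated for the OpenSSL build, which ignores the
    # NSS-only signing-certificate nickname.
    if "ocsp_default_responder_signing_cert" in options:
        findings.append("ocsp_default_responder_signing_cert is ignored by "
                        "the OpenSSL build")
    return options, findings


if __name__ == "__main__":
    # Constructed values; /PATH/TO/CRL/FILE is the man page's placeholder.
    for v in ("no_ocsp,crl_file=/PATH/TO/CRL/FILE",
              "no_verification, foo=bar",
              "ocsp_default_responder=http://example.com:80/ocsp"):
        print(v, "->", parse_certificate_verification(v))
```

           A value that a reviewer would accept on a production host is one
           that produces no findings at all, or only the explicit no_ocsp note
           when the responders in the certificates are genuinely unreachable
           and a crl_file is supplied instead.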

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses, links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: true

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3). If a shortname is returned for a qualified input
           (while trying to reach a user which exists in multiple domains),
           this might re-route the login attempt into the domain which uses
           shortnames, which makes this workaround not recommended at all in
           cases where usernames may overlap between domains.

           Default: Not set

SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. This value is in seconds and calculated by the
           following:

               offline_timeout + random_offset

           The random offset can increment up to 30 seconds. After each
           unsuccessful attempt to go online, the new interval is recalculated
           by the following:

               new_interval = old_interval*2 + random_offset

           Note that the maximum length of each interval is currently limited
           to one hour. If the calculated length of new_interval is greater
           than an hour, it will be forced to one hour.

           Default: 60
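           The following Python is an added example, not part of SSSD or of
           this manual page. It generates the sequence of reconnect intervals
           from the two formulas above, capped at one hour, with the random
           offset supplied as a callable so that a run can be made repeatable
           (the default draws 0 to 30 seconds inclusive, which is this
           example's reading of “can increment up to 30 seconds”).

```python
# Added example (not SSSD's own code): the offline reconnect back-off.
import random

MAX_INTERVAL = 3600      # "currently limited to one hour"
MAX_RANDOM_OFFSET = 30   # the offset "can increment up to 30 seconds"


def reconnect_schedule(offline_timeout, attempts, offset=None):
    """Return the wait (seconds) before each of `attempts` reconnection
    tries. `offset` is called once per interval and returns the random
    offset; it defaults to a draw from 0..30."""
    if offset is None:
        offset = lambda: random.randint(0, MAX_RANDOM_OFFSET)
    intervals = []
    interval = min(offline_timeout + offset(), MAX_INTERVAL)
    for _ in range(attempts):
        intervals.append(interval)
        # new_interval = old_interval*2 + random_offset, forced to one hour
        interval = min(interval * 2 + offset(), MAX_INTERVAL)
    return intervals


if __name__ == "__main__":
    # With the offset pinned to 0 the doubling is easy to see; the default
    # 60-second offline_timeout reaches the one-hour ceiling on try 7.
    print(reconnect_schedule(60, 7, offset=lambda: 0))
    print(reconnect_schedule(60, 7))
```

           Seen from a monitoring point of view, a provider that has been down
           for a while is polled at most once an hour, so a recovery can take
           up to an hour to be noticed unless SSSD is told to go online
           (for example via a netlink event or an explicit restart).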

       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50
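           The following Python is an added example, not part of SSSD or of
           this manual page. It computes the nowait threshold from
           entry_cache_timeout and entry_cache_nowait_percentage, including
           the 10-second floor and the 0 = disabled case, and classifies a
           request by the age of its cached entry into one of three outcomes:
           served from cache, served from cache with a background refresh, or
           expired and refreshed before answering.

```python
# Added example (not SSSD's own code): entry-cache nowait decision.
MIN_NOWAIT_SECONDS = 10  # the percentage never reduces the timeout below this


def nowait_threshold(entry_cache_timeout, nowait_percentage):
    """Entry age (seconds) from which a cached entry is answered at once
    while a background refresh runs; None when the feature is disabled."""
    if not 0 <= nowait_percentage <= 99:
        raise ValueError("entry_cache_nowait_percentage must be 0-99")
    if nowait_percentage == 0:
        return None
    threshold = entry_cache_timeout * nowait_percentage / 100
    return max(threshold, MIN_NOWAIT_SECONDS)


def cache_decision(entry_age, entry_cache_timeout, nowait_percentage=50):
    """'cached'          -> serve the cached entry as-is
       'cached+refresh'  -> serve it and refresh in the background
       'expired'         -> the entry must be refreshed before answering"""
    if entry_age >= entry_cache_timeout:
        return "expired"
    threshold = nowait_threshold(entry_cache_timeout, nowait_percentage)
    if threshold is not None and entry_age >= threshold:
        return "cached+refresh"
    return "cached"


if __name__ == "__main__":
    # The man page's example: timeout 30 s, 50 % -> refresh from 15 s on.
    for age in (10, 15, 29, 30):
        print(age, cache_decision(age, 30))
    print(nowait_threshold(12, 50))   # 6 s would be below the floor -> 10
```

           One practical consequence of the floor: with an entry_cache_timeout
           of 10 seconds or less the background refresh can never trigger,
           because the entry expires before the nowait threshold is reached.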

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain.

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of configure option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u


           Default: Not set (SSSD will use the value retrieved from LDAP)

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u


           Default: not set (no substitution for unset home directories)
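           The following Python is an added example, not part of SSSD or of
           this manual page, covering override_homedir, homedir_substring and
           fallback_homedir together. expand_homedir() substitutes every
           sequence listed above (%u %U %d %f %l %P %o %H %%) and rejects
           unknown ones, and resolve_homedir() applies the precedence the text
           describes: an override template always wins, the provider's value
           is used when present, and the fallback template only fills a
           missing home directory. This simplified model does not expand
           template sequences that are stored in the directory entry itself.

```python
# Added example (not SSSD's own code): home directory template expansion.
import re


def expand_homedir(template, user, uid, domain, original_homedir=None,
                   upn=None, homedir_substring="/home"):
    """Substitute the override_homedir/fallback_homedir sequences."""
    subst = {
        "u": user,
        "U": str(uid),
        "d": domain,
        "f": "%s@%s" % (user, domain),
        "l": user[:1],
        "P": upn or "",
        "o": original_homedir or "",
        "H": homedir_substring,
        "%": "%",
    }

    def repl(m):
        code = m.group(1)
        if code not in subst:
            raise ValueError("unknown sequence %%%s in template" % code)
        return subst[code]

    return re.sub(r"%(.)", repl, template)


def resolve_homedir(user, uid, domain, provider_homedir, override_homedir=None,
                    fallback_homedir=None, upn=None, homedir_substring="/home"):
    """Home directory the NSS responder would return for the user, or None
    when nothing is configured and the provider returned nothing."""
    if override_homedir:
        return expand_homedir(override_homedir, user, uid, domain,
                              provider_homedir, upn, homedir_substring)
    if provider_homedir:
        return provider_homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, uid, domain,
                              None, upn, homedir_substring)
    return None


if __name__ == "__main__":
    # Constructed users: one with an LDAP home directory, one without.
    print(resolve_homedir("alice", 1000, "example.com", "/srv/alice",
                          override_homedir="%H/%d/%l/%u",
                          homedir_substring="/export"))  # /export/example.com/a/alice
    print(resolve_homedir("bob", 1001, "example.com", None,
                          fallback_homedir="/home/%u"))   # /home/bob
```

           Rejecting unknown sequences is a deliberate choice for a validator:
           a typo such as %D in override_homedir is better caught at review
           time than discovered as a literal directory name at login.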

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
              “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
              “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)
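           The following Python is an added example, not part of SSSD or of
           this manual page, covering allowed_shells, vetoed_shells,
           shell_fallback and default_shell together. It implements the three
           evaluation steps listed above plus the wildcard, the empty-string
           pass-through and the “not set” behaviours. Two things are this
           example's own assumptions: vetoed_shells is applied before
           allowed_shells, and NOLOGIN is a placeholder for the
           distribution's nologin path. The contents of /etc/shells are passed
           in as a list, mirroring the fact that SSSD reads the file once at
           start-up.

```python
# Added example (not SSSD's own code): login shell selection.
NOLOGIN = "/sbin/nologin"  # placeholder; the real path is distribution-specific


def resolve_shell(provider_shell, etc_shells, allowed_shells=None,
                  vetoed_shells=(), shell_fallback="/bin/sh",
                  default_shell=None):
    """Return the shell SSSD would hand to libc for this user.
    provider_shell is None when the provider returned no shell at all."""
    # No shell from the provider: default_shell, or NULL (None) for libc.
    if provider_shell is None:
        return default_shell
    # An empty string is passed as-is.
    if provider_shell == "":
        return ""
    # Vetoed shells are always replaced by the fallback (assumed ordering).
    if provider_shell in vetoed_shells:
        return shell_fallback
    # allowed_shells not set: the user's shell is used unchanged.
    if allowed_shells is None:
        return provider_shell
    # 1. Present in /etc/shells: use it.
    if provider_shell in etc_shells:
        return provider_shell
    # 2. Allowed (explicitly or via '*') but not installed: shell_fallback.
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback
    # 3. Neither allowed nor installed: nologin.
    return NOLOGIN


if __name__ == "__main__":
    # Constructed /etc/shells snapshot taken "at start-up".
    etc_shells = ["/bin/sh", "/bin/bash"]
    for shell in ("/bin/bash", "/usr/bin/zsh", "/usr/bin/fish", "", None):
        print(repr(shell), "->", resolve_shell(
            shell, etc_shells, allowed_shells=["/usr/bin/zsh"],
            default_shell="/bin/bash"))
```

           The restart caveat in the text matters for this logic: a shell
           installed after SSSD started is still absent from the snapshot,
           so users whose directory entry names it land on shell_fallback
           (or nologin) until SSSD is restarted.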

       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (int)
           Specifies time in seconds for which records in the in-memory cache
           will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
           attributes than just the POSIX ones defined by the NSS interface.
           The list of attributes is controlled by this option. It is handled
           the same way as the “user_attributes” option of the InfoPipe
           responder (see sssd-ifp(5) for details) but with no default values.

           To make configuration easier the NSS responder will check the
           InfoPipe option if it is not set for the NSS responder.

           Default: not set, fallback to InfoPipe option

       pwfield (string)
           The value that NSS operations that return users or groups will
           return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days since the last successful online login).

           Default: 0 (No limit)

       offline_failed_login_attempts (integer)
           If the authentication provider is offline, how many failed login
           attempts are allowed.

           Default: 0 (No limit)

       offline_failed_login_delay (integer)
           The time in minutes which has to pass after
           offline_failed_login_attempts has been reached before a new login
           attempt is possible.

           If set to 0 the user cannot authenticate offline if
           offline_failed_login_attempts has been reached. Only a successful
           online authentication can enable offline authentication again.

           Default: 5
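           The following Python is an added example, not part of SSSD or of
           this manual page, covering the three offline options above
           together. offline_login_allowed() decides whether a cached-
           credential login may proceed while the authentication provider is
           unreachable: it applies offline_credentials_expiration (days since
           the last online login), offline_failed_login_attempts and
           offline_failed_login_delay (minutes), with 0 meaning “no limit” for
           the first two and “locked until the next online login” for the
           delay, as the defaults and text above state. Timestamps are epoch
           seconds and the sample values are constructed.

```python
# Added example (not SSSD's own code): the offline authentication gate.
DAY = 86400
MINUTE = 60


def offline_login_allowed(now, last_online_login, failed_attempts,
                          last_failure,
                          offline_credentials_expiration=0,
                          offline_failed_login_attempts=0,
                          offline_failed_login_delay=5):
    """Return (allowed, reason) for a cached login while offline.
    last_online_login: epoch seconds of the last successful online login,
                       or None when no credentials are cached.
    failed_attempts:   failed offline logins since that online login.
    last_failure:      epoch seconds of the most recent failed attempt."""
    if last_online_login is None:
        return False, "no cached credentials"
    if (offline_credentials_expiration
            and now - last_online_login > offline_credentials_expiration * DAY):
        return False, "cached credentials expired"
    if (offline_failed_login_attempts
            and failed_attempts >= offline_failed_login_attempts):
        if offline_failed_login_delay == 0:
            return False, "locked until the next successful online login"
        if now - last_failure < offline_failed_login_delay * MINUTE:
            return False, "too many failed attempts; try again later"
    return True, "cached login permitted"


if __name__ == "__main__":
    t = 1_700_000_000  # constructed "now"
    # A laptop last seen online 10 days ago, with a 7-day expiration.
    print(offline_login_allowed(t, t - 10 * DAY, 0, None,
                                offline_credentials_expiration=7))
    # Three failures one minute ago against a limit of three.
    print(offline_login_allowed(t, t - DAY, 3, t - MINUTE,
                                offline_failed_login_attempts=3))
```

           With the defaults (0, 0, 5) the function always answers
           “permitted” once credentials are cached, which is why hosts that
           leave the network regularly are usually given an explicit
           expiration and attempt limit.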

       pam_verbosity (integer)
           Controls what kind of messages are shown to the user during
           authentication. The higher the number, the more messages are
           displayed.

           Currently sssd supports the following values:

           0: do not show any message

           1: show only important messages

           2: show informational messages

           3: show all messages and debug information

           Default: 1

       pam_response_filter (integer)
           A comma separated list of strings which allows removing (filtering)
           data sent by the PAM responder to the pam_sss PAM module. There are
           different kinds of responses sent to pam_sss, e.g. messages
           displayed to the user or environment variables which should be set
           by pam_sss.

           While messages can already be controlled with the help of the
           pam_verbosity option, this option allows filtering out other kinds
           of responses as well.

           Currently the following filters are supported:

           ENV
               Do not send any environment variables to any service.

           ENV:var_name
               Do not send environment variable var_name to any service.

           ENV:var_name:service
               Do not send environment variable var_name to service.

           Default: not set

           Example: ENV:KRB5CCNAME:sudo-i

       pam_id_timeout (integer)
           For any PAM request while SSSD is online, the SSSD will attempt to
           immediately update the cached identity information for the user in
           order to ensure that authentication takes place with the latest
           information.

           A complete PAM conversation may perform multiple PAM requests, such
           as account management and session opening. This option controls (on
           a per-client-application basis) how long (in seconds) we can cache
           the identity information to avoid excessive round-trips to the
           identity provider.

           Default: 5

       pam_pwd_expiration_warning (integer)
           Display a warning N days before the password expires.

           Please note that the backend server has to provide information
           about the expiration time of the password. If this information is
           missing, sssd cannot display a warning.

           If zero is set, then this filter is not applied, i.e. if the
           expiration warning was received from the backend server, it will
           automatically be displayed.

           This setting can be overridden by setting pwd_expiration_warning
           for a particular domain.

           Default: 0

       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       pam_trusted_users (string)
           Specifies the comma-separated list of UID values or user names that
           are allowed to run PAM conversations against trusted domains. Users
           not included in this list can only access domains marked as public
           with “pam_public_domains”. User names are resolved to UIDs at
           startup.

           Default: All users are considered trusted by default

           Please note that UID 0 is always allowed to access the PAM
           responder even in case it is not in the pam_trusted_users list.

       pam_public_domains (string)
           Specifies the comma-separated list of domain names that are
           accessible even to untrusted users.

           Two special values for the pam_public_domains option are defined:

           all (Untrusted users are allowed to access all domains in the PAM
           responder.)

           none (Untrusted users are not allowed to access any domains in the
           PAM responder.)

           Default: none
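           The following Python is an added example, not part of SSSD or of
           this manual page, covering pam_trusted_users and
           pam_public_domains together. It parses both options as described
           above (user names resolved to UIDs at start-up, here through a
           constructed passwd-style table; “all”, “none” or a domain list for
           the public domains) and answers the question the PAM responder has
           to answer for every client: may a process running as this UID run a
           PAM conversation against this domain? UID 0 is always allowed, and
           an unset pam_trusted_users trusts everyone, matching the defaults.

```python
# Added example (not SSSD's own code): PAM responder access decision.
PASSWD = {"root": 0, "alice": 1000, "bob": 1001, "svc-web": 2000}  # constructed


def parse_trusted_users(value):
    """None means 'not set' (every user trusted); otherwise the set of
    trusted UIDs, with names resolved through the passwd table."""
    if value is None:
        return None
    uids = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in PASSWD:
            uids.add(PASSWD[item])
        else:
            raise ValueError("unknown user in pam_trusted_users: %s" % item)
    return uids


def parse_public_domains(value):
    """'all', 'none' (the default) or a set of domain names."""
    if value is None:
        return "none"
    value = value.strip()
    if value in ("all", "none"):
        return value
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_access_allowed(uid, domain, trusted_uids, public_domains):
    """May a client running as `uid` run a PAM conversation for `domain`?"""
    if uid == 0:
        return True  # UID 0 is always allowed
    if trusted_uids is None or uid in trusted_uids:
        return True
    if public_domains == "all":
        return True
    if public_domains == "none":
        return False
    return domain in public_domains


if __name__ == "__main__":
    trusted = parse_trusted_users("alice, 2000")   # -> {1000, 2000}
    public = parse_public_domains("guests")
    for uid in (0, 1000, 1001, 2000):
        print(uid, pam_access_allowed(uid, "corp", trusted, public),
              pam_access_allowed(uid, "guests", trusted, public))
```

           Restricting pam_trusted_users to the accounts that actually run
           login services (display managers, sshd, sudo) keeps arbitrary local
           processes from driving authentication attempts against the
           directory, which is the usual reason to set it.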
784
785 pam_account_expired_message (string)
786 Allows a custom expiration message to be set, replacing the default
787 'Permission denied' message.
788
789 Note: Please be aware that message is only printed for the SSH
790 service unless pam_verbosity is set to 3 (show all messages and
791 debug information).
792
793 example:
794
795 pam_account_expired_message = Account expired, please contact help desk.
796
797
798 Default: none
799
800 pam_account_locked_message (string)
801 Allows a custom lockout message to be set, replacing the default
802 'Permission denied' message.
803
804 example:
805
806 pam_account_locked_message = Account locked, please contact help desk.
807
808
809 Default: none
810
811 pam_cert_auth (bool)
812 Enable certificate based Smartcard authentication. Since this
813 requires additional communication with the Smartcard which will
814 delay the authentication process this option is disabled by
815 default.
816
817 Default: False
818
819 pam_cert_db_path (string)
820 The path to the certificate database which contain the PKCS#11
821 modules to access the Smartcard.
822
823 Default:
824
825 · /etc/pki/nssdb (NSS version, path to a NSS database)
826
827 · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
828 file with trusted CA certificates in PEM format)
829
830 This man page was generated for the OpenSSL version.
831
832 p11_child_timeout (integer)
833 How many seconds will pam_sss wait for p11_child to finish.
834
835 Default: 10
836
837 pam_app_services (string)
838 Which PAM services are permitted to contact domains of type
839 “application”
840
841 Default: Not set
842
843 pam_p11_allowed_services (integer)
844 A comma-separated list of PAM service names for which it will be
845 allowed to use Smartcards.
846
847 It is possible to add another PAM service name to the default set
848 by using “+service_name” or to explicitly remove a PAM service name
849 from the default set by using “-service_name”. For example, in
850 order to replace a default PAM service name for authentication with
851 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
852 “my_pam_service”), you would use the following configuration:
853
854 pam_p11_allowed_services = +my_pam_service, -login
855
856
857 Default: the default set of PAM service names includes:
858
859 · login
860
861 · su
862
863 · su-l
864
865 · gdm-smartcard
866
867 · gdm-password
868
869 · kdm
870
871 · sudo
872
873 · sudo-i
874
875 · gnome-screensaver
876
877
878 p11_wait_for_card_timeout (integer)
879 If Smartcard authentication is required how many extra seconds in
880 addition to p11_child_timeout should the PAM responder wait until a
881 Smartcard is inserted.
882
883 Default: 60
884
885 p11_uri (string)
886 PKCS#11 URI (see RFC-7512 for details) which can be used to
887 restrict the selection of devices used for Smartcard
888 authentication. By default SSSD's p11_child will search for a
889 PKCS#11 slot (reader) where the 'removable' flag is set and read
890 the certificates from the inserted token from the first slot found.
891 If multiple readers are connected p11_uri can be used to tell
892 p11_child to use a specific reader.
893
894 Example:
895
896 p11_uri = slot-description=My%20Smartcar%20Reader
897
898
899 or
900
901 p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
902
903
904 To find a suitable URI please check the debug output of p11_child. As
905 an alternative the GnuTLS utility 'p11tool' with e.g. the
906 '--list-all' option will show PKCS#11 URIs as well.
907
908 Default: none
909
910 SUDO configuration options
911 These options can be used to configure the sudo service. The detailed
912 instructions for configuration of sudo(8) to work with sssd(8) are in
913 the manual page sssd-sudo(5).
914
915 sudo_timed (bool)
916 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
917 attributes that implement time-dependent sudoers entries.
918
919 Default: false
920
921 sudo_threshold (integer)
922 Maximum number of expired rules that can be refreshed at once. If
923 the number of expired rules is below the threshold, those rules are
924 refreshed with the “rules refresh” mechanism. If the threshold is
925 exceeded, a “full refresh” of sudo rules is triggered instead. This
926 threshold number also applies to IPA sudo command and command group
927 searches.
928
929 Default: 50
930
931 AUTOFS configuration options
932 These options can be used to configure the autofs service.
933
934 autofs_negative_timeout (integer)
935 Specifies for how many seconds the autofs responder should negatively
936 cache hits (that is, queries for invalid map entries, like
937 nonexistent ones) before asking the back end again.
938
939 Default: 15
940
941 Please note that the automounter only reads the master map on startup,
942 so if any autofs-related changes are made to the sssd.conf, you
943 typically also need to restart the automounter daemon after restarting
944 the SSSD.
945
946 SSH configuration options
947 These options can be used to configure the SSH service.
948
949 ssh_hash_known_hosts (bool)
950 Whether or not to hash host names and addresses in the managed
951 known_hosts file.
952
953 Default: true
954
955 ssh_known_hosts_timeout (integer)
956 How many seconds to keep a host in the managed known_hosts file
957 after its host keys were requested.
958
959 Default: 180
960
961 ssh_use_certificate_keys (bool)
962 If set to true the sss_ssh_authorizedkeys will return ssh keys
963 derived from the public key of X.509 certificates stored in the
964 user entry as well. See sss_ssh_authorizedkeys(1) for details.
965
966 Default: true
967
968 ca_db (string)
969 Path to a storage of trusted CA certificates. The option is used to
970 validate user certificates before deriving public ssh keys from
971 them.
972
973 Default:
974
975 · /etc/pki/nssdb (NSS version, path to a NSS database)
976
977 · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
978 file with trusted CA certificates in PEM format)
979
980 This man page was generated for the OpenSSL version.
981
982 PAC responder configuration options
983 The PAC responder works together with the authorization data plugin for
984 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
985 sends the PAC data during a GSSAPI authentication to the PAC responder.
986 The sub-domain provider collects domain SID and ID ranges of the domain
987 the client is joined to and of remote trusted domains from the local
988 domain controller. If the PAC is decoded and evaluated, some of the
989 following operations are done:
990
991 · If the remote user does not exist in the cache, it is created. The
992 UID is determined with the help of the SID, trusted domains will
993 have UPGs and the GID will have the same value as the UID. The home
994 directory is set based on the subdomain_homedir parameter. The
995 shell will be empty by default, i.e. the system defaults are used,
996 but can be overwritten with the default_shell parameter.
997
998 · If there are SIDs of groups from domains sssd knows about, the user
999 will be added to those groups.
1000
1001 These options can be used to configure the PAC responder.
1002
1003 allowed_uids (string)
1004 Specifies the comma-separated list of UID values or user names that
1005 are allowed to access the PAC responder. User names are resolved to
1006 UIDs at startup.
1007
1008 Default: 0 (only the root user is allowed to access the PAC
1009 responder)
1010
1011 Please note that although the UID 0 is used as the default it will
1012 be overwritten with this option. If you still want to allow the
1013 root user to access the PAC responder, which would be the typical
1014 case, you have to add 0 to the list of allowed UIDs as well.
1015
1016 pac_lifetime (integer)
1017 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1018 the PAC data can be used to determine the group memberships of a
1019 user.
1020
1021 Default: 300
1022
1023 Session recording configuration options
1024 Session recording works in conjunction with tlog-rec-session(8), a part
1025 of tlog package, to log what users see and type when they log in on a
1026 text terminal. See also sssd-session-recording(5).
1027
1028 These options can be used to configure session recording.
1029
1030 scope (string)
1031 One of the following strings specifying the scope of session
1032 recording:
1033
1034 "none"
1035 No users are recorded.
1036
1037 "some"
1038 Users/groups specified by users and groups options are
1039 recorded.
1040
1041 "all"
1042 All users are recorded.
1043
1044 Default: "none"
1045
1046 users (string)
1047 A comma-separated list of users which should have session recording
1048 enabled. Matches user names as returned by NSS, i.e. after the
1049 possible space replacement, case changes, etc.
1050
1051 Default: Empty. Matches no users.
1052
1053 groups (string)
1054 A comma-separated list of groups, members of which should have
1055 session recording enabled. Matches group names as returned by NSS,
1056 i.e. after the possible space replacement, case changes, etc.
1057
1058 NOTE: using this option (having it set to anything) has a
1059 considerable performance cost, because each uncached request for a
1060 user requires retrieving and matching the groups the user is member
1061 of.
1062
1063 Default: Empty. Matches no groups.
1064
1066 These configuration options can be present in a domain configuration
1067 section, that is, in a section called “[domain/NAME]”.
1068
1069 domain_type (string)
1070 Specifies whether the domain is meant to be used by POSIX-aware
1071 clients such as the Name Service Switch or by applications that do
1072 not need POSIX data to be present or generated. Only objects from
1073 POSIX domains are available to the operating system interfaces and
1074 utilities.
1075
1076 Allowed values for this option are “posix” and “application”.
1077
1078 POSIX domains are reachable by all services. Application domains
1079 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1080 and the PAM responder.
1081
1082 NOTE: The application domains are currently well tested with
1083 “id_provider=ldap” only.
1084
1085 For an easy way to configure non-POSIX domains, please see the
1086 “Application domains” section.
1087
1088 Default: posix
1089
1090 min_id,max_id (integer)
1091 UID and GID limits for the domain. If a domain contains an entry
1092 that is outside these limits, it is ignored.
1093
1094 For users, this affects the primary GID limit. The user will not be
1095 returned to NSS if either the UID or the primary GID is outside the
1096 range. For non-primary group memberships, those that are in range
1097 will be reported as expected.
1098
1099 These ID limits affect even saving entries to cache, not only
1100 returning them by name or ID.
1101
1102 Default: 1 for min_id, 0 (no limit) for max_id
1103
1104 enumerate (bool)
1105 Determines if a domain can be enumerated, that is, whether the
1106 domain can list all the users and groups it contains. Note that it
1107 is not required to enable enumeration in order for secondary groups
1108 to be displayed. This parameter can have one of the following
1109 values:
1110
1111 TRUE = Users and groups are enumerated
1112
1113 FALSE = No enumerations for this domain
1114
1115 Default: FALSE
1116
1117 Enumerating a domain requires SSSD to download and store ALL user
1118 and group entries from the remote server.
1119
1120 Note: Enabling enumeration has a moderate performance impact on
1121 SSSD while enumeration is running. It may take up to several
1122 minutes after SSSD startup to fully complete enumerations. During
1123 this time, individual requests for information will go directly to
1124 LDAP, though it may be slow, due to the heavy enumeration
1125 processing. Saving a large number of entries to cache after the
1126 enumeration completes might also be CPU intensive as the
1127 memberships have to be recomputed. This can lead to the “sssd_be”
1128 process becoming unresponsive or even restarted by the internal
1129 watchdog.
1130
1131 While the first enumeration is running, requests for the complete
1132 user or group lists may return no results until it completes.
1133
1134 Further, enabling enumeration may increase the time necessary to
1135 detect network disconnection, as longer timeouts are required to
1136 ensure that enumeration lookups are completed successfully. For
1137 more information, refer to the man pages for the specific
1138 id_provider in use.
1139
1140 For the reasons cited above, enabling enumeration is not
1141 recommended, especially in large environments.
1142
1143 subdomain_enumerate (string)
1144 Whether any of autodetected trusted domains should be enumerated.
1145 The supported values are:
1146
1147 all
1148 All discovered trusted domains will be enumerated
1149
1150 none
1151 No discovered trusted domains will be enumerated
1152
1153 Optionally, a list of one or more domain names can enable
1154 enumeration just for these trusted domains.
1155
1156 Default: none
1157
1158 entry_cache_timeout (integer)
1159 How many seconds should nss_sss consider entries valid before
1160 asking the backend again.
1161
1162 The cache expiration timestamps are stored as attributes of
1163 individual objects in the cache. Therefore, changing the cache
1164 timeout only has effect for newly added or expired entries. You
1165 should run the sss_cache(8) tool in order to force refresh of
1166 entries that have already been cached.
1167
1168 Default: 5400
1169
1170 entry_cache_user_timeout (integer)
1171 How many seconds should nss_sss consider user entries valid before
1172 asking the backend again.
1173
1174 Default: entry_cache_timeout
1175
1176 entry_cache_group_timeout (integer)
1177 How many seconds should nss_sss consider group entries valid before
1178 asking the backend again.
1179
1180 Default: entry_cache_timeout
1181
1182 entry_cache_netgroup_timeout (integer)
1183 How many seconds should nss_sss consider netgroup entries valid
1184 before asking the backend again.
1185
1186 Default: entry_cache_timeout
1187
1188 entry_cache_service_timeout (integer)
1189 How many seconds should nss_sss consider service entries valid
1190 before asking the backend again.
1191
1192 Default: entry_cache_timeout
1193
1194 entry_cache_sudo_timeout (integer)
1195 How many seconds should sudo consider rules valid before asking the
1196 backend again.
1197
1198 Default: entry_cache_timeout
1199
1200 entry_cache_autofs_timeout (integer)
1201 How many seconds should the autofs service consider automounter
1202 maps valid before asking the backend again.
1203
1204 Default: entry_cache_timeout
1205
1206 entry_cache_ssh_host_timeout (integer)
1207 How many seconds to keep a host ssh key after refresh, i.e. how long
1208 to cache the host key for.
1209
1210 Default: entry_cache_timeout
1211
1212 refresh_expired_interval (integer)
1213 Specifies how many seconds SSSD has to wait before triggering a
1214 background refresh task which will refresh all expired or nearly
1215 expired records.
1216
1217 The background refresh will process users, groups and netgroups in
1218 the cache.
1219
1220 You can consider setting this value to 3/4 * entry_cache_timeout.
1221
1222 Default: 0 (disabled)
1223
1224 cache_credentials (bool)
1225 Determines if user credentials are also cached in the local LDB
1226 cache.
1227
1228 User credentials are stored as a SHA512 hash, not in plaintext.
1229
1230 Default: FALSE
1231
1232 cache_credentials_minimal_first_factor_length (int)
1233 If 2-Factor-Authentication (2FA) is used and credentials should be
1234 saved, this value determines the minimal length the first
1235 authentication factor (long term password) must have to be saved as
1236 a SHA512 hash in the cache.
1237
1238 This should prevent the short PINs of a PIN-based 2FA scheme from
1239 being saved in the cache, where they would be easy targets for
1240 brute-force attacks.
1241
1242 Default: 8
1243
1244 account_cache_expiration (integer)
1245 Number of days entries are left in cache after last successful
1246 login before being removed during a cleanup of the cache. 0 means
1247 keep forever. The value of this parameter must be greater than or
1248 equal to offline_credentials_expiration.
1249
1250 Default: 0 (unlimited)
1251
1252 pwd_expiration_warning (integer)
1253 Display a warning N days before the password expires.
1254
1255 If zero is set, then this filter is not applied, i.e. if the
1256 expiration warning was received from the backend server, it will
1257 automatically be displayed.
1258
1259 Please note that the backend server has to provide information
1260 about the expiration time of the password. If this information is
1261 missing, sssd cannot display a warning. Also an auth provider has
1262 to be configured for the backend.
1263
1264 Default: 7 (Kerberos), 0 (LDAP)
1265
1266 id_provider (string)
1267 The identification provider used for the domain. Supported ID
1268 providers are:
1269
1270 “proxy”: Support a legacy NSS provider.
1271
1272 “files”: FILES provider. See sssd-files(5) for more information on
1273 how to mirror local users and groups into SSSD.
1274
1275 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1276 configuring LDAP.
1277
1278 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1279 See sssd-ipa(5) for more information on configuring FreeIPA.
1280
1281 “ad”: Active Directory provider. See sssd-ad(5) for more
1282 information on configuring Active Directory.
1283
1284 use_fully_qualified_names (bool)
1285 Use the full name and domain (as formatted by the domain's
1286 full_name_format) as the user's login name reported to NSS.
1287
1288 If set to TRUE, all requests to this domain must use fully
1289 qualified names. For example, if used in LOCAL domain that contains
1290 a "test" user, getent passwd test wouldn't find the user while
1291 getent passwd test@LOCAL would.
1292
1293 NOTE: This option has no effect on netgroup lookups due to their
1294 tendency to include nested netgroups without qualified names. For
1295 netgroups, all domains will be searched when an unqualified name is
1296 requested.
1297
1298 Default: FALSE (TRUE if default_domain_suffix is used)
1299
1300 ignore_group_members (bool)
1301 Do not return group members for group lookups.
1302
1303 If set to TRUE, the group membership attribute is not requested
1304 from the ldap server, and group members are not returned when
1305 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1306 As an effect, “getent group $groupname” would return the requested
1307 group as if it was empty.
1308
1309 Enabling this option can also make access provider checks for group
1310 membership significantly faster, especially for groups containing
1311 many members.
1312
1313 Default: FALSE
1314
1315 auth_provider (string)
1316 The authentication provider used for the domain. Supported auth
1317 providers are:
1318
1319 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1320 information on configuring LDAP.
1321
1322 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1323 information on configuring Kerberos.
1324
1325 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1326 See sssd-ipa(5) for more information on configuring FreeIPA.
1327
1328 “ad”: Active Directory provider. See sssd-ad(5) for more
1329 information on configuring Active Directory.
1330
1331 “proxy” for relaying authentication to some other PAM target.
1332
1333 “none” disables authentication explicitly.
1334
1335 Default: “id_provider” is used if it is set and can handle
1336 authentication requests.
1337
1338 access_provider (string)
1339 The access control provider used for the domain. There are two
1340 built-in access providers (in addition to any included in installed
1341 backends). Internal special providers are:
1342
1343 “permit” always allows access. It's the only permitted access
1344 provider for a local domain.
1345
1346 “deny” always denies access.
1347
1348 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1349 information on configuring LDAP.
1350
1351 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1352 See sssd-ipa(5) for more information on configuring FreeIPA.
1353
1354 “ad”: Active Directory provider. See sssd-ad(5) for more
1355 information on configuring Active Directory.
1356
1357 “simple” access control based on access or deny lists. See sssd-
1358 simple(5) for more information on configuring the simple access
1359 module.
1360
1361 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1362 information on configuring Kerberos.
1363
1364 “proxy” for relaying access control to another PAM module.
1365
1366 Default: “permit”
1367
1368 chpass_provider (string)
1369 The provider which should handle change password operations for the
1370 domain. Supported change password providers are:
1371
1372 “ldap” to change a password stored in a LDAP server. See sssd-
1373 ldap(5) for more information on configuring LDAP.
1374
1375 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1376 information on configuring Kerberos.
1377
1378 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1379 See sssd-ipa(5) for more information on configuring FreeIPA.
1380
1381 “ad”: Active Directory provider. See sssd-ad(5) for more
1382 information on configuring Active Directory.
1383
1384 “proxy” for relaying password changes to some other PAM target.
1385
1386 “none” disallows password changes explicitly.
1387
1388 Default: “auth_provider” is used if it is set and can handle change
1389 password requests.
1390
1391 sudo_provider (string)
1392 The SUDO provider used for the domain. Supported SUDO providers
1393 are:
1394
1395 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1396 information on configuring LDAP.
1397
1398 “ipa” the same as “ldap” but with IPA default settings.
1399
1400 “ad” the same as “ldap” but with AD default settings.
1401
1402 “none” disables SUDO explicitly.
1403
1404 Default: The value of “id_provider” is used if it is set.
1405
1406 The detailed instructions for configuration of sudo_provider are in
1407 the manual page sssd-sudo(5). There are many configuration options
1408 that can be used to adjust the behavior. Please refer to
1409 "ldap_sudo_*" in sssd-ldap(5).
1410
1411 NOTE: Sudo rules are periodically downloaded in the background
1412 unless the sudo provider is explicitly disabled. Set sudo_provider
1413 = None to disable all sudo-related activity in SSSD if you do not
1414 want to use sudo with SSSD at all.
1415
1416 selinux_provider (string)
1417 The provider which should handle loading of selinux settings. Note
1418 that this provider will be called right after the access provider
1419 finishes. Supported selinux providers are:
1420
1421 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1422 for more information on configuring IPA.
1423
1424 “none” disallows fetching selinux settings explicitly.
1425
1426 Default: “id_provider” is used if it is set and can handle selinux
1427 loading requests.
1428
1429 subdomains_provider (string)
1430 The provider which should handle fetching of subdomains. This value
1431 should be always the same as id_provider. Supported subdomain
1432 providers are:
1433
1434 “ipa” to load a list of subdomains from an IPA server. See sssd-
1435 ipa(5) for more information on configuring IPA.
1436
1437 “ad” to load a list of subdomains from an Active Directory server.
1438 See sssd-ad(5) for more information on configuring the AD provider.
1439
1440 “none” disallows fetching subdomains explicitly.
1441
1442 Default: The value of “id_provider” is used if it is set.
1443
1444 session_provider (string)
1445 The provider which configures and manages user session related
1446 tasks. The only user session task currently provided is the
1447 integration with Fleet Commander, which works only with IPA.
1448 Supported session providers are:
1449
1450 “ipa” to allow performing user session related tasks.
1451
1452 “none” does not perform any kind of user session related tasks.
1453
1454 Default: “id_provider” is used if it is set and can perform session
1455 related tasks.
1456
1457 NOTE: In order to have this feature working as expected SSSD must
1458 be running as "root" and not as the unprivileged user.
1459
1460 autofs_provider (string)
1461 The autofs provider used for the domain. Supported autofs providers
1462 are:
1463
1464 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1465 information on configuring LDAP.
1466
1467 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1468 more information on configuring IPA.
1469
1470 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1471 information on configuring the AD provider.
1472
1473 “none” disables autofs explicitly.
1474
1475 Default: The value of “id_provider” is used if it is set.
1476
1477 hostid_provider (string)
1478 The provider used for retrieving host identity information.
1479 Supported hostid providers are:
1480
1481 “ipa” to load host identity stored in an IPA server. See sssd-
1482 ipa(5) for more information on configuring IPA.
1483
1484 “none” disables hostid explicitly.
1485
1486 Default: The value of “id_provider” is used if it is set.
1487
1488 re_expression (string)
1489 Regular expression for this domain that describes how to parse the
1490 string containing user name and domain into these components. The
1491 "domain" can match either the SSSD configuration domain name, or,
1492 in the case of IPA trust subdomains and Active Directory domains,
1493 the flat (NetBIOS) name of the domain.
1494
1495 Default for the AD and IPA provider:
1496 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1497 which allows three different styles for user names:
1498
1499 · username
1500
1501 · username@domain.name
1502
1503 · domain\username
1504
1505 While the first two correspond to the general default, the third one
1506 is introduced to allow easy integration of users from Windows
1507 domains.
1508
1509 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1510 "the name is everything up to the “@” sign, the domain everything
1511 after that"
1512
1513 NOTE: Some Active Directory groups, typically those used for MS
1514 Exchange, contain an “@” sign in the name, which clashes with the
1515 default re_expression value for the AD and IPA providers. To
1516 support these groups, consider changing the re_expression value to:
1517 “((?P<name>.+)@(?P<domain>[^@]+$))”.
1518
1519 full_name_format (string)
1520 A printf(3)-compatible format that describes how to compose a fully
1521 qualified name from user name and domain name components.
1522
1523 The following expansions are supported:
1524
1525 %1$s
1526 user name
1527
1528 %2$s
1529 domain name as specified in the SSSD config file.
1530
1531 %3$s
1532 domain flat name. Mostly usable for Active Directory domains,
1533 both directly configured or discovered via IPA trusts.
1534
1535 Default: “%1$s@%2$s”.
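
The two options above are the two halves of SSSD's name handling: re_expression splits a login string into name and domain, full_name_format puts them back together. The following added example (not SSSD's own code) runs the general default expression and the Exchange-friendly expression from the NOTE above over constructed inputs, then expands a full_name_format. The search is unanchored like a plain PCRE match, which is an assumption about how SSSD applies the expression; the AD/IPA default is not exercised because Python's re module rejects its repeated group names.

```python
import re

# Expressions quoted from the re_expression and full_name_format descriptions
# in sssd.conf(5). Python's re module understands the (?P<name>...) syntax.
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
EXCHANGE_RE_EXPRESSION = r"((?P<name>.+)@(?P<domain>[^@]+$))"
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"


def parse_name(login, re_expression=DEFAULT_RE_EXPRESSION):
    """Split a login string into (name, domain) using an re_expression.

    Unanchored search mirrors a plain PCRE match (assumption, see lead-in).
    Returns None when nothing matches; domain is "" when the input has none.
    """
    m = re.search(re_expression, login)
    if m is None:
        return None
    return m.group("name"), m.group("domain") or ""


def compose_full_name(name, domain, flat_name="", fmt=DEFAULT_FULL_NAME_FORMAT):
    """Expand a full_name_format: %1$s user, %2$s config domain, %3$s flat name.

    The printf-style positional conversions are translated into str.format
    fields; only the %N$s form shown in the man page is handled.
    """
    args = (name, domain, flat_name)

    def to_field(m):
        idx = int(m.group(1)) - 1
        if not 0 <= idx < len(args):
            raise ValueError("unsupported expansion %s" % m.group(0))
        return "{%d}" % idx

    # Protect literal braces before turning %N$s into {N-1} fields.
    escaped = fmt.replace("{", "{{").replace("}", "}}")
    return re.sub(r"%(\d)\$s", to_field, escaped).format(*args)


if __name__ == "__main__":
    # Constructed inputs: a plain user, a qualified user, and an
    # Exchange-style group whose name itself contains an "@".
    for login in ("test", "test@LOCAL", "sales-dl@example.com@AD.EXAMPLE.COM"):
        print(login, "->", parse_name(login), "| exchange rule:",
              parse_name(login, EXCHANGE_RE_EXPRESSION))
    print(compose_full_name("test", "ad.example.com", "AD", r"%3$s\%1$s"))
```

The default expression turns the Exchange-style group into name "example.com" in domain "AD.EXAMPLE.COM", while the Exchange rule keeps "sales-dl@example.com" whole; the trade-off is that the Exchange rule no longer matches an unqualified "test" at all.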
1536
1537 lookup_family_order (string)
1538 Provides the ability to select preferred address family to use when
1539 performing DNS lookups.
1540
1541 Supported values:
1542
1543 ipv4_first: Try looking up the IPv4 address; if that fails, try IPv6.
1544
1545 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1546
1547 ipv6_first: Try looking up the IPv6 address; if that fails, try IPv4.
1548
1549 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1550
1551 Default: ipv4_first
1552
1553 dns_resolver_timeout (integer)
1554 Defines the amount of time (in seconds) to wait for a reply from
1555 the internal fail over service before assuming that the service is
1556 unreachable. If this timeout is reached, the domain will continue
1557 to operate in offline mode.
1558
1559 Please see the section “FAILOVER” for more information about the
1560 service resolution.
1561
1562 Default: 6
1563
1564 dns_discovery_domain (string)
1565 If service discovery is used in the back end, specifies the domain
1566 part of the service discovery DNS query.
1567
1568 Default: Use the domain part of the machine's hostname.
1569
1570 override_gid (integer)
1571 Override the primary GID value with the one specified.
1572
1573 case_sensitive (string)
1574 Treat user and group names as case sensitive. Possible option
1575 values are:
1576
1577 True
1578 Case sensitive. This value is invalid for AD provider.
1579
1580 False
1581 Case insensitive.
1582
1583 Preserving
1584 Same as False (case insensitive), but does not lowercase names
1585 in the result of NSS operations. Note that name aliases (and in
1586 case of services also protocol names) are still lowercased in
1587 the output.
1588
1589 Default: True (False for AD provider)
1590
1591 subdomain_inherit (string)
1592 Specifies a list of configuration parameters that should be
1593 inherited by a subdomain. Please note that only selected parameters
1594 can be inherited. Currently the following options can be inherited:
1595
1596 ignore_group_members
1597
1598 ldap_purge_cache_timeout
1599
1600 ldap_use_tokengroups
1601
1602 ldap_user_principal
1603
1604 ldap_krb5_keytab (the value of krb5_keytab will be used if
1605 ldap_krb5_keytab is not set explicitly)
1606
1607 Example:
1608
1609 subdomain_inherit = ldap_purge_cache_timeout
1610
1611
1612 Default: none
1613
1614 Note: This option only works with the IPA and AD provider.
1615
1616 subdomain_homedir (string)
1617 Use this homedir as default value for all subdomains within this
1618 domain in an IPA-AD trust. See override_homedir for info about
1619 possible values. In addition to those, the expansion below can only
1620 be used with subdomain_homedir.
1621
1622 %F
1623 flat (NetBIOS) name of a subdomain.
1624
1625 The value can be overridden by override_homedir option.
1626
1627 Default: /home/%d/%u
1628
1629 realmd_tags (string)
1630 Various tags stored by the realmd configuration service for this
1631 domain.
1632
1633 cached_auth_timeout (int)
1634 Specifies time in seconds since last successful online
1635 authentication for which user will be authenticated using cached
1636 credentials while SSSD is in the online mode.
1637
1638 Special value 0 implies that this feature is disabled.
1639
1640 Please note that if “cached_auth_timeout” is longer than
1641 “pam_id_timeout” then the back end could be called to handle
1642 “initgroups”.
1643
1644 Default: 0
1645
1646 auto_private_groups (string)
1647 If this option is enabled, SSSD will automatically create user
1648 private groups based on user's UID number. The GID number is
1649 ignored in this case.
1650
1651 For POSIX subdomains, setting the option in the main domain is
1652 inherited in the subdomain.
1653
1654 For ID-mapping subdomains, auto_private_groups is already enabled
1655 for the subdomains and setting it to false will not have any effect
1656 for the subdomain.
1657
1658 NOTE: Because the GID number and the user private group are
1659 inferred from the UID number, it is not supported to have multiple
1660 entries with the same UID or GID number with this option. In other
1661 words, enabling this option enforces uniqueness across the ID
1662 space.
1663
1664 Default: False
1665
1666 Options valid for proxy domains.
1667
1668 proxy_pam_target (string)
1669 The proxy target PAM proxies to.
1670
1671 Default: not set. You have to take an existing PAM configuration or
1672 create a new one and add the service name here.
1673
1674 proxy_lib_name (string)
1675 The name of the NSS library to use in proxy domains. The NSS
1676 functions searched for in the library are in the form of
1677 _nss_$(libName)_$(function), for example _nss_files_getpwent.
1678
1679 proxy_fast_alias (boolean)
1680 When a user or group is looked up by name in the proxy provider, a
1681 second lookup by ID is performed to "canonicalize" the name in case
1682 the requested name was an alias. Setting this option to true would
1683 cause the SSSD to perform the ID lookup from cache for performance
1684 reasons.
1685
1686 Default: false
1687
1688 proxy_max_children (integer)
1689 This option specifies the number of pre-forked proxy children. It
1690 is useful for high-load SSSD environments where sssd may run out of
1691 available child slots, which would cause some issues due to the
1692 requests being queued.
1693
1694 Default: 10
1695
1696 Application domains
1697 SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
1698 applications as a gateway to an LDAP directory where users and groups
1699 are stored. However, contrary to the traditional SSSD deployment where
1700 all users and groups either have POSIX attributes or those attributes
1701 can be inferred from the Windows SIDs, in many cases the users and
1702 groups in the application support scenario have no POSIX attributes.
1703 Instead of setting a “[domain/NAME]” section, the administrator can set
1704 up an “[application/NAME]” section that internally represents a domain
1705 with type “application” and optionally inherits settings from a
1706 traditional SSSD domain.
1707
1708 Please note that the application domain must still be explicitly
1709 enabled in the “domains” parameter so that the lookup order between the
1710 application domain and its POSIX sibling domain is set correctly.
1711
1712 Application domain parameters
1713
1714 inherit_from (string)
1715 The SSSD POSIX-type domain the application domain inherits all
1716 settings from. The application domain can moreover add its own
1717 settings to the application settings that augment or override the
1718 “sibling” domain settings.
1719
1720 Default: Not set
1721
1722 The following example illustrates the use of an application domain. In
1723 this setup, the POSIX domain is connected to an LDAP server and is used
1724 by the OS through the NSS responder. In addition, the application
1725 domain also requests the telephoneNumber attribute, stores it as the
1726 phone attribute in the cache and makes the phone attribute reachable
1727 through the D-Bus interface.
1728
1729 [sssd]
1730 domains = appdom, posixdom
1731
1732 [ifp]
1733 user_attributes = +phone
1734
1735 [domain/posixdom]
1736 id_provider = ldap
1737 ldap_uri = ldap://ldap.example.com
1738 ldap_search_base = dc=example,dc=com
1739
1740 [application/appdom]
1741 inherit_from = posixdom
1742 ldap_user_extra_attrs = phone:telephoneNumber
1743
1745 Some options used in the domain section can also be used in the trusted
1746 domain section, that is, in a section called
1747 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
1748 actual joined-to base domain. Please refer to the examples below for
1749 an explanation. Currently supported options in the trusted domain
1750 section are:
1751
1752 ldap_search_base,
1753
1754 ldap_user_search_base,
1755
1756 ldap_group_search_base,
1757
1758 ldap_netgroup_search_base,
1759
1760 ldap_service_search_base,
1761
1762 ad_server,
1763
1764 ad_backup_server,
1765
1766 ad_site,
1767
1768 use_fully_qualified_names
1769
1770 For more details about these options see their individual description
1771 in the manual page.
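Two of the requirements stated above can be checked mechanically before SSSD is restarted: an application domain has to be listed in “domains” together with its POSIX sibling (and the sibling named in inherit_from has to exist), and a trusted domain section may only carry the options enumerated here. The following lint is an added example, not part of SSSD. It approximates SSSD's ini dialect with Python's standard configparser (an assumption that holds for section and option names) and runs over two constructed configurations; the domain names posixdom, appdom and child.example.com are made up for the illustration.

```python
"""Lint two structural rules from sssd.conf(5) (added example, not SSSD code).

1. An [application/NAME] section must be listed in the [sssd] "domains"
   option, and its inherit_from target must exist as [domain/NAME] and be
   listed too, so the lookup order of the two siblings is defined.
2. A trusted domain section [domain/BASE/TRUSTED] may only use the options
   the manual lists as supported there, and BASE must be a configured domain.
"""
import configparser

# Options the manual allows in [domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME].
TRUSTED_DOMAIN_OPTIONS = {
    "ldap_search_base", "ldap_user_search_base", "ldap_group_search_base",
    "ldap_netgroup_search_base", "ldap_service_search_base",
    "ad_server", "ad_backup_server", "ad_site", "use_fully_qualified_names",
    "description",  # allowed in every section as a label
}


def parse_sssd_conf(text):
    """Approximate SSSD's ini dialect with configparser (assumption): '#'/';'
    comment lines only, no inline comments, case-sensitive option names."""
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint(text):
    """Return a list of human-readable problems; an empty list means clean."""
    cp = parse_sssd_conf(text)
    problems = []
    enabled = split_list(cp.get("sssd", "domains", fallback=""))
    # names of plain POSIX domains: [domain/NAME] with exactly one slash
    posix = {s.split("/", 1)[1] for s in cp.sections()
             if s.startswith("domain/") and s.count("/") == 1}
    for sec in cp.sections():
        kind, _, rest = sec.partition("/")
        if kind == "application":
            if rest not in enabled:
                problems.append(f"{sec}: not listed in [sssd] domains")
            parent = cp.get(sec, "inherit_from", fallback=None)
            if parent is None:
                continue
            if parent not in posix:
                problems.append(f"{sec}: inherit_from={parent} has no "
                                f"[domain/{parent}] section")
            elif parent not in enabled:
                problems.append(f"{sec}: sibling {parent} not listed in "
                                "[sssd] domains")
        elif kind == "domain" and "/" in rest:
            base = rest.split("/", 1)[0]
            if base not in posix:
                problems.append(f"{sec}: base domain {base} has no "
                                f"[domain/{base}] section")
            for opt in cp.options(sec):
                if opt not in TRUSTED_DOMAIN_OPTIONS:
                    problems.append(f"{sec}: option {opt} is not supported "
                                    "in a trusted domain section")
    return problems


# Constructed configurations; the domain names are made up.
GOOD_CONF = """
[sssd]
domains = appdom, posixdom

[domain/posixdom]
id_provider = ldap

[domain/posixdom/child.example.com]
use_fully_qualified_names = false

[application/appdom]
inherit_from = posixdom
"""

BAD_CONF = """
[sssd]
domains = posixdom

[domain/posixdom]
id_provider = ldap

[application/appdom]
inherit_from = nosuchdom

[domain/posixdom/child.example.com]
use_fully_qualified_names = false
id_provider = ad
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(conf) or "OK")
```

The lint deliberately reports a trusted domain section that carries an option such as id_provider: SSSD will not honour it there, and a silently ignored option is easy to mistake for an applied one when debugging lookups in a trusted domain.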
1772
1773CERTIFICATE MAPPING SECTION
1774 To allow authentication with Smartcards and certificates SSSD must be
1775 able to map certificates to users. This can be done by adding the full
1776 certificate to the LDAP object of the user or to a local override.
1777 While using the full certificate is required to use the Smartcard
1778 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
1779 details), it might be cumbersome or not even possible to do this for the
1780 general case where local services use PAM for authentication.
1781
1782 To make the mapping more flexible, mapping and matching rules were added
1783 to SSSD (see sss-certmap(5) for details).
1784
1785 A mapping and matching rule can be added to the SSSD configuration in a
1786 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
1787 In this section the following options are allowed:
1788
1789 matchrule (string)
1790 Only certificates from the Smartcard which match this rule will be
1791 processed; all others are ignored.
1792
1793 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
1794 the Extended Key Usage “clientAuth”.
1795
1796 maprule (string)
1797 Defines how the user is found for a given certificate.
1798
1799 Default:
1800
1801 · LDAP:(userCertificate;binary={cert!bin}) for LDAP based
1802 providers like “ldap”, “AD” or “ipa”.
1803
1804 · The RULE_NAME for the “files” provider which tries to find a
1805 user with the same name.
1806
1807
1808 domains (string)
1809 Comma separated list of domain names the rule should be applied to.
1810 By default a rule is only valid in the domain configured in
1811 sssd.conf. If the provider supports subdomains this option can be
1812 used to add the rule to subdomains as well.
1813
1814 Default: the configured domain in sssd.conf
1815
1816 priority (integer)
1817 Unsigned integer value defining the priority of the rule. The
1818 higher the number the lower the priority. “0” stands for the
1819 highest priority while “4294967295” is the lowest.
1820
1821 Default: the lowest priority
1822
1823 To make the configuration simple and reduce the amount of configuration
1824 options the “files” provider has some special properties:
1825
1826 · if maprule is not set the RULE_NAME is assumed to be the name of
1827 the matching user
1828
1829 · if a maprule is used, both a single user name and a template like
1830 “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
1831 e.g. “(username)” or “({subject_rfc822_name.short_name})”
1832
1833 · the “domains” option is ignored
1834
1835
1836EXAMPLES
1837 1. The following example shows a typical SSSD config. It does not
1838 describe configuration of the domains themselves - refer to
1839 documentation on configuring domains for more details.
1840
1841 [sssd]
1842 domains = LDAP
1843 services = nss, pam
1844 config_file_version = 2
1845
1846 [nss]
1847 filter_groups = root
1848 filter_users = root
1849
1850 [pam]
1851
1852 [domain/LDAP]
1853 id_provider = ldap
1854 ldap_uri = ldap://ldap.example.com
1855 ldap_search_base = dc=example,dc=com
1856
1857 auth_provider = krb5
1858 krb5_server = kerberos.example.com
1859 krb5_realm = EXAMPLE.COM
1860 cache_credentials = true
1861
1862 min_id = 10000
1863 max_id = 20000
1864 enumerate = False
1865
1866 2. The following example shows configuration of IPA AD trust where the
1867 AD forest consists of two domains in a parent-child structure. Suppose
1868 the IPA domain (ipa.com) has a trust with the AD domain (ad.com), and
1869 ad.com has a child domain (child.ad.com). To enable short names in the
1870 child domain the following configuration should be used.
1871
1872 [domain/ipa.com/child.ad.com]
1873 use_fully_qualified_names = false
1874
1875 3. The following example shows the configuration for two certificate
1876 mapping rules. The first is valid for the configured domain “my.domain”
1877 and additionally for the subdomain “your.domain” and uses the full
1878 certificate in the search filter. The second example is valid for the
1879 domain “files”, where it is assumed the files provider is used for this
1880 domain, and contains a matching rule for the local user “myname”.
1881
1882 [certmap/my.domain/rule_name]
1883 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
1884 maprule = (userCertificate;binary={cert!bin})
1885 domains = my.domain, your.domain
1886 priority = 10
1887
1888 [certmap/files/myname]
1889 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
1890
1891
1892SEE ALSO
1893 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
1894 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
1895 sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
1896 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
1897 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
1898 pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).
1899
1900AUTHORS
1901 The SSSD upstream - https://pagure.io/SSSD/sssd/
1902
1903
1904
1905SSSD 03/28/2019 SSSD.CONF(5)