SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)



NAME
       sssd.conf - the configuration file for SSSD

FILE FORMAT
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3


       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY
       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

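       The include and permission rules above, modelled in Python as an
       added example (not SSSD's own code). It sorts by code point where
       SSSD sorts by locale, and the directory tree it builds is a
       constructed sample for trying the functions out.

```python
"""Model of how sssd.conf and its conf.d snippets combine. Added example, not
SSSD's own code: only "*.conf" files not starting with "." are included, in
alphabetical order, later files override earlier ones, and every file must be
a regular file owned by root:root with mode 0600."""
import configparser
import os
import stat
import tempfile


def snippet_names(conf_dir):
    """Snippet file names in include order (sorted by code point here; SSSD
    sorts according to the locale, which can differ for mixed-case names)."""
    names = [n for n in os.listdir(conf_dir)
             if n.endswith(".conf") and not n.startswith(".")]
    return sorted(names)


def permission_problems(path, expect_uid=0, expect_gid=0):
    """Return the ways `path` deviates from the required root:root/0600
    regular file; an empty list means it is acceptable. expect_uid and
    expect_gid exist only so the check can be exercised as a non-root user."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expect_uid or st.st_gid != expect_gid:
        problems.append("owner is %d:%d, expected %d:%d"
                        % (st.st_uid, st.st_gid, expect_uid, expect_gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("mode is %04o, expected 0600" % mode)
    return problems


def current_ids():
    """(uid, gid) of the running process, for exercising permission_problems()."""
    return os.getuid(), os.getgid()


def merge_config(main_conf, conf_dir):
    """Parse sssd.conf followed by each snippet; for a key present in several
    files the last one read wins, which gives the snippets priority."""
    parser = configparser.ConfigParser(interpolation=None,
                                       comment_prefixes=("#", ";"),
                                       inline_comment_prefixes=None)
    parser.optionxform = str  # keep option names exactly as written
    files = [main_conf] + [os.path.join(conf_dir, n)
                           for n in snippet_names(conf_dir)]
    parser.read(files)
    return {section: dict(parser[section]) for section in parser.sections()}


def make_sample_tree():
    """Constructed sample layout: a main sssd.conf plus a conf.d holding two
    real snippets and two files that must be ignored.
    Returns (main_conf_path, conf_dir_path)."""
    root = tempfile.mkdtemp(prefix="sssd-example-")
    conf_dir = os.path.join(root, "conf.d")
    os.mkdir(conf_dir)
    files = {
        "sssd.conf": "[sssd]\nservices = nss, pam\ndomains = example\n"
                     "[nss]\nfilter_users = root\n",
        "conf.d/01_nss.conf": "[nss]\nfilter_users = root, nobody\n",
        "conf.d/02_debug.conf": "[sssd]\ndebug_level = 6\n",
        "conf.d/.draft.conf": "[sssd]\ndebug_level = 9\n",   # dotfile: skipped
        "conf.d/README.txt": "not a snippet\n",               # wrong suffix
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o600)
    # One deliberately lax snippet so permission_problems() has something to flag.
    os.chmod(os.path.join(conf_dir, "02_debug.conf"), 0o644)
    return os.path.join(root, "sssd.conf"), conf_dir
```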

GENERAL OPTIONS
       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           enables debugging only for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data, use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions, use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0

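       The two representations and the two bitmask examples above, worked
       through in Python as an added example rather than SSSD's own code.
       The level table is copied from this page; everything else is this
       example's.

```python
# debug_level table as documented above, used to convert between the decimal
# and bitmask forms. Added example, not SSSD's own code.
DEBUG_LEVELS = [  # (decimal level, bitmask, meaning); note the gap at 0x0800
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing information"),
]
BIT_OF_LEVEL = {lvl: bit for lvl, bit, _ in DEBUG_LEVELS}
KNOWN_BITS = sum(BIT_OF_LEVEL.values())


def mask_for_level(level):
    """Bitmask equivalent of the decimal form: this level plus all lower ones."""
    if level not in BIT_OF_LEVEL:
        raise ValueError("decimal debug_level must be 0-9, got %r" % (level,))
    return sum(bit for lvl, bit in BIT_OF_LEVEL.items() if lvl <= level)


def mask_for(*levels):
    """Bitmask enabling exactly the given levels, e.g. mask_for(0, 1, 2, 5)."""
    return sum(BIT_OF_LEVEL[lvl] for lvl in levels)


def parse_debug_level(value):
    """Interpret a debug_level value as written in sssd.conf: a "0x" prefix
    selects the bitmask form, anything else must be a decimal level 0-9."""
    text = value.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    return mask_for_level(int(text, 10))


def describe(mask):
    """Meanings of the documented levels enabled in `mask`, lowest first."""
    return [meaning for _, bit, meaning in DEBUG_LEVELS if mask & bit]


def unknown_bits(mask):
    """Bits set in `mask` that do not correspond to any documented level,
    useful for spotting a typo in a hand-written bitmask."""
    return mask & ~KNOWN_BITS
```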
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS
   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The list of services is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           several domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           should only consist of alphanumeric ASCII characters, dashes, dots
           and underscores.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       try_inotify (boolean)
           SSSD monitors the state of resolv.conf to identify when it needs to
           update its internal DNS resolver. By default, we will attempt to
           use inotify for this, and will fall back to polling resolv.conf
           every five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up during compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False. The one exception to this rule is domains with
           “id_provider=files”, which always try to match the behaviour of
           nss_files and therefore their output is not qualified even when
           the default_domain_suffix option is used.

           Default: not set

       override_space (string)
           This parameter replaces spaces in user and group names with the
           given character, e.g. “_”: the user name "john doe" becomes
           "john_doe". This feature was added to help compatibility with
           shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               ·   sha1

               ·   sha256

               ·   sha384

               ·   sha512

               Default: sha256

               (NSS Version) This option is ignored, because NSS uses sha1
               unconditionally.

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

               (NSS Version) This option must be used together with
               ocsp_default_responder_signing_cert.

           ocsp_default_responder_signing_cert=NAME
               (NSS Version) The nickname of the cert that is trusted
               (expected) to sign the OCSP responses. The certificate with the
               given nickname must be available in the system's NSS database.

               This option must be used together with ocsp_default_responder.

               (OpenSSL version) This option is currently ignored. All needed
               certificates must be available in the PEM file given by
               pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               (NSS Version) This option is ignored; see crlutil(1) for how
               to import a Certificate Revocation List (CRL) into an NSS
               database.

               (OpenSSL Version) Use the Certificate Revocation List (CRL)
               from the given file during the verification of the certificate.
               The CRL must be given in PEM format, see crl(1ssl) for details.

           This man page was generated for the OpenSSL version.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

345
346       disable_netlink (boolean)
347           SSSD hooks into the netlink interface to monitor changes to routes,
348           addresses, links and trigger certain actions.
349
350           The SSSD state changes caused by netlink events may be undesirable
351           and can be disabled by setting this option to 'true'
352
353           Default: false (netlink changes are detected)
354
355       enable_files_domain (boolean)
356           When this option is enabled, SSSD prepends an implicit domain with
357           “id_provider=files” before any explicitly configured domains.
358
359           Default: true
360
361       domain_resolution_order
362           Comma separated list of domains and subdomains representing the
363           lookup order that will be followed. The list doesn't have to
364           include all possible domains as the missing domains will be looked
365           up based on the order they're presented in the “domains”
366           configuration option. The subdomains which are not listed as part
367           of “lookup_order” will be looked up in a random order for each
368           parent domain.
369
370           Please, note that when this option is set the output format of all
371           commands is always fully-qualified even when using short names for
372           input, for all users but the ones managed by the files provider. In
373           case the administrator wants the output not fully-qualified, the
374           full_name_format option can be used as shown below:
375           “full_name_format=%1$s” However, keep in mind that during login,
376           login applications often canonicalize the username by calling
377           getpwnam(3) which, if a shortname is returned for a qualified input
378           (while trying to reach a user which exists in multiple domains)
379           might re-route the login attempt into the domain which uses
380           shortnames, making this workaround totally not recommended in cases
381           where usernames may overlap between domains.
382
383           Default: Not set
384

SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. This value is in seconds and calculated by the
           following:

           offline_timeout + random_offset

           The random offset can increment up to 30 seconds. After each
           unsuccessful attempt to go online, the new interval is recalculated
           by the following:

           new_interval = old_interval*2 + random_offset

           Note that the maximum length of each interval is currently limited
           to one hour. If the calculated length of new_interval is greater
           than an hour, it will be forced to one hour.

           Default: 60

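       The backoff above carried through as an added example (not SSSD's
       own code). The random offsets are passed in explicitly so the
       resulting schedule is reproducible; SSSD itself draws them at random.

```python
# Reconnect interval growth after SSSD goes offline, as documented above:
# first wait = offline_timeout + random_offset, then doubling plus a fresh
# offset after each failed attempt, each interval capped at one hour.
# Added example, not SSSD's own code.
MAX_INTERVAL = 3600       # each interval is forced down to one hour at most
MAX_RANDOM_OFFSET = 30    # the random offset is between 0 and 30 seconds


def next_interval(old_interval, random_offset):
    """new_interval = old_interval*2 + random_offset, forced to one hour if
    the result would exceed it."""
    if not 0 <= random_offset <= MAX_RANDOM_OFFSET:
        raise ValueError("random_offset must be within 0-%d" % MAX_RANDOM_OFFSET)
    return min(old_interval * 2 + random_offset, MAX_INTERVAL)


def reconnect_schedule(offline_timeout, offsets):
    """Seconds SSSD would wait before each successive reconnect attempt.

    `offsets` supplies one random offset per attempt (a constructed sequence
    in the test below) so the result is reproducible."""
    schedule = []
    for i, offset in enumerate(offsets):
        if i == 0:
            interval = min(offline_timeout + offset, MAX_INTERVAL)  # first wait
        else:
            interval = next_interval(schedule[-1], offset)       # after a failure
        schedule.append(interval)
    return schedule
```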
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up to the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u


           Default: Not set (SSSD will use the value retrieved from LDAP)

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u


           Default: not set (no substitution for unset home directories)

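       Template expansion for override_homedir and fallback_homedir, and the
       order in which the two options and the provider's value apply, as an
       added example that is not SSSD's own code. The user record fields
       and composing %f as user@domain are this example's assumptions.

```python
# Expansion of the %-sequences documented for override_homedir and
# fallback_homedir. Added example, not SSSD's own code. `user` is a plain
# dict whose keys (name, uid, domain, upn, original_homedir) are this
# example's own naming.
SAMPLE_USER = {  # constructed sample record
    "name": "jdoe",
    "uid": 1001,
    "domain": "example.com",
    "upn": "jdoe@EXAMPLE.COM",
    "original_homedir": "/export/home/jdoe",
}


def expand_homedir(template, user, homedir_substring="/home"):
    """Substitute the %-sequences of `template` for one user record."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        code = template[i + 1]
        i += 2
        if code == "%":
            out.append("%")                               # %% -> literal '%'
        elif code == "u":
            out.append(user["name"])                      # login name
        elif code == "U":
            out.append(str(user["uid"]))                  # UID number
        elif code == "d":
            out.append(user["domain"])                    # domain name
        elif code == "f":
            # fully qualified name, composed as user@domain here (assumption)
            out.append("%s@%s" % (user["name"], user["domain"]))
        elif code == "l":
            out.append(user["name"][:1])                  # first letter of login
        elif code == "P":
            out.append(user.get("upn") or "")             # user principal name
        elif code == "o":
            out.append(user.get("original_homedir") or "")  # provider's value
        elif code == "H":
            out.append(homedir_substring)                 # homedir_substring
        else:
            raise ValueError("unknown sequence %%%s in template" % code)
    return "".join(out)


def is_valid_template(template):
    """True if every %-sequence in `template` is one documented above."""
    probe = {"name": "x", "uid": 0, "domain": "d"}
    try:
        expand_homedir(template, probe)
    except ValueError:
        return False
    return True


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home"):
    """override_homedir wins when set; otherwise the provider's directory is
    used; fallback_homedir only fills in a directory the provider left unset."""
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.get("original_homedir"):
        return user["original_homedir"]
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None
```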
       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The wildcard is useful if you want to use shell_fallback when the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

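       The evaluation order for allowed_shells, vetoed_shells, shell_fallback
       and default_shell, modelled in one function as an added example (not
       SSSD's own code). Checking vetoed_shells before the numbered steps and
       the nologin path used are this example's assumptions.

```python
# Login-shell selection following the order documented above. Added example,
# not SSSD's own code; the vetoed-first ordering and NOLOGIN_SHELL are
# this example's assumptions.
NOLOGIN_SHELL = "/sbin/nologin"   # assumed; the real path is build-specific


def resolve_shell(provider_shell, etc_shells, allowed_shells=None,
                  vetoed_shells=(), shell_fallback="/bin/sh",
                  default_shell=None):
    """Return the shell handed to libc for one user, or None for "no shell".

    provider_shell: shell returned by the identity provider (None if none)
    etc_shells:     entries of /etc/shells, read once at SSSD start-up
    allowed_shells: None when the option is not set; may contain "*"
    """
    if provider_shell is None:
        # Provider returned nothing: default_shell, else NULL for libc.
        return default_shell
    if provider_shell == "":
        # An empty string is passed as-is to libc.
        return ""
    if provider_shell in vetoed_shells:
        # Vetoed shells are always replaced with shell_fallback.
        return shell_fallback
    if allowed_shells is None:
        # allowed_shells not set: the user's shell is used automatically.
        return provider_shell
    if provider_shell in etc_shells:
        return provider_shell             # step 1: installed -> used as-is
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback             # step 2: allowed but not installed
    return NOLOGIN_SHELL                  # step 3: neither -> nologin


def parse_shell_list(value):
    """Split a comma separated sssd.conf value such as
    "allowed_shells = /bin/bash, /bin/zsh" into a set of entries."""
    return {item.strip() for item in value.split(",") if item.strip()}
```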
       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (int)
           Specifies time in seconds for which records in the in-memory cache
           will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
           attributes than just the POSIX ones defined by the NSS interface.
           The list of attributes is controlled by this option. It is handled
           the same way as the “user_attributes” option of the InfoPipe
           responder (see sssd-ifp(5) for details) but with no default values.

           To make configuration easier the NSS responder will check the
           InfoPipe option if it is not set for the NSS responder.

           Default: not set, fallback to InfoPipe option

       pwfield (string)
           The value that NSS operations that return users or groups will
           return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days since the last successful online login).

           Default: 0 (No limit)

       offline_failed_login_attempts (integer)
           If the authentication provider is offline, how many failed login
           attempts are allowed.

           Default: 0 (No limit)

       offline_failed_login_delay (integer)
           The time in minutes which has to pass after
           offline_failed_login_attempts has been reached before a new login
           attempt is possible.

           If set to 0 the user cannot authenticate offline if
           offline_failed_login_attempts has been reached. Only a successful
           online authentication can enable offline authentication again.

           Default: 5

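       The three offline options above combined into one decision function,
       as an added example (not SSSD's own code). It assumes the caller
       keeps the time of the last online login and the offline failure
       history; the 0 values keep the documented "no limit" meaning.

```python
# Offline-authentication gate modelled on offline_credentials_expiration,
# offline_failed_login_attempts and offline_failed_login_delay. Added
# example, not SSSD's own code. Times are Unix seconds.
DAY = 86400
MINUTE = 60


def offline_login_allowed(now, last_online_login, failed_attempts, last_failure,
                          credentials_expiration=0, failed_login_attempts=0,
                          failed_login_delay=5):
    """Return (allowed, reason) for an offline login attempt at `now`.

    last_online_login: time of the last successful online login
    failed_attempts:   offline failures recorded since that login
    last_failure:      time of the most recent offline failure, or None
    """
    # offline_credentials_expiration: days since the last online login; 0 = no limit
    if credentials_expiration > 0:
        if now - last_online_login > credentials_expiration * DAY:
            return False, "cached credentials expired"
    # offline_failed_login_attempts: 0 = no limit
    if failed_login_attempts > 0 and failed_attempts >= failed_login_attempts:
        if failed_login_delay == 0:
            # Only a successful online authentication can unlock again.
            return False, "locked until the next successful online authentication"
        if last_failure is not None and now - last_failure < failed_login_delay * MINUTE:
            return False, "too many failed attempts, retry later"
    return True, "ok"
```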
702       pam_verbosity (integer)
703           Controls what kind of messages are shown to the user during
704           authentication. The higher the number to more messages are
705           displayed.
706
707           Currently sssd supports the following values:
708
709           0: do not show any message
710
711           1: show only important messages
712
713           2: show informational messages
714
715           3: show all messages and debug information
716
717           Default: 1
718
719       pam_response_filter (integer)
720           A comma-separated list of strings that can be used to remove
721           (filter) data sent by the PAM responder to the pam_sss PAM module.
722           Different kinds of responses are sent to pam_sss, e.g. messages
723           displayed to the user or environment variables that pam_sss should
724           set.
725
726           While messages can already be controlled with the pam_verbosity
727           option, this option allows other kinds of responses to be filtered
728           out as well.
729
730           Currently the following filters are supported:
731
732           ENV
733               Do not send any environment variables to any service.
734
735           ENV:var_name
736               Do not send environment variable var_name to any service.
737
738           ENV:var_name:service
739               Do not send environment variable var_name to service.
740
741           Default: not set
742
743           Example: ENV:KRB5CCNAME:sudo-i
744
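The filter syntax above (ENV, ENV:var_name, ENV:var_name:service) is small enough to evaluate by hand, but the example below, added here and not part of SSSD's own code, shows how a parser for it behaves and what the man page's own example (ENV:KRB5CCNAME:sudo-i) actually removes. The response tuples and service names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: parser and evaluator for the pam_response_filter syntax
# documented above (ENV, ENV:var_name, ENV:var_name:service). This is not
# SSSD's own code; the response tuples and service names below are constructed.


@dataclass(frozen=True)
class EnvFilter:
    var_name: Optional[str]   # None: every environment variable
    service: Optional[str]    # None: every PAM service

    def matches(self, var_name: str, service: str) -> bool:
        if self.var_name is not None and self.var_name != var_name:
            return False
        if self.service is not None and self.service != service:
            return False
        return True


def parse_response_filter(value: str) -> List[EnvFilter]:
    """Parse a comma-separated pam_response_filter value into EnvFilter objects.

    Anything other than the three documented ENV forms raises ValueError, so a
    typo in the option does not silently leave a variable unfiltered.
    """
    filters = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or "" in parts[1:]:
            raise ValueError(f"unsupported pam_response_filter entry: {item!r}")
        var_name = parts[1] if len(parts) >= 2 else None
        service = parts[2] if len(parts) == 3 else None
        filters.append(EnvFilter(var_name, service))
    return filters


def filter_responses(responses: List[Tuple[str, str]], service: str,
                     filters: List[EnvFilter]) -> List[Tuple[str, str]]:
    """Drop ENV responses matched by any filter for the given PAM service.

    responses are (kind, payload) pairs: kind "ENV" carries "NAME=value",
    kind "MSG" carries text for the user. Only ENV responses are subject to
    pam_response_filter; messages are governed by pam_verbosity instead.
    """
    kept = []
    for kind, payload in responses:
        if kind == "ENV":
            name = payload.split("=", 1)[0]
            if any(f.matches(name, service) for f in filters):
                continue
        kept.append((kind, payload))
    return kept


# Constructed sample of what the PAM responder might hand to pam_sss after a
# Kerberos login (values are made up for the example).
SAMPLE_RESPONSES = [
    ("MSG", "Password expires in 3 days"),
    ("ENV", "KRB5CCNAME=KEYRING:persistent:1000:krb_ccache_example"),
    ("ENV", "LANG=C"),
]

if __name__ == "__main__":
    flt = parse_response_filter("ENV:KRB5CCNAME:sudo-i")
    # The man page example: sudo -i does not get the user's ccache name,
    # while a plain login still does.
    print(filter_responses(SAMPLE_RESPONSES, "sudo-i", flt))
    print(filter_responses(SAMPLE_RESPONSES, "login", flt))
```

The strictness on unknown filter types is a deliberate choice for the example: a silently ignored entry would look like a working filter while still exporting the variable.
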
745       pam_id_timeout (integer)
746           For any PAM request while SSSD is online, the SSSD will attempt to
747           immediately update the cached identity information for the user in
748           order to ensure that authentication takes place with the latest
749           information.
750
751           A complete PAM conversation may perform multiple PAM requests, such
752           as account management and session opening. This option controls (on
753           a per-client-application basis) how long (in seconds) we can cache
754           the identity information to avoid excessive round-trips to the
755           identity provider.
756
757           Default: 5
758
759       pam_pwd_expiration_warning (integer)
760           Display a warning N days before the password expires.
761
762           Please note that the backend server has to provide information
763           about the expiration time of the password. If this information is
764           missing, sssd cannot display a warning.
765
766           If set to zero, this filter is not applied, i.e. if an expiration
767           warning is received from the backend server, it is displayed
768           automatically.
769
770           This setting can be overridden by setting pwd_expiration_warning
771           for a particular domain.
772
773           Default: 0
774
775       get_domains_timeout (int)
776           Specifies time in seconds for which the list of subdomains will be
777           considered valid.
778
779           Default: 60
780
781       pam_trusted_users (string)
782           Specifies the comma-separated list of UID values or user names that
783           are allowed to run PAM conversations against trusted domains. Users
784           not included in this list can only access domains marked as public
785           with “pam_public_domains”. User names are resolved to UIDs at
786           startup.
787
788           Default: All users are considered trusted by default
789
790           Please note that UID 0 is always allowed to access the PAM
791           responder even in case it is not in the pam_trusted_users list.
792
793       pam_public_domains (string)
794           Specifies the comma-separated list of domain names that are
795           accessible even to untrusted users.
796
797           Two special values for pam_public_domains option are defined:
798
799           all (Untrusted users are allowed to access all domains in the PAM
800           responder.)
801
802           none (Untrusted users are not allowed to access any domains in the
803           PAM responder.)
804
805           Default: none
806
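The interaction between pam_trusted_users and pam_public_domains decides which domains a given PAM client process can query at all. The following example, added here and not SSSD's own code, spells that decision out; the user table standing in for the system user database and the domain names are constructed for the illustration.

```python
from typing import Dict, Iterable, List, Optional, Set, Union

# Added example: how pam_trusted_users and pam_public_domains combine to decide
# which domains a PAM client may query. Not SSSD's own code; the user table and
# domain names are constructed stand-ins (the responder resolves names with the
# system user database at startup).
SAMPLE_PASSWD: Dict[str, int] = {"root": 0, "sshd": 74, "gdm": 42, "alice": 1000}


def parse_trusted_users(value: Optional[str],
                        passwd: Dict[str, int] = SAMPLE_PASSWD) -> Optional[Set[int]]:
    """Return the trusted UID set, or None when the option is unset
    (documented default: every user is trusted)."""
    if value is None or not value.strip():
        return None
    trusted: Set[int] = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            trusted.add(int(item))
        elif item in passwd:
            trusted.add(passwd[item])
        else:
            raise ValueError(f"pam_trusted_users: unknown user {item!r}")
    return trusted


def parse_public_domains(value: Optional[str]) -> Union[str, Set[str]]:
    """Return "all", "none" (the default) or the explicit set of public domains."""
    if value is None or not value.strip():
        return "none"
    text = value.strip()
    if text.lower() in ("all", "none"):
        return text.lower()
    return {d.strip() for d in text.split(",") if d.strip()}


def allowed_domains(client_uid: int, configured_domains: Iterable[str],
                    trusted: Optional[Set[int]],
                    public: Union[str, Set[str]]) -> List[str]:
    """Domains the PAM client running as client_uid may send requests for."""
    configured = list(configured_domains)
    # UID 0 is always allowed; an unset pam_trusted_users trusts everyone.
    if client_uid == 0 or trusted is None or client_uid in trusted:
        return configured
    if public == "all":
        return configured
    if public == "none":
        return []
    return [d for d in configured if d in public]


if __name__ == "__main__":
    trusted = parse_trusted_users("sshd, gdm")
    domains = ["corp.example", "ipa.example"]
    # An untrusted UID with the default pam_public_domains reaches nothing.
    print(allowed_domains(1000, domains, trusted, parse_public_domains(None)))
    # The same UID after marking one domain public.
    print(allowed_domains(1000, domains, trusted, parse_public_domains("corp.example")))
```

Note that the moment pam_trusted_users is set to anything, every service account that runs PAM conversations (sshd, the display manager, and so on) must be listed, or it falls back to the public domains only.
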
807       pam_account_expired_message (string)
808           Allows a custom expiration message to be set, replacing the default
809           'Permission denied' message.
810
811           Note: this message is only printed for the SSH service unless
812           pam_verbosity is set to 3 (show all messages and debug
813           information).
814
815           example:
816
817               pam_account_expired_message = Account expired, please contact help desk.
818
819
820           Default: none
821
822       pam_account_locked_message (string)
823           Allows a custom lockout message to be set, replacing the default
824           'Permission denied' message.
825
826           example:
827
828               pam_account_locked_message = Account locked, please contact help desk.
829
830
831           Default: none
832
833       pam_cert_auth (bool)
834           Enable certificate-based Smartcard authentication. Since this
835           requires additional communication with the Smartcard, which delays
836           the authentication process, this option is disabled by default.
838
839           Default: False
840
841       pam_cert_db_path (string)
842           The path to the certificate database which contains the PKCS#11
843           modules used to access the Smartcard.
844
845           Default:
846
847           ·   /etc/pki/nssdb (NSS version, path to a NSS database)
848
849           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
850               file with trusted CA certificates in PEM format)
851
852           This man page was generated for the OpenSSL version.
853
854       p11_child_timeout (integer)
855           How many seconds pam_sss will wait for p11_child to finish.
856
857           Default: 10
858
859       pam_app_services (string)
860           Which PAM services are permitted to contact domains of type
861           “application”.
862
863           Default: Not set
864
865       pam_p11_allowed_services (integer)
866           A comma-separated list of PAM service names for which Smartcard
867           authentication is allowed.
868
869           It is possible to add another PAM service name to the default set
870           by using “+service_name” or to explicitly remove a PAM service name
871           from the default set by using “-service_name”. For example, in
872           order to replace a default PAM service name for authentication with
873           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
874           “my_pam_service”), you would use the following configuration:
875
876               pam_p11_allowed_services = +my_pam_service, -login
877
878
879           Default: the default set of PAM service names includes:
880
881           ·   login
882
883           ·   su
884
885           ·   su-l
886
887           ·   gdm-smartcard
888
889           ·   gdm-password
890
891           ·   kdm
892
893           ·   sudo
894
895           ·   sudo-i
896
897           ·   gnome-screensaver
898
899
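The "+service_name" / "-service_name" notation above modifies the default list rather than replacing it, which is easy to get wrong when tightening which services may use a Smartcard. The example below, added here and not SSSD's own parser, computes the effective set from the default list quoted in this man page. Two rules it applies go beyond the text and are assumptions of the example: a list of plain names (no +/-) replaces the default set, and mixing plain names with modifiers is rejected as ambiguous.

```python
from typing import Optional, Set

# Added example: computing the effective pam_p11_allowed_services set from the
# defaults listed above and the "+service" / "-service" modifiers. Not SSSD's
# own parser. Two rules beyond the text are assumptions of this example: a list
# of plain names (no +/-) replaces the default set, and mixing plain names with
# modifiers is rejected as ambiguous.

# Default set, copied from the man page text above.
DEFAULT_P11_SERVICES = frozenset({
    "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm",
    "sudo", "sudo-i", "gnome-screensaver",
})


def effective_p11_services(value: Optional[str],
                           defaults=DEFAULT_P11_SERVICES) -> Set[str]:
    """Return the PAM service names for which Smartcard authentication is allowed."""
    if value is None or not value.strip():
        return set(defaults)
    items = [i.strip() for i in value.split(",") if i.strip()]
    modifiers = [i for i in items if i[0] in "+-"]
    plain = [i for i in items if i[0] not in "+-"]
    if modifiers and plain:
        raise ValueError("pam_p11_allowed_services mixes +/- modifiers with plain names")
    if plain:
        return set(plain)            # explicit list replaces the defaults
    result = set(defaults)
    for mod in modifiers:
        name = mod[1:]
        if not name:
            raise ValueError(f"empty service name in modifier {mod!r}")
        if mod[0] == "+":
            result.add(name)
        else:
            result.discard(name)
    return result


def smartcard_allowed(service: str, value: Optional[str] = None) -> bool:
    """Would pam_sss attempt Smartcard authentication for this PAM service?"""
    return service in effective_p11_services(value)


if __name__ == "__main__":
    # The configuration from the man page: add my_pam_service, drop login.
    print(sorted(effective_p11_services("+my_pam_service, -login")))
```

Running it with the man page's own value shows that sudo, su and the screensaver services remain allowed after "-login"; only an explicit plain list narrows the set to exactly what is written.
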
900       p11_wait_for_card_timeout (integer)
901           If Smartcard authentication is required, how many extra seconds
902           (in addition to p11_child_timeout) the PAM responder should wait
903           for a Smartcard to be inserted.
904
905           Default: 60
906
907       p11_uri (string)
908           PKCS#11 URI (see RFC-7512 for details) which can be used to
909           restrict the selection of devices used for Smartcard
910           authentication. By default SSSD's p11_child will search for a
911           PKCS#11 slot (reader) where the 'removable' flag is set and read
912           the certificates from the token inserted in the first slot found.
913           If multiple readers are connected, p11_uri can be used to tell
914           p11_child to use a specific reader.
915
916           Example:
917
918               p11_uri = slot-description=My%20Smartcar%20Reader
919
920
921           or
922
923               p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
924
925
926           To find a suitable URI, check the debug output of p11_child. As an
927           alternative, the GnuTLS utility 'p11tool' (e.g. with the
928           '--list-all' option) will show PKCS#11 URIs as well.
929
930           Default: none
931
932   SUDO configuration options
933       These options can be used to configure the sudo service. The detailed
934       instructions for configuration of sudo(8) to work with sssd(8) are in
935       the manual page sssd-sudo(5).
936
937       sudo_timed (bool)
938           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
939           attributes that implement time-dependent sudoers entries.
940
941           Default: false
942
943       sudo_threshold (integer)
944           Maximum number of expired rules that can be refreshed at once. If
945           the number of expired rules is below the threshold, those rules are
946           refreshed with the “rules refresh” mechanism. If the threshold is
947           exceeded, a “full refresh” of sudo rules is triggered instead. This
948           threshold number also applies to IPA sudo command and command group
949           searches.
950
951           Default: 50
952
953   AUTOFS configuration options
954       These options can be used to configure the autofs service.
955
956       autofs_negative_timeout (integer)
957           Specifies for how many seconds the autofs responder should cache
958           negative hits (that is, queries for invalid map entries, like
959           nonexistent ones) before asking the back end again.
960
961           Default: 15
962
963       Please note that the automounter only reads the master map on startup,
964       so if any autofs-related changes are made to the sssd.conf, you
965       typically also need to restart the automounter daemon after restarting
966       the SSSD.
967
968   SSH configuration options
969       These options can be used to configure the SSH service.
970
971       ssh_hash_known_hosts (bool)
972           Whether or not to hash host names and addresses in the managed
973           known_hosts file.
974
975           Default: true
976
977       ssh_known_hosts_timeout (integer)
978           How many seconds to keep a host in the managed known_hosts file
979           after its host keys were requested.
980
981           Default: 180
982
983       ssh_use_certificate_keys (bool)
984           If set to true, sss_ssh_authorizedkeys will also return SSH keys
985           derived from the public keys of X.509 certificates stored in the
986           user entry. See sss_ssh_authorizedkeys(1) for details.
987
988           Default: true
989
990       ca_db (string)
991           Path to a storage of trusted CA certificates. The option is used to
992           validate user certificates before deriving public ssh keys from
993           them.
994
995           Default:
996
997           ·   /etc/pki/nssdb (NSS version, path to a NSS database)
998
999           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
1000               file with trusted CA certificates in PEM format)
1001
1002           This man page was generated for the OpenSSL version.
1003
1004   PAC responder configuration options
1005       The PAC responder works together with the authorization data plugin for
1006       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1007       sends the PAC data during a GSSAPI authentication to the PAC responder.
1008       The sub-domain provider collects domain SID and ID ranges of the domain
1009       the client is joined to and of remote trusted domains from the local
1010       domain controller. When the PAC is decoded and evaluated, some of
1011       the following operations are performed:
1012
1013       ·   If the remote user does not exist in the cache, it is created. The
1014           UID is determined with the help of the SID, trusted domains will
1015           have UPGs and the GID will have the same value as the UID. The home
1016           directory is set based on the subdomain_homedir parameter. The
1017           shell will be empty by default, i.e. the system defaults are used,
1018           but can be overwritten with the default_shell parameter.
1019
1020       ·   If there are SIDs of groups from domains sssd knows about, the user
1021           will be added to those groups.
1022
1023       These options can be used to configure the PAC responder.
1024
1025       allowed_uids (string)
1026           Specifies the comma-separated list of UID values or user names that
1027           are allowed to access the PAC responder. User names are resolved to
1028           UIDs at startup.
1029
1030           Default: 0 (only the root user is allowed to access the PAC
1031           responder)
1032
1033           Please note that although UID 0 is used as the default, setting
1034           this option overrides it. If you still want to allow the root user
1035           to access the PAC responder, which would be the typical case, you
1036           have to add 0 to the list of allowed UIDs as well.
1037
1038       pac_lifetime (integer)
1039           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1040           the PAC data can be used to determine the group memberships of a
1041           user.
1042
1043           Default: 300
1044
1045   Session recording configuration options
1046       Session recording works in conjunction with tlog-rec-session(8), a part
1047       of tlog package, to log what users see and type when they log in on a
1048       text terminal. See also sssd-session-recording(5).
1049
1050       These options can be used to configure session recording.
1051
1052       scope (string)
1053           One of the following strings specifying the scope of session
1054           recording:
1055
1056           "none"
1057               No users are recorded.
1058
1059           "some"
1060               Users/groups specified by users and groups options are
1061               recorded.
1062
1063           "all"
1064               All users are recorded.
1065
1066           Default: "none"
1067
1068       users (string)
1069           A comma-separated list of users which should have session recording
1070           enabled. Matches user names as returned by NSS, i.e. after any
1071           space replacement, case changes, etc.
1072
1073           Default: Empty. Matches no users.
1074
1075       groups (string)
1076           A comma-separated list of groups, members of which should have
1077           session recording enabled. Matches group names as returned by NSS,
1078           i.e. after any space replacement, case changes, etc.
1079
1080           NOTE: using this option (having it set to anything) has a
1081           considerable performance cost, because each uncached request for a
1082           user requires retrieving and matching the groups the user is member
1083           of.
1084
1085           Default: Empty. Matches no groups.
1086
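How scope, users and groups combine for a single login is summarised by the following example, added here and not code from SSSD or tlog. The membership table is a constructed stand-in for what NSS would return; the example also makes the performance note above concrete, in that the membership lookup is only reached when groups is set and the user is not already listed in users.

```python
from typing import Dict, Set

# Added example: evaluating the session recording scope/users/groups options
# for one login. Not SSSD's or tlog's own code; the membership table is a
# constructed stand-in for the groups NSS would return.
SAMPLE_MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"users", "admins"},
    "bob": {"users"},
    "svc-backup": set(),
}


def parse_list(value: str) -> Set[str]:
    """Split a comma-separated option value into a set of names."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def should_record(user: str, scope: str = "none", users: str = "",
                  groups: str = "",
                  memberships: Dict[str, Set[str]] = SAMPLE_MEMBERSHIPS) -> bool:
    """Return True when the user's terminal session should be recorded."""
    # The man page writes the values with quotes; accept both spellings.
    scope_value = (scope or "none").strip().strip('"').lower()
    if scope_value == "none":
        return False
    if scope_value == "all":
        return True
    if scope_value != "some":
        raise ValueError(f"invalid session recording scope {scope!r}")
    if user in parse_list(users):
        return True
    wanted_groups = parse_list(groups)
    if not wanted_groups:
        # groups unset: no membership lookup is needed, which is the cheap
        # path the NOTE above refers to.
        return False
    return bool(wanted_groups & memberships.get(user, set()))


if __name__ == "__main__":
    print(should_record("bob", scope="some", users="alice", groups="admins"))   # False
    print(should_record("bob", scope="some", groups="users"))                   # True
```
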

DOMAIN SECTIONS

1088       These configuration options can be present in a domain configuration
1089       section, that is, in a section called “[domain/NAME]”.
1090
1091       domain_type (string)
1092           Specifies whether the domain is meant to be used by POSIX-aware
1093           clients such as the Name Service Switch or by applications that do
1094           not need POSIX data to be present or generated. Only objects from
1095           POSIX domains are available to the operating system interfaces and
1096           utilities.
1097
1098           Allowed values for this option are “posix” and “application”.
1099
1100           POSIX domains are reachable by all services. Application domains
1101           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1102           and the PAM responder.
1103
1104           NOTE: The application domains are currently well tested with
1105           “id_provider=ldap” only.
1106
1107           For an easy way to configure a non-POSIX domain, please see the
1108           “Application domains” section.
1109
1110           Default: posix
1111
1112       min_id,max_id (integer)
1113           UID and GID limits for the domain. If a domain contains an entry
1114           that is outside these limits, it is ignored.
1115
1116           For users, this affects the primary GID limit. The user will not be
1117           returned to NSS if either the UID or the primary GID is outside the
1118           range. For non-primary group memberships, those that are in range
1119           will be reported as expected.
1120
1121           These ID limits affect even saving entries to cache, not only
1122           returning them by name or ID.
1123
1124           Default: 1 for min_id, 0 (no limit) for max_id
1125
1126       enumerate (bool)
1127           Determines if a domain can be enumerated, that is, whether the
1128           domain can list all the users and groups it contains. Note that it
1129           is not required to enable enumeration in order for secondary groups
1130           to be displayed. This parameter can have one of the following
1131           values:
1132
1133           TRUE = Users and groups are enumerated
1134
1135           FALSE = No enumerations for this domain
1136
1137           Default: FALSE
1138
1139           Enumerating a domain requires SSSD to download and store ALL user
1140           and group entries from the remote server.
1141
1142           Note: Enabling enumeration has a moderate performance impact on
1143           SSSD while enumeration is running. It may take up to several
1144           minutes after SSSD startup to fully complete enumerations. During
1145           this time, individual requests for information will go directly to
1146           LDAP, though it may be slow, due to the heavy enumeration
1147           processing. Saving a large number of entries to cache after the
1148           enumeration completes might also be CPU intensive as the
1149           memberships have to be recomputed. This can lead to the “sssd_be”
1150           process becoming unresponsive or even restarted by the internal
1151           watchdog.
1152
1153           While the first enumeration is running, requests for the complete
1154           user or group lists may return no results until it completes.
1155
1156           Further, enabling enumeration may increase the time necessary to
1157           detect network disconnection, as longer timeouts are required to
1158           ensure that enumeration lookups are completed successfully. For
1159           more information, refer to the man pages for the specific
1160           id_provider in use.
1161
1162           For the reasons cited above, enabling enumeration is not
1163           recommended, especially in large environments.
1164
1165       subdomain_enumerate (string)
1166           Whether any of the autodetected trusted domains should be
1167           enumerated. The supported values are:
1168
1169           all
1170               All discovered trusted domains will be enumerated
1171
1172           none
1173               No discovered trusted domains will be enumerated
1174
1175           Optionally, a list of one or more domain names can enable
1176           enumeration just for these trusted domains.
1177
1178           Default: none
1179
1180       entry_cache_timeout (integer)
1181           How many seconds should nss_sss consider entries valid before
1182           asking the backend again
1183
1184           The cache expiration timestamps are stored as attributes of
1185           individual objects in the cache. Therefore, changing the cache
1186           timeout only has effect for newly added or expired entries. You
1187           should run the sss_cache(8) tool in order to force refresh of
1188           entries that have already been cached.
1189
1190           Default: 5400
1191
1192       entry_cache_user_timeout (integer)
1193           How many seconds should nss_sss consider user entries valid before
1194           asking the backend again
1195
1196           Default: entry_cache_timeout
1197
1198       entry_cache_group_timeout (integer)
1199           How many seconds should nss_sss consider group entries valid before
1200           asking the backend again
1201
1202           Default: entry_cache_timeout
1203
1204       entry_cache_netgroup_timeout (integer)
1205           How many seconds should nss_sss consider netgroup entries valid
1206           before asking the backend again
1207
1208           Default: entry_cache_timeout
1209
1210       entry_cache_service_timeout (integer)
1211           How many seconds should nss_sss consider service entries valid
1212           before asking the backend again
1213
1214           Default: entry_cache_timeout
1215
1216       entry_cache_sudo_timeout (integer)
1217           How many seconds should sudo consider rules valid before asking the
1218           backend again
1219
1220           Default: entry_cache_timeout
1221
1222       entry_cache_autofs_timeout (integer)
1223           How many seconds should the autofs service consider automounter
1224           maps valid before asking the backend again
1225
1226           Default: entry_cache_timeout
1227
1228       entry_cache_ssh_host_timeout (integer)
1229           How many seconds to keep a host ssh key after refresh, i.e. how
1230           long to cache the host key for.
1231
1232           Default: entry_cache_timeout
1233
1234       refresh_expired_interval (integer)
1235           Specifies how many seconds SSSD has to wait before triggering a
1236           background refresh task which will refresh all expired or nearly
1237           expired records.
1238
1239           The background refresh will process users, groups and netgroups in
1240           the cache. For users who have performed the initgroups (get group
1241           membership for user, typically run at login) operation in the past,
1242           both the user entry and the group membership are updated.
1243
1244           This option is automatically inherited for all trusted domains.
1245
1246           You can consider setting this value to 3/4 * entry_cache_timeout.
1247
1248           Default: 0 (disabled)
1249
1250       cache_credentials (bool)
1251           Determines if user credentials are also cached in the local LDB
1252           cache
1253
1254           User credentials are stored in a SHA512 hash, not in plaintext
1255
1256           Default: FALSE
1257
1258       cache_credentials_minimal_first_factor_length (int)
1259           If 2-Factor-Authentication (2FA) is used and credentials should be
1260           saved this value determines the minimal length the first
1261           authentication factor (long term password) must have to be saved as
1262           SHA512 hash into the cache.
1263
1264           This is meant to prevent the short PINs of a PIN-based 2FA scheme
1265           from being saved in the cache, where they would be easy targets for
1266           brute-force attacks.
1267
1268           Default: 8
1269
1270       account_cache_expiration (integer)
1271           Number of days entries are left in cache after last successful
1272           login before being removed during a cleanup of the cache. 0 means
1273           keep forever. The value of this parameter must be greater than or
1274           equal to offline_credentials_expiration.
1275
1276           Default: 0 (unlimited)
1277
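Several of the domain options above constrain each other: account_cache_expiration must not be lower than the [pam] section's offline_credentials_expiration, cache_credentials_minimal_first_factor_length only matters once cache_credentials is enabled, and min_id/max_id apply to both the UID and the primary GID of a user. The example below, added here and not SSSD's own validation code, parses a constructed sssd.conf with Python's ini parser and checks those three rules. Treating 0 as "unlimited" for both expiration options follows their descriptions; flagging an unlimited offline window combined with a limited cache lifetime is this example's reading of the "greater than or equal" requirement.

```python
import configparser
from typing import List

# Added example: checking a [domain/...] section against constraints this man
# page states. Not SSSD's own validation code. The configuration text, the
# sample UIDs and the passwords are constructed; treating 0 as "unlimited" for
# both account_cache_expiration and offline_credentials_expiration follows the
# option descriptions, and flagging an unlimited offline window with a limited
# cache lifetime is this example's reading of the >= requirement.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp.example

[pam]
offline_credentials_expiration = 30

[domain/corp.example]
id_provider = ldap
cache_credentials = TRUE
account_cache_expiration = 14
min_id = 1000
max_id = 60000
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse ini-style sssd.conf text (no value interpolation, as in SSSD)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_domain(cp: configparser.ConfigParser, domain: str) -> List[str]:
    """Return findings for [domain/<domain>]; an empty list means consistent."""
    sec = f"domain/{domain}"
    findings = []
    cache_creds = cp.getboolean(sec, "cache_credentials", fallback=False)
    offline_exp = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    acct_exp = cp.getint(sec, "account_cache_expiration", fallback=0)
    if offline_exp and not cache_creds:
        findings.append(f"{sec}: offline_credentials_expiration is set but "
                        "cache_credentials is FALSE, so offline login is impossible")
    # account_cache_expiration must be >= offline_credentials_expiration;
    # otherwise entries are purged while offline logins would still be allowed.
    if acct_exp and (offline_exp == 0 or acct_exp < offline_exp):
        findings.append(f"{sec}: account_cache_expiration={acct_exp} days is below "
                        f"offline_credentials_expiration={offline_exp or 'unlimited'}")
    return findings


def entry_in_range(cp, domain, uid: int, primary_gid: int) -> bool:
    """min_id/max_id as applied to a user: UID and primary GID must both fit."""
    sec = f"domain/{domain}"
    min_id = cp.getint(sec, "min_id", fallback=1)
    max_id = cp.getint(sec, "max_id", fallback=0)   # 0 = no upper limit

    def in_range(value: int) -> bool:
        return value >= min_id and (max_id == 0 or value <= max_id)

    return in_range(uid) and in_range(primary_gid)


def would_cache_first_factor(cp, domain, first_factor: str) -> bool:
    """Whether the long-term password of a 2FA login would be hashed into the cache."""
    sec = f"domain/{domain}"
    if not cp.getboolean(sec, "cache_credentials", fallback=False):
        return False
    min_len = cp.getint(sec, "cache_credentials_minimal_first_factor_length", fallback=8)
    return len(first_factor) >= min_len


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for finding in audit_domain(conf, "corp.example"):
        print(finding)
```

The constructed configuration is deliberately inconsistent (14 days of cache retention against 30 days of permitted offline logins) so that the audit reports it; raising account_cache_expiration to 60 makes the findings list empty.
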
1278       pwd_expiration_warning (integer)
1279           Display a warning N days before the password expires.
1280
1281           If set to zero, this filter is not applied, i.e. if an expiration
1282           warning is received from the backend server, it is displayed
1283           automatically.
1284
1285           Please note that the backend server has to provide information
1286           about the expiration time of the password. If this information is
1287           missing, sssd cannot display a warning. Also an auth provider has
1288           to be configured for the backend.
1289
1290           Default: 7 (Kerberos), 0 (LDAP)
1291
1292       id_provider (string)
1293           The identification provider used for the domain. Supported ID
1294           providers are:
1295
1296           “proxy”: Support a legacy NSS provider.
1297
1298           “files”: FILES provider. See sssd-files(5) for more information on
1299           how to mirror local users and groups into SSSD.
1300
1301           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1302           configuring LDAP.
1303
1304           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1305           See sssd-ipa(5) for more information on configuring FreeIPA.
1306
1307           “ad”: Active Directory provider. See sssd-ad(5) for more
1308           information on configuring Active Directory.
1309
1310       use_fully_qualified_names (bool)
1311           Use the full name and domain (as formatted by the domain's
1312           full_name_format) as the user's login name reported to NSS.
1313
1314           If set to TRUE, all requests to this domain must use fully
1315           qualified names. For example, if used in the LOCAL domain that
1316           contains a "test" user, getent passwd test wouldn't find the user
1317           while getent passwd test@LOCAL would.
1318
1319           NOTE: This option has no effect on netgroup lookups due to their
1320           tendency to include nested netgroups without qualified names. For
1321           netgroups, all domains will be searched when an unqualified name is
1322           requested.
1323
1324           Default: FALSE (TRUE if default_domain_suffix is used)
1325
1326       ignore_group_members (bool)
1327           Do not return group members for group lookups.
1328
1329           If set to TRUE, the group membership attribute is not requested
1330           from the ldap server, and group members are not returned when
1331           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1332           As an effect, “getent group $groupname” would return the requested
1333           group as if it was empty.
1334
1335           Enabling this option can also make access provider checks for group
1336           membership significantly faster, especially for groups containing
1337           many members.
1338
1339           Default: FALSE
1340
1341       auth_provider (string)
1342           The authentication provider used for the domain. Supported auth
1343           providers are:
1344
1345           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1346           information on configuring LDAP.
1347
1348           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1349           information on configuring Kerberos.
1350
1351           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1352           See sssd-ipa(5) for more information on configuring FreeIPA.
1353
1354           “ad”: Active Directory provider. See sssd-ad(5) for more
1355           information on configuring Active Directory.
1356
1357           “proxy” for relaying authentication to some other PAM target.
1358
1359           “none” disables authentication explicitly.
1360
1361           Default: “id_provider” is used if it is set and can handle
1362           authentication requests.
1363
1364       access_provider (string)
1365           The access control provider used for the domain. There are two
1366           built-in access providers (in addition to any included in installed
1367           backends). Internal special providers are:
1368
1369           “permit” always allows access. It's the only permitted access
1370           provider for a local domain.
1371
1372           “deny” always denies access.
1373
1374           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1375           information on configuring LDAP.
1376
1377           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1378           See sssd-ipa(5) for more information on configuring FreeIPA.
1379
1380           “ad”: Active Directory provider. See sssd-ad(5) for more
1381           information on configuring Active Directory.
1382
1383           “simple” access control based on access or deny lists. See sssd-
1384           simple(5) for more information on configuring the simple access
1385           module.
1386
1387           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1388           information on configuring Kerberos.
1389
1390           “proxy” for relaying access control to another PAM module.
1391
1392           Default: “permit”
1393
1394       chpass_provider (string)
1395           The provider which should handle change password operations for the
1396           domain. Supported change password providers are:
1397
1398           “ldap” to change a password stored in a LDAP server. See sssd-
1399           ldap(5) for more information on configuring LDAP.
1400
1401           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1402           information on configuring Kerberos.
1403
1404           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1405           See sssd-ipa(5) for more information on configuring FreeIPA.
1406
1407           “ad”: Active Directory provider. See sssd-ad(5) for more
1408           information on configuring Active Directory.
1409
1410           “proxy” for relaying password changes to some other PAM target.
1411
1412           “none” disallows password changes explicitly.
1413
1414           Default: “auth_provider” is used if it is set and can handle change
1415           password requests.
1416
1417       sudo_provider (string)
1418           The SUDO provider used for the domain. Supported SUDO providers
1419           are:
1420
1421           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1422           information on configuring LDAP.
1423
1424           “ipa” the same as “ldap” but with IPA default settings.
1425
1426           “ad” the same as “ldap” but with AD default settings.
1427
1428           “none” disables SUDO explicitly.
1429
1430           Default: The value of “id_provider” is used if it is set.
1431
1432           The detailed instructions for configuration of sudo_provider are in
1433           the manual page sssd-sudo(5). There are many configuration options
1434           that can be used to adjust the behavior. Please refer to
1435           "ldap_sudo_*" in sssd-ldap(5).
1436
1437           NOTE: Sudo rules are periodically downloaded in the background
1438           unless the sudo provider is explicitly disabled. Set sudo_provider
1439           = None to disable all sudo-related activity in SSSD if you do not
1440           want to use sudo with SSSD at all.
1441
1442       selinux_provider (string)
1443           The provider which should handle loading of selinux settings. Note
1444           that this provider will be called right after the access provider
1445           finishes. Supported selinux providers are:
1446
1447           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1448           for more information on configuring IPA.
1449
1450           “none” disallows fetching selinux settings explicitly.
1451
1452           Default: “id_provider” is used if it is set and can handle selinux
1453           loading requests.
1454
1455       subdomains_provider (string)
1456           The provider which should handle fetching of subdomains. This value
1457           should always be the same as id_provider. Supported subdomain
1458           providers are:
1459
1460           “ipa” to load a list of subdomains from an IPA server. See sssd-
1461           ipa(5) for more information on configuring IPA.
1462
1463           “ad” to load a list of subdomains from an Active Directory server.
1464           See sssd-ad(5) for more information on configuring the AD provider.
1465
1466           “none” disallows fetching subdomains explicitly.
1467
1468           Default: The value of “id_provider” is used if it is set.
1469
1470       session_provider (string)
1471           The provider which configures and manages user session related
1472           tasks. The only user session task currently provided is the
1473           integration with Fleet Commander, which works only with IPA.
1474           Supported session providers are:
1475
1476           “ipa” to allow performing user session related tasks.
1477
1478           “none” does not perform any kind of user session related tasks.
1479
1480           Default: “id_provider” is used if it is set and can perform session
1481           related tasks.
1482
1483           NOTE: In order to have this feature working as expected SSSD must
1484           be running as "root" and not as the unprivileged user.
1485
1486       autofs_provider (string)
1487           The autofs provider used for the domain. Supported autofs providers
1488           are:
1489
1490           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1491           information on configuring LDAP.
1492
1493           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1494           more information on configuring IPA.
1495
1496           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1497           information on configuring the AD provider.
1498
1499           “none” disables autofs explicitly.
1500
1501           Default: The value of “id_provider” is used if it is set.
1502
1503       hostid_provider (string)
1504           The provider used for retrieving host identity information.
1505           Supported hostid providers are:
1506
1507           “ipa” to load host identity stored in an IPA server. See sssd-
1508           ipa(5) for more information on configuring IPA.
1509
1510           “none” disables hostid explicitly.
1511
1512           Default: The value of “id_provider” is used if it is set.
1513
1514       re_expression (string)
1515           Regular expression for this domain that describes how to parse the
1516           string containing user name and domain into these components. The
1517           "domain" can match either the SSSD configuration domain name, or,
1518           in the case of IPA trust subdomains and Active Directory domains,
1519           the flat (NetBIOS) name of the domain.
1520
1521           Default for the AD and IPA provider:
1522           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1523           which allows three different styles for user names:
1524
1525           ·   username
1526
1527           ·   username@domain.name
1528
1529           ·   domain\username
1530
1531           While the first two correspond to the general default the third one
1532           is introduced to allow easy integration of users from Windows
1533           domains.
1534
1535           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1536           "the name is everything up to the “@” sign, the domain everything
1537           after that"
1538
1539           NOTE: Some Active Directory groups, typically those used for MS
1540           Exchange contain an “@” sign in the name, which clashes with the
1541           default re_expression value for the AD and IPA providers. To
1542           support these groups, consider changing the re_expression value to:
1543           “((?P<name>.+)@(?P<domain>[^@]+$))”.
1544
1545       full_name_format (string)
1546           A printf(3)-compatible format that describes how to compose a fully
1547           qualified name from user name and domain name components.
1548
1549           The following expansions are supported:
1550
1551           %1$s
1552               user name
1553
1554           %2$s
1555               domain name as specified in the SSSD config file.
1556
1557           %3$s
1558               domain flat name. Mostly usable for Active Directory domains,
1559               both directly configured or discovered via IPA trusts.
1560
1561           Default: “%1$s@%2$s”.
1562
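The following Python snippet is an added example; it is not part of the sssd.conf man page or of SSSD's own code. It reproduces the re_expression splitting described above for the AD/IPA default, the generic default and the Exchange-friendly alternative, together with the full_name_format expansion, so the effect of each pattern on the three login styles (and on a group name containing “@”) can be checked before a production domain is changed. Matching the parsed domain against configured and flat names uses a constructed domain table; the case-insensitive comparison there and the splitting of the AD/IPA pattern into its three alternatives (Python's re module refuses a pattern that defines the same group name twice) are assumptions of this example.

```python
import re

# Default re_expression of the AD and IPA providers, split into its three
# alternatives. SSSD hands the whole alternation to PCRE; Python's re module
# refuses a pattern that defines <name> or <domain> twice, so each branch is
# tried in turn, in the order PCRE tries them at the start of the string.
AD_IPA_DEFAULT = (
    r"(?P<domain>[^\\]+)\\(?P<name>.+$)",   # domain\username
    r"(?P<name>[^@]+)@(?P<domain>.+$)",     # username@domain.name
    r"^(?P<name>[^@\\]+)$",                 # bare username
)

# Default re_expression of every other provider (ldap, krb5, proxy, ...).
GENERIC_DEFAULT = (r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)",)

# Alternative recommended in the man page for AD groups with "@" in the name.
EXCHANGE_FRIENDLY = (r"((?P<name>.+)@(?P<domain>[^@]+$))",)

# Constructed domain table for this example: configured SSSD domain name ->
# flat (NetBIOS) name, None where the domain has no flat name.
DOMAINS = {
    "ipa.example.com": None,
    "ad.example.com": "CORP",
}


def parse_name(login, re_expression=AD_IPA_DEFAULT):
    """Split a login string into (name, domain) as re_expression would.

    The domain component is "" when the login carries none. None means
    no branch of the pattern matched the string at all.
    """
    for pattern in re_expression:
        match = re.match(pattern, login)
        if match:
            parts = match.groupdict()
            return parts["name"], parts.get("domain") or ""
    return None


def resolve_domain(domain_part, domains=DOMAINS):
    """Map the parsed domain component to a configured SSSD domain.

    Both the configured name and the flat name are accepted, as the man page
    states for AD domains and IPA trust subdomains. Comparing case-insensitively
    is an assumption of this example, not a statement about SSSD internals.
    """
    wanted = domain_part.lower()
    for config_name, flat_name in domains.items():
        if wanted == config_name.lower() or (flat_name and wanted == flat_name.lower()):
            return config_name
    return None


def compose_full_name(fmt, name, domain, flat_name=""):
    """Expand a full_name_format string: %1$s name, %2$s configured domain,
    %3$s flat name. A single regex pass over fmt means a user name that
    itself contains a literal "%2$s" is never re-expanded."""
    values = {"1": name, "2": domain, "3": flat_name}
    return re.sub(r"%([123])\$s", lambda m: values[m.group(1)], fmt)


if __name__ == "__main__":
    for login in (r"CORP\jdoe", "jdoe@ad.example.com", "jdoe",
                  "Exchange Online@Admins@ad.example.com"):
        print(f"{login!r:45} AD/IPA default -> {parse_name(login)}")
        print(f"{'':45} Exchange regex -> {parse_name(login, EXCHANGE_FRIENDLY)}")
    name, domain = parse_name(r"CORP\jdoe")
    print(compose_full_name("%1$s@%2$s", name, resolve_domain(domain)))
```

Two results are worth noting when weighing the Exchange-friendly pattern: with the AD/IPA default a group such as “Exchange Online@Admins@ad.example.com” is split at the first “@”, so the domain component becomes “Admins@ad.example.com” and the lookup is routed to a domain that does not exist; with the alternative pattern the split happens at the last “@”, but that pattern has no branch for a bare user name, so “jdoe” on its own no longer matches. Test both shapes of input against any custom re_expression before deploying it.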
1563       lookup_family_order (string)
1564           Provides the ability to select preferred address family to use when
1565           performing DNS lookups.
1566
1567           Supported values:
1568
1569           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1570
1571           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1572
1573           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1574
1575           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1576
1577           Default: ipv4_first
1578
1579       dns_resolver_timeout (integer)
1580           Defines the amount of time (in seconds) to wait for a reply from
1581           the internal fail over service before assuming that the service is
1582           unreachable. If this timeout is reached, the domain will continue
1583           to operate in offline mode.
1584
1585           Please see the section “FAILOVER” for more information about the
1586           service resolution.
1587
1588           Default: 6
1589
1590       dns_discovery_domain (string)
1591           If service discovery is used in the back end, specifies the domain
1592           part of the service discovery DNS query.
1593
1594           Default: Use the domain part of machine's hostname
1595
1596       override_gid (integer)
1597           Override the primary GID value with the one specified.
1598
1599       case_sensitive (string)
1600           Treat user and group names as case sensitive. Possible option
1601           values are:
1602
1603           True
1604               Case sensitive. This value is invalid for AD provider.
1605
1606           False
1607               Case insensitive.
1608
1609           Preserving
1610               Same as False (case insensitive), but does not lowercase names
1611               in the result of NSS operations. Note that name aliases (and in
1612               case of services also protocol names) are still lowercased in
1613               the output.
1614
1615           Default: True (False for AD provider)
1616
1617       subdomain_inherit (string)
1618           Specifies a list of configuration parameters that should be
1619           inherited by a subdomain. Please note that only selected parameters
1620           can be inherited. Currently the following options can be inherited:
1621
1622           ignore_group_members
1623
1624           ldap_purge_cache_timeout
1625
1626           ldap_use_tokengroups
1627
1628           ldap_user_principal
1629
1630           ldap_krb5_keytab (the value of krb5_keytab will be used if
1631           ldap_krb5_keytab is not set explicitly)
1632
1633           Example:
1634
1635               subdomain_inherit = ldap_purge_cache_timeout
1636
1637
1638           Default: none
1639
1640           Note: This option only works with the IPA and AD provider.
1641
1642       subdomain_homedir (string)
1643           Use this homedir as the default value for all subdomains within
1644           this domain in an IPA AD trust. See override_homedir for info about
1645           possible values. In addition to those, the expansion below can only
1646           be used with subdomain_homedir.
1647
1648           %F
1649               flat (NetBIOS) name of a subdomain.
1650
1651           The value can be overridden by override_homedir option.
1652
1653           Default: /home/%d/%u
1654
1655       realmd_tags (string)
1656           Various tags stored by the realmd configuration service for this
1657           domain.
1658
1659       cached_auth_timeout (int)
1660           Specifies time in seconds since last successful online
1661           authentication for which user will be authenticated using cached
1662           credentials while SSSD is in the online mode. If the credentials
1663           are incorrect, SSSD falls back to online authentication.
1664
1665           This option's value is inherited by all trusted domains. At the
1666           moment it is not possible to set a different value per trusted
1667           domain.
1668
1669           Special value 0 implies that this feature is disabled.
1670
1671           Please note that if “cached_auth_timeout” is longer than
1672           “pam_id_timeout” then the back end could be called to handle
1673           “initgroups.”
1674
1675           Default: 0
1676
1677       auto_private_groups (string)
1678           This option takes any of three available values:
1679
1680           true
1681               Create user's private group unconditionally from user's UID
1682               number. The GID number is ignored in this case.
1683
1684               NOTE: Because the GID number and the user private group are
1685               inferred from the UID number, it is not supported to have
1686               multiple entries with the same UID or GID number with this
1687               option. In other words, enabling this option enforces
1688               uniqueness across the ID space.
1689
1690           false
1691               Always use the user's primary GID number. The GID number must
1692               refer to a group object in the LDAP database.
1693
1694           hybrid
1695               A primary group is autogenerated for user entries whose UID and
1696               GID numbers have the same value and at the same time the GID
1697               number does not correspond to a real group object in LDAP. If
1698               the values are the same, but the primary GID in the user entry
1699               is also used by a group object, the primary GID of the user
1700               resolves to that group object.
1701
1702               If the UID and GID of a user are different, then the GID must
1703               correspond to a group entry, otherwise the GID is simply not
1704               resolvable.
1705
1706               This feature is useful for environments that wish to stop
1707               maintaining separate group objects for the user private
1708               groups, but also wish to retain the existing user private
1709               groups.
1710
1711           For subdomains, the default value is False for subdomains that use
1712           assigned POSIX IDs and True for subdomains that use automatic
1713           ID-mapping.
1714
1715           The value of auto_private_groups can either be set per subdomain
1716           in a subsection, for example:
1717
1718               [domain/forest.domain/sub.domain]
1719               auto_private_groups = false
1720
1721           or globally for all subdomains in the main domain section using the
1722           subdomain_inherit option:
1723
1724               [domain/forest.domain]
1725               subdomain_inherit = auto_private_groups
1726               auto_private_groups = false
1727
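The decision table below is an added example written for this page (Python, not SSSD code). It applies the three auto_private_groups modes described above to a constructed set of user and group entries, and also checks the ID-space uniqueness that the true mode depends on. All UIDs, GIDs and names are made up for the illustration.

```python
# Constructed sample data for this example (not from a real directory): the
# uidNumber/gidNumber a user entry carries, and the gidNumber values that
# belong to real group objects.
USERS = {
    "alice": {"uid": 10001, "gid": 10001},  # uid == gid, no group object owns that GID
    "bob":   {"uid": 10002, "gid": 10002},  # uid == gid, but a real group owns that GID
    "carol": {"uid": 10003, "gid": 20000},  # uid != gid, primary GID is a real group
    "dave":  {"uid": 10004, "gid": 30000},  # uid != gid, primary GID matches no group
}
GROUPS = {10002: "bob-team", 20000: "developers"}


def resolve_primary_group(user, groups, mode):
    """Return (gid, source) for a user under one auto_private_groups setting.

    source is "private" when SSSD would synthesise a user private group,
    "ldap" when the GID resolves to a real group object, and None when the
    GID is not resolvable at all.
    """
    uid, gid = user["uid"], user["gid"]
    if mode == "true":
        # The private group is derived from the UID; gidNumber is ignored.
        return uid, "private"
    if mode == "false":
        # gidNumber must name an existing group object.
        return (gid, "ldap") if gid in groups else (gid, None)
    if mode == "hybrid":
        # Synthesise a private group only when uid == gid AND no real group
        # already owns that GID; otherwise behave exactly like "false".
        if uid == gid and gid not in groups:
            return uid, "private"
        return (gid, "ldap") if gid in groups else (gid, None)
    raise ValueError(f"unsupported auto_private_groups value: {mode!r}")


def id_space_collisions(users, groups):
    """IDs that break the uniqueness auto_private_groups = true relies on.

    Every UID doubles as a GID, so a UID shared by two users, or equal to the
    GID of an existing group object, maps two objects onto one ID.
    """
    uids_seen = set()
    collisions = set()
    for entry in users.values():
        uid = entry["uid"]
        if uid in uids_seen or uid in groups:
            collisions.add(uid)
        uids_seen.add(uid)
    return sorted(collisions)


def resolve_all(users, groups, mode):
    """{user name: (gid, source)} for every sample user under one mode."""
    return {name: resolve_primary_group(entry, groups, mode)
            for name, entry in users.items()}


if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        print(f"auto_private_groups = {mode}")
        for name, (gid, source) in resolve_all(USERS, GROUPS, mode).items():
            print(f"  {name:6} gid={gid:<6} {source or 'UNRESOLVABLE'}")
    print("IDs violating uniqueness under 'true':", id_space_collisions(USERS, GROUPS))
```

Running it shows why hybrid exists: alice keeps her private group, bob's identical uid/gid resolves to the real bob-team group rather than a synthesised one, and dave's dangling GID stays unresolvable in both false and hybrid. It also shows that switching the same data to true would silently make bob's private group share GID 10002 with bob-team, which is the collision the NOTE above warns about.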
1728
1729       Options valid for proxy domains.
1730
1731       proxy_pam_target (string)
1732           The proxy target PAM proxies to.
1733
1734           Default: not set by default, you have to take an existing pam
1735           configuration or create a new one and add the service name here.
1736
1737       proxy_lib_name (string)
1738           The name of the NSS library to use in proxy domains. The NSS
1739           functions searched for in the library are in the form of
1740           _nss_$(libName)_$(function), for example _nss_files_getpwent.
1741
1742       proxy_fast_alias (boolean)
1743           When a user or group is looked up by name in the proxy provider, a
1744           second lookup by ID is performed to "canonicalize" the name in case
1745           the requested name was an alias. Setting this option to true causes
1746           SSSD to perform the ID lookup from the cache for performance
1747           reasons.
1748
1749           Default: false
1750
1751       proxy_max_children (integer)
1752           This option specifies the number of pre-forked proxy children. It
1753           is useful for high-load SSSD environments where sssd may run out of
1754           available child slots, which would cause some issues due to the
1755           requests being queued.
1756
1757           Default: 10
1758
1759   Application domains
1760       SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
1761       applications as a gateway to an LDAP directory where users and groups
1762       are stored. However, contrary to the traditional SSSD deployment where
1763       all users and groups either have POSIX attributes or those attributes
1764       can be inferred from the Windows SIDs, in many cases the users and
1765       groups in the application support scenario have no POSIX attributes.
1766       Instead of setting a “[domain/NAME]” section, the administrator can set
1767       up an “[application/NAME]” section that internally represents a domain
1768       of type “application” and optionally inherits settings from a
1769       traditional SSSD domain.
1770
1771       Please note that the application domain must still be explicitly
1772       enabled in the “domains” parameter so that the lookup order between the
1773       application domain and its POSIX sibling domain is set correctly.
1774
1775       Application domain parameters
1776
1777       inherit_from (string)
1778           The SSSD POSIX-type domain the application domain inherits all
1779           settings from. The application domain can moreover add its own
1780           settings to the application settings that augment or override the
1781           “sibling” domain settings.
1782
1783           Default: Not set
1784
1785       The following example illustrates the use of an application domain. In
1786       this setup, the POSIX domain is connected to an LDAP server and is used
1787       by the OS through the NSS responder. In addition, the application
1788       domain also requests the telephoneNumber attribute, stores it as the
1789       phone attribute in the cache and makes the phone attribute reachable
1790       through the D-Bus interface.
1791
1792           [sssd]
1793           domains = appdom, posixdom
1794
1795           [ifp]
1796           user_attributes = +phone
1797
1798           [domain/posixdom]
1799           id_provider = ldap
1800           ldap_uri = ldap://ldap.example.com
1801           ldap_search_base = dc=example,dc=com
1802
1803           [application/appdom]
1804           inherit_from = posixdom
1805           ldap_user_extra_attrs = phone:telephoneNumber
1806

TRUSTED DOMAIN SECTION

1808       Some options used in the domain section can also be used in the trusted
1809       domain section, that is, in a section called
1810       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
1811       actual joined-to base domain. Please refer to the examples below for
1812       explanation. Currently supported options in the trusted domain section
1813       are:
1814
1815       ldap_search_base,
1816
1817       ldap_user_search_base,
1818
1819       ldap_group_search_base,
1820
1821       ldap_netgroup_search_base,
1822
1823       ldap_service_search_base,
1824
1825       ldap_sasl_mech,
1826
1827       ad_server,
1828
1829       ad_backup_server,
1830
1831       ad_site,
1832
1833       use_fully_qualified_names
1834
1835       For more details about these options see their individual description
1836       in the manual page.
1837

CERTIFICATE MAPPING SECTION

1839       To allow authentication with Smartcards and certificates SSSD must be
1840       able to map certificates to users. This can be done by adding the full
1841       certificate to the LDAP object of the user or to a local override.
1842       While using the full certificate is required to use the Smartcard
1843       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
1844       details) it might be cumbersome or not even possible to do this for the
1845       general case where local services use PAM for authentication.
1846
1847       To make the mapping more flexible, mapping and matching rules were
1848       added to SSSD (see sss-certmap(5) for details).
1849
1850       A mapping and matching rule can be added to the SSSD configuration in a
1851       section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
1852       In this section the following options are allowed:
1853
1854       matchrule (string)
1855           Only certificates from the Smartcard which match this rule will
1856           be processed; all others are ignored.
1857
1858           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
1859           the Extended Key Usage “clientAuth”
1860
1861       maprule (string)
1862           Defines how the user is found for a given certificate.
1863
1864           Default:
1865
1866           ·   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
1867               providers like “ldap”, “AD” or “ipa”.
1868
1869           ·   The RULE_NAME for the “files” provider which tries to find a
1870               user with the same name.
1871
1872
1873       domains (string)
1874           Comma separated list of domain names the rule should be applied
1875           to. By default a rule is only valid in the domain configured in
1876           sssd.conf. If the provider supports subdomains this option can be
1877           used to add the rule to subdomains as well.
1878
1879           Default: the configured domain in sssd.conf
1880
1881       priority (integer)
1882           Unsigned integer value defining the priority of the rule. The
1883           higher the number the lower the priority.  “0” stands for the
1884           highest priority while “4294967295” is the lowest.
1885
1886           Default: the lowest priority
1887
1888       To make the configuration simple and reduce the number of configuration
1889       options, the “files” provider has some special properties:
1890
1891       ·   if maprule is not set the RULE_NAME name is assumed to be the name
1892           of the matching user
1893
1894       ·   if a maprule is used, either a single user name or a template like
1895           “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
1896           e.g. “(username)” or “({subject_rfc822_name.short_name})”
1897
1898       ·   the “domains” option is ignored
1899
1900
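To see how the section name, the defaults and the files-provider special cases above combine, here is an added Python example (not SSSD code) that parses the “[certmap/DOMAIN/RULE]” sections out of a constructed sssd.conf excerpt and lists the rules that apply to a given domain in priority order. The excerpt reuses the two rules from example 3 in the EXAMPLES section and adds made-up “[domain/...]” sections so the provider of each domain is known. Representing the files provider's implicit maprule as “(RULE_NAME)” mirrors the parenthesised form the page requires for an explicit one and is an assumption of this example, as is parsing with Python's configparser, which happens to share sssd.conf's “#”/“;” full-line-only comment rules.

```python
import configparser

LOWEST_PRIORITY = 4294967295            # used when no priority is configured
DEFAULT_MATCHRULE = "KRB5:<EKU>clientAuth"
DEFAULT_LDAP_MAPRULE = "LDAP:(userCertificate;binary={cert!bin})"

# Constructed sssd.conf excerpt for this example. The certmap sections come
# from the man page's example 3; the [domain/...] sections are made up so the
# id_provider of each domain can be looked up.
SAMPLE_CONF = """
[sssd]
domains = my.domain, files

[domain/my.domain]
id_provider = ldap

[domain/files]
id_provider = files

[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
"""


def load_certmap_rules(conf_text):
    """Parse every [certmap/DOMAIN/RULE] section and fill in the documented defaults."""
    # sssd.conf only uses "=", and values legitimately contain ":" and "$",
    # so restrict the delimiter and disable %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    rules = []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue
        _, domain, rule_name = parts
        opts = cp[section]
        provider = cp.get(f"domain/{domain}", "id_provider", fallback=None)
        if provider == "files":
            # files provider: RULE_NAME names the user unless a maprule is
            # given, and the "domains" option is ignored.
            maprule = opts.get("maprule", f"({rule_name})")
            domains = [domain]
        else:
            maprule = opts.get("maprule", DEFAULT_LDAP_MAPRULE)
            domains = [d.strip() for d in opts.get("domains", domain).split(",") if d.strip()]
        priority = int(opts.get("priority", LOWEST_PRIORITY))
        if not 0 <= priority <= LOWEST_PRIORITY:
            raise ValueError(f"{section}: priority {priority} is not an unsigned 32-bit value")
        rules.append({
            "name": rule_name,
            "domain": domain,
            "matchrule": opts.get("matchrule", DEFAULT_MATCHRULE),
            "maprule": maprule,
            "domains": domains,
            "priority": priority,
        })
    return rules


def rules_for_domain(rules, domain):
    """Rules that apply to `domain`, most important first (0 is the highest priority)."""
    return sorted((r for r in rules if domain in r["domains"]), key=lambda r: r["priority"])


if __name__ == "__main__":
    all_rules = load_certmap_rules(SAMPLE_CONF)
    for dom in ("my.domain", "your.domain", "files"):
        for rule in rules_for_domain(all_rules, dom):
            print(f"{dom:12} prio={rule['priority']:<10} {rule['name']}: {rule['maprule']}")
```

Note that the rule named “rule_name” is listed for “your.domain” even though no such domain is configured in the excerpt: the parser only records what the “domains” option says, and whether SSSD actually has a matching subdomain is decided at runtime by the provider.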

PROMPTING CONFIGURATION SECTION

1902       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
1903       SSSD's PAM module pam_sss will ask SSSD to figure out which
1904       authentication methods are available for the user trying to log in.
1905       Based on the results pam_sss will prompt the user for appropriate
1906       credentials.
1907
1908       With the growing number of authentication methods and the possibility
1909       that there are multiple ones for a single user the heuristic used by
1910       pam_sss to select the prompting might not be suitable for all use
1911       cases. The following options should provide a better flexibility here.
1912
1913       Each supported authentication method has its own configuration
1914       subsection under “[prompting/...]”. Currently there are:
1915
1916       [prompting/password]
1917           to configure password prompting, allowed options are:
1918
1919           password_prompt
1920               to change the string of the password prompt
1921
1922
1923       [prompting/2fa]
1924           to configure two-factor authentication prompting, allowed options
1925           are:
1926
1927           first_prompt
1928               to change the string of the prompt for the first factor
1929
1930           second_prompt
1931               to change the string of the prompt for the second factor
1932
1933           single_prompt
1934               boolean value, if True there will be only a single prompt using
1935               the value of first_prompt where it is expected that both
1936               factors are entered as a single string
1937
1938
1939       It is possible to add a subsection for specific PAM services, e.g.
1940       “[prompting/password/sshd]”, to individually change the prompting for
1941       this service.
1942

EXAMPLES

1944       1. The following example shows a typical SSSD config. It does not
1945       describe configuration of the domains themselves - refer to
1946       documentation on configuring domains for more details.
1947
1948           [sssd]
1949           domains = LDAP
1950           services = nss, pam
1951           config_file_version = 2
1952
1953           [nss]
1954           filter_groups = root
1955           filter_users = root
1956
1957           [pam]
1958
1959           [domain/LDAP]
1960           id_provider = ldap
1961           ldap_uri = ldap://ldap.example.com
1962           ldap_search_base = dc=example,dc=com
1963
1964           auth_provider = krb5
1965           krb5_server = kerberos.example.com
1966           krb5_realm = EXAMPLE.COM
1967           cache_credentials = true
1968
1969           min_id = 10000
1970           max_id = 20000
1971           enumerate = False
1972
1973       2. The following example shows the configuration of an IPA AD trust
1974       where the AD forest consists of two domains in a parent-child structure.
1975       Suppose the IPA domain (ipa.com) has a trust with the AD domain (ad.com)
1976       and ad.com has a child domain (child.ad.com). To enable short names in
1977       the child domain the following configuration should be used.
1978
1979           [domain/ipa.com/child.ad.com]
1980           use_fully_qualified_names = false
1981
1982       3. The following example shows the configuration for two certificate
1983       mapping rules. The first is valid for the configured domain “my.domain”
1984       and additionally for the subdomain “your.domain”, and uses the full
1985       certificate in the search filter. The second example is valid for the
1986       domain “files” where it is assumed the files provider is used for this
1987       domain and contains a matching rule for the local user “myname”.
1988
1989           [certmap/my.domain/rule_name]
1990           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
1991           maprule = (userCertificate;binary={cert!bin})
1992           domains = my.domain, your.domain
1993           priority = 10
1994
1995           [certmap/files/myname]
1996           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
1997
1998

SEE ALSO

2000       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2001       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2002       recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2003       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2004       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5),
2005       sssd-systemtap(5).
2006

AUTHORS

2008       The SSSD upstream - https://pagure.io/SSSD/sssd/
2009
2010
2011
2012SSSD                              10/22/2019                      SSSD.CONF(5)