SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)

sssd.conf - the configuration file for SSSD

The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of a
section with single and multi-valued parameters:

    [section]
    key = value
    key2 = value2,value3

The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).

A comment line starts with a hash sign (“#”) or a semicolon (“;”).
Inline comments are not supported.

All sections can have an optional description parameter. Its function
is only as a label for the section.

sssd.conf must be a regular file, owned by root and only root may read
from or write to the file.

The configuration file sssd.conf will include configuration snippets
using the include directory conf.d. This feature is available if SSSD
was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with
a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than
sssd.conf and will override sssd.conf when conflicts occur. If several
snippets are present in conf.d, then they are included in alphabetical
order (based on locale). Files included later have higher priority.
Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
visualize the priority (higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf,
which are by default root:root and 0600.
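
The following Python sketch is an added example, not SSSD code. It applies the rules above to a directory tree: it selects the conf.d snippets, merges them over sssd.conf in priority order, records which file supplied each effective value, and reports files that are not regular, not owned by the expected uid, or readable by group or other. All function names are hypothetical, using lstat (so a symlink is reported rather than followed) is a choice of this example, and the demo uses the current uid in place of root because it runs on constructed files in a temporary directory.

```python
import configparser
import locale
import os
import stat
import tempfile
from pathlib import Path


def check_file(path, expected_uid=0):
    """Return a list of ownership/permission problems for one config file."""
    st = os.lstat(path)  # lstat: a symlink is reported, not followed
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit gives access to someone besides the owner
        problems.append(f"{path}: mode {mode:04o} is wider than 0600")
    return problems


def snippet_names(conf_dir):
    """Names in conf.d that qualify as snippets, lowest priority first."""
    names = [n for n in os.listdir(conf_dir)
             if n.endswith(".conf") and not n.startswith(".")]
    # "Alphabetical order (based on locale)": collate with the process locale.
    return sorted(names, key=locale.strxfrm)


def read_ini(path):
    """Parse one file into {section: {key: value}}, keeping '%' and case as-is."""
    parser = configparser.ConfigParser(
        interpolation=None,            # values such as %1$s must stay literal
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,  # inline comments are not supported
        strict=False,
    )
    parser.optionxform = str           # do not lowercase option names
    parser.read(path, encoding="utf-8")
    return {s: dict(parser.items(s)) for s in parser.sections()}


def load_effective(main_conf, conf_dir, expected_uid=0):
    """Merge sssd.conf with conf.d; return (settings, origin, problems)."""
    files = [Path(main_conf)]
    if os.path.isdir(conf_dir):
        files += [Path(conf_dir) / n for n in snippet_names(conf_dir)]
    settings, origin, problems = {}, {}, []
    for path in files:
        problems += check_file(path, expected_uid)  # reported, not enforced
        for section, items in read_ini(path).items():
            for key, value in items.items():
                settings.setdefault(section, {})[key] = value  # later file wins
                origin[(section, key)] = path.name
    return settings, origin, problems


def demo():
    """Build a constructed config tree in a temp dir and evaluate it."""
    with tempfile.TemporaryDirectory() as root:
        conf_d = Path(root, "conf.d")
        conf_d.mkdir()
        samples = {  # constructed sample files: path -> (content, mode)
            Path(root, "sssd.conf"): (
                "[sssd]\ndomains = example.com\n"
                "[pam]\noffline_credentials_expiration = 0\n", 0o600),
            conf_d / "01_base.conf": (
                "[pam]\noffline_credentials_expiration = 7\n", 0o600),
            conf_d / "02_site.conf": (
                "[pam]\noffline_credentials_expiration = 2\n"
                "[sssd]\nfull_name_format = %1$s@%2$s\n", 0o644),
            conf_d / ".hidden.conf": (
                "[pam]\noffline_credentials_expiration = 99\n", 0o600),
            conf_d / "notes.txt": (
                "[pam]\noffline_credentials_expiration = 98\n", 0o600),
        }
        for path, (content, mode) in samples.items():
            path.write_text(content, encoding="utf-8")
            os.chmod(path, mode)
        # The demo files belong to the current user, so that uid stands in for root.
        return load_effective(Path(root, "sssd.conf"), conf_d,
                              expected_uid=os.getuid())


if __name__ == "__main__":
    settings, origin, problems = demo()
    for (section, key), source in sorted(origin.items()):
        print(f"[{section}] {key} = {settings[section][key]}   (from {source})")
    for problem in problems:
        print("PROBLEM:", problem)
```

In the demo the effective value comes from 02_site.conf, the highest-priority snippet, which is also the one file flagged for mode 0644.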

The following options are usable in more than one configuration section.

Options usable in all sections
    debug_level (integer)
        SSSD supports two representations for specifying the debug level.
        The simplest is to specify a decimal value from 0-9, which
        represents enabling that level and all lower-level debug messages.
        The more comprehensive option is to specify a hexadecimal bitmask
        to enable or disable specific levels (such as if you wish to
        suppress a level).

        Please note that each SSSD service logs into its own log file. Also
        please note that enabling “debug_level” in the “[sssd]” section
        enables debugging only for the sssd process itself, not for
        the responder or provider processes. The “debug_level” parameter
        should be added to all sections that you wish to produce debug logs
        from.

        In addition to changing the log level in the config file using the
        “debug_level” parameter, which is persistent but requires an SSSD
        restart, it is also possible to change the debug level on the fly
        using the sss_debuglevel(8) tool.

        Currently supported debug levels:

        0, 0x0010: Fatal failures. Anything that would prevent SSSD from
        starting up or causes it to cease running.

        1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
        one that indicates that at least one major feature is not going to
        work properly.

        2, 0x0040: Serious failures. An error announcing that a particular
        request or operation has failed.

        3, 0x0080: Minor failures. These are the errors that would
        percolate down to cause the operation failure of 2.

        4, 0x0100: Configuration settings.

        5, 0x0200: Function data.

        6, 0x0400: Trace messages for operation functions.

        7, 0x1000: Trace messages for internal control functions.

        8, 0x2000: Contents of function-internal variables that may be
        interesting.

        9, 0x4000: Extremely low-level tracing information.

        To log required bitmask debug levels, simply add their numbers
        together as shown in the following examples:

        Example: To log fatal failures, critical failures, serious failures
        and function data use 0x0270.

        Example: To log fatal failures, configuration settings, function
        data, trace messages for internal control functions use 0x1310.

        Note: The bitmask format of debug levels was introduced in 1.7.0.

        Default: 0
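
The two representations can be converted into each other with the table above. The Python helper below is an added example, not part of SSSD: it expands a decimal level into the equivalent bitmask, decodes a bitmask into level numbers, and builds a mask with selected levels suppressed. It assumes that a value is in bitmask form when it carries a "0x" prefix, and rejecting bits that are not in the table is a choice of this example; all names are hypothetical.

```python
# Bit values in the order of the decimal levels 0..9, copied from the list above.
LEVEL_BITS = [0x0010, 0x0020, 0x0040, 0x0080, 0x0100,
              0x0200, 0x0400, 0x1000, 0x2000, 0x4000]
LEVEL_NAMES = ["fatal failures", "critical failures", "serious failures",
               "minor failures", "configuration settings", "function data",
               "operation function traces", "internal control function traces",
               "function-internal variables", "low-level tracing"]
ALL_BITS = sum(LEVEL_BITS)


def to_bitmask(value):
    """Convert a debug_level value (decimal 0-9 or 0x... bitmask) to an int mask."""
    text = str(value).strip().lower()
    if text.startswith("0x"):          # assumption: the prefix marks the bitmask form
        mask = int(text, 16)
        if mask & ~ALL_BITS:           # example's choice: flag bits not in the table
            raise ValueError(f"bits not in the level table: 0x{mask & ~ALL_BITS:04x}")
        return mask
    level = int(text, 10)
    if not 0 <= level <= 9:
        raise ValueError("decimal debug_level must be in the range 0-9")
    # A decimal level enables that level and every lower one.
    return sum(LEVEL_BITS[:level + 1])


def enabled_levels(value):
    """Level numbers (0-9) that a debug_level value switches on."""
    mask = to_bitmask(value)
    return [n for n, bit in enumerate(LEVEL_BITS) if mask & bit]


def suppress(value, *levels):
    """Return the hex string for `value` with the given level numbers removed."""
    mask = to_bitmask(value)
    for n in levels:
        mask &= ~LEVEL_BITS[n]
    return f"0x{mask:04x}"


if __name__ == "__main__":
    for sample in ("2", "7", "0x0270", "0x1310"):
        names = ", ".join(LEVEL_NAMES[n] for n in enabled_levels(sample))
        print(f"{sample:>7} -> 0x{to_bitmask(sample):04x}: {names}")
    # Level 6 without the minor-failure messages of level 3:
    print("6 minus level 3 ->", suppress("6", 3))
```

Note that the table has no 0x0800 bit, so decimal 7 corresponds to 0x17f0, not 0x0ff0.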

    debug (integer)
        SSSD 1.14 and later also includes the debug alias for debug_level
        as a convenience feature. If both are specified, the value of
        debug_level will be used.

    debug_timestamps (bool)
        Add a timestamp to the debug messages. If journald is enabled for
        SSSD debug logging this option is ignored.

        Default: true

    debug_microseconds (bool)
        Add microseconds to the timestamp in debug messages. If journald is
        enabled for SSSD debug logging this option is ignored.

        Default: false

Options usable in SERVICE and DOMAIN sections
    timeout (integer)
        Timeout in seconds between heartbeats for this service. This is
        used to ensure that the process is alive and capable of answering
        requests. Note that after three missed heartbeats the process will
        terminate itself.

        Default: 10

The [sssd] section
    Individual pieces of SSSD functionality are provided by special SSSD
    services that are started and stopped together with SSSD. The services
    are managed by a special service frequently called “monitor”. The
    “[sssd]” section is used to configure the monitor as well as some other
    important options like the identity domains.

    Section parameters

    config_file_version (integer)
        Indicates what the syntax of the config file is. SSSD 0.6.0 and
        later use version 2.

    services
        Comma separated list of services that are started when sssd itself
        starts. The services' list is optional on platforms where systemd
        is supported, as they will either be socket or D-Bus activated when
        needed.

        Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

        By default, all services are disabled and the administrator must
        enable the ones allowed to be used by executing: "systemctl enable
        sssd-@service@.socket".

    reconnection_retries (integer)
        Number of times services should attempt to reconnect in the event
        of a Data Provider crash or restart before they give up.

        Default: 3

    domains
        A domain is a database containing user information. SSSD can use
        several domains at the same time, but at least one must be configured
        or SSSD won't start. This parameter describes the list of domains
        in the order you want them to be queried. A domain name should only
        consist of alphanumeric ASCII characters, dashes, dots and
        underscores.

    re_expression (string)
        Default regular expression that describes how to parse the string
        containing user name and domain into these components.

        Each domain can have an individual regular expression configured.
        For some ID providers there are also default regular expressions.
        See DOMAIN SECTIONS for more info on these regular expressions.

    full_name_format (string)
        A printf(3)-compatible format that describes how to compose a fully
        qualified name from user name and domain name components.

        The following expansions are supported:

        %1$s
            user name

        %2$s
            domain name as specified in the SSSD config file.

        %3$s
            domain flat name. Mostly usable for Active Directory domains,
            both directly configured or discovered via IPA trusts.

        Each domain can have an individual format string configured. See
        DOMAIN SECTIONS for more info on this option.

    try_inotify (boolean)
        SSSD monitors the state of resolv.conf to identify when it needs to
        update its internal DNS resolver. By default, we will attempt to
        use inotify for this, and will fall back to polling resolv.conf
        every five seconds if inotify cannot be used.

        There are some limited situations where it is preferred that we
        should skip even trying to use inotify. In these rare cases, this
        option should be set to 'false'.

        Default: true on platforms where inotify is supported. False on
        other platforms.

        Note: this option will have no effect on platforms where inotify is
        unavailable. On these platforms, polling will always be used.

    krb5_rcache_dir (string)
        Directory on the filesystem where SSSD should store Kerberos replay
        cache files.

        This option accepts a special value __LIBKRB5_DEFAULTS__ that will
        instruct SSSD to let libkrb5 decide the appropriate location for
        the replay cache.

        Default: Distribution-specific and specified at build-time.
        (__LIBKRB5_DEFAULTS__ if not configured)

    user (string)
        The user to drop the privileges to where appropriate to avoid
        running as the root user. This option does not work when running
        socket-activated services, as the user set up to run the processes
        is set up during compilation time. The way to override the systemd
        unit files is by creating the appropriate files in
        /etc/systemd/system/. Keep in mind that any change in the socket
        user, group or permissions may result in a non-usable SSSD. The
        same may occur in case of changes of the user running the NSS
        responder.

        Default: not set, process will run as root

    default_domain_suffix (string)
        This string will be used as a default domain name for all names
        without a domain name component. The main use case is environments
        where the primary domain is intended for managing host policies and
        all users are located in a trusted domain. The option allows those
        users to log in just with their user name without giving a domain
        name as well.

        Please note that if this option is set all users from the primary
        domain have to use their fully qualified name, e.g.
        user@domain.name, to log in. Setting this option changes the default
        of use_fully_qualified_names to True. It is not allowed to use this
        option together with use_fully_qualified_names set to False. One
        exception from this rule are domains with “id_provider=files” that
        always try to match the behaviour of nss_files and therefore their
        output is not qualified even when the default_domain_suffix option
        is used.

        Default: not set

    override_space (string)
        This parameter will replace spaces (space bar) with the given
        character for user and group names, e.g. (_). User name "john doe"
        will be "john_doe". This feature was added to help compatibility
        with shell scripts that have difficulty handling spaces, due to the
        default field separator in the shell.

        Please note it is a configuration error to use a replacement
        character that might be used in user or group names. If a name
        contains the replacement character SSSD tries to return the
        unmodified name but in general the result of a lookup is undefined.

        Default: not set (spaces will not be replaced)

    certificate_verification (string)
        With this parameter the certificate verification can be tuned with
        a comma separated list of options. Supported options are:

        no_ocsp
            Disables Online Certificate Status Protocol (OCSP) checks. This
            might be needed if the OCSP servers defined in the certificate
            are not reachable from the client.

        ocsp_dgst
            Digest (hash) function used to create the certificate ID for
            the OCSP request. Allowed values are:

            · sha1

            · sha256

            · sha384

            · sha512

            Default: sha256

            (NSS Version) This option is ignored, because NSS uses sha1
            unconditionally.

        no_verification
            Disables verification completely. This option should only be
            used for testing.

        ocsp_default_responder=URL
            Sets the OCSP default responder which should be used instead of
            the one mentioned in the certificate. URL must be replaced with
            the URL of the OCSP default responder e.g.
            http://example.com:80/ocsp.

            (NSS Version) This option must be used together with
            ocsp_default_responder_signing_cert.

        ocsp_default_responder_signing_cert=NAME
            (NSS Version) The nickname of the cert to trust (expected) to
            sign the OCSP responses. The certificate with the given
            nickname must be available in the system's NSS database.

            This option must be used together with ocsp_default_responder.

            (OpenSSL version) This option is currently ignored. All needed
            certificates must be available in the PEM file given by
            pam_cert_db_path.

        crl_file=/PATH/TO/CRL/FILE
            (NSS Version) This option is ignored, please see crlutil(1) for
            how to import a Certificate Revocation List (CRL) into a NSS
            database.

            (OpenSSL Version) Use the Certificate Revocation List (CRL)
            from the given file during the verification of the certificate.
            The CRL must be given in PEM format, see crl(1ssl) for details.

        This man page was generated for the OpenSSL version.

        Unknown options are reported but ignored.

        Default: not set, i.e. do not restrict certificate verification

    disable_netlink (boolean)
        SSSD hooks into the netlink interface to monitor changes to routes,
        addresses, links and trigger certain actions.

        The SSSD state changes caused by netlink events may be undesirable
        and can be disabled by setting this option to 'true'.

        Default: false (netlink changes are detected)

    enable_files_domain (boolean)
        When this option is enabled, SSSD prepends an implicit domain with
        “id_provider=files” before any explicitly configured domains.

        Default: true

    domain_resolution_order
        Comma separated list of domains and subdomains representing the
        lookup order that will be followed. The list doesn't have to
        include all possible domains as the missing domains will be looked
        up based on the order they're presented in the “domains”
        configuration option. The subdomains which are not listed as part
        of “lookup_order” will be looked up in a random order for each
        parent domain.

        Please note that when this option is set the output format of all
        commands is always fully-qualified even when using short names for
        input, for all users but the ones managed by the files provider. In
        case the administrator wants the output not fully-qualified, the
        full_name_format option can be used as shown below:
        “full_name_format=%1$s”. However, keep in mind that during login,
        login applications often canonicalize the username by calling
        getpwnam(3) which, if a shortname is returned for a qualified input
        (while trying to reach a user which exists in multiple domains)
        might re-route the login attempt into the domain which uses
        shortnames, making this workaround totally not recommended in cases
        where usernames may overlap between domains.

        Default: Not set

Settings that can be used to configure different services are described
in this section. They should reside in the [$NAME] section, for
example, for NSS service, the section would be “[nss]”.

General service configuration options
    These options can be used to configure any service.

    reconnection_retries (integer)
        Number of times services should attempt to reconnect in the event
        of a Data Provider crash or restart before they give up.

        Default: 3

    fd_limit
        This option specifies the maximum number of file descriptors that
        may be opened at one time by this SSSD process. On systems where
        SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
        absolute setting. On systems without this capability, the resulting
        value will be the lower value of this or the limits.conf "hard"
        limit.

        Default: 8192 (or limits.conf "hard" limit)

    client_idle_timeout
        This option specifies the number of seconds that a client of an
        SSSD process can hold onto a file descriptor without communicating
        on it. This value is limited in order to avoid resource exhaustion
        on the system. The timeout can't be shorter than 10 seconds. If a
        lower value is configured, it will be adjusted to 10 seconds.

        Default: 60

    offline_timeout (integer)
        When SSSD switches to offline mode the amount of time before it
        tries to go back online will increase based upon the time spent
        disconnected. This value is in seconds and calculated by the
        following:

            offline_timeout + random_offset

        The random offset can increment up to 30 seconds. After each
        unsuccessful attempt to go online, the new interval is recalculated
        by the following:

            new_interval = old_interval*2 + random_offset

        Note that the maximum length of each interval is currently limited
        to one hour. If the calculated length of new_interval is greater
        than an hour, it will be forced to one hour.

        Default: 60

    responder_idle_timeout
        This option specifies the number of seconds that an SSSD responder
        process can be up without being used. This value is limited in
        order to avoid resource exhaustion on the system. The minimum
        acceptable value for this option is 60 seconds. Setting this option
        to 0 (zero) means that no timeout will be set up to the responder.
        This option only has effect when SSSD is built with systemd support
        and when services are either socket or D-Bus activated.

        Default: 300

    cache_first
        This option specifies whether the responder should query all caches
        before querying the Data Providers.

        Default: false

NSS configuration options
    These options can be used to configure the Name Service Switch (NSS)
    service.

    enum_cache_timeout (integer)
        How many seconds should nss_sss cache enumerations (requests for
        info about all users).

        Default: 120

    entry_cache_nowait_percentage (integer)
        The entry cache can be set to automatically update entries in the
        background if they are requested beyond a percentage of the
        entry_cache_timeout value for the domain.

        For example, if the domain's entry_cache_timeout is set to 30s and
        entry_cache_nowait_percentage is set to 50 (percent), entries that
        come in after 15 seconds past the last cache update will be
        returned immediately, but the SSSD will go and update the cache on
        its own, so that future requests will not need to block waiting for
        a cache update.

        Valid values for this option are 0-99 and represent a percentage of
        the entry_cache_timeout for each domain. For performance reasons,
        this percentage will never reduce the nowait timeout to less than
        10 seconds. (0 disables this feature)

        Default: 50

    entry_negative_timeout (integer)
        Specifies for how many seconds nss_sss should cache negative cache
        hits (that is, queries for invalid database entries, like
        nonexistent ones) before asking the back end again.

        Default: 15

    local_negative_timeout (integer)
        Specifies for how many seconds nss_sss should keep local users and
        groups in negative cache before trying to look it up in the back
        end again. Setting the option to 0 disables this feature.

        Default: 14400 (4 hours)

    filter_users, filter_groups (string)
        Exclude certain users or groups from being fetched from the sss NSS
        database. This is particularly useful for system accounts. This
        option can also be set per-domain or include fully-qualified names
        to filter only users from the particular domain or by a user
        principal name (UPN).

        NOTE: The filter_groups option doesn't affect inheritance of nested
        group members, since filtering happens after they are propagated
        for returning via NSS. E.g. a group having a member group filtered
        out will still have the member users of the latter listed.

        Default: root

    filter_users_in_groups (bool)
        If you want filtered users to still be group members, set this
        option to false.

        Default: true

    override_homedir (string)
        Override the user's home directory. You can either provide an
        absolute value or a template. In the template, the following
        sequences are substituted:

        %u
            login name

        %U
            UID number

        %d
            domain name

        %f
            fully qualified user name (user@domain)

        %l
            The first letter of the login name.

        %P
            UPN - User Principal Name (name@REALM)

        %o
            The original home directory retrieved from the identity
            provider.

        %H
            The value of configure option homedir_substring.

        %%
            a literal '%'

        This option can also be set per-domain.

        example:

            override_homedir = /home/%u

        Default: Not set (SSSD will use the value retrieved from LDAP)

    homedir_substring (string)
        The value of this option will be used in the expansion of the
        override_homedir option if the template contains the format string
        %H. An LDAP directory entry can directly contain this template so
        that this option can be used to expand the home directory path for
        each client machine (or operating system). It can be set per-domain
        or globally in the [nss] section. A value specified in a domain
        section will override one set in the [nss] section.

        Default: /home

    fallback_homedir (string)
        Set a default template for a user's home directory if one is not
        specified explicitly by the domain's data provider.

        The available values for this option are the same as for
        override_homedir.

        example:

            fallback_homedir = /home/%u

        Default: not set (no substitution for unset home directories)

    override_shell (string)
        Override the login shell for all users. This option supersedes any
        other shell options if it takes effect and can be set either in the
        [nss] section or per-domain.

        Default: not set (SSSD will use the value retrieved from LDAP)

    allowed_shells (string)
        Restrict user shell to one of the listed values. The order of
        evaluation is:

        1. If the shell is present in “/etc/shells”, it is used.

        2. If the shell is in the allowed_shells list but not in
        “/etc/shells”, use the value of the shell_fallback parameter.

        3. If the shell is not in the allowed_shells list and not in
        “/etc/shells”, a nologin shell is used.

        The wildcard (*) can be used to allow any shell.

        The (*) is useful if you want to use shell_fallback in case the
        user's shell is not in “/etc/shells” and maintaining a list of all
        allowed shells in allowed_shells would be too much overhead.

        An empty string for shell is passed as-is to libc.

        The “/etc/shells” is only read on SSSD start up, which means that a
        restart of the SSSD is required in case a new shell is installed.

        Default: Not set. The user shell is automatically used.

    vetoed_shells (string)
        Replace any instance of these shells with the shell_fallback

    shell_fallback (string)
        The default shell to use if an allowed shell is not installed on
        the machine.

        Default: /bin/sh
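
The evaluation order of allowed_shells, vetoed_shells and shell_fallback is easy to misread: a shell listed in “/etc/shells” is used whether or not it appears in allowed_shells, and a shell that is only in allowed_shells yields the fallback, not itself. The Python model below is an added example that follows the documented rules; it is not SSSD's implementation. Checking vetoed_shells before the three rules, leaving the shell unchanged when allowed_shells is not set, and the nologin path "/sbin/nologin" are assumptions of this example, and all names are hypothetical.

```python
NOLOGIN = "/sbin/nologin"  # assumed path; the text above only says "a nologin shell"

# Constructed sample of an /etc/shells file.
ETC_SHELLS_SAMPLE = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
"""


def parse_etc_shells(text):
    """Return the set of shells listed in /etc/shells content."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def split_list(value):
    """Split a comma separated option value; None means the option is not set."""
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_shell(shell, etc_shells, allowed_shells=None, vetoed_shells=None,
                  shell_fallback="/bin/sh", nologin=NOLOGIN):
    """Model of the shell a user ends up with under the documented rules."""
    allowed = split_list(allowed_shells)
    vetoed = split_list(vetoed_shells) or []
    if shell == "":
        return shell                   # empty string is passed as-is to libc
    if shell in vetoed:                # assumption: vetoes are applied first
        return shell_fallback
    if allowed is None:
        return shell                   # not set: the user shell is used
    if shell in etc_shells:
        return shell                   # rule 1: installed shells are used as-is
    if "*" in allowed or shell in allowed:
        return shell_fallback          # rule 2: allowed but not installed
    return nologin                     # rule 3: neither allowed nor installed


if __name__ == "__main__":
    installed = parse_etc_shells(ETC_SHELLS_SAMPLE)
    cases = [  # constructed cases: (user shell, allowed_shells, vetoed_shells)
        ("/bin/zsh", "/bin/bash", None),
        ("/usr/bin/fish", "/bin/bash, /usr/bin/fish", None),
        ("/usr/bin/fish", "/bin/bash", None),
        ("/opt/custom/sh", "*", None),
        ("/bin/zsh", "*", "/bin/zsh"),
    ]
    for shell, allowed, vetoed in cases:
        result = resolve_shell(shell, installed, allowed, vetoed)
        print(f"{shell:16} allowed={allowed!r:28} vetoed={vetoed!r:12} -> {result}")
```

The first case shows why allowed_shells alone does not keep users away from a shell that is installed locally; under the assumptions above, vetoed_shells is the option that does.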

    default_shell
        The default shell to use if the provider does not return one during
        lookup. This option can be specified globally in the [nss] section
        or per-domain.

        Default: not set (Return NULL if no shell is specified and rely on
        libc to substitute something sensible when necessary, usually
        /bin/sh)

    get_domains_timeout (int)
        Specifies time in seconds for which the list of subdomains will be
        considered valid.

        Default: 60

    memcache_timeout (int)
        Specifies time in seconds for which records in the in-memory cache
        will be valid. Setting this option to zero will disable the
        in-memory cache.

        Default: 300

        WARNING: Disabling the in-memory cache will have significant
        negative impact on SSSD's performance and should only be used for
        testing.

        NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
        "NO", client applications will not use the fast in-memory cache.

    user_attributes (string)
        Some of the additional NSS responder requests can return more
        attributes than just the POSIX ones defined by the NSS interface.
        The list of attributes is controlled by this option. It is handled
        the same way as the “user_attributes” option of the InfoPipe
        responder (see sssd-ifp(5) for details) but with no default values.

        To make configuration easier the NSS responder will check the
        InfoPipe option if it is not set for the NSS responder.

        Default: not set, fallback to InfoPipe option

    pwfield (string)
        The value that NSS operations that return users or groups will
        return for the “password” field.

        This option can also be set per-domain.

        Default: “*” (remote domains) or “x” (the files domain)

PAM configuration options
    These options can be used to configure the Pluggable Authentication
    Module (PAM) service.

    offline_credentials_expiration (integer)
        If the authentication provider is offline, how long should we allow
        cached logins (in days since the last successful online login).

        Default: 0 (No limit)

    offline_failed_login_attempts (integer)
        If the authentication provider is offline, how many failed login
        attempts are allowed.

        Default: 0 (No limit)

    offline_failed_login_delay (integer)
        The time in minutes which has to pass after
        offline_failed_login_attempts has been reached before a new login
        attempt is possible.

        If set to 0 the user cannot authenticate offline if
        offline_failed_login_attempts has been reached. Only a successful
        online authentication can enable offline authentication again.

        Default: 5

    pam_verbosity (integer)
        Controls what kind of messages are shown to the user during
        authentication. The higher the number, the more messages are
        displayed.

        Currently sssd supports the following values:

        0: do not show any message

        1: show only important messages

        2: show informational messages

        3: show all messages and debug information

        Default: 1

    pam_response_filter (integer)
        A comma separated list of strings which allows removing (filtering)
        data sent by the PAM responder to the pam_sss PAM module. There are
        different kinds of responses sent to pam_sss, e.g. messages displayed
        to the user or environment variables which should be set by
        pam_sss.

        While messages can already be controlled with the help of the
        pam_verbosity option, this option allows filtering out other kinds
        of responses as well.

        Currently the following filters are supported:

        ENV
            Do not send any environment variables to any service.

        ENV:var_name
            Do not send environment variable var_name to any service.

        ENV:var_name:service
            Do not send environment variable var_name to service.

        Default: not set

        Example: ENV:KRB5CCNAME:sudo-i

    pam_id_timeout (integer)
        For any PAM request while SSSD is online, the SSSD will attempt to
        immediately update the cached identity information for the user in
        order to ensure that authentication takes place with the latest
        information.

        A complete PAM conversation may perform multiple PAM requests, such
        as account management and session opening. This option controls (on
        a per-client-application basis) how long (in seconds) we can cache
        the identity information to avoid excessive round-trips to the
        identity provider.

        Default: 5

    pam_pwd_expiration_warning (integer)
        Display a warning N days before the password expires.

        Please note that the backend server has to provide information
        about the expiration time of the password. If this information is
        missing, sssd cannot display a warning.

        If zero is set, then this filter is not applied, i.e. if the
        expiration warning was received from backend server, it will
        automatically be displayed.

        This setting can be overridden by setting pwd_expiration_warning
        for a particular domain.

        Default: 0

    get_domains_timeout (int)
        Specifies time in seconds for which the list of subdomains will be
        considered valid.

        Default: 60

    pam_trusted_users (string)
        Specifies the comma-separated list of UID values or user names that
        are allowed to run PAM conversations against trusted domains. Users
        not included in this list can only access domains marked as public
        with “pam_public_domains”. User names are resolved to UIDs at
        startup.

        Default: All users are considered trusted by default

        Please note that UID 0 is always allowed to access the PAM
        responder even in case it is not in the pam_trusted_users list.

    pam_public_domains (string)
        Specifies the comma-separated list of domain names that are
        accessible even to untrusted users.

        Two special values for pam_public_domains option are defined:

        all (Untrusted users are allowed to access all domains in PAM
        responder.)

        none (Untrusted users are not allowed to access any domains in PAM
        responder.)

        Default: none

    pam_account_expired_message (string)
        Allows a custom expiration message to be set, replacing the default
        'Permission denied' message.

        Note: Please be aware that the message is only printed for the SSH
        service unless pam_verbosity is set to 3 (show all messages and
        debug information).

        example:

            pam_account_expired_message = Account expired, please contact help desk.

        Default: none

    pam_account_locked_message (string)
        Allows a custom lockout message to be set, replacing the default
        'Permission denied' message.

        example:

            pam_account_locked_message = Account locked, please contact help desk.

        Default: none

    pam_cert_auth (bool)
        Enable certificate based Smartcard authentication. Since this
        requires additional communication with the Smartcard, which will
        delay the authentication process, this option is disabled by
        default.

        Default: False

    pam_cert_db_path (string)
        The path to the certificate database which contains the PKCS#11
        modules to access the Smartcard.

        Default:

        · /etc/pki/nssdb (NSS version, path to a NSS database)

        · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
        file with trusted CA certificates in PEM format)

        This man page was generated for the OpenSSL version.

    p11_child_timeout (integer)
        How many seconds will pam_sss wait for p11_child to finish.

        Default: 10

    pam_app_services (string)
        Which PAM services are permitted to contact domains of type
        “application”.

        Default: Not set
864
865 pam_p11_allowed_services (integer)
866 A comma-separated list of PAM service names for which it will be
867 allowed to use Smartcards.
868
869 It is possible to add another PAM service name to the default set
870 by using “+service_name” or to explicitly remove a PAM service name
871 from the default set by using “-service_name”. For example, in
872 order to replace a default PAM service name for authentication with
873 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
874 “my_pam_service”), you would use the following configuration:
875
876 pam_p11_allowed_services = +my_pam_service, -login
877
878
879 Default: the default set of PAM service names includes:
880
881 · login
882
883 · su
884
885 · su-l
886
887 · gdm-smartcard
888
889 · gdm-password
890
891 · kdm
892
893 · sudo
894
895 · sudo-i
896
897 · gnome-screensaver
898
899
900 p11_wait_for_card_timeout (integer)
901 If Smartcard authentication is required how many extra seconds in
902 addition to p11_child_timeout should the PAM responder wait until a
903 Smartcard is inserted.
904
905 Default: 60
906
907 p11_uri (string)
908 PKCS#11 URI (see RFC-7512 for details) which can be used to
909 restrict the selection of devices used for Smartcard
910 authentication. By default SSSD's p11_child will search for a
911 PKCS#11 slot (reader) where the 'removable' flag is set and read
912 the certificates from the inserted token from the first slot found.
913 If multiple readers are connected p11_uri can be used to tell
914 p11_child to use a specific reader.
915
916 Example:
917
918 p11_uri = slot-description=My%20Smartcar%20Reader
919
920
921 or
922
923 p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
924
925
926 To find a suitable URI, please check the debug output of p11_child.
927 Alternatively, the GnuTLS utility 'p11tool', e.g. with the
928 '--list-all' option, will show PKCS#11 URIs as well.
929
930 Default: none
931
932 SUDO configuration options
933 These options can be used to configure the sudo service. The detailed
934 instructions for configuration of sudo(8) to work with sssd(8) are in
935 the manual page sssd-sudo(5).
936
937 sudo_timed (bool)
938 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
939 attributes that implement time-dependent sudoers entries.
940
941 Default: false
942
943 sudo_threshold (integer)
944 Maximum number of expired rules that can be refreshed at once. If
945 number of expired rules is below threshold, those rules are
946 refreshed with “rules refresh” mechanism. If the threshold is
947 exceeded a “full refresh” of sudo rules is triggered instead. This
948 threshold number also applies to IPA sudo command and command group
949 searches.
950
951 Default: 50
952
953 AUTOFS configuration options
954 These options can be used to configure the autofs service.
955
956 autofs_negative_timeout (integer)
957 Specifies for how many seconds the autofs responder should cache
958 negative hits (that is, queries for invalid map entries, like
959 nonexistent ones) before asking the back end again.
960
961 Default: 15
962
963 Please note that the automounter only reads the master map on startup,
964 so if any autofs-related changes are made to the sssd.conf, you
965 typically also need to restart the automounter daemon after restarting
966 the SSSD.
967
968 SSH configuration options
969 These options can be used to configure the SSH service.
970
971 ssh_hash_known_hosts (bool)
972 Whether or not to hash host names and addresses in the managed
973 known_hosts file.
974
975 Default: true
976
977 ssh_known_hosts_timeout (integer)
978 How many seconds to keep a host in the managed known_hosts file
979 after its host keys were requested.
980
981 Default: 180
982
983 ssh_use_certificate_keys (bool)
984 If set to true the sss_ssh_authorizedkeys will return ssh keys
985 derived from the public key of X.509 certificates stored in the
986 user entry as well. See sss_ssh_authorizedkeys(1) for details.
987
988 Default: true
989
990 ca_db (string)
991 Path to a storage of trusted CA certificates. The option is used to
992 validate user certificates before deriving public ssh keys from
993 them.
994
995 Default:
996
997 · /etc/pki/nssdb (NSS version, path to a NSS database)
998
999 · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
1000 file with trusted CA certificates in PEM format)
1001
1002 This man page was generated for the OpenSSL version.
1003
1004 PAC responder configuration options
1005 The PAC responder works together with the authorization data plugin for
1006 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1007 sends the PAC data during a GSSAPI authentication to the PAC responder.
1008 The sub-domain provider collects domain SID and ID ranges of the domain
1009 the client is joined to and of remote trusted domains from the local
1010 domain controller. If the PAC is decoded and evaluated some of the
1011 following operations are done:
1012
1013 · If the remote user does not exist in the cache, it is created. The
1014 UID is determined with the help of the SID, trusted domains will
1015 have UPGs and the GID will have the same value as the UID. The home
1016 directory is set based on the subdomain_homedir parameter. The
1017 shell will be empty by default, i.e. the system defaults are used,
1018 but can be overwritten with the default_shell parameter.
1019
1020 · If there are SIDs of groups from domains sssd knows about, the user
1021 will be added to those groups.
1022
1023 These options can be used to configure the PAC responder.
1024
1025 allowed_uids (string)
1026 Specifies the comma-separated list of UID values or user names that
1027 are allowed to access the PAC responder. User names are resolved to
1028 UIDs at startup.
1029
1030 Default: 0 (only the root user is allowed to access the PAC
1031 responder)
1032
1033 Please note that although the UID 0 is used as the default it will
1034 be overwritten with this option. If you still want to allow the
1035 root user to access the PAC responder, which would be the typical
1036 case, you have to add 0 to the list of allowed UIDs as well.
1037
1038 pac_lifetime (integer)
1039 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1040 the PAC data can be used to determine the group memberships of a
1041 user.
1042
1043 Default: 300
1044
1045 Session recording configuration options
1046 Session recording works in conjunction with tlog-rec-session(8), a part
1047 of tlog package, to log what users see and type when they log in on a
1048 text terminal. See also sssd-session-recording(5).
1049
1050 These options can be used to configure session recording.
1051
1052 scope (string)
1053 One of the following strings specifying the scope of session
1054 recording:
1055
1056 "none"
1057 No users are recorded.
1058
1059 "some"
1060 Users/groups specified by users and groups options are
1061 recorded.
1062
1063 "all"
1064 All users are recorded.
1065
1066 Default: "none"
1067
1068 users (string)
1069 A comma-separated list of users which should have session recording
1070 enabled. Matches user names as returned by NSS, i.e. after the
1071 possible space replacement, case changes, etc.
1072
1073 Default: Empty. Matches no users.
1074
1075 groups (string)
1076 A comma-separated list of groups, members of which should have
1077 session recording enabled. Matches group names as returned by NSS,
1078 i.e. after the possible space replacement, case changes, etc.
1079
1080 NOTE: using this option (having it set to anything) has a
1081 considerable performance cost, because each uncached request for a
1082 user requires retrieving and matching the groups the user is a member
1083 of.
1084
1085 Default: Empty. Matches no groups.
1086
1088 These configuration options can be present in a domain configuration
1089 section, that is, in a section called “[domain/NAME]”.
1090
1091 domain_type (string)
1092 Specifies whether the domain is meant to be used by POSIX-aware
1093 clients such as the Name Service Switch or by applications that do
1094 not need POSIX data to be present or generated. Only objects from
1095 POSIX domains are available to the operating system interfaces and
1096 utilities.
1097
1098 Allowed values for this option are “posix” and “application”.
1099
1100 POSIX domains are reachable by all services. Application domains
1101 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1102 and the PAM responder.
1103
1104 NOTE: The application domains are currently well tested with
1105 “id_provider=ldap” only.
1106
1107 For an easy way to configure non-POSIX domains, please see the
1108 “Application domains” section.
1109
1110 Default: posix
1111
1112 min_id,max_id (integer)
1113 UID and GID limits for the domain. If a domain contains an entry
1114 that is outside these limits, it is ignored.
1115
1116 For users, this affects the primary GID limit. The user will not be
1117 returned to NSS if either the UID or the primary GID is outside the
1118 range. For non-primary group memberships, those that are in range
1119 will be reported as expected.
1120
1121 These ID limits affect even saving entries to cache, not only
1122 returning them by name or ID.
1123
1124 Default: 1 for min_id, 0 (no limit) for max_id
1125
1126 enumerate (bool)
1127 Determines if a domain can be enumerated, that is, whether the
1128 domain can list all the users and groups it contains. Note that it
1129 is not required to enable enumeration in order for secondary groups
1130 to be displayed. This parameter can have one of the following
1131 values:
1132
1133 TRUE = Users and groups are enumerated
1134
1135 FALSE = No enumerations for this domain
1136
1137 Default: FALSE
1138
1139 Enumerating a domain requires SSSD to download and store ALL user
1140 and group entries from the remote server.
1141
1142 Note: Enabling enumeration has a moderate performance impact on
1143 SSSD while enumeration is running. It may take up to several
1144 minutes after SSSD startup to fully complete enumerations. During
1145 this time, individual requests for information will go directly to
1146 LDAP, though it may be slow, due to the heavy enumeration
1147 processing. Saving a large number of entries to cache after the
1148 enumeration completes might also be CPU intensive as the
1149 memberships have to be recomputed. This can lead to the “sssd_be”
1150 process becoming unresponsive or even restarted by the internal
1151 watchdog.
1152
1153 While the first enumeration is running, requests for the complete
1154 user or group lists may return no results until it completes.
1155
1156 Further, enabling enumeration may increase the time necessary to
1157 detect network disconnection, as longer timeouts are required to
1158 ensure that enumeration lookups are completed successfully. For
1159 more information, refer to the man pages for the specific
1160 id_provider in use.
1161
1162 For the reasons cited above, enabling enumeration is not
1163 recommended, especially in large environments.
1164
1165 subdomain_enumerate (string)
1166 Whether any of the autodetected trusted domains should be enumerated.
1167 The supported values are:
1168
1169 all
1170 All discovered trusted domains will be enumerated
1171
1172 none
1173 No discovered trusted domains will be enumerated
1174
1175 Optionally, a list of one or more domain names can enable
1176 enumeration just for these trusted domains.
1177
1178 Default: none
1179
1180 entry_cache_timeout (integer)
1181 How many seconds should nss_sss consider entries valid before
1182 asking the backend again
1183
1184 The cache expiration timestamps are stored as attributes of
1185 individual objects in the cache. Therefore, changing the cache
1186 timeout only has effect for newly added or expired entries. You
1187 should run the sss_cache(8) tool in order to force refresh of
1188 entries that have already been cached.
1189
1190 Default: 5400
1191
1192 entry_cache_user_timeout (integer)
1193 How many seconds should nss_sss consider user entries valid before
1194 asking the backend again
1195
1196 Default: entry_cache_timeout
1197
1198 entry_cache_group_timeout (integer)
1199 How many seconds should nss_sss consider group entries valid before
1200 asking the backend again
1201
1202 Default: entry_cache_timeout
1203
1204 entry_cache_netgroup_timeout (integer)
1205 How many seconds should nss_sss consider netgroup entries valid
1206 before asking the backend again
1207
1208 Default: entry_cache_timeout
1209
1210 entry_cache_service_timeout (integer)
1211 How many seconds should nss_sss consider service entries valid
1212 before asking the backend again
1213
1214 Default: entry_cache_timeout
1215
1216 entry_cache_sudo_timeout (integer)
1217 How many seconds should sudo consider rules valid before asking the
1218 backend again
1219
1220 Default: entry_cache_timeout
1221
1222 entry_cache_autofs_timeout (integer)
1223 How many seconds should the autofs service consider automounter
1224 maps valid before asking the backend again
1225
1226 Default: entry_cache_timeout
1227
1228 entry_cache_ssh_host_timeout (integer)
1229 How many seconds to keep a host ssh key after refresh, i.e. how long
1230 to cache the host key for.
1231
1232 Default: entry_cache_timeout
1233
1234 refresh_expired_interval (integer)
1235 Specifies how many seconds SSSD has to wait before triggering a
1236 background refresh task which will refresh all expired or nearly
1237 expired records.
1238
1239 The background refresh will process users, groups and netgroups in
1240 the cache. For users who have performed the initgroups (get group
1241 membership for user, typically run at login) operation in the past,
1242 both the user entry and the group membership are updated.
1243
1244 This option is automatically inherited for all trusted domains.
1245
1246 You can consider setting this value to 3/4 * entry_cache_timeout.
1247
1248 Default: 0 (disabled)
1249
1250 cache_credentials (bool)
1251 Determines if user credentials are also cached in the local LDB
1252 cache.
1253
1254 User credentials are stored in a SHA512 hash, not in plaintext.
1255
1256 Default: FALSE
1257
1258 cache_credentials_minimal_first_factor_length (int)
1259 If 2-Factor-Authentication (2FA) is used and credentials should be
1260 saved this value determines the minimal length the first
1261 authentication factor (long term password) must have to be saved as
1262 SHA512 hash into the cache.
1263
1264 This should prevent the short PINs of a PIN-based 2FA scheme from
1265 being saved in the cache, which would make them easy targets for
1266 brute-force attacks.
1267
1268 Default: 8
1269
1270 account_cache_expiration (integer)
1271 Number of days entries are left in cache after last successful
1272 login before being removed during a cleanup of the cache. 0 means
1273 keep forever. The value of this parameter must be greater than or
1274 equal to offline_credentials_expiration.
1275
1276 Default: 0 (unlimited)
1277
1278 pwd_expiration_warning (integer)
1279 Display a warning N days before the password expires.
1280
1281 If zero is set, then this filter is not applied, i.e. if the
1282 expiration warning was received from backend server, it will
1283 automatically be displayed.
1284
1285 Please note that the backend server has to provide information
1286 about the expiration time of the password. If this information is
1287 missing, sssd cannot display a warning. Also an auth provider has
1288 to be configured for the backend.
1289
1290 Default: 7 (Kerberos), 0 (LDAP)
1291
1292 id_provider (string)
1293 The identification provider used for the domain. Supported ID
1294 providers are:
1295
1296 “proxy”: Support a legacy NSS provider.
1297
1298 “files”: FILES provider. See sssd-files(5) for more information on
1299 how to mirror local users and groups into SSSD.
1300
1301 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1302 configuring LDAP.
1303
1304 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1305 See sssd-ipa(5) for more information on configuring FreeIPA.
1306
1307 “ad”: Active Directory provider. See sssd-ad(5) for more
1308 information on configuring Active Directory.
1309
1310 use_fully_qualified_names (bool)
1311 Use the full name and domain (as formatted by the domain's
1312 full_name_format) as the user's login name reported to NSS.
1313
1314 If set to TRUE, all requests to this domain must use fully
1315 qualified names. For example, if used in LOCAL domain that contains
1316 a "test" user, getent passwd test wouldn't find the user while
1317 getent passwd test@LOCAL would.
1318
1319 NOTE: This option has no effect on netgroup lookups due to their
1320 tendency to include nested netgroups without qualified names. For
1321 netgroups, all domains will be searched when an unqualified name is
1322 requested.
1323
1324 Default: FALSE (TRUE if default_domain_suffix is used)
1325
1326 ignore_group_members (bool)
1327 Do not return group members for group lookups.
1328
1329 If set to TRUE, the group membership attribute is not requested
1330 from the ldap server, and group members are not returned when
1331 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1332 As an effect, “getent group $groupname” would return the requested
1333 group as if it was empty.
1334
1335 Enabling this option can also make access provider checks for group
1336 membership significantly faster, especially for groups containing
1337 many members.
1338
1339 Default: FALSE
1340
1341 auth_provider (string)
1342 The authentication provider used for the domain. Supported auth
1343 providers are:
1344
1345 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1346 information on configuring LDAP.
1347
1348 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1349 information on configuring Kerberos.
1350
1351 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1352 See sssd-ipa(5) for more information on configuring FreeIPA.
1353
1354 “ad”: Active Directory provider. See sssd-ad(5) for more
1355 information on configuring Active Directory.
1356
1357 “proxy” for relaying authentication to some other PAM target.
1358
1359 “none” disables authentication explicitly.
1360
1361 Default: “id_provider” is used if it is set and can handle
1362 authentication requests.
1363
1364 access_provider (string)
1365 The access control provider used for the domain. There are two
1366 built-in access providers (in addition to any included in installed
1367 backends). Internal special providers are:
1368
1369 “permit” always allow access. It's the only permitted access
1370 provider for a local domain.
1371
1372 “deny” always deny access.
1373
1374 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1375 information on configuring LDAP.
1376
1377 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1378 See sssd-ipa(5) for more information on configuring FreeIPA.
1379
1380 “ad”: Active Directory provider. See sssd-ad(5) for more
1381 information on configuring Active Directory.
1382
1383 “simple” access control based on access or deny lists. See sssd-
1384 simple(5) for more information on configuring the simple access
1385 module.
1386
1387 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1388 information on configuring Kerberos.
1389
1390 “proxy” for relaying access control to another PAM module.
1391
1392 Default: “permit”
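
An added example (not part of the SSSD manual or the SSSD code base): a small audit of sssd.conf text against defaults and notes stated on this page, namely access_provider defaulting to “permit”, enumerate, cache_credentials_minimal_first_factor_length and the allowed_uids override in [pac]. The function names, the sample configuration and the treatment of the user name "root" as UID 0 are assumptions of the example.

```python
import configparser

# Constructed sample configuration for the demonstration (not from the man page).
SAMPLE_CONF = """\
[sssd]
domains = corp, lab

[pac]
allowed_uids = 991

[domain/corp]
id_provider = ldap
enumerate = TRUE
cache_credentials = TRUE
cache_credentials_minimal_first_factor_length = 4

[domain/lab]
id_provider = ldap
access_provider = simple
cache_credentials = TRUE
"""


def load_conf(text):
    """Parse sssd.conf text: '#' or ';' comment lines, no inline comments."""
    parser = configparser.ConfigParser(
        interpolation=None,            # values such as /home/%d/%u contain '%'
        delimiters=("=",),             # keep ':' inside values (phone:telephoneNumber)
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
    )
    parser.read_string(text)
    return parser


def is_true(value):
    """Case-insensitive check for the TRUE spelling of a bool option."""
    return value.strip().lower() == "true"


def audit(text):
    """Return a list of (section, option, message) findings."""
    conf = load_conf(text)
    findings = []

    # allowed_uids replaces the default of 0, so root must be listed again.
    if conf.has_option("pac", "allowed_uids"):
        uids = [u.strip() for u in conf.get("pac", "allowed_uids").split(",")]
        # Assumption: the user name "root" resolves to UID 0 on this host.
        if "0" not in uids and "root" not in uids:
            findings.append(("pac", "allowed_uids",
                             "root (UID 0) is no longer allowed to access the PAC responder"))

    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        dom = conf[section]

        if is_true(dom.get("enumerate", "FALSE")):
            findings.append((section, "enumerate",
                             "enumeration downloads and stores all users and groups"))

        # An unset access_provider falls back to the documented default "permit".
        if dom.get("access_provider", "permit").strip().lower() == "permit":
            findings.append((section, "access_provider",
                             "'permit' always allows access"))

        if is_true(dom.get("cache_credentials", "FALSE")):
            min_len = int(dom.get("cache_credentials_minimal_first_factor_length", "8"))
            if min_len < 8:
                findings.append((section, "cache_credentials_minimal_first_factor_length",
                                 f"first factors of only {min_len} characters may be cached"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit(SAMPLE_CONF):
        print(f"[{section}] {option}: {message}")
```
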
1393
1394 chpass_provider (string)
1395 The provider which should handle change password operations for the
1396 domain. Supported change password providers are:
1397
1398 “ldap” to change a password stored in a LDAP server. See sssd-
1399 ldap(5) for more information on configuring LDAP.
1400
1401 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1402 information on configuring Kerberos.
1403
1404 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1405 See sssd-ipa(5) for more information on configuring FreeIPA.
1406
1407 “ad”: Active Directory provider. See sssd-ad(5) for more
1408 information on configuring Active Directory.
1409
1410 “proxy” for relaying password changes to some other PAM target.
1411
1412 “none” disallows password changes explicitly.
1413
1414 Default: “auth_provider” is used if it is set and can handle change
1415 password requests.
1416
1417 sudo_provider (string)
1418 The SUDO provider used for the domain. Supported SUDO providers
1419 are:
1420
1421 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1422 information on configuring LDAP.
1423
1424 “ipa” the same as “ldap” but with IPA default settings.
1425
1426 “ad” the same as “ldap” but with AD default settings.
1427
1428 “none” disables SUDO explicitly.
1429
1430 Default: The value of “id_provider” is used if it is set.
1431
1432 The detailed instructions for configuration of sudo_provider are in
1433 the manual page sssd-sudo(5). There are many configuration options
1434 that can be used to adjust the behavior. Please refer to
1435 "ldap_sudo_*" in sssd-ldap(5).
1436
1437 NOTE: Sudo rules are periodically downloaded in the background
1438 unless the sudo provider is explicitly disabled. Set sudo_provider
1439 = None to disable all sudo-related activity in SSSD if you do not
1440 want to use sudo with SSSD at all.
1441
1442 selinux_provider (string)
1443 The provider which should handle loading of selinux settings. Note
1444 that this provider will be called right after access provider ends.
1445 Supported selinux providers are:
1446
1447 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1448 for more information on configuring IPA.
1449
1450 “none” disallows fetching selinux settings explicitly.
1451
1452 Default: “id_provider” is used if it is set and can handle selinux
1453 loading requests.
1454
1455 subdomains_provider (string)
1456 The provider which should handle fetching of subdomains. This value
1457 should be always the same as id_provider. Supported subdomain
1458 providers are:
1459
1460 “ipa” to load a list of subdomains from an IPA server. See sssd-
1461 ipa(5) for more information on configuring IPA.
1462
1463 “ad” to load a list of subdomains from an Active Directory server.
1464 See sssd-ad(5) for more information on configuring the AD provider.
1465
1466 “none” disallows fetching subdomains explicitly.
1467
1468 Default: The value of “id_provider” is used if it is set.
1469
1470 session_provider (string)
1471 The provider which configures and manages user session related
1472 tasks. The only user session task currently provided is the
1473 integration with Fleet Commander, which works only with IPA.
1474 Supported session providers are:
1475
1476 “ipa” to allow performing user session related tasks.
1477
1478 “none” does not perform any kind of user session related tasks.
1479
1480 Default: “id_provider” is used if it is set and can perform session
1481 related tasks.
1482
1483 NOTE: In order to have this feature working as expected SSSD must
1484 be running as "root" and not as the unprivileged user.
1485
1486 autofs_provider (string)
1487 The autofs provider used for the domain. Supported autofs providers
1488 are:
1489
1490 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1491 information on configuring LDAP.
1492
1493 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1494 more information on configuring IPA.
1495
1496 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1497 information on configuring the AD provider.
1498
1499 “none” disables autofs explicitly.
1500
1501 Default: The value of “id_provider” is used if it is set.
1502
1503 hostid_provider (string)
1504 The provider used for retrieving host identity information.
1505 Supported hostid providers are:
1506
1507 “ipa” to load host identity stored in an IPA server. See sssd-
1508 ipa(5) for more information on configuring IPA.
1509
1510 “none” disables hostid explicitly.
1511
1512 Default: The value of “id_provider” is used if it is set.
1513
1514 re_expression (string)
1515 Regular expression for this domain that describes how to parse the
1516 string containing user name and domain into these components. The
1517 "domain" can match either the SSSD configuration domain name, or,
1518 in the case of IPA trust subdomains and Active Directory domains,
1519 the flat (NetBIOS) name of the domain.
1520
1521 Default for the AD and IPA provider:
1522 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1523 which allows three different styles for user names:
1524
1525 · username
1526
1527 · username@domain.name
1528
1529 · domain\username
1530
1531 While the first two correspond to the general default the third one
1532 is introduced to allow easy integration of users from Windows
1533 domains.
1534
1535 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1536 "the name is everything up to the “@” sign, the domain everything
1537 after that"
1538
1539 NOTE: Some Active Directory groups, typically those used for MS
1540 Exchange contain an “@” sign in the name, which clashes with the
1541 default re_expression value for the AD and IPA providers. To
1542 support these groups, consider changing the re_expression value to:
1543 “((?P<name>.+)@(?P<domain>[^@]+$))”.
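
An added example (not part of the SSSD manual or the SSSD code base): the three expressions quoted above, applied to constructed names, including a group name that contains an “@” sign. Python's re module rejects repeated group names, which the AD and IPA default relies on, so the hypothetical helper compile_dupnames renames them before compiling; the unanchored search and all sample names are assumptions of the example.

```python
import re
from itertools import count

# The expressions as quoted in the re_expression entry.
AD_IPA_DEFAULT = (r"(((?P<domain>[^\\]+)\\(?P<name>.+$))"
                  r"|((?P<name>[^@]+)@(?P<domain>.+$))"
                  r"|(^(?P<name>[^@\\]+)$))")
GENERAL_DEFAULT = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
AT_SIGN_GROUPS = r"((?P<name>.+)@(?P<domain>[^@]+$))"


def compile_dupnames(pattern):
    """Compile a pattern that reuses group names across alternatives.

    Each (?P<x> becomes (?P<x__N> with a running number, because Python's
    re module does not accept the same group name twice.
    """
    counter = count(1)
    unique = re.sub(r"\(\?P<(\w+)>",
                    lambda m: f"(?P<{m.group(1)}__{next(counter)}>",
                    pattern)
    return re.compile(unique)


def split_name(pattern, text):
    """Return (name, domain) as captured by pattern, or None if no match.

    A component that did not take part in the match is returned as None.
    """
    match = compile_dupnames(pattern).search(text)  # assumption: unanchored
    if match is None:
        return None
    parts = {"name": None, "domain": None}
    for key, value in match.groupdict().items():
        logical = key.rsplit("__", 1)[0]
        if value is not None and parts[logical] is None:
            parts[logical] = value
    return parts["name"], parts["domain"]


if __name__ == "__main__":
    # Constructed sample names.
    samples = ["alice", "alice@ad.example.com", r"AD\alice",
               "team@exchange@ad.example.com"]
    for label, pattern in [("AD/IPA default", AD_IPA_DEFAULT),
                           ("general default", GENERAL_DEFAULT),
                           ("@-in-name variant", AT_SIGN_GROUPS)]:
        for sample in samples:
            print(f"{label:18} {sample:30} -> {split_name(pattern, sample)}")
```

With the AD and IPA default, the name “team@exchange@ad.example.com” splits at the first “@”, while the suggested expression splits at the last one; the suggested expression does not match an input without an “@” sign.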
1544
1545 full_name_format (string)
1546 A printf(3)-compatible format that describes how to compose a fully
1547 qualified name from user name and domain name components.
1548
1549 The following expansions are supported:
1550
1551 %1$s
1552 user name
1553
1554 %2$s
1555 domain name as specified in the SSSD config file.
1556
1557 %3$s
1558 domain flat name. Mostly usable for Active Directory domains,
1559 both directly configured or discovered via IPA trusts.
1560
1561 Default: “%1$s@%2$s”.
1562
1563 lookup_family_order (string)
1564 Provides the ability to select preferred address family to use when
1565 performing DNS lookups.
1566
1567 Supported values:
1568
1569 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1570
1571 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1572
1573 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1574
1575 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1576
1577 Default: ipv4_first
1578
1579 dns_resolver_timeout (integer)
1580 Defines the amount of time (in seconds) to wait for a reply from
1581 the internal fail over service before assuming that the service is
1582 unreachable. If this timeout is reached, the domain will continue
1583 to operate in offline mode.
1584
1585 Please see the section “FAILOVER” for more information about the
1586 service resolution.
1587
1588 Default: 6
1589
1590 dns_discovery_domain (string)
1591 If service discovery is used in the back end, specifies the domain
1592 part of the service discovery DNS query.
1593
1594 Default: Use the domain part of machine's hostname
1595
1596 override_gid (integer)
1597 Override the primary GID value with the one specified.
1598
1599 case_sensitive (string)
1600 Treat user and group names as case sensitive. Possible option
1601 values are:
1602
1603 True
1604 Case sensitive. This value is invalid for AD provider.
1605
1606 False
1607 Case insensitive.
1608
1609 Preserving
1610 Same as False (case insensitive), but does not lowercase names
1611 in the result of NSS operations. Note that name aliases (and in
1612 case of services also protocol names) are still lowercased in
1613 the output.
1614
1615 Default: True (False for AD provider)
1616
1617 subdomain_inherit (string)
1618 Specifies a list of configuration parameters that should be
1619 inherited by a subdomain. Please note that only selected parameters
1620 can be inherited. Currently the following options can be inherited:
1621
1622 ignore_group_members
1623
1624 ldap_purge_cache_timeout
1625
1626 ldap_use_tokengroups
1627
1628 ldap_user_principal
1629
1630 ldap_krb5_keytab (the value of krb5_keytab will be used if
1631 ldap_krb5_keytab is not set explicitly)
1632
1633 Example:
1634
1635 subdomain_inherit = ldap_purge_cache_timeout
1636
1637
1638 Default: none
1639
1640 Note: This option only works with the IPA and AD provider.
1641
1642 subdomain_homedir (string)
1643 Use this homedir as default value for all subdomains within this
1644 domain in IPA AD trust. See override_homedir for info about
1645 possible values. In addition to those, the expansion below can only
1646 be used with subdomain_homedir.
1647
1648 %F
1649 flat (NetBIOS) name of a subdomain.
1650
1651 The value can be overridden by override_homedir option.
1652
1653 Default: /home/%d/%u
1654
1655 realmd_tags (string)
1656 Various tags stored by the realmd configuration service for this
1657 domain.
1658
1659 cached_auth_timeout (int)
1660 Specifies time in seconds since last successful online
1661 authentication for which user will be authenticated using cached
1662 credentials while SSSD is in the online mode. If the credentials
1663 are incorrect, SSSD falls back to online authentication.
1664
1665 This option's value is inherited by all trusted domains. At the
1666 moment it is not possible to set a different value per trusted
1667 domain.
1668
1669 Special value 0 implies that this feature is disabled.
1670
1671 Please note that if “cached_auth_timeout” is longer than
1672 “pam_id_timeout” then the back end could be called to handle
1673 “initgroups.”
1674
1675 Default: 0
1676
1677 auto_private_groups (string)
1678 This option takes any of three available values:
1679
1680 true
1681 Create user's private group unconditionally from user's UID
1682 number. The GID number is ignored in this case.
1683
1684 NOTE: Because the GID number and the user private group are
1685 inferred from the UID number, it is not supported to have
1686 multiple entries with the same UID or GID number with this
1687 option. In other words, enabling this option enforces
1688 uniqueness across the ID space.
1689
1690 false
1691 Always use the user's primary GID number. The GID number must
1692 refer to a group object in the LDAP database.
1693
1694 hybrid
1695 A primary group is autogenerated for user entries whose UID and
1696 GID numbers have the same value and at the same time the GID
1697 number does not correspond to a real group object in LDAP. If
1698 the values are the same, but the primary GID in the user entry
1699 is also used by a group object, the primary GID of the user
1700 resolves to that group object.
1701
1702 If the UID and GID of a user are different, then the GID must
1703 correspond to a group entry, otherwise the GID is simply not
1704 resolvable.
1705
1706 This feature is useful for environments that wish to stop
1707 maintaining separate group objects for the user private
1708 groups, but also wish to retain the existing user private
1709 groups.
1710
1711 For subdomains, the default value is False for subdomains that use
1712 assigned POSIX IDs and True for subdomains that use automatic
1713 ID-mapping.
1714
1715 The value of auto_private_groups can either be set per subdomain
1716 in a subsection, for example:
1717
1718 [domain/forest.domain/sub.domain]
1719 auto_private_groups = false
1720
1721 or globally for all subdomains in the main domain section using the
1722 subdomain_inherit option:
1723
1724 [domain/forest.domain]
1725 subdomain_inherit = auto_private_groups
1726 auto_private_groups = false
1727
1728
1729 Options valid for proxy domains.
1730
1731 proxy_pam_target (string)
1732 The proxy target PAM proxies to.
1733
1734 Default: not set by default, you have to take an existing pam
1735 configuration or create a new one and add the service name here.
1736
1737 proxy_lib_name (string)
1738 The name of the NSS library to use in proxy domains. The NSS
1739 functions searched for in the library are in the form of
1740 _nss_$(libName)_$(function), for example _nss_files_getpwent.
1741
1742 proxy_fast_alias (boolean)
1743 When a user or group is looked up by name in the proxy provider, a
1744 second lookup by ID is performed to "canonicalize" the name in case
1745 the requested name was an alias. Setting this option to true would
1746 cause the SSSD to perform the ID lookup from cache for performance
1747 reasons.
1748
1749 Default: false
1750
1751 proxy_max_children (integer)
1752 This option specifies the number of pre-forked proxy children. It
1753 is useful for high-load SSSD environments where sssd may run out of
1754 available child slots, which would cause some issues due to the
1755 requests being queued.
1756
1757 Default: 10
1758
1759 Application domains
1760 SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
1761 applications as a gateway to an LDAP directory where users and groups
1762 are stored. However, contrary to the traditional SSSD deployment where
1763 all users and groups either have POSIX attributes or those attributes
1764 can be inferred from the Windows SIDs, in many cases the users and
1765 groups in the application support scenario have no POSIX attributes.
1766 Instead of setting a “[domain/NAME]” section, the administrator can set
1767 up an “[application/NAME]” section that internally represents a domain
1768 with type “application” optionally inherits settings from a tradition
1769 SSSD domain.
1770
1771 Please note that the application domain must still be explicitly
1772 enabled in the “domains” parameter so that the lookup order between the
1773 application domain and its POSIX sibling domain is set correctly.
1774
1775 Application domain parameters
1776
1777 inherit_from (string)
1778 The SSSD POSIX-type domain the application domain inherits all
1779 settings from. The application domain can moreover add its own
1780 settings to the application settings that augment or override the
1781 “sibling” domain settings.
1782
1783 Default: Not set
1784
1785 The following example illustrates the use of an application domain. In
1786 this setup, the POSIX domain is connected to an LDAP server and is used
1787 by the OS through the NSS responder. In addition, the application
1788 domain also requests the telephoneNumber attribute, stores it as the
1789 phone attribute in the cache and makes the phone attribute reachable
1790 through the D-Bus interface.
1791
1792 [sssd]
1793 domains = appdom, posixdom
1794
1795 [ifp]
1796 user_attributes = +phone
1797
1798 [domain/posixdom]
1799 id_provider = ldap
1800 ldap_uri = ldap://ldap.example.com
1801 ldap_search_base = dc=example,dc=com
1802
1803 [application/appdom]
1804 inherit_from = posixdom
1805 ldap_user_extra_attrs = phone:telephoneNumber
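
A consistency check for the application domain rules above, as an added example that is not part of the SSSD manual page or of SSSD itself: it confirms that each “[application/NAME]” domain is listed in “domains” and that inherit_from names an existing “[domain/NAME]” section, then computes the settings the application domain ends up with. The function name and the merge model (sibling settings overlaid by the application domain's own settings) are assumptions of this example.

```python
import configparser

# The example configuration from this page.
PAGE_EXAMPLE = """
[sssd]
domains = appdom, posixdom

[ifp]
user_attributes = +phone

[domain/posixdom]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

[application/appdom]
inherit_from = posixdom
ldap_user_extra_attrs = phone:telephoneNumber
"""

def check_application_domains(text):
    """Return ({application domain: effective settings}, findings)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    listed = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in listed.split(",") if d.strip()]
    effective, findings = {}, []
    for section in cp.sections():
        kind, _, name = section.partition("/")
        if kind != "application":
            continue
        if name not in enabled:
            findings.append(f"{name}: not listed in [sssd] domains, so it is not enabled")
        own = dict(cp[section])
        parent = own.pop("inherit_from", None)
        inherited = {}
        if parent is not None:
            if cp.has_section(f"domain/{parent}"):
                inherited = dict(cp[f"domain/{parent}"])
            else:
                findings.append(f"{name}: inherit_from names missing [domain/{parent}]")
        effective[name] = {**inherited, **own}  # own settings augment or override
    return effective, findings
```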

Some options used in the domain section can also be used in the trusted
domain section, that is, in a section called
“[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
actual joined-to base domain. Please refer to examples below for
explanation. Currently supported options in the trusted domain section
are:

ldap_search_base,

ldap_user_search_base,

ldap_group_search_base,

ldap_netgroup_search_base,

ldap_service_search_base,

ldap_sasl_mech,

ad_server,

ad_backup_server,

ad_site,

use_fully_qualified_names

For more details about these options see their individual description
in the manual page.

To allow authentication with Smartcards and certificates SSSD must be
able to map certificates to users. This can be done by adding the full
certificate to the LDAP object of the user or to a local override.
While using the full certificate is required to use the Smartcard
authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
details) it might be cumbersome or not even possible to do this for the
general case where local services use PAM for authentication.

To make the mapping more flexible, mapping and matching rules were added
to SSSD (see sss-certmap(5) for details).

A mapping and matching rule can be added to the SSSD configuration in a
section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
In this section the following options are allowed:

matchrule (string)
Only certificates from the Smartcard which match this rule will
be processed, all others are ignored.

Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
the Extended Key Usage “clientAuth”

maprule (string)
Defines how the user is found for a given certificate.

Default:

· LDAP:(userCertificate;binary={cert!bin}) for LDAP based
providers like “ldap”, “AD” or “ipa”.

· The RULE_NAME for the “files” provider which tries to find a
user with the same name.


domains (string)
Comma separated list of domain names the rule should be applied to. By
default a rule is only valid in the domain configured in sssd.conf.
If the provider supports subdomains this option can be used to add
the rule to subdomains as well.

Default: the configured domain in sssd.conf

priority (integer)
Unsigned integer value defining the priority of the rule. The
higher the number the lower the priority. “0” stands for the
highest priority while “4294967295” is the lowest.

Default: the lowest priority

To make the configuration simple and reduce the amount of configuration
options the “files” provider has some special properties:

· if maprule is not set the RULE_NAME name is assumed to be the name
of the matching user

· if a maprule is used, both a single user name and a template like
“{subject_rfc822_name.short_name}” must be in braces, e.g.
“(username)” or “({subject_rfc822_name.short_name})”

· the “domains” option is ignored
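
A lint for “[certmap/...]” sections, as an added example that is not part of the SSSD manual page or of SSSD itself: it flags options outside the four listed above, priorities outside the unsigned range, and the “files” provider special cases, and returns the rules sorted with the highest priority (lowest number) first. The function name, the constructed sample configuration and the test used to recognise a files-backed domain (its section sets id_provider = files) are assumptions of this example.

```python
import configparser

ALLOWED = {"matchrule", "maprule", "domains", "priority"}  # options listed above
LOWEST = 4294967295  # lowest priority, also the default
# Constructed sample configuration (not from the page), with deliberate mistakes.
SAMPLE = """
[domain/files]
id_provider = files

[certmap/my.domain/fallback]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$

[certmap/my.domain/preferred]
maprule = (userCertificate;binary={cert!bin})
priority = 10

[certmap/files/myname]
maprule = {subject_rfc822_name.short_name}
domains = my.domain
priorty = 1
"""

def lint_certmap(text):
    """Return ([(priority, section)] sorted highest priority first, findings)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    rules, findings = [], []
    for section in cp.sections():
        parts = section.split("/")
        if parts[0] != "certmap":
            continue
        if len(parts) != 3:
            findings.append(f"{section}: expected certmap/DOMAIN_NAME/RULE_NAME")
            continue
        opts = cp[section]
        for key in sorted(set(opts) - ALLOWED):
            findings.append(f"{section}: unknown option '{key}'")
        prio = opts.get("priority", str(LOWEST))
        if not (prio.isdecimal() and int(prio) <= LOWEST):
            findings.append(f"{section}: priority must be 0..{LOWEST}")
            continue
        # Assumption: a domain is files-backed when its section sets id_provider = files.
        if cp.get(f"domain/{parts[1]}", "id_provider", fallback="") == "files":
            rule = opts.get("maprule", "()")
            if not (rule.startswith("(") and rule.endswith(")")):
                findings.append(f"{section}: maprule must look like (username)")
            if "domains" in opts:
                findings.append(f"{section}: 'domains' is ignored here")
        rules.append((int(prio), section))
    return sorted(rules), findings
```

A misspelled option such as the sample's priorty leaves the rule at the default, lowest priority, which is why the lint reports unknown keys instead of skipping them.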


If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
SSSD's PAM module pam_sss will ask SSSD to figure out which
authentication methods are available for the user trying to log in.
Based on the results pam_sss will prompt the user for appropriate
credentials.

With the growing number of authentication methods and the possibility
that there are multiple ones for a single user the heuristic used by
pam_sss to select the prompting might not be suitable for all use
cases. The following options should provide better flexibility here.

Each supported authentication method has its own configuration
subsection under “[prompting/...]”. Currently there are:

[prompting/password]
to configure password prompting, allowed options are:

password_prompt
to change the string of the password prompt


[prompting/2fa]
to configure two-factor authentication prompting, allowed options
are:

first_prompt
to change the string of the prompt for the first factor

second_prompt
to change the string of the prompt for the second factor

single_prompt
boolean value, if True there will be only a single prompt using
the value of first_prompt where it is expected that both
factors are entered as a single string


It is possible to add a subsection for specific PAM services, e.g.
“[prompting/password/sshd]” to individually change the prompting for this
service.

1. The following example shows a typical SSSD config. It does not
describe configuration of the domains themselves - refer to
documentation on configuring domains for more details.

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true

min_id = 10000
max_id = 20000
enumerate = False

2. The following example shows configuration of IPA AD trust where the
AD forest consists of two domains in a parent-child structure. Suppose
IPA domain (ipa.com) has trust with AD domain (ad.com). ad.com has child
domain (child.ad.com). To enable shortnames in the child domain the
following configuration should be used.

[domain/ipa.com/child.ad.com]
use_fully_qualified_names = false

3. The following example shows the configuration for two certificate
mapping rules. The first is valid for the configured domain “my.domain”
and additionally for the subdomain “your.domain” and uses the full
certificate in the search filter. The second example is valid for the
domain “files” where it is assumed the files provider is used for this
domain and contains a matching rule for the local user “myname”.

[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$


sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)

The SSSD upstream - https://pagure.io/SSSD/sssd/



SSSD 10/22/2019 SSSD.CONF(5)