SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)

sssd.conf - the configuration file for SSSD

The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of a
section with single and multi-valued parameters:

[section]
key = value
key2 = value2,value3

The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).

A comment line starts with a hash sign (“#”) or a semicolon (“;”).
Inline comments are not supported.

All sections can have an optional description parameter. Its function
is only as a label for the section.

sssd.conf must be a regular file, owned by root, and only root may read
from or write to the file.

The configuration file sssd.conf will include configuration snippets
from the include directory conf.d. This feature is available if SSSD
was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with
a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than
sssd.conf and will override sssd.conf when conflicts occur. If several
snippets are present in conf.d, they are included in alphabetical
order (based on locale). Files included later have higher priority.
Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
visualize the priority (a higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf,
which are by default root:root and 0600.

The following options are usable in more than one configuration section.

Options usable in all sections
debug_level (integer)
SSSD supports two representations for specifying the debug level.
The simplest is to specify a decimal value from 0-9, which
represents enabling that level and all lower-level debug messages.
The more comprehensive option is to specify a hexadecimal bitmask
to enable or disable specific levels (such as if you wish to
suppress a level).

Please note that each SSSD service logs into its own log file. Also
please note that enabling “debug_level” in the “[sssd]” section
only enables debugging for the sssd process itself, not for
the responder or provider processes. The “debug_level” parameter
should be added to all sections that you wish to produce debug logs
from.

In addition to changing the log level in the config file using the
“debug_level” parameter, which is persistent but requires an SSSD
restart, it is also possible to change the debug level on the fly
using the sss_debuglevel(8) tool.

Currently supported debug levels:

0, 0x0010: Fatal failures. Anything that would prevent SSSD from
starting up or causes it to cease running.

1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
one that indicates that at least one major feature is not going to
work properly.

2, 0x0040: Serious failures. An error announcing that a particular
request or operation has failed.

3, 0x0080: Minor failures. These are the errors that would
percolate down to cause the operation failure of 2.

4, 0x0100: Configuration settings.

5, 0x0200: Function data.

6, 0x0400: Trace messages for operation functions.

7, 0x1000: Trace messages for internal control functions.

8, 0x2000: Contents of function-internal variables that may be
interesting.

9, 0x4000: Extremely low-level tracing information.

To log required bitmask debug levels, simply add their numbers
together as shown in the following examples:

Example: To log fatal failures, critical failures, serious failures
and function data use 0x0270.

Example: To log fatal failures, configuration settings, function
data and trace messages for internal control functions use 0x1310.

Note: The bitmask format of debug levels was introduced in 1.7.0.

Default: 0
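The two debug_level representations and the bitmask arithmetic above, as an added example for this page (not SSSD's own code): it builds a bitmask from a set of levels, expands a decimal level into the bits it implies, rejects bits that correspond to no documented level, and reproduces the two examples from the text.

```python
"""Convert between the decimal and hexadecimal bitmask forms of debug_level.
The level table is the one listed in the man page."""

# (decimal level, bitmask bit, description), indexed by the decimal level.
DEBUG_LEVELS = [
    (0, 0x0010, "Fatal failures"),
    (1, 0x0020, "Critical failures"),
    (2, 0x0040, "Serious failures"),
    (3, 0x0080, "Minor failures"),
    (4, 0x0100, "Configuration settings"),
    (5, 0x0200, "Function data"),
    (6, 0x0400, "Trace messages for operation functions"),
    (7, 0x1000, "Trace messages for internal control functions"),
    (8, 0x2000, "Contents of function-internal variables"),
    (9, 0x4000, "Extremely low-level tracing information"),
]
# Every documented bit; anything outside this mask is not a known level.
ALL_BITS = sum(bit for _, bit, _ in DEBUG_LEVELS)


def bitmask_for_levels(levels):
    """Bitmask enabling exactly the given decimal levels (any order, any subset)."""
    mask = 0
    for lvl in levels:
        if not 0 <= lvl <= 9:
            raise ValueError(f"debug level out of range: {lvl}")
        mask |= DEBUG_LEVELS[lvl][1]
    return mask


def effective_bitmask(value):
    """Interpret a debug_level string as the man page describes: a decimal
    0-9 enables that level and all lower ones; a 0x value is the raw bitmask."""
    text = value.strip()
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        unknown = mask & ~ALL_BITS
        if unknown:
            raise ValueError(f"bits {hex(unknown)} do not correspond to any level")
        return mask
    level = int(text, 10)
    if not 0 <= level <= 9:
        raise ValueError(f"decimal debug_level must be 0-9, got {level}")
    return bitmask_for_levels(range(level + 1))


def describe(mask):
    """Descriptions of the levels a bitmask enables, lowest level first."""
    return [desc for _, bit, desc in DEBUG_LEVELS if mask & bit]


if __name__ == "__main__":
    # The two examples from the man page.
    print(hex(bitmask_for_levels([0, 1, 2, 5])))   # 0x270
    print(hex(bitmask_for_levels([0, 4, 5, 7])))   # 0x1310
    # Decimal 3 means levels 0..3, i.e. 0x10 + 0x20 + 0x40 + 0x80.
    print(hex(effective_bitmask("3")))             # 0xf0
    print(describe(effective_bitmask("0x1310")))
```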

debug (integer)
SSSD 1.14 and later also includes the debug alias for debug_level
as a convenience feature. If both are specified, the value of
debug_level will be used.

debug_timestamps (bool)
Add a timestamp to the debug messages. If journald is enabled for
SSSD debug logging this option is ignored.

Default: true

debug_microseconds (bool)
Add microseconds to the timestamp in debug messages. If journald is
enabled for SSSD debug logging this option is ignored.

Default: false

Options usable in SERVICE and DOMAIN sections
timeout (integer)
Timeout in seconds between heartbeats for this service. This is
used to ensure that the process is alive and capable of answering
requests. Note that after three missed heartbeats the process will
terminate itself.

Default: 10

The [sssd] section
Individual pieces of SSSD functionality are provided by special SSSD
services that are started and stopped together with SSSD. The services
are managed by a special service frequently called “monitor”. The
“[sssd]” section is used to configure the monitor as well as some other
important options like the identity domains.

Section parameters

config_file_version (integer)
Indicates the syntax version of the config file. SSSD 0.6.0 and
later use version 2.

services
Comma separated list of services that are started when sssd itself
starts. The services list is optional on platforms where systemd
is supported, as they will either be socket or D-Bus activated when
needed.

Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

By default, all services are disabled and the administrator must
enable the ones allowed to be used by executing: "systemctl enable
sssd-@service@.socket".

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

domains
A domain is a database containing user information. SSSD can use
more domains at the same time, but at least one must be configured
or SSSD won't start. This parameter describes the list of domains
in the order you want them to be queried. A domain name should only
consist of alphanumeric ASCII characters, dashes, dots and
underscores.

re_expression (string)
Default regular expression that describes how to parse the string
containing user name and domain into these components.

Each domain can have an individual regular expression configured.
For some ID providers there are also default regular expressions.
See DOMAIN SECTIONS for more info on these regular expressions.

full_name_format (string)
A printf(3)-compatible format that describes how to compose a fully
qualified name from user name and domain name components.

The following expansions are supported:

%1$s
user name

%2$s
domain name as specified in the SSSD config file.

%3$s
domain flat name. Mostly usable for Active Directory domains,
both directly configured or discovered via IPA trusts.

Each domain can have an individual format string configured. See
DOMAIN SECTIONS for more info on this option.

monitor_resolv_conf (boolean)
Controls if SSSD should monitor the state of resolv.conf to
identify when it needs to update its internal DNS resolver.

Default: true

try_inotify (boolean)
By default, SSSD will attempt to use inotify to monitor
configuration file changes and will fall back to polling every
five seconds if inotify cannot be used.

There are some limited situations where it is preferred that we
should skip even trying to use inotify. In these rare cases, this
option should be set to 'false'.

Default: true on platforms where inotify is supported. False on
other platforms.

Note: this option will have no effect on platforms where inotify is
unavailable. On these platforms, polling will always be used.

krb5_rcache_dir (string)
Directory on the filesystem where SSSD should store Kerberos replay
cache files.

This option accepts a special value __LIBKRB5_DEFAULTS__ that will
instruct SSSD to let libkrb5 decide the appropriate location for
the replay cache.

Default: Distribution-specific and specified at build-time.
(__LIBKRB5_DEFAULTS__ if not configured)

user (string)
The user to drop the privileges to where appropriate to avoid
running as the root user. This option does not work when running
socket-activated services, as the user set up to run the processes
is set up during compilation time. The way to override the systemd
unit files is by creating the appropriate files in
/etc/systemd/system/. Keep in mind that any change in the socket
user, group or permissions may result in a non-usable SSSD. The
same may occur in case of changes of the user running the NSS
responder.

Default: not set, process will run as root

default_domain_suffix (string)
This string will be used as a default domain name for all names
without a domain name component. The main use case is environments
where the primary domain is intended for managing host policies and
all users are located in a trusted domain. The option allows those
users to log in just with their user name without giving a domain
name as well.

Please note that if this option is set all users from the primary
domain have to use their fully qualified name, e.g.
user@domain.name, to log in. Setting this option changes the default
of use_fully_qualified_names to True. It is not allowed to use this
option together with use_fully_qualified_names set to False. One
exception from this rule are domains with “id_provider=files” that
always try to match the behaviour of nss_files and therefore their
output is not qualified even when the default_domain_suffix option
is used.

Default: not set

override_space (string)
This parameter will replace spaces (space bar) with the given
character for user and group names, e.g. “_”: the user name "john doe"
will be "john_doe". This feature was added to help compatibility
with shell scripts that have difficulty handling spaces, due to the
default field separator in the shell.

Please note it is a configuration error to use a replacement
character that might be used in user or group names. If a name
contains the replacement character SSSD tries to return the
unmodified name but in general the result of a lookup is undefined.

Default: not set (spaces will not be replaced)

certificate_verification (string)
With this parameter the certificate verification can be tuned with
a comma separated list of options. Supported options are:

no_ocsp
Disables Online Certificate Status Protocol (OCSP) checks. This
might be needed if the OCSP servers defined in the certificate
are not reachable from the client.

soft_ocsp
(NSS Version) This option is ignored.

(OpenSSL Version) If a connection cannot be established to an
OCSP responder the OCSP check is skipped. This option should be
used to allow authentication when the system is offline and the
OCSP responder cannot be reached.

ocsp_dgst
Digest (hash) function used to create the certificate ID for
the OCSP request. Allowed values are:

· sha1

· sha256

· sha384

· sha512

Default: sha256

(NSS Version) This option is ignored, because NSS uses sha1
unconditionally.

no_verification
Disables verification completely. This option should only be
used for testing.

ocsp_default_responder=URL
Sets the OCSP default responder which should be used instead of
the one mentioned in the certificate. URL must be replaced with
the URL of the OCSP default responder e.g.
http://example.com:80/ocsp.

(NSS Version) This option must be used together with
ocsp_default_responder_signing_cert.

ocsp_default_responder_signing_cert=NAME
(NSS Version) The nickname of the cert to trust (expected) to
sign the OCSP responses. The certificate with the given
nickname must be available in the system's NSS database.

This option must be used together with ocsp_default_responder.

(OpenSSL version) This option is currently ignored. All needed
certificates must be available in the PEM file given by
pam_cert_db_path.

crl_file=/PATH/TO/CRL/FILE
(NSS Version) This option is ignored, please see crlutil(1) for how
to import a Certificate Revocation List (CRL) into a NSS
database.

(OpenSSL Version) Use the Certificate Revocation List (CRL)
from the given file during the verification of the certificate.
The CRL must be given in PEM format, see crl(1ssl) for details.

soft_crl
(NSS Version) This option is ignored.

(OpenSSL Version) If a Certificate Revocation List (CRL) is
expired, ignore the CRL checks for the related certificates.
This option should be used to allow authentication when the
system is offline and the CRL cannot be renewed.

This man page was generated for the OpenSSL version.

Unknown options are reported but ignored.

Default: not set, i.e. do not restrict certificate verification
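A review helper for the certificate_verification option list above, as an added example for this page (not SSSD's parser): it splits the comma separated list into flag and value options, collects the tokens SSSD would report but ignore, validates ocsp_dgst, and flags the settings that weaken revocation or verification checks on the OpenSSL build.

```python
"""Parse and audit a certificate_verification value from the [sssd] section,
following the option list and OpenSSL-build notes in the man page."""

FLAG_OPTIONS = {"no_ocsp", "soft_ocsp", "no_verification", "soft_crl"}
VALUE_OPTIONS = {"ocsp_dgst", "ocsp_default_responder",
                 "ocsp_default_responder_signing_cert", "crl_file"}
OCSP_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}
# Settings that reduce what verification rejects; a reviewer wants to see them.
WEAKENING = {
    "no_verification": "certificate verification disabled entirely (testing only)",
    "no_ocsp": "revocation status is never checked via OCSP",
    "soft_ocsp": "OCSP check is skipped when the responder is unreachable",
    "soft_crl": "an expired CRL no longer blocks the related certificates",
}


def parse_certificate_verification(value):
    """Return (settings, unknown): settings maps option name to its value
    (True for flag options); unknown lists tokens SSSD reports but ignores."""
    settings, unknown = {}, []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        name, sep, arg = token.partition("=")   # URLs may contain '=' after the first
        if name in FLAG_OPTIONS and not sep:
            settings[name] = True
        elif name in VALUE_OPTIONS and sep and arg:
            settings[name] = arg
        else:
            unknown.append(token)
    return settings, unknown


def audit_certificate_verification(value):
    """Findings for the OpenSSL build: ignored tokens, invalid values,
    options that have no effect there, and settings that weaken verification."""
    settings, unknown = parse_certificate_verification(value)
    findings = [f"ignored unknown option: {tok}" for tok in unknown]
    dgst = settings.get("ocsp_dgst", "sha256")   # documented default
    if dgst not in OCSP_DIGESTS:
        findings.append(f"ocsp_dgst={dgst} is not an allowed digest")
    elif dgst == "sha1":
        findings.append("ocsp_dgst=sha1 selects the weakest allowed digest")
    if "ocsp_default_responder_signing_cert" in settings:
        findings.append("ocsp_default_responder_signing_cert is ignored by the "
                        "OpenSSL build; trust comes from the PEM file in pam_cert_db_path")
    crl = settings.get("crl_file")
    if crl is not None and not crl.startswith("/"):
        findings.append(f"crl_file={crl} is not an absolute path")
    for name, why in WEAKENING.items():
        if name in settings:
            findings.append(f"{name}: {why}")
    return findings


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("no_ocsp,ocsp_dgst=sha512, crl_file=/etc/sssd/pki/crl.pem",
                   "no_verification=yes,bogus,ocsp_dgst=md5",
                   "soft_ocsp,ocsp_default_responder=http://example.com:80/ocsp"):
        print(sample, "->", audit_certificate_verification(sample))
```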

disable_netlink (boolean)
SSSD hooks into the netlink interface to monitor changes to routes,
addresses, links and trigger certain actions.

The SSSD state changes caused by netlink events may be undesirable
and can be disabled by setting this option to 'true'.

Default: false (netlink changes are detected)

enable_files_domain (boolean)
When this option is enabled, SSSD prepends an implicit domain with
“id_provider=files” before any explicitly configured domains.

Default: true

domain_resolution_order
Comma separated list of domains and subdomains representing the
lookup order that will be followed. The list doesn't have to
include all possible domains as the missing domains will be looked
up based on the order they're presented in the “domains”
configuration option. The subdomains which are not listed as part
of “lookup_order” will be looked up in a random order for each
parent domain.

Please note that when this option is set the output format of all
commands is always fully-qualified even when using short names for
input, for all users but the ones managed by the files provider. In
case the administrator wants the output not fully-qualified, the
full_name_format option can be used as shown below:
“full_name_format=%1$s”. However, keep in mind that during login,
login applications often canonicalize the username by calling
getpwnam(3) which, if a shortname is returned for a qualified input
(while trying to reach a user which exists in multiple domains),
might re-route the login attempt into the domain which uses
shortnames, making this workaround not recommended at all in cases
where usernames may overlap between domains.

Default: Not set

Settings that can be used to configure different services are described
in this section. They should reside in the [$NAME] section; for
example, for the NSS service, the section would be “[nss]”.

General service configuration options
These options can be used to configure any service.

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

fd_limit
This option specifies the maximum number of file descriptors that
may be opened at one time by this SSSD process. On systems where
SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this capability, the resulting
value will be the lower value of this or the limits.conf "hard"
limit.

Default: 8192 (or limits.conf "hard" limit)

client_idle_timeout
This option specifies the number of seconds that a client of an
SSSD process can hold onto a file descriptor without communicating
on it. This value is limited in order to avoid resource exhaustion
on the system. The timeout can't be shorter than 10 seconds. If a
lower value is configured, it will be adjusted to 10 seconds.

Default: 60

offline_timeout (integer)
When SSSD switches to offline mode the amount of time before it
tries to go back online will increase based upon the time spent
disconnected. This value is in seconds and calculated by the
following:

offline_timeout + random_offset

The random offset can increment up to 30 seconds. After each
unsuccessful attempt to go online, the new interval is recalculated
by the following:

new_interval = old_interval*2 + random_offset

Note that the maximum length of each interval is currently limited
to one hour. If the calculated length of new_interval is greater
than an hour, it will be forced to one hour.

Default: 60

responder_idle_timeout
This option specifies the number of seconds that an SSSD responder
process can be up without being used. This value is limited in
order to avoid resource exhaustion on the system. The minimum
acceptable value for this option is 60 seconds. Setting this option
to 0 (zero) means that no timeout will be set up for the responder.
This option only has effect when SSSD is built with systemd support
and when services are either socket or D-Bus activated.

Default: 300

cache_first
This option specifies whether the responder should query all caches
before querying the Data Providers.

Default: false

NSS configuration options
These options can be used to configure the Name Service Switch (NSS)
service.

enum_cache_timeout (integer)
How many seconds should nss_sss cache enumerations (requests for
info about all users).

Default: 120

entry_cache_nowait_percentage (integer)
The entry cache can be set to automatically update entries in the
background if they are requested beyond a percentage of the
entry_cache_timeout value for the domain.

For example, if the domain's entry_cache_timeout is set to 30s and
entry_cache_nowait_percentage is set to 50 (percent), entries that
come in after 15 seconds past the last cache update will be
returned immediately, but the SSSD will go and update the cache on
its own, so that future requests will not need to block waiting for
a cache update.

Valid values for this option are 0-99 and represent a percentage of
the entry_cache_timeout for each domain. For performance reasons,
this percentage will never reduce the nowait timeout to less than
10 seconds. (0 disables this feature)

Default: 50

entry_negative_timeout (integer)
Specifies for how many seconds nss_sss should cache negative cache
hits (that is, queries for invalid database entries, like
nonexistent ones) before asking the back end again.

Default: 15

local_negative_timeout (integer)
Specifies for how many seconds nss_sss should keep local users and
groups in the negative cache before trying to look them up in the
back end again. Setting the option to 0 disables this feature.

Default: 14400 (4 hours)

filter_users, filter_groups (string)
Exclude certain users or groups from being fetched from the sss NSS
database. This is particularly useful for system accounts. This
option can also be set per-domain or include fully-qualified names
to filter only users from the particular domain or by a user
principal name (UPN).

NOTE: The filter_groups option doesn't affect inheritance of nested
group members, since filtering happens after they are propagated
for returning via NSS. E.g. a group having a member group filtered
out will still have the member users of the latter listed.

Default: root

filter_users_in_groups (bool)
If you want filtered users to still be group members, set this
option to false.

Default: true

override_homedir (string)
Override the user's home directory. You can either provide an
absolute value or a template. In the template, the following
sequences are substituted:

%u
login name

%U
UID number

%d
domain name

%f
fully qualified user name (user@domain)

%l
The first letter of the login name.

%P
UPN - User Principal Name (name@REALM)

%o
The original home directory retrieved from the identity
provider.

%H
The value of configure option homedir_substring.

%%
a literal '%'

This option can also be set per-domain.

example:

override_homedir = /home/%u

Default: Not set (SSSD will use the value retrieved from LDAP)
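The template expansion above, as an added example for this page rather than SSSD's own implementation: it walks a template character by character, substitutes every documented sequence (including the %% escape and %H from homedir_substring), rejects sequences the page does not list, and applies the override/provider/fallback precedence that override_homedir and fallback_homedir describe. The user record is constructed.

```python
"""Expand override_homedir / fallback_homedir templates with the sequences
documented in sssd.conf(5) and pick the home directory by precedence."""


def expand_homedir(template, user, homedir_substring="/home"):
    """user: dict with name, uid, domain and optional upn / orig_home.
    Unknown %-sequences raise instead of being passed through silently."""
    substitutions = {
        "u": user["name"],                              # login name
        "U": str(user["uid"]),                          # UID number
        "d": user["domain"],                            # domain name
        "f": f"{user['name']}@{user['domain']}",        # user@domain
        "l": user["name"][:1],                          # first letter of login
        "P": user.get("upn") or "",                     # UPN (name@REALM)
        "o": user.get("orig_home") or "",               # provider's home dir
        "H": homedir_substring,                         # homedir_substring option
        "%": "%",                                       # literal percent sign
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        code = template[i + 1]
        if code not in substitutions:
            raise ValueError(f"unknown sequence %{code} in template")
        out.append(substitutions[code])
        i += 2
    return "".join(out)


def resolve_homedir(user, override=None, fallback=None, homedir_substring="/home"):
    """override_homedir wins when set; otherwise the provider's value is used;
    fallback_homedir only fills in a home directory the provider did not give."""
    if override:
        return expand_homedir(override, user, homedir_substring)
    if user.get("orig_home"):
        return user["orig_home"]
    if fallback:
        return expand_homedir(fallback, user, homedir_substring)
    return None


if __name__ == "__main__":
    # Constructed user record.
    jdoe = {"name": "jdoe", "uid": 1001, "domain": "example.com",
            "upn": "jdoe@EXAMPLE.COM", "orig_home": "/export/jdoe"}
    print(expand_homedir("%H/%d/%l/%u", jdoe))          # /home/example.com/j/jdoe
    print(resolve_homedir(jdoe, fallback="/home/%u"))   # /export/jdoe (provider wins)
    print(resolve_homedir(jdoe, override="/home/%u"))   # /home/jdoe
```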

homedir_substring (string)
The value of this option will be used in the expansion of the
override_homedir option if the template contains the format string
%H. An LDAP directory entry can directly contain this template so
that this option can be used to expand the home directory path for
each client machine (or operating system). It can be set per-domain
or globally in the [nss] section. A value specified in a domain
section will override one set in the [nss] section.

Default: /home

fallback_homedir (string)
Set a default template for a user's home directory if one is not
specified explicitly by the domain's data provider.

The available values for this option are the same as for
override_homedir.

example:

fallback_homedir = /home/%u

Default: not set (no substitution for unset home directories)

override_shell (string)
Override the login shell for all users. This option supersedes any
other shell options if it takes effect and can be set either in the
[nss] section or per-domain.

Default: not set (SSSD will use the value retrieved from LDAP)

allowed_shells (string)
Restrict user shell to one of the listed values. The order of
evaluation is:

1. If the shell is present in “/etc/shells”, it is used.

2. If the shell is in the allowed_shells list but not in
“/etc/shells”, use the value of the shell_fallback parameter.

3. If the shell is not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.

The wildcard (*) can be used to allow any shell.

The (*) is useful if you want to use shell_fallback in case the
user's shell is not in “/etc/shells” and maintaining a list of all
allowed shells in allowed_shells would be too much overhead.

An empty string for shell is passed as-is to libc.

The “/etc/shells” is only read on SSSD start up, which means that a
restart of the SSSD is required in case a new shell is installed.

Default: Not set. The user shell is automatically used.

vetoed_shells (string)
Replace any instance of these shells with the shell_fallback.

shell_fallback (string)
The default shell to use if an allowed shell is not installed on
the machine.

Default: /bin/sh

default_shell
The default shell to use if the provider does not return one during
lookup. This option can be specified globally in the [nss] section
or per-domain.

Default: not set (Return NULL if no shell is specified and rely on
libc to substitute something sensible when necessary, usually
/bin/sh)
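The shell selection rules of override_shell, allowed_shells, vetoed_shells, shell_fallback and default_shell, modelled together as an added example for this page (not SSSD's code). Two assumptions are labelled in the code: vetoed_shells is applied before the three allowed_shells steps, and the nologin path is /sbin/nologin; the /etc/shells contents are passed in rather than read from disk, which also makes the "only read at start up" caveat explicit.

```python
"""Model of the NSS responder's shell selection as documented in sssd.conf(5)."""

NOLOGIN = "/sbin/nologin"   # assumed path of the nologin shell


def select_shell(provider_shell, etc_shells, allowed_shells=(), vetoed_shells=(),
                 shell_fallback="/bin/sh", default_shell=None, override_shell=None):
    """Return the shell the responder would hand to libc.

    provider_shell: value from the identity provider, None if it returned none.
    etc_shells: the /etc/shells entries as read at SSSD start up.
    """
    # override_shell supersedes every other shell option when set.
    if override_shell:
        return override_shell
    # Provider returned no shell: default_shell, else None and libc decides.
    if provider_shell is None:
        return default_shell
    # An empty string is passed through as-is.
    if provider_shell == "":
        return ""
    # Assumption: vetoed shells are replaced before the allowed_shells steps.
    if provider_shell in vetoed_shells:
        return shell_fallback
    # allowed_shells not set: the user's shell is used automatically.
    if not allowed_shells:
        return provider_shell
    # Step 1: present in /etc/shells -> use it.
    if provider_shell in etc_shells:
        return provider_shell
    # Step 2: allowed (explicitly or via '*') but not installed -> shell_fallback.
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback
    # Step 3: neither allowed nor installed -> nologin shell.
    return NOLOGIN


if __name__ == "__main__":
    # Constructed /etc/shells snapshot.
    etc = ("/bin/sh", "/bin/bash", "/usr/bin/zsh")
    print(select_shell("/usr/bin/fish", etc, allowed_shells=("/bin/bash",)))   # /sbin/nologin
    print(select_shell("/usr/bin/fish", etc, allowed_shells=("*",)))           # /bin/sh
    print(select_shell("/bin/bash", etc, allowed_shells=("*",),
                       vetoed_shells=("/bin/bash",)))                          # /bin/sh
```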
655
656 get_domains_timeout (int)
657 Specifies time in seconds for which the list of subdomains will be
658 considered valid.
659
660 Default: 60
661
662 memcache_timeout (int)
663 Specifies time in seconds for which records in the in-memory cache
664 will be valid. Setting this option to zero will disable the
665 in-memory cache.
666
667 Default: 300
668
669 WARNING: Disabling the in-memory cache will have significant
670 negative impact on SSSD's performance and should only be used for
671 testing.
672
673 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
674 "NO", client applications will not use the fast in-memory cache.
675
676 user_attributes (string)
677 Some of the additional NSS responder requests can return more
678 attributes than just the POSIX ones defined by the NSS interface.
679 The list of attributes is controlled by this option. It is handled
680 the same way as the “user_attributes” option of the InfoPipe
681 responder (see sssd-ifp(5) for details) but with no default values.
682
683 To make configuration more easy the NSS responder will check the
684 InfoPipe option if it is not set for the NSS responder.
685
686 Default: not set, fallback to InfoPipe option
687
688 pwfield (string)
689 The value that NSS operations that return users or groups will
690 return for the “password” field.
691
692 This option can also be set per-domain.
693
694 Default: “*” (remote domains) or “x” (the files domain)
695
696 PAM configuration options
697 These options can be used to configure the Pluggable Authentication
698 Module (PAM) service.
699
700 offline_credentials_expiration (integer)
701 If the authentication provider is offline, how long should we allow
702 cached logins (in days since the last successful online login).
703
704 Default: 0 (No limit)
705
706 offline_failed_login_attempts (integer)
707 If the authentication provider is offline, how many failed login
708 attempts are allowed.
709
710 Default: 0 (No limit)
711
712 offline_failed_login_delay (integer)
713 The time in minutes which has to pass after
714 offline_failed_login_attempts has been reached before a new login
715 attempt is possible.
716
717 If set to 0 the user cannot authenticate offline if
718 offline_failed_login_attempts has been reached. Only a successful
719 online authentication can enable offline authentication again.
720
721 Default: 5
722
723 pam_verbosity (integer)
724 Controls what kind of messages are shown to the user during
725 authentication. The higher the number to more messages are
726 displayed.
727
728 Currently sssd supports the following values:
729
730 0: do not show any message
731
732 1: show only important messages
733
734 2: show informational messages
735
736 3: show all messages and debug information
737
738 Default: 1
739
740 pam_response_filter (integer)
741 A comma separated list of strings which allows to remove (filter)
742 data sent by the PAM responder to pam_sss PAM module. There are
743 different kind of responses sent to pam_sss e.g. messages displayed
744 to the user or environment variables which should be set by
745 pam_sss.
746
747 While messages already can be controlled with the help of the
748 pam_verbosity option this option allows to filter out other kind of
749 responses as well.
750
751 Currently the following filters are supported:
752
753 ENV
754 Do not send any environment variables to any service.
755
756 ENV:var_name
757 Do not send environment variable var_name to any service.
758
759 ENV:var_name:service
760 Do not send environment variable var_name to service.
761
762 Default: not set
763
764 Example: ENV:KRB5CCNAME:sudo-i
765
766 pam_id_timeout (integer)
767 For any PAM request while SSSD is online, the SSSD will attempt to
768 immediately update the cached identity information for the user in
769 order to ensure that authentication takes place with the latest
770 information.
771
772 A complete PAM conversation may perform multiple PAM requests, such
773 as account management and session opening. This option controls (on
774 a per-client-application basis) how long (in seconds) we can cache
775 the identity information to avoid excessive round-trips to the
776 identity provider.
777
778 Default: 5
779
780 pam_pwd_expiration_warning (integer)
781 Display a warning N days before the password expires.
782
783 Please note that the backend server has to provide information
784 about the expiration time of the password. If this information is
785 missing, sssd cannot display a warning.
786
787 If zero is set, then this filter is not applied, i.e. if the
788 expiration warning was received from backend server, it will
789 automatically be displayed.
790
791 This setting can be overridden by setting pwd_expiration_warning
792 for a particular domain.
793
794 Default: 0
795
796 get_domains_timeout (int)
797 Specifies time in seconds for which the list of subdomains will be
798 considered valid.
799
800 Default: 60
801
802 pam_trusted_users (string)
803 Specifies the comma-separated list of UID values or user names that
804 are allowed to run PAM conversations against trusted domains. Users
805 not included in this list can only access domains marked as public
806 with “pam_public_domains”. User names are resolved to UIDs at
807 startup.
808
809 Default: All users are considered trusted by default
810
811 Please note that UID 0 is always allowed to access the PAM
812 responder even in case it is not in the pam_trusted_users list.
813
814 pam_public_domains (string)
815 Specifies the comma-separated list of domain names that are
816 accessible even to untrusted users.
817
818 Two special values for pam_public_domains option are defined:
819
820 all (Untrusted users are allowed to access all domains in PAM
821 responder.)
822
823 none (Untrusted users are not allowed to access any domains PAM in
824 responder.)
825
826 Default: none
827
828 pam_account_expired_message (string)
829 Allows a custom expiration message to be set, replacing the default
830 'Permission denied' message.
831
832 Note: Please be aware that message is only printed for the SSH
833 service unless pam_verbosity is set to 3 (show all messages and
834 debug information).
835
836 example:
837
838 pam_account_expired_message = Account expired, please contact help desk.
839
840
841 Default: none
842
843 pam_account_locked_message (string)
844 Allows a custom lockout message to be set, replacing the default
845 'Permission denied' message.
846
847 example:
848
849 pam_account_locked_message = Account locked, please contact help desk.
850
851
852 Default: none
853
854 pam_cert_auth (bool)
855 Enable certificate based Smartcard authentication. Since this
856 requires additional communication with the Smartcard which will
857 delay the authentication process this option is disabled by
858 default.
859
860 Default: False
861
862 pam_cert_db_path (string)
863 The path to the certificate database which contain the PKCS#11
864 modules to access the Smartcard.
865
866 Default:
867
868 · /etc/pki/nssdb (NSS version, path to a NSS database)
869
870 · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
871 file with trusted CA certificates in PEM format)
872
873 This man page was generated for the OpenSSL version.
874
875 p11_child_timeout (integer)
876 How many seconds will pam_sss wait for p11_child to finish.
877
878 Default: 10
879
880 pam_app_services (string)
881 Which PAM services are permitted to contact domains of type
882 “application”
883
884 Default: Not set
885
886 pam_p11_allowed_services (integer)
887 A comma-separated list of PAM service names for which Smartcard
888 authentication is allowed.
889
890 It is possible to add another PAM service name to the default set
891 by using “+service_name” or to explicitly remove a PAM service name
892 from the default set by using “-service_name”. For example, in
893 order to replace a default PAM service name for authentication with
894 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
895 “my_pam_service”), you would use the following configuration:
896
897 pam_p11_allowed_services = +my_pam_service, -login
898
899
900 Default: the default set of PAM service names includes:
901
902 · login
903
904 · su
905
906 · su-l
907
908 · gdm-smartcard
909
910 · gdm-password
911
912 · kdm
913
914 · sudo
915
916 · sudo-i
917
918 · gnome-screensaver
919
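The "+service_name" / "-service_name" semantics above, worked through as an added example (not SSSD's own code): a plain list replaces the default set, while entries with a "+" or "-" prefix modify it. Rejecting a mix of plain and prefixed entries is this example's assumption, not documented SSSD behaviour.

```python
"""Emulation of how a pam_p11_allowed_services value modifies the
default set of PAM service names (added example, not SSSD code)."""

# Default set exactly as listed in the man page.
DEFAULT_P11_SERVICES = frozenset({
    "login", "su", "su-l", "gdm-smartcard", "gdm-password",
    "kdm", "sudo", "sudo-i", "gnome-screensaver",
})


def resolve_p11_allowed_services(value, defaults=DEFAULT_P11_SERVICES):
    """Return the set of PAM services allowed to use Smartcards.

    Documented semantics: a plain comma-separated list replaces the
    default set; "+name" adds a service to the defaults and "-name"
    removes one.  Mixing plain names with +/- entries is treated as a
    configuration error here (assumption of this example).
    """
    if value is None or not value.strip():
        return set(defaults)

    entries = [e.strip() for e in value.split(",") if e.strip()]
    modifiers = [e for e in entries if e[0] in "+-"]
    plain = [e for e in entries if e[0] not in "+-"]

    if modifiers and plain:
        raise ValueError("cannot mix an explicit list with +/- modifiers")
    if not modifiers:
        # Explicit list: the defaults are discarded entirely.
        return set(plain)

    result = set(defaults)
    for entry in modifiers:
        op, name = entry[0], entry[1:]
        if not name:
            raise ValueError(f"empty service name in {entry!r}")
        if op == "+":
            result.add(name)
        else:
            result.discard(name)   # removing an unknown name is harmless
    return result
```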
920
921 p11_wait_for_card_timeout (integer)
922 If Smartcard authentication is required, how many extra seconds in
923 addition to p11_child_timeout should the PAM responder wait until a
924 Smartcard is inserted.
925
926 Default: 60
927
928 p11_uri (string)
929 PKCS#11 URI (see RFC-7512 for details) which can be used to
930 restrict the selection of devices used for Smartcard
931 authentication. By default SSSD's p11_child will search for a
932 PKCS#11 slot (reader) where the 'removable' flag is set and read
933 the certificates from the token inserted in the first slot found.
934 If multiple readers are connected, p11_uri can be used to tell
935 p11_child to use a specific reader.
936
937 Example:
938
939 p11_uri = slot-description=My%20Smartcar%20Reader
940
941
942 or
943
944 p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
945
946
947 To find a suitable URI, please check the debug output of p11_child.
948 As an alternative, the GnuTLS utility 'p11tool' with e.g. the
949 '--list-all' option will show PKCS#11 URIs as well.
950
951 Default: none
952
953 SUDO configuration options
954 These options can be used to configure the sudo service. The detailed
955 instructions for configuration of sudo(8) to work with sssd(8) are in
956 the manual page sssd-sudo(5).
957
958 sudo_timed (bool)
959 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
960 attributes that implement time-dependent sudoers entries.
961
962 Default: false
963
964 sudo_threshold (integer)
965 Maximum number of expired rules that can be refreshed at once. If
966 the number of expired rules is below the threshold, those rules are
967 refreshed with the “rules refresh” mechanism. If the threshold is
968 exceeded, a “full refresh” of sudo rules is triggered instead. This
969 threshold number also applies to IPA sudo command and command group
970 searches.
971
972 Default: 50
973
974 AUTOFS configuration options
975 These options can be used to configure the autofs service.
976
977 autofs_negative_timeout (integer)
978 Specifies for how many seconds the autofs responder should
979 negatively cache hits (that is, queries for invalid map entries,
980 like nonexistent ones) before asking the back end again.
981
982 Default: 15
983
984 Please note that the automounter only reads the master map on startup,
985 so if any autofs-related changes are made to the sssd.conf, you
986 typically also need to restart the automounter daemon after restarting
987 the SSSD.
988
989 SSH configuration options
990 These options can be used to configure the SSH service.
991
992 ssh_hash_known_hosts (bool)
993 Whether or not to hash host names and addresses in the managed
994 known_hosts file.
995
996 Default: true
997
998 ssh_known_hosts_timeout (integer)
999 How many seconds to keep a host in the managed known_hosts file
1000 after its host keys were requested.
1001
1002 Default: 180
1003
1004 ssh_use_certificate_keys (bool)
1005 If set to true, sss_ssh_authorizedkeys will also return ssh keys
1006 derived from the public key of X.509 certificates stored in the
1007 user entry. See sss_ssh_authorizedkeys(1) for details.
1008
1009 Default: true
1010
1011 ssh_use_certificate_matching_rules (string)
1012 By default the ssh responder will use all available certificate
1013 matching rules to filter the certificates so that ssh keys are only
1014 derived from the matching ones. With this option the used rules can
1015 be restricted with a comma separated list of mapping and matching
1016 rule names. All other rules will be ignored.
1017
1018 If a non-existing rule name is given all rules will be ignored and
1019 all available certificates will be used to derive ssh keys.
1020
1021 Default: not set, all found rules are used
1022
1023 ca_db (string)
1024 Path to a storage of trusted CA certificates. The option is used to
1025 validate user certificates before deriving public ssh keys from
1026 them.
1027
1028 Default:
1029
1030 · /etc/pki/nssdb (NSS version, path to a NSS database)
1031
1032 · /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a
1033 file with trusted CA certificates in PEM format)
1034
1035 This man page was generated for the OpenSSL version.
1036
1037 PAC responder configuration options
1038 The PAC responder works together with the authorization data plugin for
1039 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1040 sends the PAC data during a GSSAPI authentication to the PAC responder.
1041 The sub-domain provider collects domain SID and ID ranges of the domain
1042 the client is joined to and of remote trusted domains from the local
1043 domain controller. If the PAC is decoded and evaluated, some of the
1044 following operations are done:
1045
1046 · If the remote user does not exist in the cache, it is created. The
1047 UID is determined with the help of the SID, trusted domains will
1048 have UPGs and the GID will have the same value as the UID. The home
1049 directory is set based on the subdomain_homedir parameter. The
1050 shell will be empty by default, i.e. the system defaults are used,
1051 but can be overwritten with the default_shell parameter.
1052
1053 · If there are SIDs of groups from domains sssd knows about, the user
1054 will be added to those groups.
1055
1056 These options can be used to configure the PAC responder.
1057
1058 allowed_uids (string)
1059 Specifies the comma-separated list of UID values or user names that
1060 are allowed to access the PAC responder. User names are resolved to
1061 UIDs at startup.
1062
1063 Default: 0 (only the root user is allowed to access the PAC
1064 responder)
1065
1066 Please note that although the UID 0 is used as the default it will
1067 be overwritten with this option. If you still want to allow the
1068 root user to access the PAC responder, which would be the typical
1069 case, you have to add 0 to the list of allowed UIDs as well.
1070
1071 pac_lifetime (integer)
1072 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1073 the PAC data can be used to determine the group memberships of a
1074 user.
1075
1076 Default: 300
1077
1078 Session recording configuration options
1079 Session recording works in conjunction with tlog-rec-session(8), a part
1080 of tlog package, to log what users see and type when they log in on a
1081 text terminal. See also sssd-session-recording(5).
1082
1083 These options can be used to configure session recording.
1084
1085 scope (string)
1086 One of the following strings specifying the scope of session
1087 recording:
1088
1089 "none"
1090 No users are recorded.
1091
1092 "some"
1093 Users/groups specified by users and groups options are
1094 recorded.
1095
1096 "all"
1097 All users are recorded.
1098
1099 Default: "none"
1100
1101 users (string)
1102 A comma-separated list of users which should have session recording
1103 enabled. Matches user names as returned by NSS. I.e. after the
1104 possible space replacement, case changes, etc.
1105
1106 Default: Empty. Matches no users.
1107
1108 groups (string)
1109 A comma-separated list of groups, members of which should have
1110 session recording enabled. Matches group names as returned by NSS.
1111 I.e. after the possible space replacement, case changes, etc.
1112
1113 NOTE: using this option (having it set to anything) has a
1114 considerable performance cost, because each uncached request for a
1115 user requires retrieving and matching the groups the user is member
1116 of.
1117
1118 Default: Empty. Matches no groups.
1119
1121 These configuration options can be present in a domain configuration
1122 section, that is, in a section called “[domain/NAME]”.
1123
1124 domain_type (string)
1125 Specifies whether the domain is meant to be used by POSIX-aware
1126 clients such as the Name Service Switch or by applications that do
1127 not need POSIX data to be present or generated. Only objects from
1128 POSIX domains are available to the operating system interfaces and
1129 utilities.
1130
1131 Allowed values for this option are “posix” and “application”.
1132
1133 POSIX domains are reachable by all services. Application domains
1134 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1135 and the PAM responder.
1136
1137 NOTE: The application domains are currently well tested with
1138 “id_provider=ldap” only.
1139
1140 For an easy way to configure a non-POSIX domain, please see the
1141 “Application domains” section.
1142
1143 Default: posix
1144
1145 min_id,max_id (integer)
1146 UID and GID limits for the domain. If a domain contains an entry
1147 that is outside these limits, it is ignored.
1148
1149 For users, this affects the primary GID limit. The user will not be
1150 returned to NSS if either the UID or the primary GID is outside the
1151 range. For non-primary group memberships, those that are in range
1152 will be reported as expected.
1153
1154 These ID limits affect even saving entries to cache, not only
1155 returning them by name or ID.
1156
1157 Default: 1 for min_id, 0 (no limit) for max_id
1158
1159 enumerate (bool)
1160 Determines if a domain can be enumerated, that is, whether the
1161 domain can list all the users and groups it contains. Note that it
1162 is not required to enable enumeration in order for secondary groups
1163 to be displayed. This parameter can have one of the following
1164 values:
1165
1166 TRUE = Users and groups are enumerated
1167
1168 FALSE = No enumerations for this domain
1169
1170 Default: FALSE
1171
1172 Enumerating a domain requires SSSD to download and store ALL user
1173 and group entries from the remote server.
1174
1175 Note: Enabling enumeration has a moderate performance impact on
1176 SSSD while enumeration is running. It may take up to several
1177 minutes after SSSD startup to fully complete enumerations. During
1178 this time, individual requests for information will go directly to
1179 LDAP, though it may be slow, due to the heavy enumeration
1180 processing. Saving a large number of entries to cache after the
1181 enumeration completes might also be CPU intensive as the
1182 memberships have to be recomputed. This can lead to the “sssd_be”
1183 process becoming unresponsive or even restarted by the internal
1184 watchdog.
1185
1186 While the first enumeration is running, requests for the complete
1187 user or group lists may return no results until it completes.
1188
1189 Further, enabling enumeration may increase the time necessary to
1190 detect network disconnection, as longer timeouts are required to
1191 ensure that enumeration lookups are completed successfully. For
1192 more information, refer to the man pages for the specific
1193 id_provider in use.
1194
1195 For the reasons cited above, enabling enumeration is not
1196 recommended, especially in large environments.
1197
1198 subdomain_enumerate (string)
1199 Whether any of autodetected trusted domains should be enumerated.
1200 The supported values are:
1201
1202 all
1203 All discovered trusted domains will be enumerated
1204
1205 none
1206 No discovered trusted domains will be enumerated
1207
1208 Optionally, a list of one or more domain names can enable
1209 enumeration just for these trusted domains.
1210
1211 Default: none
1212
1213 entry_cache_timeout (integer)
1214 How many seconds should nss_sss consider entries valid before
1215 asking the backend again.
1216
1217 The cache expiration timestamps are stored as attributes of
1218 individual objects in the cache. Therefore, changing the cache
1219 timeout only has effect for newly added or expired entries. You
1220 should run the sss_cache(8) tool in order to force refresh of
1221 entries that have already been cached.
1222
1223 Default: 5400
1224
1225 entry_cache_user_timeout (integer)
1226 How many seconds should nss_sss consider user entries valid before
1227 asking the backend again.
1228
1229 Default: entry_cache_timeout
1230
1231 entry_cache_group_timeout (integer)
1232 How many seconds should nss_sss consider group entries valid before
1233 asking the backend again.
1234
1235 Default: entry_cache_timeout
1236
1237 entry_cache_netgroup_timeout (integer)
1238 How many seconds should nss_sss consider netgroup entries valid
1239 before asking the backend again.
1240
1241 Default: entry_cache_timeout
1242
1243 entry_cache_service_timeout (integer)
1244 How many seconds should nss_sss consider service entries valid
1245 before asking the backend again.
1246
1247 Default: entry_cache_timeout
1248
1249 entry_cache_sudo_timeout (integer)
1250 How many seconds should sudo consider rules valid before asking the
1251 backend again.
1252
1253 Default: entry_cache_timeout
1254
1255 entry_cache_autofs_timeout (integer)
1256 How many seconds should the autofs service consider automounter
1257 maps valid before asking the backend again.
1258
1259 Default: entry_cache_timeout
1260
1261 entry_cache_ssh_host_timeout (integer)
1262 How many seconds to keep a host ssh key after refresh, i.e. how
1263 long to cache the host key for.
1264
1265 Default: entry_cache_timeout
1266
1267 refresh_expired_interval (integer)
1268 Specifies how many seconds SSSD has to wait before triggering a
1269 background refresh task which will refresh all expired or nearly
1270 expired records.
1271
1272 The background refresh will process users, groups and netgroups in
1273 the cache. For users who have performed the initgroups (get group
1274 membership for user, typically run at login) operation in the past,
1275 both the user entry and the group membership are updated.
1276
1277 This option is automatically inherited for all trusted domains.
1278
1279 You can consider setting this value to 3/4 * entry_cache_timeout.
1280
1281 Default: 0 (disabled)
1282
1283 cache_credentials (bool)
1284 Determines if user credentials are also cached in the local LDB
1285 cache.
1286
1287 User credentials are stored as a SHA512 hash, not in plaintext.
1288
1289 Default: FALSE
1290
1291 cache_credentials_minimal_first_factor_length (int)
1292 If 2-Factor-Authentication (2FA) is used and credentials should be
1293 saved, this value determines the minimal length the first
1294 authentication factor (long term password) must have to be saved as
1295 a SHA512 hash in the cache.
1296
1297 This should prevent the short PINs of a PIN-based 2FA scheme from
1298 being saved in the cache, where they would be easy targets for
1299 brute-force attacks.
1300
1301 Default: 8
1302
1303 account_cache_expiration (integer)
1304 Number of days entries are left in cache after last successful
1305 login before being removed during a cleanup of the cache. 0 means
1306 keep forever. The value of this parameter must be greater than or
1307 equal to offline_credentials_expiration.
1308
1309 Default: 0 (unlimited)
1310
1311 pwd_expiration_warning (integer)
1312 Display a warning N days before the password expires.
1313
1314 If zero is set, then this filter is not applied, i.e. if the
1315 expiration warning was received from backend server, it will
1316 automatically be displayed.
1317
1318 Please note that the backend server has to provide information
1319 about the expiration time of the password. If this information is
1320 missing, sssd cannot display a warning. Also an auth provider has
1321 to be configured for the backend.
1322
1323 Default: 7 (Kerberos), 0 (LDAP)
1324
1325 id_provider (string)
1326 The identification provider used for the domain. Supported ID
1327 providers are:
1328
1329 “proxy”: Support a legacy NSS provider.
1330
1331 “files”: FILES provider. See sssd-files(5) for more information on
1332 how to mirror local users and groups into SSSD.
1333
1334 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1335 configuring LDAP.
1336
1337 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1338 See sssd-ipa(5) for more information on configuring FreeIPA.
1339
1340 “ad”: Active Directory provider. See sssd-ad(5) for more
1341 information on configuring Active Directory.
1342
1343 use_fully_qualified_names (bool)
1344 Use the full name and domain (as formatted by the domain's
1345 full_name_format) as the user's login name reported to NSS.
1346
1347 If set to TRUE, all requests to this domain must use fully
1348 qualified names. For example, if used in LOCAL domain that contains
1349 a "test" user, getent passwd test wouldn't find the user while
1350 getent passwd test@LOCAL would.
1351
1352 NOTE: This option has no effect on netgroup lookups due to their
1353 tendency to include nested netgroups without qualified names. For
1354 netgroups, all domains will be searched when an unqualified name is
1355 requested.
1356
1357 Default: FALSE (TRUE if default_domain_suffix is used)
1358
1359 ignore_group_members (bool)
1360 Do not return group members for group lookups.
1361
1362 If set to TRUE, the group membership attribute is not requested
1363 from the ldap server, and group members are not returned when
1364 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1365 As an effect, “getent group $groupname” would return the requested
1366 group as if it was empty.
1367
1368 Enabling this option can also make access provider checks for group
1369 membership significantly faster, especially for groups containing
1370 many members.
1371
1372 Default: FALSE
1373
1374 auth_provider (string)
1375 The authentication provider used for the domain. Supported auth
1376 providers are:
1377
1378 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1379 information on configuring LDAP.
1380
1381 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1382 information on configuring Kerberos.
1383
1384 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1385 See sssd-ipa(5) for more information on configuring FreeIPA.
1386
1387 “ad”: Active Directory provider. See sssd-ad(5) for more
1388 information on configuring Active Directory.
1389
1390 “proxy” for relaying authentication to some other PAM target.
1391
1392 “none” disables authentication explicitly.
1393
1394 Default: “id_provider” is used if it is set and can handle
1395 authentication requests.
1396
1397 access_provider (string)
1398 The access control provider used for the domain. There are two
1399 built-in access providers (in addition to any included in installed
1400 backends). Internal special providers are:
1401
1402 “permit” always allow access. It's the only permitted access
1403 provider for a local domain.
1404
1405 “deny” always deny access.
1406
1407 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1408 information on configuring LDAP.
1409
1410 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1411 See sssd-ipa(5) for more information on configuring FreeIPA.
1412
1413 “ad”: Active Directory provider. See sssd-ad(5) for more
1414 information on configuring Active Directory.
1415
1416 “simple” access control based on access or deny lists. See sssd-
1417 simple(5) for more information on configuring the simple access
1418 module.
1419
1420 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1421 information on configuring Kerberos.
1422
1423 “proxy” for relaying access control to another PAM module.
1424
1425 Default: “permit”
1426
1427 chpass_provider (string)
1428 The provider which should handle change password operations for the
1429 domain. Supported change password providers are:
1430
1431 “ldap” to change a password stored in a LDAP server. See sssd-
1432 ldap(5) for more information on configuring LDAP.
1433
1434 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1435 information on configuring Kerberos.
1436
1437 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1438 See sssd-ipa(5) for more information on configuring FreeIPA.
1439
1440 “ad”: Active Directory provider. See sssd-ad(5) for more
1441 information on configuring Active Directory.
1442
1443 “proxy” for relaying password changes to some other PAM target.
1444
1445 “none” disallows password changes explicitly.
1446
1447 Default: “auth_provider” is used if it is set and can handle change
1448 password requests.
1449
1450 sudo_provider (string)
1451 The SUDO provider used for the domain. Supported SUDO providers
1452 are:
1453
1454 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1455 information on configuring LDAP.
1456
1457 “ipa” the same as “ldap” but with IPA default settings.
1458
1459 “ad” the same as “ldap” but with AD default settings.
1460
1461 “none” disables SUDO explicitly.
1462
1463 Default: The value of “id_provider” is used if it is set.
1464
1465 The detailed instructions for configuration of sudo_provider are in
1466 the manual page sssd-sudo(5). There are many configuration options
1467 that can be used to adjust the behavior. Please refer to
1468 "ldap_sudo_*" in sssd-ldap(5).
1469
1470 NOTE: Sudo rules are periodically downloaded in the background
1471 unless the sudo provider is explicitly disabled. Set sudo_provider
1472 = None to disable all sudo-related activity in SSSD if you do not
1473 want to use sudo with SSSD at all.
1474
1475 selinux_provider (string)
1476 The provider which should handle loading of selinux settings. Note
1477 that this provider will be called right after access provider ends.
1478 Supported selinux providers are:
1479
1480 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1481 for more information on configuring IPA.
1482
1483 “none” disallows fetching selinux settings explicitly.
1484
1485 Default: “id_provider” is used if it is set and can handle selinux
1486 loading requests.
1487
1488 subdomains_provider (string)
1489 The provider which should handle fetching of subdomains. This value
1490 should be always the same as id_provider. Supported subdomain
1491 providers are:
1492
1493 “ipa” to load a list of subdomains from an IPA server. See sssd-
1494 ipa(5) for more information on configuring IPA.
1495
1496 “ad” to load a list of subdomains from an Active Directory server.
1497 See sssd-ad(5) for more information on configuring the AD provider.
1498
1499 “none” disallows fetching subdomains explicitly.
1500
1501 Default: The value of “id_provider” is used if it is set.
1502
1503 session_provider (string)
1504 The provider which configures and manages user session related
1505 tasks. The only user session task currently provided is the
1506 integration with Fleet Commander, which works only with IPA.
1507 Supported session providers are:
1508
1509 “ipa” to allow performing user session related tasks.
1510
1511 “none” does not perform any kind of user session related tasks.
1512
1513 Default: “id_provider” is used if it is set and can perform session
1514 related tasks.
1515
1516 NOTE: In order to have this feature working as expected SSSD must
1517 be running as "root" and not as the unprivileged user.
1518
1519 autofs_provider (string)
1520 The autofs provider used for the domain. Supported autofs providers
1521 are:
1522
1523 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1524 information on configuring LDAP.
1525
1526 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1527 more information on configuring IPA.
1528
1529 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1530 information on configuring the AD provider.
1531
1532 “none” disables autofs explicitly.
1533
1534 Default: The value of “id_provider” is used if it is set.
1535
1536 hostid_provider (string)
1537 The provider used for retrieving host identity information.
1538 Supported hostid providers are:
1539
1540 “ipa” to load host identity stored in an IPA server. See sssd-
1541 ipa(5) for more information on configuring IPA.
1542
1543 “none” disables hostid explicitly.
1544
1545 Default: The value of “id_provider” is used if it is set.
1546
1547 re_expression (string)
1548 Regular expression for this domain that describes how to parse the
1549 string containing user name and domain into these components. The
1550 "domain" can match either the SSSD configuration domain name, or,
1551 in the case of IPA trust subdomains and Active Directory domains,
1552 the flat (NetBIOS) name of the domain.
1553
1554 Default for the AD and IPA provider:
1555 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1556 which allows three different styles for user names:
1557
1558 · username
1559
1560 · username@domain.name
1561
1562 · domain\username
1563
1564 While the first two correspond to the general default the third one
1565 is introduced to allow easy integration of users from Windows
1566 domains.
1567
1568 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1569 "the name is everything up to the “@” sign, the domain everything
1570 after that"
1571
1572 NOTE: Some Active Directory groups, typically those used for MS
1573 Exchange contain an “@” sign in the name, which clashes with the
1574 default re_expression value for the AD and IPA providers. To
1575 support these groups, consider changing the re_expression value to:
1576 “((?P<name>.+)@(?P<domain>[^@]+$))”.
1577
1578 full_name_format (string)
1579 A printf(3)-compatible format that describes how to compose a fully
1580 qualified name from user name and domain name components.
1581
1582 The following expansions are supported:
1583
1584 %1$s
1585 user name
1586
1587 %2$s
1588 domain name as specified in the SSSD config file.
1589
1590 %3$s
1591 domain flat name. Mostly usable for Active Directory domains,
1592 both directly configured or discovered via IPA trusts.
1593
1594 Default: “%1$s@%2$s”.
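The re_expression patterns quoted above and the full_name_format expansions, exercised together in an added example (not SSSD's own code). Python's re module rejects a group name that appears twice, so the AD/IPA default is emulated here by trying its three alternatives in order, which is how PCRE's left-to-right alternation behaves; the Exchange-style group name is a constructed input.

```python
"""Splitting a login name with the documented re_expression patterns and
re-joining it with full_name_format (added example, not SSSD code)."""
import re

# Generic default: the name is everything up to "@", the domain everything
# after it.  With no "@" the domain group matches the empty string.
RE_GENERIC = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# AD/IPA default, split into its three alternatives because Python's re
# does not allow the same group name twice in one pattern.
RE_AD_IPA = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),   # DOMAIN\user
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),     # user@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                 # bare user
]

# Alternative the NOTE suggests for group names that contain "@".
RE_EXCHANGE = [re.compile(r"((?P<name>.+)@(?P<domain>[^@]+$))")]


def parse_name(raw, patterns):
    """Return (name, domain), with domain == "" when the input carries
    none.  Returns None when no pattern matches (SSSD would reject it)."""
    for pat in patterns:
        m = pat.match(raw)
        if m:
            groups = m.groupdict()
            return groups.get("name"), groups.get("domain") or ""
    return None


def full_name(fmt, name, domain, flat=""):
    """Expand %1$s (user), %2$s (config domain) and %3$s (flat name) as
    documented for full_name_format."""
    return (fmt.replace("%1$s", name)
               .replace("%2$s", domain)
               .replace("%3$s", flat))


def roundtrip(raw, patterns, fmt="%1$s@%2$s"):
    """Parse a raw name and compose its fully qualified form, or None."""
    parsed = parse_name(raw, patterns)
    if parsed is None:
        return None
    return full_name(fmt, *parsed)
```

Running the constructed group name "Exchange@Users@example.com" through RE_AD_IPA shows the clash the NOTE describes: the name is cut at the first "@", leaving "Users@example.com" as the domain.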
1595
1596 lookup_family_order (string)
1597 Provides the ability to select preferred address family to use when
1598 performing DNS lookups.
1599
1600 Supported values:
1601
1602 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1603
1604 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1605
1606 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1607
1608 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1609
1610 Default: ipv4_first
1611
1612 dns_resolver_timeout (integer)
1613 Defines the amount of time (in seconds) to wait for a reply from
1614 the internal fail over service before assuming that the service is
1615 unreachable. If this timeout is reached, the domain will continue
1616 to operate in offline mode.
1617
1618 Please see the section “FAILOVER” for more information about the
1619 service resolution.
1620
1621 Default: 6
1622
1623 dns_discovery_domain (string)
1624 If service discovery is used in the back end, specifies the domain
1625 part of the service discovery DNS query.
1626
1627 Default: Use the domain part of machine's hostname
1628
1629 override_gid (integer)
1630 Override the primary GID value with the one specified.
1631
1632 case_sensitive (string)
1633 Treat user and group names as case sensitive. Possible option
1634 values are:
1635
1636 True
1637 Case sensitive. This value is invalid for AD provider.
1638
1639 False
1640 Case insensitive.
1641
1642 Preserving
1643 Same as False (case insensitive), but does not lowercase names
1644 in the result of NSS operations. Note that name aliases (and in
1645 case of services also protocol names) are still lowercased in
1646 the output.
1647
1648 Default: True (False for AD provider)
1649
1650 subdomain_inherit (string)
1651 Specifies a list of configuration parameters that should be
1652 inherited by a subdomain. Please note that only selected parameters
1653 can be inherited. Currently the following options can be inherited:
1654
1655 ignore_group_members
1656
1657 ldap_purge_cache_timeout
1658
1659 ldap_use_tokengroups
1660
1661 ldap_user_principal
1662
1663 ldap_krb5_keytab (the value of krb5_keytab will be used if
1664 ldap_krb5_keytab is not set explicitly)
1665
1666 Example:
1667
1668 subdomain_inherit = ldap_purge_cache_timeout
1669
1670
1671 Default: none
1672
1673 Note: This option only works with the IPA and AD provider.
1674
1675 subdomain_homedir (string)
1676 Use this homedir as the default value for all subdomains within this
1677 domain in an IPA-AD trust. See override_homedir for info about
1678 possible values. In addition to those, the expansion below can only
1679 be used with subdomain_homedir.
1680
1681 %F
1682 flat (NetBIOS) name of a subdomain.
1683
1684 The value can be overridden by override_homedir option.
1685
1686 Default: /home/%d/%u
1687
1688 realmd_tags (string)
1689 Various tags stored by the realmd configuration service for this
1690 domain.
1691
1692 cached_auth_timeout (int)
1693 Specifies time in seconds since last successful online
1694 authentication for which user will be authenticated using cached
1695 credentials while SSSD is in the online mode. If the credentials
1696 are incorrect, SSSD falls back to online authentication.
1697
1698 This option's value is inherited by all trusted domains. At the
1699 moment it is not possible to set a different value per trusted
1700 domain.
1701
1702 Special value 0 implies that this feature is disabled.
1703
1704 Please note that if “cached_auth_timeout” is longer than
1705 “pam_id_timeout” then the back end could be called to handle
1706 “initgroups”.
1707
1708 Default: 0
1709
1710 auto_private_groups (string)
1711 This option takes any of three available values:
1712
1713 true
1714 Create user's private group unconditionally from user's UID
1715 number. The GID number is ignored in this case.
1716
1717 NOTE: Because the GID number and the user private group are
1718 inferred from the UID number, it is not supported to have
1719 multiple entries with the same UID or GID number with this
1720 option. In other words, enabling this option enforces
1721 uniqueness across the ID space.
1722
1723 false
1724 Always use the user's primary GID number. The GID number must
1725 refer to a group object in the LDAP database.
1726
1727 hybrid
1728 A primary group is autogenerated for user entries whose UID and
1729 GID numbers have the same value and at the same time the GID
1730 number does not correspond to a real group object in LDAP. If
1731 the values are the same, but the primary GID in the user entry
1732 is also used by a group object, the primary GID of the user
1733 resolves to that group object.
1734
1735 If the UID and GID of a user are different, then the GID must
1736 correspond to a group entry, otherwise the GID is simply not
1737 resolvable.
1738
1739 This feature is useful for environments that wish to stop
1740 maintaining separate group objects for the user private
1741 groups, but also wish to retain the existing user private
1742 groups.
1743
1744 For subdomains, the default value is False for subdomains that use
1745 assigned POSIX IDs and True for subdomains that use automatic
1746 ID-mapping.
1747
1748 The value of auto_private_groups can either be set per subdomain
1749 in a subsection, for example:
1750
1751 [domain/forest.domain/sub.domain]
1752 auto_private_groups = false
1753
1754 or globally for all subdomains in the main domain section using the
1755 subdomain_inherit option:
1756
1757 [domain/forest.domain]
1758 subdomain_inherit = auto_private_groups
1759 auto_private_groups = false
1760
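The primary-GID decision for the three auto_private_groups values, as an added example (not SSSD code). The LDAP directory is replaced by a constructed dict of GIDs that have a real group object, and the collision check is this example's reading of the NOTE that "true" enforces uniqueness across the ID space.

```python
"""Primary GID resolution under auto_private_groups = true/false/hybrid
(added example, not SSSD code; directory data is constructed)."""

# Constructed sample: GIDs for which a group object exists in LDAP.
SAMPLE_GROUP_GIDS = {1000: "jdoe-grp", 5000: "developers"}


def resolve_primary_gid(mode, uid, gid, group_gids=SAMPLE_GROUP_GIDS):
    """Return the GID reported as the user's primary group, or None when
    the documented rules leave it unresolvable."""
    mode = mode.lower()
    if mode == "true":
        # Private group always generated from the UID; the GID is ignored.
        return uid
    if mode == "false":
        # The GID must refer to a real group object.
        return gid if gid in group_gids else None
    if mode == "hybrid":
        if uid == gid:
            # Same value: a real group wins, otherwise one is generated.
            return gid if gid in group_gids else uid
        # Different values: the GID must resolve to a real group object.
        return gid if gid in group_gids else None
    raise ValueError(f"unknown auto_private_groups value {mode!r}")


def find_id_collisions(users, group_gids=SAMPLE_GROUP_GIDS):
    """With auto_private_groups = true every UID doubles as a GID.  Flag a
    UID shared by two users or already used by a real group object
    (this example's interpretation of the uniqueness NOTE).

    users: iterable of (name, uid, gid) tuples."""
    seen = set()
    collisions = set()
    for _name, uid, _gid in users:
        if uid in seen or uid in group_gids:
            collisions.add(uid)
        seen.add(uid)
    return collisions
```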
1761
Options valid for proxy domains.
   proxy_pam_target (string)
       The PAM target the proxy provider proxies to.

       Default: not set by default, you have to take an existing PAM
       configuration or create a new one and add the service name here.

   proxy_lib_name (string)
       The name of the NSS library to use in proxy domains. The NSS
       functions searched for in the library are in the form of
       _nss_$(libName)_$(function), for example _nss_files_getpwent.

   proxy_fast_alias (boolean)
       When a user or group is looked up by name in the proxy provider,
       a second lookup by ID is performed to "canonicalize" the name in
       case the requested name was an alias. Setting this option to true
       causes SSSD to perform the ID lookup from the cache for
       performance reasons.

       Default: false

   proxy_max_children (integer)
       This option specifies the number of pre-forked proxy children. It
       is useful for high-load SSSD environments where sssd may run out
       of available child slots, which would cause some issues due to
       the requests being queued.

       Default: 10

Application domains
   SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
   applications as a gateway to an LDAP directory where users and groups
   are stored. However, contrary to the traditional SSSD deployment
   where all users and groups either have POSIX attributes or those
   attributes can be inferred from the Windows SIDs, in many cases the
   users and groups in the application support scenario have no POSIX
   attributes. Instead of setting a “[domain/NAME]” section, the
   administrator can set up an “[application/NAME]” section that
   internally represents a domain with type “application” and
   optionally inherits settings from a traditional SSSD domain.

   Please note that the application domain must still be explicitly
   enabled in the “domains” parameter so that the lookup order between
   the application domain and its POSIX sibling domain is set correctly.

   Application domain parameters

   inherit_from (string)
       The SSSD POSIX-type domain the application domain inherits all
       settings from. The application domain can moreover add its own
       settings to the application settings that augment or override
       the “sibling” domain settings.

       Default: Not set

   The following example illustrates the use of an application domain.
   In this setup, the POSIX domain is connected to an LDAP server and is
   used by the OS through the NSS responder. In addition, the
   application domain also requests the telephoneNumber attribute,
   stores it as the phone attribute in the cache and makes the phone
   attribute reachable through the D-Bus interface.

       [sssd]
       domains = appdom, posixdom

       [ifp]
       user_attributes = +phone

       [domain/posixdom]
       id_provider = ldap
       ldap_uri = ldap://ldap.example.com
       ldap_search_base = dc=example,dc=com

       [application/appdom]
       inherit_from = posixdom
       ldap_user_extra_attrs = phone:telephoneNumber

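   As an added illustration (not SSSD's own configuration code), the
   following Python reads the example above with configparser, checks
   that the application domain is actually listed in the “domains”
   parameter, and computes the settings it ends up with after inheriting
   from its POSIX sibling and layering its own options on top.

```python
import configparser

# Constructed sssd.conf mirroring the application domain example above.
# Added illustration of the inherit_from semantics, not SSSD's own code.
SSSD_CONF = """
[sssd]
domains = appdom, posixdom

[ifp]
user_attributes = +phone

[domain/posixdom]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

[application/appdom]
inherit_from = posixdom
ldap_user_extra_attrs = phone:telephoneNumber
"""


def load_conf(text):
    # sssd.conf is ini-style; keep option names case-sensitive and do not
    # interpret '%' sequences that may appear in values.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def enabled_domains(cp):
    """Domains listed in [sssd] 'domains', in lookup order. An
    application domain that is missing here is never consulted."""
    raw = cp["sssd"].get("domains", "")
    return [d.strip() for d in raw.split(",") if d.strip()]


def effective_app_domain(cp, name):
    """Settings an application domain ends up with: the sibling POSIX
    domain's settings first, then the application section's own
    settings layered on top (augmenting or overriding them).
    Raises if the domain is not enabled in [sssd] domains."""
    if name not in enabled_domains(cp):
        raise ValueError(f"application domain {name!r} not in [sssd] domains")
    app = dict(cp[f"application/{name}"])
    parent = app.get("inherit_from")
    merged = dict(cp[f"domain/{parent}"]) if parent else {}
    merged.update(app)
    return merged
```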
TRUSTED DOMAIN SECTION
   Some options used in the domain section can also be used in the
   trusted domain section, that is, in a section called
   “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
   base domain the host is actually joined to. Please refer to the
   examples below for explanation. Currently supported options in the
   trusted domain section are:

       ldap_search_base,
       ldap_user_search_base,
       ldap_group_search_base,
       ldap_netgroup_search_base,
       ldap_service_search_base,
       ldap_sasl_mech,
       ad_server,
       ad_backup_server,
       ad_site,
       use_fully_qualified_names

   For more details about these options see their individual description
   in the manual page.

CERTIFICATE MAPPING SECTION
   To allow authentication with Smartcards and certificates SSSD must be
   able to map certificates to users. This can be done by adding the
   full certificate to the LDAP object of the user or to a local
   override. While using the full certificate is required to use the
   Smartcard authentication feature of SSH (see sss_ssh_authorizedkeys(8)
   for details), it might be cumbersome or not even possible to do this
   for the general case where local services use PAM for authentication.

   To make the mapping more flexible, mapping and matching rules were
   added to SSSD (see sss-certmap(5) for details).

   A mapping and matching rule can be added to the SSSD configuration in
   a section on its own with a name like
   “[certmap/DOMAIN_NAME/RULE_NAME]”. In this section the following
   options are allowed:

   matchrule (string)
       Only certificates from the Smartcard which match this rule will
       be processed, all others are ignored.

       Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
       the Extended Key Usage “clientAuth”

   maprule (string)
       Defines how the user is found for a given certificate.

       Default:

       · LDAP:(userCertificate;binary={cert!bin}) for LDAP based
         providers like “ldap”, “AD” or “ipa”.

       · The RULE_NAME for the “files” provider, which tries to find a
         user with the same name.

   domains (string)
       Comma separated list of domain names the rule should be applied
       to. By default a rule is only valid in the domain configured in
       sssd.conf. If the provider supports subdomains this option can be
       used to add the rule to subdomains as well.

       Default: the configured domain in sssd.conf

   priority (integer)
       Unsigned integer value defining the priority of the rule. The
       higher the number the lower the priority. “0” stands for the
       highest priority while “4294967295” is the lowest.

       Default: the lowest priority

   To make the configuration simple and reduce the amount of
   configuration options the “files” provider has some special
   properties:

   · if maprule is not set, the RULE_NAME is assumed to be the name of
     the matching user

   · if a maprule is used, whether it is a single user name or a
     template like “{subject_rfc822_name.short_name}”, it must be in
     braces, e.g. “(username)” or “({subject_rfc822_name.short_name})”

   · the “domains” option is ignored

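   The following added example (not SSSD's own rule-loading code) reads
   “[certmap/...]” sections from a constructed sssd.conf patterned on
   the certificate mapping example further below, applies the defaults
   documented above (matchrule, maprule per provider type, domains,
   priority) together with the “files” provider special cases, and
   orders the rules so that the lowest priority number is evaluated
   first. Domains with no “[domain/...]” section are assumed to be LDAP
   based.

```python
import configparser

# Constructed sssd.conf with two certmap rules, patterned on the certificate
# mapping example in this manual page. Added illustration, not SSSD code.
CERTMAP_CONF = """
[domain/files]
id_provider = files

[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
"""

DEFAULT_MATCHRULE = "KRB5:<EKU>clientAuth"
DEFAULT_LDAP_MAPRULE = "LDAP:(userCertificate;binary={cert!bin})"
LOWEST_PRIORITY = 4294967295  # "0" is the highest priority

def load_certmap_rules(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue
        _, domain, rule_name = parts
        # Assumption: a domain without its own section is LDAP based.
        provider = cp.get(f"domain/{domain}", "id_provider", fallback="ldap")
        opts = cp[section]
        if provider == "files":
            # files provider: the rule name is the user name unless a
            # maprule is given, and the 'domains' option is ignored.
            maprule = opts.get("maprule", f"({rule_name})")
            domains = [domain]
        else:
            maprule = opts.get("maprule", DEFAULT_LDAP_MAPRULE)
            domains = [d.strip() for d in opts.get("domains", domain).split(",")]
        rules.append({"name": rule_name, "domain": domain, "maprule": maprule,
                      "matchrule": opts.get("matchrule", DEFAULT_MATCHRULE),
                      "domains": domains, "priority": int(opts.get("priority", LOWEST_PRIORITY))})
    # A lower number means a higher priority, so sort ascending.
    return sorted(rules, key=lambda r: r["priority"])
```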
PROMPTING CONFIGURATION SECTION
   If a special file (/var/lib/sss/pubconf/pam_preauth_available)
   exists, SSSD's PAM module pam_sss will ask SSSD to figure out which
   authentication methods are available for the user trying to log in.
   Based on the results pam_sss will prompt the user for the appropriate
   credentials.

   With the growing number of authentication methods and the
   possibility that there are multiple ones for a single user, the
   heuristic used by pam_sss to select the prompting might not be
   suitable for all use cases. The following options provide more
   flexibility here.

   Each supported authentication method has its own configuration
   subsection under “[prompting/...]”. Currently there are:

   [prompting/password]
       to configure password prompting, allowed options are:

       password_prompt
           to change the string of the password prompt

   [prompting/2fa]
       to configure two-factor authentication prompting, allowed options
       are:

       first_prompt
           to change the string of the prompt for the first factor

       second_prompt
           to change the string of the prompt for the second factor

       single_prompt
           boolean value, if True there will be only a single prompt
           using the value of first_prompt where it is expected that
           both factors are entered as a single string

   It is possible to add a subsection for specific PAM services, e.g.
   “[prompting/password/sshd]”, to change the prompting individually for
   that service.

EXAMPLES
   1. The following example shows a typical SSSD config. It does not
   describe configuration of the domains themselves - refer to the
   documentation on configuring domains for more details.

       [sssd]
       domains = LDAP
       services = nss, pam
       config_file_version = 2

       [nss]
       filter_groups = root
       filter_users = root

       [pam]

       [domain/LDAP]
       id_provider = ldap
       ldap_uri = ldap://ldap.example.com
       ldap_search_base = dc=example,dc=com

       auth_provider = krb5
       krb5_server = kerberos.example.com
       krb5_realm = EXAMPLE.COM
       cache_credentials = true

       min_id = 10000
       max_id = 20000
       enumerate = False

   2. The following example shows the configuration of an IPA-AD trust
   where the AD forest consists of two domains in a parent-child
   structure. Suppose the IPA domain (ipa.com) has a trust with the AD
   domain (ad.com), and ad.com has a child domain (child.ad.com). To
   enable short names in the child domain the following configuration
   should be used.

       [domain/ipa.com/child.ad.com]
       use_fully_qualified_names = false

   3. The following example shows the configuration for two certificate
   mapping rules. The first is valid for the configured domain
   “my.domain” and additionally for the subdomain “your.domain”, and
   uses the full certificate in the search filter. The second example is
   valid for the domain “files”, where it is assumed the files provider
   is used for this domain, and contains a matching rule for the local
   user “myname”.

       [certmap/my.domain/rule_name]
       matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
       maprule = (userCertificate;binary={cert!bin})
       domains = my.domain, your.domain
       priority = 10

       [certmap/files/myname]
       matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$

SEE ALSO
   sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
   sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
   sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
   sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
   sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
   pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)

AUTHORS
   The SSSD upstream - https://pagure.io/SSSD/sssd/



SSSD                            02/26/2020                    SSSD.CONF(5)