SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)


NAME

       sssd.conf - the configuration file for SSSD

FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.


CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

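       The following Python is an added example, not part of SSSD or this
       manual page: it reproduces the include rules above (which conf.d
       files are read, in which order, and which file wins a conflict) and
       the root:root / 0600 ownership rule. The sssd.conf text and the
       conf.d listing are constructed; plain sorted() stands in for SSSD's
       locale-based ordering.

```python
import os
import stat
import configparser

# Added example (not part of SSSD or its man page): reproduces the include
# rules for sssd.conf and conf.d snippets and the root:root / 0600 rule.
# All file contents below are constructed.

BASE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
debug_level = 2
"""

# Constructed conf.d directory listing: file name -> contents.
CONF_D = {
    "10_debug.conf": "[domain/example.com]\ndebug_level = 9\n",
    "05_services.conf": "[sssd]\nservices = nss, pam, sudo\n\n[nss]\nfilter_users = root\n",
    ".hidden.conf": "[sssd]\nservices = nss\n",   # skipped: starts with a dot
    "README.txt": "[sssd]\nservices = nss\n",     # skipped: no .conf suffix
}


def snippet_order(names):
    """conf.d files SSSD would read, lowest to highest priority.

    sorted() is used here as an approximation of SSSD's locale-based order."""
    return sorted(n for n in names if n.endswith(".conf") and not n.startswith("."))


def merge_config(base_text, conf_d):
    """Merge sssd.conf with its snippets; a later file overrides earlier ones."""
    merged = {}
    texts = [base_text] + [conf_d[name] for name in snippet_order(conf_d)]
    for text in texts:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            merged.setdefault(section, {}).update(parser.items(section))
    return merged


def permission_problems(uid, gid, mode):
    """Check st_uid / st_gid / st_mode values against the root:root, 0600 rule."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != 0 or gid != 0:
        problems.append("owner is %d:%d, expected root:root (0:0)" % (uid, gid))
    if stat.S_IMODE(mode) & 0o077:
        problems.append("mode %04o grants group/other access" % stat.S_IMODE(mode))
    return problems


def check_file(path):
    """Apply permission_problems() to a real file, e.g. /etc/sssd/sssd.conf."""
    st = os.stat(path)
    return permission_problems(st.st_uid, st.st_gid, st.st_mode)


if __name__ == "__main__":
    for section, values in merge_config(BASE_SSSD_CONF, CONF_D).items():
        print("[%s] %s" % (section, values))
    print(permission_problems(0, 0, stat.S_IFREG | 0o644))
```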

GENERAL OPTIONS

       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data, trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)

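           The following Python is an added example, not code from SSSD:
           it converts between the two debug_level notations described above
           and decodes a bitmask back into the levels it enables, so a value
           found in a configuration can be checked against the table. That a
           plain number above 9 is read as a bitmask is an assumption made
           for this example.

```python
# Added example (not from the SSSD sources): converts between the decimal
# and bitmask debug_level notations and lists what a mask enables.

# Level number -> bit, exactly as tabulated in the man page.
LEVEL_BITS = {
    0: 0x0010, 1: 0x0020, 2: 0x0040, 3: 0x0080, 4: 0x0100, 5: 0x0200,
    6: 0x0400, 7: 0x1000, 8: 0x2000, 9: 0x4000, 10: 0x10000,
}


def cumulative_mask(level):
    """Decimal notation: level N enables N and every lower level."""
    if level not in range(0, 10):
        raise ValueError("decimal debug_level must be 0-9, got %r" % level)
    return sum(bit for lvl, bit in LEVEL_BITS.items() if lvl <= level)


def mask_for(levels):
    """Bitmask notation: OR together exactly the requested levels."""
    mask = 0
    for lvl in levels:
        mask |= LEVEL_BITS[lvl]
    return mask


def enabled_levels(mask):
    """Which levels a bitmask turns on (bits that map to no level are ignored)."""
    return sorted(lvl for lvl, bit in LEVEL_BITS.items() if mask & bit)


def parse_debug_level(value):
    """Parse a debug_level string as written in sssd.conf into a bitmask.

    Assumption: a hex value (0x...) or any number above 9 is a bitmask;
    0-9 is the cumulative decimal notation."""
    text = value.strip().lower()
    is_hex = text.startswith("0x")
    number = int(text, 16) if is_hex else int(text, 10)
    if number <= 9 and not is_hex:
        return cumulative_mask(number)
    return number


if __name__ == "__main__":
    for setting in ("2", "0x0070", "0x0270", "0x1310"):
        mask = parse_debug_level(setting)
        print("%-7s -> 0x%04x enables levels %s" % (setting, mask, enabled_levels(mask)))
```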
       debug (integer)
           SSSD 1.14 and later also include the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10


SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services' list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           several domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           is recommended to contain only alphanumeric ASCII characters,
           dashes, dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported, false on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop privileges to, where appropriate, to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up at compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False. One exception from this rule are domains with
           “id_provider=files” that always try to match the behaviour of
           nss_files and therefore their output is not qualified even when the
           default_domain_suffix option is used.

           Default: not set

       override_space (string)
           This parameter replaces spaces in user and group names with the
           given character, e.g. “_”: the user name "john doe" becomes
           "john_doe". This feature was added to help compatibility with
           shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               ·   sha1

               ·   sha256

               ·   sha384

               ·   sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

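           The following Python is an added example, not SSSD code: it parses
           a certificate_verification value into the settings listed above,
           reports unknown options the way the page says SSSD does, and
           summarises what the result means for revocation checking (for
           example, no_ocsp without a crl_file leaves no revocation source).
           How an invalid ocsp_dgst value is handled is an assumption made
           here.

```python
# Added example (not SSSD code): parses a certificate_verification option
# list as documented above and explains the resulting revocation posture.
# Handling of an invalid ocsp_dgst value is an assumption; unknown options
# are reported and ignored, as the man page states.

FLAGS = {"no_ocsp", "soft_ocsp", "no_verification", "soft_crl"}
VALUED = {"ocsp_dgst", "ocsp_default_responder",
          "ocsp_default_responder_signing_cert", "crl_file"}
OCSP_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}


def parse_certificate_verification(value):
    """Return (settings, warnings); settings always carries ocsp_dgst."""
    settings = {"ocsp_dgst": "sha1"}   # documented default
    warnings = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        name, sep, arg = item.partition("=")
        if name in FLAGS and not sep:
            settings[name] = True
        elif name in VALUED and sep:
            if name == "ocsp_dgst" and arg not in OCSP_DIGESTS:
                warnings.append("ocsp_dgst=%s is not allowed; keeping sha1" % arg)
            else:
                settings[name] = arg
        else:
            warnings.append("unknown option %r ignored" % item)
    return settings, warnings


def revocation_notes(settings):
    """Plain-language consequences of the parsed settings."""
    notes = []
    if settings.get("no_verification"):
        notes.append("certificate verification is disabled (testing only)")
    if settings.get("no_ocsp"):
        notes.append("OCSP checks are disabled")
        if "crl_file" not in settings:
            notes.append("no revocation source configured at all")
    if "ocsp_default_responder_signing_cert" in settings:
        notes.append("ocsp_default_responder_signing_cert is currently ignored")
    return notes


if __name__ == "__main__":
    # Constructed sample value with one typo'd option.
    parsed, warned = parse_certificate_verification(
        "no_ocsp, crl_file=/etc/pki/tls/crl.pem, bogus")
    print(parsed, warned, revocation_notes(parsed))
```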
       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses, links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: true

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:

               full_name_format=%1$s

           However, keep in mind that during login, login applications often
           canonicalize the username by calling getpwnam(3) which, if a
           shortname is returned for a qualified input (while trying to reach
           a user which exists in multiple domains) might re-route the login
           attempt into the domain which uses shortnames, making this
           workaround totally not recommended in cases where usernames may
           overlap between domains.

           Default: Not set


SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. This value is in seconds and calculated by the
           following:

           offline_timeout + random_offset

           The random offset value is from 0 to 30. After each unsuccessful
           attempt to go online, the new interval is recalculated by the
           following:

           new_interval = (old_interval * 2) + random_offset

           Note that the maximum length of each interval is defined by
           offline_timeout_max, which defaults to one hour. If the calculated
           length of new_interval is greater than offline_timeout_max, it will
           be forced to the offline_timeout_max value.

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule should be to set offline_timeout_max
           to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

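           The following Python is an added example, not SSSD code: it
           simulates the reconnection schedule from the two formulas above
           for a given offline_timeout and offline_timeout_max, so the
           "saturates instantly" and "at least 4 times" guidance can be seen
           on concrete numbers. The random offset is injectable so runs are
           reproducible; the behaviour when offline_timeout_max is 0 (no
           doubling, a fresh offline_timeout + offset each time) is read
           from the text above.

```python
import random

# Added example (not SSSD code): simulates the offline retry schedule from
# the offline_timeout / offline_timeout_max description. The offset function
# is injected so that tests are deterministic; the default mirrors the
# documented 0..30 second random offset.


def random_offset():
    return random.randint(0, 30)


def retry_schedule(offline_timeout, offline_timeout_max, attempts,
                   offset=random_offset):
    """Intervals (seconds) waited before each of `attempts` reconnect tries.

    First interval: offline_timeout + offset. After each failed attempt:
    new = old * 2 + offset, capped at offline_timeout_max. A cap of 0
    disables the doubling, so every interval is offline_timeout + offset."""
    intervals = []
    interval = offline_timeout + offset()
    for _ in range(attempts):
        if offline_timeout_max > 0:
            interval = min(interval, offline_timeout_max)
        intervals.append(interval)
        if offline_timeout_max > 0:
            interval = interval * 2 + offset()
        else:
            interval = offline_timeout + offset()
    return intervals


def saturates_instantly(offline_timeout, offline_timeout_max):
    """True when the cap is already reached on the second attempt even with a
    zero offset, i.e. the cap is below 2 * offline_timeout (the man page's
    'less than 120' for the default offline_timeout of 60)."""
    return 0 < offline_timeout_max < 2 * offline_timeout


def recommended_max(offline_timeout):
    """The man page's rule of thumb: at least four times offline_timeout."""
    return 4 * offline_timeout


if __name__ == "__main__":
    print("defaults, zero offset:", retry_schedule(60, 3600, 8, lambda: 0))
    print("cap 100 saturates:", saturates_instantly(60, 100),
          retry_schedule(60, 100, 4, lambda: 0))
    print("recommended cap for 60:", recommended_max(60))
```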
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

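           The following Python is an added example, not SSSD code: it
           expands the template sequences listed above and applies the
           precedence between override_homedir, the provider's own value and
           fallback_homedir (which takes the same template sequences). The
           sample user is constructed, and raising an error on an unknown
           %-sequence is an assumption, since this page does not say how SSSD
           treats one.

```python
# Added example (not SSSD code): expands override_homedir / fallback_homedir
# templates. SAMPLE_USER is constructed; ValueError on an unknown sequence is
# an assumption made for this example.


def expand_homedir(template, user, homedir_substring="/home"):
    """Expand %u %U %d %f %l %P %o %H %% in `template`.

    `user` is a dict with keys login, uid, domain, upn and orig_home."""
    subst = {
        "u": user["login"],
        "U": str(user["uid"]),
        "d": user["domain"],
        "f": "%s@%s" % (user["login"], user["domain"]),
        "l": user["login"][:1],
        "P": user["upn"],
        "o": user.get("orig_home") or "",
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template) or template[i + 1] not in subst:
            raise ValueError("bad sequence at offset %d in %r" % (i, template))
        out.append(subst[template[i + 1]])
        i += 2
    return "".join(out)


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home"):
    """override_homedir wins; else the provider's value; else fallback_homedir."""
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.get("orig_home"):
        return user["orig_home"]
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None


SAMPLE_USER = {  # constructed sample record
    "login": "jdoe", "uid": 10001, "domain": "example.com",
    "upn": "jdoe@EXAMPLE.COM", "orig_home": "/export/home/jdoe",
}

if __name__ == "__main__":
    print(expand_homedir("%H/%d/%l/%u", SAMPLE_USER))
    print(resolve_homedir(dict(SAMPLE_USER, orig_home=None),
                          fallback_homedir="/home/%f"))
```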
       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

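           The following Python is an added example, not SSSD code: it
           applies the three allowed_shells rules above together with the
           override_shell, vetoed_shells, shell_fallback and default_shell
           options described on this page, so a given configuration can be
           checked against a user's shell before it is deployed. The
           /etc/shells content is a constructed sample passed in so the code
           runs offline; the position of the vetoed_shells check and the
           nologin path are assumptions made for this example.

```python
# Added example (not SSSD code): shell selection per the allowed_shells,
# vetoed_shells, shell_fallback, default_shell and override_shell text.
# Assumptions: override_shell is applied first, vetoed_shells is checked
# before allowed_shells, and the nologin shell is /sbin/nologin.


def select_shell(user_shell, etc_shells, allowed_shells=None, vetoed_shells=(),
                 shell_fallback="/bin/sh", default_shell=None,
                 override_shell=None, nologin="/sbin/nologin"):
    """Return the shell the NSS responder would hand back for a user."""
    if override_shell:                     # supersedes every other option
        return override_shell
    if user_shell is None:                 # provider returned no shell
        return default_shell               # None lets libc substitute
    if user_shell == "":                   # empty string passed through as-is
        return ""
    if user_shell in vetoed_shells:
        return shell_fallback
    if not allowed_shells:                 # allowed_shells not set
        return user_shell
    if user_shell in etc_shells:           # rule 1
        return user_shell
    if "*" in allowed_shells or user_shell in allowed_shells:   # rule 2
        return shell_fallback
    return nologin                         # rule 3


def parse_etc_shells(text):
    """Parse /etc/shells content: one path per line, '#' comments ignored."""
    shells = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.append(line)
    return shells


# Constructed sample of /etc/shells; a real system would read the file once
# at SSSD start-up, as the man page notes.
ETC_SHELLS_SAMPLE = "# constructed /etc/shells\n/bin/sh\n/bin/bash\n"

if __name__ == "__main__":
    shells = parse_etc_shells(ETC_SHELLS_SAMPLE)
    allowed = ["/bin/bash", "/usr/bin/fish"]
    for candidate in ("/bin/bash", "/usr/bin/fish", "/bin/zsh", ""):
        print(repr(candidate), "->", repr(select_shell(candidate, shells, allowed)))
```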
641       vetoed_shells (string)
642           Replace any instance of these shells with the shell_fallback
643
644       shell_fallback (string)
645           The default shell to use if an allowed shell is not installed on
646           the machine.
647
648           Default: /bin/sh
649
650       default_shell
651           The default shell to use if the provider does not return one during
652           lookup. This option can be specified globally in the [nss] section
653           or per-domain.
654
655           Default: not set (Return NULL if no shell is specified and rely on
656           libc to substitute something sensible when necessary, usually
657           /bin/sh)
658
659       get_domains_timeout (int)
660           Specifies time in seconds for which the list of subdomains will be
661           considered valid.
662
663           Default: 60
664
665       memcache_timeout (integer)
666           Specifies time in seconds for which records in the in-memory cache
667           will be valid. Setting this option to zero will disable the
668           in-memory cache.
669
670           Default: 300
671
672           WARNING: Disabling the in-memory cache will have significant
673           negative impact on SSSD's performance and should only be used for
674           testing.
675
676           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
677           "NO", client applications will not use the fast in-memory cache.
678
679       memcache_size_passwd (integer)
680           Size (in megabytes) of the data table allocated inside fast
681           in-memory cache for passwd requests. Setting the size to 0 will
682           disable the passwd in-memory cache.
683
684           Default: 8
685
686           WARNING: Disabled or too small in-memory cache can have significant
687           negative impact on SSSD's performance.
688
689           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
690           "NO", client applications will not use the fast in-memory cache.
691
692       memcache_size_group (integer)
693           Size (in megabytes) of the data table allocated inside fast
694           in-memory cache for group requests. Setting the size to 0 will
695           disable the group in-memory cache.
696
697           Default: 6
698
699           WARNING: Disabled or too small in-memory cache can have significant
700           negative impact on SSSD's performance.
701
702           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
703           "NO", client applications will not use the fast in-memory cache.
704
705       memcache_size_initgroups (integer)
706           Size (in megabytes) of the data table allocated inside fast
707           in-memory cache for initgroups requests. Setting the size to 0 will
708           disable the initgroups in-memory cache.
709
710           Default: 10
711
712           WARNING: Disabled or too small in-memory cache can have significant
713           negative impact on SSSD's performance.
714
715           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
716           "NO", client applications will not use the fast in-memory cache.
717
718       user_attributes (string)
719           Some of the additional NSS responder requests can return more
720           attributes than just the POSIX ones defined by the NSS interface.
721           The list of attributes is controlled by this option. It is handled
722           the same way as the “user_attributes” option of the InfoPipe
723           responder (see sssd-ifp(5) for details) but with no default values.
724
725           To make configuration easier, the NSS responder will check the
726           InfoPipe option if it is not set for the NSS responder.
727
728           Default: not set, fallback to InfoPipe option
729
730       pwfield (string)
731           The value that NSS operations that return users or groups will
732           return for the “password” field.
733
734           Default: “*”
735
736           Note: This option can also be set per-domain, which overrides the
737           value in the [nss] section.
738
739           Default: “not set” (remote domains), “x” (the files domain), “x”
740           (proxy domain with nss_files and sssd-shadowutils target)
741
742   PAM configuration options
743       These options can be used to configure the Pluggable Authentication
744       Module (PAM) service.
745
746       offline_credentials_expiration (integer)
747           If the authentication provider is offline, how long should we allow
748           cached logins (in days since the last successful online login).
749
750           Default: 0 (No limit)
751
752       offline_failed_login_attempts (integer)
753           If the authentication provider is offline, how many failed login
754           attempts are allowed.
755
756           Default: 0 (No limit)
757
758       offline_failed_login_delay (integer)
759           The time in minutes which has to pass after
760           offline_failed_login_attempts has been reached before a new login
761           attempt is possible.
762
763           If set to 0 the user cannot authenticate offline if
764           offline_failed_login_attempts has been reached. Only a successful
765           online authentication can enable offline authentication again.
766
767           Default: 5
768
769       pam_verbosity (integer)
770           Controls what kind of messages are shown to the user during
771           authentication. The higher the number, the more messages are
772           displayed.
773
774           Currently sssd supports the following values:
775
776           0: do not show any message
777
778           1: show only important messages
779
780           2: show informational messages
781
782           3: show all messages and debug information
783
784           Default: 1
785
786       pam_response_filter (string)
787           A comma-separated list of strings which allows data sent by the
788           PAM responder to the pam_sss PAM module to be removed (filtered).
789           There are different kinds of responses sent to pam_sss, e.g.
790           messages displayed to the user or environment variables which
791           should be set by pam_sss.
792
793           While messages can already be controlled with the help of the
794           pam_verbosity option, this option allows other kinds of responses
795           to be filtered out as well.
796
797           Currently the following filters are supported:
798
799           ENV
800               Do not send any environment variables to any service.
801
802           ENV:var_name
803               Do not send environment variable var_name to any service.
804
805           ENV:var_name:service
806               Do not send environment variable var_name to service.
807
808           Default: not set
809
810           Example: ENV:KRB5CCNAME:sudo-i
811
812       pam_id_timeout (integer)
813           For any PAM request while SSSD is online, the SSSD will attempt to
814           immediately update the cached identity information for the user in
815           order to ensure that authentication takes place with the latest
816           information.
817
818           A complete PAM conversation may perform multiple PAM requests, such
819           as account management and session opening. This option controls (on
820           a per-client-application basis) how long (in seconds) we can cache
821           the identity information to avoid excessive round-trips to the
822           identity provider.
823
824           Default: 5
825
826       pam_pwd_expiration_warning (integer)
827           Display a warning N days before the password expires.
828
829           Please note that the backend server has to provide information
830           about the expiration time of the password. If this information is
831           missing, sssd cannot display a warning.
832
833           If zero is set, then this filter is not applied, i.e. if the
834           expiration warning was received from the backend server, it will
835           automatically be displayed.
836
837           This setting can be overridden by setting pwd_expiration_warning
838           for a particular domain.
839
840           Default: 0
841
842       get_domains_timeout (int)
843           Specifies time in seconds for which the list of subdomains will be
844           considered valid.
845
846           Default: 60
847
848       pam_trusted_users (string)
849           Specifies the comma-separated list of UID values or user names that
850           are allowed to run PAM conversations against trusted domains. Users
851           not included in this list can only access domains marked as public
852           with “pam_public_domains”. User names are resolved to UIDs at
853           startup.
854
855           Default: All users are considered trusted by default
856
857           Please note that UID 0 is always allowed to access the PAM
858           responder even in case it is not in the pam_trusted_users list.
859
860       pam_public_domains (string)
861           Specifies the comma-separated list of domain names that are
862           accessible even to untrusted users.
863
864           Two special values for pam_public_domains option are defined:
865
866           all (Untrusted users are allowed to access all domains in the PAM
867           responder.)
868
869           none (Untrusted users are not allowed to access any domains in the
870           PAM responder.)
871
872           Default: none
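The access decision described for pam_trusted_users and pam_public_domains, as an added Python model (not sssd's own code). The passwd table used to resolve user names to UIDs is constructed for the example; real SSSD resolves them through NSS at startup.

```python
from typing import Dict, Optional, Set, Union

# Constructed stand-in for the system passwd database (example data only).
CONSTRUCTED_PASSWD: Dict[str, int] = {"root": 0, "admin": 1000, "svc_backup": 1500}


def parse_trusted_users(value: Optional[str],
                        passwd: Dict[str, int] = CONSTRUCTED_PASSWD) -> Optional[Set[int]]:
    """pam_trusted_users -> set of UIDs; None when unset (every user is trusted)."""
    if value is None or not value.strip():
        return None
    uids: Set[int] = set()
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        if entry.isdigit():
            uids.add(int(entry))
        elif entry in passwd:
            uids.add(passwd[entry])          # user names are resolved at startup
        else:
            raise ValueError(f"cannot resolve user name {entry!r} to a UID")
    return uids


def parse_public_domains(value: Optional[str]) -> Union[str, Set[str]]:
    """pam_public_domains -> "all", "none" or the set of public domain names."""
    if value is None or not value.strip():
        return "none"                        # documented default
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if entries in (["all"], ["none"]):
        return entries[0]
    return set(entries)


def pam_domain_access_allowed(uid: int, domain: str,
                              trusted: Optional[Set[int]],
                              public: Union[str, Set[str]]) -> bool:
    """May a client running as `uid` run a PAM conversation against `domain`?"""
    if uid == 0:
        return True                          # UID 0 is always allowed
    if trusted is None or uid in trusted:
        return True                          # trusted users reach every domain
    if public == "all":
        return True
    if public == "none":
        return False
    return domain in public                  # untrusted users: public domains only
```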
873
874       pam_account_expired_message (string)
875           Allows a custom expiration message to be set, replacing the default
876           'Permission denied' message.
877
878           Note: Please be aware that the message is only printed for the SSH
879           service unless pam_verbosity is set to 3 (show all messages and
880           debug information).
881
882           Example:
883
884               pam_account_expired_message = Account expired, please contact help desk.
885
886
887           Default: none
888
889       pam_account_locked_message (string)
890           Allows a custom lockout message to be set, replacing the default
891           'Permission denied' message.
892
893           Example:
894
895               pam_account_locked_message = Account locked, please contact help desk.
896
897
898           Default: none
899
900       pam_cert_auth (bool)
901           Enable certificate-based Smartcard authentication. Since this
902           requires additional communication with the Smartcard, which will
903           delay the authentication process, this option is disabled by
904           default.
905
906           Default: False
907
908       pam_cert_db_path (string)
909           The path to the certificate database.
910
911           Default:
912
913           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
914               CA certificates in PEM format)
915
916
917       p11_child_timeout (integer)
918           How many seconds will pam_sss wait for p11_child to finish.
919
920           Default: 10
921
922       pam_app_services (string)
923           Which PAM services are permitted to contact domains of type
924           “application”
925
926           Default: Not set
927
928       pam_p11_allowed_services (integer)
929           A comma-separated list of PAM service names for which it will be
930           allowed to use Smartcards.
931
932           It is possible to add another PAM service name to the default set
933           by using “+service_name” or to explicitly remove a PAM service name
934           from the default set by using “-service_name”. For example, in
935           order to replace a default PAM service name for authentication with
936           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
937           “my_pam_service”), you would use the following configuration:
938
939               pam_p11_allowed_services = +my_pam_service, -login
940
941
942           Default: the default set of PAM service names includes:
943
944           ·   login
945
946           ·   su
947
948           ·   su-l
949
950           ·   gdm-smartcard
951
952           ·   gdm-password
953
954           ·   kdm
955
956           ·   sudo
957
958           ·   sudo-i
959
960           ·   gnome-screensaver
961
962
963       p11_wait_for_card_timeout (integer)
964           If Smartcard authentication is required, how many extra seconds in
965           addition to p11_child_timeout should the PAM responder wait until a
966           Smartcard is inserted.
967
968           Default: 60
969
970       p11_uri (string)
971           PKCS#11 URI (see RFC-7512 for details) which can be used to
972           restrict the selection of devices used for Smartcard
973           authentication. By default SSSD's p11_child will search for a
974           PKCS#11 slot (reader) where the 'removable' flag is set and read
975           the certificates from the inserted token from the first slot found.
976           If multiple readers are connected p11_uri can be used to tell
977           p11_child to use a specific reader.
978
979           Example:
980
981               p11_uri = slot-description=My%20Smartcard%20Reader
982
983
984           or
985
986               p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
987
988
989           To find a suitable URI, please check the debug output of p11_child.
990           Alternatively, the GnuTLS utility 'p11tool' (e.g. with the
991           '--list-all' option) will show PKCS#11 URIs as well.
992
993           Default: none
994
995       pam_initgroups_scheme
996           The PAM responder can force an online lookup to get the current
997           group memberships of the user trying to log in. This option
998           controls when this should be done and the following values are
999           allowed:
1000
1001           always
1002               Always do an online lookup; please note that pam_id_timeout
1003               still applies
1004
1005           no_session
1006               Only do an online lookup if there is no active session of the
1007               user, i.e. if the user is currently not logged in
1008
1009           never
1010               Never force an online lookup, use the data from the cache as
1011               long as they are not expired
1012
1013           Default: no_session
1014
1015       pam_gssapi_services
1016           Comma separated list of PAM services that are allowed to try GSSAPI
1017           authentication using pam_sss_gss.so module.
1018
1019           To disable GSSAPI authentication, set this option to “-” (dash).
1020
1021           Note: This option can also be set per-domain, which overrides the
1022           value in the [pam] section. It can also be set for a trusted
1023           domain, which overrides the value in the domain section.
1024
1025           Example:
1026
1027               pam_gssapi_services = sudo, sudo-i
1028
1029
1030           Default: - (GSSAPI authentication is disabled)
1031
1032       pam_gssapi_check_upn
1033           If True, SSSD will require that the Kerberos user principal that
1034           successfully authenticated through GSSAPI can be associated with
1035           the user who is being authenticated. Authentication will fail if
1036           the check fails.
1037
1038           If False, every user that is able to obtain the required service
1039           ticket will be authenticated.
1040
1041           Note: This option can also be set per-domain, which overrides the
1042           value in the [pam] section. It can also be set for a trusted
1043           domain, which overrides the value in the domain section.
1044
1045           Default: True
1046
1047       pam_gssapi_indicators_map
1048           Comma separated list of authentication indicators required to be
1049           present in a Kerberos ticket to access a PAM service that is
1050           allowed to try GSSAPI authentication using pam_sss_gss.so module.
1051
1052           Each element of the list can be either an authentication indicator
1053           name or a pair “service:indicator”. Indicators not prefixed with
1054           the PAM service name will be required to access any PAM service
1055           configured to be used with pam_gssapi_services. A resulting list of
1056           indicators per PAM service is then checked against indicators in
1057           the Kerberos ticket during authentication by pam_sss_gss.so. Any
1058           indicator from the ticket that matches the resulting list of
1059           indicators for the PAM service would grant access. If none of the
1060           indicators in the list match, access will be denied. If the
1061           resulting list of indicators for the PAM service is empty, the
1062           check will not prevent the access.
1063
1064           To disable GSSAPI authentication indicator check, set this option
1065           to “-” (dash). To disable the check for a specific PAM service, add
1066           “service:-”.
1067
1068           Note: This option can also be set per-domain, which overrides the
1069           value in the [pam] section. It can also be set for a trusted
1070           domain, which overrides the value in the domain section.
1071
1072           The following authentication indicators are supported by IPA
1073           Kerberos deployments:
1074
1075           ·   pkinit -- pre-authentication using X.509 certificates --
1076               whether stored in files or on smart cards.
1077
1078           ·   hardened -- SPAKE pre-authentication or any pre-authentication
1079               wrapped in a FAST channel.
1080
1081           ·   radius -- pre-authentication with the help of a RADIUS server.
1082
1083           ·   otp -- pre-authentication using integrated two-factor
1084               authentication (2FA or one-time password, OTP) in IPA.
1085
1086           Example: to require access to SUDO services only for users which
1087           obtained their Kerberos tickets with an X.509 certificate
1088           pre-authentication (PKINIT), set
1089
1090               pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1091
1092
1093           Default: not set (use of authentication indicators is not required)
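The checks described for pam_gssapi_services and pam_gssapi_indicators_map, as an added Python model of the documented evaluation (not the code of sssd or pam_sss_gss.so). The ticket indicator lists passed in are constructed; handling of an entry that follows "service:-" for the same service is unspecified on the page, and this model simply stops at the first "service:-".

```python
from typing import Iterable, List, Optional, Set


def _split_list(value: Optional[str]) -> List[str]:
    if value is None:
        return []
    return [e.strip() for e in value.split(",") if e.strip()]


def gssapi_services(value: Optional[str]) -> Set[str]:
    """PAM services allowed to try GSSAPI; "-" (the documented default) disables it."""
    entries = _split_list(value)
    if not entries or entries == ["-"]:
        return set()
    return set(entries)


def indicators_for_service(map_value: Optional[str], service: str) -> Set[str]:
    """Resolve the required-indicator list for one PAM service.

    Unprefixed entries apply to every service; "service:indicator" entries
    apply only to that service; "-" disables the check for all services and
    "service:-" disables it for that service. An empty result means no check.
    """
    entries = _split_list(map_value)
    if not entries or "-" in entries:
        return set()
    required: Set[str] = set()
    for entry in entries:
        if ":" in entry:
            svc, indicator = entry.split(":", 1)
            if svc != service:
                continue
            if indicator == "-":
                return set()                 # check disabled for this service
            required.add(indicator)
        else:
            required.add(entry)              # applies to every GSSAPI service
    return required


def gssapi_auth_allowed(service: str, ticket_indicators: Iterable[str],
                        services_value: Optional[str],
                        map_value: Optional[str]) -> bool:
    """Would a GSSAPI authentication for `service` pass both configured checks?"""
    if service not in gssapi_services(services_value):
        return False                         # pam_sss_gss.so not permitted here
    required = indicators_for_service(map_value, service)
    if not required:
        return True                          # empty list: check does not block
    # Any indicator from the ticket matching the resulting list grants access.
    return bool(required & set(ticket_indicators))
```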
1094
1095   SUDO configuration options
1096       These options can be used to configure the sudo service. The detailed
1097       instructions for configuration of sudo(8) to work with sssd(8) are in
1098       the manual page sssd-sudo(5).
1099
1100       sudo_timed (bool)
1101           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1102           attributes that implement time-dependent sudoers entries.
1103
1104           Default: false
1105
1106       sudo_threshold (integer)
1107           Maximum number of expired rules that can be refreshed at once. If
1108           the number of expired rules is below the threshold, those rules
1109           are refreshed with the “rules refresh” mechanism. If the threshold
1110           is exceeded, a “full refresh” of sudo rules is triggered instead.
1111           This threshold number also applies to IPA sudo command and command
1112           group searches.
1113
1114           Default: 50
1115
1116   AUTOFS configuration options
1117       These options can be used to configure the autofs service.
1118
1119       autofs_negative_timeout (integer)
1120           Specifies for how many seconds the autofs responder should cache
1121           negative hits (that is, queries for invalid map entries, like
1122           nonexistent ones) before asking the back end again.
1123
1124           Default: 15
1125
1126       Please note that the automounter only reads the master map on startup,
1127       so if any autofs-related changes are made to the sssd.conf, you
1128       typically also need to restart the automounter daemon after restarting
1129       the SSSD.
1130
1131   SSH configuration options
1132       These options can be used to configure the SSH service.
1133
1134       ssh_hash_known_hosts (bool)
1135           Whether or not to hash host names and addresses in the managed
1136           known_hosts file.
1137
1138           Default: true
1139
1140       ssh_known_hosts_timeout (integer)
1141           How many seconds to keep a host in the managed known_hosts file
1142           after its host keys were requested.
1143
1144           Default: 180
1145
1146       ssh_use_certificate_keys (bool)
1147           If set to true, sss_ssh_authorizedkeys will also return ssh keys
1148           derived from the public key of X.509 certificates stored in the
1149           user entry. See sss_ssh_authorizedkeys(1) for details.
1150
1151           Default: true
1152
1153       ssh_use_certificate_matching_rules (string)
1154           By default the ssh responder will use all available certificate
1155           matching rules to filter the certificates so that ssh keys are only
1156           derived from the matching ones. With this option the used rules can
1157           be restricted with a comma separated list of mapping and matching
1158           rule names. All other rules will be ignored.
1159
1160           There are two special key words 'all_rules' and 'no_rules' which
1161           will enable all or no rules, respectively. The latter means that no
1162           certificates will be filtered out and ssh keys will be generated
1163           from all valid certificates.
1164
1165           If no rules are configured, using 'all_rules' will enable a default
1166           rule which enables all certificates suitable for client
1167           authentication. This is the same behavior as for the PAM responder
1168           if certificate authentication is enabled.
1169
1170           A non-existing rule name is considered an error. If, as a result,
1171           no rule is selected, all certificates will be ignored.
1172
1173           Default: not set, equivalent to 'all_rules', all found rules or the
1174           default rule are used
1175
1176       ca_db (string)
1177           Path to a storage of trusted CA certificates. The option is used to
1178           validate user certificates before deriving public ssh keys from
1179           them.
1180
1181           Default:
1182
1183           ·   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1184               CA certificates in PEM format)
1185
1186
1187   PAC responder configuration options
1188       The PAC responder works together with the authorization data plugin for
1189       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1190       sends the PAC data during a GSSAPI authentication to the PAC responder.
1191       The sub-domain provider collects domain SID and ID ranges of the domain
1192       the client is joined to and of remote trusted domains from the local
1193           domain controller. Once the PAC is decoded and evaluated, some of
1194           the following operations are done:
1195
1196       ·   If the remote user does not exist in the cache, it is created. The
1197           UID is determined with the help of the SID, trusted domains will
1198           have UPGs and the GID will have the same value as the UID. The home
1199           directory is set based on the subdomain_homedir parameter. The
1200           shell will be empty by default, i.e. the system defaults are used,
1201           but can be overwritten with the default_shell parameter.
1202
1203       ·   If there are SIDs of groups from domains sssd knows about, the user
1204           will be added to those groups.
1205
1206       These options can be used to configure the PAC responder.
1207
1208       allowed_uids (string)
1209           Specifies the comma-separated list of UID values or user names that
1210           are allowed to access the PAC responder. User names are resolved to
1211           UIDs at startup.
1212
1213           Default: 0 (only the root user is allowed to access the PAC
1214           responder)
1215
1216           Please note that although the UID 0 is used as the default, it will
1217           be overwritten with this option. If you still want to allow the
1218           root user to access the PAC responder, which would be the typical
1219           case, you have to add 0 to the list of allowed UIDs as well.
1220
1221       pac_lifetime (integer)
1222           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1223           the PAC data can be used to determine the group memberships of a
1224           user.
1225
1226           Default: 300
1227
1228   Session recording configuration options
1229       Session recording works in conjunction with tlog-rec-session(8), a part
1230       of tlog package, to log what users see and type when they log in on a
1231       text terminal. See also sssd-session-recording(5).
1232
1233       These options can be used to configure session recording.
1234
1235       scope (string)
1236           One of the following strings specifying the scope of session
1237           recording:
1238
1239           "none"
1240               No users are recorded.
1241
1242           "some"
1243               Users/groups specified by users and groups options are
1244               recorded.
1245
1246           "all"
1247               All users are recorded.
1248
1249           Default: "none"
1250
1251       users (string)
1252           A comma-separated list of users which should have session recording
1253           enabled. Matches user names as returned by NSS, i.e. after the
1254           possible space replacement, case changes, etc.
1255
1256           Default: Empty. Matches no users.
1257
1258       groups (string)
1259           A comma-separated list of groups, members of which should have
1260           session recording enabled. Matches group names as returned by NSS,
1261           i.e. after the possible space replacement, case changes, etc.
1262
1263           NOTE: using this option (having it set to anything) has a
1264           considerable performance cost, because each uncached request for a
1265           user requires retrieving and matching the groups the user is member
1266           of.
1267
1268           Default: Empty. Matches no groups.
1269
1270       exclude_users (string)
1271           A comma-separated list of users to be excluded from recording, only
1272           applicable with 'scope=all'.
1273
1274           Default: Empty. No users excluded.
1275
1276       exclude_groups (string)
1277           A comma-separated list of groups, members of which should be
1278           excluded from recording. Only applicable with 'scope=all'.
1279
1280           NOTE: using this option (having it set to anything) has a
1281           considerable performance cost, because each uncached request for a
1282           user requires retrieving and matching the groups the user is member
1283           of.
1284
1285           Default: Empty. No groups excluded.
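The recording decision that the scope, users, groups, exclude_users and exclude_groups options describe, as an added Python model (not tlog's or sssd's own code). The user and group names in the test are constructed; names are assumed to already be in the form NSS returns.

```python
from typing import Iterable, List, Optional


def _csv(value: Optional[str]) -> List[str]:
    """Split a comma-separated option value; an unset option yields an empty list."""
    return [e.strip() for e in value.split(",") if e.strip()] if value else []


def session_recorded(scope: str, user: str, user_groups: Iterable[str],
                     users: Optional[str] = None, groups: Optional[str] = None,
                     exclude_users: Optional[str] = None,
                     exclude_groups: Optional[str] = None) -> bool:
    """Return True when the terminal session of `user` should be recorded."""
    member_of = set(user_groups)
    if scope == "none":
        return False                                   # nobody is recorded
    if scope == "some":
        # Only the users/groups options select users; the exclude_* options
        # are documented as applicable with scope=all only, so ignored here.
        return user in _csv(users) or bool(member_of & set(_csv(groups)))
    if scope == "all":
        if user in _csv(exclude_users):
            return False
        return not (member_of & set(_csv(exclude_groups)))
    raise ValueError(f"unknown session recording scope {scope!r}")
```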
1286

DOMAIN SECTIONS

1288       These configuration options can be present in a domain configuration
1289       section, that is, in a section called “[domain/NAME]”.
1290
1291       enabled
1292           Explicitly enable or disable the domain. If “true”, the domain is
1293           always “enabled”. If “false”, the domain is always “disabled”. If
1294           this option is not set, the domain is enabled only if it is listed
1295           in the domains option in the “[sssd]” section.
1296
1297       domain_type (string)
1298           Specifies whether the domain is meant to be used by POSIX-aware
1299           clients such as the Name Service Switch or by applications that do
1300           not need POSIX data to be present or generated. Only objects from
1301           POSIX domains are available to the operating system interfaces and
1302           utilities.
1303
1304           Allowed values for this option are “posix” and “application”.
1305
1306           POSIX domains are reachable by all services. Application domains
1307           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1308           and the PAM responder.
1309
1310           NOTE: The application domains are currently well tested with
1311           “id_provider=ldap” only.
1312
1313           For an easy way to configure a non-POSIX domain, please see the
1314           “Application domains” section.
1315
1316           Default: posix
1317
1318       min_id,max_id (integer)
1319           UID and GID limits for the domain. If a domain contains an entry
1320           that is outside these limits, it is ignored.
1321
1322           For users, this affects the primary GID limit. The user will not be
1323           returned to NSS if either the UID or the primary GID is outside the
1324           range. For non-primary group memberships, those that are in range
1325           will be reported as expected.
1326
1327           These ID limits affect even saving entries to cache, not only
1328           returning them by name or ID.
1329
1330           Default: 1 for min_id, 0 (no limit) for max_id
1331
1332       enumerate (bool)
1333           Determines if a domain can be enumerated, that is, whether the
1334           domain can list all the users and groups it contains. Note that it
1335           is not required to enable enumeration in order for secondary groups
1336           to be displayed. This parameter can have one of the following
1337           values:
1338
1339           TRUE = Users and groups are enumerated
1340
1341           FALSE = No enumerations for this domain
1342
1343           Default: FALSE
1344
1345           Enumerating a domain requires SSSD to download and store ALL user
1346           and group entries from the remote server.
1347
1348           Note: Enabling enumeration has a moderate performance impact on
1349           SSSD while enumeration is running. It may take up to several
1350           minutes after SSSD startup to fully complete enumerations. During
1351           this time, individual requests for information will go directly to
1352           LDAP, though it may be slow, due to the heavy enumeration
1353           processing. Saving a large number of entries to cache after the
1354           enumeration completes might also be CPU intensive as the
1355           memberships have to be recomputed. This can lead to the “sssd_be”
1356           process becoming unresponsive or even being restarted by the
1357           internal watchdog.
1358
1359           While the first enumeration is running, requests for the complete
1360           user or group lists may return no results until it completes.
1361
1362           Further, enabling enumeration may increase the time necessary to
1363           detect network disconnection, as longer timeouts are required to
1364           ensure that enumeration lookups are completed successfully. For
1365           more information, refer to the man pages for the specific
1366           id_provider in use.
1367
1368           For the reasons cited above, enabling enumeration is not
1369           recommended, especially in large environments.
1370
1371       subdomain_enumerate (string)
1372           Whether any of the autodetected trusted domains should be
1373           enumerated. The supported values are:
1374
1375           all
1376               All discovered trusted domains will be enumerated
1377
1378           none
1379               No discovered trusted domains will be enumerated
1380
1381           Optionally, a list of one or more domain names can enable
1382           enumeration just for these trusted domains.
1383
1384           Default: none
1385
1386       entry_cache_timeout (integer)
1387           How many seconds should nss_sss consider entries valid before
1388           asking the backend again
1389
1390           The cache expiration timestamps are stored as attributes of
1391           individual objects in the cache. Therefore, changing the cache
1392           timeout only has effect for newly added or expired entries. You
1393           should run the sss_cache(8) tool in order to force refresh of
1394           entries that have already been cached.
1395
1396           Default: 5400
1397
1398       entry_cache_user_timeout (integer)
1399           How many seconds should nss_sss consider user entries valid before
1400           asking the backend again
1401
1402           Default: entry_cache_timeout
1403
1404       entry_cache_group_timeout (integer)
1405           How many seconds should nss_sss consider group entries valid before
1406           asking the backend again
1407
1408           Default: entry_cache_timeout
1409
1410       entry_cache_netgroup_timeout (integer)
1411           How many seconds should nss_sss consider netgroup entries valid
1412           before asking the backend again
1413
1414           Default: entry_cache_timeout
1415
1416       entry_cache_service_timeout (integer)
1417           How many seconds should nss_sss consider service entries valid
1418           before asking the backend again
1419
1420           Default: entry_cache_timeout
1421
1422       entry_cache_resolver_timeout (integer)
1423           How many seconds should nss_sss consider hosts and networks entries
1424           valid before asking the backend again
1425
1426           Default: entry_cache_timeout
1427
1428       entry_cache_sudo_timeout (integer)
1429           How many seconds should sudo consider rules valid before asking the
1430           backend again
1431
1432           Default: entry_cache_timeout
1433
1434       entry_cache_autofs_timeout (integer)
1435           How many seconds should the autofs service consider automounter
1436           maps valid before asking the backend again
1437
1438           Default: entry_cache_timeout
1439
1440       entry_cache_ssh_host_timeout (integer)
1441           How many seconds to keep a host ssh key after refresh, i.e. how long
1442           to cache the host key for.
1443
1444           Default: entry_cache_timeout
1445
1446       entry_cache_computer_timeout (integer)
1447           How many seconds to keep the local computer entry before asking the
1448           backend again
1449
1450           Default: entry_cache_timeout
1451
1452       refresh_expired_interval (integer)
1453           Specifies how many seconds SSSD has to wait before triggering a
1454           background refresh task which will refresh all expired or nearly
1455           expired records.
1456
1457           The background refresh will process users, groups and netgroups in
1458           the cache. For users who have performed the initgroups (get group
1459           membership for user, typically run at login) operation in the past,
1460           both the user entry and the group membership are updated.
1461
1462           This option is automatically inherited for all trusted domains.
1463
1464           You can consider setting this value to 3/4 * entry_cache_timeout.
1465
1466           Cache entry will be refreshed by background task when 2/3 of cache
1467           timeout has already passed. If there are existing cached entries,
1468           the background task will refer to their original cache timeout
1469           values instead of the current configuration value. This may make
1470           the background refresh task appear not to be working. This is done
1471           by design to improve offline mode operation and reuse of existing
1472           valid cache entries. To make the change take effect immediately,
1473           manually invalidate the existing cache (e.g. with sss_cache(8)).
1474
1475           Default: 0 (disabled)
1476
1477       cache_credentials (bool)
1478           Determines if user credentials are also cached in the local LDB
1479           cache
1480
1481           User credentials are stored in a SHA512 hash, not in plaintext
1482
1483           Default: FALSE
1484
1485       cache_credentials_minimal_first_factor_length (int)
1486           If 2-Factor-Authentication (2FA) is used and credentials should be
1487           saved this value determines the minimal length the first
1488           authentication factor (long term password) must have to be saved as
1489           SHA512 hash into the cache.
1490
1491           This prevents the short PINs of a PIN-based 2FA scheme from being
1492           saved in the cache, where they would be easy targets for
1493           brute-force attacks.
1494
1495           Default: 8
1496
1497       account_cache_expiration (integer)
1498           Number of days entries are left in cache after last successful
1499           login before being removed during a cleanup of the cache. 0 means
1500           keep forever. The value of this parameter must be greater than or
1501           equal to offline_credentials_expiration.
1502
1503           Default: 0 (unlimited)
1504
1505       pwd_expiration_warning (integer)
1506           Display a warning N days before the password expires.
1507
1508           If zero is set, then this filter is not applied, i.e. if the
1509           expiration warning was received from backend server, it will
1510           automatically be displayed.
1511
1512           Please note that the backend server has to provide information
1513           about the expiration time of the password. If this information is
1514           missing, sssd cannot display a warning. Also an auth provider has
1515           to be configured for the backend.
1516
1517           Default: 7 (Kerberos), 0 (LDAP)
1518
1519       id_provider (string)
1520           The identification provider used for the domain. Supported ID
1521           providers are:
1522
1523           “proxy”: Support a legacy NSS provider.
1524
1525           “files”: FILES provider. See sssd-files(5) for more information on
1526           how to mirror local users and groups into SSSD.
1527
1528           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1529           configuring LDAP.
1530
1531           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1532           See sssd-ipa(5) for more information on configuring FreeIPA.
1533
1534           “ad”: Active Directory provider. See sssd-ad(5) for more
1535           information on configuring Active Directory.
1536
1537       use_fully_qualified_names (bool)
1538           Use the full name and domain (as formatted by the domain's
1539           full_name_format) as the user's login name reported to NSS.
1540
1541           If set to TRUE, all requests to this domain must use fully
1542           qualified names. For example, if used in LOCAL domain that contains
1543           a "test" user, getent passwd test wouldn't find the user while
1544           getent passwd test@LOCAL would.
1545
1546           NOTE: This option has no effect on netgroup lookups due to their
1547           tendency to include nested netgroups without qualified names. For
1548           netgroups, all domains will be searched when an unqualified name is
1549           requested.
1550
1551           Default: FALSE (TRUE for trusted domain/sub-domains or if
1552           default_domain_suffix is used)
1553
1554       ignore_group_members (bool)
1555           Do not return group members for group lookups.
1556
1557           If set to TRUE, the group membership attribute is not requested
1558           from the ldap server, and group members are not returned when
1559           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1560           As an effect, “getent group $groupname” would return the requested
1561           group as if it was empty.
1562
1563           Enabling this option can also make access provider checks for group
1564           membership significantly faster, especially for groups containing
1565           many members.
1566
1567           Default: FALSE
1568
1569       auth_provider (string)
1570           The authentication provider used for the domain. Supported auth
1571           providers are:
1572
1573           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1574           information on configuring LDAP.
1575
1576           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1577           information on configuring Kerberos.
1578
1579           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1580           See sssd-ipa(5) for more information on configuring FreeIPA.
1581
1582           “ad”: Active Directory provider. See sssd-ad(5) for more
1583           information on configuring Active Directory.
1584
1585           “proxy” for relaying authentication to some other PAM target.
1586
1587           “none” disables authentication explicitly.
1588
1589           Default: “id_provider” is used if it is set and can handle
1590           authentication requests.
1591
1592       access_provider (string)
1593           The access control provider used for the domain. There are two
1594           built-in access providers (in addition to any included in installed
1595           backends). The internal special providers are:
1596
1597           “permit” always allow access. It's the only permitted access
1598           provider for a local domain.
1599
1600           “deny” always deny access.
1601
1602           “ldap” for LDAP-based access control (for example ldap_access_filter
1603           and ldap_access_order). See sssd-ldap(5) for more information.
1604
1605           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1606           See sssd-ipa(5) for more information on configuring FreeIPA.
1607
1608           “ad”: Active Directory provider. See sssd-ad(5) for more
1609           information on configuring Active Directory.
1610
1611           “simple” access control based on access or deny lists. See sssd-
1612           simple(5) for more information on configuring the simple access
1613           module.
1614
1615           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1616           information on configuring Kerberos.
1617
1618           “proxy” for relaying access control to another PAM module.
1619
1620           Default: “permit”
1621
1622       chpass_provider (string)
1623           The provider which should handle change password operations for the
1624           domain. Supported change password providers are:
1625
1626           “ldap” to change a password stored in a LDAP server. See sssd-
1627           ldap(5) for more information on configuring LDAP.
1628
1629           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1630           information on configuring Kerberos.
1631
1632           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1633           See sssd-ipa(5) for more information on configuring FreeIPA.
1634
1635           “ad”: Active Directory provider. See sssd-ad(5) for more
1636           information on configuring Active Directory.
1637
1638           “proxy” for relaying password changes to some other PAM target.
1639
1640           “none” disallows password changes explicitly.
1641
1642           Default: “auth_provider” is used if it is set and can handle change
1643           password requests.
1644
1645       sudo_provider (string)
1646           The SUDO provider used for the domain. Supported SUDO providers
1647           are:
1648
1649           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1650           information on configuring LDAP.
1651
1652           “ipa” the same as “ldap” but with IPA default settings.
1653
1654           “ad” the same as “ldap” but with AD default settings.
1655
1656           “none” disables SUDO explicitly.
1657
1658           Default: The value of “id_provider” is used if it is set.
1659
1660           The detailed instructions for configuration of sudo_provider are in
1661           the manual page sssd-sudo(5). There are many configuration options
1662           that can be used to adjust the behavior. Please refer to
1663           "ldap_sudo_*" in sssd-ldap(5).
1664
1665           NOTE: Sudo rules are periodically downloaded in the background
1666           unless the sudo provider is explicitly disabled. Set sudo_provider
1667           = none to disable all sudo-related activity in SSSD if you do not
1668           want to use sudo with SSSD at all.
1669
1670       selinux_provider (string)
1671           The provider which should handle loading of selinux settings. Note
1672           that this provider will be called right after access provider ends.
1673           Supported selinux providers are:
1674
1675           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1676           for more information on configuring IPA.
1677
1678           “none” disallows fetching selinux settings explicitly.
1679
1680           Default: “id_provider” is used if it is set and can handle selinux
1681           loading requests.
1682
1683       subdomains_provider (string)
1684           The provider which should handle fetching of subdomains. This value
1685           should be always the same as id_provider. Supported subdomain
1686           providers are:
1687
1688           “ipa” to load a list of subdomains from an IPA server. See sssd-
1689           ipa(5) for more information on configuring IPA.
1690
1691           “ad” to load a list of subdomains from an Active Directory server.
1692           See sssd-ad(5) for more information on configuring the AD provider.
1693
1694           “none” disallows fetching subdomains explicitly.
1695
1696           Default: The value of “id_provider” is used if it is set.
1697
1698       session_provider (string)
1699           The provider which configures and manages user session related
1700           tasks. The only user session task currently provided is the
1701           integration with Fleet Commander, which works only with IPA.
1702           Supported session providers are:
1703
1704           “ipa” to allow performing user session related tasks.
1705
1706           “none” does not perform any kind of user session related tasks.
1707
1708           Default: “id_provider” is used if it is set and can perform session
1709           related tasks.
1710
1711           NOTE: In order to have this feature working as expected SSSD must
1712           be running as "root" and not as the unprivileged user.
1713
1714       autofs_provider (string)
1715           The autofs provider used for the domain. Supported autofs providers
1716           are:
1717
1718           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1719           information on configuring LDAP.
1720
1721           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1722           more information on configuring IPA.
1723
1724           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1725           information on configuring the AD provider.
1726
1727           “none” disables autofs explicitly.
1728
1729           Default: The value of “id_provider” is used if it is set.
1730
1731       hostid_provider (string)
1732           The provider used for retrieving host identity information.
1733           Supported hostid providers are:
1734
1735           “ipa” to load host identity stored in an IPA server. See sssd-
1736           ipa(5) for more information on configuring IPA.
1737
1738           “none” disables hostid explicitly.
1739
1740           Default: The value of “id_provider” is used if it is set.
1741
1742       resolver_provider (string)
1743           The provider which should handle hosts and networks lookups.
1744           Supported resolver providers are:
1745
1746           “proxy” to forward lookups to another NSS library. See
1747           “proxy_resolver_lib_name”
1748
1749           “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1750           for more information on configuring LDAP.
1751
1752           “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1753           more information on configuring the AD provider.
1754
1755           “none” disallows fetching hosts and networks explicitly.
1756
1757           Default: The value of “id_provider” is used if it is set.
1758
1759       re_expression (string)
1760           Regular expression for this domain that describes how to parse the
1761           string containing user name and domain into these components. The
1762           "domain" can match either the SSSD configuration domain name, or,
1763           in the case of IPA trust subdomains and Active Directory domains,
1764           the flat (NetBIOS) name of the domain.
1765
1766           Default for the AD and IPA provider:
1767           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1768           which allows three different styles for user names:
1769
1770           ·   username
1771
1772           ·   username@domain.name
1773
1774           ·   domain\username
1775
1776           While the first two correspond to the general default the third one
1777           is introduced to allow easy integration of users from Windows
1778           domains.
1779
1780           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1781           "the name is everything up to the “@” sign, the domain everything
1782           after that"
1783
1784           NOTE: Some Active Directory groups, typically those used for MS
1785           Exchange contain an “@” sign in the name, which clashes with the
1786           default re_expression value for the AD and IPA providers. To
1787           support these groups, consider changing the re_expression value to:
1788           “((?P<name>.+)@(?P<domain>[^@]+$))”.
1789
1790       full_name_format (string)
1791           A printf(3)-compatible format that describes how to compose a fully
1792           qualified name from user name and domain name components.
1793
1794           The following expansions are supported:
1795
1796           %1$s
1797               user name
1798
1799           %2$s
1800               domain name as specified in the SSSD config file.
1801
1802           %3$s
1803               domain flat name. Mostly usable for Active Directory domains,
1804               both directly configured or discovered via IPA trusts.
1805
1806           Default: “%1$s@%2$s”.
1807
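           The following Python script is an added worked example (not part of
           this man page or of SSSD's own code) that applies the three
           re_expression values quoted above and the full_name_format
           expansions to a few constructed login strings, so the effect of
           switching to the Exchange-friendly expression can be seen directly.
           SSSD evaluates re_expression with PCRE; Python's re module rejects
           the duplicate group names that the AD/IPA default relies on, so that
           one pattern is adapted with per-alternative group names and merged
           after matching, which does not change what it matches. The domain
           and user names are made up.

```python
import re

# SSSD's default re_expression for the AD and IPA providers, as given in the
# man page. It reuses the group names "name"/"domain" in several alternatives,
# which PCRE accepts but Python's re module rejects, so this adaptation
# suffixes the group names per alternative and merges them after matching.
AD_IPA_RE = re.compile(
    r"(((?P<domain1>[^\\]+)\\(?P<name1>.+$))"      # DOMAIN\name
    r"|((?P<name2>[^@]+)@(?P<domain2>.+$))"         # name@domain.name
    r"|(^(?P<name3>[^@\\]+)$))"                     # bare name
)

# SSSD's generic default: the name is everything up to '@', the domain
# everything after it (an empty domain means no domain was given).
GENERIC_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# The alternative the man page suggests for AD groups (e.g. Exchange groups)
# whose names themselves contain an '@' sign.
EXCHANGE_RE = re.compile(r"((?P<name>.+)@(?P<domain>[^@]+$))")


def parse_name(pattern, text):
    """Split a login string into (name, domain) the way re_expression does.

    Returns None when the pattern does not match at all; domain is None when
    the string carried no domain part.
    """
    m = pattern.match(text)
    if m is None:
        return None
    groups = m.groupdict()
    name = next((v for k, v in groups.items() if k.startswith("name") and v), None)
    domain = next((v for k, v in groups.items() if k.startswith("domain") and v), None)
    return name, domain


def full_name(fmt, name, domain, flat_name=""):
    """Compose a fully qualified name as full_name_format does: %1$s is the
    user name, %2$s the SSSD domain name, %3$s the flat (NetBIOS) name."""
    return fmt.replace("%1$s", name).replace("%2$s", domain).replace("%3$s", flat_name)


if __name__ == "__main__":
    # Constructed inputs; "mailgroup@example.com" stands in for an Exchange
    # group name that itself contains '@', stored in domain corp.example.com.
    for s in ("alice", "alice@corp.example.com", "CORP\\alice",
              "mailgroup@example.com@corp.example.com"):
        print(f"{s!r:45} default -> {parse_name(AD_IPA_RE, s)}"
              f"  exchange -> {parse_name(EXCHANGE_RE, s)}")
    print(full_name("%1$s@%2$s", "alice", "corp.example.com"))
    print(full_name("%3$s\\%1$s", "alice", "corp.example.com", "CORP"))
```

           With the default AD/IPA expression the group string splits as name
           “mailgroup” and domain “example.com@corp.example.com”, which is the
           clash the NOTE describes; the suggested expression yields
           “mailgroup@example.com” in “corp.example.com”. Note that the
           suggested expression has no alternative for an unqualified name, so
           test short-name lookups in your environment before deploying it.
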
1808       lookup_family_order (string)
1809           Provides the ability to select preferred address family to use when
1810           performing DNS lookups.
1811
1812           Supported values:
1813
1814           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1815
1816           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1817
1818           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1819
1820           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1821
1822           Default: ipv4_first
1823
1824       dns_resolver_timeout (integer)
1825           Defines the amount of time (in seconds) to wait for a reply from
1826           the internal fail over service before assuming that the service is
1827           unreachable. If this timeout is reached, the domain will continue
1828           to operate in offline mode.
1829
1830           Please see the section “FAILOVER” for more information about the
1831           service resolution.
1832
1833           Default: 6
1834
1835       dns_discovery_domain (string)
1836           If service discovery is used in the back end, specifies the domain
1837           part of the service discovery DNS query.
1838
1839           Default: Use the domain part of machine's hostname
1840
1841       override_gid (integer)
1842           Override the primary GID value with the one specified.
1843
1844       case_sensitive (string)
1845           Treat user and group names as case sensitive. Possible option
1846           values are:
1847
1848           True
1849               Case sensitive. This value is invalid for AD provider.
1850
1851           False
1852               Case insensitive.
1853
1854           Preserving
1855               Same as False (case insensitive), but does not lowercase names
1856               in the result of NSS operations. Note that name aliases (and in
1857               case of services also protocol names) are still lowercased in
1858               the output.
1859
1860               If you want to set this value for trusted domain with IPA
1861               provider, you need to set it on both the client and SSSD on the
1862               server.
1863
1864           This option can be also set per subdomain or inherited via
1865           subdomain_inherit.
1866
1867           Default: True (False for AD provider)
1868
1869       subdomain_inherit (string)
1870           Specifies a list of configuration parameters that should be
1871           inherited by a subdomain. Please note that only selected parameters
1872           can be inherited. Currently the following options can be inherited:
1873
1874           ignore_group_members
1875
1876           ldap_purge_cache_timeout
1877
1878           ldap_use_tokengroups
1879
1880           ldap_user_principal
1881
1882           ldap_krb5_keytab (the value of krb5_keytab will be used if
1883           ldap_krb5_keytab is not set explicitly)
1884
1885           auto_private_groups
1886
1887           case_sensitive
1888
1889           Example:
1890
1891               subdomain_inherit = ldap_purge_cache_timeout
1892
1893
1894           Default: none
1895
1896           Note: This option only works with the IPA and AD provider.
1897
1898       subdomain_homedir (string)
1899           Use this homedir as default value for all subdomains within this
1900           domain in IPA AD trust. See override_homedir for info about
1901           possible values. In addition to those, the expansion below can only
1902           be used with subdomain_homedir.
1903
1904           %F
1905               flat (NetBIOS) name of a subdomain.
1906
1907           The value can be overridden by override_homedir option.
1908
1909           Default: /home/%d/%u
1910
1911       realmd_tags (string)
1912           Various tags stored by the realmd configuration service for this
1913           domain.
1914
1915       cached_auth_timeout (int)
1916           Specifies time in seconds since last successful online
1917           authentication for which user will be authenticated using cached
1918           credentials while SSSD is in the online mode. If the credentials
1919           are incorrect, SSSD falls back to online authentication.
1920
1921           This option's value is inherited by all trusted domains. At the
1922           moment it is not possible to set a different value per trusted
1923           domain.
1924
1925           Special value 0 implies that this feature is disabled.
1926
1927           Please note that if “cached_auth_timeout” is longer than
1928           “pam_id_timeout” then the back end could be called to handle
1929           “initgroups.”
1930
1931           Default: 0
1932
1933       auto_private_groups (string)
1934           This option takes any of three available values:
1935
1936           true
1937               Create user's private group unconditionally from user's UID
1938               number. The GID number is ignored in this case.
1939
1940               NOTE: Because the GID number and the user private group are
1941               inferred from the UID number, it is not supported to have
1942               multiple entries with the same UID or GID number with this
1943               option. In other words, enabling this option enforces
1944               uniqueness across the ID space.
1945
1946           false
1947               Always use the user's primary GID number. The GID number must
1948               refer to a group object in the LDAP database.
1949
1950           hybrid
1951               A primary group is autogenerated for user entries whose UID and
1952               GID numbers have the same value and at the same time the GID
1953               number does not correspond to a real group object in LDAP. If
1954               the values are the same, but the primary GID in the user entry
1955               is also used by a group object, the primary GID of the user
1956               resolves to that group object.
1957
1958               If the UID and GID of a user are different, then the GID must
1959               correspond to a group entry, otherwise the GID is simply not
1960               resolvable.
1961
1962               This feature is useful for environments that wish to stop
1963               maintaining a separate group objects for the user private
1964               groups, but also wish to retain the existing user private
1965               groups.
1966
1967           For subdomains, the default value is False for subdomains that use
1968           assigned POSIX IDs and True for subdomains that use automatic
1969           ID-mapping.
1970
1971           The value of auto_private_groups can either be set per subdomains
1972           in a subsection, for example:
1973
1974               [domain/forest.domain/sub.domain]
1975               auto_private_groups = false
1976
1977           or globally for all subdomains in the main domain section using the
1978           subdomain_inherit option:
1979
1980               [domain/forest.domain]
1981               subdomain_inherit = auto_private_groups
1982               auto_private_groups = false
1983
1984
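           The following Python script is an added worked example (not part of
           this man page or of SSSD's own code) that implements the primary GID
           resolution rules described above for the three auto_private_groups
           values, and checks the uniqueness requirement that the “true” mode
           imposes on the ID space. The user entries and group GIDs are a
           constructed sample; the function names are this example's own.

```python
# Constructed sample directory data: (login, uidNumber, gidNumber) for users,
# and the gidNumbers that exist as real group objects in LDAP.
SAMPLE_USERS = [
    ("alice", 10001, 10001),   # uid == gid, no group object with that GID
    ("bob",   10002, 20000),   # ordinary primary group
    ("carol", 10003, 10003),   # uid == gid, but a real group with that GID exists
    ("dave",  10004, 30000),   # gidNumber points at no group object
]
SAMPLE_GROUP_GIDS = {20000, 10003}


def resolve_primary_gid(mode, uid, gid, group_gids):
    """Return the GID SSSD reports as the user's primary group under the given
    auto_private_groups mode ("true", "false" or "hybrid"), or None when the
    GID is not resolvable. group_gids holds the gidNumbers of real group
    objects in LDAP."""
    mode = mode.lower()
    if mode == "true":
        # The private group is always derived from the UID; gidNumber is ignored.
        return uid
    if mode == "false":
        # gidNumber must refer to a real group object.
        return gid if gid in group_gids else None
    if mode == "hybrid":
        if gid in group_gids:
            # A real group object wins, even when uid == gid.
            return gid
        if uid == gid:
            # No group object, but uid == gid: autogenerate the private group.
            return uid
        # uid != gid and no group object: simply not resolvable.
        return None
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def id_space_conflicts(users, group_gids):
    """With auto_private_groups = true every UID doubles as the GID of the
    user's private group, so a UID shared by two users, or a UID that is also
    the GID of a real group, is a conflict. Returns the conflicting IDs."""
    seen, conflicts = set(), set()
    for _login, uid, _gid in users:
        if uid in seen or uid in group_gids:
            conflicts.add(uid)
        seen.add(uid)
    return conflicts


if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        for login, uid, gid in SAMPLE_USERS:
            print(f"{mode:6} {login:6} -> "
                  f"{resolve_primary_gid(mode, uid, gid, SAMPLE_GROUP_GIDS)}")
    print("conflicts under 'true':", id_space_conflicts(SAMPLE_USERS, SAMPLE_GROUP_GIDS))
```

           In the sample, “hybrid” gives alice a generated private group,
           resolves carol to the existing group 10003 rather than a generated
           one, and leaves dave's primary group unresolvable; the same data
           would be rejected under “true” because carol's UID collides with a
           real group's GID.
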
1985       Options valid for proxy domains.
1986
1987       proxy_pam_target (string)
1988           The proxy target PAM proxies to.
1989
1990           Default: not set. You have to use an existing PAM service
1991           configuration or create a new one and put its service name here.
1992
1993       proxy_lib_name (string)
1994           The name of the NSS library to use in proxy domains. The NSS
1995           functions searched for in the library are in the form of
1996           _nss_$(libName)_$(function), for example _nss_files_getpwent.
1997
1998       proxy_resolver_lib_name (string)
1999           The name of the NSS library to use for hosts and networks lookups
2000           in proxy domains. The NSS functions searched for in the library are
2001           in the form of _nss_$(libName)_$(function), for example
2002           _nss_dns_gethostbyname2_r.
2003
2004       proxy_fast_alias (boolean)
2005           When a user or group is looked up by name in the proxy provider, a
2006           second lookup by ID is performed to "canonicalize" the name in case
2007           the requested name was an alias. Setting this option to true would
2008           cause the SSSD to perform the ID lookup from cache for performance
2009           reasons.
2010
2011           Default: false
2012
2013       proxy_max_children (integer)
2014           This option specifies the number of pre-forked proxy children. It
2015           is useful for high-load SSSD environments where sssd may run out of
2016           available child slots, which would cause some issues due to the
2017           requests being queued.
2018
2019           Default: 10
2020
2021   Application domains
2022       SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
2023       applications as a gateway to an LDAP directory where users and groups
2024       are stored. However, contrary to the traditional SSSD deployment where
2025       all users and groups either have POSIX attributes or those attributes
2026       can be inferred from the Windows SIDs, in many cases the users and
2027       groups in the application support scenario have no POSIX attributes.
2028       Instead of setting a “[domain/NAME]” section, the administrator can set
2029       up an “[application/NAME]” section that internally represents a domain
2030       with type “application” and optionally inherits settings from a
2031       traditional SSSD domain.
2032
2033       Please note that the application domain must still be explicitly
2034       enabled in the “domains” parameter so that the lookup order between the
2035       application domain and its POSIX sibling domain is set correctly.
2036
2037       Application domain parameters
2038
2039       inherit_from (string)
2040           The SSSD POSIX-type domain the application domain inherits all
2041           settings from. The application domain can moreover add its own
2042           settings to the application settings that augment or override the
2043           “sibling” domain settings.
2044
2045           Default: Not set
2046
2047       The following example illustrates the use of an application domain. In
2048       this setup, the POSIX domain is connected to an LDAP server and is used
2049       by the OS through the NSS responder. In addition, the application
2050       domain also requests the telephoneNumber attribute, stores it as the
2051       phone attribute in the cache and makes the phone attribute reachable
2052       through the D-Bus interface.
2053
2054           [sssd]
2055           domains = appdom, posixdom
2056
2057           [ifp]
2058           user_attributes = +phone
2059
2060           [domain/posixdom]
2061           id_provider = ldap
2062           ldap_uri = ldap://ldap.example.com
2063           ldap_search_base = dc=example,dc=com
2064
2065           [application/appdom]
2066           inherit_from = posixdom
2067           ldap_user_extra_attrs = phone:telephoneNumber
2068

TRUSTED DOMAIN SECTION

2070       Some options used in the domain section can also be used in the trusted
2071       domain section, that is, in a section called
2072       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2073       actual joined-to base domain. Please refer to the examples below for
2074       an explanation. Currently supported options in the trusted domain
2075       section are:
2076
2077       ldap_search_base,
2078
2079       ldap_user_search_base,
2080
2081       ldap_group_search_base,
2082
2083       ldap_netgroup_search_base,
2084
2085       ldap_service_search_base,
2086
2087       ldap_sasl_mech,
2088
2089       ad_server,
2090
2091       ad_backup_server,
2092
2093       ad_site,
2094
2095       use_fully_qualified_names
2096
2097       pam_gssapi_services
2098
2099       pam_gssapi_check_upn
2100
2101       For more details about these options see their individual description
2102       in the manual page.
2103

CERTIFICATE MAPPING SECTION

2105       To allow authentication with Smartcards and certificates SSSD must be
2106       able to map certificates to users. This can be done by adding the full
2107       certificate to the LDAP object of the user or to a local override.
2108       While using the full certificate is required to use the Smartcard
2109       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2110       details) it might be cumbersome or not even possible to do this for the
2111       general case where local services use PAM for authentication.
2112
2113       To make the mapping more flexible, mapping and matching rules were added
2114       to SSSD (see sss-certmap(5) for details).
2115
2116       A mapping and matching rule can be added to the SSSD configuration in a
2117       section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2118       In this section the following options are allowed:
2119
2120       matchrule (string)
2121           Only certificates from the Smartcard which match this rule will be
2122           processed; all others are ignored.
2123
2124           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2125           the Extended Key Usage “clientAuth”
2126
2127       maprule (string)
2128           Defines how the user is found for a given certificate.
2129
2130           Default:
2131
2132           ·   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2133               providers like “ldap”, “AD” or “ipa”.
2134
2135           ·   The RULE_NAME for the “files” provider which tries to find a
2136               user with the same name.
2137
2138
2139       domains (string)
2140           Comma separated list of domain names the rule should be applied to.
2141           By default a rule is only valid in the domain configured in sssd.conf.
2142           If the provider supports subdomains this option can be used to add
2143           the rule to subdomains as well.
2144
2145           Default: the configured domain in sssd.conf
2146
2147       priority (integer)
2148           Unsigned integer value defining the priority of the rule. The
2149           higher the number the lower the priority.  “0” stands for the
2150           highest priority while “4294967295” is the lowest.
2151
2152           Default: the lowest priority
2153
2154       To make the configuration simple and reduce the amount of configuration
2155       options the “files” provider has some special properties:
2156
2157       ·   if maprule is not set the RULE_NAME name is assumed to be the name
2158           of the matching user
2159
2160       ·   if a maprule is used both a single user name or a template like
2161           “{subject_rfc822_name.short_name}” must be in braces like e.g.
2162           “(username)” or “({subject_rfc822_name.short_name})”
2163
2164       ·   the “domains” option is ignored
2165
2166

PROMPTING CONFIGURATION SECTION

       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
       SSSD's PAM module pam_sss will ask SSSD to determine which
       authentication methods are available for the user trying to log in.
       Based on the results, pam_sss will prompt the user for the appropriate
       credentials.

       With the growing number of authentication methods and the possibility
       that several of them apply to a single user, the heuristic used by
       pam_sss to select the prompting might not be suitable for all use
       cases. The following options provide more flexibility here.

       Each supported authentication method has its own configuration
       subsection under “[prompting/...]”. Currently there are:

       [prompting/password]
           to configure password prompting; allowed options are:

           password_prompt
               to change the string of the password prompt


       [prompting/2fa]
           to configure two-factor authentication prompting; allowed options
           are:

           first_prompt
               to change the string of the prompt for the first factor

           second_prompt
               to change the string of the prompt for the second factor

           single_prompt
               boolean value; if True there will be only a single prompt,
               using the value of first_prompt, where it is expected that both
               factors are entered as a single string


       It is possible to add a subsection for a specific PAM service, e.g.
       “[prompting/password/sshd]”, to change the prompting individually for
       that service.


EXAMPLES

       1. The following example shows a typical SSSD config. It does not
       describe configuration of the domains themselves - refer to the
       documentation on configuring domains for more details.

           [sssd]
           domains = LDAP
           services = nss, pam
           config_file_version = 2

           [nss]
           filter_groups = root
           filter_users = root

           [pam]

           [domain/LDAP]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           auth_provider = krb5
           krb5_server = kerberos.example.com
           krb5_realm = EXAMPLE.COM
           cache_credentials = true

           min_id = 10000
           max_id = 20000
           enumerate = False

       2. The following example shows the configuration of an IPA-AD trust
       where the AD forest consists of two domains in a parent-child
       structure. Suppose the IPA domain (ipa.com) has a trust with the AD
       domain (ad.com), and ad.com has a child domain (child.ad.com). To
       enable short names in the child domain, the following configuration
       should be used.

           [domain/ipa.com/child.ad.com]
           use_fully_qualified_names = false

       3. The following example shows the configuration for two certificate
       mapping rules. The first is valid for the configured domain “my.domain”
       and additionally for the subdomain “your.domain”, and uses the full
       certificate in the search filter. The second is valid for the domain
       “files”, where it is assumed that the files provider is used for this
       domain, and contains a matching rule for the local user “myname”.

           [certmap/my.domain/rule_name]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
           maprule = (userCertificate;binary={cert!bin})
           domains = my.domain, your.domain
           priority = 10

           [certmap/files/myname]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$



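       As an added illustration (not code from the SSSD project) of the
       files-provider rules listed above and of example 3, the following
       Python reimplements the rule evaluation in simplified form: it splits a
       matchrule into its <ISSUER>/<SUBJECT> regexes, checks a certificate's
       issuer and subject against them, and derives the local user name the
       way the files provider does. The rule dictionary, the certificate
       attribute strings and their LDAP-style DN form are constructed
       assumptions; real SSSD works on the parsed X.509 certificate.

```python
import re

# Constructed sample rules: the two [certmap/...] sections from example 3
# above, keyed by section name (hypothetical dict layout, not SSSD's own).
RULES = {
    "certmap/my.domain/rule_name": {
        "matchrule": "<ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$",
        "maprule": "(userCertificate;binary={cert!bin})",
    },
    "certmap/files/myname": {
        "matchrule": "<ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
                     "<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$",
    },
}

# Constructed certificate attributes in the string form the rules above are
# written against (assumed LDAP-style DNs; real SSSD derives them from X.509).
CERT_OK = {
    "issuer": "CN=My-CA,DC=MY,DC=DOMAIN",
    "subject": "CN=User.Name,DC=MY,DC=DOMAIN",
    "subject_rfc822_name.short_name": "user.name",
}
CERT_OTHER_CA = dict(CERT_OK, issuer="CN=Other-CA,DC=MY,DC=DOMAIN")


def parse_matchrule(rule):
    """Split '<ISSUER>regex<SUBJECT>regex' into {keyword: regex}.
    Assumes the regexes contain no '<' (true for the rules on this page)."""
    return dict(re.findall(r"<([A-Z]+)>([^<]*)", rule))


def cert_matches(matchrule, cert):
    """A certificate matches only if every keyword regex matches its field."""
    return all(
        kw.lower() in cert and re.search(rx, cert[kw.lower()]) is not None
        for kw, rx in parse_matchrule(matchrule).items()
    )


def files_user_for(section, rule, cert):
    """Files-provider semantics: no maprule -> RULE_NAME is the user name;
    otherwise maprule must be '(...)' and {attr} templates are expanded.
    Returns None when the certificate does not match the rule."""
    if not cert_matches(rule["matchrule"], cert):
        return None
    maprule = rule.get("maprule")
    if maprule is None:
        return section.rsplit("/", 1)[1]  # RULE_NAME of [certmap/files/RULE_NAME]
    m = re.fullmatch(r"\((.*)\)", maprule)
    if m is None:
        raise ValueError("files-provider maprule must be enclosed in parentheses")
    return re.sub(r"\{([^}]+)\}", lambda t: cert[t.group(1)], m.group(1))
```

       Feeding a certificate from an unexpected issuer (CERT_OTHER_CA) returns
       None; that is the property to verify when a matchrule is loosened.
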
SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)


AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              02/19/2021                      SSSD.CONF(5)