1SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)
2
3
4
6 sssd.conf - the configuration file for SSSD
7
9 The file has an ini-style syntax and consists of sections and
10 parameters. A section begins with the name of the section in square
11 brackets and continues until the next section begins. An example of
12 section with single and multi-valued parameters:
13
14 [section]
15 key = value
16 key2 = value2,value3
17
18
19 The data types used are string (no quotes needed), integer and bool
20 (with values of “TRUE/FALSE”).
21
22 A comment line starts with a hash sign (“#”) or a semicolon (“;”).
23 Inline comments are not supported.
24
25 All sections can have an optional description parameter. Its function
26 is only as a label for the section.
27
28 sssd.conf must be a regular file, owned by root and only root may read
29 from or write to the file.
30
32 The configuration file sssd.conf will include configuration snippets
33 using the include directory conf.d. This feature is available if SSSD
34 was compiled with libini version 1.3.0 or later.
35
36 Any file placed in conf.d that ends in “.conf” and does not begin with
37 a dot (“.”) will be used together with sssd.conf to configure SSSD.
38
39 The configuration snippets from conf.d have higher priority than
40 sssd.conf and will override sssd.conf when conflicts occur. If several
41 snippets are present in conf.d, then they are included in alphabetical
42 order (based on locale). Files included later have higher priority.
43 Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
44 visualize the priority (higher number means higher priority).
45
46 The snippet files require the same owner and permissions as sssd.conf.
47 Which are by default root:root and 0600.
48
50 Following options are usable in more than one configuration sections.
51
52 Options usable in all sections
53 debug_level (integer)
54 SSSD supports two representations for specifying the debug level.
55 The simplest is to specify a decimal value from 0-9, which
56 represents enabling that level and all lower-level debug messages.
57 The more comprehensive option is to specify a hexadecimal bitmask
58 to enable or disable specific levels (such as if you wish to
59 suppress a level).
60
61 Please note that each SSSD service logs into its own log file. Also
62 please note that enabling “debug_level” in the “[sssd]” section
63 only enables debugging just for the sssd process itself, not for
64 the responder or provider processes. The “debug_level” parameter
65 should be added to all sections that you wish to produce debug logs
66 from.
67
68 In addition to changing the log level in the config file using the
69 “debug_level” parameter, which is persistent, but requires SSSD
70 restart, it is also possible to change the debug level on the fly
71 using the sss_debuglevel(8) tool.
72
73 Currently supported debug levels:
74
75 0, 0x0010: Fatal failures. Anything that would prevent SSSD from
76 starting up or causes it to cease running.
77
78 1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
79 one that indicates that at least one major feature is not going to
80 work properly.
81
82 2, 0x0040: Serious failures. An error announcing that a particular
83 request or operation has failed.
84
85 3, 0x0080: Minor failures. These are the errors that would
86 percolate down to cause the operation failure of 2.
87
88 4, 0x0100: Configuration settings.
89
90 5, 0x0200: Function data.
91
92 6, 0x0400: Trace messages for operation functions.
93
94 7, 0x1000: Trace messages for internal control functions.
95
96 8, 0x2000: Contents of function-internal variables that may be
97 interesting.
98
99 9, 0x4000: Extremely low-level tracing information.
100
101 10, 0x10000: Even more low-level libldb tracing information. Almost
102 never really required.
103
104 To log required bitmask debug levels, simply add their numbers
105 together as shown in following examples:
106
107 Example: To log fatal failures, critical failures, serious failures
108 and function data use 0x0270.
109
110 Example: To log fatal failures, configuration settings, function
111 data, trace messages for internal control functions use 0x1310.
112
113 Note: The bitmask format of debug levels was introduced in 1.7.0.
114
115 Default: 0x0070 (i.e. fatal, critical and serious failures;
116 corresponds to setting 2 in decimal notation)
117
118 debug (integer)
119 SSSD 1.14 and later also includes the debug alias for debug_level
120 as a convenience feature. If both are specified, the value of
121 debug_level will be used.
122
123 debug_timestamps (bool)
124 Add a timestamp to the debug messages. If journald is enabled for
125 SSSD debug logging this option is ignored.
126
127 Default: true
128
129 debug_microseconds (bool)
130 Add microseconds to the timestamp in debug messages. If journald is
131 enabled for SSSD debug logging this option is ignored.
132
133 Default: false
134
135 Options usable in SERVICE and DOMAIN sections
136 timeout (integer)
137 Timeout in seconds between heartbeats for this service. This is
138 used to ensure that the process is alive and capable of answering
139 requests. Note that after three missed heartbeats the process will
140 terminate itself.
141
142 Default: 10
143
145 The [sssd] section
146 Individual pieces of SSSD functionality are provided by special SSSD
147 services that are started and stopped together with SSSD. The services
148 are managed by a special service frequently called “monitor”. The
149 “[sssd]” section is used to configure the monitor as well as some other
150 important options like the identity domains.
151
152 Section parameters
153
154 config_file_version (integer)
155 Indicates what is the syntax of the config file. SSSD 0.6.0 and
156 later use version 2.
157
158 services
159 Comma separated list of services that are started when sssd itself
160 starts. The services' list is optional on platforms where systemd
161 is supported, as they will either be socket or D-Bus activated when
162 needed.
163
164 Supported services: nss, pam , sudo , autofs , ssh , pac , ifp
165
166 By default, all services are disabled and the administrator must
167 enable the ones allowed to be used by executing: "systemctl enable
168 sssd-@service@.socket".
169
170 reconnection_retries (integer)
171 Number of times services should attempt to reconnect in the event
172 of a Data Provider crash or restart before they give up
173
174 Default: 3
175
176 domains
177 A domain is a database containing user information. SSSD can use
178 more domains at the same time, but at least one must be configured
179 or SSSD won't start. This parameter describes the list of domains
180 in the order you want them to be queried. A domain name is
181 recommended to contain only alphanumeric ASCII characters, dashes,
182 dots and underscores. '/' character is forbidden.
183
184 re_expression (string)
185 Default regular expression that describes how to parse the string
186 containing user name and domain into these components.
187
188 Each domain can have an individual regular expression configured.
189 For some ID providers there are also default regular expressions.
190 See DOMAIN SECTIONS for more info on these regular expressions.
191
192 full_name_format (string)
193 A printf(3)-compatible format that describes how to compose a fully
194 qualified name from user name and domain name components.
195
196 The following expansions are supported:
197
198 %1$s
199 user name
200
201 %2$s
202 domain name as specified in the SSSD config file.
203
204 %3$s
205 domain flat name. Mostly usable for Active Directory domains,
206 both directly configured or discovered via IPA trusts.
207
208 Each domain can have an individual format string configured. See
209 DOMAIN SECTIONS for more info on this option.
210
211 monitor_resolv_conf (boolean)
212 Controls if SSSD should monitor the state of resolv.conf to
213 identify when it needs to update its internal DNS resolver.
214
215 Default: true
216
217 try_inotify (boolean)
218 By default, SSSD will attempt to use inotify to monitor
219 configuration files changes and will fall back to polling every
220 five seconds if inotify cannot be used.
221
222 There are some limited situations where it is preferred that we
223 should skip even trying to use inotify. In these rare cases, this
224 option should be set to 'false'
225
226 Default: true on platforms where inotify is supported. False on
227 other platforms.
228
229 Note: this option will have no effect on platforms where inotify is
230 unavailable. On these platforms, polling will always be used.
231
232 krb5_rcache_dir (string)
233 Directory on the filesystem where SSSD should store Kerberos replay
234 cache files.
235
236 This option accepts a special value __LIBKRB5_DEFAULTS__ that will
237 instruct SSSD to let libkrb5 decide the appropriate location for
238 the replay cache.
239
240 Default: Distribution-specific and specified at build-time.
241 (__LIBKRB5_DEFAULTS__ if not configured)
242
243 user (string)
244 The user to drop the privileges to where appropriate to avoid
245 running as the root user. This option does not work when running
246 socket-activated services, as the user set up to run the processes
247 is set up during compilation time. The way to override the systemd
248 unit files is by creating the appropriate files in
249 /etc/systemd/system/. Keep in mind that any change in the socket
250 user, group or permissions may result in a non-usable SSSD. The
251 same may occur in case of changes of the user running the NSS
252 responder.
253
254 Default: not set, process will run as root
255
256 default_domain_suffix (string)
257 This string will be used as a default domain name for all names
258 without a domain name component. The main use case is environments
259 where the primary domain is intended for managing host policies and
260 all users are located in a trusted domain. The option allows those
261 users to log in just with their user name without giving a domain
262 name as well.
263
264 Please note that if this option is set all users from the primary
265 domain have to use their fully qualified name, e.g.
266 user@domain.name, to log in. Setting this option changes default of
267 use_fully_qualified_names to True. It is not allowed to use this
268 option together with use_fully_qualified_names set to False. One
269 exception from this rule are domains with “id_provider=files” that
270 always try to match the behaviour of nss_files and therefore their
271 output is not qualified even when the default_domain_suffix option
272 is used.
273
274 Default: not set
275
276 override_space (string)
277 This parameter will replace spaces (space bar) with the given
278 character for user and group names. e.g. (_). User name "john doe"
279 will be "john_doe" This feature was added to help compatibility
280 with shell scripts that have difficulty handling spaces, due to the
281 default field separator in the shell.
282
283 Please note it is a configuration error to use a replacement
284 character that might be used in user or group names. If a name
285 contains the replacement character SSSD tries to return the
286 unmodified name but in general the result of a lookup is undefined.
287
288 Default: not set (spaces will not be replaced)
289
290 certificate_verification (string)
291 With this parameter the certificate verification can be tuned with
292 a comma separated list of options. Supported options are:
293
294 no_ocsp
295 Disables Online Certificate Status Protocol (OCSP) checks. This
296 might be needed if the OCSP servers defined in the certificate
297 are not reachable from the client.
298
299 soft_ocsp
300 If a connection cannot be established to an OCSP responder the
301 OCSP check is skipped. This option should be used to allow
302 authentication when the system is offline and the OCSP
303 responder cannot be reached.
304
305 ocsp_dgst
306 Digest (hash) function used to create the certificate ID for
307 the OCSP request. Allowed values are:
308
309 · sha1
310
311 · sha256
312
313 · sha384
314
315 · sha512
316
317 Default: sha1 (to allow compatibility with RFC5019-compliant
318 responder)
319
320 no_verification
321 Disables verification completely. This option should only be
322 used for testing.
323
324 ocsp_default_responder=URL
325 Sets the OCSP default responder which should be used instead of
326 the one mentioned in the certificate. URL must be replaced with
327 the URL of the OCSP default responder e.g.
328 http://example.com:80/ocsp.
329
330 ocsp_default_responder_signing_cert=NAME
331 This option is currently ignored. All needed certificates must
332 be available in the PEM file given by pam_cert_db_path.
333
334 crl_file=/PATH/TO/CRL/FILE
335 Use the Certificate Revocation List (CRL) from the given file
336 during the verification of the certificate. The CRL must be
337 given in PEM format, see crl(1ssl) for details.
338
339 soft_crl
340 If a Certificate Revocation List (CRL) is expired ignore the
341 CRL checks for the related certificates. This option should be
342 used to allow authentication when the system is offline and the
343 CRL cannot be renewed.
344
345 Unknown options are reported but ignored.
346
347 Default: not set, i.e. do not restrict certificate verification
348
349 disable_netlink (boolean)
350 SSSD hooks into the netlink interface to monitor changes to routes,
351 addresses, links and trigger certain actions.
352
353 The SSSD state changes caused by netlink events may be undesirable
354 and can be disabled by setting this option to 'true'
355
356 Default: false (netlink changes are detected)
357
358 enable_files_domain (boolean)
359 When this option is enabled, SSSD prepends an implicit domain with
360 “id_provider=files” before any explicitly configured domains.
361
362 Default: true
363
364 domain_resolution_order
365 Comma separated list of domains and subdomains representing the
366 lookup order that will be followed. The list doesn't have to
367 include all possible domains as the missing domains will be looked
368 up based on the order they're presented in the “domains”
369 configuration option. The subdomains which are not listed as part
370 of “lookup_order” will be looked up in a random order for each
371 parent domain.
372
373 Please, note that when this option is set the output format of all
374 commands is always fully-qualified even when using short names for
375 input, for all users but the ones managed by the files provider. In
376 case the administrator wants the output not fully-qualified, the
377 full_name_format option can be used as shown below:
378 “full_name_format=%1$s” However, keep in mind that during login,
379 login applications often canonicalize the username by calling
380 getpwnam(3) which, if a shortname is returned for a qualified input
381 (while trying to reach a user which exists in multiple domains)
382 might re-route the login attempt into the domain which uses
383 shortnames, making this workaround totally not recommended in cases
384 where usernames may overlap between domains.
385
386 Default: Not set
387
389 Settings that can be used to configure different services are described
390 in this section. They should reside in the [$NAME] section, for
391 example, for NSS service, the section would be “[nss]”
392
393 General service configuration options
394 These options can be used to configure any service.
395
396 reconnection_retries (integer)
397 Number of times services should attempt to reconnect in the event
398 of a Data Provider crash or restart before they give up
399
400 Default: 3
401
402 fd_limit
403 This option specifies the maximum number of file descriptors that
404 may be opened at one time by this SSSD process. On systems where
405 SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
406 absolute setting. On systems without this capability, the resulting
407 value will be the lower value of this or the limits.conf "hard"
408 limit.
409
410 Default: 8192 (or limits.conf "hard" limit)
411
412 client_idle_timeout
413 This option specifies the number of seconds that a client of an
414 SSSD process can hold onto a file descriptor without communicating
415 on it. This value is limited in order to avoid resource exhaustion
416 on the system. The timeout can't be shorter than 10 seconds. If a
417 lower value is configured, it will be adjusted to 10 seconds.
418
419 Default: 60, KCM: 300
420
421 offline_timeout (integer)
422 When SSSD switches to offline mode the amount of time before it
423 tries to go back online will increase based upon the time spent
424 disconnected. This value is in seconds and calculated by the
425 following:
426
427 offline_timeout + random_offset
428
429 The random offset value is from 0 to 30. After each unsuccessful
430 attempt to go online, the new interval is recalculated by the
431 following:
432
433 new_interval = (old_interval * 2) + random_offset
434
435 Note that the maximum length of each interval is defined by
436 offline_timeout_max, which defaults to one hour. If the calculated
437 length of new_interval is greater than offline_timeout_max, it will
438 be forced to the offline_timeout_max value.
439
440 Default: 60
441
442 offline_timeout_max (integer)
443 Controls by how much the time between attempts to go online can be
444 incremented following unsuccessful attempts to go online.
445
446 A value of 0 disables the incrementing behaviour.
447
448 The value of this parameter should be set in correlation to
449 offline_timeout parameter value.
450
451 With offline_timeout set to 60 (default value) there is no point in
452 setting offlinet_timeout_max to less than 120 as it will saturate
453 instantly. General rule here should be to set offline_timeout_max
454 to at least 4 times offline_timeout.
455
456 Although a value between 0 and offline_timeout may be specified, it
457 has the effect of overriding the offline_timeout value so is of
458 little use.
459
460 Default: 3600
461
462 responder_idle_timeout
463 This option specifies the number of seconds that an SSSD responder
464 process can be up without being used. This value is limited in
465 order to avoid resource exhaustion on the system. The minimum
466 acceptable value for this option is 60 seconds. Setting this option
467 to 0 (zero) means that no timeout will be set up to the responder.
468 This option only has effect when SSSD is built with systemd support
469 and when services are either socket or D-Bus activated.
470
471 Default: 300
472
473 cache_first
474 This option specifies whether the responder should query all caches
475 before querying the Data Providers.
476
477 Default: false
478
479 NSS configuration options
480 These options can be used to configure the Name Service Switch (NSS)
481 service.
482
483 enum_cache_timeout (integer)
484 How many seconds should nss_sss cache enumerations (requests for
485 info about all users)
486
487 Default: 120
488
489 entry_cache_nowait_percentage (integer)
490 The entry cache can be set to automatically update entries in the
491 background if they are requested beyond a percentage of the
492 entry_cache_timeout value for the domain.
493
494 For example, if the domain's entry_cache_timeout is set to 30s and
495 entry_cache_nowait_percentage is set to 50 (percent), entries that
496 come in after 15 seconds past the last cache update will be
497 returned immediately, but the SSSD will go and update the cache on
498 its own, so that future requests will not need to block waiting for
499 a cache update.
500
501 Valid values for this option are 0-99 and represent a percentage of
502 the entry_cache_timeout for each domain. For performance reasons,
503 this percentage will never reduce the nowait timeout to less than
504 10 seconds. (0 disables this feature)
505
506 Default: 50
507
508 entry_negative_timeout (integer)
509 Specifies for how many seconds nss_sss should cache negative cache
510 hits (that is, queries for invalid database entries, like
511 nonexistent ones) before asking the back end again.
512
513 Default: 15
514
515 local_negative_timeout (integer)
516 Specifies for how many seconds nss_sss should keep local users and
517 groups in negative cache before trying to look it up in the back
518 end again. Setting the option to 0 disables this feature.
519
520 Default: 14400 (4 hours)
521
522 filter_users, filter_groups (string)
523 Exclude certain users or groups from being fetched from the sss NSS
524 database. This is particularly useful for system accounts. This
525 option can also be set per-domain or include fully-qualified names
526 to filter only users from the particular domain or by a user
527 principal name (UPN).
528
529 NOTE: The filter_groups option doesn't affect inheritance of nested
530 group members, since filtering happens after they are propagated
531 for returning via NSS. E.g. a group having a member group filtered
532 out will still have the member users of the latter listed.
533
534 Default: root
535
536 filter_users_in_groups (bool)
537 If you want filtered user still be group members set this option to
538 false.
539
540 Default: true
541
542 override_homedir (string)
543 Override the user's home directory. You can either provide an
544 absolute value or a template. In the template, the following
545 sequences are substituted:
546
547 %u
548 login name
549
550 %U
551 UID number
552
553 %d
554 domain name
555
556 %f
557 fully qualified user name (user@domain)
558
559 %l
560 The first letter of the login name.
561
562 %P
563 UPN - User Principal Name (name@REALM)
564
565 %o
566 The original home directory retrieved from the identity
567 provider.
568
569 %H
570 The value of configure option homedir_substring.
571
572 %%
573 a literal '%'
574
575 This option can also be set per-domain.
576
577 example:
578
579 override_homedir = /home/%u
580
581
582 Default: Not set (SSSD will use the value retrieved from LDAP)
583
584 homedir_substring (string)
585 The value of this option will be used in the expansion of the
586 override_homedir option if the template contains the format string
587 %H. An LDAP directory entry can directly contain this template so
588 that this option can be used to expand the home directory path for
589 each client machine (or operating system). It can be set per-domain
590 or globally in the [nss] section. A value specified in a domain
591 section will override one set in the [nss] section.
592
593 Default: /home
594
595 fallback_homedir (string)
596 Set a default template for a user's home directory if one is not
597 specified explicitly by the domain's data provider.
598
599 The available values for this option are the same as for
600 override_homedir.
601
602 example:
603
604 fallback_homedir = /home/%u
605
606
607 Default: not set (no substitution for unset home directories)
608
609 override_shell (string)
610 Override the login shell for all users. This option supersedes any
611 other shell options if it takes effect and can be set either in the
612 [nss] section or per-domain.
613
614 Default: not set (SSSD will use the value retrieved from LDAP)
615
616 allowed_shells (string)
617 Restrict user shell to one of the listed values. The order of
618 evaluation is:
619
620 1. If the shell is present in “/etc/shells”, it is used.
621
622 2. If the shell is in the allowed_shells list but not in
623 “/etc/shells”, use the value of the shell_fallback parameter.
624
625 3. If the shell is not in the allowed_shells list and not in
626 “/etc/shells”, a nologin shell is used.
627
628 The wildcard (*) can be used to allow any shell.
629
630 The (*) is useful if you want to use shell_fallback in case that
631 user's shell is not in “/etc/shells” and maintaining list of all
632 allowed shells in allowed_shells would be to much overhead.
633
634 An empty string for shell is passed as-is to libc.
635
636 The “/etc/shells” is only read on SSSD start up, which means that a
637 restart of the SSSD is required in case a new shell is installed.
638
639 Default: Not set. The user shell is automatically used.
640
641 vetoed_shells (string)
642 Replace any instance of these shells with the shell_fallback
643
644 shell_fallback (string)
645 The default shell to use if an allowed shell is not installed on
646 the machine.
647
648 Default: /bin/sh
649
650 default_shell
651 The default shell to use if the provider does not return one during
652 lookup. This option can be specified globally in the [nss] section
653 or per-domain.
654
655 Default: not set (Return NULL if no shell is specified and rely on
656 libc to substitute something sensible when necessary, usually
657 /bin/sh)
658
659 get_domains_timeout (int)
660 Specifies time in seconds for which the list of subdomains will be
661 considered valid.
662
663 Default: 60
664
665 memcache_timeout (integer)
666 Specifies time in seconds for which records in the in-memory cache
667 will be valid. Setting this option to zero will disable the
668 in-memory cache.
669
670 Default: 300
671
672 WARNING: Disabling the in-memory cache will have significant
673 negative impact on SSSD's performance and should only be used for
674 testing.
675
676 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
677 "NO", client applications will not use the fast in-memory cache.
678
679 memcache_size_passwd (integer)
680 Size (in megabytes) of the data table allocated inside fast
681 in-memory cache for passwd requests. Setting the size to 0 will
682 disable the passwd in-memory cache.
683
684 Default: 8
685
686 WARNING: Disabled or too small in-memory cache can have significant
687 negative impact on SSSD's performance.
688
689 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
690 "NO", client applications will not use the fast in-memory cache.
691
692 memcache_size_group (integer)
693 Size (in megabytes) of the data table allocated inside fast
694 in-memory cache for group requests. Setting the size to 0 will
695 disable the group in-memory cache.
696
697 Default: 6
698
699 WARNING: Disabled or too small in-memory cache can have significant
700 negative impact on SSSD's performance.
701
702 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
703 "NO", client applications will not use the fast in-memory cache.
704
705 memcache_size_initgroups (integer)
706 Size (in megabytes) of the data table allocated inside fast
707 in-memory cache for initgroups requests. Setting the size to 0 will
708 disable the initgroups in-memory cache.
709
710 Default: 10
711
712 WARNING: Disabled or too small in-memory cache can have significant
713 negative impact on SSSD's performance.
714
715 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
716 "NO", client applications will not use the fast in-memory cache.
717
718 user_attributes (string)
719 Some of the additional NSS responder requests can return more
720 attributes than just the POSIX ones defined by the NSS interface.
721 The list of attributes is controlled by this option. It is handled
722 the same way as the “user_attributes” option of the InfoPipe
723 responder (see sssd-ifp(5) for details) but with no default values.
724
725 To make configuration more easy the NSS responder will check the
726 InfoPipe option if it is not set for the NSS responder.
727
728 Default: not set, fallback to InfoPipe option
729
730 pwfield (string)
731 The value that NSS operations that return users or groups will
732 return for the “password” field.
733
734 Default: “*”
735
736 Note: This option can also be set per-domain which overwrites the
737 value in [nss] section.
738
739 Default: “not set” (remote domains), “x” (the files domain), “x”
740 (proxy domain with nss_files and sssd-shadowutils target)
741
742 PAM configuration options
743 These options can be used to configure the Pluggable Authentication
744 Module (PAM) service.
745
746 offline_credentials_expiration (integer)
747 If the authentication provider is offline, how long should we allow
748 cached logins (in days since the last successful online login).
749
750 Default: 0 (No limit)
751
752 offline_failed_login_attempts (integer)
753 If the authentication provider is offline, how many failed login
754 attempts are allowed.
755
756 Default: 0 (No limit)
757
758 offline_failed_login_delay (integer)
759 The time in minutes which has to pass after
760 offline_failed_login_attempts has been reached before a new login
761 attempt is possible.
762
763 If set to 0 the user cannot authenticate offline if
764 offline_failed_login_attempts has been reached. Only a successful
765 online authentication can enable offline authentication again.
766
767 Default: 5
768
769 pam_verbosity (integer)
770 Controls what kind of messages are shown to the user during
771 authentication. The higher the number to more messages are
772 displayed.
773
774 Currently sssd supports the following values:
775
776 0: do not show any message
777
778 1: show only important messages
779
780 2: show informational messages
781
782 3: show all messages and debug information
783
784 Default: 1
785
786 pam_response_filter (string)
787 A comma separated list of strings which allows to remove (filter)
788 data sent by the PAM responder to pam_sss PAM module. There are
789 different kind of responses sent to pam_sss e.g. messages displayed
790 to the user or environment variables which should be set by
791 pam_sss.
792
793 While messages already can be controlled with the help of the
794 pam_verbosity option this option allows to filter out other kind of
795 responses as well.
796
797 Currently the following filters are supported:
798
799 ENV
800 Do not send any environment variables to any service.
801
802 ENV:var_name
803 Do not send environment variable var_name to any service.
804
805 ENV:var_name:service
806 Do not send environment variable var_name to service.
807
808 Default: not set
809
810 Example: ENV:KRB5CCNAME:sudo-i
811
812 pam_id_timeout (integer)
813 For any PAM request while SSSD is online, the SSSD will attempt to
814 immediately update the cached identity information for the user in
815 order to ensure that authentication takes place with the latest
816 information.
817
818 A complete PAM conversation may perform multiple PAM requests, such
819 as account management and session opening. This option controls (on
820 a per-client-application basis) how long (in seconds) we can cache
821 the identity information to avoid excessive round-trips to the
822 identity provider.
823
824 Default: 5
825
826 pam_pwd_expiration_warning (integer)
827 Display a warning N days before the password expires.
828
829 Please note that the backend server has to provide information
830 about the expiration time of the password. If this information is
831 missing, sssd cannot display a warning.
832
833 If zero is set, then this filter is not applied, i.e. if the
834 expiration warning was received from backend server, it will
835 automatically be displayed.
836
837 This setting can be overridden by setting pwd_expiration_warning
838 for a particular domain.
839
840 Default: 0
841
842 get_domains_timeout (int)
843 Specifies time in seconds for which the list of subdomains will be
844 considered valid.
845
846 Default: 60
847
848 pam_trusted_users (string)
849 Specifies the comma-separated list of UID values or user names that
850 are allowed to run PAM conversations against trusted domains. Users
851 not included in this list can only access domains marked as public
852 with “pam_public_domains”. User names are resolved to UIDs at
853 startup.
854
855 Default: All users are considered trusted by default
856
857 Please note that UID 0 is always allowed to access the PAM
858 responder even in case it is not in the pam_trusted_users list.
859
860 pam_public_domains (string)
861 Specifies the comma-separated list of domain names that are
862 accessible even to untrusted users.
863
864 Two special values for pam_public_domains option are defined:
865
866 all (Untrusted users are allowed to access all domains in PAM
867 responder.)
868
869 none (Untrusted users are not allowed to access any domains PAM in
870 responder.)
871
872 Default: none
873
874 pam_account_expired_message (string)
875 Allows a custom expiration message to be set, replacing the default
876 'Permission denied' message.
877
878 Note: Please be aware that message is only printed for the SSH
879 service unless pam_verbosity is set to 3 (show all messages and
880 debug information).
881
882 example:
883
884 pam_account_expired_message = Account expired, please contact help desk.
885
886
887 Default: none
888
889 pam_account_locked_message (string)
890 Allows a custom lockout message to be set, replacing the default
891 'Permission denied' message.
892
893 example:
894
895 pam_account_locked_message = Account locked, please contact help desk.
896
897
898 Default: none
899
900 pam_cert_auth (bool)
901 Enable certificate based Smartcard authentication. Since this
902 requires additional communication with the Smartcard which will
903 delay the authentication process this option is disabled by
904 default.
905
906 Default: False
907
908 pam_cert_db_path (string)
909 The path to the certificate database.
910
911 Default:
912
913 · /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
914 CA certificates in PEM format)
915
916
917 p11_child_timeout (integer)
918 How many seconds will pam_sss wait for p11_child to finish.
919
920 Default: 10
921
922 pam_app_services (string)
923 Which PAM services are permitted to contact domains of type
924 “application”
925
926 Default: Not set
927
928 pam_p11_allowed_services (integer)
929 A comma-separated list of PAM service names for which it will be
930 allowed to use Smartcards.
931
932 It is possible to add another PAM service name to the default set
933 by using “+service_name” or to explicitly remove a PAM service name
934 from the default set by using “-service_name”. For example, in
935 order to replace a default PAM service name for authentication with
936 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
937 “my_pam_service”), you would use the following configuration:
938
939 pam_p11_allowed_services = +my_pam_service, -login
940
941
942 Default: the default set of PAM service names includes:
943
944 · login
945
946 · su
947
948 · su-l
949
950 · gdm-smartcard
951
952 · gdm-password
953
954 · kdm
955
956 · sudo
957
958 · sudo-i
959
960 · gnome-screensaver
961
962
963 p11_wait_for_card_timeout (integer)
964 If Smartcard authentication is required how many extra seconds in
965 addition to p11_child_timeout should the PAM responder wait until a
966 Smartcard is inserted.
967
968 Default: 60
969
970 p11_uri (string)
971 PKCS#11 URI (see RFC-7512 for details) which can be used to
972 restrict the selection of devices used for Smartcard
973 authentication. By default SSSD's p11_child will search for a
974 PKCS#11 slot (reader) where the 'removable' flags is set and read
975 the certificates from the inserted token from the first slot found.
976 If multiple readers are connected p11_uri can be used to tell
977 p11_child to use a specific reader.
978
979 Example:
980
981 p11_uri = slot-description=My%20Smartcard%20Reader
982
983
984 or
985
986 p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
987
988
989 To find suitable URI please check the debug output of p11_child. As
990 an alternative the GnuTLS utility 'p11tool' with e.g. the
991 '--list-all' will show PKCS#11 URIs as well.
992
993 Default: none
994
995 pam_initgroups_scheme
996 The PAM responder can force an online lookup to get the current
997 group memberships of the user trying to log in. This option
998 controls when this should be done and the following values are
999 allowed:
1000
1001 always
1002 Always do an online lookup, please note that pam_id_timeout
1003 still applies
1004
1005 no_session
1006 Only do an online lookup if there is no active session of the
1007 user, i.e. if the user is currently not logged in
1008
1009 never
1010 Never force an online lookup, use the data from the cache as
1011 long as they are not expired
1012
1013 Default: no_session
1014
1015 pam_gssapi_services
1016 Comma separated list of PAM services that are allowed to try GSSAPI
1017 authentication using pam_sss_gss.so module.
1018
1019 To disable GSSAPI authentication, set this option to “-” (dash).
1020
1021 Note: This option can also be set per-domain which overwrites the
1022 value in [pam] section. It can also be set for trusted domain which
1023 overwrites the value in the domain section.
1024
1025 Example:
1026
1027 pam_gssapi_services = sudo, sudo-i
1028
1029
1030 Default: - (GSSAPI authentication is disabled)
1031
1032 pam_gssapi_check_upn
1033 If True, SSSD will require that the Kerberos user principal that
1034 successfully authenticated through GSSAPI can be associated with
1035 the user who is being authenticated. Authentication will fail if
1036 the check fails.
1037
1038 If False, every user that is able to obtained required service
1039 ticket will be authenticated.
1040
1041 Note: This option can also be set per-domain which overwrites the
1042 value in [pam] section. It can also be set for trusted domain which
1043 overwrites the value in the domain section.
1044
1045 Default: True
1046
1047 pam_gssapi_indicators_map
1048 Comma separated list of authentication indicators required to be
1049 present in a Kerberos ticket to access a PAM service that is
1050 allowed to try GSSAPI authentication using pam_sss_gss.so module.
1051
1052 Each element of the list can be either an authentication indicator
1053 name or a pair “service:indicator”. Indicators not prefixed with
1054 the PAM service name will be required to access any PAM service
1055 configured to be used with pam_gssapi_services. A resulting list of
1056 indicators per PAM service is then checked against indicators in
1057 the Kerberos ticket during authentication by pam_sss_gss.so. Any
1058 indicator from the ticket that matches the resulting list of
1059 indicators for the PAM service would grant access. If none of the
1060 indicators in the list match, access will be denied. If the
1061 resulting list of indicators for the PAM service is empty, the
1062 check will not prevent the access.
1063
1064 To disable GSSAPI authentication indicator check, set this option
1065 to “-” (dash). To disable the check for a specific PAM service, add
1066 “service:-”.
1067
1068 Note: This option can also be set per-domain which overwrites the
1069 value in [pam] section. It can also be set for trusted domain which
1070 overwrites the value in the domain section.
1071
1072 Following authentication indicators are supported by IPA Kerberos
1073 deployments:
1074
1075 · pkinit -- pre-authentication using X.509 certificates --
1076 whether stored in files or on smart cards.
1077
1078 · hardened -- SPAKE pre-authentication or any pre-authentication
1079 wrapped in a FAST channel.
1080
1081 · radius -- pre-authentication with the help of a RADIUS server.
1082
1083 · otp -- pre-authentication using integrated two-factor
1084 authentication (2FA or one-time password, OTP) in IPA.
1085
1086 Example: to require access to SUDO services only for users which
1087 obtained their Kerberos tickets with a X.509 certificate
1088 pre-authentication (PKINIT), set
1089
1090 pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1091
1092
1093 Default: not set (use of authentication indicators is not required)
1094
1095 SUDO configuration options
1096 These options can be used to configure the sudo service. The detailed
1097 instructions for configuration of sudo(8) to work with sssd(8) are in
1098 the manual page sssd-sudo(5).
1099
1100 sudo_timed (bool)
1101 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1102 attributes that implement time-dependent sudoers entries.
1103
1104 Default: false
1105
1106 sudo_threshold (integer)
1107 Maximum number of expired rules that can be refreshed at once. If
1108 number of expired rules is below threshold, those rules are
1109 refreshed with “rules refresh” mechanism. If the threshold is
1110 exceeded a “full refresh” of sudo rules is triggered instead. This
1111 threshold number also applies to IPA sudo command and command group
1112 searches.
1113
1114 Default: 50
1115
1116 AUTOFS configuration options
1117 These options can be used to configure the autofs service.
1118
1119 autofs_negative_timeout (integer)
1120 Specifies for how many seconds should the autofs responder negative
1121 cache hits (that is, queries for invalid map entries, like
1122 nonexistent ones) before asking the back end again.
1123
1124 Default: 15
1125
1126 Please note that the automounter only reads the master map on startup,
1127 so if any autofs-related changes are made to the sssd.conf, you
1128 typically also need to restart the automounter daemon after restarting
1129 the SSSD.
1130
1131 SSH configuration options
1132 These options can be used to configure the SSH service.
1133
1134 ssh_hash_known_hosts (bool)
1135 Whether or not to hash host names and addresses in the managed
1136 known_hosts file.
1137
1138 Default: true
1139
1140 ssh_known_hosts_timeout (integer)
1141 How many seconds to keep a host in the managed known_hosts file
1142 after its host keys were requested.
1143
1144 Default: 180
1145
1146 ssh_use_certificate_keys (bool)
1147 If set to true the sss_ssh_authorizedkeys will return ssh keys
1148 derived from the public key of X.509 certificates stored in the
1149 user entry as well. See sss_ssh_authorizedkeys(1) for details.
1150
1151 Default: true
1152
1153 ssh_use_certificate_matching_rules (string)
1154 By default the ssh responder will use all available certificate
1155 matching rules to filter the certificates so that ssh keys are only
1156 derived from the matching ones. With this option the used rules can
1157 be restricted with a comma separated list of mapping and matching
1158 rule names. All other rules will be ignored.
1159
1160 There are two special key words 'all_rules' and 'no_rules' which
1161 will enable all or no rules, respectively. The latter means that no
1162 certificates will be filtered out and ssh keys will be generated
1163 from all valid certificates.
1164
1165 If no rules are configured using 'all_rules' will enable a default
1166 rule which enables all certificates suitable for client
1167 authentication. This is the same behavior as for the PAM responder
1168 if certificate authentication is enabled.
1169
1170 A non-existing rule name is considered an error. If as a result no
1171 rule is selected all certificates will be ignored.
1172
1173 Default: not set, equivalent to 'all_rules', all found rules or the
1174 default rule are used
1175
1176 ca_db (string)
1177 Path to a storage of trusted CA certificates. The option is used to
1178 validate user certificates before deriving public ssh keys from
1179 them.
1180
1181 Default:
1182
1183 · /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1184 CA certificates in PEM format)
1185
1186
1187 PAC responder configuration options
1188 The PAC responder works together with the authorization data plugin for
1189 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1190 sends the PAC data during a GSSAPI authentication to the PAC responder.
1191 The sub-domain provider collects domain SID and ID ranges of the domain
1192 the client is joined to and of remote trusted domains from the local
1193 domain controller. If the PAC is decoded and evaluated some of the
1194 following operations are done:
1195
1196 · If the remote user does not exist in the cache, it is created. The
1197 UID is determined with the help of the SID, trusted domains will
1198 have UPGs and the GID will have the same value as the UID. The home
1199 directory is set based on the subdomain_homedir parameter. The
1200 shell will be empty by default, i.e. the system defaults are used,
1201 but can be overwritten with the default_shell parameter.
1202
1203 · If there are SIDs of groups from domains sssd knows about, the user
1204 will be added to those groups.
1205
1206 These options can be used to configure the PAC responder.
1207
1208 allowed_uids (string)
1209 Specifies the comma-separated list of UID values or user names that
1210 are allowed to access the PAC responder. User names are resolved to
1211 UIDs at startup.
1212
1213 Default: 0 (only the root user is allowed to access the PAC
1214 responder)
1215
1216 Please note that although the UID 0 is used as the default it will
1217 be overwritten with this option. If you still want to allow the
1218 root user to access the PAC responder, which would be the typical
1219 case, you have to add 0 to the list of allowed UIDs as well.
1220
1221 pac_lifetime (integer)
1222 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1223 the PAC data can be used to determine the group memberships of a
1224 user.
1225
1226 Default: 300
1227
1228 Session recording configuration options
1229 Session recording works in conjunction with tlog-rec-session(8), a part
1230 of tlog package, to log what users see and type when they log in on a
1231 text terminal. See also sssd-session-recording(5).
1232
1233 These options can be used to configure session recording.
1234
1235 scope (string)
1236 One of the following strings specifying the scope of session
1237 recording:
1238
1239 "none"
1240 No users are recorded.
1241
1242 "some"
1243 Users/groups specified by users and groups options are
1244 recorded.
1245
1246 "all"
1247 All users are recorded.
1248
1249 Default: "none"
1250
1251 users (string)
1252 A comma-separated list of users which should have session recording
1253 enabled. Matches user names as returned by NSS. I.e. after the
1254 possible space replacement, case changes, etc.
1255
1256 Default: Empty. Matches no users.
1257
1258 groups (string)
1259 A comma-separated list of groups, members of which should have
1260 session recording enabled. Matches group names as returned by NSS.
1261 I.e. after the possible space replacement, case changes, etc.
1262
1263 NOTE: using this option (having it set to anything) has a
1264 considerable performance cost, because each uncached request for a
1265 user requires retrieving and matching the groups the user is member
1266 of.
1267
1268 Default: Empty. Matches no groups.
1269
1270 exclude_users (string)
1271 A comma-separated list of users to be excluded from recording, only
1272 applicable with 'scope=all'.
1273
1274 Default: Empty. No users excluded.
1275
1276 exclude_groups (string)
1277 A comma-separated list of groups, members of which should be
1278 excluded from recording. Only applicable with 'scope=all'.
1279
1280 NOTE: using this option (having it set to anything) has a
1281 considerable performance cost, because each uncached request for a
1282 user requires retrieving and matching the groups the user is member
1283 of.
1284
1285 Default: Empty. No groups excluded.
1286
1288 These configuration options can be present in a domain configuration
1289 section, that is, in a section called “[domain/NAME]”
1290
1291 enabled
1292 Explicitly enable or disable the domain. If “true”, the domain is
1293 always “enabled”. If “false”, the domain is always “disabled”. If
1294 this option is not set, the domain is enabled only if it is listed
1295 in the domains option in the “[sssd]” section.
1296
1297 domain_type (string)
1298 Specifies whether the domain is meant to be used by POSIX-aware
1299 clients such as the Name Service Switch or by applications that do
1300 not need POSIX data to be present or generated. Only objects from
1301 POSIX domains are available to the operating system interfaces and
1302 utilities.
1303
1304 Allowed values for this option are “posix” and “application”.
1305
1306 POSIX domains are reachable by all services. Application domains
1307 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1308 and the PAM responder.
1309
1310 NOTE: The application domains are currently well tested with
1311 “id_provider=ldap” only.
1312
1313 For an easy way to configure a non-POSIX domains, please see the
1314 “Application domains” section.
1315
1316 Default: posix
1317
1318 min_id,max_id (integer)
1319 UID and GID limits for the domain. If a domain contains an entry
1320 that is outside these limits, it is ignored.
1321
1322 For users, this affects the primary GID limit. The user will not be
1323 returned to NSS if either the UID or the primary GID is outside the
1324 range. For non-primary group memberships, those that are in range
1325 will be reported as expected.
1326
1327 These ID limits affect even saving entries to cache, not only
1328 returning them by name or ID.
1329
1330 Default: 1 for min_id, 0 (no limit) for max_id
1331
1332 enumerate (bool)
1333 Determines if a domain can be enumerated, that is, whether the
1334 domain can list all the users and group it contains. Note that it
1335 is not required to enable enumeration in order for secondary groups
1336 to be displayed. This parameter can have one of the following
1337 values:
1338
1339 TRUE = Users and groups are enumerated
1340
1341 FALSE = No enumerations for this domain
1342
1343 Default: FALSE
1344
1345 Enumerating a domain requires SSSD to download and store ALL user
1346 and group entries from the remote server.
1347
1348 Note: Enabling enumeration has a moderate performance impact on
1349 SSSD while enumeration is running. It may take up to several
1350 minutes after SSSD startup to fully complete enumerations. During
1351 this time, individual requests for information will go directly to
1352 LDAP, though it may be slow, due to the heavy enumeration
1353 processing. Saving a large number of entries to cache after the
1354 enumeration completes might also be CPU intensive as the
1355 memberships have to be recomputed. This can lead to the “sssd_be”
1356 process becoming unresponsive or even restarted by the internal
1357 watchdog.
1358
1359 While the first enumeration is running, requests for the complete
1360 user or group lists may return no results until it completes.
1361
1362 Further, enabling enumeration may increase the time necessary to
1363 detect network disconnection, as longer timeouts are required to
1364 ensure that enumeration lookups are completed successfully. For
1365 more information, refer to the man pages for the specific
1366 id_provider in use.
1367
1368 For the reasons cited above, enabling enumeration is not
1369 recommended, especially in large environments.
1370
1371 subdomain_enumerate (string)
1372 Whether any of autodetected trusted domains should be enumerated.
1373 The supported values are:
1374
1375 all
1376 All discovered trusted domains will be enumerated
1377
1378 none
1379 No discovered trusted domains will be enumerated
1380
1381 Optionally, a list of one or more domain names can enable
1382 enumeration just for these trusted domains.
1383
1384 Default: none
1385
1386 entry_cache_timeout (integer)
1387 How many seconds should nss_sss consider entries valid before
1388 asking the backend again
1389
1390 The cache expiration timestamps are stored as attributes of
1391 individual objects in the cache. Therefore, changing the cache
1392 timeout only has effect for newly added or expired entries. You
1393 should run the sss_cache(8) tool in order to force refresh of
1394 entries that have already been cached.
1395
1396 Default: 5400
1397
1398 entry_cache_user_timeout (integer)
1399 How many seconds should nss_sss consider user entries valid before
1400 asking the backend again
1401
1402 Default: entry_cache_timeout
1403
1404 entry_cache_group_timeout (integer)
1405 How many seconds should nss_sss consider group entries valid before
1406 asking the backend again
1407
1408 Default: entry_cache_timeout
1409
1410 entry_cache_netgroup_timeout (integer)
1411 How many seconds should nss_sss consider netgroup entries valid
1412 before asking the backend again
1413
1414 Default: entry_cache_timeout
1415
1416 entry_cache_service_timeout (integer)
1417 How many seconds should nss_sss consider service entries valid
1418 before asking the backend again
1419
1420 Default: entry_cache_timeout
1421
1422 entry_cache_resolver_timeout (integer)
1423 How many seconds should nss_sss consider hosts and networks entries
1424 valid before asking the backend again
1425
1426 Default: entry_cache_timeout
1427
1428 entry_cache_sudo_timeout (integer)
1429 How many seconds should sudo consider rules valid before asking the
1430 backend again
1431
1432 Default: entry_cache_timeout
1433
1434 entry_cache_autofs_timeout (integer)
1435 How many seconds should the autofs service consider automounter
1436 maps valid before asking the backend again
1437
1438 Default: entry_cache_timeout
1439
1440 entry_cache_ssh_host_timeout (integer)
1441 How many seconds to keep a host ssh key after refresh. IE how long
1442 to cache the host key for.
1443
1444 Default: entry_cache_timeout
1445
1446 entry_cache_computer_timeout (integer)
1447 How many seconds to keep the local computer entry before asking the
1448 backend again
1449
1450 Default: entry_cache_timeout
1451
1452 refresh_expired_interval (integer)
1453 Specifies how many seconds SSSD has to wait before triggering a
1454 background refresh task which will refresh all expired or nearly
1455 expired records.
1456
1457 The background refresh will process users, groups and netgroups in
1458 the cache. For users who have performed the initgroups (get group
1459 membership for user, typically ran at login) operation in the past,
1460 both the user entry and the group membership are updated.
1461
1462 This option is automatically inherited for all trusted domains.
1463
1464 You can consider setting this value to 3/4 * entry_cache_timeout.
1465
1466 Cache entry will be refreshed by background task when 2/3 of cache
1467 timeout has already passed. If there are existing cached entries,
1468 the background task will refer to their original cache timeout
1469 values instead of current configuration value. This may lead to a
1470 situation in which background refresh task appears to not be
1471 working. This is done by design to improve offline mode operation
1472 and reuse of existing valid cache entries. To make this change
1473 instant the user may want to manually invalidate existing cache.
1474
1475 Default: 0 (disabled)
1476
1477 cache_credentials (bool)
1478 Determines if user credentials are also cached in the local LDB
1479 cache
1480
1481 User credentials are stored in a SHA512 hash, not in plaintext
1482
1483 Default: FALSE
1484
1485 cache_credentials_minimal_first_factor_length (int)
1486 If 2-Factor-Authentication (2FA) is used and credentials should be
1487 saved this value determines the minimal length the first
1488 authentication factor (long term password) must have to be saved as
1489 SHA512 hash into the cache.
1490
1491 This should avoid that the short PINs of a PIN based 2FA scheme are
1492 saved in the cache which would make them easy targets for
1493 brute-force attacks.
1494
1495 Default: 8
1496
1497 account_cache_expiration (integer)
1498 Number of days entries are left in cache after last successful
1499 login before being removed during a cleanup of the cache. 0 means
1500 keep forever. The value of this parameter must be greater than or
1501 equal to offline_credentials_expiration.
1502
1503 Default: 0 (unlimited)
1504
1505 pwd_expiration_warning (integer)
1506 Display a warning N days before the password expires.
1507
1508 If zero is set, then this filter is not applied, i.e. if the
1509 expiration warning was received from backend server, it will
1510 automatically be displayed.
1511
1512 Please note that the backend server has to provide information
1513 about the expiration time of the password. If this information is
1514 missing, sssd cannot display a warning. Also an auth provider has
1515 to be configured for the backend.
1516
1517 Default: 7 (Kerberos), 0 (LDAP)
1518
1519 id_provider (string)
1520 The identification provider used for the domain. Supported ID
1521 providers are:
1522
1523 “proxy”: Support a legacy NSS provider.
1524
1525 “files”: FILES provider. See sssd-files(5) for more information on
1526 how to mirror local users and groups into SSSD.
1527
1528 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1529 configuring LDAP.
1530
1531 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1532 See sssd-ipa(5) for more information on configuring FreeIPA.
1533
1534 “ad”: Active Directory provider. See sssd-ad(5) for more
1535 information on configuring Active Directory.
1536
1537 use_fully_qualified_names (bool)
1538 Use the full name and domain (as formatted by the domain's
1539 full_name_format) as the user's login name reported to NSS.
1540
1541 If set to TRUE, all requests to this domain must use fully
1542 qualified names. For example, if used in LOCAL domain that contains
1543 a "test" user, getent passwd test wouldn't find the user while
1544 getent passwd test@LOCAL would.
1545
1546 NOTE: This option has no effect on netgroup lookups due to their
1547 tendency to include nested netgroups without qualified names. For
1548 netgroups, all domains will be searched when an unqualified name is
1549 requested.
1550
1551 Default: FALSE (TRUE for trusted domain/sub-domains or if
1552 default_domain_suffix is used)
1553
1554 ignore_group_members (bool)
1555 Do not return group members for group lookups.
1556
1557 If set to TRUE, the group membership attribute is not requested
1558 from the ldap server, and group members are not returned when
1559 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1560 As an effect, “getent group $groupname” would return the requested
1561 group as if it was empty.
1562
1563 Enabling this option can also make access provider checks for group
1564 membership significantly faster, especially for groups containing
1565 many members.
1566
1567 Default: FALSE
1568
1569 auth_provider (string)
1570 The authentication provider used for the domain. Supported auth
1571 providers are:
1572
1573 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1574 information on configuring LDAP.
1575
1576 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1577 information on configuring Kerberos.
1578
1579 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1580 See sssd-ipa(5) for more information on configuring FreeIPA.
1581
1582 “ad”: Active Directory provider. See sssd-ad(5) for more
1583 information on configuring Active Directory.
1584
1585 “proxy” for relaying authentication to some other PAM target.
1586
1587 “none” disables authentication explicitly.
1588
1589 Default: “id_provider” is used if it is set and can handle
1590 authentication requests.
1591
1592 access_provider (string)
1593 The access control provider used for the domain. There are two
1594 built-in access providers (in addition to any included in installed
1595 backends) Internal special providers are:
1596
1597 “permit” always allow access. It's the only permitted access
1598 provider for a local domain.
1599
1600 “deny” always deny access.
1601
1602 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1603 information on configuring LDAP.
1604
1605 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1606 See sssd-ipa(5) for more information on configuring FreeIPA.
1607
1608 “ad”: Active Directory provider. See sssd-ad(5) for more
1609 information on configuring Active Directory.
1610
1611 “simple” access control based on access or deny lists. See sssd-
1612 simple(5) for more information on configuring the simple access
1613 module.
1614
1615 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1616 information on configuring Kerberos.
1617
1618 “proxy” for relaying access control to another PAM module.
1619
1620 Default: “permit”
1621
1622 chpass_provider (string)
1623 The provider which should handle change password operations for the
1624 domain. Supported change password providers are:
1625
1626 “ldap” to change a password stored in a LDAP server. See sssd-
1627 ldap(5) for more information on configuring LDAP.
1628
1629 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1630 information on configuring Kerberos.
1631
1632 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1633 See sssd-ipa(5) for more information on configuring FreeIPA.
1634
1635 “ad”: Active Directory provider. See sssd-ad(5) for more
1636 information on configuring Active Directory.
1637
1638 “proxy” for relaying password changes to some other PAM target.
1639
1640 “none” disallows password changes explicitly.
1641
1642 Default: “auth_provider” is used if it is set and can handle change
1643 password requests.
1644
1645 sudo_provider (string)
1646 The SUDO provider used for the domain. Supported SUDO providers
1647 are:
1648
1649 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1650 information on configuring LDAP.
1651
1652 “ipa” the same as “ldap” but with IPA default settings.
1653
1654 “ad” the same as “ldap” but with AD default settings.
1655
1656 “none” disables SUDO explicitly.
1657
1658 Default: The value of “id_provider” is used if it is set.
1659
1660 The detailed instructions for configuration of sudo_provider are in
1661 the manual page sssd-sudo(5). There are many configuration options
1662 that can be used to adjust the behavior. Please refer to
1663 "ldap_sudo_*" in sssd-ldap(5).
1664
1665 NOTE: Sudo rules are periodically downloaded in the background
1666 unless the sudo provider is explicitly disabled. Set sudo_provider
1667 = None to disable all sudo-related activity in SSSD if you do not
1668 want to use sudo with SSSD at all.
1669
1670 selinux_provider (string)
1671 The provider which should handle loading of selinux settings. Note
1672 that this provider will be called right after access provider ends.
1673 Supported selinux providers are:
1674
1675 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1676 for more information on configuring IPA.
1677
1678 “none” disallows fetching selinux settings explicitly.
1679
1680 Default: “id_provider” is used if it is set and can handle selinux
1681 loading requests.
1682
1683 subdomains_provider (string)
1684 The provider which should handle fetching of subdomains. This value
1685 should be always the same as id_provider. Supported subdomain
1686 providers are:
1687
1688 “ipa” to load a list of subdomains from an IPA server. See sssd-
1689 ipa(5) for more information on configuring IPA.
1690
1691 “ad” to load a list of subdomains from an Active Directory server.
1692 See sssd-ad(5) for more information on configuring the AD provider.
1693
1694 “none” disallows fetching subdomains explicitly.
1695
1696 Default: The value of “id_provider” is used if it is set.
1697
1698 session_provider (string)
1699 The provider which configures and manages user session related
1700 tasks. The only user session task currently provided is the
1701 integration with Fleet Commander, which works only with IPA.
1702 Supported session providers are:
1703
1704 “ipa” to allow performing user session related tasks.
1705
1706 “none” does not perform any kind of user session related tasks.
1707
1708 Default: “id_provider” is used if it is set and can perform session
1709 related tasks.
1710
1711 NOTE: In order to have this feature working as expected SSSD must
1712 be running as "root" and not as the unprivileged user.
1713
1714 autofs_provider (string)
1715 The autofs provider used for the domain. Supported autofs providers
1716 are:
1717
1718 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1719 information on configuring LDAP.
1720
1721 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1722 more information on configuring IPA.
1723
1724 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1725 information on configuring the AD provider.
1726
1727 “none” disables autofs explicitly.
1728
1729 Default: The value of “id_provider” is used if it is set.
1730
1731 hostid_provider (string)
1732 The provider used for retrieving host identity information.
1733 Supported hostid providers are:
1734
1735 “ipa” to load host identity stored in an IPA server. See sssd-
1736 ipa(5) for more information on configuring IPA.
1737
1738 “none” disables hostid explicitly.
1739
1740 Default: The value of “id_provider” is used if it is set.
1741
1742 resolver_provider (string)
1743 The provider which should handle hosts and networks lookups.
1744 Supported resolver providers are:
1745
1746 “proxy” to forward lookups to another NSS library. See
1747 “proxy_resolver_lib_name”
1748
1749 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1750 for more information on configuring LDAP.
1751
1752 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1753 more information on configuring the AD provider.
1754
1755 “none” disallows fetching hosts and networks explicitly.
1756
1757 Default: The value of “id_provider” is used if it is set.
1758
1759 re_expression (string)
1760 Regular expression for this domain that describes how to parse the
1761 string containing user name and domain into these components. The
1762 "domain" can match either the SSSD configuration domain name, or,
1763 in the case of IPA trust subdomains and Active Directory domains,
1764 the flat (NetBIOS) name of the domain.
1765
1766 Default for the AD and IPA provider:
1767 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1768 which allows three different styles for user names:
1769
1770 · username
1771
1772 · username@domain.name
1773
1774 · domain\username
1775
1776 While the first two correspond to the general default the third one
1777 is introduced to allow easy integration of users from Windows
1778 domains.
1779
1780 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1781 "the name is everything up to the “@” sign, the domain everything
1782 after that"
1783
1784 NOTE: Some Active Directory groups, typically those used for MS
1785 Exchange contain an “@” sign in the name, which clashes with the
1786 default re_expression value for the AD and IPA providers. To
1787 support these groups, consider changing the re_expression value to:
1788 “((?P<name>.+)@(?P<domain>[^@]+$))”.
1789
1790 full_name_format (string)
1791 A printf(3)-compatible format that describes how to compose a fully
1792 qualified name from user name and domain name components.
1793
1794 The following expansions are supported:
1795
1796 %1$s
1797 user name
1798
1799 %2$s
1800 domain name as specified in the SSSD config file.
1801
1802 %3$s
1803 domain flat name. Mostly usable for Active Directory domains,
1804 both directly configured or discovered via IPA trusts.
1805
1806 Default: “%1$s@%2$s”.
1807
1808 lookup_family_order (string)
1809 Provides the ability to select preferred address family to use when
1810 performing DNS lookups.
1811
1812 Supported values:
1813
1814 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1815
1816 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1817
1818 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1819
1820 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1821
1822 Default: ipv4_first
1823
1824 dns_resolver_timeout (integer)
1825 Defines the amount of time (in seconds) to wait for a reply from
1826 the internal fail over service before assuming that the service is
1827 unreachable. If this timeout is reached, the domain will continue
1828 to operate in offline mode.
1829
1830 Please see the section “FAILOVER” for more information about the
1831 service resolution.
1832
1833 Default: 6
1834
1835 dns_discovery_domain (string)
1836 If service discovery is used in the back end, specifies the domain
1837 part of the service discovery DNS query.
1838
1839 Default: Use the domain part of machine's hostname
1840
1841 override_gid (integer)
1842 Override the primary GID value with the one specified.
1843
1844 case_sensitive (string)
1845 Treat user and group names as case sensitive. Possible option
1846 values are:
1847
1848 True
1849 Case sensitive. This value is invalid for AD provider.
1850
1851 False
1852 Case insensitive.
1853
1854 Preserving
1855 Same as False (case insensitive), but does not lowercase names
1856 in the result of NSS operations. Note that name aliases (and in
1857 case of services also protocol names) are still lowercased in
1858 the output.
1859
1860 If you want to set this value for trusted domain with IPA
1861 provider, you need to set it on both the client and SSSD on the
1862 server.
1863
1864 This option can be also set per subdomain or inherited via
1865 subdomain_inherit.
1866
1867 Default: True (False for AD provider)
1868
1869 subdomain_inherit (string)
1870 Specifies a list of configuration parameters that should be
1871 inherited by a subdomain. Please note that only selected parameters
1872 can be inherited. Currently the following options can be inherited:
1873
1874 ignore_group_members
1875
1876 ldap_purge_cache_timeout
1877
1878 ldap_use_tokengroups
1879
1880 ldap_user_principal
1881
1882 ldap_krb5_keytab (the value of krb5_keytab will be used if
1883 ldap_krb5_keytab is not set explicitly)
1884
1885 auto_private_groups
1886
1887 case_sensitive
1888
1889 Example:
1890
1891 subdomain_inherit = ldap_purge_cache_timeout
1892
1893
1894 Default: none
1895
1896 Note: This option only works with the IPA and AD provider.
1897
1898 subdomain_homedir (string)
1899 Use this homedir as default value for all subdomains within this
1900 domain in IPA AD trust. See override_homedir for info about
1901 possible values. In addition to those, the expansion below can only
1902 be used with subdomain_homedir.
1903
1904 %F
1905 flat (NetBIOS) name of a subdomain.
1906
1907 The value can be overridden by override_homedir option.
1908
1909 Default: /home/%d/%u
1910
1911 realmd_tags (string)
1912 Various tags stored by the realmd configuration service for this
1913 domain.
1914
1915 cached_auth_timeout (int)
1916 Specifies time in seconds since last successful online
1917 authentication for which user will be authenticated using cached
1918 credentials while SSSD is in the online mode. If the credentials
1919 are incorrect, SSSD falls back to online authentication.
1920
1921 This option's value is inherited by all trusted domains. At the
1922 moment it is not possible to set a different value per trusted
1923 domain.
1924
1925 Special value 0 implies that this feature is disabled.
1926
1927 Please note that if “cached_auth_timeout” is longer than
1928 “pam_id_timeout” then the back end could be called to handle
1929 “initgroups.”
1930
1931 Default: 0
1932
1933 auto_private_groups (string)
1934 This option takes any of three available values:
1935
1936 true
1937 Create user's private group unconditionally from user's UID
1938 number. The GID number is ignored in this case.
1939
1940 NOTE: Because the GID number and the user private group are
1941 inferred from the UID number, it is not supported to have
1942 multiple entries with the same UID or GID number with this
1943 option. In other words, enabling this option enforces
1944 uniqueness across the ID space.
1945
1946 false
1947 Always use the user's primary GID number. The GID number must
1948 refer to a group object in the LDAP database.
1949
1950 hybrid
1951 A primary group is autogenerated for user entries whose UID and
1952 GID numbers have the same value and at the same time the GID
1953 number does not correspond to a real group object in LDAP. If
1954 the values are the same, but the primary GID in the user entry
1955 is also used by a group object, the primary GID of the user
1956 resolves to that group object.
1957
1958 If the UID and GID of a user are different, then the GID must
1959 correspond to a group entry, otherwise the GID is simply not
1960 resolvable.
1961
1962 This feature is useful for environments that wish to stop
1963 maintaining a separate group objects for the user private
1964 groups, but also wish to retain the existing user private
1965 groups.
1966
1967 For subdomains, the default value is False for subdomains that use
1968 assigned POSIX IDs and True for subdomains that use automatic
1969 ID-mapping.
1970
1971 The value of auto_private_groups can either be set per subdomains
1972 in a subsection, for example:
1973
1974 [domain/forest.domain/sub.domain]
1975 auto_private_groups = false
1976
1977 or globally for all subdomains in the main domain section using the
1978 subdomain_inherit option:
1979
1980 [domain/forest.domain]
1981 subdomain_inherit = auto_private_groups
1982 auto_private_groups = false
1983
1984
1985 Options valid for proxy domains.
1986
1987 proxy_pam_target (string)
1988 The proxy target PAM proxies to.
1989
1990 Default: not set by default, you have to take an existing pam
1991 configuration or create a new one and add the service name here.
1992
1993 proxy_lib_name (string)
1994 The name of the NSS library to use in proxy domains. The NSS
1995 functions searched for in the library are in the form of
1996 _nss_$(libName)_$(function), for example _nss_files_getpwent.
1997
1998 proxy_resolver_lib_name (string)
1999 The name of the NSS library to use for hosts and networks lookups
2000 in proxy domains. The NSS functions searched for in the library are
2001 in the form of _nss_$(libName)_$(function), for example
2002 _nss_dns_gethostbyname2_r.
2003
2004 proxy_fast_alias (boolean)
2005 When a user or group is looked up by name in the proxy provider, a
2006 second lookup by ID is performed to "canonicalize" the name in case
2007 the requested name was an alias. Setting this option to true would
2008 cause the SSSD to perform the ID lookup from cache for performance
2009 reasons.
2010
2011 Default: false
2012
2013 proxy_max_children (integer)
2014 This option specifies the number of pre-forked proxy children. It
2015 is useful for high-load SSSD environments where sssd may run out of
2016 available child slots, which would cause some issues due to the
2017 requests being queued.
2018
2019 Default: 10
2020
2021 Application domains
2022 SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
2023 applications as a gateway to an LDAP directory where users and groups
2024 are stored. However, contrary to the traditional SSSD deployment where
2025 all users and groups either have POSIX attributes or those attributes
2026 can be inferred from the Windows SIDs, in many cases the users and
2027 groups in the application support scenario have no POSIX attributes.
2028 Instead of setting a “[domain/NAME]” section, the administrator can set
2029 up an “[application/NAME]” section that internally represents a domain
2030 with type “application” optionally inherits settings from a tradition
2031 SSSD domain.
2032
2033 Please note that the application domain must still be explicitly
2034 enabled in the “domains” parameter so that the lookup order between the
2035 application domain and its POSIX sibling domain is set correctly.
2036
2037 Application domain parameters
2038
2039 inherit_from (string)
2040 The SSSD POSIX-type domain the application domain inherits all
2041 settings from. The application domain can moreover add its own
2042 settings to the application settings that augment or override the
2043 “sibling” domain settings.
2044
2045 Default: Not set
2046
2047 The following example illustrates the use of an application domain. In
2048 this setup, the POSIX domain is connected to an LDAP server and is used
2049 by the OS through the NSS responder. In addition, the application
2050 domain also requests the telephoneNumber attribute, stores it as the
2051 phone attribute in the cache and makes the phone attribute reachable
2052 through the D-Bus interface.
2053
2054 [sssd]
2055 domains = appdom, posixdom
2056
2057 [ifp]
2058 user_attributes = +phone
2059
2060 [domain/posixdom]
2061 id_provider = ldap
2062 ldap_uri = ldap://ldap.example.com
2063 ldap_search_base = dc=example,dc=com
2064
2065 [application/appdom]
2066 inherit_from = posixdom
2067 ldap_user_extra_attrs = phone:telephoneNumber
2068
2070 Some options used in the domain section can also be used in the trusted
2071 domain section, that is, in a section called
2072 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”. Where DOMAIN_NAME is the
2073 actual joined-to base domain. Please refer to examples below for
2074 explanation. Currently supported options in the trusted domain section
2075 are:
2076
2077 ldap_search_base,
2078
2079 ldap_user_search_base,
2080
2081 ldap_group_search_base,
2082
2083 ldap_netgroup_search_base,
2084
2085 ldap_service_search_base,
2086
2087 ldap_sasl_mech,
2088
2089 ad_server,
2090
2091 ad_backup_server,
2092
2093 ad_site,
2094
2095 use_fully_qualified_names
2096
2097 pam_gssapi_services
2098
2099 pam_gssapi_check_upn
2100
2101 For more details about these options see their individual description
2102 in the manual page.
2103
2105 To allow authentication with Smartcards and certificates SSSD must be
2106 able to map certificates to users. This can be done by adding the full
2107 certificate to the LDAP object of the user or to a local override.
2108 While using the full certificate is required to use the Smartcard
2109 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2110 details) it might be cumbersome or not even possible to do this for the
2111 general case where local services use PAM for authentication.
2112
2113 To make the mapping more flexible mapping and matching rules were added
2114 to SSSD (see sss-certmap(5) for details).
2115
2116 A mapping and matching rule can be added to the SSSD configuration in a
2117 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2118 In this section the following options are allowed:
2119
2120 matchrule (string)
2121 Only certificates from the Smartcard which matches this rule will
2122 be processed, all others are ignored.
2123
2124 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2125 the Extended Key Usage “clientAuth”
2126
2127 maprule (string)
2128 Defines how the user is found for a given certificate.
2129
2130 Default:
2131
2132 · LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2133 providers like “ldap”, “AD” or “ipa”.
2134
2135 · The RULE_NAME for the “files” provider which tries to find a
2136 user with the same name.
2137
2138
2139 domains (string)
2140 Comma separated list of domain names the rule should be applied. By
2141 default a rule is only valid in the domain configured in sssd.conf.
2142 If the provider supports subdomains this option can be used to add
2143 the rule to subdomains as well.
2144
2145 Default: the configured domain in sssd.conf
2146
2147 priority (integer)
2148 Unsigned integer value defining the priority of the rule. The
2149 higher the number the lower the priority. “0” stands for the
2150 highest priority while “4294967295” is the lowest.
2151
2152 Default: the lowest priority
2153
2154 To make the configuration simple and reduce the amount of configuration
2155 options the “files” provider has some special properties:
2156
2157 · if maprule is not set the RULE_NAME name is assumed to be the name
2158 of the matching user
2159
2160 · if a maprule is used both a single user name or a template like
2161 “{subject_rfc822_name.short_name}” must be in braces like e.g.
2162 “(username)” or “({subject_rfc822_name.short_name})”
2163
2164 · the “domains” option is ignored
2165
2166
2168 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
2169 SSSD's PAM module pam_sss will ask SSSD to figure out which
2170 authentication methods are available for the user trying to log in.
2171 Based on the results pam_sss will prompt the user for appropriate
2172 credentials.
2173
2174 With the growing number of authentication methods and the possibility
2175 that there are multiple ones for a single user the heuristic used by
2176 pam_sss to select the prompting might not be suitable for all use
2177 cases. The following options should provide a better flexibility here.
2178
2179 Each supported authentication method has its own configuration
2180 subsection under “[prompting/...]”. Currently there are:
2181
2182 [prompting/password]
2183 to configure password prompting, allowed options are:
2184
2185 password_prompt
2186 to change the string of the password prompt
2187
2188
2189 [prompting/2fa]
2190 to configure two-factor authentication prompting, allowed options
2191 are:
2192
2193 first_prompt
2194 to change the string of the prompt for the first factor
2195
2196 second_prompt
2197 to change the string of the prompt for the second factor
2198
2199 single_prompt
2200 boolean value, if True there will be only a single prompt using
2201 the value of first_prompt where it is expected that both
2202 factors are entered as a single string
2203
2204
2205 It is possible to add a subsection for specific PAM services, e.g.
2206 “[prompting/password/sshd]” to individual change the prompting for this
2207 service.
2208
2210 1. The following example shows a typical SSSD config. It does not
2211 describe configuration of the domains themselves - refer to
2212 documentation on configuring domains for more details.
2213
2214 [sssd]
2215 domains = LDAP
2216 services = nss, pam
2217 config_file_version = 2
2218
2219 [nss]
2220 filter_groups = root
2221 filter_users = root
2222
2223 [pam]
2224
2225 [domain/LDAP]
2226 id_provider = ldap
2227 ldap_uri = ldap://ldap.example.com
2228 ldap_search_base = dc=example,dc=com
2229
2230 auth_provider = krb5
2231 krb5_server = kerberos.example.com
2232 krb5_realm = EXAMPLE.COM
2233 cache_credentials = true
2234
2235 min_id = 10000
2236 max_id = 20000
2237 enumerate = False
2238
2239 2. The following example shows configuration of IPA AD trust where the
2240 AD forest consists of two domains in a parent-child structure. Suppose
2241 IPA domain (ipa.com) has trust with AD domain(ad.com). ad.com has child
2242 domain (child.ad.com). To enable shortnames in the child domain the
2243 following configuration should be used.
2244
2245 [domain/ipa.com/child.ad.com]
2246 use_fully_qualified_names = false
2247
2248 3. The following example shows the configuration for two certificate
2249 mapping rules. The first is valid for the configured domain “my.domain”
2250 and additionally for the subdomains “your.domain” and uses the full
2251 certificate in the search filter. The second example is valid for the
2252 domain “files” where it is assumed the files provider is used for this
2253 domain and contains a matching rule for the local user “myname”.
2254
2255 [certmap/my.domain/rule_name]
2256 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2257 maprule = (userCertificate;binary={cert!bin})
2258 domains = my.domain, your.domain
2259 priority = 10
2260
2261 [certmap/files/myname]
2262 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
2263
2264
2266 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2267 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2268 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2269 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2270 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
2271 sssd-systemtap(5)
2272
2274 The SSSD upstream - https://github.com/SSSD/sssd/
2275
2276
2277
2278SSSD 02/19/2021 SSSD.CONF(5)