SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)

sssd.conf - the configuration file for SSSD

The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of a
section with single and multi-valued parameters:

[section]
key = value
key2 = value2,value3

The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).

A comment line starts with a hash sign (“#”) or a semicolon (“;”).
Inline comments are not supported.

All sections can have an optional description parameter. Its function
is only as a label for the section.

sssd.conf must be a regular file, owned by root, and only root may read
from or write to the file.

The configuration file sssd.conf will include configuration snippets
using the include directory conf.d. This feature is available if SSSD
was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with
a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than
sssd.conf and will override sssd.conf when conflicts occur. If several
snippets are present in conf.d, then they are included in alphabetical
order (based on locale). Files included later have higher priority.
Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
visualize the priority (higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf,
which are by default root:root and 0600.
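To see how the snippet rules above combine, here is an added Python example (not SSSD's own code) that loads a constructed sssd.conf plus a conf.d listing with Python's configparser, applies the name filter and the alphabetical override order, and checks a file's mode and owner against the root:root/0600 requirement; all file names and contents are made up.

```python
import configparser
import os
import stat

# Constructed sample input (not a real deployment): a base sssd.conf and the
# directory listing of conf.d, each file given as its text.
BASE_CONF = """\
[sssd]
domains = example.com
services = nss, pam
debug_level = 2

[nss]
memcache_timeout = 300
"""

CONFD = {
    "01_debug.conf": "[sssd]\ndebug_level = 6\n",
    "02_more.conf": "[nss]\nmemcache_timeout = 600\n\n[sssd]\ndebug_level = 9\n",
    ".hidden.conf": "[sssd]\ndebug_level = 0\n",   # skipped: starts with a dot
    "notes.txt": "[sssd]\ndebug_level = 0\n",      # skipped: does not end in .conf
}


def select_snippets(names):
    """Return the conf.d file names SSSD loads, in load order.

    Only names ending in ".conf" and not starting with "." qualify; they are
    taken in alphabetical order, so a later file overrides an earlier one.
    (sorted() uses code-point order here, not the locale collation SSSD uses.)
    """
    return sorted(n for n in names if n.endswith(".conf") and not n.startswith("."))


def merge_config(base_text, snippets):
    """Merge sssd.conf text with the conf.d snippets into one effective config.

    configparser mirrors the ini rules on the page: '#' and ';' start comment
    lines and inline comments are not recognised. Every later read_string()
    overrides keys already present, which is exactly the snippet priority rule.
    Returns {section: {key: value}} with all values kept as strings.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(base_text)
    for name in select_snippets(snippets):
        parser.read_string(snippets[name])
    return {section: dict(parser[section]) for section in parser.sections()}


def permission_problems(mode, uid, gid):
    """List why a file with this st_mode/st_uid/st_gid would be rejected.

    sssd.conf and every snippet must be a regular file owned by root:root
    that only root can read or write (0600). An empty list means it is fine.
    """
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != 0 or gid != 0:
        problems.append("owner is not root:root")
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or other bits set; expected mode 0600")
    return problems


def audit_paths(paths):
    """Run permission_problems() over real files on disk: {path: problems}."""
    report = {}
    for path in paths:
        st = os.stat(path)
        report[path] = permission_problems(st.st_mode, st.st_uid, st.st_gid)
    return report


if __name__ == "__main__":
    effective = merge_config(BASE_CONF, CONFD)
    print("load order:", select_snippets(CONFD))
    print("effective [sssd] debug_level:", effective["sssd"]["debug_level"])
    print("mode 0644 problems:", permission_problems(0o100644, 0, 0))
```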

The following options are usable in more than one configuration section.

Options usable in all sections
debug_level (integer)
SSSD supports two representations for specifying the debug level.
The simplest is to specify a decimal value from 0-9, which
represents enabling that level and all lower-level debug messages.
The more comprehensive option is to specify a hexadecimal bitmask
to enable or disable specific levels (such as if you wish to
suppress a level).

Please note that each SSSD service logs into its own log file. Also
please note that enabling “debug_level” in the “[sssd]” section
only enables debugging for the sssd process itself, not for
the responder or provider processes. The “debug_level” parameter
should be added to all sections that you wish to produce debug logs
from.

In addition to changing the log level in the config file using the
“debug_level” parameter, which is persistent but requires an SSSD
restart, it is also possible to change the debug level on the fly
using the sss_debuglevel(8) tool.

Currently supported debug levels:

0, 0x0010: Fatal failures. Anything that would prevent SSSD from
starting up or causes it to cease running.

1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
one that indicates that at least one major feature is not going to
work properly.

2, 0x0040: Serious failures. An error announcing that a particular
request or operation has failed.

3, 0x0080: Minor failures. These are the errors that would
percolate down to cause the operation failure of 2.

4, 0x0100: Configuration settings.

5, 0x0200: Function data.

6, 0x0400: Trace messages for operation functions.

7, 0x1000: Trace messages for internal control functions.

8, 0x2000: Contents of function-internal variables that may be
interesting.

9, 0x4000: Extremely low-level tracing information.

9, 0x20000: Performance and statistical data. Please note that due
to the way requests are processed internally, the logged execution
time of a request might be longer than it actually was.

10, 0x10000: Even more low-level libldb tracing information. Almost
never really required.

To log the required bitmask debug levels, simply add their numbers
together as shown in the following examples:

Example: To log fatal failures, critical failures, serious failures
and function data use 0x0270.

Example: To log fatal failures, configuration settings, function
data and trace messages for internal control functions use 0x1310.

Note: The bitmask format of debug levels was introduced in 1.7.0.

Default: 0x0070 (i.e. fatal, critical and serious failures;
corresponds to setting 2 in decimal notation)
debug (integer)
SSSD 1.14 and later also includes the debug alias for debug_level
as a convenience feature. If both are specified, the value of
debug_level will be used.

debug_timestamps (bool)
Add a timestamp to the debug messages. If journald is enabled for
SSSD debug logging this option is ignored.

Default: true

debug_microseconds (bool)
Add microseconds to the timestamp in debug messages. If journald is
enabled for SSSD debug logging this option is ignored.

Default: false

debug_backtrace_enabled (bool)
Enable debug backtrace.

In case SSSD is run with debug_level less than 9, everything is
logged to a ring buffer in memory and flushed to a log file on any
error up to and including `min(0x0040, debug_level)` (i.e. if
debug_level is explicitly set to 0 or 1 then only those error
levels will trigger a backtrace, otherwise up to 2).

The feature is only supported for `logger == files` (i.e. the setting
has no effect for other logger types).

Default: true

Options usable in SERVICE and DOMAIN sections
timeout (integer)
Timeout in seconds between heartbeats for this service. This is
used to ensure that the process is alive and capable of answering
requests. Note that after three missed heartbeats the process will
terminate itself.

Default: 10

The [sssd] section
Individual pieces of SSSD functionality are provided by special SSSD
services that are started and stopped together with SSSD. The services
are managed by a special service frequently called “monitor”. The
“[sssd]” section is used to configure the monitor as well as some other
important options like the identity domains.

Section parameters

config_file_version (integer)
Indicates the syntax version of the config file. SSSD 0.6.0 and
later use version 2.

services
Comma separated list of services that are started when sssd itself
starts. The services' list is optional on platforms where systemd
is supported, as they will either be socket or D-Bus activated when
needed.

Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

By default, all services are disabled and the administrator must
enable the ones allowed to be used by executing: "systemctl enable
sssd-@service@.socket".

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

domains
A domain is a database containing user information. SSSD can use
several domains at the same time, but at least one must be configured
or SSSD won't start. This parameter describes the list of domains
in the order you want them to be queried. A domain name is
recommended to contain only alphanumeric ASCII characters, dashes,
dots and underscores. The '/' character is forbidden.

re_expression (string)
Default regular expression that describes how to parse the string
containing user name and domain into these components.

Each domain can have an individual regular expression configured.
For some ID providers there are also default regular expressions.
See DOMAIN SECTIONS for more info on these regular expressions.

full_name_format (string)
A printf(3)-compatible format that describes how to compose a fully
qualified name from user name and domain name components.

The following expansions are supported:

%1$s
user name

%2$s
domain name as specified in the SSSD config file.

%3$s
domain flat name. Mostly usable for Active Directory domains,
both directly configured or discovered via IPA trusts.

Each domain can have an individual format string configured. See
DOMAIN SECTIONS for more info on this option.

monitor_resolv_conf (boolean)
Controls if SSSD should monitor the state of resolv.conf to
identify when it needs to update its internal DNS resolver.

Default: true

try_inotify (boolean)
By default, SSSD will attempt to use inotify to monitor
configuration file changes and will fall back to polling every
five seconds if inotify cannot be used.

There are some limited situations where it is preferred that we
should skip even trying to use inotify. In these rare cases, this
option should be set to 'false'.

Default: true on platforms where inotify is supported. False on
other platforms.

Note: this option will have no effect on platforms where inotify is
unavailable. On these platforms, polling will always be used.

krb5_rcache_dir (string)
Directory on the filesystem where SSSD should store Kerberos replay
cache files.

This option accepts a special value __LIBKRB5_DEFAULTS__ that will
instruct SSSD to let libkrb5 decide the appropriate location for
the replay cache.

Default: Distribution-specific and specified at build-time.
(__LIBKRB5_DEFAULTS__ if not configured)

default_domain_suffix (string)
This string will be used as a default domain name for all names
without a domain name component. The main use case is environments
where the primary domain is intended for managing host policies and
all users are located in a trusted domain. The option allows those
users to log in just with their user name without giving a domain
name as well.

Please note that if this option is set, all users from the primary
domain have to use their fully qualified name, e.g.
user@domain.name, to log in. Setting this option changes the default of
use_fully_qualified_names to True. It is not allowed to use this
option together with use_fully_qualified_names set to False. One
exception from this rule are domains with “id_provider=files” that
always try to match the behaviour of nss_files and therefore their
output is not qualified even when the default_domain_suffix option
is used.

Default: not set

override_space (string)
This parameter will replace spaces (space bar) with the given
character for user and group names, e.g. "_": the user name "john doe"
will become "john_doe". This feature was added to help compatibility
with shell scripts that have difficulty handling spaces, due to the
default field separator in the shell.

Please note it is a configuration error to use a replacement
character that might be used in user or group names. If a name
contains the replacement character SSSD tries to return the
unmodified name, but in general the result of a lookup is undefined.

Default: not set (spaces will not be replaced)

certificate_verification (string)
With this parameter the certificate verification can be tuned with
a comma separated list of options. Supported options are:

no_ocsp
Disables Online Certificate Status Protocol (OCSP) checks. This
might be needed if the OCSP servers defined in the certificate
are not reachable from the client.

soft_ocsp
If a connection cannot be established to an OCSP responder the
OCSP check is skipped. This option should be used to allow
authentication when the system is offline and the OCSP
responder cannot be reached.

ocsp_dgst
Digest (hash) function used to create the certificate ID for
the OCSP request. Allowed values are:

• sha1

• sha256

• sha384

• sha512

Default: sha1 (to allow compatibility with RFC5019-compliant
responders)

no_verification
Disables verification completely. This option should only be
used for testing.

partial_chain
Allow verification to succeed even if a complete chain cannot
be built to a self-signed trust-anchor, provided it is possible
to construct a chain to a trusted certificate that might not be
self-signed.

ocsp_default_responder=URL
Sets the OCSP default responder which should be used instead of
the one mentioned in the certificate. URL must be replaced with
the URL of the OCSP default responder, e.g.
http://example.com:80/ocsp.

ocsp_default_responder_signing_cert=NAME
This option is currently ignored. All needed certificates must
be available in the PEM file given by pam_cert_db_path.

crl_file=/PATH/TO/CRL/FILE
Use the Certificate Revocation List (CRL) from the given file
during the verification of the certificate. The CRL must be
given in PEM format, see crl(1ssl) for details.

soft_crl
If a Certificate Revocation List (CRL) is expired, ignore the
CRL checks for the related certificates. This option should be
used to allow authentication when the system is offline and the
CRL cannot be renewed.

Unknown options are reported but ignored.

Default: not set, i.e. do not restrict certificate verification

disable_netlink (boolean)
SSSD hooks into the netlink interface to monitor changes to routes,
addresses and links and to trigger certain actions.

The SSSD state changes caused by netlink events may be undesirable
and can be disabled by setting this option to 'true'.

Default: false (netlink changes are detected)

enable_files_domain (boolean)
When this option is enabled, SSSD prepends an implicit domain with
“id_provider=files” before any explicitly configured domains.

Default: false

domain_resolution_order
Comma separated list of domains and subdomains representing the
lookup order that will be followed. The list doesn't have to
include all possible domains as the missing domains will be looked
up based on the order they're presented in the “domains”
configuration option. The subdomains which are not listed as part
of “lookup_order” will be looked up in a random order for each
parent domain.

Please note that when this option is set the output format of all
commands is always fully-qualified even when using short names for
input, for all users but the ones managed by the files provider.
In case the administrator wants the output not fully-qualified, the
full_name_format option can be used as shown below:
“full_name_format=%1$s”. However, keep in mind that during login,
login applications often canonicalize the username by calling
getpwnam(3) which, if a shortname is returned for a qualified input
(while trying to reach a user which exists in multiple domains),
might re-route the login attempt into the domain which uses
shortnames, making this workaround strongly discouraged in cases
where usernames may overlap between domains.

Default: Not set

implicit_pac_responder (boolean)
The PAC responder is enabled automatically for the IPA and AD
provider to evaluate and check the PAC. If it has to be disabled,
set this option to 'false'.

Default: true

core_dumpable (boolean)
This option can be used for general system hardening: setting it to
'false' forbids core dumps for all SSSD processes to avoid leaking
plain text passwords. See the prctl(2) man page, PR_SET_DUMPABLE, for
details.

Default: true

passkey_verification (string)
With this parameter the passkey verification can be tuned with a
comma separated list of options. Supported options are:

user_verification (boolean)
Enable or disable the user verification (i.e. PIN, fingerprint)
during authentication. If enabled, the PIN will always be
requested.

The default is that the key settings decide what to do. In the
IPA or kerberos pre-authentication case, this value will be
overwritten by the server.

Settings that can be used to configure different services are described
in this section. They should reside in the [$NAME] section; for
example, for the NSS service, the section would be “[nss]”.

General service configuration options
These options can be used to configure any service.

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

fd_limit
This option specifies the maximum number of file descriptors that
may be opened at one time by this SSSD process. On systems where
SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this capability, the resulting
value will be the lower value of this or the limits.conf "hard"
limit.

Default: 8192 (or limits.conf "hard" limit)

client_idle_timeout
This option specifies the number of seconds that a client of an
SSSD process can hold onto a file descriptor without communicating
on it. This value is limited in order to avoid resource exhaustion
on the system. The timeout can't be shorter than 10 seconds. If a
lower value is configured, it will be adjusted to 10 seconds.

Default: 60, KCM: 300

offline_timeout (integer)
When SSSD switches to offline mode the amount of time before it
tries to go back online will increase based upon the time spent
disconnected. By default SSSD uses incremental behaviour to
calculate the delay in between retries. So, the wait time for a given
retry will be longer than the wait time for the previous ones.
After each unsuccessful attempt to go online, the new interval is
recalculated by the following:

new_delay = Minimum(old_delay * 2, offline_timeout_max) +
random[0...offline_timeout_random_offset]

The offline_timeout default value is 60. The offline_timeout_max
default value is 3600. The offline_timeout_random_offset default
value is 30. The end result is the number of seconds before the next retry.

Note that the maximum length of each interval is defined by
offline_timeout_max (apart from the random part).

Default: 60

offline_timeout_max (integer)
Controls by how much the time between attempts to go online can be
incremented following unsuccessful attempts to go online.

A value of 0 disables the incrementing behaviour.

The value of this parameter should be set in correlation to the
offline_timeout parameter value.

With offline_timeout set to 60 (default value) there is no point in
setting offline_timeout_max to less than 120 as it will saturate
instantly. The general rule here should be to set offline_timeout_max
to at least 4 times offline_timeout.

Although a value between 0 and offline_timeout may be specified, it
has the effect of overriding the offline_timeout value so is of
little use.

Default: 3600

offline_timeout_random_offset (integer)
When SSSD is in offline mode it keeps probing backend servers in
specified time intervals:

new_delay = Minimum(old_delay * 2, offline_timeout_max) +
random[0...offline_timeout_random_offset]

This parameter controls the value of the random offset used for the
above equation. The final random_offset value will be a random number in
the range:

[0 - offline_timeout_random_offset]

A value of 0 disables the random offset addition.

Default: 30
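An added Python model of the retry schedule (example code, not SSSD's implementation) covering offline_timeout, offline_timeout_max and offline_timeout_random_offset together; it assumes that the first wait equals offline_timeout, that offline_timeout_max = 0 leaves the delay unchanged, and that the random offset is drawn inclusively from 0 to offline_timeout_random_offset.

```python
import random


def next_delay(old_delay, offline_timeout_max, random_offset, rng):
    """One recalculation after a failed attempt to go back online.

    new_delay = min(old_delay * 2, offline_timeout_max)
                + random[0 ... offline_timeout_random_offset]

    Assumptions not spelled out on the page: offline_timeout_max == 0 keeps
    the delay unchanged ("disables the incrementing behaviour"), and the
    random offset is drawn inclusively from 0 to random_offset.
    """
    if offline_timeout_max == 0:
        base = old_delay
    else:
        base = min(old_delay * 2, offline_timeout_max)
    jitter = rng.randint(0, random_offset) if random_offset > 0 else 0
    return base + jitter


def retry_schedule(offline_timeout=60, offline_timeout_max=3600,
                   random_offset=30, attempts=8, seed=None):
    """Delays (seconds) before each of `attempts` reconnection attempts.

    Assumes the first wait equals offline_timeout; each later wait is the
    recalculated value. Pass a seed for a reproducible jittered schedule.
    """
    rng = random.Random(seed)
    delays = []
    delay = offline_timeout
    for _ in range(attempts):
        delays.append(delay)
        delay = next_delay(delay, offline_timeout_max, random_offset, rng)
    return delays


def saturates_immediately(offline_timeout, offline_timeout_max):
    """True when the cap is already hit on the first recalculation.

    This is the page's warning: with offline_timeout=60 a cap below 120
    saturates instantly.
    """
    return 0 < offline_timeout_max < 2 * offline_timeout


def meets_rule_of_thumb(offline_timeout, offline_timeout_max):
    """The page's rule: offline_timeout_max at least 4x offline_timeout (or 0)."""
    return offline_timeout_max == 0 or offline_timeout_max >= 4 * offline_timeout


if __name__ == "__main__":
    print("defaults, no jitter:", retry_schedule(random_offset=0))
    print("defaults, seeded jitter:", retry_schedule(seed=1))
    print("max=100 saturates immediately:", saturates_immediately(60, 100))
```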

responder_idle_timeout
This option specifies the number of seconds that an SSSD responder
process can be up without being used. This value is limited in
order to avoid resource exhaustion on the system. The minimum
acceptable value for this option is 60 seconds. Setting this option
to 0 (zero) means that no timeout will be set up for the responder.
This option only has effect when SSSD is built with systemd support
and when services are either socket or D-Bus activated.

Default: 300

cache_first
This option specifies whether the responder should query all caches
before querying the Data Providers.

Default: false

NSS configuration options
These options can be used to configure the Name Service Switch (NSS)
service.

enum_cache_timeout (integer)
How many seconds nss_sss should cache enumerations (requests for
info about all users).

Default: 120

entry_cache_nowait_percentage (integer)
The entry cache can be set to automatically update entries in the
background if they are requested beyond a percentage of the
entry_cache_timeout value for the domain.

For example, if the domain's entry_cache_timeout is set to 30s and
entry_cache_nowait_percentage is set to 50 (percent), entries that
come in after 15 seconds past the last cache update will be
returned immediately, but the SSSD will go and update the cache on
its own, so that future requests will not need to block waiting for
a cache update.

Valid values for this option are 0-99 and represent a percentage of
the entry_cache_timeout for each domain. For performance reasons,
this percentage will never reduce the nowait timeout to less than
10 seconds. (0 disables this feature)

Default: 50

entry_negative_timeout (integer)
Specifies for how many seconds nss_sss should cache negative cache
hits (that is, queries for invalid database entries, like
nonexistent ones) before asking the back end again.

Default: 15

local_negative_timeout (integer)
Specifies for how many seconds nss_sss should keep local users and
groups in the negative cache before trying to look them up in the back
end again. Setting the option to 0 disables this feature.

Default: 14400 (4 hours)

filter_users, filter_groups (string)
Exclude certain users or groups from being fetched from the sss NSS
database. This is particularly useful for system accounts. This
option can also be set per-domain or include fully-qualified names
to filter only users from the particular domain or by a user
principal name (UPN).

NOTE: The filter_groups option doesn't affect inheritance of nested
group members, since filtering happens after they are propagated
for returning via NSS. E.g. a group having a member group filtered
out will still have the member users of the latter listed.

Default: root

filter_users_in_groups (bool)
If you want filtered users to still be group members, set this option to
false.

Default: true

override_homedir (string)
Override the user's home directory. You can either provide an
absolute value or a template. In the template, the following
sequences are substituted:

%u
login name

%U
UID number

%d
domain name

%f
fully qualified user name (user@domain)

%l
The first letter of the login name.

%P
UPN - User Principal Name (name@REALM)

%o
The original home directory retrieved from the identity
provider.

%h
The original home directory retrieved from the identity
provider, but in lower case.

%H
The value of the configuration option homedir_substring.

%%
a literal '%'

This option can also be set per-domain.

example:

override_homedir = /home/%u

Default: Not set (SSSD will use the value retrieved from LDAP)

Please note, the home directory from a specific override for the
user, either locally (see sss_override(8)) or centrally managed IPA
id-overrides, has a higher precedence and will be used instead of
the value given by override_homedir.

homedir_substring (string)
The value of this option will be used in the expansion of the
override_homedir option if the template contains the format string
%H. An LDAP directory entry can directly contain this template so
that this option can be used to expand the home directory path for
each client machine (or operating system). It can be set per-domain
or globally in the [nss] section. A value specified in a domain
section will override one set in the [nss] section.

Default: /home

fallback_homedir (string)
Set a default template for a user's home directory if one is not
specified explicitly by the domain's data provider.

The available values for this option are the same as for
override_homedir.

example:

fallback_homedir = /home/%u

Default: not set (no substitution for unset home directories)
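An added expander for override_homedir and fallback_homedir templates (example code, not SSSD's), with the precedence the page gives between per-user overrides, override_homedir, the provider's value and fallback_homedir; the user, uid, domain and UPN values in the demo are constructed.

```python
def expand_homedir(template, *, user, uid, domain, upn, orig_homedir,
                   homedir_substring="/home"):
    """Expand an override_homedir / fallback_homedir template.

    Supported sequences are the ones listed on the page: %u %U %d %f %l %P
    %o %h %H %%. An unknown sequence or a trailing '%' raises ValueError
    rather than silently producing a path.
    """
    values = {
        "u": user,
        "U": str(uid),
        "d": domain,
        "f": f"{user}@{domain}",
        "l": user[:1],
        "P": upn,
        "o": orig_homedir,
        "h": orig_homedir.lower(),
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        key = template[i + 1]
        if key not in values:
            raise ValueError(f"unknown template sequence %{key}")
        out.append(values[key])
        i += 2
    return "".join(out)


def resolve_homedir(provider_homedir, *, user_override=None, override_homedir=None,
                    fallback_homedir=None, **fields):
    """Pick the home directory following the precedence the page describes.

    1. A per-user override (sss_override / IPA id-override) wins outright.
    2. Otherwise override_homedir, if set, replaces whatever the provider returned.
    3. Otherwise the provider's value is used; if the provider returned nothing,
       fallback_homedir (if set) is expanded instead, else None.
    `fields` are user, uid, domain, upn and optionally homedir_substring.
    """
    if user_override:
        return user_override
    if override_homedir:
        return expand_homedir(override_homedir,
                              orig_homedir=provider_homedir or "", **fields)
    if provider_homedir:
        return provider_homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, orig_homedir="", **fields)
    return None


if __name__ == "__main__":
    # Constructed identity values for the demonstration.
    who = dict(user="jdoe", uid=1001, domain="example.com", upn="jdoe@EXAMPLE.COM")
    print(expand_homedir("%H/%d/%l/%u", orig_homedir="/Users/JDoe", **who))
    print(resolve_homedir("", fallback_homedir="/home/%u", **who))
```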

override_shell (string)
Override the login shell for all users. This option supersedes any
other shell options if it takes effect and can be set either in the
[nss] section or per-domain.

Default: not set (SSSD will use the value retrieved from LDAP)

allowed_shells (string)
Restrict the user shell to one of the listed values. The order of
evaluation is:

1. If the shell is present in “/etc/shells”, it is used.

2. If the shell is in the allowed_shells list but not in
“/etc/shells”, use the value of the shell_fallback parameter.

3. If the shell is not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.

The wildcard (*) can be used to allow any shell.

The (*) is useful if you want to use shell_fallback in case the
user's shell is not in “/etc/shells” and maintaining a list of all
allowed shells in allowed_shells would be too much overhead.

An empty string for the shell is passed as-is to libc.

“/etc/shells” is only read on SSSD start up, which means that a
restart of SSSD is required in case a new shell is installed.

Default: Not set. The user shell is automatically used.

vetoed_shells (string)
Replace any instance of these shells with the shell_fallback.

shell_fallback (string)
The default shell to use if an allowed shell is not installed on
the machine.

Default: /bin/sh

default_shell
The default shell to use if the provider does not return one during
lookup. This option can be specified globally in the [nss] section
or per-domain.

Default: not set (Return NULL if no shell is specified and rely on
libc to substitute something sensible when necessary, usually
/bin/sh)
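Combining allowed_shells, vetoed_shells, shell_fallback, override_shell and default_shell, an added Python function (not SSSD's code) applies the evaluation order above to a provider-returned shell; the nologin path and the ordering of vetoed_shells before allowed_shells are assumptions, and the /etc/shells content is passed in as a set.

```python
NOLOGIN_SHELL = "/sbin/nologin"  # assumed path; the page only says "a nologin shell"


def resolve_shell(provider_shell, *, override_shell=None, allowed_shells=None,
                  vetoed_shells=(), shell_fallback="/bin/sh", default_shell=None,
                  etc_shells=()):
    """Return the login shell SSSD would hand to libc for one user.

    Follows the page: override_shell supersedes everything; an empty string
    is passed through as-is; no value from the provider (None) yields
    default_shell (None when unset); vetoed shells become shell_fallback;
    then the allowed_shells evaluation order 1-3 applies, with "*" allowing
    any shell. Checking vetoed_shells before allowed_shells is an assumption.
    `etc_shells` stands in for the contents of /etc/shells, which SSSD reads
    only at start-up.
    """
    if override_shell:
        return override_shell
    if provider_shell is None:
        return default_shell
    if provider_shell == "":
        return ""
    if provider_shell in vetoed_shells:
        return shell_fallback
    if allowed_shells is None:
        return provider_shell
    if provider_shell in etc_shells:           # 1. installed shell: use it
        return provider_shell
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback                  # 2. allowed but not installed
    return NOLOGIN_SHELL                       # 3. neither allowed nor installed


def read_etc_shells(path="/etc/shells"):
    """Parse /etc/shells into a set: one path per line, '#' comment lines ignored."""
    shells = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                shells.add(line)
    return shells


if __name__ == "__main__":
    installed = {"/bin/sh", "/bin/bash"}        # constructed stand-in for /etc/shells
    allowed = ["/bin/bash", "/bin/zsh"]
    for shell in ("/bin/bash", "/bin/zsh", "/bin/fish"):
        print(shell, "->", resolve_shell(shell, allowed_shells=allowed, etc_shells=installed))
```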

get_domains_timeout (int)
Specifies the time in seconds for which the list of subdomains will be
considered valid.

Default: 60

memcache_timeout (integer)
Specifies the time in seconds for which records in the in-memory cache
will be valid. Setting this option to zero will disable the
in-memory cache.

Default: 300

WARNING: Disabling the in-memory cache will have a significant
negative impact on SSSD's performance and should only be used for
testing.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_passwd (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for passwd requests. Setting the size to 0 will
disable the passwd in-memory cache.

Default: 8

WARNING: A disabled or too small in-memory cache can have a significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_group (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for group requests. Setting the size to 0 will
disable the group in-memory cache.

Default: 6

WARNING: A disabled or too small in-memory cache can have a significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_initgroups (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for initgroups requests. Setting the size to 0 will
disable the initgroups in-memory cache.

Default: 10

WARNING: A disabled or too small in-memory cache can have a significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_sid (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for SID related requests. Only SID-by-ID and
ID-by-SID requests are currently cached in the fast in-memory cache.
Setting the size to 0 will disable the SID in-memory cache.

Default: 6

WARNING: A disabled or too small in-memory cache can have a significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

user_attributes (string)
Some of the additional NSS responder requests can return more
attributes than just the POSIX ones defined by the NSS interface.
The list of attributes is controlled by this option. It is handled
the same way as the “user_attributes” option of the InfoPipe
responder (see sssd-ifp(5) for details) but with no default values.

To make configuration easier, the NSS responder will check the
InfoPipe option if it is not set for the NSS responder.

Default: not set, fallback to InfoPipe option

pwfield (string)
The value that NSS operations that return users or groups will
return for the “password” field.

Default: “*”

Note: This option can also be set per-domain, which overwrites the
value in the [nss] section.

Default: “not set” (remote domains), “x” (the files domain), “x”
(proxy domain with nss_files and sssd-shadowutils target)

PAM configuration options
These options can be used to configure the Pluggable Authentication
Module (PAM) service.

offline_credentials_expiration (integer)
If the authentication provider is offline, how long should we allow
cached logins (in days since the last successful online login).

Default: 0 (No limit)

offline_failed_login_attempts (integer)
If the authentication provider is offline, how many failed login
attempts are allowed.

Default: 0 (No limit)

offline_failed_login_delay (integer)
The time in minutes which has to pass after
offline_failed_login_attempts has been reached before a new login
attempt is possible.

If set to 0 the user cannot authenticate offline if
offline_failed_login_attempts has been reached. Only a successful
online authentication can enable offline authentication again.

Default: 5

pam_verbosity (integer)
Controls what kind of messages are shown to the user during
authentication. The higher the number, the more messages are
displayed.

Currently sssd supports the following values:

0: do not show any message

1: show only important messages

2: show informational messages

3: show all messages and debug information

Default: 1

pam_response_filter (string)
A comma separated list of strings that allows removing (filtering)
data sent by the PAM responder to the pam_sss PAM module. There are
different kinds of responses sent to pam_sss, e.g. messages displayed
to the user or environment variables which should be set by
pam_sss.

While messages can already be controlled with the help of the
pam_verbosity option, this option allows filtering out other kinds of
responses as well.

Currently the following filters are supported:

ENV
Do not send any environment variables to any service.

ENV:var_name
Do not send environment variable var_name to any service.

ENV:var_name:service
Do not send environment variable var_name to service.

The list of strings can either be the list of filters, which would
set this list of filters and overwrite the defaults, or each
element of the list can be prefixed by a '+' or '-' character, which
would add the filter to the existing defaults or remove it from the
defaults, respectively. Please note that either all list elements
must have a '+' or '-' prefix or none. It is considered an error
to mix both styles.

Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i

Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
default list
900
pam_id_timeout (integer)
For any PAM request while SSSD is online, the SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.

A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.

Default: 5

pam_pwd_expiration_warning (integer)
Display a warning N days before the password expires.

Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning.

If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from the backend server, it will
automatically be displayed.

This setting can be overridden by setting pwd_expiration_warning
for a particular domain.

Default: 0

get_domains_timeout (int)
Specifies the time in seconds for which the list of subdomains will
be considered valid.

Default: 60

pam_trusted_users (string)
Specifies the comma-separated list of UID values or user names that
are allowed to run PAM conversations against trusted domains. Users
not included in this list can only access domains marked as public
with “pam_public_domains”. User names are resolved to UIDs at
startup.

Default: All users are considered trusted by default

Please note that UID 0 is always allowed to access the PAM
responder even in case it is not in the pam_trusted_users list.

pam_public_domains (string)
Specifies the comma-separated list of domain names that are
accessible even to untrusted users.

Two special values for the pam_public_domains option are defined:

all (Untrusted users are allowed to access all domains in the PAM
responder.)

none (Untrusted users are not allowed to access any domains in the
PAM responder.)

Default: none
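
The access decision that pam_trusted_users and pam_public_domains describe, as an added example (not SSSD's own code): the option values are resolved once at startup and then consulted per request. The `passwd` mapping standing in for the NSS name lookup and the function names are assumptions.

```python
"""Added illustration of pam_trusted_users and pam_public_domains.
Example code, not SSSD's own; the name resolver and the request check
are assumptions written to the rules stated in the man page."""
from typing import Dict, Optional, Set


def parse_trusted_users(value: Optional[str], passwd: Dict[str, int]) -> Optional[Set[int]]:
    """Turn the option value into a set of UIDs. None means 'everyone is
    trusted' (the default). Names are resolved once, as SSSD does at
    startup, through `passwd` (a constructed stand-in for the NSS lookup)."""
    if value is None or not value.strip():
        return None
    uids: Set[int] = set()
    for item in (i.strip() for i in value.split(",")):
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in passwd:
            uids.add(passwd[item])
        else:
            raise ValueError(f"pam_trusted_users: cannot resolve user {item!r}")
    return uids


def parse_public_domains(value: Optional[str]) -> Set[str]:
    """'all' and 'none' are special; otherwise a comma-separated domain list."""
    if value is None or not value.strip() or value.strip() == "none":
        return set()
    if value.strip() == "all":
        return {"*"}
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_request_allowed(client_uid: int, domain: str,
                        trusted: Optional[Set[int]], public: Set[str]) -> bool:
    """May the client process running as `client_uid` run a PAM conversation
    against `domain`?"""
    # UID 0 is always trusted, even when a trusted list is set and omits it.
    if client_uid == 0 or trusted is None or client_uid in trusted:
        return True
    # Untrusted clients only reach domains marked public.
    return "*" in public or domain in public


if __name__ == "__main__":
    passwd = {"root": 0, "sshd": 74, "gdm": 42}        # constructed sample
    trusted = parse_trusted_users("sshd, gdm", passwd)
    public = parse_public_domains("guest.example.com")
    for uid, dom in [(74, "corp.example.com"), (1000, "corp.example.com"),
                     (1000, "guest.example.com"), (0, "corp.example.com")]:
        print(uid, dom, pam_request_allowed(uid, dom, trusted, public))
```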

pam_account_expired_message (string)
Allows a custom expiration message to be set, replacing the default
'Permission denied' message.

Note: Please be aware that the message is only printed for the SSH
service unless pam_verbosity is set to 3 (show all messages and
debug information).

example:

pam_account_expired_message = Account expired, please contact help desk.


Default: none

pam_account_locked_message (string)
Allows a custom lockout message to be set, replacing the default
'Permission denied' message.

example:

pam_account_locked_message = Account locked, please contact help desk.


Default: none

pam_passkey_auth (bool)
Enable passkey device based authentication.

Default: False

passkey_debug_libfido2 (bool)
Enable libfido2 library debug messages.

Default: False

pam_cert_auth (bool)
Enable certificate based Smartcard authentication. Since this
requires additional communication with the Smartcard, which delays
the authentication process, this option is disabled by default.

Default: False

pam_cert_db_path (string)
The path to the certificate database.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)


pam_cert_verification (string)
With this parameter the PAM certificate verification can be tuned
with a comma-separated list of options that override the
“certificate_verification” value in the “[sssd]” section. Supported
options are the same as for “certificate_verification”.

example:

pam_cert_verification = partial_chain


Default: not set, i.e. use the default “certificate_verification”
option defined in the “[sssd]” section.

p11_child_timeout (integer)
How many seconds pam_sss will wait for p11_child to finish.

Default: 10

passkey_child_timeout (integer)
How many seconds the PAM responder will wait for passkey_child to
finish.

Default: 15

pam_app_services (string)
Which PAM services are permitted to contact domains of type
“application”.

Default: Not set

pam_p11_allowed_services (integer)
A comma-separated list of PAM service names for which it will be
allowed to use Smartcards.

It is possible to add another PAM service name to the default set
by using “+service_name” or to explicitly remove a PAM service name
from the default set by using “-service_name”. For example, in
order to replace a default PAM service name for authentication with
Smartcards (e.g. “login”) with a custom PAM service name (e.g.
“my_pam_service”), you would use the following configuration:

pam_p11_allowed_services = +my_pam_service, -login


Default: the default set of PAM service names includes:

• login

• su

• su-l

• gdm-smartcard

• gdm-password

• kdm

• sudo

• sudo-i

• gnome-screensaver


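The '+'/'-' list syntax that pam_p11_allowed_services above and pam_response_filter earlier share, together with the way the ENV filters match a response, as an added example that is not SSSD's own code. The function names are assumptions; the default lists are the ones quoted in this man page.

```python
"""Added illustration of the '+'/'-' list syntax shared by
pam_response_filter and pam_p11_allowed_services, and of how the ENV
filters match a response. Example code, not SSSD's own."""
from typing import List, Optional, Tuple

# Defaults as stated in the man page.
DEFAULT_PAM_RESPONSE_FILTER = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
DEFAULT_PAM_P11_ALLOWED_SERVICES = ["login", "su", "su-l", "gdm-smartcard",
                                    "gdm-password", "kdm", "sudo", "sudo-i",
                                    "gnome-screensaver"]


def merge_with_defaults(value: Optional[str], defaults: List[str]) -> List[str]:
    """Resolve a comma-separated option value against its default list.

    Plain entries replace the defaults; entries all prefixed with '+'/'-'
    are applied to the defaults; mixing both styles is an error."""
    if value is None or not value.strip():
        return list(defaults)
    items = [i.strip() for i in value.split(",") if i.strip()]
    prefixed = [i[0] in "+-" for i in items]
    if all(prefixed):
        result = list(defaults)
        for item in items:
            name = item[1:].strip()
            if item[0] == "+" and name not in result:
                result.append(name)
            elif item[0] == "-":
                result = [r for r in result if r != name]
        return result
    if any(prefixed):
        raise ValueError("cannot mix '+'/'-' entries with plain entries: " + value)
    return items


def parse_env_filter(entry: str) -> Tuple[Optional[str], Optional[str]]:
    """ENV | ENV:var_name | ENV:var_name:service -> (var or None, service or None)."""
    parts = entry.split(":")
    if parts[0] != "ENV" or len(parts) > 3:
        raise ValueError(f"unsupported pam_response_filter entry {entry!r}")
    var = parts[1] if len(parts) > 1 and parts[1] else None
    service = parts[2] if len(parts) > 2 and parts[2] else None
    return var, service


def env_response_filtered(filters: List[str], var_name: str, service: str) -> bool:
    """True if an environment-variable response `var_name` destined for the
    PAM service `service` would be dropped by the resolved filter list."""
    for entry in filters:
        var, svc = parse_env_filter(entry)
        if (var is None or var == var_name) and (svc is None or svc == service):
            return True
    return False


def smartcard_allowed(value: Optional[str], service: str) -> bool:
    """pam_p11_allowed_services: the same merge against its own defaults."""
    return service in merge_with_defaults(value, DEFAULT_PAM_P11_ALLOWED_SERVICES)


if __name__ == "__main__":
    # The man page's example: drop the sudo-i filter, keep the sudo one.
    filters = merge_with_defaults("-ENV:KRB5CCNAME:sudo-i", DEFAULT_PAM_RESPONSE_FILTER)
    print(filters)
    print("KRB5CCNAME for sudo dropped:", env_response_filtered(filters, "KRB5CCNAME", "sudo"))
    print("KRB5CCNAME for sudo-i dropped:", env_response_filtered(filters, "KRB5CCNAME", "sudo-i"))
    print("login may use a Smartcard:", smartcard_allowed("+my_pam_service, -login", "login"))
```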
p11_wait_for_card_timeout (integer)
If Smartcard authentication is required, how many extra seconds in
addition to p11_child_timeout the PAM responder should wait until a
Smartcard is inserted.

Default: 60

p11_uri (string)
PKCS#11 URI (see RFC-7512 for details) which can be used to
restrict the selection of devices used for Smartcard
authentication. By default SSSD's p11_child will search for a
PKCS#11 slot (reader) where the 'removable' flag is set and read
the certificates from the inserted token from the first slot found.
If multiple readers are connected, p11_uri can be used to tell
p11_child to use a specific reader.

Example:

p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader


or

p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2


To find a suitable URI please check the debug output of p11_child.
As an alternative, the GnuTLS utility 'p11tool' with e.g. the
'--list-all' option will show PKCS#11 URIs as well.

Default: none

pam_initgroups_scheme
The PAM responder can force an online lookup to get the current
group memberships of the user trying to log in. This option
controls when this should be done and the following values are
allowed:

always
Always do an online lookup; please note that pam_id_timeout
still applies

no_session
Only do an online lookup if there is no active session of the
user, i.e. if the user is currently not logged in

never
Never force an online lookup; use the data from the cache as
long as they are not expired

Default: no_session

pam_gssapi_services
Comma-separated list of PAM services that are allowed to try GSSAPI
authentication using the pam_sss_gss.so module.

To disable GSSAPI authentication, set this option to “-” (dash).

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

Example:

pam_gssapi_services = sudo, sudo-i


Default: - (GSSAPI authentication is disabled)

pam_gssapi_check_upn
If True, SSSD will require that the Kerberos user principal that
successfully authenticated through GSSAPI can be associated with
the user who is being authenticated. Authentication will fail if
the check fails.

If False, every user that is able to obtain the required service
ticket will be authenticated.

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

Default: True

pam_gssapi_indicators_map
Comma-separated list of authentication indicators required to be
present in a Kerberos ticket to access a PAM service that is
allowed to try GSSAPI authentication using the pam_sss_gss.so
module.

Each element of the list can be either an authentication indicator
name or a pair “service:indicator”. Indicators not prefixed with
the PAM service name will be required to access any PAM service
configured to be used with pam_gssapi_services. A resulting list of
indicators per PAM service is then checked against indicators in
the Kerberos ticket during authentication by pam_sss_gss.so. Any
indicator from the ticket that matches the resulting list of
indicators for the PAM service would grant access. If none of the
indicators in the list match, access will be denied. If the
resulting list of indicators for the PAM service is empty, the
check will not prevent the access.

To disable the GSSAPI authentication indicator check, set this
option to “-” (dash). To disable the check for a specific PAM
service, add “service:-”.

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

The following authentication indicators are supported by IPA
Kerberos deployments:

• pkinit -- pre-authentication using X.509 certificates --
whether stored in files or on smart cards.

• hardened -- SPAKE pre-authentication or any pre-authentication
wrapped in a FAST channel.

• radius -- pre-authentication with the help of a RADIUS server.

• otp -- pre-authentication using integrated two-factor
authentication (2FA or one-time password, OTP) in IPA.

• idp -- pre-authentication using an external identity provider.

Example: to require access to SUDO services only for users which
obtained their Kerberos tickets with an X.509 certificate
pre-authentication (PKINIT), set

pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit


Default: not set (use of authentication indicators is not required)
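
How pam_gssapi_services and pam_gssapi_indicators_map combine into one access decision, as an added example that is not SSSD's own code: the per-service indicator list is resolved as the text above describes (unprefixed entries apply to every service, “service:-” and “-” disable the check) and then matched against the indicators carried by a ticket. The function names and the constructed tickets are assumptions.

```python
"""Added illustration of pam_gssapi_services and pam_gssapi_indicators_map:
which PAM services may try pam_sss_gss.so and which authentication
indicators their Kerberos tickets must carry. Example code, not SSSD's own."""
from typing import Iterable, Optional, Set


def gssapi_service_allowed(services_value: Optional[str], service: str) -> bool:
    """pam_gssapi_services: '-' (the default) or unset disables GSSAPI entirely."""
    if services_value is None or services_value.strip() in ("", "-"):
        return False
    return service in {s.strip() for s in services_value.split(",") if s.strip()}


def required_indicators(map_value: Optional[str], service: str) -> Optional[Set[str]]:
    """Resolve pam_gssapi_indicators_map for one PAM service.

    Returns None when the check is disabled ('-' globally or 'service:-'),
    otherwise the set of acceptable indicators: unprefixed entries plus the
    entries prefixed with this service. An empty set means 'not required'."""
    if map_value is None or not map_value.strip():
        return set()
    if map_value.strip() == "-":
        return None
    required: Set[str] = set()
    for item in (i.strip() for i in map_value.split(",")):
        if not item:
            continue
        if ":" in item:
            svc, indicator = (p.strip() for p in item.split(":", 1))
            if svc != service:
                continue            # belongs to another PAM service
            if indicator == "-":
                return None         # check explicitly disabled for this service
            required.add(indicator)
        else:
            required.add(item)      # unprefixed: applies to every GSSAPI service
    return required


def gssapi_access_granted(services_value: Optional[str], map_value: Optional[str],
                          service: str, ticket_indicators: Iterable[str]) -> bool:
    """The service must be permitted to try GSSAPI at all, and if an indicator
    list applies to it, the ticket must carry at least one listed indicator."""
    if not gssapi_service_allowed(services_value, service):
        return False
    required = required_indicators(map_value, service)
    if required is None or not required:
        return True
    return bool(required & set(ticket_indicators))


if __name__ == "__main__":
    services = "sudo, sudo-i, login"
    indicators = "sudo:pkinit, sudo-i:pkinit"   # the man page's example value
    # Constructed tickets: a password login carries no indicator, a
    # smart-card (PKINIT) login carries 'pkinit'.
    for svc, ticket in [("sudo", []), ("sudo", ["pkinit"]),
                        ("login", []), ("sshd", ["pkinit"])]:
        print(svc, ticket, gssapi_access_granted(services, indicators, svc, ticket))
```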

SUDO configuration options
These options can be used to configure the sudo service. The detailed
instructions for configuration of sudo(8) to work with sssd(8) are in
the manual page sssd-sudo(5).

sudo_timed (bool)
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.

Default: false

sudo_threshold (integer)
Maximum number of expired rules that can be refreshed at once. If
the number of expired rules is below the threshold, those rules are
refreshed with the “rules refresh” mechanism. If the threshold is
exceeded, a “full refresh” of sudo rules is triggered instead. This
threshold number also applies to IPA sudo command and command group
searches.

Default: 50

AUTOFS configuration options
These options can be used to configure the autofs service.

autofs_negative_timeout (integer)
Specifies for how many seconds the autofs responder should keep
negative cache entries (that is, queries for invalid map entries,
like nonexistent ones) before asking the back end again.

Default: 15

Please note that the automounter only reads the master map on startup,
so if any autofs-related changes are made to the sssd.conf, you
typically also need to restart the automounter daemon after restarting
the SSSD.

SSH configuration options
These options can be used to configure the SSH service.

ssh_hash_known_hosts (bool)
Whether or not to hash host names and addresses in the managed
known_hosts file.

Default: false

ssh_known_hosts_timeout (integer)
How many seconds to keep a host in the managed known_hosts file
after its host keys were requested.

Default: 180

ssh_use_certificate_keys (bool)
If set to true, sss_ssh_authorizedkeys will also return ssh keys
derived from the public key of X.509 certificates stored in the
user entry. See sss_ssh_authorizedkeys(1) for details.

Default: true

ssh_use_certificate_matching_rules (string)
By default the ssh responder will use all available certificate
matching rules to filter the certificates so that ssh keys are only
derived from the matching ones. With this option the used rules can
be restricted with a comma-separated list of mapping and matching
rule names. All other rules will be ignored.

There are two special keywords, 'all_rules' and 'no_rules', which
will enable all or no rules, respectively. The latter means that no
certificates will be filtered out and ssh keys will be generated
from all valid certificates.

If no rules are configured, using 'all_rules' will enable a default
rule which enables all certificates suitable for client
authentication. This is the same behavior as for the PAM responder
if certificate authentication is enabled.

A non-existing rule name is considered an error. If as a result no
rule is selected, all certificates will be ignored.

Default: not set, equivalent to 'all_rules'; all found rules or the
default rule are used

ca_db (string)
Path to a storage of trusted CA certificates. The option is used to
validate user certificates before deriving public ssh keys from
them.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)


PAC responder configuration options
The PAC responder works together with the authorization data plugin for
MIT Kerberos, sssd_pac_plugin.so, and a sub-domain provider. The plugin
sends the PAC data during a GSSAPI authentication to the PAC responder.
The sub-domain provider collects the domain SID and ID ranges of the
domain the client is joined to and of remote trusted domains from the
local domain controller. If the PAC is decoded and evaluated, some of
the following operations are done:

• If the remote user does not exist in the cache, it is created. The
UID is determined with the help of the SID, trusted domains will
have UPGs and the GID will have the same value as the UID. The home
directory is set based on the subdomain_homedir parameter. The
shell will be empty by default, i.e. the system defaults are used,
but can be overwritten with the default_shell parameter.

• If there are SIDs of groups from domains sssd knows about, the user
will be added to those groups.

These options can be used to configure the PAC responder.

allowed_uids (string)
Specifies the comma-separated list of UID values or user names that
are allowed to access the PAC responder. User names are resolved to
UIDs at startup.

Default: 0 (only the root user is allowed to access the PAC
responder)

Please note that although UID 0 is used as the default, it will be
overwritten by this option. If you still want to allow the root
user to access the PAC responder, which would be the typical case,
you have to add 0 to the list of allowed UIDs as well.

pac_lifetime (integer)
Lifetime of the PAC entry in seconds. As long as the PAC is valid
the PAC data can be used to determine the group memberships of a
user.

Default: 300

pac_check (string)
Apply additional checks on the PAC of the Kerberos ticket which is
available in Active Directory and FreeIPA domains, if configured.
Please note that Kerberos ticket validation must be enabled to be
able to check the PAC, i.e. the krb5_validate option must be set to
'True', which is the default for the IPA and AD provider. If
krb5_validate is set to 'False' the PAC checks will be skipped.

The following options can be used alone or in a comma-separated
list:

no_check
The PAC must not be present and even if it is present no
additional checks will be done.

pac_present
The PAC must be present in the service ticket which SSSD will
request with the help of the user's TGT. If the PAC is not
available the authentication will fail.

check_upn
If the PAC is present, check if the user principal name (UPN)
information is consistent.

check_upn_allow_missing
This option should be used together with 'check_upn' and
handles the case where a UPN is set on the server side but is
not read by SSSD. The typical example is a FreeIPA domain where
'ldap_user_principal' is set to a non-existent attribute name.
This was typically done to work around issues in the handling
of enterprise principals. This has been fixed for quite some
time, FreeIPA can handle enterprise principals just fine, and
there is no need anymore to set 'ldap_user_principal'.

Currently this option is set by default to avoid regressions in
such environments. A log message will be added to the system
log and SSSD's debug log in case a UPN is found in the PAC but
not in SSSD's cache. To avoid this log message it would be best
to evaluate if the 'ldap_user_principal' option can be removed.
If this is not possible, removing 'check_upn' will skip the
test and avoid the log message.

upn_dns_info_present
The PAC must contain the UPN-DNS-INFO buffer; implies
'check_upn'.

check_upn_dns_info_ex
If the PAC is present and the extension to the UPN-DNS-INFO
buffer is available, check if the information in the extension
is consistent.

upn_dns_info_ex_present
The PAC must contain the extension of the UPN-DNS-INFO buffer;
implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
'check_upn'.

Default: no_check (AD and IPA provider: 'check_upn,
check_upn_allow_missing, check_upn_dns_info_ex')
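
The pac_check semantics above, as an added example that is not SSSD's own code: the option list is expanded with the implied checks and then evaluated against a decoded PAC, including the krb5_validate gate and the check_upn_allow_missing log-only path. The PAC and cache records, and what "consistent" compares, are simplified assumptions.

```python
"""Added illustration of pac_check: expand the option list (including the
checks each entry implies) and evaluate it against a decoded PAC.
Example code, not SSSD's own; the PAC and cache records, and what
'consistent' compares, are simplified assumptions."""
from typing import Dict, List, Optional, Set, Tuple

KNOWN_CHECKS = {"no_check", "pac_present", "check_upn", "check_upn_allow_missing",
                "upn_dns_info_present", "check_upn_dns_info_ex",
                "upn_dns_info_ex_present"}
# Implications stated in the man page.
PAC_CHECK_IMPLIES = {
    "upn_dns_info_present": {"check_upn"},
    "upn_dns_info_ex_present": {"check_upn_dns_info_ex", "upn_dns_info_present",
                                "check_upn"},
}
# Default for the AD and IPA providers, quoted from the man page.
DEFAULT_PAC_CHECK_AD_IPA = "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"


def expand_pac_checks(value: Optional[str]) -> Set[str]:
    """Parse the comma-separated list and add the implied checks."""
    if value is None or not value.strip():
        return {"no_check"}
    checks: Set[str] = set()
    for item in (i.strip() for i in value.split(",")):
        if not item:
            continue
        if item not in KNOWN_CHECKS:
            raise ValueError(f"unknown pac_check option {item!r}")
        checks.add(item)
        checks |= PAC_CHECK_IMPLIES.get(item, set())
    return checks


def evaluate_pac(checks: Set[str], krb5_validate: bool, pac: Optional[Dict],
                 cached_user: Dict) -> Tuple[bool, List[str]]:
    """Return (authentication_ok, log_messages).

    `pac` is None when the service ticket carried no PAC; otherwise a dict
    with 'upn' (from the UPN-DNS-INFO buffer, None if that buffer is absent)
    and 'upn_dns_info_ex' (the extension, modelled as {'sam_name': ...} or
    None). `cached_user` is SSSD's cache entry with 'name' and maybe 'upn'."""
    log: List[str] = []
    if not krb5_validate:             # unvalidated ticket: PAC checks are skipped
        return True, ["krb5_validate is False: PAC checks skipped"]
    if "no_check" in checks:
        return True, log
    if pac is None:
        if "pac_present" in checks:
            return False, ["pac_present: service ticket carries no PAC"]
        return True, log
    pac_upn = pac.get("upn")
    if "upn_dns_info_present" in checks and pac_upn is None:
        return False, ["upn_dns_info_present: UPN-DNS-INFO buffer missing"]
    if "check_upn" in checks and pac_upn is not None:
        cached_upn = cached_user.get("upn")
        if cached_upn is None:
            if "check_upn_allow_missing" not in checks:
                return False, ["check_upn: PAC carries a UPN but SSSD knows none"]
            log.append(f"UPN {pac_upn!r} found in PAC but not in SSSD's cache")
        elif cached_upn.lower() != pac_upn.lower():
            return False, [f"check_upn: PAC UPN {pac_upn!r} != cached {cached_upn!r}"]
    ext = pac.get("upn_dns_info_ex")
    if "upn_dns_info_ex_present" in checks and ext is None:
        return False, ["upn_dns_info_ex_present: UPN-DNS-INFO extension missing"]
    if "check_upn_dns_info_ex" in checks and ext is not None:
        if ext.get("sam_name", "").lower() != cached_user.get("name", "").lower():
            return False, ["check_upn_dns_info_ex: extension does not match cached user"]
    return True, log


if __name__ == "__main__":
    checks = expand_pac_checks(DEFAULT_PAC_CHECK_AD_IPA)
    user = {"name": "alice", "upn": "alice@EXAMPLE.COM"}           # constructed
    pac = {"upn": "alice@EXAMPLE.COM", "upn_dns_info_ex": {"sam_name": "alice"}}
    print(evaluate_pac(checks, True, pac, user))
    print(evaluate_pac(checks, True, {"upn": "bob@EXAMPLE.COM", "upn_dns_info_ex": None}, user))
```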

Session recording configuration options
Session recording works in conjunction with tlog-rec-session(8), a part
of the tlog package, to log what users see and type when they log in on
a text terminal. See also sssd-session-recording(5).

These options can be used to configure session recording.

scope (string)
One of the following strings specifying the scope of session
recording:

"none"
No users are recorded.

"some"
Users/groups specified by the users and groups options are
recorded.

"all"
All users are recorded.

Default: "none"

users (string)
A comma-separated list of users which should have session recording
enabled. Matches user names as returned by NSS, i.e. after the
possible space replacement, case changes, etc.

Default: Empty. Matches no users.

groups (string)
A comma-separated list of groups, members of which should have
session recording enabled. Matches group names as returned by NSS,
i.e. after the possible space replacement, case changes, etc.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a
member of.

Default: Empty. Matches no groups.

exclude_users (string)
A comma-separated list of users to be excluded from recording, only
applicable with 'scope=all'.

Default: Empty. No users excluded.

exclude_groups (string)
A comma-separated list of groups, members of which should be
excluded from recording. Only applicable with 'scope=all'.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a
member of.

Default: Empty. No groups excluded.

These configuration options can be present in a domain configuration
section, that is, in a section called “[domain/NAME]”.

enabled
Explicitly enable or disable the domain. If “true”, the domain is
always “enabled”. If “false”, the domain is always “disabled”. If
this option is not set, the domain is enabled only if it is listed
in the domains option in the “[sssd]” section.

domain_type (string)
Specifies whether the domain is meant to be used by POSIX-aware
clients such as the Name Service Switch or by applications that do
not need POSIX data to be present or generated. Only objects from
POSIX domains are available to the operating system interfaces and
utilities.

Allowed values for this option are “posix” and “application”.

POSIX domains are reachable by all services. Application domains
are only reachable from the InfoPipe responder (see sssd-ifp(5))
and the PAM responder.

NOTE: The application domains are currently well tested with
“id_provider=ldap” only.

For an easy way to configure non-POSIX domains, please see the
“Application domains” section.

Default: posix

min_id,max_id (integer)
UID and GID limits for the domain. If a domain contains an entry
that is outside these limits, it is ignored.

For users, this affects the primary GID limit. The user will not be
returned to NSS if either the UID or the primary GID is outside the
range. For non-primary group memberships, those that are in range
will be reported as expected.

These ID limits affect even saving entries to cache, not only
returning them by name or ID.

Default: 1 for min_id, 0 (no limit) for max_id

enumerate (bool)
Determines if a domain can be enumerated, that is, whether the
domain can list all the users and groups it contains. Note that it
is not required to enable enumeration in order for secondary groups
to be displayed. This parameter can have one of the following
values:

TRUE = Users and groups are enumerated

FALSE = No enumerations for this domain

Default: FALSE

Enumerating a domain requires SSSD to download and store ALL user
and group entries from the remote server.

Note: Enabling enumeration has a moderate performance impact on
SSSD while enumeration is running. It may take up to several
minutes after SSSD startup to fully complete enumerations. During
this time, individual requests for information will go directly to
LDAP, though it may be slow, due to the heavy enumeration
processing. Saving a large number of entries to cache after the
enumeration completes might also be CPU intensive as the
memberships have to be recomputed. This can lead to the “sssd_be”
process becoming unresponsive or even restarted by the internal
watchdog.

While the first enumeration is running, requests for the complete
user or group lists may return no results until it completes.

Further, enabling enumeration may increase the time necessary to
detect network disconnection, as longer timeouts are required to
ensure that enumeration lookups are completed successfully. For
more information, refer to the man pages for the specific
id_provider in use.

For the reasons cited above, enabling enumeration is not
recommended, especially in large environments.

subdomain_enumerate (string)
Whether any of the autodetected trusted domains should be
enumerated. The supported values are:

all
All discovered trusted domains will be enumerated

none
No discovered trusted domains will be enumerated

Optionally, a list of one or more domain names can enable
enumeration just for these trusted domains.

Default: none

entry_cache_timeout (integer)
How many seconds nss_sss should consider entries valid before
asking the backend again.

The cache expiration timestamps are stored as attributes of
individual objects in the cache. Therefore, changing the cache
timeout only has effect for newly added or expired entries. You
should run the sss_cache(8) tool in order to force a refresh of
entries that have already been cached.

Default: 5400

entry_cache_user_timeout (integer)
How many seconds nss_sss should consider user entries valid before
asking the backend again.

Default: entry_cache_timeout

entry_cache_group_timeout (integer)
How many seconds nss_sss should consider group entries valid before
asking the backend again.

Default: entry_cache_timeout

entry_cache_netgroup_timeout (integer)
How many seconds nss_sss should consider netgroup entries valid
before asking the backend again.

Default: entry_cache_timeout

entry_cache_service_timeout (integer)
How many seconds nss_sss should consider service entries valid
before asking the backend again.

Default: entry_cache_timeout

entry_cache_resolver_timeout (integer)
How many seconds nss_sss should consider hosts and networks entries
valid before asking the backend again.

Default: entry_cache_timeout

entry_cache_sudo_timeout (integer)
How many seconds sudo should consider rules valid before asking the
backend again.

Default: entry_cache_timeout

entry_cache_autofs_timeout (integer)
How many seconds the autofs service should consider automounter
maps valid before asking the backend again.

Default: entry_cache_timeout

entry_cache_ssh_host_timeout (integer)
How many seconds to keep a host ssh key after refresh, i.e. how
long to cache the host key for.

Default: entry_cache_timeout

entry_cache_computer_timeout (integer)
How many seconds to keep the local computer entry before asking the
backend again.

Default: entry_cache_timeout

refresh_expired_interval (integer)
Specifies how many seconds SSSD has to wait before triggering a
background refresh task which will refresh all expired or nearly
expired records.

The background refresh will process users, groups and netgroups in
the cache. For users who have performed the initgroups (get group
membership for user, typically run at login) operation in the past,
both the user entry and the group membership are updated.

This option is automatically inherited for all trusted domains.

You can consider setting this value to 3/4 * entry_cache_timeout.

A cache entry will be refreshed by the background task when 2/3 of
the cache timeout has already passed. If there are existing cached
entries, the background task will refer to their original cache
timeout values instead of the current configuration value. This may
lead to a situation in which the background refresh task appears to
not be working. This is done by design to improve offline mode
operation and reuse of existing valid cache entries. To make this
change instant the user may want to manually invalidate the
existing cache.

Default: 0 (disabled)

cache_credentials (bool)
Determines if user credentials are also cached in the local LDB
cache. The cached credentials refer to passwords, which includes
the first (long term) factor of two-factor authentication, not
other authentication mechanisms. Passkey and Smartcard
authentications are expected to work offline as long as a
successful online authentication is recorded in the cache, without
additional configuration.

Note that while credentials are stored as a salted SHA512 hash,
this still potentially poses some security risk in case an
attacker manages to get access to a cache file (normally requires
privileged access) and to break a password using a brute force
attack.

Default: FALSE

cache_credentials_minimal_first_factor_length (int)
If 2-Factor-Authentication (2FA) is used and credentials should be
saved, this value determines the minimal length the first
authentication factor (long term password) must have to be saved as
a SHA512 hash in the cache.

This should prevent the short PINs of a PIN-based 2FA scheme from
being saved in the cache, which would make them easy targets for
brute-force attacks.

Default: 8

account_cache_expiration (integer)
Number of days entries are left in cache after the last successful
login before being removed during a cleanup of the cache. 0 means
keep forever. The value of this parameter must be greater than or
equal to offline_credentials_expiration.

Default: 0 (unlimited)

pwd_expiration_warning (integer)
Display a warning N days before the password expires.

If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from the backend server, it will
automatically be displayed.

Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning. Also an auth provider has
to be configured for the backend.

Default: 7 (Kerberos), 0 (LDAP)

1708 id_provider (string)
1709 The identification provider used for the domain. Supported ID
1710 providers are:
1711
1712 “proxy”: Support a legacy NSS provider.
1713
1714 “files”: FILES provider. See sssd-files(5) for more information on
1715 how to mirror local users and groups into SSSD.
1716
1717 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1718 configuring LDAP.
1719
1720 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1721 See sssd-ipa(5) for more information on configuring FreeIPA.
1722
1723 “ad”: Active Directory provider. See sssd-ad(5) for more
1724 information on configuring Active Directory.
1725
1726 use_fully_qualified_names (bool)
1727 Use the full name and domain (as formatted by the domain's
1728 full_name_format) as the user's login name reported to NSS.
1729
1730 If set to TRUE, all requests to this domain must use fully
1731 qualified names. For example, if used in a LOCAL domain that
1732 contains a "test" user, getent passwd test wouldn't find the user
1733 while getent passwd test@LOCAL would.
1734
1735 NOTE: This option has no effect on netgroup lookups due to their
1736 tendency to include nested netgroups without qualified names. For
1737 netgroups, all domains will be searched when an unqualified name is
1738 requested.
1739
1740 Default: FALSE (TRUE for trusted domain/sub-domains or if
1741 default_domain_suffix is used)
1742
1743 ignore_group_members (bool)
1744 Do not return group members for group lookups.
1745
1746 If set to TRUE, the group membership attribute is not requested
1747 from the ldap server, and group members are not returned when
1748 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1749 As a result, “getent group $groupname” would return the requested
1750 group as if it was empty.
1751
1752 Enabling this option can also make access provider checks for group
1753 membership significantly faster, especially for groups containing
1754 many members.
1755
1756 This option can also be set per subdomain or inherited via
1757 subdomain_inherit.
1758
1759 Default: FALSE
1760
1761 auth_provider (string)
1762 The authentication provider used for the domain. Supported auth
1763 providers are:
1764
1765 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1766 information on configuring LDAP.
1767
1768 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1769 information on configuring Kerberos.
1770
1771 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1772 See sssd-ipa(5) for more information on configuring FreeIPA.
1773
1774 “ad”: Active Directory provider. See sssd-ad(5) for more
1775 information on configuring Active Directory.
1776
1777 “proxy” for relaying authentication to some other PAM target.
1778
1779 “none” disables authentication explicitly.
1780
1781 Default: “id_provider” is used if it is set and can handle
1782 authentication requests.
1783
1784 access_provider (string)
1785 The access control provider used for the domain. There are two
1786 built-in access providers (in addition to any included in installed
1787 backends). The internal special providers are:
1788
1789 “permit” always allows access. It's the only permitted access
1790 provider for a local domain.
1791
1792 “deny” always denies access.
1793
1794 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1795 information on configuring LDAP.
1796
1797 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1798 See sssd-ipa(5) for more information on configuring FreeIPA.
1799
1800 “ad”: Active Directory provider. See sssd-ad(5) for more
1801 information on configuring Active Directory.
1802
1803 “simple” access control based on access or deny lists. See sssd-
1804 simple(5) for more information on configuring the simple access
1805 module.
1806
1807 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1808 information on configuring Kerberos.
1809
1810 “proxy” for relaying access control to another PAM module.
1811
1812 Default: “permit”
1813
1814 chpass_provider (string)
1815 The provider which should handle change password operations for the
1816 domain. Supported change password providers are:
1817
1818 “ldap” to change a password stored in a LDAP server. See sssd-
1819 ldap(5) for more information on configuring LDAP.
1820
1821 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1822 information on configuring Kerberos.
1823
1824 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1825 See sssd-ipa(5) for more information on configuring FreeIPA.
1826
1827 “ad”: Active Directory provider. See sssd-ad(5) for more
1828 information on configuring Active Directory.
1829
1830 “proxy” for relaying password changes to some other PAM target.
1831
1832 “none” disallows password changes explicitly.
1833
1834 Default: “auth_provider” is used if it is set and can handle change
1835 password requests.
1836
1837 sudo_provider (string)
1838 The SUDO provider used for the domain. Supported SUDO providers
1839 are:
1840
1841 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1842 information on configuring LDAP.
1843
1844 “ipa” the same as “ldap” but with IPA default settings.
1845
1846 “ad” the same as “ldap” but with AD default settings.
1847
1848 “none” disables SUDO explicitly.
1849
1850 Default: The value of “id_provider” is used if it is set.
1851
1852 The detailed instructions for configuration of sudo_provider are in
1853 the manual page sssd-sudo(5). There are many configuration options
1854 that can be used to adjust the behavior. Please refer to
1855 "ldap_sudo_*" in sssd-ldap(5).
1856
1857 NOTE: Sudo rules are periodically downloaded in the background
1858 unless the sudo provider is explicitly disabled. Set sudo_provider
1859 = None to disable all sudo-related activity in SSSD if you do not
1860 want to use sudo with SSSD at all.
1861
1862 selinux_provider (string)
1863 The provider which should handle loading of selinux settings. Note
1864 that this provider will be called right after access provider ends.
1865 Supported selinux providers are:
1866
1867 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1868 for more information on configuring IPA.
1869
1870 “none” disallows fetching selinux settings explicitly.
1871
1872 Default: “id_provider” is used if it is set and can handle selinux
1873 loading requests.
1874
1875 subdomains_provider (string)
1876 The provider which should handle fetching of subdomains. This value
1877 should always be the same as id_provider. Supported subdomain
1878 providers are:
1879
1880 “ipa” to load a list of subdomains from an IPA server. See sssd-
1881 ipa(5) for more information on configuring IPA.
1882
1883 “ad” to load a list of subdomains from an Active Directory server.
1884 See sssd-ad(5) for more information on configuring the AD provider.
1885
1886 “none” disallows fetching subdomains explicitly.
1887
1888 Default: The value of “id_provider” is used if it is set.
1889
1890 session_provider (string)
1891 The provider which configures and manages user session related
1892 tasks. The only user session task currently provided is the
1893 integration with Fleet Commander, which works only with IPA.
1894 Supported session providers are:
1895
1896 “ipa” to allow performing user session related tasks.
1897
1898 “none” does not perform any kind of user session related tasks.
1899
1900 Default: “id_provider” is used if it is set and can perform session
1901 related tasks.
1902
1903 NOTE: In order to have this feature working as expected SSSD must
1904 be running as "root" and not as the unprivileged user.
1905
1906 autofs_provider (string)
1907 The autofs provider used for the domain. Supported autofs providers
1908 are:
1909
1910 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1911 information on configuring LDAP.
1912
1913 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1914 more information on configuring IPA.
1915
1916 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1917 information on configuring the AD provider.
1918
1919 “none” disables autofs explicitly.
1920
1921 Default: The value of “id_provider” is used if it is set.
1922
1923 hostid_provider (string)
1924 The provider used for retrieving host identity information.
1925 Supported hostid providers are:
1926
1927 “ipa” to load host identity stored in an IPA server. See sssd-
1928 ipa(5) for more information on configuring IPA.
1929
1930 “none” disables hostid explicitly.
1931
1932 Default: The value of “id_provider” is used if it is set.
1933
1934 resolver_provider (string)
1935 The provider which should handle hosts and networks lookups.
1936 Supported resolver providers are:
1937
1938 “proxy” to forward lookups to another NSS library. See
1939 “proxy_resolver_lib_name”
1940
1941 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1942 for more information on configuring LDAP.
1943
1944 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1945 more information on configuring the AD provider.
1946
1947 “none” disallows fetching hosts and networks explicitly.
1948
1949 Default: The value of “id_provider” is used if it is set.
1950
1951 re_expression (string)
1952 Regular expression for this domain that describes how to parse the
1953 string containing user name and domain into these components. The
1954 "domain" can match either the SSSD configuration domain name, or,
1955 in the case of IPA trust subdomains and Active Directory domains,
1956 the flat (NetBIOS) name of the domain.
1957
1958 Default: “^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$” which
1959 allows two different styles for user names:
1960
1961 • username
1962
1963 • username@domain.name
1964
1965 Default for the AD and IPA provider:
1966 “^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$”
1967 which allows three different styles for user names:
1968
1969 • username
1970
1971 • username@domain.name
1972
1973 • domain\username
1974
1975 While the first two correspond to the general default, the third
1976 one is introduced to allow easy integration of users from Windows
1977 domains.
1978
1979 The default re_expression uses the “@” character as a separator
1980 between the name and the domain. As a result of this setting, the
1981 default does not accept the “@” character in short names (as it is
1982 allowed in Windows group names). If a user wishes to use short
1983 names with “@” they must create their own re_expression.
1984
1985 full_name_format (string)
1986 A printf(3)-compatible format that describes how to compose a fully
1987 qualified name from user name and domain name components.
1988
1989 The following expansions are supported:
1990
1991 %1$s
1992 user name
1993
1994 %2$s
1995 domain name as specified in the SSSD config file.
1996
1997 %3$s
1998 domain flat name. Mostly usable for Active Directory domains,
1999 both directly configured or discovered via IPA trusts.
2000
2001 Default: “%1$s@%2$s”.
2002
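An added example, not part of the sssd.conf manual or of the SSSD code base: the Python below splits the two default re_expression patterns quoted above into their top-level alternatives, tries them in order (Python's re module rejects the repeated group names that PCRE, which SSSD uses, allows, so compiling each alternative separately reproduces PCRE's first-matching-alternative result), and expands a full_name_format string with the %1$s, %2$s and %3$s conversions. The sample login strings and the "sales@ops" case, which shows the documented "@"-in-short-names caveat, are constructed.

```python
import re

# The two default re_expression values quoted in the manual page.
DEFAULT_RE = r"^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$"
AD_IPA_RE = (r"^(((?P<domain>[^\\]+)\\(?P<name>.+))"
             r"|((?P<name>.+)@(?P<domain>[^@]+))"
             r"|((?P<name>[^@\\]+)))$")


def split_alternatives(pattern):
    """Split an anchored '^( a | b | c )$' pattern into ['^a$', '^b$', '^c$'].

    PCRE allows the same group name in several alternatives; Python's re does
    not, so each alternative is compiled on its own and tried in order, which
    gives the same result as PCRE's leftmost-alternative matching.
    """
    if not (pattern.startswith("^(") and pattern.endswith(")$")):
        raise ValueError("expected a pattern of the form ^( ... )$")
    body = pattern[2:-2]
    alts, start, depth, in_class, i = [], 0, 0, False, 0
    while i < len(body):
        c = body[i]
        if c == "\\":          # escaped character: skip it and what it escapes
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            alts.append(body[start:i])
            start = i + 1
        i += 1
    alts.append(body[start:])
    return ["^" + a + "$" for a in alts]


def parse_name(fqname, pattern=DEFAULT_RE):
    """Return (name, domain) for a login string; domain is None for a short
    name, and (None, None) means no alternative matched."""
    for alt in split_alternatives(pattern):
        m = re.match(alt, fqname)
        if m:
            groups = m.groupdict()
            return groups.get("name"), groups.get("domain")
    return None, None


def format_full_name(fmt, name, domain, flat=""):
    """Expand the printf(3)-style conversions full_name_format supports:
    %1$s user name, %2$s configured domain name, %3$s flat (NetBIOS) name."""
    fields = {"1": name, "2": domain, "3": flat}

    def expand(m):
        return "%" if m.group(0) == "%%" else fields[m.group(1)]

    return re.sub(r"%%|%([123])\$s", expand, fmt)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    for login in ["alice", "alice@example.com", "sales@ops", r"AD\bob", ""]:
        print(f"{login!r:22} default: {parse_name(login)}  "
              f"ad/ipa: {parse_name(login, AD_IPA_RE)}")
    print(format_full_name("%1$s@%2$s", "alice", "example.com"))
    print(format_full_name(r"%3$s\%1$s", "bob", "ad.example.com", flat="AD"))
```

With the general default, "sales@ops" is parsed as user "sales" in domain "ops", which is the reason the manual says an "@" in short names needs a custom re_expression.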
2003 lookup_family_order (string)
2004 Selects the preferred address family to use when performing DNS
2005 lookups.
2006
2007 Supported values:
2008
2009 ipv4_first: Try looking up an IPv4 address; if that fails, try IPv6.
2010
2011 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
2012
2013 ipv6_first: Try looking up an IPv6 address; if that fails, try IPv4.
2014
2015 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
2016
2017 Default: ipv4_first
2018
2019 dns_resolver_server_timeout (integer)
2020 Defines the amount of time (in milliseconds) SSSD will try to talk
2021 to a DNS server before trying the next DNS server.
2022
2023 The AD provider will use this option for the CLDAP ping timeouts as
2024 well.
2025
2026 Please see the section “FAILOVER” for more information about the
2027 service resolution.
2028
2029 Default: 1000
2030
2031 dns_resolver_op_timeout (integer)
2032 Defines the amount of time (in seconds) to wait to resolve a single
2033 DNS query (e.g. resolution of a hostname or an SRV record) before
2034 trying the next hostname or DNS discovery.
2035
2036 Please see the section “FAILOVER” for more information about the
2037 service resolution.
2038
2039 Default: 3
2040
2041 dns_resolver_timeout (integer)
2042 Defines the amount of time (in seconds) to wait for a reply from
2043 the internal fail over service before assuming that the service is
2044 unreachable. If this timeout is reached, the domain will continue
2045 to operate in offline mode.
2046
2047 Please see the section “FAILOVER” for more information about the
2048 service resolution.
2049
2050 Default: 6
2051
2052 dns_resolver_use_search_list (bool)
2053 Normally, the DNS resolver searches the domain list defined in the
2054 "search" directive from the resolv.conf file. This can lead to
2055 delays in environments with improperly configured DNS.
2056
2057 If fully qualified domain names (or _srv_) are used in the SSSD
2058 configuration, setting this option to FALSE can prevent unnecessary
2059 DNS lookups in such environments.
2060
2061 Default: TRUE
2062
2063 dns_discovery_domain (string)
2064 If service discovery is used in the back end, specifies the domain
2065 part of the service discovery DNS query.
2066
2067 Default: Use the domain part of the machine's hostname
2068
2069 override_gid (integer)
2070 Override the primary GID value with the one specified.
2071
2072 case_sensitive (string)
2073 Treat user and group names as case sensitive. Possible option
2074 values are:
2075
2076 True
2077 Case sensitive. This value is invalid for AD provider.
2078
2079 False
2080 Case insensitive.
2081
2082 Preserving
2083 Same as False (case insensitive), but does not lowercase names
2084 in the result of NSS operations. Note that name aliases (and in
2085 case of services also protocol names) are still lowercased in
2086 the output.
2087
2088 If you want to set this value for a trusted domain with the IPA
2089 provider, you need to set it both on the client and in SSSD on the
2090 server.
2091
2092 This option can also be set per subdomain or inherited via
2093 subdomain_inherit.
2094
2095 Default: True (False for AD provider)
2096
2097 subdomain_inherit (string)
2098 Specifies a list of configuration parameters that should be
2099 inherited by a subdomain. Please note that only selected parameters
2100 can be inherited. Currently the following options can be inherited:
2101
2102 ldap_search_timeout
2103
2104 ldap_network_timeout
2105
2106 ldap_opt_timeout
2107
2108 ldap_offline_timeout
2109
2110 ldap_enumeration_refresh_timeout
2111
2112 ldap_enumeration_refresh_offset
2113
2114 ldap_purge_cache_timeout
2115
2116 ldap_purge_cache_offset
2117
2118 ldap_krb5_keytab (the value of krb5_keytab will be used if
2119 ldap_krb5_keytab is not set explicitly)
2120
2121 ldap_krb5_ticket_lifetime
2122
2123 ldap_enumeration_search_timeout
2124
2125 ldap_connection_expire_timeout
2126
2127 ldap_connection_expire_offset
2128
2129 ldap_connection_idle_timeout
2130
2131 ldap_use_tokengroups
2132
2133 ldap_user_principal
2134
2135 ignore_group_members
2136
2137 auto_private_groups
2138
2139 case_sensitive
2140
2141 Example:
2142
2143 subdomain_inherit = ldap_purge_cache_timeout
2144
2145
2146 Default: none
2147
2148 Note: This option only works with the IPA and AD provider.
2149
2150 subdomain_homedir (string)
2151 Use this homedir as the default value for all subdomains within
2152 this domain in an IPA-AD trust. See override_homedir for info about
2153 possible values. In addition to those, the expansion below can only
2154 be used with subdomain_homedir.
2155
2156 %F
2157 flat (NetBIOS) name of a subdomain.
2158
2159 The value can be overridden by override_homedir option.
2160
2161 Default: /home/%d/%u
2162
2163 realmd_tags (string)
2164 Various tags stored by the realmd configuration service for this
2165 domain.
2166
2167 cached_auth_timeout (int)
2168 Specifies the time in seconds since the last successful online
2169 authentication during which the user will be authenticated using
2170 cached credentials while SSSD is in online mode. If the credentials
2171 are incorrect, SSSD falls back to online authentication.
2172
2173 This option's value is inherited by all trusted domains. At the
2174 moment it is not possible to set a different value per trusted
2175 domain.
2176
2177 Special value 0 implies that this feature is disabled.
2178
2179 Please note that if “cached_auth_timeout” is longer than
2180 “pam_id_timeout” then the back end could be called to handle
2181 “initgroups.”
2182
2183 Default: 0
2184
2185 local_auth_policy (string)
2186 Local authentication methods policy. Some backends (e.g. LDAP,
2187 proxy provider) only support password-based authentication, while
2188 others can handle PKINIT-based Smartcard authentication (AD, IPA),
2189 two-factor authentication (IPA), or other methods against a central
2190 instance. By default in such cases authentication is only performed
2191 with the methods supported by the backend.
2192
2193 There are three possible values for this option: match, only,
2194 enable. “match” is used to match offline and online states for
2195 Kerberos methods. “only” ignores the online methods and only offers
2196 the local ones. “enable” allows explicitly defining the methods for
2197 local authentication. As an example, “enable:passkey” only enables
2198 passkey for local authentication. Multiple enable values should be
2199 comma-separated, such as “enable:passkey, enable:smartcard”.
2200
2201 Please note that if local Smartcard authentication is enabled and a
2202 Smartcard is present, Smartcard authentication will be preferred
2203 over the authentication methods supported by the backend, i.e.
2204 there will be a PIN prompt instead of e.g. a password prompt.
2205
2206 The following configuration example allows local users to
2207 authenticate locally using any enabled method (i.e. smartcard,
2208 passkey).
2209
2210 [domain/shadowutils]
2211 id_provider = proxy
2212 proxy_lib_name = files
2213 auth_provider = none
2214 local_auth_policy = only
2215
2216 This option is ignored for the files provider.
2217
2218 Default: match
2219
2220 auto_private_groups (string)
2221 This option takes any of three available values:
2222
2223 true
2224 Create user's private group unconditionally from user's UID
2225 number. The GID number is ignored in this case.
2226
2227 NOTE: Because the GID number and the user private group are
2228 inferred from the UID number, it is not supported to have
2229 multiple entries with the same UID or GID number with this
2230 option. In other words, enabling this option enforces
2231 uniqueness across the ID space.
2232
2233 false
2234 Always use the user's primary GID number. The GID number must
2235 refer to a group object in the LDAP database.
2236
2237 hybrid
2238 A primary group is autogenerated for user entries whose UID and
2239 GID numbers have the same value and at the same time the GID
2240 number does not correspond to a real group object in LDAP. If
2241 the values are the same, but the primary GID in the user entry
2242 is also used by a group object, the primary GID of the user
2243 resolves to that group object.
2244
2245 If the UID and GID of a user are different, then the GID must
2246 correspond to a group entry, otherwise the GID is simply not
2247 resolvable.
2248
2249 This feature is useful for environments that wish to stop
2250 maintaining separate group objects for the user private groups,
2251 but also wish to retain the existing user private groups.
2252
2253
2254 For subdomains, the default value is False for subdomains that use
2255 assigned POSIX IDs and True for subdomains that use automatic
2256 ID-mapping.
2257
2258 The value of auto_private_groups can either be set per subdomain
2259 in a subsection, for example:
2260
2261 [domain/forest.domain/sub.domain]
2262 auto_private_groups = false
2263
2264 or globally for all subdomains in the main domain section using the
2265 subdomain_inherit option:
2266
2267 [domain/forest.domain]
2268 subdomain_inherit = auto_private_groups
2269 auto_private_groups = false
2270
2271
2272 Options valid for proxy domains.
2273
2274 proxy_pam_target (string)
2275 The proxy target PAM proxies to.
2276
2277 Default: not set. You have to take an existing PAM configuration
2278 or create a new one and add its service name here. As an
2279 alternative you can enable local authentication with the
2280 local_auth_policy option.
2281
2282 proxy_lib_name (string)
2283 The name of the NSS library to use in proxy domains. The NSS
2284 functions searched for in the library are in the form of
2285 _nss_$(libName)_$(function), for example _nss_files_getpwent.
2286
2287 proxy_resolver_lib_name (string)
2288 The name of the NSS library to use for hosts and networks lookups
2289 in proxy domains. The NSS functions searched for in the library are
2290 in the form of _nss_$(libName)_$(function), for example
2291 _nss_dns_gethostbyname2_r.
2292
2293 proxy_fast_alias (boolean)
2294 When a user or group is looked up by name in the proxy provider, a
2295 second lookup by ID is performed to "canonicalize" the name in case
2296 the requested name was an alias. Setting this option to true causes
2297 SSSD to perform the ID lookup from the cache for performance
2298 reasons.
2299
2300 Default: false
2301
2302 proxy_max_children (integer)
2303 This option specifies the number of pre-forked proxy children. It
2304 is useful for high-load SSSD environments where sssd may run out of
2305 available child slots, which would cause some issues due to the
2306 requests being queued.
2307
2308 Default: 10
2309
2310 Application domains
2311 SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
2312 applications as a gateway to an LDAP directory where users and groups
2313 are stored. However, contrary to the traditional SSSD deployment where
2314 all users and groups either have POSIX attributes or those attributes
2315 can be inferred from the Windows SIDs, in many cases the users and
2316 groups in the application support scenario have no POSIX attributes.
2317 Instead of setting a “[domain/NAME]” section, the administrator can set
2318 up an “[application/NAME]” section that internally represents a domain
2319 with type “application” which optionally inherits settings from a
2320 traditional SSSD domain.
2321
2322 Please note that the application domain must still be explicitly
2323 enabled in the “domains” parameter so that the lookup order between the
2324 application domain and its POSIX sibling domain is set correctly.
2325
2326 Application domain parameters
2327
2328 inherit_from (string)
2329 The SSSD POSIX-type domain the application domain inherits all
2330 settings from. The application domain can moreover add its own
2331 settings to the application settings that augment or override the
2332 “sibling” domain settings.
2333
2334 Default: Not set
2335
2336 The following example illustrates the use of an application domain. In
2337 this setup, the POSIX domain is connected to an LDAP server and is used
2338 by the OS through the NSS responder. In addition, the application
2339 domain also requests the telephoneNumber attribute, stores it as the
2340 phone attribute in the cache and makes the phone attribute reachable
2341 through the D-Bus interface.
2342
2343 [sssd]
2344 domains = appdom, posixdom
2345
2346 [ifp]
2347 user_attributes = +phone
2348
2349 [domain/posixdom]
2350 id_provider = ldap
2351 ldap_uri = ldap://ldap.example.com
2352 ldap_search_base = dc=example,dc=com
2353
2354 [application/appdom]
2355 inherit_from = posixdom
2356 ldap_user_extra_attrs = phone:telephoneNumber
2357
2358 TRUSTED DOMAIN SECTION
2359 Some options used in the domain section can also be used in the trusted
2360 domain section, that is, in a section called
2361 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2362 actual joined-to base domain. Please refer to the examples below for an
2363 explanation. Currently supported options in the trusted domain section
2364 are:
2365
2366 ldap_search_base,
2367
2368 ldap_user_search_base,
2369
2370 ldap_group_search_base,
2371
2372 ldap_netgroup_search_base,
2373
2374 ldap_service_search_base,
2375
2376 ldap_sasl_mech,
2377
2378 ad_server,
2379
2380 ad_backup_server,
2381
2382 ad_site,
2383
2384 use_fully_qualified_names
2385
2386 pam_gssapi_services
2387
2388 pam_gssapi_check_upn
2389
2390 For more details about these options see their individual description
2391 in the manual page.
2392
2393 CERTIFICATE MAPPING SECTION
2394 To allow authentication with Smartcards and certificates, SSSD must be
2395 able to map certificates to users. This can be done by adding the full
2396 certificate to the LDAP object of the user or to a local override.
2397 While using the full certificate is required to use the Smartcard
2398 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2399 details), it might be cumbersome or not even possible to do this for
2400 the general case where local services use PAM for authentication.
2401
2402 To make the mapping more flexible, mapping and matching rules were
2403 added to SSSD (see sss-certmap(5) for details).
2404
2405 A mapping and matching rule can be added to the SSSD configuration in a
2406 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2407 In this section the following options are allowed:
2408
2409 matchrule (string)
2410 Only certificates from the Smartcard which match this rule will
2411 be processed; all others are ignored.
2412
2413 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2414 the Extended Key Usage “clientAuth”
2415
2416 maprule (string)
2417 Defines how the user is found for a given certificate.
2418
2419 Default:
2420
2421 • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2422 providers like “ldap”, “AD” or “ipa”.
2423
2424 • The RULE_NAME for the “files” provider which tries to find a
2425 user with the same name.
2426
2427
2428 domains (string)
2429 Comma-separated list of domain names the rule should be applied
2430 to. By default a rule is only valid in the domain configured in
2431 sssd.conf.
2431 If the provider supports subdomains this option can be used to add
2432 the rule to subdomains as well.
2433
2434 Default: the configured domain in sssd.conf
2435
2436 priority (integer)
2437 Unsigned integer value defining the priority of the rule. The
2438 higher the number the lower the priority. “0” stands for the
2439 highest priority while “4294967295” is the lowest.
2440
2441 Default: the lowest priority
2442
2443 To make the configuration simple and reduce the number of
2444 configuration options, the “files” provider has some special
2445 properties:
2446
2447 • if maprule is not set the RULE_NAME name is assumed to be the name
2448 of the matching user
2448
2449 • if a maprule is used, both a single user name and a template like
2450 “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
2451 e.g. “(username)” or “({subject_rfc822_name.short_name})”
2452
2453 • the “domains” option is ignored
2454
2455
2456 PROMPTING CONFIGURATION SECTION
2457 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
2458 SSSD's PAM module pam_sss will ask SSSD to figure out which
2459 authentication methods are available for the user trying to log in.
2460 Based on the results pam_sss will prompt the user for appropriate
2461 credentials.
2462
2463 With the growing number of authentication methods and the possibility
2464 that there are multiple ones for a single user, the heuristic used by
2465 pam_sss to select the prompting might not be suitable for all use
2466 cases. The following options provide more flexibility here.
2467
2468 Each supported authentication method has its own configuration
2469 subsection under “[prompting/...]”. Currently there are:
2470
2471 [prompting/password]
2472 to configure password prompting, allowed options are:
2473
2474 password_prompt
2475 to change the string of the password prompt
2476
2477
2478 [prompting/2fa]
2479 to configure two-factor authentication prompting, allowed options
2480 are:
2481
2482 first_prompt
2483 to change the string of the prompt for the first factor
2484
2485 second_prompt
2486 to change the string of the prompt for the second factor
2487
2488 single_prompt
2489 boolean value, if True there will be only a single prompt using
2490 the value of first_prompt where it is expected that both
2491 factors are entered as a single string. Please note that both
2492 factors have to be entered here, even if the second factor is
2493 optional.
2494
2495 If the second factor is optional and it should be possible to log
2496 in either only with the password or with both factors, two-step
2497 prompting has to be used.
2498
2499 [prompting/passkey]
2500 to configure passkey authentication prompting, allowed options are:
2501
2502 interactive
2503 boolean value, if True prompt a message and wait before testing
2504 the presence of a passkey device. Recommended if your device
2505 doesn’t have a tactile trigger.
2506
2507 interactive_prompt
2508 to change the message of the interactive prompt.
2509
2510 touch
2511 boolean value, if True prompt a message to remind the user to
2512 touch the device.
2513
2514 touch_prompt
2515 to change the message of the touch prompt.
2516
2517
2518 It is possible to add a subsection for specific PAM services, e.g.
2519 “[prompting/password/sshd]”, to individually change the prompting for
2520 this service.
2521
2522 EXAMPLES
2523 1. The following example shows a typical SSSD config. It does not
2524 describe configuration of the domains themselves - refer to the
2525 documentation on configuring domains for more details.
2526
2527 [sssd]
2528 domains = LDAP
2529 services = nss, pam
2530 config_file_version = 2
2531
2532 [nss]
2533 filter_groups = root
2534 filter_users = root
2535
2536 [pam]
2537
2538 [domain/LDAP]
2539 id_provider = ldap
2540 ldap_uri = ldap://ldap.example.com
2541 ldap_search_base = dc=example,dc=com
2542
2543 auth_provider = krb5
2544 krb5_server = kerberos.example.com
2545 krb5_realm = EXAMPLE.COM
2546 cache_credentials = true
2547
2548 min_id = 10000
2549 max_id = 20000
2550 enumerate = False
2551
2552 2. The following example shows the configuration of an IPA-AD trust
2553 where the AD forest consists of two domains in a parent-child
2554 structure. Suppose the IPA domain (ipa.com) has a trust with the AD
2555 domain (ad.com), and ad.com has a child domain (child.ad.com). To
2556 enable short names in the child domain the following configuration
2556 should be used.
2557
2558 [domain/ipa.com/child.ad.com]
2559 use_fully_qualified_names = false
2560
2561 3. The following example shows the configuration of a certificate
2562 mapping rule. It is valid for the configured domain “my.domain” and
2563 additionally for the subdomain “your.domain”, and uses the full
2564 certificate in the search filter.
2565
2566 [certmap/my.domain/rule_name]
2567 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2568 maprule = (userCertificate;binary={cert!bin})
2569 domains = my.domain, your.domain
2570 priority = 10
2571
2572
2573 SEE ALSO
2574 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-
2575 krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-
2576 sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
2577 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
2578 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
2579 pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).
2580
2581 AUTHORS
2582 The SSSD upstream - https://github.com/SSSD/sssd/
2583
2584
2585
2586SSSD 11/15/2023 SSSD.CONF(5)