SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)

NAME

       sssd.conf - the configuration file for SSSD

FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single- and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3


       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (a higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.
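
       The following Python script is an added example; it is not part of
       this man page or of SSSD's code. It models the two rules above (which
       files in conf.d are used, and that a later file overrides an earlier
       one) with Python's configparser standing in for libini, which is an
       assumption, and checks the root:root/0600 requirement from a file's
       stat() fields. The file names and values it writes are constructed
       sample data.

```python
"""Added example: model sssd.conf + conf.d merging and the permission rule.
Not SSSD's code; configparser stands in for libini (an assumption)."""
import configparser
import os
import stat
import tempfile


def snippet_files(confd_dir):
    """Snippets SSSD would use, in the order they are applied.

    Rule from the man page: only names ending in ".conf" that do not start
    with a dot, in alphabetical order; files included later have priority.
    """
    names = [n for n in os.listdir(confd_dir)
             if n.endswith(".conf") and not n.startswith(".")]
    return [os.path.join(confd_dir, n) for n in sorted(names)]


def merged_config(main_conf, confd_dir):
    """Read sssd.conf first, then the snippets; a later file overrides."""
    parser = configparser.ConfigParser(
        comment_prefixes=("#", ";"),     # whole-line comments only
        inline_comment_prefixes=None,    # inline comments are not supported
        interpolation=None)              # '%' in values stays literal
    parser.read([main_conf] + snippet_files(confd_dir))
    return parser


def check_config_perms(mode, uid, gid):
    """Problems with a config file's st_mode/st_uid/st_gid, per the rule
    'regular file, owned by root, only root may read or write' (0600)."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != 0 or gid != 0:
        problems.append("owner is not root:root")
    if stat.S_IMODE(mode) & 0o177:
        problems.append("mode %o grants access beyond root" % stat.S_IMODE(mode))
    return problems


def check_config_file(path):
    """Apply check_config_perms() to a real file, e.g. /etc/sssd/sssd.conf."""
    st = os.stat(path)
    return check_config_perms(st.st_mode, st.st_uid, st.st_gid)


def demo():
    """Constructed sample tree: sssd.conf plus four entries in conf.d."""
    root = tempfile.mkdtemp()
    confd = os.path.join(root, "conf.d")
    os.mkdir(confd)
    files = {
        "sssd.conf": "[sssd]\ndomains = example.com\ndebug_level = 2\n",
        "conf.d/01_debug.conf": "[sssd]\ndebug_level = 6\n",
        "conf.d/02_debug.conf": "[sssd]\ndebug_level = 9\n"
                                "[nss]\nfilter_users = root,nobody\n",
        "conf.d/.draft.conf": "[sssd]\ndebug_level = 0\n",  # ignored: leading dot
        "conf.d/notes.txt": "[sssd]\ndebug_level = 0\n",    # ignored: not .conf
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    cfg = merged_config(os.path.join(root, "sssd.conf"), confd)
    return {
        "order": [os.path.basename(p) for p in snippet_files(confd)],
        "debug_level": cfg["sssd"]["debug_level"],   # 02_debug.conf wins
        "domains": cfg["sssd"]["domains"],           # untouched by snippets
        "filter_users": cfg["nss"]["filter_users"],  # section added by a snippet
    }


if __name__ == "__main__":
    print(demo())
    print(check_config_perms(stat.S_IFREG | 0o644, 0, 0))
```

       Running it shows conf.d/02_debug.conf winning over both
       01_debug.conf and sssd.conf, while the dot-file and the non-.conf file
       are ignored. check_config_file() is what to run over the real
       sssd.conf and every snippet before deploying them.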

GENERAL OPTIONS

       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9 (10 adds the
           libldb tracing listed below), which represents enabling that level
           and all lower-level debug messages. The more comprehensive option
           is to specify a hexadecimal bitmask to enable or disable specific
           levels (such as if you wish to suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the lower-level errors that
           eventually cause the operation failures reported at level 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           9, 0x20000: Performance and statistical data. Please note that, due
           to the way requests are processed internally, the logged execution
           time of a request might be longer than it actually was.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)

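       The following Python functions are an added example, not SSSD's code.
       They apply the table above: a decimal level is converted to the
       bitmask it stands for, a hexadecimal bitmask is accepted as written,
       and a mask is expanded back into the list of levels it enables. Only
       what the table states is modelled; any corner cases SSSD's own parser
       treats differently are not.

```python
"""Added example: decimal/bitmask debug_level arithmetic from the table above.
Not SSSD's code; corner cases SSSD may handle differently are not modelled."""

DEBUG_LEVELS = [
    # (decimal level, bitmask bit, meaning) exactly as listed in this man page
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing"),
    (9, 0x20000, "performance and statistical data"),
    (10, 0x10000, "libldb tracing"),
]
KNOWN_BITS = 0
for _level, _bit, _ in DEBUG_LEVELS:
    KNOWN_BITS |= _bit


def decimal_to_mask(level):
    """A decimal level enables that level and every lower one."""
    if not 0 <= level <= 10:
        raise ValueError("decimal debug level must be 0-10, got %r" % level)
    mask = 0
    for lvl, bit, _ in DEBUG_LEVELS:
        if lvl <= level:
            mask |= bit
    return mask


def parse_debug_level(value):
    """Accept the two documented spellings: decimal ("2") or hex bitmask ("0x0270").

    A hex mask is taken as-is, so it can also suppress a level that the
    decimal form would include (e.g. 0x0310 logs fatal failures, configuration
    settings and function data, but not critical or serious failures)."""
    text = value.strip().lower()
    if text.startswith("0x"):
        mask = int(text, 16)
        if mask & ~KNOWN_BITS:
            raise ValueError("unknown bits in bitmask: 0x%x" % (mask & ~KNOWN_BITS))
        return mask
    return decimal_to_mask(int(text, 10))


def enabled_levels(mask):
    """Human-readable list of what a bitmask turns on, in table order."""
    return [meaning for _, bit, meaning in DEBUG_LEVELS if mask & bit]


def mask_to_hex(mask):
    return "0x%04x" % mask


if __name__ == "__main__":
    for spelling in ("2", "0x0270", "0x1310", "9"):
        mask = parse_debug_level(spelling)
        print(spelling, "->", mask_to_hex(mask), enabled_levels(mask))
```

       The two examples from the text, 0x0270 and 0x1310, come out as the
       documented level lists, and the default 0x0070 is exactly what decimal
       2 expands to.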
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           If SSSD is run with a debug_level lower than 9, everything is
           logged to a ring buffer in memory and flushed to the log file on
           any error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger a backtrace, otherwise levels up to 2 will).

           The feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The list of services is optional on platforms where systemd
           is supported, as the services will be either socket or D-Bus
           activated when needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing "systemctl enable
           sssd-<service>.socket" (for example sssd-nss.socket).

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           several domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter lists the domains
           in the order you want them to be queried. A domain name is
           recommended to contain only alphanumeric ASCII characters, dashes,
           dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

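       An added Python example (not SSSD's code) of the two mechanisms just
       described: splitting an input name with a re_expression and composing
       a fully qualified name with a printf-style full_name_format. The
       regular expression and format used as defaults below are assumptions
       made for the example; this page defers the real defaults to DOMAIN
       SECTIONS. The user and domain names are constructed.

```python
"""Added example: re_expression / full_name_format handling. Not SSSD's code.
The DEFAULT_* values below are assumptions for the example, not quoted from
this page."""
import re

# Assumed defaults (see DOMAIN SECTIONS of the real page for the actual ones).
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"


def split_name(value, re_expression=DEFAULT_RE_EXPRESSION):
    """Return (user, domain); domain is None when the input was not qualified.

    The expression must define the named groups 'name' and 'domain'."""
    match = re.match(re_expression, value)
    if match is None:
        raise ValueError("name %r does not match re_expression" % value)
    return match.group("name"), (match.group("domain") or None)


def compose_name(user, domain, flat_name=None,
                 full_name_format=DEFAULT_FULL_NAME_FORMAT):
    """Expand %1$s (user), %2$s (domain as configured), %3$s (flat name).

    Only these three positional conversions are modelled; any other '%'
    conversion in the format is rejected rather than guessed at."""
    pattern = r"%([123])\$s"
    if "%" in re.sub(pattern, "", full_name_format):
        raise ValueError("unsupported conversion in full_name_format")
    fields = {"1": user, "2": domain, "3": flat_name or ""}
    return re.sub(pattern, lambda m: fields[m.group(1)], full_name_format)


if __name__ == "__main__":
    print(split_name("alice@example.com"))
    print(split_name("alice"))
    print(compose_name("alice", "ad.example.com", "AD", r"%3$s\%1$s"))
    print(compose_name("alice", "example.com", full_name_format="%1$s"))
```

       The last call shows the “full_name_format=%1$s” workaround mentioned
       under domain_resolution_order: it drops the domain entirely, which is
       exactly why it is unsafe where user names overlap between domains.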
       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that SSSD
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in with just their user name, without giving a domain
           name as well.

           Please note that if this option is set, all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False. One exception from this rule are domains with
           “id_provider=files”, which always try to match the behaviour of
           nss_files and therefore their output is not qualified even when
           the default_domain_suffix option is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_): the user name
           "john doe" will be returned as "john_doe". This feature was added
           to help compatibility with shell scripts that have difficulty
           handling spaces, due to the default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name, but in general the result of a lookup is
           undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               •   sha1

               •   sha256

               •   sha384

               •   sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired, ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

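       The following Python functions are an added example, not SSSD's code.
       They parse a certificate_verification value into the options listed
       above (reporting, as SSSD does, anything unknown) and then lint it the
       way a reviewer would, flagging the settings that weaken or disable
       revocation checking. The option names are the ones on this page; the
       lint messages and the sample values, including the CRL path, are the
       editor's own.

```python
"""Added example: parse and lint a certificate_verification value.
Not SSSD's code; the option names come from the list above, the risk notes
are the editor's reading of that list."""

FLAG_OPTIONS = {"no_ocsp", "soft_ocsp", "no_verification", "partial_chain",
                "soft_crl"}
VALUE_OPTIONS = {"ocsp_dgst", "ocsp_default_responder",
                 "ocsp_default_responder_signing_cert", "crl_file"}
OCSP_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}

# Options that weaken verification; acceptable only with a documented reason.
WEAKENING = {
    "no_verification": "verification disabled entirely (testing only)",
    "soft_ocsp": "OCSP skipped when the responder is unreachable",
    "soft_crl": "expired CRL ignored",
    "partial_chain": "chain need not end at a self-signed trust anchor",
}


def parse_certificate_verification(value):
    """Split the comma separated list into (options, unknown_items).

    Unknown items are what the man page says SSSD reports but ignores."""
    options, unknown = {}, []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, has_value, val = item.partition("=")
        if key in FLAG_OPTIONS and not has_value:
            options[key] = True
        elif key in VALUE_OPTIONS and has_value and val:
            options[key] = val
        else:
            unknown.append(item)
    return options, unknown


def lint_certificate_verification(value):
    """Findings a reviewer would raise for the given option string."""
    options, unknown = parse_certificate_verification(value)
    findings = ["ignored unknown option: %s" % u for u in unknown]
    for key in options:
        if key in WEAKENING:
            findings.append("%s: %s" % (key, WEAKENING[key]))
    digest = options.get("ocsp_dgst", "sha1")
    if digest not in OCSP_DIGESTS:
        findings.append("ocsp_dgst: unsupported value %r" % digest)
    if ("no_ocsp" in options and "crl_file" not in options
            and "no_verification" not in options):
        findings.append("no_ocsp without crl_file: revocation is never checked")
    if "ocsp_default_responder_signing_cert" in options:
        findings.append("ocsp_default_responder_signing_cert is currently ignored")
    return findings


if __name__ == "__main__":
    # Constructed sample; the CRL path is illustrative only.
    for sample in ("no_ocsp", "no_ocsp,crl_file=/etc/pki/ca/crl.pem",
                   "soft_ocsp,ocsp_dgst=sha256,bogus", "no_verification"):
        print(sample, "->", lint_certificate_verification(sample))
```

       The useful point for a deployment review is the no_ocsp case: on its
       own it leaves no revocation source at all, while pairing it with
       crl_file keeps revocation checking working without a reachable
       responder.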
       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses and links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains, as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed in this
           option will be looked up in a random order for each parent domain.

           Please note that when this option is set, the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider.
           In case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3). If a short name is returned for a qualified input
           (while trying to reach a user which exists in multiple domains),
           this might re-route the login attempt into the domain which uses
           short names, so this workaround is not recommended at all in cases
           where usernames may overlap between domains.

           Default: Not set

       implicit_pac_responder (boolean)
           The PAC responder is enabled automatically for the IPA and AD
           provider to evaluate and check the PAC. If it has to be disabled,
           set this option to 'false'.

           Default: true

       core_dumpable (boolean)
           This option can be used for general system hardening: setting it to
           'false' forbids core dumps for all SSSD processes to avoid leaking
           plain text passwords. See prctl(2), PR_SET_DUMPABLE, for details.

           Default: true

       passkey_verification (string)
           With this parameter the passkey verification can be tuned with a
           comma separated list of options. Supported options are:

           user_verification (boolean)
               Enable or disable the user verification (i.e. PIN, fingerprint)
               during authentication. If enabled, the PIN will always be
               requested.

               The default is that the key settings decide what to do. In the
               IPA or Kerberos pre-authentication case, this value will be
               overwritten by the server.

SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower of this value and the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses an incremental back-off to
           calculate the delay between retries, so the wait time for a given
           retry will be longer than the wait time for the previous ones.
           After each unsuccessful attempt to go online, the new interval is
           recalculated as follows:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the number of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set
           offline_timeout_max to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers at
           the following time intervals:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used in the
           above equation. The final random_offset value will be a random
           number in the range:

           [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30

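       The following Python code is an added example, not SSSD's code. It
       models the back-off formula shared by the three offline_timeout*
       options above and prints the resulting retry schedule, including the
       three corner cases the text calls out (offline_timeout_max of 0,
       smaller than offline_timeout, and smaller than twice offline_timeout).
       It assumes, which the page does not state, that the first wait after
       going offline is offline_timeout itself.

```python
"""Added example: the offline retry back-off described above. Not SSSD's
code; it models only the documented formula. Assumption: the first wait after
going offline equals offline_timeout itself."""
import random


def next_delay(old_delay, offline_timeout_max=3600,
               offline_timeout_random_offset=30, rng=None):
    """new_delay = min(old_delay * 2, offline_timeout_max) + random[0..offset].

    offline_timeout_max == 0 disables the doubling (documented), so the delay
    stays where it is; random_offset == 0 disables the jitter."""
    rng = rng if rng is not None else random
    if offline_timeout_max > 0:
        base = min(old_delay * 2, offline_timeout_max)
    else:
        base = old_delay
    jitter = 0
    if offline_timeout_random_offset > 0:
        jitter = rng.randint(0, offline_timeout_random_offset)
    return base + jitter


def retry_schedule(offline_timeout=60, offline_timeout_max=3600,
                   offline_timeout_random_offset=30, attempts=8, seed=None):
    """Seconds waited before each of the first `attempts` reconnection tries."""
    rng = random.Random(seed)
    waits = []
    delay = offline_timeout
    for _ in range(attempts):
        waits.append(delay)
        delay = next_delay(delay, offline_timeout_max,
                           offline_timeout_random_offset, rng)
    return waits


def time_until_cap(offline_timeout=60, offline_timeout_max=3600):
    """Total seconds (without jitter) before the interval first hits the cap."""
    total, delay = 0, offline_timeout
    while delay < offline_timeout_max:
        total += delay
        delay = min(delay * 2, offline_timeout_max)
    return total


if __name__ == "__main__":
    print("defaults, no jitter:", retry_schedule(offline_timeout_random_offset=0))
    print("max=120 saturates at once:",
          retry_schedule(offline_timeout_max=120, offline_timeout_random_offset=0))
    print("max=30 overrides offline_timeout:",
          retry_schedule(offline_timeout_max=30, offline_timeout_random_offset=0))
    print("max=0, no back-off:",
          retry_schedule(offline_timeout_max=0, offline_timeout_random_offset=0))
    print("with jitter (seed 1):", retry_schedule(seed=1))
    print("seconds until the 3600 s cap:", time_until_cap())
```

       With the defaults the interval reaches the 3600-second cap on the
       seventh retry, a little over an hour after going offline; that is the
       figure to weigh when choosing offline_timeout_max for hosts that must
       notice a restored network quickly.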
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be applied to the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds nss_sss should cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), requests that
           come in more than 15 seconds after the last cache update will be
           answered immediately from the cache, but SSSD will go and update
           the cache on its own, so that future requests will not need to
           block waiting for a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative hits
           (that is, queries for invalid database entries, like nonexistent
           ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still appear as group members, set
           this option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %h
               The original home directory retrieved from the identity
               provider, but in lower case.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u


           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note that the home directory from a specific override for
           the user, either locally (see sss_override(8)) or centrally managed
           IPA id-overrides, has a higher precedence and will be used instead
           of the value given by override_homedir.

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u


           Default: not set (no substitution for unset home directories)

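       The following Python code is an added example, not SSSD's code. It
       implements the template sequences listed under override_homedir and
       the precedence described for override_homedir, the provider's value
       and fallback_homedir (a per-user id-override, which beats all three,
       is deliberately left out). The sample identity is constructed.

```python
"""Added example: expansion of override_homedir / fallback_homedir templates
and which of the documented sources wins. Not SSSD's code; the sample user
below is constructed."""


def expand_homedir(template, *, user, uid, domain, upn="", orig_home="",
                   homedir_substring="/home"):
    """Substitute the sequences listed under override_homedir."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        i += 1
        if ch != "%":
            out.append(ch)
            continue
        if i >= len(template):
            raise ValueError("template ends with a lone '%'")
        spec = template[i]
        i += 1
        if spec == "u":
            out.append(user)
        elif spec == "U":
            out.append(str(uid))
        elif spec == "d":
            out.append(domain)
        elif spec == "f":
            out.append("%s@%s" % (user, domain))
        elif spec == "l":
            out.append(user[:1])
        elif spec == "P":
            out.append(upn)
        elif spec == "o":
            out.append(orig_home)
        elif spec == "h":
            out.append(orig_home.lower())
        elif spec == "H":
            out.append(homedir_substring)
        elif spec == "%":
            out.append("%")
        else:
            raise ValueError("unknown sequence %%%s in template" % spec)
    return "".join(out)


def effective_homedir(provider_home, override_homedir=None,
                      fallback_homedir=None, **fields):
    """Precedence as documented: override_homedir replaces the provider
    value; fallback_homedir is used only when the provider returned none.
    (A per-user id-override, which beats all of these, is not modelled.)"""
    fields.setdefault("orig_home", provider_home or "")
    if override_homedir:
        return expand_homedir(override_homedir, **fields)
    if provider_home:
        return provider_home
    if fallback_homedir:
        return expand_homedir(fallback_homedir, **fields)
    return None   # nothing to substitute; libc sees no home directory


SAMPLE = dict(user="alice", uid=1001, domain="example.com",
              upn="alice@EXAMPLE.COM")   # constructed sample identity

if __name__ == "__main__":
    print(expand_homedir("/home/%d/%l/%u", **SAMPLE))
    print(effective_homedir("/Export/Alice", override_homedir="%h", **SAMPLE))
    print(effective_homedir(None, fallback_homedir="%H/%u", **SAMPLE))
```

       The %h case is the one worth trying before deploying a template: it
       lower-cases whatever the provider returned, so an override of "%h"
       silently maps two provider values that differ only in case onto the
       same directory.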
675       override_shell (string)
676           Override the login shell for all users. This option supersedes any
677           other shell options if it takes effect and can be set either in the
678           [nss] section or per-domain.
679
680           Default: not set (SSSD will use the value retrieved from LDAP)
681
682       allowed_shells (string)
683           Restrict user shell to one of the listed values. The order of
684           evaluation is:
685
686           1. If the shell is present in “/etc/shells”, it is used.
687
688           2. If the shell is in the allowed_shells list but not in
689           “/etc/shells”, use the value of the shell_fallback parameter.
690
691           3. If the shell is not in the allowed_shells list and not in
692           “/etc/shells”, a nologin shell is used.
693
694           The wildcard (*) can be used to allow any shell.
695
696           The (*) is useful if you want to use shell_fallback in case that
697           user's shell is not in “/etc/shells” and maintaining list of all
698           allowed shells in allowed_shells would be to much overhead.
699
700           An empty string for shell is passed as-is to libc.
701
702           The “/etc/shells” is only read on SSSD start up, which means that a
703           restart of the SSSD is required in case a new shell is installed.
704
705           Default: Not set. The user shell is automatically used.
706
707       vetoed_shells (string)
708           Replace any instance of these shells with the shell_fallback
709
710       shell_fallback (string)
711           The default shell to use if an allowed shell is not installed on
712           the machine.
713
714           Default: /bin/sh
715
716       default_shell
717           The default shell to use if the provider does not return one during
718           lookup. This option can be specified globally in the [nss] section
719           or per-domain.
720
721           Default: not set (Return NULL if no shell is specified and rely on
722           libc to substitute something sensible when necessary, usually
723           /bin/sh)
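
           The shell selection described under allowed_shells, vetoed_shells,
           shell_fallback, default_shell and override_shell above, as an added
           Python example (not SSSD's own code): the function applies the
           three evaluation steps of allowed_shells, the "*" wildcard, the
           empty-string pass-through and the fallback and override options to
           the shell returned by the provider. The /etc/shells contents are a
           constructed sample; the nologin path and the order in which
           override_shell and vetoed_shells are applied relative to the
           allowed_shells steps are assumptions of the example.

```python
# Constructed sample of /etc/shells contents (not copied from a real host).
ETC_SHELLS_TEXT = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh
"""

# Assumed path of the nologin shell; SSSD uses the one chosen at build time.
NOLOGIN_SHELL = "/sbin/nologin"


def parse_etc_shells(text):
    """Return the set of shells listed in /etc/shells, skipping comments and blanks."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_list(value):
    """Split a comma-separated sssd.conf value into a list of stripped items."""
    if value is None:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_shell(provider_shell, etc_shells, allowed_shells=None, vetoed_shells=None,
                  shell_fallback="/bin/sh", default_shell=None, override_shell=None):
    """Decide which login shell the NSS responder hands to libc.

    provider_shell is the value retrieved from LDAP (None when the provider
    returned no shell); the other arguments mirror the sssd.conf options.
    """
    allowed = parse_list(allowed_shells)
    vetoed = parse_list(vetoed_shells)

    # override_shell supersedes every other shell option (assumed to be checked first).
    if override_shell is not None:
        return override_shell
    # default_shell only matters when the provider returned nothing at all.
    if provider_shell is None:
        return default_shell  # None means: let libc substitute, usually /bin/sh
    # An empty string is passed through to libc untouched.
    if provider_shell == "":
        return ""
    # vetoed_shells: replace with shell_fallback (assumed to precede allowed_shells).
    if provider_shell in vetoed:
        return shell_fallback
    # allowed_shells not set: the provider's shell is used automatically.
    if not allowed:
        return provider_shell
    # Step 1: a shell present in /etc/shells is used.
    if provider_shell in etc_shells:
        return provider_shell
    # Step 2: allowed (or "*" wildcard) but not in /etc/shells: shell_fallback.
    if "*" in allowed or provider_shell in allowed:
        return shell_fallback
    # Step 3: neither allowed nor in /etc/shells: the nologin shell.
    return NOLOGIN_SHELL
```

           The wildcard case is the one worth checking on a real host: with
           allowed_shells = * a shell missing from /etc/shells silently
           becomes shell_fallback rather than nologin, so the fallback must
           itself be a shell you are willing to give every user.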
724
725       get_domains_timeout (int)
726           Specifies time in seconds for which the list of subdomains will be
727           considered valid.
728
729           Default: 60
730
731       memcache_timeout (integer)
732           Specifies time in seconds for which records in the in-memory cache
733           will be valid. Setting this option to zero will disable the
734           in-memory cache.
735
736           Default: 300
737
738           WARNING: Disabling the in-memory cache will have significant
739           negative impact on SSSD's performance and should only be used for
740           testing.
741
742           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
743           "NO", client applications will not use the fast in-memory cache.
744
745       memcache_size_passwd (integer)
746           Size (in megabytes) of the data table allocated inside fast
747           in-memory cache for passwd requests. Setting the size to 0 will
748           disable the passwd in-memory cache.
749
750           Default: 8
751
752           WARNING: Disabled or too small in-memory cache can have significant
753           negative impact on SSSD's performance.
754
755           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
756           "NO", client applications will not use the fast in-memory cache.
757
758       memcache_size_group (integer)
759           Size (in megabytes) of the data table allocated inside fast
760           in-memory cache for group requests. Setting the size to 0 will
761           disable the group in-memory cache.
762
763           Default: 6
764
765           WARNING: Disabled or too small in-memory cache can have significant
766           negative impact on SSSD's performance.
767
768           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
769           "NO", client applications will not use the fast in-memory cache.
770
771       memcache_size_initgroups (integer)
772           Size (in megabytes) of the data table allocated inside fast
773           in-memory cache for initgroups requests. Setting the size to 0 will
774           disable the initgroups in-memory cache.
775
776           Default: 10
777
778           WARNING: Disabled or too small in-memory cache can have significant
779           negative impact on SSSD's performance.
780
781           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
782           "NO", client applications will not use the fast in-memory cache.
783
784       memcache_size_sid (integer)
785           Size (in megabytes) of the data table allocated inside fast
786           in-memory cache for SID related requests. Only SID-by-ID and
787           ID-by-SID requests are currently cached in fast in-memory cache.
788           Setting the size to 0 will disable the SID in-memory cache.
789
790           Default: 6
791
792           WARNING: Disabled or too small in-memory cache can have significant
793           negative impact on SSSD's performance.
794
795           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
796           "NO", client applications will not use the fast in-memory cache.
797
798       user_attributes (string)
799           Some of the additional NSS responder requests can return more
800           attributes than just the POSIX ones defined by the NSS interface.
801           The list of attributes is controlled by this option. It is handled
802           the same way as the “user_attributes” option of the InfoPipe
803           responder (see sssd-ifp(5) for details) but with no default values.
804
805           To make configuration easier, the NSS responder falls back to the
806           InfoPipe option if this option is not set for the NSS responder.
807
808           Default: not set, fallback to InfoPipe option
809
810       pwfield (string)
811           The value that NSS operations that return users or groups will
812           return for the “password” field.
813
814           Default: “*”
815
816           Note: This option can also be set per domain, which overrides the
817           value in the [nss] section.
818
819           Default: “not set” (remote domains), “x” (the files domain), “x”
820           (proxy domain with nss_files and sssd-shadowutils target)
821
822   PAM configuration options
823       These options can be used to configure the Pluggable Authentication
824       Module (PAM) service.
825
826       offline_credentials_expiration (integer)
827           If the authentication provider is offline, how long should we allow
828           cached logins (in days since the last successful online login).
829
830           Default: 0 (No limit)
831
832       offline_failed_login_attempts (integer)
833           If the authentication provider is offline, how many failed login
834           attempts are allowed.
835
836           Default: 0 (No limit)
837
838       offline_failed_login_delay (integer)
839           The time in minutes which has to pass after
840           offline_failed_login_attempts has been reached before a new login
841           attempt is possible.
842
843           If set to 0 the user cannot authenticate offline if
844           offline_failed_login_attempts has been reached. Only a successful
845           online authentication can enable offline authentication again.
846
847           Default: 5
848
849       pam_verbosity (integer)
850           Controls what kind of messages are shown to the user during
851           authentication. The higher the number, the more messages are
852           displayed.
853
854           Currently sssd supports the following values:
855
856           0: do not show any message
857
858           1: show only important messages
859
860           2: show informational messages
861
862           3: show all messages and debug information
863
864           Default: 1
865
866       pam_response_filter (string)
867           A comma-separated list of strings which allows removing (filtering)
868           data sent by the PAM responder to the pam_sss PAM module. There are
869           different kinds of responses sent to pam_sss, e.g. messages
870           displayed to the user or environment variables which should be set
871           by pam_sss.
872
873           While messages can already be controlled with the help of the
874           pam_verbosity option, this option allows filtering out other kinds
875           of responses as well.
876
877           Currently the following filters are supported:
878
879           ENV
880               Do not send any environment variables to any service.
881
882           ENV:var_name
883               Do not send environment variable var_name to any service.
884
885           ENV:var_name:service
886               Do not send environment variable var_name to service.
887
888           The list of strings can either be a plain list of filters, which
889           replaces the default list, or each element of the list can be
890           prefixed with a '+' or '-' character, which adds the filter to the
891           existing defaults or removes it from the defaults, respectively.
892           Please note that either all list elements must have a '+' or '-'
893           prefix or none of them may have one. Mixing both styles is
894           considered an error.
895
896           Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
897
898           Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
899           default list
900
901       pam_id_timeout (integer)
902           For any PAM request while SSSD is online, the SSSD will attempt to
903           immediately update the cached identity information for the user in
904           order to ensure that authentication takes place with the latest
905           information.
906
907           A complete PAM conversation may perform multiple PAM requests, such
908           as account management and session opening. This option controls (on
909           a per-client-application basis) how long (in seconds) we can cache
910           the identity information to avoid excessive round-trips to the
911           identity provider.
912
913           Default: 5
914
915       pam_pwd_expiration_warning (integer)
916           Display a warning N days before the password expires.
917
918           Please note that the backend server has to provide information
919           about the expiration time of the password. If this information is
920           missing, sssd cannot display a warning.
921
922           If zero is set, then this filter is not applied, i.e. if the
923           expiration warning was received from the backend server, it will
924           automatically be displayed.
925
926           This setting can be overridden by setting pwd_expiration_warning
927           for a particular domain.
928
929           Default: 0
930
931       get_domains_timeout (int)
932           Specifies time in seconds for which the list of subdomains will be
933           considered valid.
934
935           Default: 60
936
937       pam_trusted_users (string)
938           Specifies the comma-separated list of UID values or user names that
939           are allowed to run PAM conversations against trusted domains. Users
940           not included in this list can only access domains marked as public
941           with “pam_public_domains”. User names are resolved to UIDs at
942           startup.
943
944           Default: All users are considered trusted by default
945
946           Please note that UID 0 is always allowed to access the PAM
947           responder even in case it is not in the pam_trusted_users list.
948
949       pam_public_domains (string)
950           Specifies the comma-separated list of domain names that are
951           accessible even to untrusted users.
952
953           Two special values for the pam_public_domains option are defined:
954
955           all (Untrusted users are allowed to access all domains in the PAM
956           responder.)
957
958           none (Untrusted users are not allowed to access any domains in the
959           PAM responder.)
960
961           Default: none
962
963       pam_account_expired_message (string)
964           Allows a custom expiration message to be set, replacing the default
965           'Permission denied' message.
966
967           Note: Please be aware that the message is only printed for the SSH
968           service unless pam_verbosity is set to 3 (show all messages and
969           debug information).
970
971           example:
972
973               pam_account_expired_message = Account expired, please contact help desk.
974
975
976           Default: none
977
978       pam_account_locked_message (string)
979           Allows a custom lockout message to be set, replacing the default
980           'Permission denied' message.
981
982           example:
983
984               pam_account_locked_message = Account locked, please contact help desk.
985
986
987           Default: none
988
989       pam_passkey_auth (bool)
990           Enable passkey device based authentication.
991
992           Default: False
993
994       passkey_debug_libfido2 (bool)
995           Enable libfido2 library debug messages.
996
997           Default: False
998
999       pam_cert_auth (bool)
1000           Enable certificate based Smartcard authentication. Since this
1001           requires additional communication with the Smartcard which will
1002           delay the authentication process this option is disabled by
1003           default.
1004
1005           Default: False
1006
1007       pam_cert_db_path (string)
1008           The path to the certificate database.
1009
1010           Default:
1011
1012           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1013               CA certificates in PEM format)
1014
1015
1016       pam_cert_verification (string)
1017           With this parameter the PAM certificate verification can be tuned
1018           with a comma separated list of options that override the
1019           “certificate_verification” value in the “[sssd]” section. The
1020           supported options are the same as for “certificate_verification”.
1021
1022           example:
1023
1024               pam_cert_verification = partial_chain
1025
1026
1027           Default: not set, i.e. use default “certificate_verification”
1028           option defined in “[sssd]” section.
1029
1030       p11_child_timeout (integer)
1031           How many seconds pam_sss will wait for p11_child to finish.
1032
1033           Default: 10
1034
1035       passkey_child_timeout (integer)
1036           How many seconds the PAM responder will wait for passkey_child to
1037           finish.
1038
1039           Default: 15
1040
1041       pam_app_services (string)
1042           Which PAM services are permitted to contact domains of type
1043           “application”.
1044
1045           Default: Not set
1046
1047       pam_p11_allowed_services (integer)
1048           A comma-separated list of PAM service names that are allowed to
1049           use Smartcards.
1050
1051           It is possible to add another PAM service name to the default set
1052           by using “+service_name” or to explicitly remove a PAM service name
1053           from the default set by using “-service_name”. For example, in
1054           order to replace a default PAM service name for authentication with
1055           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
1056           “my_pam_service”), you would use the following configuration:
1057
1058               pam_p11_allowed_services = +my_pam_service, -login
1059
1060
1061           Default: the default set of PAM service names includes:
1062
1063           •   login
1064
1065           •   su
1066
1067           •   su-l
1068
1069           •   gdm-smartcard
1070
1071           •   gdm-password
1072
1073           •   kdm
1074
1075           •   sudo
1076
1077           •   sudo-i
1078
1079           •   gnome-screensaver
1080
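           Both pam_response_filter and pam_p11_allowed_services use the same
           '+'/'-' convention for editing a default list, and the text above
           leaves the "mixed styles" error and the ENV filter matching to the
           reader. The following added Python example (not SSSD's own code)
           implements that list merging once for both options and evaluates
           the three ENV filter forms against a variable name and PAM service
           name. The default lists are the ones documented above; the
           function names are the example's own.

```python
# Defaults as documented in sssd.conf(5) for the two options.
PAM_RESPONSE_FILTER_DEFAULT = "ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i"
PAM_P11_ALLOWED_SERVICES_DEFAULT = ("login, su, su-l, gdm-smartcard, gdm-password, "
                                    "kdm, sudo, sudo-i, gnome-screensaver")


def parse_list(value):
    """Split a comma-separated sssd.conf value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def merge_with_defaults(defaults, configured):
    """Apply a configured list to a default list the way the man page describes.

    Without prefixes the configured list replaces the defaults entirely.  With
    a '+' or '-' prefix on every element, items are added to or removed from
    the defaults.  Mixing prefixed and plain elements is an error.
    """
    if configured is None or not parse_list(configured):
        return parse_list(defaults)
    items = parse_list(configured)
    prefixed = [item[0] in "+-" for item in items]
    if any(prefixed) and not all(prefixed):
        raise ValueError("mixed '+'/'-' and plain entries: %r" % configured)
    if not any(prefixed):
        return items                      # plain list: overrides the defaults
    result = parse_list(defaults)
    for item in items:
        name = item[1:].strip()
        if item[0] == "+":
            if name not in result:
                result.append(name)       # add to the default set
        else:
            result = [r for r in result if r != name]   # remove from the default set
    return result


def env_var_filtered(filters, var_name, service):
    """True if the PAM responder should withhold var_name from the given service.

    Understands the three documented forms: ENV, ENV:var_name and
    ENV:var_name:service.  Any other filter string is ignored.
    """
    for flt in filters:
        parts = flt.split(":")
        if parts[0] != "ENV":
            continue
        if len(parts) == 1:
            return True                   # ENV: no variables to any service
        if parts[1] != var_name:
            continue
        if len(parts) == 2 or parts[2] == service:
            return True                   # ENV:var or ENV:var:service matched
    return False
```

           merge_with_defaults(PAM_P11_ALLOWED_SERVICES_DEFAULT,
           "+my_pam_service, -login") reproduces the configuration shown
           above, and merge_with_defaults(PAM_RESPONSE_FILTER_DEFAULT,
           "-ENV:KRB5CCNAME:sudo-i") reproduces the pam_response_filter
           example; note that a plain "ENV" entry silently drops the
           KRB5CCNAME defaults along with everything else.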
1081
1082       p11_wait_for_card_timeout (integer)
1083           If Smartcard authentication is required, how many extra seconds in
1084           addition to p11_child_timeout the PAM responder should wait for a
1085           Smartcard to be inserted.
1086
1087           Default: 60
1088
1089       p11_uri (string)
1090           PKCS#11 URI (see RFC-7512 for details) which can be used to
1091           restrict the selection of devices used for Smartcard
1092           authentication. By default SSSD's p11_child will search for a
1093           PKCS#11 slot (reader) where the 'removable' flag is set and read
1094           the certificates from the inserted token in the first slot found.
1095           If multiple readers are connected p11_uri can be used to tell
1096           p11_child to use a specific reader.
1097
1098           Example:
1099
1100               p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1101
1102
1103           or
1104
1105               p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1106
1107
1108           To find a suitable URI, check the debug output of p11_child. As an
1109           alternative, the GnuTLS utility 'p11tool' with e.g. the
1110           '--list-all' option will show PKCS#11 URIs as well.
1111
1112           Default: none
1113
1114       pam_initgroups_scheme
1115           The PAM responder can force an online lookup to get the current
1116           group memberships of the user trying to log in. This option
1117           controls when this should be done and the following values are
1118           allowed:
1119
1120           always
1121               Always do an online lookup; please note that pam_id_timeout
1122               still applies.
1123
1124           no_session
1125               Only do an online lookup if there is no active session of the
1126               user, i.e. if the user is currently not logged in.
1127
1128           never
1129               Never force an online lookup; use the data from the cache as
1130               long as it is not expired.
1131
1132           Default: no_session
1133
1134       pam_gssapi_services
1135           Comma separated list of PAM services that are allowed to try GSSAPI
1136           authentication using pam_sss_gss.so module.
1137
1138           To disable GSSAPI authentication, set this option to “-” (dash).
1139
1140           Note: This option can also be set per domain, which overrides the
1141           value in the [pam] section. It can also be set for a trusted
1142           domain, which overrides the value in the domain section.
1143
1144           Example:
1145
1146               pam_gssapi_services = sudo, sudo-i
1147
1148
1149           Default: - (GSSAPI authentication is disabled)
1150
1151       pam_gssapi_check_upn
1152           If True, SSSD will require that the Kerberos user principal that
1153           successfully authenticated through GSSAPI can be associated with
1154           the user who is being authenticated. Authentication will fail if
1155           the check fails.
1156
1157           If False, every user that is able to obtain the required service
1158           ticket will be authenticated.
1159
1160           Note: This option can also be set per domain, which overrides the
1161           value in the [pam] section. It can also be set for a trusted
1162           domain, which overrides the value in the domain section.
1163
1164           Default: True
1165
1166       pam_gssapi_indicators_map
1167           Comma separated list of authentication indicators required to be
1168           present in a Kerberos ticket to access a PAM service that is
1169           allowed to try GSSAPI authentication using pam_sss_gss.so module.
1170
1171           Each element of the list can be either an authentication indicator
1172           name or a pair “service:indicator”. Indicators not prefixed with
1173           the PAM service name will be required to access any PAM service
1174           configured to be used with pam_gssapi_services. A resulting list of
1175           indicators per PAM service is then checked against indicators in
1176           the Kerberos ticket during authentication by pam_sss_gss.so. Any
1177           indicator from the ticket that matches the resulting list of
1178           indicators for the PAM service would grant access. If none of the
1179           indicators in the list match, access will be denied. If the
1180           resulting list of indicators for the PAM service is empty, the
1181           check will not prevent access.
1182
1183           To disable GSSAPI authentication indicator check, set this option
1184           to “-” (dash). To disable the check for a specific PAM service, add
1185           “service:-”.
1186
1187           Note: This option can also be set per domain, which overrides the
1188           value in the [pam] section. It can also be set for a trusted
1189           domain, which overrides the value in the domain section.
1190
1191           The following authentication indicators are supported by IPA
1192           Kerberos deployments:
1193
1194           •   pkinit -- pre-authentication using X.509 certificates --
1195               whether stored in files or on smart cards.
1196
1197           •   hardened -- SPAKE pre-authentication or any pre-authentication
1198               wrapped in a FAST channel.
1199
1200           •   radius -- pre-authentication with the help of a RADIUS server.
1201
1202           •   otp -- pre-authentication using integrated two-factor
1203               authentication (2FA or one-time password, OTP) in IPA.
1204
1205           •   idp -- pre-authentication using external identity provider.
1206
1207           Example: to require access to SUDO services only for users who
1208           obtained their Kerberos tickets with X.509 certificate
1209           pre-authentication (PKINIT), set
1210
1211               pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1212
1213
1214           Default: not set (use of authentication indicators is not required)
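
           The per-service indicator list and the "any match grants, none
           match denies, empty list does not prevent" rule described above,
           as an added Python example (not SSSD's or pam_sss_gss.so's own
           code). The map values and ticket indicator sets are constructed for
           the example; treating "service:-" as switching the check off for
           that service regardless of unprefixed entries is an assumption.

```python
# Constructed sample values for the example (not from any real deployment).
INDICATORS_MAP_SUDO_ONLY = "sudo:pkinit, sudo-i:pkinit"
INDICATORS_MAP_MIXED = "hardened, sudo:pkinit"


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def required_indicators(indicators_map, service):
    """Return the set of indicators required for `service`.

    None means the check is disabled for that service: either the whole option
    is "-" or the list contains "service:-" (assumed here to switch the check
    off for that service regardless of unprefixed entries).  Unprefixed
    indicators apply to every service; "service:indicator" pairs are added
    only for the named service.
    """
    if indicators_map is None:
        return set()                      # option not set: nothing required
    items = _split_list(indicators_map)
    if items == ["-"]:
        return None                       # indicator check disabled globally
    required = set()
    for item in items:
        if ":" not in item:
            required.add(item)            # applies to every GSSAPI-enabled service
            continue
        svc, indicator = item.split(":", 1)
        if svc.strip() != service:
            continue
        if indicator.strip() == "-":
            return None                   # check disabled for this service
        required.add(indicator.strip())
    return required


def gssapi_indicators_allow(indicators_map, service, ticket_indicators):
    """Emulate the pam_sss_gss.so decision for one PAM service.

    ticket_indicators is the set of authentication indicators carried by the
    Kerberos ticket.  Access is granted when the check is disabled, when no
    indicator is required for the service, or when at least one ticket
    indicator matches the required list; otherwise it is denied.
    """
    required = required_indicators(indicators_map, service)
    if required is None or not required:
        return True
    return bool(required & set(ticket_indicators))
```

           Note the union semantics: with INDICATORS_MAP_MIXED a sudo ticket
           obtained with either PKINIT or a hardened pre-authentication is
           accepted, because the service-specific entry is added to the
           global one rather than replacing it.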
1215
1216   SUDO configuration options
1217       These options can be used to configure the sudo service. The detailed
1218       instructions for configuration of sudo(8) to work with sssd(8) are in
1219       the manual page sssd-sudo(5).
1220
1221       sudo_timed (bool)
1222           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1223           attributes that implement time-dependent sudoers entries.
1224
1225           Default: false
1226
1227       sudo_threshold (integer)
1228           Maximum number of expired rules that can be refreshed at once. If
1229           the number of expired rules is below the threshold, those rules
1230           are refreshed with the “rules refresh” mechanism. If the threshold
1231           is exceeded, a “full refresh” of sudo rules is triggered instead.
1232           This threshold number also applies to IPA sudo command and command
1233           group searches.
1234
1235           Default: 50
1236
1237   AUTOFS configuration options
1238       These options can be used to configure the autofs service.
1239
1240       autofs_negative_timeout (integer)
1241           Specifies for how many seconds the autofs responder should
1242           negatively cache hits (that is, queries for invalid map entries,
1243           like nonexistent ones) before asking the back end again.
1244
1245           Default: 15
1246
1247       Please note that the automounter only reads the master map on startup,
1248       so if any autofs-related changes are made to the sssd.conf, you
1249       typically also need to restart the automounter daemon after restarting
1250       the SSSD.
1251
1252   SSH configuration options
1253       These options can be used to configure the SSH service.
1254
1255       ssh_hash_known_hosts (bool)
1256           Whether or not to hash host names and addresses in the managed
1257           known_hosts file.
1258
1259           Default: false
1260
1261       ssh_known_hosts_timeout (integer)
1262           How many seconds to keep a host in the managed known_hosts file
1263           after its host keys were requested.
1264
1265           Default: 180
1266
1267       ssh_use_certificate_keys (bool)
1268           If set to true, sss_ssh_authorizedkeys will also return ssh keys
1269           derived from the public key of X.509 certificates stored in the
1270           user entry. See sss_ssh_authorizedkeys(1) for details.
1271
1272           Default: true
1273
1274       ssh_use_certificate_matching_rules (string)
1275           By default the ssh responder will use all available certificate
1276           matching rules to filter the certificates so that ssh keys are only
1277           derived from the matching ones. With this option the used rules can
1278           be restricted with a comma separated list of mapping and matching
1279           rule names. All other rules will be ignored.
1280
1281           There are two special key words 'all_rules' and 'no_rules' which
1282           will enable all or no rules, respectively. The latter means that no
1283           certificates will be filtered out and ssh keys will be generated
1284           from all valid certificates.
1285
1286           If no rules are configured, using 'all_rules' will enable a
1287           default rule which enables all certificates suitable for client
1288           authentication. This is the same behavior as for the PAM responder
1289           if certificate authentication is enabled.
1290
1291           A non-existing rule name is considered an error. If, as a result,
1292           no rule is selected, all certificates will be ignored.
1293
1294           Default: not set, equivalent to 'all_rules', all found rules or the
1295           default rule are used
1296
1297       ca_db (string)
1298           Path to a storage of trusted CA certificates. The option is used to
1299           validate user certificates before deriving public ssh keys from
1300           them.
1301
1302           Default:
1303
1304           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1305               CA certificates in PEM format)
1306
1307
1308   PAC responder configuration options
1309       The PAC responder works together with the authorization data plugin for
1310       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1311       sends the PAC data during a GSSAPI authentication to the PAC responder.
1312       The sub-domain provider collects domain SID and ID ranges of the domain
1313       the client is joined to and of remote trusted domains from the local
1314       domain controller. When the PAC is decoded and evaluated, some of
1315       the following operations are done:
1316
1317       •   If the remote user does not exist in the cache, it is created. The
1318           UID is determined with the help of the SID, trusted domains will
1319           have UPGs and the GID will have the same value as the UID. The home
1320           directory is set based on the subdomain_homedir parameter. The
1321           shell will be empty by default, i.e. the system defaults are used,
1322           but can be overwritten with the default_shell parameter.
1323
1324       •   If there are SIDs of groups from domains sssd knows about, the user
1325           will be added to those groups.
1326
1327       These options can be used to configure the PAC responder.
1328
1329       allowed_uids (string)
1330           Specifies the comma-separated list of UID values or user names that
1331           are allowed to access the PAC responder. User names are resolved to
1332           UIDs at startup.
1333
1334           Default: 0 (only the root user is allowed to access the PAC
1335           responder)
1336
1337           Please note that although UID 0 is used as the default, it will be
1338           overridden by this option. If you still want to allow the root
1339           user to access the PAC responder, which would be the typical case,
1340           you have to add 0 to the list of allowed UIDs as well.
1341
1342       pac_lifetime (integer)
1343           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1344           the PAC data can be used to determine the group memberships of a
1345           user.
1346
1347           Default: 300
1348
1349       pac_check (string)
1350           Apply additional checks on the PAC of the Kerberos ticket which is
1351           available in Active Directory and FreeIPA domains, if configured.
1352           Please note that Kerberos ticket validation must be enabled to be
1353           able to check the PAC, i.e. the krb5_validate option must be set to
1354           'True' which is the default for the IPA and AD provider. If
1355           krb5_validate is set to 'False' the PAC checks will be skipped.
1356
1357           The following options can be used alone or in a comma-separated
1358           list:
1359
1360           no_check
1361               The PAC does not need to be present, and even if it is present
1362               no additional checks will be done.
1363
1364           pac_present
1365               The PAC must be present in the service ticket which SSSD will
1366               request with the help of the user's TGT. If the PAC is not
1367               available the authentication will fail.
1368
1369           check_upn
1370               If the PAC is present check if the user principal name (UPN)
1371               information is consistent.
1372
1373           check_upn_allow_missing
1374               This option should be used together with 'check_upn' and
1375               handles the case where a UPN is set on the server side but is
1376               not read by SSSD. The typical example is a FreeIPA domain where
1377               'ldap_user_principal' is set to a nonexistent attribute name.
1378               This was typically done to work around issues in the handling
1379               of enterprise principals. But this has been fixed for quite
1380               some time, FreeIPA can handle enterprise principals just fine,
1381               and there is no longer any need to set 'ldap_user_principal'.
1382
1383               Currently this option is set by default to avoid regressions in
1384               such environments. A log message will be added to the system
1385               log and SSSD's debug log in case a UPN is found in the PAC but
1386               not in SSSD's cache. To avoid this log message it would be best
1387               to evaluate whether the 'ldap_user_principal' option can be
1388               removed. If this is not possible, removing 'check_upn' will
1389               skip the test and avoid the log message.
1390
1391           upn_dns_info_present
1392               The PAC must contain the UPN-DNS-INFO buffer, implies
1393               'check_upn'.
1394
1395           check_upn_dns_info_ex
1396               If the PAC is present and the extension to the UPN-DNS-INFO
1397               buffer is available check if the information in the extension
1398               is consistent.
1399
1400           upn_dns_info_ex_present
1401               The PAC must contain the extension of the UPN-DNS-INFO buffer,
1402               implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
1403               'check_upn'.
1404
1405           Default: no_check (AD and IPA provider 'check_upn,
1406           check_upn_allow_missing, check_upn_dns_info_ex')
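
           The pac_check options above carry implications (for example
           upn_dns_info_ex_present pulls in three further checks) and several
           present/consistent distinctions that are easy to misread. The
           following added Python example (not SSSD's own code) expands a
           pac_check value into its effective option set and evaluates a
           decoded PAC against a cached user entry. The PAC and cache layouts
           are constructed for the example and are not SSSD's internal
           structures; treating no_check as disabling all other listed checks
           is an assumption.

```python
PAC_CHECK_KNOWN = {
    "no_check", "pac_present", "check_upn", "check_upn_allow_missing",
    "upn_dns_info_present", "check_upn_dns_info_ex", "upn_dns_info_ex_present",
}
# Implications spelled out in the option descriptions in sssd.conf(5).
PAC_CHECK_IMPLIES = {
    "upn_dns_info_present": {"check_upn"},
    "upn_dns_info_ex_present": {"check_upn_dns_info_ex", "upn_dns_info_present", "check_upn"},
}
# Documented default for the AD and IPA providers.
PAC_CHECK_DEFAULT_IPA_AD = "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"

# Constructed cache entry standing in for what SSSD stored about the user.
CACHED_USER = {"upn": "alice@EXAMPLE.TEST", "sid": "S-1-5-21-1-2-3-1105"}


def expand_pac_check(value):
    """Parse a pac_check value into the full set of effective options."""
    opts = {o.strip() for o in value.split(",") if o.strip()}
    unknown = opts - PAC_CHECK_KNOWN
    if unknown:
        raise ValueError("unknown pac_check option(s): %s" % ", ".join(sorted(unknown)))
    pending = list(opts)
    while pending:                        # close the set under the implications
        for implied in PAC_CHECK_IMPLIES.get(pending.pop(), ()):
            if implied not in opts:
                opts.add(implied)
                pending.append(implied)
    return opts


def evaluate_pac(pac_check, pac, cached, krb5_validate=True):
    """Return (accepted, reason) for a decoded PAC.

    pac is None when the service ticket carried no PAC, otherwise a dict with
    'upn' (from UPN-DNS-INFO, or None) and 'dns_info_ex' (a dict holding the
    user's 'sid' from the UPN-DNS-INFO extension, or None).  This layout is an
    assumption of the example, not SSSD's internal representation.
    """
    if not krb5_validate:
        return True, "krb5_validate is False: PAC checks skipped"
    opts = expand_pac_check(pac_check)
    if "no_check" in opts:                # assumption: no_check disables the others
        return True, "no_check: PAC not inspected"
    if pac is None:
        if "pac_present" in opts:
            return False, "PAC missing from the service ticket"
        return True, "no PAC in ticket, nothing to check"
    if "check_upn" in opts:
        pac_upn = pac.get("upn")
        if pac_upn is None:
            if "upn_dns_info_present" in opts:
                return False, "UPN-DNS-INFO buffer missing"
        elif cached.get("upn") is None:
            if "check_upn_allow_missing" not in opts:
                return False, "UPN in PAC but not in SSSD cache"
            # SSSD would only log here (system log and debug log), not deny.
        elif pac_upn.lower() != cached["upn"].lower():
            return False, "UPN in PAC does not match cached UPN"
    if "check_upn_dns_info_ex" in opts:
        ext = pac.get("dns_info_ex")
        if ext is None:
            if "upn_dns_info_ex_present" in opts:
                return False, "UPN-DNS-INFO extension missing"
        elif ext.get("sid") != cached.get("sid"):
            return False, "SID in UPN-DNS-INFO extension does not match cached SID"
    return True, "PAC consistent with cached user"
```

           The default value accepts a ticket without any PAC; only
           pac_present turns a missing PAC into a failure, and only the
           *_present options turn a missing buffer into one. The
           check_upn_allow_missing branch is where the log message mentioned
           above would be emitted instead of a denial.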
1407
1408   Session recording configuration options
1409       Session recording works in conjunction with tlog-rec-session(8), a part
1410       of tlog package, to log what users see and type when they log in on a
1411       text terminal. See also sssd-session-recording(5).
1412
1413       These options can be used to configure session recording.
1414
1415       scope (string)
1416           One of the following strings specifying the scope of session
1417           recording:
1418
1419           "none"
1420               No users are recorded.
1421
1422           "some"
1423               Users/groups specified by users and groups options are
1424               recorded.
1425
1426           "all"
1427               All users are recorded.
1428
1429           Default: "none"
1430
1431       users (string)
1432           A comma-separated list of users which should have session recording
1433           enabled. Matches user names as returned by NSS, i.e. after the
1434           possible space replacement, case changes, etc.
1435
1436           Default: Empty. Matches no users.
1437
1438       groups (string)
1439           A comma-separated list of groups, members of which should have
1440           session recording enabled. Matches group names as returned by NSS,
1441           i.e. after the possible space replacement, case changes, etc.
1442
1443           NOTE: using this option (having it set to anything) has a
1444           considerable performance cost, because each uncached request for a
1445           user requires retrieving and matching the groups the user is a
1446           member of.
1447
1448           Default: Empty. Matches no groups.
1449
1450       exclude_users (string)
1451           A comma-separated list of users to be excluded from recording, only
1452           applicable with 'scope=all'.
1453
1454           Default: Empty. No users excluded.
1455
1456       exclude_groups (string)
1457           A comma-separated list of groups, members of which should be
1458           excluded from recording. Only applicable with 'scope=all'.
1459
1460           NOTE: using this option (having it set to anything) has a
1461           considerable performance cost, because each uncached request for a
1462           user requires retrieving and matching the groups the user is member
1463           of.
1464
1465           Default: Empty. No groups excluded.
1466

DOMAIN SECTIONS

1468       These configuration options can be present in a domain configuration
1469       section, that is, in a section called “[domain/NAME]”
1470
1471       enabled
1472           Explicitly enable or disable the domain. If “true”, the domain is
1473           always “enabled”. If “false”, the domain is always “disabled”. If
1474           this option is not set, the domain is enabled only if it is listed
1475           in the domains option in the “[sssd]” section.
1476
1477       domain_type (string)
1478           Specifies whether the domain is meant to be used by POSIX-aware
1479           clients such as the Name Service Switch or by applications that do
1480           not need POSIX data to be present or generated. Only objects from
1481           POSIX domains are available to the operating system interfaces and
1482           utilities.
1483
1484           Allowed values for this option are “posix” and “application”.
1485
1486           POSIX domains are reachable by all services. Application domains
1487           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1488           and the PAM responder.
1489
1490           NOTE: The application domains are currently well tested with
1491           “id_provider=ldap” only.
1492
1493           For an easy way to configure a non-POSIX domain, please see the
1494           “Application domains” section.
1495
1496           Default: posix
1497
1498       min_id,max_id (integer)
1499           UID and GID limits for the domain. If a domain contains an entry
1500           that is outside these limits, it is ignored.
1501
1502           For users, this affects the primary GID limit. The user will not be
1503           returned to NSS if either the UID or the primary GID is outside the
1504           range. For non-primary group memberships, those that are in range
1505           will be reported as expected.
1506
1507           These ID limits affect even saving entries to cache, not only
1508           returning them by name or ID.
1509
1510           Default: 1 for min_id, 0 (no limit) for max_id
1511
1512       enumerate (bool)
1513           Determines if a domain can be enumerated, that is, whether the
1514           domain can list all the users and groups it contains. Note that it
1515           is not required to enable enumeration in order for secondary groups
1516           to be displayed. This parameter can have one of the following
1517           values:
1518
1519           TRUE = Users and groups are enumerated
1520
1521           FALSE = No enumerations for this domain
1522
1523           Default: FALSE
1524
1525           Enumerating a domain requires SSSD to download and store ALL user
1526           and group entries from the remote server.
1527
1528           Note: Enabling enumeration has a moderate performance impact on
1529           SSSD while enumeration is running. It may take up to several
1530           minutes after SSSD startup to fully complete enumerations. During
1531           this time, individual requests for information will go directly to
1532           LDAP, though it may be slow, due to the heavy enumeration
1533           processing. Saving a large number of entries to cache after the
1534           enumeration completes might also be CPU intensive as the
1535           memberships have to be recomputed. This can lead to the “sssd_be”
1536           process becoming unresponsive or even restarted by the internal
1537           watchdog.
1538
1539           While the first enumeration is running, requests for the complete
1540           user or group lists may return no results until it completes.
1541
1542           Further, enabling enumeration may increase the time necessary to
1543           detect network disconnection, as longer timeouts are required to
1544           ensure that enumeration lookups are completed successfully. For
1545           more information, refer to the man pages for the specific
1546           id_provider in use.
1547
1548           For the reasons cited above, enabling enumeration is not
1549           recommended, especially in large environments.
1550
1551       subdomain_enumerate (string)
1552           Whether any of the autodetected trusted domains should be enumerated.
1553           The supported values are:
1554
1555           all
1556               All discovered trusted domains will be enumerated
1557
1558           none
1559               No discovered trusted domains will be enumerated
1560
1561           Optionally, a list of one or more domain names can enable
1562           enumeration just for these trusted domains.
1563
1564           Default: none
1565
1566       entry_cache_timeout (integer)
1567           How many seconds should nss_sss consider entries valid before
1568           asking the backend again
1569
1570           The cache expiration timestamps are stored as attributes of
1571           individual objects in the cache. Therefore, changing the cache
1572           timeout only has effect for newly added or expired entries. You
1573           should run the sss_cache(8) tool in order to force refresh of
1574           entries that have already been cached.
1575
1576           Default: 5400
1577
1578       entry_cache_user_timeout (integer)
1579           How many seconds should nss_sss consider user entries valid before
1580           asking the backend again
1581
1582           Default: entry_cache_timeout
1583
1584       entry_cache_group_timeout (integer)
1585           How many seconds should nss_sss consider group entries valid before
1586           asking the backend again
1587
1588           Default: entry_cache_timeout
1589
1590       entry_cache_netgroup_timeout (integer)
1591           How many seconds should nss_sss consider netgroup entries valid
1592           before asking the backend again
1593
1594           Default: entry_cache_timeout
1595
1596       entry_cache_service_timeout (integer)
1597           How many seconds should nss_sss consider service entries valid
1598           before asking the backend again
1599
1600           Default: entry_cache_timeout
1601
1602       entry_cache_resolver_timeout (integer)
1603           How many seconds should nss_sss consider hosts and networks entries
1604           valid before asking the backend again
1605
1606           Default: entry_cache_timeout
1607
1608       entry_cache_sudo_timeout (integer)
1609           How many seconds should sudo consider rules valid before asking the
1610           backend again
1611
1612           Default: entry_cache_timeout
1613
1614       entry_cache_autofs_timeout (integer)
1615           How many seconds should the autofs service consider automounter
1616           maps valid before asking the backend again
1617
1618           Default: entry_cache_timeout
1619
1620       entry_cache_ssh_host_timeout (integer)
1621           How many seconds to keep a host ssh key after refresh, i.e. how long
1622           to cache the host key for.
1623
1624           Default: entry_cache_timeout
1625
1626       entry_cache_computer_timeout (integer)
1627           How many seconds to keep the local computer entry before asking the
1628           backend again
1629
1630           Default: entry_cache_timeout
1631
1632       refresh_expired_interval (integer)
1633           Specifies how many seconds SSSD has to wait before triggering a
1634           background refresh task which will refresh all expired or nearly
1635           expired records.
1636
1637           The background refresh will process users, groups and netgroups in
1638           the cache. For users who have performed the initgroups (get group
1639           membership for user, typically run at login) operation in the past,
1640           both the user entry and the group membership are updated.
1641
1642           This option is automatically inherited for all trusted domains.
1643
1644           You can consider setting this value to 3/4 * entry_cache_timeout.
1645
1646           A cache entry will be refreshed by the background task when 2/3 of
1647           its cache timeout has already passed. If there are existing cached
1648           entries, the background task will refer to their original cache
1649           timeout values instead of the current configuration value. This may
1650           lead to a situation in which the background refresh task appears to
1651           not be working. This is done by design to improve offline mode
1652           operation and reuse of existing valid cache entries. To make this
1653           change instant, manually invalidate the existing cache (sss_cache(8)).
1654
1655           Default: 0 (disabled)
1656
1657       cache_credentials (bool)
1658           Determines if user credentials are also cached in the local LDB
1659           cache. The cached credentials refer to passwords, which includes
1660           the first (long term) factor of two-factor authentication, not
1661           other authentication mechanisms. Passkey and Smartcard
1662           authentications are expected to work offline as long as a
1663           successful online authentication is recorded in the cache without
1664           additional configuration.
1665
1666           Note that while credentials are stored as a salted SHA512 hash,
1667           this still poses a security risk: an attacker who gains access to
1668           the cache file (which normally requires privileged access) can try
1669           to recover a password by brute force, so keep the lifetime of cached
1670           credentials bounded (see offline_credentials_expiration).
1671
1672           Default: FALSE
1673
1674       cache_credentials_minimal_first_factor_length (int)
1675           If 2-Factor-Authentication (2FA) is used and credentials should be
1676           saved this value determines the minimal length the first
1677           authentication factor (long term password) must have to be saved as
1678           SHA512 hash into the cache.
1679
1680           This should avoid that the short PINs of a PIN based 2FA scheme are
1681           saved in the cache which would make them easy targets for
1682           brute-force attacks.
1683
1684           Default: 8
1685
1686       account_cache_expiration (integer)
1687           Number of days entries are left in cache after last successful
1688           login before being removed during a cleanup of the cache. 0 means
1689           keep forever. The value of this parameter must be greater than or
1690           equal to offline_credentials_expiration.
1691
1692           Default: 0 (unlimited)
1693
1694       pwd_expiration_warning (integer)
1695           Display a warning N days before the password expires.
1696
1697           If zero is set, then this filter is not applied, i.e. if an
1698           expiration warning was received from the backend server, it will
1699           automatically be displayed.
1700
1701           Please note that the backend server has to provide information
1702           about the expiration time of the password. If this information is
1703           missing, sssd cannot display a warning. An auth provider also has
1704           to be configured for the backend.
1705
1706           Default: 7 (Kerberos), 0 (LDAP)
1707
1708       id_provider (string)
1709           The identification provider used for the domain. Supported ID
1710           providers are:
1711
1712           “proxy”: Support a legacy NSS provider.
1713
1714           “files”: FILES provider. See sssd-files(5) for more information on
1715           how to mirror local users and groups into SSSD.
1716
1717           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1718           configuring LDAP.
1719
1720           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1721           See sssd-ipa(5) for more information on configuring FreeIPA.
1722
1723           “ad”: Active Directory provider. See sssd-ad(5) for more
1724           information on configuring Active Directory.
1725
1726       use_fully_qualified_names (bool)
1727           Use the full name and domain (as formatted by the domain's
1728           full_name_format) as the user's login name reported to NSS.
1729
1730           If set to TRUE, all requests to this domain must use fully
1731           qualified names. For example, if used in a LOCAL domain that
1732           contains a "test" user, getent passwd test wouldn't find the user
1733           while getent passwd test@LOCAL would.
1734
1735           NOTE: This option has no effect on netgroup lookups due to their
1736           tendency to include nested netgroups without qualified names. For
1737           netgroups, all domains will be searched when an unqualified name is
1738           requested.
1739
1740           Default: FALSE (TRUE for trusted domain/sub-domains or if
1741           default_domain_suffix is used)
1742
1743       ignore_group_members (bool)
1744           Do not return group members for group lookups.
1745
1746           If set to TRUE, the group membership attribute is not requested
1747           from the ldap server, and group members are not returned when
1748           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1749           As an effect, “getent group $groupname” would return the requested
1750           group as if it was empty.
1751
1752           Enabling this option can also make access provider checks for group
1753           membership significantly faster, especially for groups containing
1754           many members.
1755
1756           This option can be also set per subdomain or inherited via
1757           subdomain_inherit.
1758
1759           Default: FALSE
1760
1761       auth_provider (string)
1762           The authentication provider used for the domain. Supported auth
1763           providers are:
1764
1765           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1766           information on configuring LDAP.
1767
1768           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1769           information on configuring Kerberos.
1770
1771           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1772           See sssd-ipa(5) for more information on configuring FreeIPA.
1773
1774           “ad”: Active Directory provider. See sssd-ad(5) for more
1775           information on configuring Active Directory.
1776
1777           “proxy” for relaying authentication to some other PAM target.
1778
1779           “none” disables authentication explicitly.
1780
1781           Default: “id_provider” is used if it is set and can handle
1782           authentication requests.
1783
1784       access_provider (string)
1785           The access control provider used for the domain. There are two
1786           built-in access providers (in addition to any included in installed
1787           backends). The internal special providers are:
1788
1789           “permit” always allow access. It's the only permitted access
1790           provider for a local domain.
1791
1792           “deny” always deny access.
1793
1794           “ldap” for LDAP-based access control. See sssd-ldap(5) for more
1795           information on configuring LDAP.
1796
1797           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1798           See sssd-ipa(5) for more information on configuring FreeIPA.
1799
1800           “ad”: Active Directory provider. See sssd-ad(5) for more
1801           information on configuring Active Directory.
1802
1803           “simple” access control based on access or deny lists. See sssd-
1804           simple(5) for more information on configuring the simple access
1805           module.
1806
1807           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1808           information on configuring Kerberos.
1809
1810           “proxy” for relaying access control to another PAM module.
1811
1812           Default: “permit”
1813
1814       chpass_provider (string)
1815           The provider which should handle change password operations for the
1816           domain. Supported change password providers are:
1817
1818           “ldap” to change a password stored in a LDAP server. See sssd-
1819           ldap(5) for more information on configuring LDAP.
1820
1821           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1822           information on configuring Kerberos.
1823
1824           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1825           See sssd-ipa(5) for more information on configuring FreeIPA.
1826
1827           “ad”: Active Directory provider. See sssd-ad(5) for more
1828           information on configuring Active Directory.
1829
1830           “proxy” for relaying password changes to some other PAM target.
1831
1832           “none” disallows password changes explicitly.
1833
1834           Default: “auth_provider” is used if it is set and can handle change
1835           password requests.
1836
1837       sudo_provider (string)
1838           The SUDO provider used for the domain. Supported SUDO providers
1839           are:
1840
1841           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1842           information on configuring LDAP.
1843
1844           “ipa” the same as “ldap” but with IPA default settings.
1845
1846           “ad” the same as “ldap” but with AD default settings.
1847
1848           “none” disables SUDO explicitly.
1849
1850           Default: The value of “id_provider” is used if it is set.
1851
1852           The detailed instructions for configuration of sudo_provider are in
1853           the manual page sssd-sudo(5). There are many configuration options
1854           that can be used to adjust the behavior. Please refer to
1855           "ldap_sudo_*" in sssd-ldap(5).
1856
1857           NOTE: Sudo rules are periodically downloaded in the background
1858           unless the sudo provider is explicitly disabled. Set sudo_provider
1859           = none to disable all sudo-related activity in SSSD if you do not
1860           want to use sudo with SSSD at all.
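
       The following is an added example, not code from SSSD or this manual
       page. It reads an sssd.conf and applies the rules stated above for
       the enabled option, the default access_provider of “permit”,
       cache_credentials and cache_credentials_minimal_first_factor_length,
       enumerate, and the sudo_provider background download note, reporting
       the settings a reviewer would want to look at. The sample
       configuration, the wording of the findings and the choice of what
       counts as a finding are the example's own assumptions.

```python
"""Audit the [domain/NAME] sections of an sssd.conf for the settings the
DOMAIN SECTIONS text flags.

Added example, not part of SSSD or its documentation. It encodes the
documented rules: a domain is enabled by its own "enabled" option or,
failing that, by being listed in "domains" under [sssd]; access_provider
defaults to "permit"; cache_credentials stores salted SHA512 hashes;
cache_credentials_minimal_first_factor_length defaults to 8; enumerate
is discouraged; sudo rules are fetched unless sudo_provider = none.
The sample configuration below is constructed for the example.
"""
import configparser

# Constructed sample: one domain left mostly at defaults, one hardened,
# one explicitly disabled.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
cache_credentials = True
cache_credentials_minimal_first_factor_length = 4
enumerate = True

[domain/lab.internal]
enabled = true
id_provider = ad
access_provider = ad
cache_credentials = True
sudo_provider = none

[domain/old.example]
enabled = false
id_provider = ldap
"""


def load_conf(text):
    # sssd.conf is ini-style with '#' and ';' comment lines and no inline
    # comments, which matches configparser's defaults.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enabled_domains(cp):
    """Names of the domains SSSD would start, per the "enabled" rule."""
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
              if d.strip()]
    result = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        name = sec[len("domain/"):]
        if cp.has_option(sec, "enabled"):
            if cp.getboolean(sec, "enabled"):
                result.append(name)
        elif name in listed:
            result.append(name)
    return result


def audit_domain(cp, name):
    """Return a list of findings (strings) for one domain section."""
    sec = "domain/" + name
    findings = []
    # Default access_provider is "permit": every account the id_provider
    # returns may log in unless the provider enforces its own rules.
    if cp.get(sec, "access_provider", fallback="permit").lower() == "permit":
        findings.append("access_provider is permit (default): no host-side access control")
    if cp.getboolean(sec, "cache_credentials", fallback=False):
        findings.append("cache_credentials=True: salted SHA512 password hashes are kept "
                        "in the cache and can be brute-forced by anyone who can read it")
        min_len = cp.getint(sec, "cache_credentials_minimal_first_factor_length",
                            fallback=8)
        if min_len < 8:
            findings.append(f"cache_credentials_minimal_first_factor_length={min_len}: "
                            "below the default 8, short 2FA first factors may be cached")
    if cp.getboolean(sec, "enumerate", fallback=False):
        findings.append("enumerate=True: all users and groups are downloaded; "
                        "not recommended, especially in large environments")
    if cp.get(sec, "sudo_provider", fallback="").lower() != "none":
        findings.append("sudo_provider not set to none: sudo rules are periodically "
                        "downloaded in the background")
    return findings


def audit(text):
    """Map each enabled domain to its findings."""
    cp = load_conf(text)
    return {name: audit_domain(cp, name) for name in enabled_domains(cp)}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_CONF).items():
        print(f"[domain/{domain}]")
        for finding in findings:
            print("  -", finding)
```

       Disabled domains are skipped entirely, mirroring the enabled rule:
       old.example never appears in the report even though it has no
       access_provider, because it is neither enabled = true nor listed in
       the [sssd] domains option.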
1861
1862       selinux_provider (string)
1863           The provider which should handle loading of selinux settings. Note
1864           that this provider is called right after the access provider ends.
1865           Supported selinux providers are:
1866
1867           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1868           for more information on configuring IPA.
1869
1870           “none” disallows fetching selinux settings explicitly.
1871
1872           Default: “id_provider” is used if it is set and can handle selinux
1873           loading requests.
1874
1875       subdomains_provider (string)
1876           The provider which should handle fetching of subdomains. This value
1877           should always be the same as id_provider. Supported subdomain
1878           providers are:
1879
1880           “ipa” to load a list of subdomains from an IPA server. See sssd-
1881           ipa(5) for more information on configuring IPA.
1882
1883           “ad” to load a list of subdomains from an Active Directory server.
1884           See sssd-ad(5) for more information on configuring the AD provider.
1885
1886           “none” disallows fetching subdomains explicitly.
1887
1888           Default: The value of “id_provider” is used if it is set.
1889
1890       session_provider (string)
1891           The provider which configures and manages user session related
1892           tasks. The only user session task currently provided is the
1893           integration with Fleet Commander, which works only with IPA.
1894           Supported session providers are:
1895
1896           “ipa” to allow performing user session related tasks.
1897
1898           “none” does not perform any kind of user session related tasks.
1899
1900           Default: “id_provider” is used if it is set and can perform session
1901           related tasks.
1902
1903           NOTE: In order to have this feature working as expected SSSD must
1904           be running as "root" and not as the unprivileged user.
1905
1906       autofs_provider (string)
1907           The autofs provider used for the domain. Supported autofs providers
1908           are:
1909
1910           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1911           information on configuring LDAP.
1912
1913           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1914           more information on configuring IPA.
1915
1916           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1917           information on configuring the AD provider.
1918
1919           “none” disables autofs explicitly.
1920
1921           Default: The value of “id_provider” is used if it is set.
1922
1923       hostid_provider (string)
1924           The provider used for retrieving host identity information.
1925           Supported hostid providers are:
1926
1927           “ipa” to load host identity stored in an IPA server. See sssd-
1928           ipa(5) for more information on configuring IPA.
1929
1930           “none” disables hostid explicitly.
1931
1932           Default: The value of “id_provider” is used if it is set.
1933
1934       resolver_provider (string)
1935           The provider which should handle hosts and networks lookups.
1936           Supported resolver providers are:
1937
1938           “proxy” to forward lookups to another NSS library. See
1939           “proxy_resolver_lib_name”
1940
1941           “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1942           for more information on configuring LDAP.
1943
1944           “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1945           more information on configuring the AD provider.
1946
1947           “none” disallows fetching hosts and networks explicitly.
1948
1949           Default: The value of “id_provider” is used if it is set.
1950
1951       re_expression (string)
1952           Regular expression for this domain that describes how to parse the
1953           string containing user name and domain into these components. The
1954           "domain" can match either the SSSD configuration domain name, or,
1955           in the case of IPA trust subdomains and Active Directory domains,
1956           the flat (NetBIOS) name of the domain.
1957
1958           Default: “^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$” which
1959           allows two different styles for user names:
1960
1961           •   username
1962
1963           •   username@domain.name
1964
1965           Default for the AD and IPA provider:
1966           “^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$”
1967           which allows three different styles for user names:
1968
1969           •   username
1970
1971           •   username@domain.name
1972
1973           •   domain\username
1974
1975           While the first two correspond to the general default the third one
1976           is introduced to allow easy integration of users from Windows
1977           domains.
1978
1979           The default re_expression uses the “@” character as a separator
1980           between the name and the domain. As a result of this setting the
1981           default does not accept the “@” character in short names (as it is
1982           allowed in Windows group names). If a user wishes to use short
1983           names with “@” they must create their own re_expression.
1984
1985       full_name_format (string)
1986           A printf(3)-compatible format that describes how to compose a fully
1987           qualified name from user name and domain name components.
1988
1989           The following expansions are supported:
1990
1991           %1$s
1992               user name
1993
1994           %2$s
1995               domain name as specified in the SSSD config file.
1996
1997           %3$s
1998               domain flat name. Mostly usable for Active Directory domains,
1999               both directly configured or discovered via IPA trusts.
2000
2001           Default: “%1$s@%2$s”.
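
           The following is an added example, not code from SSSD or this
           manual page, covering both re_expression and full_name_format
           above. Python's standard re module rejects the repeated
           (?P<name>) groups that the documented defaults rely on, so each
           default is written as its alternation branches, tried in order
           with re.fullmatch, which gives the same result as the anchored
           alternation. The sample names and the BACKSLASH_ONLY expression
           (one way to keep “@” inside short names, as the text says a
           custom re_expression must) are constructed for illustration.

```python
"""Split a login name into user and domain the way re_expression does,
and build the fully qualified name the way full_name_format does.

Added example, not code from SSSD. Each documented default is written
as its alternation branches, tried in order with re.fullmatch, because
the stdlib re module rejects duplicate named groups. The names and the
BACKSLASH_ONLY expression are constructed for illustration.
"""
import re

# Branches of the general default:
#   ^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$
GENERAL_DEFAULT = [
    r"(?P<name>.+)@(?P<domain>[^@]*)",
    r"(?P<name>[^@]+)",
]

# Branches of the AD and IPA default:
#   ^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))
#     |((?P<name>[^@\\]+)))$
AD_IPA_DEFAULT = [
    r"(?P<domain>[^\\]+)\\(?P<name>.+)",
    r"(?P<name>.+)@(?P<domain>[^@]+)",
    r"(?P<name>[^@\\]+)",
]

# Constructed alternative for sites whose short names contain '@':
# only DOMAIN\name is treated as qualified; anything else is a bare name.
BACKSLASH_ONLY = [
    r"(?P<domain>[^\\]+)\\(?P<name>.+)",
    r"(?P<name>.+)",
]


def parse_name(raw, branches):
    """Return (name, domain), with domain None when unqualified, or None
    when no branch matches the whole string."""
    for pattern in branches:
        m = re.fullmatch(pattern, raw)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    return None


def full_name(fmt, name, domain, flat=""):
    """Expand the printf-style %1$s (user), %2$s (configured domain) and
    %3$s (flat name) placeholders of full_name_format."""
    return fmt.replace("%1$s", name).replace("%2$s", domain).replace("%3$s", flat)


if __name__ == "__main__":
    for raw in (r"CORP\alice", "alice@example.com", "alice", "svc@acct"):
        print(f"{raw!r:24} general={parse_name(raw, GENERAL_DEFAULT)} "
              f"ad/ipa={parse_name(raw, AD_IPA_DEFAULT)} "
              f"backslash-only={parse_name(raw, BACKSLASH_ONLY)}")
    print(full_name("%1$s@%2$s", "alice", "example.com"))
    print(full_name(r"%3$s\%1$s", "alice", "example.com", flat="CORP"))
```

           Two behaviours worth noticing: under the general default a short
           name such as svc@acct is split into user svc in domain acct, which
           is the caveat the text describes, and under the AD/IPA default a
           trailing “@” with an empty domain matches no branch at all, so the
           lookup fails rather than falling back to an unqualified name.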
2002
2003       lookup_family_order (string)
2004           Provides the ability to select preferred address family to use when
2005           performing DNS lookups.
2006
2007           Supported values:
2008
2009           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
2010
2011           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
2012
2013           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
2014
2015           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
2016
2017           Default: ipv4_first
2018
2019       dns_resolver_server_timeout (integer)
2020           Defines the amount of time (in milliseconds) SSSD will try to talk
2021           to a DNS server before trying the next DNS server.
2022
2023           The AD provider will use this option for the CLDAP ping timeouts as
2024           well.
2025
2026           Please see the section “FAILOVER” for more information about the
2027           service resolution.
2028
2029           Default: 1000
2030
2031       dns_resolver_op_timeout (integer)
2032           Defines the amount of time (in seconds) to wait to resolve single
2033           DNS query (e.g. resolution of a hostname or an SRV record) before
2034           trying the next hostname or DNS discovery.
2035
2036           Please see the section “FAILOVER” for more information about the
2037           service resolution.
2038
2039           Default: 3
2040
2041       dns_resolver_timeout (integer)
2042           Defines the amount of time (in seconds) to wait for a reply from
2043           the internal fail over service before assuming that the service is
2044           unreachable. If this timeout is reached, the domain will continue
2045           to operate in offline mode.
2046
2047           Please see the section “FAILOVER” for more information about the
2048           service resolution.
2049
2050           Default: 6
2051
2052       dns_resolver_use_search_list (bool)
2053           Normally, the DNS resolver searches the domain list defined in the
2054           "search" directive from the resolv.conf file. This can lead to
2055           delays in environments with improperly configured DNS.
2056
2057           If fully qualified domain names (or _srv_) are used in the SSSD
2058           configuration, setting this option to FALSE can prevent unnecessary
2059           DNS lookups in such environments.
2060
2061           Default: TRUE
2062
2063       dns_discovery_domain (string)
2064           If service discovery is used in the back end, specifies the domain
2065           part of the service discovery DNS query.
2066
2067           Default: Use the domain part of machine's hostname
2068
2069       override_gid (integer)
2070           Override the primary GID value with the one specified.
2071
2072       case_sensitive (string)
2073           Treat user and group names as case sensitive. Possible option
2074           values are:
2075
2076           True
2077               Case sensitive. This value is invalid for the AD provider.
2078
2079           False
2080               Case insensitive.
2081
2082           Preserving
2083               Same as False (case insensitive), but does not lowercase names
2084               in the result of NSS operations. Note that name aliases (and in
2085               case of services also protocol names) are still lowercased in
2086               the output.
2087
2088               If you want to set this value for a trusted domain with the IPA
2089               provider, you need to set it on both the client and the SSSD on
2090               the server.
2091
2092           This option can be also set per subdomain or inherited via
2093           subdomain_inherit.
2094
2095           Default: True (False for AD provider)
2096
2097       subdomain_inherit (string)
2098           Specifies a list of configuration parameters that should be
2099           inherited by a subdomain. Please note that only selected parameters
2100           can be inherited. Currently the following options can be inherited:
2101
2102           ldap_search_timeout
2103
2104           ldap_network_timeout
2105
2106           ldap_opt_timeout
2107
2108           ldap_offline_timeout
2109
2110           ldap_enumeration_refresh_timeout
2111
2112           ldap_enumeration_refresh_offset
2113
2114           ldap_purge_cache_timeout
2115
2116           ldap_purge_cache_offset
2117
2118           ldap_krb5_keytab (the value of krb5_keytab will be used if
2119           ldap_krb5_keytab is not set explicitly)
2120
2121           ldap_krb5_ticket_lifetime
2122
2123           ldap_enumeration_search_timeout
2124
2125           ldap_connection_expire_timeout
2126
2127           ldap_connection_expire_offset
2128
2129           ldap_connection_idle_timeout
2130
2131           ldap_use_tokengroups
2132
2133           ldap_user_principal
2134
2135           ignore_group_members
2136
2137           auto_private_groups
2138
2139           case_sensitive
2140
2141           Example:
2142
2143               subdomain_inherit = ldap_purge_cache_timeout
2144
2145
2146           Default: none
2147
2148           Note: This option only works with the IPA and AD provider.
2149
2150       subdomain_homedir (string)
2151           Use this homedir as the default value for all subdomains within
2152           this domain in an IPA-AD trust. See override_homedir for info about
2153           possible values. In addition to those, the expansion below can only
2154           be used with subdomain_homedir.
2155
2156           %F
2157               flat (NetBIOS) name of a subdomain.
2158
2159           The value can be overridden by the override_homedir option.
2160
2161           Default: /home/%d/%u
2162
2163       realmd_tags (string)
2164           Various tags stored by the realmd configuration service for this
2165           domain.
2166
2167       cached_auth_timeout (int)
2168           Specifies the time in seconds since the last successful online
2169           authentication for which the user will be authenticated using
2170           cached credentials while SSSD is in online mode. If the credentials
2171           are incorrect, SSSD falls back to online authentication.
2172
2173           This option's value is inherited by all trusted domains. At the
2174           moment it is not possible to set a different value per trusted
2175           domain.
2176
2177           Special value 0 implies that this feature is disabled.
2178
2179           Please note that if “cached_auth_timeout” is longer than
2180           “pam_id_timeout” then the back end could be called to handle
2181           “initgroups.”
2182
2183           Default: 0
2184
2185       local_auth_policy (string)
2186           Local authentication methods policy. Some backends (i.e. LDAP,
2187           proxy provider) only support a password based authentication, while
2188           others can handle PKINIT based Smartcard authentication (AD, IPA),
2189           two-factor authentication (IPA), or other methods against a central
2190           instance. By default in such cases authentication is only performed
2191           with the methods supported by the backend.
2192
2193           There are three possible values for this option: match, only,
2194           enable.  “match” is used to match offline and online states for
2195           Kerberos methods.  “only” ignores the online methods and only offers
2196           the local ones.  “enable” allows explicitly defining the methods for
2197           local authentication. As an example, “enable:passkey” only enables
2198           passkey for local authentication. Multiple enable values should be
2199           comma-separated, such as “enable:passkey, enable:smartcard”.
2200
2201           Please note that if local Smartcard authentication is enabled and a
2202           Smartcard is present, Smartcard authentication will be preferred
2203           over the authentication methods supported by the backend. I.e.
2204           there will be a PIN prompt instead of e.g. a password prompt.
2205
2206           The following configuration example allows local users to
2207           authenticate locally using any enabled method (i.e. smartcard,
2208           passkey).
2209
2210               [domain/shadowutils]
2211               id_provider = proxy
2212               proxy_lib_name = files
2213               auth_provider = none
2214               local_auth_policy = only
2215
2216           This option is ignored for the files provider.
2217
2218           Default: match
2219
2220       auto_private_groups (string)
2221           This option takes any of three available values:
2222
2223           true
2224               Create user's private group unconditionally from user's UID
2225               number. The GID number is ignored in this case.
2226
2227               NOTE: Because the GID number and the user private group are
2228               inferred from the UID number, it is not supported to have
2229               multiple entries with the same UID or GID number with this
2230               option. In other words, enabling this option enforces
2231               uniqueness across the ID space.
2232
2233           false
2234               Always use the user's primary GID number. The GID number must
2235               refer to a group object in the LDAP database.
2236
2237           hybrid
2238               A primary group is autogenerated for user entries whose UID and
2239               GID numbers have the same value and at the same time the GID
2240               number does not correspond to a real group object in LDAP. If
2241               the values are the same, but the primary GID in the user entry
2242               is also used by a group object, the primary GID of the user
2243               resolves to that group object.
2244
2245               If the UID and GID of a user are different, then the GID must
2246               correspond to a group entry, otherwise the GID is simply not
2247               resolvable.
2248
2249               This feature is useful for environments that wish to stop
2250               maintaining separate group objects for the user private
2251               groups, but also wish to retain the existing user private
2252               groups.
2253
2254           For subdomains, the default value is False for subdomains that use
2255           assigned POSIX IDs and True for subdomains that use automatic
2256           ID-mapping.
2257
2258           The value of auto_private_groups can either be set per subdomain
2259           in a subsection, for example:
2260
2261               [domain/forest.domain/sub.domain]
2262               auto_private_groups = false
2263
2264           or globally for all subdomains in the main domain section using the
2265           subdomain_inherit option:
2266
2267               [domain/forest.domain]
2268               subdomain_inherit = auto_private_groups
2269               auto_private_groups = false
2270
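The three auto_private_groups modes above differ only in how a user entry's UID, its primary GID and the group objects that actually exist in LDAP are combined. The following Python is an added example (not SSSD code) that encodes those rules over a constructed, in-memory stand-in for the directory, including the hybrid edge cases and a conservative check for the uniqueness note under the “true” value; the name given to an autogenerated private group (the user's own name) is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data standing in for LDAP objects (not a real directory).
# GROUPS maps gidNumber -> group name for the group objects that exist.
GROUPS: Dict[int, str] = {
    10000: "alice",   # a group object whose GID happens to equal alice's UID
    20000: "staff",   # an ordinary shared group
}
# USERS maps user name -> (uidNumber, primary gidNumber) from the user entry.
USERS: Dict[str, tuple] = {
    "alice": (10000, 10000),  # uid == gid and a group object with that GID exists
    "bob":   (10001, 10001),  # uid == gid, no group object with that GID
    "carol": (10002, 20000),  # uid != gid, gid refers to an existing group
    "dave":  (10003, 30000),  # uid != gid, gid refers to nothing
}


@dataclass(frozen=True)
class PrimaryGroup:
    gid: int
    name: str
    autogenerated: bool   # True when the user private group is fabricated


def resolve_primary_group(name: str, uid: int, gid: int, mode: str,
                          groups: Dict[int, str]) -> Optional[PrimaryGroup]:
    """Resolve a user's primary group under auto_private_groups = true|false|hybrid.

    Returns None when the GID is simply not resolvable. The private group is
    assumed to carry the user's own name (assumption of this example).
    """
    if mode == "true":
        # Private group comes unconditionally from the UID; the entry's GID is ignored.
        return PrimaryGroup(uid, name, autogenerated=True)
    if mode == "false":
        # The GID must refer to a real group object.
        return PrimaryGroup(gid, groups[gid], False) if gid in groups else None
    if mode == "hybrid":
        if gid in groups:
            # A real group object wins, even when uid == gid.
            return PrimaryGroup(gid, groups[gid], False)
        if uid == gid:
            # uid == gid and no group object: autogenerate the private group.
            return PrimaryGroup(uid, name, autogenerated=True)
        # uid != gid and no group object: not resolvable.
        return None
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def id_space_conflicts(users: Dict[str, tuple], groups: Dict[int, str]) -> List[str]:
    """Conservative check for the NOTE on auto_private_groups = true.

    Every UID doubles as the GID of the private group, so a UID shared by two
    users, or equal to the GID of an existing group object, breaks the
    uniqueness the option requires. (How SSSD itself reacts is not described
    on the page; this only reports the overlap.)
    """
    conflicts: List[str] = []
    seen: Dict[int, str] = {}
    for name, (uid, _gid) in users.items():
        if uid in seen:
            conflicts.append(f"uid {uid} shared by {seen[uid]} and {name}")
        seen[uid] = name
        if uid in groups:
            conflicts.append(f"uid {uid} of {name} collides with group {groups[uid]!r}")
    return conflicts


def subdomain_default(uses_automatic_id_mapping: bool) -> str:
    """Default for a subdomain: true with automatic ID-mapping, false with assigned POSIX IDs."""
    return "true" if uses_automatic_id_mapping else "false"


if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        print(f"auto_private_groups = {mode}")
        for user, (uid, gid) in USERS.items():
            print(f"  {user:6} -> {resolve_primary_group(user, uid, gid, mode, GROUPS)}")
    print("conflicts under 'true':", id_space_conflicts(USERS, GROUPS))
```

Running it shows why “hybrid” is the migration-friendly value: alice keeps her existing group object, bob gets a generated private group, and dave's dangling GID stays unresolvable exactly as under “false”.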
2271
2272       Options valid for proxy domains.
2273
2274       proxy_pam_target (string)
2275           The proxy target PAM proxies to.
2276
2277           Default: not set by default, you have to take an existing pam
2278           configuration or create a new one and add the service name here. As
2279           an alternative you can enable local authentication with the
2280           local_auth_policy option.
2281
2282       proxy_lib_name (string)
2283           The name of the NSS library to use in proxy domains. The NSS
2284           functions searched for in the library are in the form of
2285           _nss_$(libName)_$(function), for example _nss_files_getpwent.
2286
2287       proxy_resolver_lib_name (string)
2288           The name of the NSS library to use for hosts and networks lookups
2289           in proxy domains. The NSS functions searched for in the library are
2290           in the form of _nss_$(libName)_$(function), for example
2291           _nss_dns_gethostbyname2_r.
2292
2293       proxy_fast_alias (boolean)
2294           When a user or group is looked up by name in the proxy provider, a
2295           second lookup by ID is performed to "canonicalize" the name in case
2296           the requested name was an alias. Setting this option to true causes
2297           SSSD to perform the ID lookup from the cache for performance
2298           reasons.
2299
2300           Default: false
2301
2302       proxy_max_children (integer)
2303           This option specifies the number of pre-forked proxy children. It
2304           is useful for high-load SSSD environments where sssd may run out of
2305           available child slots, which would cause some issues due to the
2306           requests being queued.
2307
2308           Default: 10
2309
2310   Application domains
2311       SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
2312       applications as a gateway to an LDAP directory where users and groups
2313       are stored. However, contrary to the traditional SSSD deployment where
2314       all users and groups either have POSIX attributes or those attributes
2315       can be inferred from the Windows SIDs, in many cases the users and
2316       groups in the application support scenario have no POSIX attributes.
2317       Instead of setting a “[domain/NAME]” section, the administrator can set
2318       up an “[application/NAME]” section that internally represents a domain
2319       of type “application” and optionally inherits settings from a
2320       traditional SSSD domain.
2321
2322       Please note that the application domain must still be explicitly
2323       enabled in the “domains” parameter so that the lookup order between the
2324       application domain and its POSIX sibling domain is set correctly.
2325
2326       Application domain parameters
2327
2328       inherit_from (string)
2329           The SSSD POSIX-type domain the application domain inherits all
2330           settings from. The application domain can moreover add its own
2331           settings to the application settings that augment or override the
2332           “sibling” domain settings.
2333
2334           Default: Not set
2335
2336       The following example illustrates the use of an application domain. In
2337       this setup, the POSIX domain is connected to an LDAP server and is used
2338       by the OS through the NSS responder. In addition, the application
2339       domain also requests the telephoneNumber attribute, stores it as the
2340       phone attribute in the cache and makes the phone attribute reachable
2341       through the D-Bus interface.
2342
2343           [sssd]
2344           domains = appdom, posixdom
2345
2346           [ifp]
2347           user_attributes = +phone
2348
2349           [domain/posixdom]
2350           id_provider = ldap
2351           ldap_uri = ldap://ldap.example.com
2352           ldap_search_base = dc=example,dc=com
2353
2354           [application/appdom]
2355           inherit_from = posixdom
2356           ldap_user_extra_attrs = phone:telephoneNumber
2357

TRUSTED DOMAIN SECTION

2359       Some options used in the domain section can also be used in the trusted
2360       domain section, that is, in a section called
2361       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2362       actual joined-to base domain. Please refer to the examples below for an
2363       explanation. Currently supported options in the trusted domain section
2364       are:
2365
2366       ldap_search_base,
2367
2368       ldap_user_search_base,
2369
2370       ldap_group_search_base,
2371
2372       ldap_netgroup_search_base,
2373
2374       ldap_service_search_base,
2375
2376       ldap_sasl_mech,
2377
2378       ad_server,
2379
2380       ad_backup_server,
2381
2382       ad_site,
2383
2384       use_fully_qualified_names
2385
2386       pam_gssapi_services
2387
2388       pam_gssapi_check_upn
2389
2390       For more details about these options see their individual description
2391       in the manual page.
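The structural rules spread across this page (ini-style syntax with whole-line comments only, every name in “domains” needing a “[domain/NAME]” or “[application/NAME]” section, an application domain having to be enabled in “domains” and inheriting from an existing POSIX-type domain, and a trusted domain subsection accepting only the options listed above) can be checked mechanically before SSSD is restarted. The following Python is an added example, not part of SSSD or its tooling: a minimal parser plus a validator run over a constructed configuration that deliberately contains two mistakes. The option `ldap_id_mapping` is a real sssd-ldap option used here only because it is not in the list the trusted domain section supports; the domain names are invented.

```python
import re
from typing import Dict, List

# Constructed sssd.conf text modelled on the page's examples; it is not a real
# deployment and deliberately contains two mistakes for the validator to find.
SAMPLE_CONF = """\
# whole-line comments start with '#' ...
; ... or with ';'; inline comments are not supported
[sssd]
domains = appdom, posixdom, ipa.example, legacy
services = nss, pam

[domain/posixdom]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

[application/appdom]
inherit_from = posixdom
ldap_user_extra_attrs = phone:telephoneNumber

[domain/ipa.example]
id_provider = ipa

[domain/ipa.example/child.ad.example]
description = trusted AD child domain
use_fully_qualified_names = false
ad_site = Default-First-Site-Name
ldap_id_mapping = true
"""

# Options the page lists as valid in a [domain/DOMAIN/TRUSTED_DOMAIN] section.
TRUSTED_DOMAIN_OPTIONS = frozenset({
    "ldap_search_base", "ldap_user_search_base", "ldap_group_search_base",
    "ldap_netgroup_search_base", "ldap_service_search_base", "ldap_sasl_mech",
    "ad_server", "ad_backup_server", "ad_site", "use_fully_qualified_names",
    "pam_gssapi_services", "pam_gssapi_check_upn",
    "description",   # every section may carry the optional description label
})


def parse_sssd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ini-style parser for sssd.conf (sections, key = value, comments)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or whole-line comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected a section header or key = value")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_sssd_conf(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Structural checks taken from the manual page; returns human-readable problems."""
    problems: List[str] = []
    domains = split_list(sections.get("sssd", {}).get("domains", ""))

    # Every name in [sssd] domains needs a [domain/NAME] or [application/NAME] section.
    for d in domains:
        if f"domain/{d}" not in sections and f"application/{d}" not in sections:
            problems.append(f"'{d}' is listed in [sssd] domains but has no section")

    for name, opts in sections.items():
        parts = name.split("/")
        if parts[0] == "application" and len(parts) == 2:
            # Must be enabled in 'domains'; inherit_from must name a POSIX-type domain.
            if parts[1] not in domains:
                problems.append(f"[{name}] is not enabled in [sssd] domains")
            parent = opts.get("inherit_from")
            if parent and f"domain/{parent}" not in sections:
                problems.append(f"[{name}] inherits from unknown domain '{parent}'")
        elif parts[0] == "domain" and len(parts) == 3:
            # Trusted domain subsection: parent must exist, options are restricted.
            if f"domain/{parts[1]}" not in sections:
                problems.append(f"[{name}] has no parent section [domain/{parts[1]}]")
            for key in opts:
                if key not in TRUSTED_DOMAIN_OPTIONS:
                    problems.append(f"[{name}]: '{key}' is not supported in a trusted domain section")
    return problems


if __name__ == "__main__":
    for p in validate_sssd_conf(parse_sssd_conf(SAMPLE_CONF)):
        print("problem:", p)
```

Against the sample it reports the “legacy” domain that has no section and the unsupported option in the trusted domain subsection; everything else parses cleanly. The parser is intentionally strict about the “no inline comments” rule: a trailing `# note` after a value would become part of the value, which is exactly what SSSD would see.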
2392

CERTIFICATE MAPPING SECTION

2394       To allow authentication with Smartcards and certificates SSSD must be
2395       able to map certificates to users. This can be done by adding the full
2396       certificate to the LDAP object of the user or to a local override.
2397       While using the full certificate is required to use the Smartcard
2398       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2399       details) it might be cumbersome or not even possible to do this for the
2400       general case where local services use PAM for authentication.
2401
2402       To make the mapping more flexible, mapping and matching rules were added
2403       to SSSD (see sss-certmap(5) for details).
2404
2405       A mapping and matching rule can be added to the SSSD configuration in a
2406       section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2407       In this section the following options are allowed:
2408
2409       matchrule (string)
2410           Only certificates from the Smartcard which match this rule will
2411           be processed, all others are ignored.
2412
2413           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2414           the Extended Key Usage “clientAuth”
2415
2416       maprule (string)
2417           Defines how the user is found for a given certificate.
2418
2419           Default:
2420
2421           •   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2422               providers like “ldap”, “AD” or “ipa”.
2423
2424           •   The RULE_NAME for the “files” provider which tries to find a
2425               user with the same name.
2426
2427
2428       domains (string)
2429           Comma separated list of domain names the rule should be applied to.
2430           By default a rule is only valid in the domain configured in
2431           sssd.conf. If the provider supports subdomains this option can be
2432           used to add the rule to subdomains as well.
2433
2434           Default: the configured domain in sssd.conf
2435
2436       priority (integer)
2437           Unsigned integer value defining the priority of the rule. The
2438           higher the number the lower the priority.  “0” stands for the
2439           highest priority while “4294967295” is the lowest.
2440
2441           Default: the lowest priority
2442
2443       To make the configuration simple and reduce the amount of configuration
2444       options the “files” provider has some special properties:
2445
2446       •   if maprule is not set the RULE_NAME name is assumed to be the name
2447           of the matching user
2448
2449       •   if a maprule is used, both a single user name and a template like
2450           “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
2451           e.g. “(username)” or “({subject_rfc822_name.short_name})”
2452
2453       •   the “domains” option is ignored
2454
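The certmap section rules above (default matchrule, lowest priority as the default with “0” being the highest, “domains” defaulting to the configured domain, and the special files-provider handling of maprule) are easy to get backwards when several rules coexist. The following Python is an added example, not SSSD's or sss-certmap's code: it builds rule objects from parsed “[certmap/DOMAIN/RULE]” sections, orders them the way the priority semantics describe, and applies the files-provider conventions. The constructed `SECTIONS` extend example 3 of this page with two extra rules, and `cert_fields` is a stand-in for the values sss-certmap derives from a certificate; the template substitution is a simplification of this example, not SSSD's template engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PRIORITY = 4294967295   # lowest priority; also the default when unset


@dataclass
class CertmapRule:
    domain: str                 # DOMAIN_NAME from [certmap/DOMAIN_NAME/RULE_NAME]
    name: str                   # RULE_NAME from the section name
    matchrule: str = "KRB5:<EKU>clientAuth"
    maprule: Optional[str] = None
    domains: Optional[List[str]] = None   # None -> only the configured domain
    priority: int = MAX_PRIORITY


def rule_from_section(section: str, opts: Dict[str, str]) -> CertmapRule:
    """Build a rule from a parsed [certmap/DOMAIN/RULE] section and its options."""
    parts = section.split("/")
    if len(parts) != 3 or parts[0] != "certmap":
        raise ValueError(f"not a certmap section: [{section}]")
    rule = CertmapRule(domain=parts[1], name=parts[2])
    if "matchrule" in opts:
        rule.matchrule = opts["matchrule"]
    if "maprule" in opts:
        rule.maprule = opts["maprule"]
    if "domains" in opts:
        rule.domains = [d.strip() for d in opts["domains"].split(",") if d.strip()]
    if "priority" in opts:
        prio = int(opts["priority"])          # unsigned 32-bit range per the page
        if not 0 <= prio <= MAX_PRIORITY:
            raise ValueError(f"[{section}]: priority must be 0..{MAX_PRIORITY}")
        rule.priority = prio
    return rule


def applicable_domains(rule: CertmapRule) -> List[str]:
    return rule.domains if rule.domains else [rule.domain]


def ordered_rules(rules: List[CertmapRule], domain: str) -> List[CertmapRule]:
    """Rules that apply to 'domain', highest priority (lowest number) first.
    Ties keep configuration order because sorted() is stable."""
    return sorted((r for r in rules if domain in applicable_domains(r)),
                  key=lambda r: r.priority)


_FILES_MAPRULE = re.compile(r"\((.*)\)")
_TEMPLATE = re.compile(r"\{([^}]+)\}")


def is_valid_files_maprule(maprule: str) -> bool:
    """For the files provider a maprule must be wrapped in parentheses."""
    return _FILES_MAPRULE.fullmatch(maprule) is not None


def files_provider_user(rule: CertmapRule, cert_fields: Dict[str, str]) -> str:
    """User name a files-provider rule maps a certificate to.

    cert_fields stands in for values sss-certmap derives from the certificate
    (e.g. subject_rfc822_name.short_name); constructed input for this example.
    """
    if rule.maprule is None:
        return rule.name                      # RULE_NAME is the user name
    if not is_valid_files_maprule(rule.maprule):
        raise ValueError(f"files provider maprule must be in parentheses: {rule.maprule!r}")
    inner = _FILES_MAPRULE.fullmatch(rule.maprule).group(1)
    return _TEMPLATE.sub(lambda m: cert_fields[m.group(1)], inner)


# Constructed configuration modelled on example 3 of the page, plus two extra rules.
SECTIONS = {
    "certmap/my.domain/rule_name": {
        "matchrule": "<ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$",
        "maprule": "(userCertificate;binary={cert!bin})",
        "domains": "my.domain, your.domain",
        "priority": "10",
    },
    "certmap/my.domain/urgent": {"priority": "0"},      # highest priority
    "certmap/my.domain/fallback": {},                   # all defaults: lowest priority
}


if __name__ == "__main__":
    rules = [rule_from_section(n, o) for n, o in SECTIONS.items()]
    for dom in ("my.domain", "your.domain"):
        print(dom, "->", [(r.name, r.priority) for r in ordered_rules(rules, dom)])
    print(files_provider_user(rule_from_section("certmap/files/alice", {}), {}))
```

For “my.domain” the order comes out as urgent (0), rule_name (10), fallback (default, lowest); for “your.domain” only rule_name applies because it is the only rule whose “domains” names it. Note that the unset priority is not zero: leaving it out makes a rule the last candidate, not the first.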
2455

PROMPTING CONFIGURATION SECTION

2457       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
2458       SSSD's PAM module pam_sss will ask SSSD to figure out which
2459       authentication methods are available for the user trying to log in.
2460       Based on the results pam_sss will prompt the user for appropriate
2461       credentials.
2462
2463       With the growing number of authentication methods and the possibility
2464       that there are multiple ones for a single user the heuristic used by
2465       pam_sss to select the prompting might not be suitable for all use
2466       cases. The following options should provide a better flexibility here.
2467
2468       Each supported authentication method has its own configuration
2469       subsection under “[prompting/...]”. Currently there are:
2470
2471       [prompting/password]
2472           to configure password prompting, allowed options are:
2473
2474           password_prompt
2475               to change the string of the password prompt
2476
2477
2478       [prompting/2fa]
2479           to configure two-factor authentication prompting, allowed options
2480           are:
2481
2482           first_prompt
2483               to change the string of the prompt for the first factor
2484
2485           second_prompt
2486               to change the string of the prompt for the second factor
2487
2488           single_prompt
2489               boolean value, if True there will be only a single prompt using
2490               the value of first_prompt where it is expected that both
2491               factors are entered as a single string. Please note that both
2492               factors have to be entered here, even if the second factor is
2493               optional.
2494
2495           If the second factor is optional and it should be possible to log
2496           in either only with the password or with both factors two-step
2497           prompting has to be used.
2498
2499       [prompting/passkey]
2500           to configure passkey authentication prompting, allowed options are:
2501
2502           interactive
2503               boolean value, if True prompt a message and wait before testing
2504               the presence of a passkey device. Recommended if your device
2505               doesn’t have a tactile trigger.
2506
2507           interactive_prompt
2508               to change the message of the interactive prompt.
2509
2510           touch
2511               boolean value, if True prompt a message to remind the user to
2512               touch the device.
2513
2514           touch_prompt
2515               to change the message of the touch prompt.
2516
2517
2518       It is possible to add a subsection for specific PAM services, e.g.
2519       “[prompting/password/sshd]” to individually change the prompting for
2520       this service.
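The lookup order implied by this section is per option: a “[prompting/METHOD/SERVICE]” subsection overrides the matching “[prompting/METHOD]” section, which in turn overrides the built-in prompt. The following Python is an added example, not SSSD or pam_sss code, that resolves options that way over a constructed, already-parsed configuration and derives the prompts shown for 2fa and passkey; the built-in fallback strings in `BUILTIN`, the PAM service names and the prompt texts are assumptions of the example, and the handling of an optional second factor follows the sentence above about two-step prompting.

```python
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]

# Constructed parsed configuration (section name -> options) of the kind a
# sssd.conf parser would yield; the prompt strings are made up for this example.
PROMPTING: Config = {
    "prompting/password":         {"password_prompt": "Corp password: "},
    "prompting/password/sshd":    {"password_prompt": "SSH password for corp account: "},
    "prompting/2fa":              {"first_prompt": "Password: ", "second_prompt": "OTP: ",
                                   "single_prompt": "false"},
    "prompting/2fa/gdm-password": {"single_prompt": "true"},
    "prompting/passkey":          {"interactive": "true", "touch": "true"},
}

# Fallbacks when neither the service subsection nor the method section sets an
# option. These strings are an assumption of this example, not taken from the page.
BUILTIN: Dict[str, Dict[str, str]] = {
    "password": {"password_prompt": "Password: "},
    "2fa": {"first_prompt": "First Factor: ", "second_prompt": "Second Factor: ",
            "single_prompt": "false"},
    "passkey": {"interactive": "false",
                "interactive_prompt": "Insert your passkey device, then press ENTER.",
                "touch": "false",
                "touch_prompt": "Please touch the device."},
}


def as_bool(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def prompt_option(config: Config, method: str, service: str, option: str) -> str:
    """Resolve an option: [prompting/METHOD/SERVICE] wins over [prompting/METHOD],
    which wins over the built-in default."""
    for section in (f"prompting/{method}/{service}", f"prompting/{method}"):
        opts = config.get(section, {})
        if option in opts:
            return opts[option]
    return BUILTIN[method][option]


def two_factor_prompts(config: Config, service: str,
                       second_factor_optional: bool = False) -> List[str]:
    """Prompts shown for 2fa. With single_prompt both factors are read as one
    string; when the second factor is optional, two-step prompting is required,
    so single_prompt is not honoured in that case."""
    single = as_bool(prompt_option(config, "2fa", service, "single_prompt"))
    first = prompt_option(config, "2fa", service, "first_prompt")
    if single and not second_factor_optional:
        return [first]
    return [first, prompt_option(config, "2fa", service, "second_prompt")]


def passkey_messages(config: Config, service: str) -> List[Tuple[str, str]]:
    """(stage, message) pairs shown before/while the passkey device is tested."""
    messages: List[Tuple[str, str]] = []
    if as_bool(prompt_option(config, "passkey", service, "interactive")):
        messages.append(("interactive",
                         prompt_option(config, "passkey", service, "interactive_prompt")))
    if as_bool(prompt_option(config, "passkey", service, "touch")):
        messages.append(("touch", prompt_option(config, "passkey", service, "touch_prompt")))
    return messages


if __name__ == "__main__":
    for svc in ("sshd", "login", "gdm-password"):
        print(svc, repr(prompt_option(PROMPTING, "password", svc, "password_prompt")),
              two_factor_prompts(PROMPTING, svc), passkey_messages(PROMPTING, svc))
```

With this configuration sshd gets its own password prompt while login falls back to the method-wide one, and only gdm-password collapses the two factors into a single prompt, since the per-service subsection overrides just `single_prompt` and inherits `first_prompt` from “[prompting/2fa]”.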
2521

EXAMPLES

2523       1. The following example shows a typical SSSD config. It does not
2524       describe configuration of the domains themselves - refer to
2525       documentation on configuring domains for more details.
2526
2527           [sssd]
2528           domains = LDAP
2529           services = nss, pam
2530           config_file_version = 2
2531
2532           [nss]
2533           filter_groups = root
2534           filter_users = root
2535
2536           [pam]
2537
2538           [domain/LDAP]
2539           id_provider = ldap
2540           ldap_uri = ldap://ldap.example.com
2541           ldap_search_base = dc=example,dc=com
2542
2543           auth_provider = krb5
2544           krb5_server = kerberos.example.com
2545           krb5_realm = EXAMPLE.COM
2546           cache_credentials = true
2547
2548           min_id = 10000
2549           max_id = 20000
2550           enumerate = False
2551
2552       2. The following example shows configuration of IPA AD trust where the
2553       AD forest consists of two domains in a parent-child structure. Suppose
2554       the IPA domain (ipa.com) has a trust with the AD domain (ad.com), and
2555       ad.com has a child domain (child.ad.com). To enable short names in the
2556       child domain the following configuration should be used.
2557
2558           [domain/ipa.com/child.ad.com]
2559           use_fully_qualified_names = false
2560
2561       3. The following example shows the configuration of a certificate
2562       mapping rule. It is valid for the configured domain “my.domain” and
2563       additionally for the subdomain “your.domain”, and uses the full
2564       certificate in the search filter.
2565
2566           [certmap/my.domain/rule_name]
2567           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2568           maprule = (userCertificate;binary={cert!bin})
2569           domains = my.domain, your.domain
2570           priority = 10
2571
2572

SEE ALSO

2574       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-
2575       krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-
2576       sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
2577       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
2578       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
2579       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).
2580

AUTHORS

2582       The SSSD upstream - https://github.com/SSSD/sssd/
2583
2584
2585
2586SSSD                              11/15/2023                      SSSD.CONF(5)