SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)

NAME
sssd.conf - the configuration file for SSSD

FILE FORMAT
The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of a
section with single- and multi-valued parameters:

[section]
key = value
key2 = value2,value3

The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).

A comment line starts with a hash sign (“#”) or a semicolon (“;”).
Inline comments are not supported.

All sections can have an optional description parameter. Its function
is only as a label for the section.

sssd.conf must be a regular file, owned by root, and only root may read
from or write to the file.

CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY
The configuration file sssd.conf will include configuration snippets
from the include directory conf.d. This feature is available if SSSD
was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with
a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than
sssd.conf and will override sssd.conf when conflicts occur. If several
snippets are present in conf.d, they are included in alphabetical
order (based on locale). Files included later have higher priority.
Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
visualize the priority (a higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf,
which are by default root:root and 0600.
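
The precedence rules above, worked through as an added example (not part of this manual page or of SSSD itself): a loader that merges sssd.conf with its conf.d snippets in sorted order, skips dotfiles and non-.conf files, and reports any file that is not root-owned mode 0600. The configuration tree it builds is constructed in a temporary directory for illustration.

```python
import configparser
import os
import stat
import tempfile


def check_perms(path):
    """Report deviations from what sssd.conf and its snippets require:
    a regular file, owned by root:root, mode 0600."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s: not a regular file" % path)
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("%s: owned by %d:%d, expected 0:0" % (path, st.st_uid, st.st_gid))
    if mode != 0o600:
        problems.append("%s: mode %04o, expected 0600" % (path, mode))
    return problems


def snippet_paths(conf_dir):
    """Snippets are the files in conf.d ending in '.conf' and not starting
    with '.', included in sorted order so that later names win.  sorted()
    uses codepoint order; SSSD sorts by locale, which agrees for the usual
    01_, 02_ prefixes."""
    if not os.path.isdir(conf_dir):
        return []
    names = [n for n in os.listdir(conf_dir)
             if n.endswith(".conf") and not n.startswith(".")]
    return [os.path.join(conf_dir, n) for n in sorted(names)]


def effective_config(main_path):
    """Merge sssd.conf with its conf.d snippets: later files override earlier
    ones key by key, and sections only present in a snippet are added."""
    conf_d = os.path.join(os.path.dirname(main_path), "conf.d")
    merged = {}
    for path in [main_path] + snippet_paths(conf_d):
        # interpolation=None keeps values such as %1$s literal; optionxform=str
        # keeps option names exactly as written in the file.
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str
        cp.read(path)
        for section in cp.sections():
            merged.setdefault(section, {}).update(cp.items(section))
    return merged


def demo():
    """Constructed example tree (not a real host's configuration): sssd.conf sets
    debug_level = 2, two snippets override it, and the higher-numbered one wins."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf.d"))
    files = {
        "sssd.conf": "[sssd]\nservices = nss, pam\ndomains = example.com\ndebug_level = 2\n",
        "conf.d/01_debug.conf": "[sssd]\ndebug_level = 6\n",
        "conf.d/02_nss.conf": "; raise the nss cache lifetime\n[nss]\nmemcache_timeout = 600\n"
                              "[sssd]\ndebug_level = 9\n",
        "conf.d/.03_hidden.conf": "[sssd]\ndebug_level = 0\n",  # ignored: starts with '.'
        "conf.d/notes.txt": "[sssd]\ndebug_level = 1\n",         # ignored: not *.conf
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
    main_path = os.path.join(root, "sssd.conf")
    return effective_config(main_path), check_perms(main_path)


if __name__ == "__main__":
    cfg, problems = demo()
    print(cfg["sssd"], cfg["nss"], problems)
```

Run as a non-root user, check_perms reports the ownership mismatch for the temporary files, which is exactly the finding it would raise for a mis-owned snippet on a real host.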
48
50 Following options are usable in more than one configuration sections.
51
52 Options usable in all sections
53 debug_level (integer)
54 SSSD supports two representations for specifying the debug level.
55 The simplest is to specify a decimal value from 0-9, which
56 represents enabling that level and all lower-level debug messages.
57 The more comprehensive option is to specify a hexadecimal bitmask
58 to enable or disable specific levels (such as if you wish to
59 suppress a level).
60
61 Please note that each SSSD service logs into its own log file. Also
62 please note that enabling “debug_level” in the “[sssd]” section
63 only enables debugging just for the sssd process itself, not for
64 the responder or provider processes. The “debug_level” parameter
65 should be added to all sections that you wish to produce debug logs
66 from.
67
68 In addition to changing the log level in the config file using the
69 “debug_level” parameter, which is persistent, but requires SSSD
70 restart, it is also possible to change the debug level on the fly
71 using the sss_debuglevel(8) tool.
72
73 Currently supported debug levels:
74
75 0, 0x0010: Fatal failures. Anything that would prevent SSSD from
76 starting up or causes it to cease running.
77
78 1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
79 one that indicates that at least one major feature is not going to
80 work properly.
81
82 2, 0x0040: Serious failures. An error announcing that a particular
83 request or operation has failed.
84
85 3, 0x0080: Minor failures. These are the errors that would
86 percolate down to cause the operation failure of 2.
87
88 4, 0x0100: Configuration settings.
89
90 5, 0x0200: Function data.
91
92 6, 0x0400: Trace messages for operation functions.
93
94 7, 0x1000: Trace messages for internal control functions.
95
96 8, 0x2000: Contents of function-internal variables that may be
97 interesting.
98
99 9, 0x4000: Extremely low-level tracing information.
100
101 10, 0x10000: Even more low-level libldb tracing information. Almost
102 never really required.
103
104 To log required bitmask debug levels, simply add their numbers
105 together as shown in following examples:
106
107 Example: To log fatal failures, critical failures, serious failures
108 and function data use 0x0270.
109
110 Example: To log fatal failures, configuration settings, function
111 data, trace messages for internal control functions use 0x1310.
112
113 Note: The bitmask format of debug levels was introduced in 1.7.0.
114
115 Default: 0x0070 (i.e. fatal, critical and serious failures;
116 corresponds to setting 2 in decimal notation)
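
The two representations and the "add their numbers together" rule, as an added example that is not part of this manual page: helpers that convert a decimal level to its cumulative bitmask, build a mask from chosen levels, decode a mask back to levels, and accept either form as written in sssd.conf. Note that level 7 is 0x1000 rather than 0x0800, so a cumulative mask is not simply 2**n - 1; rejecting unassigned bits is this checker's choice, since the page does not say how SSSD treats them.

```python
# Bit assigned to each decimal debug level, exactly as listed above.
LEVEL_BITS = {
    0: 0x0010, 1: 0x0020, 2: 0x0040, 3: 0x0080, 4: 0x0100, 5: 0x0200,
    6: 0x0400, 7: 0x1000, 8: 0x2000, 9: 0x4000, 10: 0x10000,
}
ALL_BITS = 0
for _bit in LEVEL_BITS.values():
    ALL_BITS |= _bit


def mask_for_levels(levels):
    """Bitmask enabling exactly the given decimal levels (the 'add their
    numbers together' rule from the examples above)."""
    mask = 0
    for lvl in levels:
        mask |= LEVEL_BITS[lvl]
    return mask


def mask_for_decimal(n):
    """Decimal form: level n enables n and every lower level."""
    if n < 0 or n > 10:
        raise ValueError("decimal debug_level must be 0-10, got %r" % n)
    return mask_for_levels(range(n + 1))


def levels_in_mask(mask):
    """Decode a bitmask back into the sorted list of enabled decimal levels."""
    return [lvl for lvl, bit in sorted(LEVEL_BITS.items()) if mask & bit]


def parse_debug_level(value):
    """Accept either representation found in sssd.conf and return the bitmask.
    Bits that belong to no documented level are rejected by this helper."""
    value = value.strip()
    if value.lower().startswith("0x"):
        mask = int(value, 16)
        stray = mask & ~ALL_BITS
        if stray:
            raise ValueError("bits 0x%x do not correspond to any debug level" % stray)
        return mask
    return mask_for_decimal(int(value))


if __name__ == "__main__":
    for setting in ("2", "0x0270", "0x1310", "9"):
        mask = parse_debug_level(setting)
        print("%-7s -> 0x%04X enables levels %s" % (setting, mask, levels_in_mask(mask)))
```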

debug (integer)
SSSD 1.14 and later also includes the debug alias for debug_level
as a convenience feature. If both are specified, the value of
debug_level will be used.

debug_timestamps (bool)
Add a timestamp to the debug messages. If journald is enabled for
SSSD debug logging, this option is ignored.

Default: true

debug_microseconds (bool)
Add microseconds to the timestamp in debug messages. If journald is
enabled for SSSD debug logging, this option is ignored.

Default: false

debug_backtrace_enabled (bool)
Enable debug backtrace.

In case SSSD is run with debug_level less than 9, everything is
logged to a ring buffer in memory and flushed to a log file on any
error up to and including `min(0x0040, debug_level)` (i.e. if
debug_level is explicitly set to 0 or 1 then only those error
levels will trigger a backtrace, otherwise up to 2).

The feature is only supported for `logger == files` (i.e. the setting
has no effect for other logger types).

Default: true

Options usable in SERVICE and DOMAIN sections
timeout (integer)
Timeout in seconds between heartbeats for this service. This is
used to ensure that the process is alive and capable of answering
requests. Note that after three missed heartbeats the process will
terminate itself.

Default: 10

SPECIAL SECTIONS
The [sssd] section
Individual pieces of SSSD functionality are provided by special SSSD
services that are started and stopped together with SSSD. The services
are managed by a special service frequently called “monitor”. The
“[sssd]” section is used to configure the monitor as well as some other
important options like the identity domains.

Section parameters

config_file_version (integer)
Indicates the syntax version of the config file. SSSD 0.6.0 and
later use version 2.

services
Comma separated list of services that are started when sssd itself
starts. The services list is optional on platforms where systemd
is supported, as they will either be socket or D-Bus activated when
needed.

Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

By default, all services are disabled and the administrator must
enable the ones allowed to be used by executing: "systemctl enable
sssd-@service@.socket".

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

domains
A domain is a database containing user information. SSSD can use
multiple domains at the same time, but at least one must be configured
or SSSD won't start. This parameter describes the list of domains
in the order you want them to be queried. A domain name is
recommended to contain only alphanumeric ASCII characters, dashes,
dots and underscores. The '/' character is forbidden.

re_expression (string)
Default regular expression that describes how to parse the string
containing user name and domain into these components.

Each domain can have an individual regular expression configured.
For some ID providers there are also default regular expressions.
See DOMAIN SECTIONS for more info on these regular expressions.

full_name_format (string)
A printf(3)-compatible format that describes how to compose a fully
qualified name from user name and domain name components.

The following expansions are supported:

%1$s
user name

%2$s
domain name as specified in the SSSD config file.

%3$s
domain flat name. Mostly usable for Active Directory domains,
either directly configured or discovered via IPA trusts.

Each domain can have an individual format string configured. See
DOMAIN SECTIONS for more info on this option.

monitor_resolv_conf (boolean)
Controls if SSSD should monitor the state of resolv.conf to
identify when it needs to update its internal DNS resolver.

Default: true

try_inotify (boolean)
By default, SSSD will attempt to use inotify to monitor
configuration file changes and will fall back to polling every
five seconds if inotify cannot be used.

There are some limited situations where it is preferred that we
should skip even trying to use inotify. In these rare cases, this
option should be set to 'false'.

Default: true on platforms where inotify is supported. False on
other platforms.

Note: this option will have no effect on platforms where inotify is
unavailable. On these platforms, polling will always be used.

krb5_rcache_dir (string)
Directory on the filesystem where SSSD should store Kerberos replay
cache files.

This option accepts a special value __LIBKRB5_DEFAULTS__ that will
instruct SSSD to let libkrb5 decide the appropriate location for
the replay cache.

Default: Distribution-specific and specified at build-time.
(__LIBKRB5_DEFAULTS__ if not configured)

user (string)
The user to drop the privileges to where appropriate to avoid
running as the root user. This option does not work when running
socket-activated services, as the user set up to run the processes
is set up at compilation time. The way to override the systemd
unit files is by creating the appropriate files in
/etc/systemd/system/. Keep in mind that any change in the socket
user, group or permissions may result in a non-usable SSSD. The
same may occur in case of changes of the user running the NSS
responder.

Default: not set, process will run as root

default_domain_suffix (string)
This string will be used as a default domain name for all names
without a domain name component. The main use case is environments
where the primary domain is intended for managing host policies and
all users are located in a trusted domain. The option allows those
users to log in just with their user name without giving a domain
name as well.

Please note that if this option is set, all users from the primary
domain have to use their fully qualified name, e.g.
user@domain.name, to log in. Setting this option changes the default of
use_fully_qualified_names to True. It is not allowed to use this
option together with use_fully_qualified_names set to False. One
exception from this rule are domains with “id_provider=files” that
always try to match the behaviour of nss_files and therefore their
output is not qualified even when the default_domain_suffix option
is used.

Default: not set

override_space (string)
This parameter will replace spaces with the given character for
user and group names, e.g. “_”. User name "john doe" will be
"john_doe". This feature was added to help compatibility with shell
scripts that have difficulty handling spaces, due to the default
field separator in the shell.

Please note it is a configuration error to use a replacement
character that might be used in user or group names. If a name
contains the replacement character, SSSD tries to return the
unmodified name, but in general the result of a lookup is undefined.

Default: not set (spaces will not be replaced)

certificate_verification (string)
With this parameter the certificate verification can be tuned with
a comma separated list of options. Supported options are:

no_ocsp
Disables Online Certificate Status Protocol (OCSP) checks. This
might be needed if the OCSP servers defined in the certificate
are not reachable from the client.

soft_ocsp
If a connection cannot be established to an OCSP responder, the
OCSP check is skipped. This option should be used to allow
authentication when the system is offline and the OCSP
responder cannot be reached.

ocsp_dgst
Digest (hash) function used to create the certificate ID for
the OCSP request. Allowed values are:

• sha1

• sha256

• sha384

• sha512

Default: sha1 (to allow compatibility with RFC5019-compliant
responders)

no_verification
Disables verification completely. This option should only be
used for testing.

partial_chain
Allow verification to succeed even if a complete chain cannot
be built to a self-signed trust-anchor, provided it is possible
to construct a chain to a trusted certificate that might not be
self-signed.

ocsp_default_responder=URL
Sets the OCSP default responder which should be used instead of
the one mentioned in the certificate. URL must be replaced with
the URL of the OCSP default responder, e.g.
http://example.com:80/ocsp.

ocsp_default_responder_signing_cert=NAME
This option is currently ignored. All needed certificates must
be available in the PEM file given by pam_cert_db_path.

crl_file=/PATH/TO/CRL/FILE
Use the Certificate Revocation List (CRL) from the given file
during the verification of the certificate. The CRL must be
given in PEM format, see crl(1ssl) for details.

soft_crl
If a Certificate Revocation List (CRL) has expired, ignore the
CRL checks for the related certificates. This option should be
used to allow authentication when the system is offline and the
CRL cannot be renewed.

Unknown options are reported but ignored.

Default: not set, i.e. do not restrict certificate verification
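
The option list above, as an added example that is not part of this manual page or of SSSD: a parser for the comma-separated value (flags, key=value options, the ocsp_dgst allowed values, and unknown options reported but ignored) plus a review pass that lists every setting which relaxes verification, so an auditor can confirm each is intended. The review findings are this checker's own judgement, not anything SSSD reports, and the file paths in the tests are constructed.

```python
FLAG_OPTIONS = {"no_ocsp", "soft_ocsp", "no_verification", "partial_chain", "soft_crl"}
VALUE_OPTIONS = {"ocsp_dgst", "ocsp_default_responder",
                 "ocsp_default_responder_signing_cert", "crl_file"}
OCSP_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}


def parse_certificate_verification(value):
    """Split the comma-separated list into (settings, warnings).  settings maps
    each recognised option to True (flags) or to its value; anything else is
    reported in warnings and otherwise ignored, as the text above describes."""
    settings = {"ocsp_dgst": "sha1"}  # documented default digest
    warnings = []
    for raw in (value or "").split(","):
        item = raw.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if name in FLAG_OPTIONS and not sep:
            settings[name] = True
        elif name in VALUE_OPTIONS and sep and val:
            if name == "ocsp_dgst" and val not in OCSP_DIGESTS:
                warnings.append("ocsp_dgst=%s is not an allowed digest; keeping %s"
                                % (val, settings["ocsp_dgst"]))
                continue
            settings[name] = val
        else:
            warnings.append("unknown option ignored: %r" % item)
    return settings, warnings


def review(value):
    """List every way this value relaxes certificate verification (this
    checker's judgement about the documented semantics, not SSSD output)."""
    settings, warnings = parse_certificate_verification(value)
    findings = list(warnings)
    if settings.get("no_verification"):
        findings.append("no_verification: verification is disabled entirely; "
                        "documented as suitable for testing only")
    if settings.get("no_ocsp") and "crl_file" not in settings:
        findings.append("no_ocsp without crl_file: revocation is never checked")
    if settings.get("soft_ocsp") or settings.get("soft_crl"):
        findings.append("soft_ocsp/soft_crl: revocation checks are skipped while "
                        "the responder or CRL is unavailable")
    if settings.get("partial_chain"):
        findings.append("partial_chain: a chain need not reach a self-signed anchor")
    if "ocsp_default_responder_signing_cert" in settings:
        findings.append("ocsp_default_responder_signing_cert is currently ignored")
    return findings


if __name__ == "__main__":
    for sample in ("no_ocsp, crl_file=/etc/pki/tls/crl.pem",
                   "no_verification", "ocsp_dgst=md5, bogus"):
        print(sample, "->", review(sample) or ["no findings"])
```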

disable_netlink (boolean)
SSSD hooks into the netlink interface to monitor changes to routes,
addresses and links, and to trigger certain actions.

The SSSD state changes caused by netlink events may be undesirable
and can be disabled by setting this option to 'true'.

Default: false (netlink changes are detected)

enable_files_domain (boolean)
When this option is enabled, SSSD prepends an implicit domain with
“id_provider=files” before any explicitly configured domains.

Default: true

domain_resolution_order
Comma separated list of domains and subdomains representing the
lookup order that will be followed. The list doesn't have to
include all possible domains, as the missing domains will be looked
up based on the order they're presented in the “domains”
configuration option. The subdomains which are not listed as part
of “lookup_order” will be looked up in a random order for each
parent domain.

Please note that when this option is set, the output format of all
commands is always fully-qualified even when using short names for
input, for all users but the ones managed by the files provider. In
case the administrator wants the output not fully-qualified, the
full_name_format option can be used as shown below:
“full_name_format=%1$s”
However, keep in mind that during login, login applications often
canonicalize the username by calling getpwnam(3). If a short name is
returned for a qualified input (while trying to reach a user which
exists in multiple domains), this might re-route the login attempt
into the domain which uses short names, so this workaround is not
recommended at all in cases where usernames may overlap between
domains.

Default: Not set

SERVICES SECTIONS
Settings that can be used to configure different services are described
in this section. They should reside in the [$NAME] section; for
example, for the NSS service, the section would be “[nss]”.

General service configuration options
These options can be used to configure any service.

reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up.

Default: 3

fd_limit
This option specifies the maximum number of file descriptors that
may be opened at one time by this SSSD process. On systems where
SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this capability, the resulting
value will be the lower value of this or the limits.conf "hard"
limit.

Default: 8192 (or limits.conf "hard" limit)

client_idle_timeout
This option specifies the number of seconds that a client of an
SSSD process can hold onto a file descriptor without communicating
on it. This value is limited in order to avoid resource exhaustion
on the system. The timeout can't be shorter than 10 seconds. If a
lower value is configured, it will be adjusted to 10 seconds.

Default: 60, KCM: 300

offline_timeout (integer)
When SSSD switches to offline mode, the amount of time before it
tries to go back online will increase based upon the time spent
disconnected. By default SSSD uses incremental behaviour to
calculate the delay between retries, so the wait time for a given
retry will be longer than the wait time for the previous ones.
After each unsuccessful attempt to go online, the new interval is
recalculated as follows:

new_delay = Minimum(old_delay * 2, offline_timeout_max) +
random[0...offline_timeout_random_offset]

The offline_timeout default value is 60. The offline_timeout_max
default value is 3600. The offline_timeout_random_offset default
value is 30. The end result is the number of seconds before the next
retry.

Note that the maximum length of each interval is defined by
offline_timeout_max (apart from the random part).

Default: 60

offline_timeout_max (integer)
Controls by how much the time between attempts to go online can be
incremented following unsuccessful attempts to go online.

A value of 0 disables the incrementing behaviour.

The value of this parameter should be set in correlation to the
offline_timeout parameter value.

With offline_timeout set to 60 (default value) there is no point in
setting offline_timeout_max to less than 120 as it will saturate
instantly. The general rule here should be to set offline_timeout_max
to at least 4 times offline_timeout.

Although a value between 0 and offline_timeout may be specified, it
has the effect of overriding the offline_timeout value, so it is of
little use.

Default: 3600

offline_timeout_random_offset (integer)
When SSSD is in offline mode it keeps probing backend servers in
specified time intervals:

new_delay = Minimum(old_delay * 2, offline_timeout_max) +
random[0...offline_timeout_random_offset]

This parameter controls the value of the random offset used in the
above equation. The final random offset will be a random number in
the range:

[0 - offline_timeout_random_offset]

A value of 0 disables the random offset addition.

Default: 30
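
The backoff formula shared by offline_timeout, offline_timeout_max and offline_timeout_random_offset, carried through as an added example (not part of this manual page or of SSSD): it generates the retry schedule for a given configuration and counts how many failures it takes to saturate at offline_timeout_max, which is what makes the "at least 4 times offline_timeout" rule above concrete. Two assumptions not stated on the page: the first wait is offline_timeout itself, and offline_timeout_max = 0 is modelled as "the delay stays at offline_timeout" rather than applying the formula literally.

```python
import random


def next_delay(old_delay, offline_timeout, offline_timeout_max, random_offset, rng):
    """One step of
    new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...random_offset]
    offline_timeout_max = 0 disables incrementing: the base stays at
    offline_timeout (this helper's reading of 'disables the incrementing behaviour')."""
    if offline_timeout_max == 0:
        base = offline_timeout
    else:
        base = min(old_delay * 2, offline_timeout_max)
    jitter = rng.randint(0, random_offset) if random_offset > 0 else 0
    return base + jitter


def retry_schedule(attempts, offline_timeout=60, offline_timeout_max=3600,
                   random_offset=30, seed=None):
    """Delays (seconds) before each successive retry while SSSD stays offline.
    Defaults are the documented ones; seed makes the jitter reproducible."""
    rng = random.Random(seed)
    delays = []
    delay = offline_timeout          # assumption: first wait is offline_timeout itself
    for _ in range(attempts):
        delays.append(delay)
        delay = next_delay(delay, offline_timeout, offline_timeout_max, random_offset, rng)
    return delays


def attempts_until_saturated(offline_timeout, offline_timeout_max):
    """Failed attempts until the doubling reaches offline_timeout_max (jitter
    ignored).  60/120 saturates after a single failure, which is why the
    text recommends offline_timeout_max >= 4 * offline_timeout.  None when
    offline_timeout_max = 0 (no incrementing at all)."""
    if offline_timeout_max == 0:
        return None
    n, delay = 0, offline_timeout
    while delay < offline_timeout_max:
        delay = min(delay * 2, offline_timeout_max)
        n += 1
    return n


if __name__ == "__main__":
    print("defaults, no jitter:", retry_schedule(8, random_offset=0))
    print("defaults, seeded jitter:", retry_schedule(8, seed=1))
    print("max=120 saturates after", attempts_until_saturated(60, 120), "failure(s)")
```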

responder_idle_timeout
This option specifies the number of seconds that an SSSD responder
process can be up without being used. This value is limited in
order to avoid resource exhaustion on the system. The minimum
acceptable value for this option is 60 seconds. Setting this option
to 0 (zero) means that no timeout will be set up for the responder.
This option only has effect when SSSD is built with systemd support
and when services are either socket or D-Bus activated.

Default: 300

cache_first
This option specifies whether the responder should query all caches
before querying the Data Providers.

Default: false

NSS configuration options
These options can be used to configure the Name Service Switch (NSS)
service.

enum_cache_timeout (integer)
How many seconds nss_sss should cache enumerations (requests for
info about all users).

Default: 120

entry_cache_nowait_percentage (integer)
The entry cache can be set to automatically update entries in the
background if they are requested beyond a percentage of the
entry_cache_timeout value for the domain.

For example, if the domain's entry_cache_timeout is set to 30s and
entry_cache_nowait_percentage is set to 50 (percent), entries that
come in after 15 seconds past the last cache update will be
returned immediately, but the SSSD will go and update the cache on
its own, so that future requests will not need to block waiting for
a cache update.

Valid values for this option are 0-99 and represent a percentage of
the entry_cache_timeout for each domain. For performance reasons,
this percentage will never reduce the nowait timeout to less than
10 seconds. (0 disables this feature)

Default: 50

entry_negative_timeout (integer)
Specifies for how many seconds nss_sss should cache negative cache
hits (that is, queries for invalid database entries, like
nonexistent ones) before asking the back end again.

Default: 15

local_negative_timeout (integer)
Specifies for how many seconds nss_sss should keep local users and
groups in the negative cache before trying to look them up in the
back end again. Setting the option to 0 disables this feature.

Default: 14400 (4 hours)

filter_users, filter_groups (string)
Exclude certain users or groups from being fetched from the sss NSS
database. This is particularly useful for system accounts. This
option can also be set per-domain or include fully-qualified names
to filter only users from the particular domain or by a user
principal name (UPN).

NOTE: The filter_groups option doesn't affect inheritance of nested
group members, since filtering happens after they are propagated
for returning via NSS. E.g. a group having a member group filtered
out will still have the member users of the latter listed.

Default: root

filter_users_in_groups (bool)
If you want filtered users to still be group members, set this
option to false.

Default: true

override_homedir (string)
Override the user's home directory. You can either provide an
absolute value or a template. In the template, the following
sequences are substituted:

%u
login name

%U
UID number

%d
domain name

%f
fully qualified user name (user@domain)

%l
The first letter of the login name.

%P
UPN - User Principal Name (name@REALM)

%o
The original home directory retrieved from the identity
provider.

%H
The value of the configuration option homedir_substring.

%%
a literal '%'

This option can also be set per-domain.

example:

override_homedir = /home/%u

Default: Not set (SSSD will use the value retrieved from LDAP)

Please note, the home directory from a specific override for the
user, either locally (see sss_override(8)) or centrally managed IPA
id-overrides, has a higher precedence and will be used instead of
the value given by override_homedir.

homedir_substring (string)
The value of this option will be used in the expansion of the
override_homedir option if the template contains the format string
%H. An LDAP directory entry can directly contain this template so
that this option can be used to expand the home directory path for
each client machine (or operating system). It can be set per-domain
or globally in the [nss] section. A value specified in a domain
section will override one set in the [nss] section.

Default: /home
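
The template sequences of override_homedir and the %H expansion from homedir_substring, worked through as an added example that is not part of this manual page or of SSSD: an expander for every documented sequence, plus the precedence described above (per-user override, then override_homedir, then the provider's value, then fallback_homedir). The user record is a constructed dict, not SSSD's internal structure, and raising on an unknown %-sequence is this helper's choice since the page does not say what SSSD does with one.

```python
import re

TEMPLATE_RE = re.compile(r"%(.)")


def expand_homedir(template, user, homedir_substring="/home"):
    """Expand an override_homedir / fallback_homedir template.  user carries
    what an identity provider would return: name, uid, domain, upn,
    orig_homedir (constructed example fields)."""
    subs = {
        "u": user["name"],
        "U": str(user["uid"]),
        "d": user["domain"],
        "f": "%s@%s" % (user["name"], user["domain"]),
        "l": user["name"][:1],
        "P": user.get("upn", ""),
        "o": user.get("orig_homedir", ""),
        "H": homedir_substring,
        "%": "%",
    }

    def repl(match):
        key = match.group(1)
        if key not in subs:
            raise ValueError("unknown template sequence %%%s" % key)
        return subs[key]

    return TEMPLATE_RE.sub(repl, template)


def effective_homedir(user, override_homedir=None, fallback_homedir=None,
                      homedir_substring="/home"):
    """Precedence as described above.  A per-user override (sss_override or an
    IPA id-override) is represented here as user['override']; it beats
    override_homedir, which beats the provider's value, which beats
    fallback_homedir.  Returns None when nothing applies."""
    if user.get("override"):
        return user["override"]
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.get("orig_homedir"):
        return user["orig_homedir"]
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None


if __name__ == "__main__":
    # Constructed sample user, not real directory data.
    sample = {"name": "jdoe", "uid": 1001, "domain": "example.com",
              "upn": "jdoe@EXAMPLE.COM", "orig_homedir": "/export/home/jdoe"}
    for tpl in ("/home/%u", "%H/%d/%l/%u", "%o", "/nfs/%f/100%%"):
        print("%-16s -> %s" % (tpl, expand_homedir(tpl, sample)))
```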

fallback_homedir (string)
Set a default template for a user's home directory if one is not
specified explicitly by the domain's data provider.

The available values for this option are the same as for
override_homedir.

example:

fallback_homedir = /home/%u

Default: not set (no substitution for unset home directories)

override_shell (string)
Override the login shell for all users. This option supersedes any
other shell options if it takes effect and can be set either in the
[nss] section or per-domain.

Default: not set (SSSD will use the value retrieved from LDAP)

allowed_shells (string)
Restrict user shell to one of the listed values. The order of
evaluation is:

1. If the shell is present in “/etc/shells”, it is used.

2. If the shell is in the allowed_shells list but not in
“/etc/shells”, use the value of the shell_fallback parameter.

3. If the shell is not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.

The wildcard (*) can be used to allow any shell.

The (*) is useful if you want to use shell_fallback in case the
user's shell is not in “/etc/shells” and maintaining a list of all
allowed shells in allowed_shells would be too much overhead.

An empty string for shell is passed as-is to libc.

“/etc/shells” is only read at SSSD startup, which means that a
restart of SSSD is required in case a new shell is installed.

Default: Not set. The user shell is automatically used.

vetoed_shells (string)
Replace any instance of these shells with the shell_fallback.

shell_fallback (string)
The default shell to use if an allowed shell is not installed on
the machine.

Default: /bin/sh

default_shell
The default shell to use if the provider does not return one during
lookup. This option can be specified globally in the [nss] section
or per-domain.

Default: not set (Return NULL if no shell is specified and rely on
libc to substitute something sensible when necessary, usually
/bin/sh)
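
The shell options above (override_shell, allowed_shells, vetoed_shells, shell_fallback and default_shell), combined into one resolver as an added example that is not part of this manual page or of SSSD. It follows the three-step order given for allowed_shells; two details the page does not state are assumptions here: vetoed_shells is checked before the /etc/shells lookup, and the nologin path ("/sbin/nologin") is a distribution-specific placeholder. The /etc/shells contents in the tests are constructed.

```python
def parse_etc_shells(text):
    """Parse the contents of /etc/shells.  Blank lines and '#' comments are
    skipped.  SSSD reads the real file only at startup; here the text is
    passed in so the example runs offline."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def resolve_shell(provider_shell, etc_shells, allowed_shells=None, vetoed_shells=(),
                  shell_fallback="/bin/sh", default_shell=None, override_shell=None,
                  nologin="/sbin/nologin"):
    """Return the shell NSS would hand to libc for one user.
    provider_shell is None when the provider returned no shell, '' when it
    returned an empty string.  allowed_shells=None means the option is unset."""
    if override_shell:                       # override_shell supersedes everything
        return override_shell
    if provider_shell is None:               # no shell from the provider: default_shell,
        return default_shell                 # or None so libc substitutes one
    if provider_shell == "":                 # empty string is passed to libc as-is
        return ""
    if provider_shell in vetoed_shells:      # vetoed: replaced by shell_fallback (assumed
        return shell_fallback                # to apply before the /etc/shells lookup)
    if allowed_shells is None:               # allowed_shells not set: no restriction
        return provider_shell
    if provider_shell in etc_shells:         # 1. installed, i.e. listed in /etc/shells
        return provider_shell
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback                # 2. allowed but not installed
    return nologin                           # 3. neither allowed nor installed


if __name__ == "__main__":
    installed = parse_etc_shells("# constructed /etc/shells\n/bin/sh\n/bin/bash\n/usr/bin/zsh\n")
    for shell in ("/bin/bash", "/usr/bin/fish", "/usr/bin/tcsh", "", None):
        print(repr(shell), "->", repr(resolve_shell(shell, installed,
                                                    allowed_shells={"/usr/bin/fish"},
                                                    default_shell="/bin/bash")))
```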

get_domains_timeout (int)
Specifies time in seconds for which the list of subdomains will be
considered valid.

Default: 60

memcache_timeout (integer)
Specifies time in seconds for which records in the in-memory cache
will be valid. Setting this option to zero will disable the
in-memory cache.

Default: 300

WARNING: Disabling the in-memory cache will have significant
negative impact on SSSD's performance and should only be used for
testing.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_passwd (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for passwd requests. Setting the size to 0 will
disable the passwd in-memory cache.

Default: 8

WARNING: A disabled or too small in-memory cache can have significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_group (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for group requests. Setting the size to 0 will
disable the group in-memory cache.

Default: 6

WARNING: A disabled or too small in-memory cache can have significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

memcache_size_initgroups (integer)
Size (in megabytes) of the data table allocated inside the fast
in-memory cache for initgroups requests. Setting the size to 0 will
disable the initgroups in-memory cache.

Default: 10

WARNING: A disabled or too small in-memory cache can have significant
negative impact on SSSD's performance.

NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
"NO", client applications will not use the fast in-memory cache.

user_attributes (string)
Some of the additional NSS responder requests can return more
attributes than just the POSIX ones defined by the NSS interface.
The list of attributes is controlled by this option. It is handled
the same way as the “user_attributes” option of the InfoPipe
responder (see sssd-ifp(5) for details) but with no default values.

To make configuration easier, the NSS responder will check the
InfoPipe option if it is not set for the NSS responder.

Default: not set, fallback to InfoPipe option

pwfield (string)
The value that NSS operations that return users or groups will
return for the “password” field.

Default: “*”

Note: This option can also be set per-domain, which overwrites the
value in the [nss] section.

Default (per-domain): “not set” (remote domains), “x” (the files
domain), “x” (proxy domain with nss_files and sssd-shadowutils target)

PAM configuration options
These options can be used to configure the Pluggable Authentication
Module (PAM) service.

offline_credentials_expiration (integer)
If the authentication provider is offline, how long should we allow
cached logins (in days since the last successful online login).

Default: 0 (No limit)

offline_failed_login_attempts (integer)
If the authentication provider is offline, how many failed login
attempts are allowed.

Default: 0 (No limit)

offline_failed_login_delay (integer)
The time in minutes which has to pass after
offline_failed_login_attempts has been reached before a new login
attempt is possible.

If set to 0 the user cannot authenticate offline if
offline_failed_login_attempts has been reached. Only a successful
online authentication can enable offline authentication again.

Default: 5

pam_verbosity (integer)
Controls what kind of messages are shown to the user during
authentication. The higher the number, the more messages are
displayed.

Currently sssd supports the following values:

0: do not show any message

1: show only important messages

2: show informational messages

3: show all messages and debug information

Default: 1

pam_response_filter (string)
A comma separated list of strings which allows removing (filtering)
data sent by the PAM responder to the pam_sss PAM module. There are
different kinds of responses sent to pam_sss, e.g. messages displayed
to the user or environment variables which should be set by
pam_sss.

While messages can already be controlled with the help of the
pam_verbosity option, this option allows filtering out other kinds of
responses as well.

Currently the following filters are supported:

ENV
Do not send any environment variables to any service.

ENV:var_name
Do not send environment variable var_name to any service.

ENV:var_name:service
Do not send environment variable var_name to service.

Default: not set

Example: ENV:KRB5CCNAME:sudo-i
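
The three filter forms, as an added example that is not part of this manual page or of SSSD: a parser for the comma-separated list and the decision of whether a given environment variable may be sent to a given PAM service, run against the documented ENV:KRB5CCNAME:sudo-i example. Treating an unsupported entry as ignored is this parser's choice; the page only lists the supported forms. The environment in the tests is constructed.

```python
def parse_pam_response_filter(value):
    """Parse pam_response_filter into a set of (var_name, service) rules, where
    None stands for 'any'.  Entries that are not one of the three supported
    ENV forms are returned separately as ignored (this parser's choice)."""
    rules, ignored = set(), []
    for raw in (value or "").split(","):
        item = raw.strip()
        if not item:
            continue
        parts = item.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or any(p == "" for p in parts[1:]):
            ignored.append(item)
            continue
        var_name = parts[1] if len(parts) > 1 else None   # ENV          -> (None, None)
        service = parts[2] if len(parts) > 2 else None    # ENV:var      -> (var, None)
        rules.add((var_name, service))                    # ENV:var:svc  -> (var, svc)
    return rules, ignored


def env_allowed(rules, var_name, service):
    """True if the PAM responder may send var_name to the named PAM service."""
    for rule_var, rule_service in rules:
        if (rule_var is None or rule_var == var_name) and \
           (rule_service is None or rule_service == service):
            return False
    return True


def filter_env(rules, env, service):
    """Apply the rules to a whole environment mapping for one service."""
    return {name: value for name, value in env.items()
            if env_allowed(rules, name, service)}


if __name__ == "__main__":
    rules, ignored = parse_pam_response_filter("ENV:KRB5CCNAME:sudo-i")
    # Constructed environment values, not a real credential cache.
    env = {"KRB5CCNAME": "KEYRING:persistent:1000", "LANG": "C.UTF-8"}
    for service in ("sudo-i", "sshd"):
        print(service, "->", filter_env(rules, env, service))
```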

pam_id_timeout (integer)
For any PAM request while SSSD is online, SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.

A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.

Default: 5

pam_pwd_expiration_warning (integer)
Display a warning N days before the password expires.

Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning.

If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from the backend server, it will
automatically be displayed.

This setting can be overridden by setting pwd_expiration_warning
for a particular domain.

Default: 0

get_domains_timeout (integer)
Specifies the time in seconds for which the list of subdomains will be
considered valid.

Default: 60

pam_trusted_users (string)
Specifies the comma-separated list of UID values or user names that
are allowed to run PAM conversations against trusted domains. Users
not included in this list can only access domains marked as public
with “pam_public_domains”. User names are resolved to UIDs at
startup.

Default: All users are considered trusted by default

Please note that UID 0 is always allowed to access the PAM
responder even in case it is not in the pam_trusted_users list.

pam_public_domains (string)
Specifies the comma-separated list of domain names that are
accessible even to untrusted users.

Two special values for the pam_public_domains option are defined:

all (Untrusted users are allowed to access all domains in the PAM
responder.)

none (Untrusted users are not allowed to access any domains in the
PAM responder.)

Default: none
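
How pam_trusted_users and pam_public_domains combine into one access decision, as an added example (not SSSD's code): UID 0 always passes, trusted users reach every domain, and everyone else reaches only public domains. The name-to-UID table is a constructed stand-in for the name resolution SSSD does at startup.

```python
"""Added example: the PAM responder's trusted-user / public-domain gate.

Not SSSD's implementation; FAKE_PASSWD replaces real user lookups and the
decision function is a model of the rules stated in sssd.conf(5).
"""
from typing import Optional, Set, Union

# Constructed stand-in for resolving user names to UIDs at startup.
FAKE_PASSWD = {"root": 0, "alice": 1000, "svc-backup": 1500}


def resolve_trusted_users(option: Optional[str]) -> Optional[Set[int]]:
    """Return the set of trusted UIDs, or None when the option is unset.

    None models the default: every user is trusted. A name that cannot be
    resolved raises, because silently skipping it would widen or narrow the
    trusted set without anyone noticing."""
    if option is None or not option.strip():
        return None
    uids: Set[int] = set()
    for item in option.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in FAKE_PASSWD:
            uids.add(FAKE_PASSWD[item])
        else:
            raise ValueError(f"cannot resolve pam_trusted_users entry {item!r}")
    return uids


def parse_public_domains(option: Optional[str]) -> Union[str, Set[str]]:
    """Return the literal 'all', or the set of public domain names.

    'none' (the default) and an empty value both yield an empty set."""
    if option is None:
        return set()
    value = option.strip()
    if value in ("", "none"):
        return set()
    if value == "all":
        return "all"
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_request_allowed(client_uid: int, domain: str,
                        trusted_users: Optional[str] = None,
                        public_domains: Optional[str] = None) -> bool:
    """Decide whether a PAM client running as client_uid may talk to domain."""
    # UID 0 is always allowed, even when it is absent from pam_trusted_users.
    if client_uid == 0:
        return True
    trusted = resolve_trusted_users(trusted_users)
    if trusted is None or client_uid in trusted:
        return True
    # Untrusted callers only reach domains marked public.
    public = parse_public_domains(public_domains)
    return public == "all" or domain in public


if __name__ == "__main__":
    # A locked-down configuration: only alice (and root) may reach corp.example.
    print(pam_request_allowed(1500, "corp.example", "alice", "none"))
```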

pam_account_expired_message (string)
Allows a custom expiration message to be set, replacing the default
'Permission denied' message.

Note: Please be aware that the message is only printed for the SSH
service unless pam_verbosity is set to 3 (show all messages and
debug information).

example:

pam_account_expired_message = Account expired, please contact help desk.

Default: none

pam_account_locked_message (string)
Allows a custom lockout message to be set, replacing the default
'Permission denied' message.

example:

pam_account_locked_message = Account locked, please contact help desk.

Default: none

pam_cert_auth (bool)
Enable certificate based Smartcard authentication. Since this
requires additional communication with the Smartcard, which will
delay the authentication process, this option is disabled by
default.

Default: False

pam_cert_db_path (string)
The path to the certificate database.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)

pam_cert_verification (string)
With this parameter the PAM certificate verification can be tuned
with a comma separated list of options that override the
“certificate_verification” value in the “[sssd]” section. Supported
options are the same as for “certificate_verification”.

example:

pam_cert_verification = partial_chain

Default: not set, i.e. use the default “certificate_verification”
option defined in the “[sssd]” section.

p11_child_timeout (integer)
How many seconds pam_sss will wait for p11_child to finish.

Default: 10

pam_app_services (string)
Which PAM services are permitted to contact domains of type
“application”.

Default: Not set

pam_p11_allowed_services (string)
A comma-separated list of PAM service names for which it will be
allowed to use Smartcards.

It is possible to add another PAM service name to the default set
by using “+service_name” or to explicitly remove a PAM service name
from the default set by using “-service_name”. For example, in
order to replace a default PAM service name for authentication with
Smartcards (e.g. “login”) with a custom PAM service name (e.g.
“my_pam_service”), you would use the following configuration:

pam_p11_allowed_services = +my_pam_service, -login

Default: the default set of PAM service names includes:

• login

• su

• su-l

• gdm-smartcard

• gdm-password

• kdm

• sudo

• sudo-i

• gnome-screensaver
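
The “+service_name” / “-service_name” editing of the default set, worked through as an added example (not SSSD's code): the default list above is the starting point, modifiers add to or remove from it, and the resulting list is what a service name is checked against. Two details are assumptions for the model: a list without any +/- prefix replaces the default set entirely, and mixing plain names with modifiers is rejected as an error.

```python
"""Added example: computing the effective pam_p11_allowed_services set.

Not SSSD's implementation. Assumptions: a value made only of +/- modifiers
edits the default set; a value with no modifiers replaces it; a mix of the
two is treated as a configuration error.
"""
from typing import List, Optional

# The default set of PAM service names listed in sssd.conf(5).
DEFAULT_P11_SERVICES = (
    "login", "su", "su-l", "gdm-smartcard", "gdm-password",
    "kdm", "sudo", "sudo-i", "gnome-screensaver",
)


def effective_p11_services(option: Optional[str]) -> List[str]:
    """Return the PAM service names allowed to use Smartcards."""
    if option is None or not option.strip():
        return list(DEFAULT_P11_SERVICES)

    items = [i.strip() for i in option.split(",") if i.strip()]
    modifiers = [i for i in items if i[0] in "+-"]
    if modifiers and len(modifiers) != len(items):
        raise ValueError("pam_p11_allowed_services mixes plain names with +/- modifiers")
    if not modifiers:
        # Assumption: a plain list replaces the default set.
        return items

    result = list(DEFAULT_P11_SERVICES)
    for item in items:
        name = item[1:].strip()
        if not name:
            raise ValueError(f"empty service name in {item!r}")
        if item[0] == "+":
            if name not in result:
                result.append(name)
        elif name in result:
            result.remove(name)
    return result


def is_valid_p11_services(option: Optional[str]) -> bool:
    """True if the option value is accepted by effective_p11_services()."""
    try:
        effective_p11_services(option)
        return True
    except ValueError:
        return False


def smartcard_allowed(service: str, option: Optional[str]) -> bool:
    """Would the PAM responder let this PAM service attempt Smartcard auth?"""
    return service in effective_p11_services(option)


if __name__ == "__main__":
    # The man page example: swap the default 'login' for a custom service.
    print(effective_p11_services("+my_pam_service, -login"))
```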

p11_wait_for_card_timeout (integer)
If Smartcard authentication is required, how many extra seconds in
addition to p11_child_timeout the PAM responder should wait until a
Smartcard is inserted.

Default: 60

p11_uri (string)
PKCS#11 URI (see RFC-7512 for details) which can be used to
restrict the selection of devices used for Smartcard
authentication. By default SSSD's p11_child will search for a
PKCS#11 slot (reader) where the 'removable' flag is set and read
the certificates from the inserted token from the first slot found.
If multiple readers are connected, p11_uri can be used to tell
p11_child to use a specific reader.

Example:

p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader

or

p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2

To find a suitable URI please check the debug output of p11_child. As
an alternative, the GnuTLS utility 'p11tool' with e.g. the
'--list-all' option will show PKCS#11 URIs as well.

Default: none

pam_initgroups_scheme
The PAM responder can force an online lookup to get the current
group memberships of the user trying to log in. This option
controls when this should be done and the following values are
allowed:

always
Always do an online lookup; please note that pam_id_timeout
still applies

no_session
Only do an online lookup if there is no active session of the
user, i.e. if the user is currently not logged in

never
Never force an online lookup, use the data from the cache as
long as they are not expired

Default: no_session

pam_gssapi_services
Comma separated list of PAM services that are allowed to try GSSAPI
authentication using the pam_sss_gss.so module.

To disable GSSAPI authentication, set this option to “-” (dash).

Note: This option can also be set per-domain, which overwrites the
value in the [pam] section. It can also be set for a trusted domain,
which overwrites the value in the domain section.

Example:

pam_gssapi_services = sudo, sudo-i

Default: - (GSSAPI authentication is disabled)

pam_gssapi_check_upn
If True, SSSD will require that the Kerberos user principal that
successfully authenticated through GSSAPI can be associated with
the user who is being authenticated. Authentication will fail if
the check fails.

If False, every user that is able to obtain the required service
ticket will be authenticated.

Note: This option can also be set per-domain, which overwrites the
value in the [pam] section. It can also be set for a trusted domain,
which overwrites the value in the domain section.

Default: True

pam_gssapi_indicators_map
Comma separated list of authentication indicators required to be
present in a Kerberos ticket to access a PAM service that is
allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Each element of the list can be either an authentication indicator
name or a pair “service:indicator”. Indicators not prefixed with
a PAM service name will be required to access any PAM service
configured to be used with pam_gssapi_services. The resulting list of
indicators per PAM service is then checked against the indicators in
the Kerberos ticket during authentication by pam_sss_gss.so. Any
indicator from the ticket that matches the resulting list of
indicators for the PAM service grants access. If none of the
indicators in the list match, access will be denied. If the
resulting list of indicators for the PAM service is empty, the
check will not prevent access.

To disable the GSSAPI authentication indicator check, set this option
to “-” (dash). To disable the check for a specific PAM service, add
“service:-”.

Note: This option can also be set per-domain, which overwrites the
value in the [pam] section. It can also be set for a trusted domain,
which overwrites the value in the domain section.

The following authentication indicators are supported by IPA Kerberos
deployments:

• pkinit -- pre-authentication using X.509 certificates --
whether stored in files or on smart cards.

• hardened -- SPAKE pre-authentication or any pre-authentication
wrapped in a FAST channel.

• radius -- pre-authentication with the help of a RADIUS server.

• otp -- pre-authentication using integrated two-factor
authentication (2FA or one-time password, OTP) in IPA.

Example: to allow access to SUDO services only for users who
obtained their Kerberos tickets with X.509 certificate
pre-authentication (PKINIT), set

pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit

Default: not set (use of authentication indicators is not required)
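
The indicator check described above, as an added example (not the pam_sss_gss.so implementation): the map is parsed into global and per-service required indicators, “-” and “service:-” disable the check globally or per service, and a ticket passes when any of its indicators is in the service's required list, or when that list is empty. One assumption: a “service:-” entry disables the check for that service regardless of where it appears in the list.

```python
"""Added example: evaluating pam_gssapi_indicators_map against a ticket.

Not SSSD's code. Models the rules from sssd.conf(5): unprefixed indicators
apply to every service, 'service:indicator' to one service, '-' disables the
check entirely and 'service:-' disables it for that service (assumed to win
over other entries for the same service, whatever the order).
"""
from typing import Dict, List, Optional, Tuple

# (global_required, per_service); per_service[svc] is None when disabled.
ParsedMap = Tuple[List[str], Dict[str, Optional[List[str]]]]


def parse_indicators_map(option: Optional[str]) -> Optional[ParsedMap]:
    """Parse the option value. Returns None when the whole check is disabled."""
    if option is None or not option.strip():
        return [], {}
    value = option.strip()
    if value == "-":
        return None
    global_required: List[str] = []
    per_service: Dict[str, Optional[List[str]]] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            global_required.append(item)
            continue
        service, indicator = (p.strip() for p in item.split(":", 1))
        if not service or not indicator:
            raise ValueError(f"malformed pam_gssapi_indicators_map entry {item!r}")
        if indicator == "-":
            per_service[service] = None          # check disabled for this service
        elif per_service.get(service, []) is not None:
            per_service.setdefault(service, []).append(indicator)
    return global_required, per_service


def required_indicators(service: str, option: Optional[str]) -> List[str]:
    """The indicators that grant access to `service`; empty means no check."""
    parsed = parse_indicators_map(option)
    if parsed is None:
        return []
    global_required, per_service = parsed
    if service in per_service and per_service[service] is None:
        return []
    return global_required + (per_service.get(service) or [])


def gssapi_indicator_check(service: str, ticket_indicators: List[str],
                           option: Optional[str]) -> bool:
    """True if a ticket carrying ticket_indicators may access `service`."""
    required = required_indicators(service, option)
    if not required:
        return True          # empty list: the check does not prevent access
    return any(ind in required for ind in ticket_indicators)


if __name__ == "__main__":
    # The man page example: sudo only for PKINIT-obtained tickets.
    policy = "sudo:pkinit, sudo-i:pkinit"
    print(gssapi_indicator_check("sudo", ["pkinit"], policy),
          gssapi_indicator_check("sudo", ["hardened"], policy))
```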

SUDO configuration options
These options can be used to configure the sudo service. The detailed
instructions for configuration of sudo(8) to work with sssd(8) are in
the manual page sssd-sudo(5).

sudo_timed (bool)
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.

Default: false

sudo_threshold (integer)
Maximum number of expired rules that can be refreshed at once. If
the number of expired rules is below the threshold, those rules are
refreshed with the “rules refresh” mechanism. If the threshold is
exceeded, a “full refresh” of sudo rules is triggered instead. This
threshold number also applies to IPA sudo command and command group
searches.

Default: 50

AUTOFS configuration options
These options can be used to configure the autofs service.

autofs_negative_timeout (integer)
Specifies for how many seconds the autofs responder should keep
negative cache hits (that is, queries for invalid map entries, like
nonexistent ones) before asking the back end again.

Default: 15

Please note that the automounter only reads the master map on startup,
so if any autofs-related changes are made to sssd.conf, you
typically also need to restart the automounter daemon after restarting
SSSD.

SSH configuration options
These options can be used to configure the SSH service.

ssh_hash_known_hosts (bool)
Whether or not to hash host names and addresses in the managed
known_hosts file.

Default: true

ssh_known_hosts_timeout (integer)
How many seconds to keep a host in the managed known_hosts file
after its host keys were requested.

Default: 180

ssh_use_certificate_keys (bool)
If set to true, sss_ssh_authorizedkeys will also return ssh keys
derived from the public key of X.509 certificates stored in the
user entry. See sss_ssh_authorizedkeys(1) for details.

Default: true

ssh_use_certificate_matching_rules (string)
By default the ssh responder will use all available certificate
matching rules to filter the certificates so that ssh keys are only
derived from the matching ones. With this option the rules used can
be restricted with a comma separated list of mapping and matching
rule names. All other rules will be ignored.

There are two special key words, 'all_rules' and 'no_rules', which
will enable all or no rules, respectively. The latter means that no
certificates will be filtered out and ssh keys will be generated
from all valid certificates.

If no rules are configured, using 'all_rules' will enable a default
rule which enables all certificates suitable for client
authentication. This is the same behavior as for the PAM responder
if certificate authentication is enabled.

A non-existing rule name is considered an error. If, as a result, no
rule is selected, all certificates will be ignored.

Default: not set, equivalent to 'all_rules'; all found rules or the
default rule are used

ca_db (string)
Path to a storage of trusted CA certificates. The option is used to
validate user certificates before deriving public ssh keys from
them.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)

PAC responder configuration options
The PAC responder works together with the authorization data plugin for
MIT Kerberos, sssd_pac_plugin.so, and a sub-domain provider. The plugin
sends the PAC data during a GSSAPI authentication to the PAC responder.
The sub-domain provider collects the domain SID and ID ranges of the domain
the client is joined to and of remote trusted domains from the local
domain controller. If the PAC is decoded and evaluated, some of the
following operations are done:

• If the remote user does not exist in the cache, it is created. The
UID is determined with the help of the SID; trusted domains will
have UPGs and the GID will have the same value as the UID. The home
directory is set based on the subdomain_homedir parameter. The
shell will be empty by default, i.e. the system defaults are used,
but can be overwritten with the default_shell parameter.

• If there are SIDs of groups from domains sssd knows about, the user
will be added to those groups.

These options can be used to configure the PAC responder.

allowed_uids (string)
Specifies the comma-separated list of UID values or user names that
are allowed to access the PAC responder. User names are resolved to
UIDs at startup.

Default: 0 (only the root user is allowed to access the PAC
responder)

Please note that although UID 0 is used as the default, it will
be overwritten with this option. If you still want to allow the
root user to access the PAC responder, which would be the typical
case, you have to add 0 to the list of allowed UIDs as well.

pac_lifetime (integer)
Lifetime of the PAC entry in seconds. As long as the PAC is valid,
the PAC data can be used to determine the group memberships of a
user.

Default: 300

Session recording configuration options
Session recording works in conjunction with tlog-rec-session(8), a part
of the tlog package, to log what users see and type when they log in on a
text terminal. See also sssd-session-recording(5).

These options can be used to configure session recording.

scope (string)
One of the following strings specifying the scope of session
recording:

"none"
No users are recorded.

"some"
Users/groups specified by the users and groups options are
recorded.

"all"
All users are recorded.

Default: "none"

users (string)
A comma-separated list of users which should have session recording
enabled. Matches user names as returned by NSS, i.e. after the
possible space replacement, case changes, etc.

Default: Empty. Matches no users.

groups (string)
A comma-separated list of groups, members of which should have
session recording enabled. Matches group names as returned by NSS,
i.e. after the possible space replacement, case changes, etc.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a member
of.

Default: Empty. Matches no groups.

exclude_users (string)
A comma-separated list of users to be excluded from recording, only
applicable with 'scope=all'.

Default: Empty. No users excluded.

exclude_groups (string)
A comma-separated list of groups, members of which should be
excluded from recording. Only applicable with 'scope=all'.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a member
of.

Default: Empty. No groups excluded.

These configuration options can be present in a domain configuration
section, that is, in a section called “[domain/NAME]”.

enabled
Explicitly enable or disable the domain. If “true”, the domain is
always “enabled”. If “false”, the domain is always “disabled”. If
this option is not set, the domain is enabled only if it is listed
in the domains option in the “[sssd]” section.

domain_type (string)
Specifies whether the domain is meant to be used by POSIX-aware
clients such as the Name Service Switch or by applications that do
not need POSIX data to be present or generated. Only objects from
POSIX domains are available to the operating system interfaces and
utilities.

Allowed values for this option are “posix” and “application”.

POSIX domains are reachable by all services. Application domains
are only reachable from the InfoPipe responder (see sssd-ifp(5))
and the PAM responder.

NOTE: The application domains are currently well tested with
“id_provider=ldap” only.

For an easy way to configure non-POSIX domains, please see the
“Application domains” section.

Default: posix

min_id,max_id (integer)
UID and GID limits for the domain. If a domain contains an entry
that is outside these limits, it is ignored.

For users, this affects the primary GID limit. The user will not be
returned to NSS if either the UID or the primary GID is outside the
range. For non-primary group memberships, those that are in range
will be reported as expected.

These ID limits affect even saving entries to the cache, not only
returning them by name or ID.

Default: 1 for min_id, 0 (no limit) for max_id
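
The ID-range rules above, applied to a constructed user entry as an added example (not SSSD's code): a user whose UID or primary GID falls outside [min_id, max_id] is dropped entirely, while only the out-of-range secondary group memberships of an in-range user are removed. The CachedUser type and the sample entries are assumptions for the illustration.

```python
"""Added example: applying min_id/max_id to a user entry and its groups.

Not SSSD's implementation. max_id == 0 means 'no upper limit', matching the
documented default of min_id = 1, max_id = 0.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CachedUser:
    """A constructed stand-in for a user entry fetched from the domain."""
    name: str
    uid: int
    gid: int                                  # primary GID
    secondary_groups: Dict[str, int] = field(default_factory=dict)


def id_in_range(value: int, min_id: int, max_id: int) -> bool:
    """True if value lies within [min_id, max_id]; max_id 0 removes the cap."""
    if value < min_id:
        return False
    return max_id == 0 or value <= max_id


def filter_user_entry(user: CachedUser, min_id: int = 1,
                      max_id: int = 0) -> Optional[CachedUser]:
    """Return the entry as NSS would see it, or None if it must be ignored.

    The user is dropped when either the UID or the primary GID is out of
    range; secondary memberships are filtered individually."""
    if max_id != 0 and min_id > max_id:
        raise ValueError("min_id must not exceed max_id")
    if not id_in_range(user.uid, min_id, max_id):
        return None
    if not id_in_range(user.gid, min_id, max_id):
        return None
    kept = {name: gid for name, gid in user.secondary_groups.items()
            if id_in_range(gid, min_id, max_id)}
    return CachedUser(user.name, user.uid, user.gid, kept)


def visible_groups(user: CachedUser, min_id: int = 1, max_id: int = 0) -> List[str]:
    """Sorted names of the secondary groups still reported for the user."""
    filtered = filter_user_entry(user, min_id, max_id)
    return sorted(filtered.secondary_groups) if filtered else []


# Constructed sample entries: a normal domain user with one legacy group
# above the range, a user whose primary group is a low local GID, and an
# entry claiming UID 0 that the default min_id of 1 keeps out of the domain.
ALICE = CachedUser("alice", 1000, 1000, {"wheel": 10, "devs": 5000, "legacy": 70000})
BOB = CachedUser("bob", 1200, 100, {"devs": 5000})
FAKE_ROOT = CachedUser("root", 0, 0, {})


if __name__ == "__main__":
    print(visible_groups(ALICE, min_id=500, max_id=60000))
```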
1387
1388 enumerate (bool)
1389 Determines if a domain can be enumerated, that is, whether the
1390 domain can list all the users and group it contains. Note that it
1391 is not required to enable enumeration in order for secondary groups
1392 to be displayed. This parameter can have one of the following
1393 values:
1394
1395 TRUE = Users and groups are enumerated
1396
1397 FALSE = No enumerations for this domain
1398
1399 Default: FALSE
1400
1401 Enumerating a domain requires SSSD to download and store ALL user
1402 and group entries from the remote server.
1403
1404 Note: Enabling enumeration has a moderate performance impact on
1405 SSSD while enumeration is running. It may take up to several
1406 minutes after SSSD startup to fully complete enumerations. During
1407 this time, individual requests for information will go directly to
1408 LDAP, though it may be slow, due to the heavy enumeration
1409 processing. Saving a large number of entries to cache after the
1410 enumeration completes might also be CPU intensive as the
1411 memberships have to be recomputed. This can lead to the “sssd_be”
1412 process becoming unresponsive or even restarted by the internal
1413 watchdog.
1414
1415 While the first enumeration is running, requests for the complete
1416 user or group lists may return no results until it completes.
1417
1418 Further, enabling enumeration may increase the time necessary to
1419 detect network disconnection, as longer timeouts are required to
1420 ensure that enumeration lookups are completed successfully. For
1421 more information, refer to the man pages for the specific
1422 id_provider in use.
1423
1424 For the reasons cited above, enabling enumeration is not
1425 recommended, especially in large environments.
1426
1427 subdomain_enumerate (string)
1428 Whether any of autodetected trusted domains should be enumerated.
1429 The supported values are:
1430
1431 all
1432 All discovered trusted domains will be enumerated
1433
1434 none
1435 No discovered trusted domains will be enumerated
1436
1437 Optionally, a list of one or more domain names can enable
1438 enumeration just for these trusted domains.
1439
1440 Default: none
1441
1442 entry_cache_timeout (integer)
1443 How many seconds should nss_sss consider entries valid before
1444 asking the backend again
1445
1446 The cache expiration timestamps are stored as attributes of
1447 individual objects in the cache. Therefore, changing the cache
1448 timeout only has effect for newly added or expired entries. You
1449 should run the sss_cache(8) tool in order to force refresh of
1450 entries that have already been cached.
1451
1452 Default: 5400
1453
1454 entry_cache_user_timeout (integer)
1455 How many seconds should nss_sss consider user entries valid before
1456 asking the backend again
1457
1458 Default: entry_cache_timeout
1459
1460 entry_cache_group_timeout (integer)
1461 How many seconds should nss_sss consider group entries valid before
1462 asking the backend again
1463
1464 Default: entry_cache_timeout
1465
1466 entry_cache_netgroup_timeout (integer)
1467 How many seconds should nss_sss consider netgroup entries valid
1468 before asking the backend again
1469
1470 Default: entry_cache_timeout
1471
1472 entry_cache_service_timeout (integer)
1473 How many seconds should nss_sss consider service entries valid
1474 before asking the backend again
1475
1476 Default: entry_cache_timeout
1477
1478 entry_cache_resolver_timeout (integer)
1479 How many seconds should nss_sss consider hosts and networks entries
1480 valid before asking the backend again
1481
1482 Default: entry_cache_timeout
1483
1484 entry_cache_sudo_timeout (integer)
1485 How many seconds should sudo consider rules valid before asking the
1486 backend again
1487
1488 Default: entry_cache_timeout
1489
1490 entry_cache_autofs_timeout (integer)
1491 How many seconds should the autofs service consider automounter
1492 maps valid before asking the backend again
1493
1494 Default: entry_cache_timeout
1495
1496 entry_cache_ssh_host_timeout (integer)
1497 How many seconds to keep a host ssh key after refresh. IE how long
1498 to cache the host key for.
1499
1500 Default: entry_cache_timeout
1501
1502 entry_cache_computer_timeout (integer)
1503 How many seconds to keep the local computer entry before asking the
1504 backend again
1505
1506 Default: entry_cache_timeout
1507
1508 refresh_expired_interval (integer)
1509 Specifies how many seconds SSSD has to wait before triggering a
1510 background refresh task which will refresh all expired or nearly
1511 expired records.
1512
1513 The background refresh will process users, groups and netgroups in
1514 the cache. For users who have performed the initgroups (get group
1515 membership for user, typically ran at login) operation in the past,
1516 both the user entry and the group membership are updated.
1517
1518 This option is automatically inherited for all trusted domains.
1519
1520 You can consider setting this value to 3/4 * entry_cache_timeout.
1521
1522 Cache entry will be refreshed by background task when 2/3 of cache
1523 timeout has already passed. If there are existing cached entries,
1524 the background task will refer to their original cache timeout
1525 values instead of current configuration value. This may lead to a
1526 situation in which background refresh task appears to not be
1527 working. This is done by design to improve offline mode operation
1528 and reuse of existing valid cache entries. To make this change
1529 instant the user may want to manually invalidate existing cache.
1530
1531 Default: 0 (disabled)
1532
1533 cache_credentials (bool)
1534 Determines if user credentials are also cached in the local LDB
1535 cache
1536
1537 User credentials are stored in a SHA512 hash, not in plaintext
1538
1539 Default: FALSE
1540
1541 cache_credentials_minimal_first_factor_length (int)
1542 If 2-Factor-Authentication (2FA) is used and credentials should be
1543 saved this value determines the minimal length the first
1544 authentication factor (long term password) must have to be saved as
1545 SHA512 hash into the cache.
1546
1547 This should avoid that the short PINs of a PIN based 2FA scheme are
1548 saved in the cache which would make them easy targets for
1549 brute-force attacks.
1550
1551 Default: 8
1552
1553 account_cache_expiration (integer)
1554 Number of days entries are left in cache after last successful
1555 login before being removed during a cleanup of the cache. 0 means
1556 keep forever. The value of this parameter must be greater than or
1557 equal to offline_credentials_expiration.
1558
1559 Default: 0 (unlimited)
1560
1561 pwd_expiration_warning (integer)
1562 Display a warning N days before the password expires.
1563
1564 If zero is set, then this filter is not applied, i.e. if the
1565 expiration warning was received from backend server, it will
1566 automatically be displayed.
1567
1568 Please note that the backend server has to provide information
1569 about the expiration time of the password. If this information is
1570 missing, sssd cannot display a warning. Also an auth provider has
1571 to be configured for the backend.
1572
1573 Default: 7 (Kerberos), 0 (LDAP)
1574
1575 id_provider (string)
1576 The identification provider used for the domain. Supported ID
1577 providers are:
1578
1579 “proxy”: Support a legacy NSS provider.
1580
1581 “files”: FILES provider. See sssd-files(5) for more information on
1582 how to mirror local users and groups into SSSD.
1583
1584 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1585 configuring LDAP.
1586
1587 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1588 See sssd-ipa(5) for more information on configuring FreeIPA.
1589
1590 “ad”: Active Directory provider. See sssd-ad(5) for more
1591 information on configuring Active Directory.
1592
1593 use_fully_qualified_names (bool)
1594 Use the full name and domain (as formatted by the domain's
1595 full_name_format) as the user's login name reported to NSS.
1596
1597 If set to TRUE, all requests to this domain must use fully
1598 qualified names. For example, if used in LOCAL domain that contains
1599 a "test" user, getent passwd test wouldn't find the user while
1600 getent passwd test@LOCAL would.
1601
1602 NOTE: This option has no effect on netgroup lookups due to their
1603 tendency to include nested netgroups without qualified names. For
1604 netgroups, all domains will be searched when an unqualified name is
1605 requested.
1606
1607 Default: FALSE (TRUE for trusted domain/sub-domains or if
1608 default_domain_suffix is used)
1609
1610 ignore_group_members (bool)
1611 Do not return group members for group lookups.
1612
1613 If set to TRUE, the group membership attribute is not requested
1614 from the ldap server, and group members are not returned when
1615 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1616 As an effect, “getent group $groupname” would return the requested
1617 group as if it was empty.
1618
1619 Enabling this option can also make access provider checks for group
1620 membership significantly faster, especially for groups containing
1621 many members.
1622
1623 Default: FALSE
1624
1625 auth_provider (string)
1626 The authentication provider used for the domain. Supported auth
1627 providers are:
1628
1629 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1630 information on configuring LDAP.
1631
1632 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1633 information on configuring Kerberos.
1634
1635 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1636 See sssd-ipa(5) for more information on configuring FreeIPA.
1637
1638 “ad”: Active Directory provider. See sssd-ad(5) for more
1639 information on configuring Active Directory.
1640
1641 “proxy” for relaying authentication to some other PAM target.
1642
1643 “none” disables authentication explicitly.
1644
1645 Default: “id_provider” is used if it is set and can handle
1646 authentication requests.
1647
1648 access_provider (string)
1649 The access control provider used for the domain. There are two
1650 built-in access providers (in addition to any included in installed
1651 backends) Internal special providers are:
1652
1653 “permit” always allow access. It's the only permitted access
1654 provider for a local domain.
1655
1656 “deny” always deny access.
1657
1658 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1659 information on configuring LDAP.
1660
1661 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1662 See sssd-ipa(5) for more information on configuring FreeIPA.
1663
1664 “ad”: Active Directory provider. See sssd-ad(5) for more
1665 information on configuring Active Directory.
1666
1667 “simple” access control based on access or deny lists. See sssd-
1668 simple(5) for more information on configuring the simple access
1669 module.
1670
1671 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1672 information on configuring Kerberos.
1673
1674 “proxy” for relaying access control to another PAM module.
1675
1676 Default: “permit”
1677
1678 chpass_provider (string)
1679 The provider which should handle change password operations for the
1680 domain. Supported change password providers are:
1681
1682 “ldap” to change a password stored in a LDAP server. See sssd-
1683 ldap(5) for more information on configuring LDAP.
1684
1685 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1686 information on configuring Kerberos.
1687
1688 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1689 See sssd-ipa(5) for more information on configuring FreeIPA.
1690
1691 “ad”: Active Directory provider. See sssd-ad(5) for more
1692 information on configuring Active Directory.
1693
1694 “proxy” for relaying password changes to some other PAM target.
1695
1696 “none” disallows password changes explicitly.
1697
1698 Default: “auth_provider” is used if it is set and can handle change
1699 password requests.
1700
1701 sudo_provider (string)
1702 The SUDO provider used for the domain. Supported SUDO providers
1703 are:
1704
1705 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1706 information on configuring LDAP.
1707
1708 “ipa” the same as “ldap” but with IPA default settings.
1709
1710 “ad” the same as “ldap” but with AD default settings.
1711
1712 “none” disables SUDO explicitly.
1713
1714 Default: The value of “id_provider” is used if it is set.
1715
1716 The detailed instructions for configuration of sudo_provider are in
1717 the manual page sssd-sudo(5). There are many configuration options
1718 that can be used to adjust the behavior. Please refer to
1719 "ldap_sudo_*" in sssd-ldap(5).
1720
1721 NOTE: Sudo rules are periodically downloaded in the background
1722 unless the sudo provider is explicitly disabled. Set sudo_provider
1723 = none to disable all sudo-related activity in SSSD if you do not
1724 want to use sudo with SSSD at all.
1725
1726 selinux_provider (string)
1727 The provider which should handle loading of selinux settings. Note
1728 that this provider is called right after the access provider finishes.
1729 Supported selinux providers are:
1730
1731 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1732 for more information on configuring IPA.
1733
1734 “none” disallows fetching selinux settings explicitly.
1735
1736 Default: “id_provider” is used if it is set and can handle selinux
1737 loading requests.
1738
1739 subdomains_provider (string)
1740 The provider which should handle fetching of subdomains. This value
1741 should always be the same as id_provider. Supported subdomain
1742 providers are:
1743
1744 “ipa” to load a list of subdomains from an IPA server. See sssd-
1745 ipa(5) for more information on configuring IPA.
1746
1747 “ad” to load a list of subdomains from an Active Directory server.
1748 See sssd-ad(5) for more information on configuring the AD provider.
1749
1750 “none” disallows fetching subdomains explicitly.
1751
1752 Default: The value of “id_provider” is used if it is set.
1753
1754 session_provider (string)
1755 The provider which configures and manages user session related
1756 tasks. The only user session task currently provided is the
1757 integration with Fleet Commander, which works only with IPA.
1758 Supported session providers are:
1759
1760 “ipa” to allow performing user session related tasks.
1761
1762 “none” does not perform any kind of user session related tasks.
1763
1764 Default: “id_provider” is used if it is set and can perform session
1765 related tasks.
1766
1767 NOTE: In order to have this feature working as expected SSSD must
1768 be running as "root" and not as the unprivileged user.
1769
1770 autofs_provider (string)
1771 The autofs provider used for the domain. Supported autofs providers
1772 are:
1773
1774 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1775 information on configuring LDAP.
1776
1777 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1778 more information on configuring IPA.
1779
1780 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1781 information on configuring the AD provider.
1782
1783 “none” disables autofs explicitly.
1784
1785 Default: The value of “id_provider” is used if it is set.
1786
1787 hostid_provider (string)
1788 The provider used for retrieving host identity information.
1789 Supported hostid providers are:
1790
1791 “ipa” to load host identity stored in an IPA server. See sssd-
1792 ipa(5) for more information on configuring IPA.
1793
1794 “none” disables hostid explicitly.
1795
1796 Default: The value of “id_provider” is used if it is set.
1797
1798 resolver_provider (string)
1799 The provider which should handle hosts and networks lookups.
1800 Supported resolver providers are:
1801
1802 “proxy” to forward lookups to another NSS library. See
1803 “proxy_resolver_lib_name”.
1804
1805 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1806 for more information on configuring LDAP.
1807
1808 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1809 more information on configuring the AD provider.
1810
1811 “none” disallows fetching hosts and networks explicitly.
1812
1813 Default: The value of “id_provider” is used if it is set.
1814
1815 re_expression (string)
1816 Regular expression for this domain that describes how to parse the
1817 string containing user name and domain into these components. The
1818 "domain" can match either the SSSD configuration domain name, or,
1819 in the case of IPA trust subdomains and Active Directory domains,
1820 the flat (NetBIOS) name of the domain.
1821
1822 Default for the AD and IPA provider:
1823 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1824 which allows three different styles for user names:
1825
1826 • username
1827
1828 • username@domain.name
1829
1830 • domain\username
1831
1832 While the first two correspond to the general default, the third one
1833 is introduced to allow easy integration of users from Windows
1834 domains.
1835
1836 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1837 "the name is everything up to the “@” sign, the domain everything
1838 after that"
1839
1840 NOTE: Some Active Directory groups, typically those used for MS
1841 Exchange contain an “@” sign in the name, which clashes with the
1842 default re_expression value for the AD and IPA providers. To
1843 support these groups, consider changing the re_expression value to:
1844 “((?P<name>.+)@(?P<domain>[^@]+$))”.
1845
1846 full_name_format (string)
1847 A printf(3)-compatible format that describes how to compose a fully
1848 qualified name from user name and domain name components.
1849
1850 The following expansions are supported:
1851
1852 %1$s
1853 user name
1854
1855 %2$s
1856 domain name as specified in the SSSD config file.
1857
1858 %3$s
1859 domain flat name. Mostly usable for Active Directory domains,
1860 both directly configured or discovered via IPA trusts.
1861
1862 Default: “%1$s@%2$s”.
1863
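The following added example (not code from SSSD itself) shows how re_expression and full_name_format behave on the three name styles above, including the Exchange-style group name with an extra “@” from the NOTE. It copies the documented default expressions into constants and evaluates them with Python's re module; one assumption is made explicit in the code: sssd evaluates re_expression with PCRE, which accepts the same group name in several alternatives, whereas Python's re refuses that, so the helper renames duplicate groups to unique aliases before compiling and maps the result back. The full_name helper only understands the three positional expansions the manual lists.

```python
import re
from collections import defaultdict

# Copies of the re_expression defaults documented above (constructed here,
# not read from a running sssd).
RE_AD_IPA = (r"(((?P<domain>[^\\]+)\\(?P<name>.+$))"
             r"|((?P<name>[^@]+)@(?P<domain>.+$))"
             r"|(^(?P<name>[^@\\]+)$))")
RE_GENERIC = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
RE_EXCHANGE = r"((?P<name>.+)@(?P<domain>[^@]+$))"

_GROUP_OPEN = re.compile(r"\(\?P<(\w+)>")


def compile_sssd_re(expression):
    """Compile an sssd re_expression with Python's re module.

    sssd evaluates re_expression with PCRE, which allows one group name in
    several alternatives (the AD/IPA default uses "name" three times and
    "domain" twice). Python's re rejects that, so each occurrence gets a
    unique suffix; the map from original name to aliases is returned too.
    """
    aliases = defaultdict(list)

    def rename(match):
        base = match.group(1)
        alias = f"{base}_{len(aliases[base])}"
        aliases[base].append(alias)
        return f"(?P<{alias}>"

    return re.compile(_GROUP_OPEN.sub(rename, expression)), dict(aliases)


def split_name(raw, expression=RE_AD_IPA):
    """Split a login string into (name, domain) as sssd's parser would.

    Returns None when the expression does not match at all. domain is None
    when the string carried no domain part, which is where sssd falls back
    to the configured domain.
    """
    pattern, aliases = compile_sssd_re(expression)
    match = pattern.search(raw)
    if match is None:
        return None
    # Only one alternative matched, so at most one alias per original name
    # holds a value; pick that one.
    parts = {}
    for base, names in aliases.items():
        parts[base] = next((match.group(a) for a in names
                            if match.group(a) is not None), None)
    return parts.get("name"), parts.get("domain") or None


def full_name(name, domain, flat_name="", fmt="%1$s@%2$s"):
    """Expand a full_name_format string: %1$s user name, %2$s configured
    domain name, %3$s flat (NetBIOS) domain name."""
    values = {"1": name, "2": domain, "3": flat_name}
    return re.sub(r"%([123])\$s", lambda m: values[m.group(1)], fmt)


if __name__ == "__main__":
    for raw in ("alice", "alice@example.com", r"EXAMPLE\alice"):
        print(raw, "->", split_name(raw))
    # An Exchange-style group name containing "@": the AD/IPA default cuts
    # the name at the first "@", the suggested replacement at the last one.
    print(split_name("exchange@servers@example.com"))
    print(split_name("exchange@servers@example.com", RE_EXCHANGE))
    print(full_name("alice", "ad.example.com", "AD", r"%3$s\%1$s"))
```

Because the alternatives are tried left to right at each position, a string such as “EXAMPLE\alice@x” is split at the backslash, not at the “@”; when you customise re_expression, run your real user and group names through a check like this before deploying it, since an expression that silently mis-splits a name changes which domain a lookup is routed to.
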
1864 lookup_family_order (string)
1865 Provides the ability to select preferred address family to use when
1866 performing DNS lookups.
1867
1868 Supported values:
1869
1870 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1871
1872 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1873
1874 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1875
1876 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1877
1878 Default: ipv4_first
1879
1880 dns_resolver_timeout (integer)
1881 Defines the amount of time (in seconds) to wait for a reply from
1882 the internal fail over service before assuming that the service is
1883 unreachable. If this timeout is reached, the domain will continue
1884 to operate in offline mode.
1885
1886 Please see the section “FAILOVER” for more information about the
1887 service resolution.
1888
1889 Default: 6
1890
1891 dns_discovery_domain (string)
1892 If service discovery is used in the back end, specifies the domain
1893 part of the service discovery DNS query.
1894
1895 Default: Use the domain part of machine's hostname
1896
1897 override_gid (integer)
1898 Override the primary GID value with the one specified.
1899
1900 case_sensitive (string)
1901 Treat user and group names as case sensitive. Possible option
1902 values are:
1903
1904 True
1905 Case sensitive. This value is invalid for the AD provider.
1906
1907 False
1908 Case insensitive.
1909
1910 Preserving
1911 Same as False (case insensitive), but does not lowercase names
1912 in the result of NSS operations. Note that name aliases (and in
1913 case of services also protocol names) are still lowercased in
1914 the output.
1915
1916 If you want to set this value for a trusted domain with the IPA
1917 provider, you need to set it both on the client and in SSSD on the
1918 server.
1919
1920 This option can also be set per subdomain or inherited via
1921 subdomain_inherit.
1922
1923 Default: True (False for AD provider)
1924
1925 subdomain_inherit (string)
1926 Specifies a list of configuration parameters that should be
1927 inherited by a subdomain. Please note that only selected parameters
1928 can be inherited. Currently the following options can be inherited:
1929
1930 ignore_group_members
1931
1932 ldap_purge_cache_timeout
1933
1934 ldap_use_tokengroups
1935
1936 ldap_user_principal
1937
1938 ldap_krb5_keytab (the value of krb5_keytab will be used if
1939 ldap_krb5_keytab is not set explicitly)
1940
1941 auto_private_groups
1942
1943 case_sensitive
1944
1945 Example:
1946
1947 subdomain_inherit = ldap_purge_cache_timeout
1948
1949
1950 Default: none
1951
1952 Note: This option only works with the IPA and AD provider.
1953
1954 subdomain_homedir (string)
1955 Use this homedir as the default value for all subdomains within this
1956 domain in an IPA-AD trust. See override_homedir for info about
1957 possible values. In addition to those, the expansion below can only
1958 be used with subdomain_homedir.
1959
1960 %F
1961 flat (NetBIOS) name of a subdomain.
1962
1963 The value can be overridden by override_homedir option.
1964
1965 Default: /home/%d/%u
1966
1967 realmd_tags (string)
1968 Various tags stored by the realmd configuration service for this
1969 domain.
1970
1971 cached_auth_timeout (int)
1972 Specifies the time in seconds since the last successful online
1973 authentication during which the user will be authenticated using
1974 cached credentials even while SSSD is in online mode. If the supplied
1975 credentials do not match the cached ones, SSSD falls back to online
1976 authentication.
1976
1977 This option's value is inherited by all trusted domains. At the
1978 moment it is not possible to set a different value per trusted
1979 domain.
1980
1981 Special value 0 implies that this feature is disabled.
1982
1983 Please note that if “cached_auth_timeout” is longer than
1984 “pam_id_timeout” then the back end could be called to handle
1985 “initgroups.”
1986
1987 Default: 0
1988
1989 auto_private_groups (string)
1990 This option takes any of three available values:
1991
1992 true
1993 Create user's private group unconditionally from user's UID
1994 number. The GID number is ignored in this case.
1995
1996 NOTE: Because the GID number and the user private group are
1997 inferred from the UID number, it is not supported to have
1998 multiple entries with the same UID or GID number with this
1999 option. In other words, enabling this option enforces
2000 uniqueness across the ID space.
2001
2002 false
2003 Always use the user's primary GID number. The GID number must
2004 refer to a group object in the LDAP database.
2005
2006 hybrid
2007 A primary group is autogenerated for user entries whose UID and
2008 GID numbers have the same value and at the same time the GID
2009 number does not correspond to a real group object in LDAP. If
2010 the values are the same, but the primary GID in the user entry
2011 is also used by a group object, the primary GID of the user
2012 resolves to that group object.
2013
2014 If the UID and GID of a user are different, then the GID must
2015 correspond to a group entry, otherwise the GID is simply not
2016 resolvable.
2017
2018 This feature is useful for environments that wish to stop
2019 maintaining separate group objects for the user private
2020 groups, but also wish to retain the existing user private
2021 groups.
2022
2023 For subdomains, the default value is False for subdomains that use
2024 assigned POSIX IDs and True for subdomains that use automatic
2025 ID-mapping.
2026
2027 The value of auto_private_groups can either be set per subdomain
2028 in a subsection, for example:
2029
2030 [domain/forest.domain/sub.domain]
2031 auto_private_groups = false
2032
2033 or globally for all subdomains in the main domain section using the
2034 subdomain_inherit option:
2035
2036 [domain/forest.domain]
2037 subdomain_inherit = auto_private_groups
2038 auto_private_groups = false
2039
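The three auto_private_groups modes above are easiest to compare on a small set of users. The following is an added example written for this page, not SSSD code: it models the directory as two constructed mappings (user name to uidNumber/gidNumber, and gidNumber to group name for the group objects that really exist), resolves every user's primary group under each mode, and separately lists the entries that violate the uniqueness that “true” requires, which is exactly the situation “hybrid” was introduced for.

```python
# Constructed sample directory data: user name -> (uidNumber, gidNumber) and
# gidNumber -> group name for the group objects that actually exist.
USERS = {
    "alice": (10001, 10001),   # UID == GID, no group object: classic UPG
    "bob":   (10002, 10500),   # primary group is a real, shared group
    "carol": (10003, 10003),   # UID == GID and a real group object exists
    "dave":  (10004, 99999),   # GID points nowhere
}
GROUPS = {10500: "devs", 10003: "carol", 10004: "svc"}


def resolve_primary_group(uid, gid, groups, mode):
    """Return (gid, origin) for the user's primary group under the given
    auto_private_groups setting, or None when the GID is not resolvable.

    origin is "private" when the GID is derived from the UID and "ldap" when
    it resolves to a group object (here: a key in the groups mapping).
    """
    mode = mode.lower()
    if mode == "true":
        # The stored gidNumber is ignored entirely.
        return uid, "private"
    if mode == "false":
        return (gid, "ldap") if gid in groups else None
    if mode == "hybrid":
        if uid == gid and gid not in groups:
            return uid, "private"
        # A real group object wins; otherwise the GID is simply unresolvable.
        return (gid, "ldap") if gid in groups else None
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def resolve_all(users, groups, mode):
    """Resolve the primary group of every user under one mode."""
    return {user: resolve_primary_group(uid, gid, groups, mode)
            for user, (uid, gid) in users.items()}


def id_space_collisions(users, groups):
    """List the entries that break the uniqueness auto_private_groups = true
    requires: a UID that is also an existing group's GID (including a
    pre-existing UPG object), or a UID shared by two users."""
    seen = {}
    collisions = []
    for user, (uid, _gid) in sorted(users.items()):
        if uid in groups:
            collisions.append((user, uid, f"same as GID of group {groups[uid]}"))
        if uid in seen:
            collisions.append((user, uid, f"same as UID of user {seen[uid]}"))
        seen.setdefault(uid, user)
    return collisions


if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        print(mode, resolve_all(USERS, GROUPS, mode))
    print("collisions under true:", id_space_collisions(USERS, GROUPS))
```

Note that carol shows up as a collision under “true” even though her data is perfectly ordinary: her UPG object and the autogenerated private group would both claim GID 10003. Under “hybrid” the real object wins and nothing is ambiguous, which is why hybrid is the safer choice while existing user private groups are still in the directory.
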
2040
2041 Options valid for proxy domains.
2042
2043 proxy_pam_target (string)
2044 The proxy target PAM proxies to.
2045
2046 Default: not set by default, you have to take an existing pam
2047 configuration or create a new one and add the service name here.
2048
2049 proxy_lib_name (string)
2050 The name of the NSS library to use in proxy domains. The NSS
2051 functions searched for in the library are in the form of
2052 _nss_$(libName)_$(function), for example _nss_files_getpwent.
2053
2054 proxy_resolver_lib_name (string)
2055 The name of the NSS library to use for hosts and networks lookups
2056 in proxy domains. The NSS functions searched for in the library are
2057 in the form of _nss_$(libName)_$(function), for example
2058 _nss_dns_gethostbyname2_r.
2059
2060 proxy_fast_alias (boolean)
2061 When a user or group is looked up by name in the proxy provider, a
2062 second lookup by ID is performed to "canonicalize" the name in case
2063 the requested name was an alias. Setting this option to true causes
2064 SSSD to perform the ID lookup from the cache instead, for
2065 performance reasons.
2066
2067 Default: false
2068
2069 proxy_max_children (integer)
2070 This option specifies the number of pre-forked proxy children. It
2071 is useful for high-load SSSD environments where sssd may run out of
2072 available child slots, which would cause some issues due to the
2073 requests being queued.
2074
2075 Default: 10
2076
2077 Application domains
2078 SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
2079 applications as a gateway to an LDAP directory where users and groups
2080 are stored. However, contrary to the traditional SSSD deployment where
2081 all users and groups either have POSIX attributes or those attributes
2082 can be inferred from the Windows SIDs, in many cases the users and
2083 groups in the application support scenario have no POSIX attributes.
2084 Instead of setting a “[domain/NAME]” section, the administrator can set
2085 up an “[application/NAME]” section that internally represents a domain
2086 of type “application” and optionally inherits settings from a
2087 traditional SSSD domain.
2088
2089 Please note that the application domain must still be explicitly
2090 enabled in the “domains” parameter so that the lookup order between the
2091 application domain and its POSIX sibling domain is set correctly.
2092
2093 Application domain parameters
2094
2095 inherit_from (string)
2096 The SSSD POSIX-type domain the application domain inherits all
2097 settings from. The application domain can moreover add its own
2098 settings that augment or override the settings of the “sibling”
2099 domain.
2100
2101 Default: Not set
2102
2103 The following example illustrates the use of an application domain. In
2104 this setup, the POSIX domain is connected to an LDAP server and is used
2105 by the OS through the NSS responder. In addition, the application
2106 domain also requests the telephoneNumber attribute, stores it as the
2107 phone attribute in the cache and makes the phone attribute reachable
2108 through the D-Bus interface.
2109
2110 [sssd]
2111 domains = appdom, posixdom
2112
2113 [ifp]
2114 user_attributes = +phone
2115
2116 [domain/posixdom]
2117 id_provider = ldap
2118 ldap_uri = ldap://ldap.example.com
2119 ldap_search_base = dc=example,dc=com
2120
2121 [application/appdom]
2122 inherit_from = posixdom
2123 ldap_user_extra_attrs = phone:telephoneNumber
2124
2125 TRUSTED DOMAIN SECTION
2126 Some options used in the domain section can also be used in the trusted
2127 domain section, that is, in a section called
2128 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2129 base domain the host is actually joined to. Please refer to the
2130 examples below for an illustration. Currently supported options in the
2131 trusted domain section are:
2132
2133 ldap_search_base,
2134
2135 ldap_user_search_base,
2136
2137 ldap_group_search_base,
2138
2139 ldap_netgroup_search_base,
2140
2141 ldap_service_search_base,
2142
2143 ldap_sasl_mech,
2144
2145 ad_server,
2146
2147 ad_backup_server,
2148
2149 ad_site,
2150
2151 use_fully_qualified_names
2152
2153 pam_gssapi_services
2154
2155 pam_gssapi_check_upn
2156
2157 For more details about these options see their individual description
2158 in the manual page.
2159
2160 CERTIFICATE MAPPING SECTION
2161 To allow authentication with Smartcards and certificates, SSSD must be
2162 able to map certificates to users. This can be done by adding the full
2163 certificate to the LDAP object of the user or to a local override.
2164 While using the full certificate is required to use the Smartcard
2165 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2166 details), it might be cumbersome or not even possible to do this for the
2167 general case where local services use PAM for authentication.
2168
2169 To make the mapping more flexible, mapping and matching rules were added
2170 to SSSD (see sss-certmap(5) for details).
2171
2172 A mapping and matching rule can be added to the SSSD configuration in a
2173 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2174 In this section the following options are allowed:
2175
2176 matchrule (string)
2177 Only certificates from the Smartcard which match this rule will
2178 be processed; all others are ignored.
2179
2180 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2181 the Extended Key Usage “clientAuth”
2182
2183 maprule (string)
2184 Defines how the user is found for a given certificate.
2185
2186 Default:
2187
2188 • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2189 providers like “ldap”, “AD” or “ipa”.
2190
2191 • The RULE_NAME for the “files” provider which tries to find a
2192 user with the same name.
2193
2194
2195 domains (string)
2196 Comma separated list of domain names the rule should be applied to.
2197 By default a rule is only valid in the domain configured in
2198 sssd.conf. If the provider supports subdomains this option can be
2199 used to add the rule to subdomains as well.
2200
2201 Default: the configured domain in sssd.conf
2202
2203 priority (integer)
2204 Unsigned integer value defining the priority of the rule. The
2205 higher the number the lower the priority. “0” stands for the
2206 highest priority while “4294967295” is the lowest.
2207
2208 Default: the lowest priority
2209
2210 To make the configuration simple and reduce the amount of configuration
2211 options the “files” provider has some special properties:
2212
2213 • if maprule is not set the RULE_NAME name is assumed to be the name
2214 of the matching user
2215
2216 • if a maprule is used, either a single user name or a template like
2217 “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
2218 e.g. “(username)” or “({subject_rfc822_name.short_name})”
2219
2220 • the “domains” option is ignored
2221
2222
2223 PROMPTING CONFIGURATION SECTION
2224 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
2225 SSSD's PAM module pam_sss will ask SSSD to figure out which
2226 authentication methods are available for the user trying to log in.
2227 Based on the results pam_sss will prompt the user for appropriate
2228 credentials.
2229
2230 With the growing number of authentication methods and the possibility
2231 that there are multiple ones for a single user the heuristic used by
2232 pam_sss to select the prompting might not be suitable for all use
2233 cases. The following options should provide a better flexibility here.
2234
2235 Each supported authentication method has its own configuration
2236 subsection under “[prompting/...]”. Currently there are:
2237
2238 [prompting/password]
2239 to configure password prompting, allowed options are:
2240
2241 password_prompt
2242 to change the string of the password prompt
2243
2244
2245 [prompting/2fa]
2246 to configure two-factor authentication prompting, allowed options
2247 are:
2248
2249 first_prompt
2250 to change the string of the prompt for the first factor
2251
2252 second_prompt
2253 to change the string of the prompt for the second factor
2254
2255 single_prompt
2256 boolean value, if True there will be only a single prompt using
2257 the value of first_prompt where it is expected that both
2258 factors are entered as a single string. Please note that both
2259 factors have to be entered here, even if the second factor is
2260 optional.
2261
2262 If the second factor is optional and it should be possible to log
2263 in either only with the password or with both factors two-step
2264 prompting has to be used.
2265
2266 It is possible to add a subsection for specific PAM services, e.g.
2267 “[prompting/password/sshd]”, to change the prompting for that
2268 service individually.
2269
2270 EXAMPLES
2271 1. The following example shows a typical SSSD config. It does not
2272 describe configuration of the domains themselves - refer to the
2273 documentation on configuring domains for more details.
2274
2275 [sssd]
2276 domains = LDAP
2277 services = nss, pam
2278 config_file_version = 2
2279
2280 [nss]
2281 filter_groups = root
2282 filter_users = root
2283
2284 [pam]
2285
2286 [domain/LDAP]
2287 id_provider = ldap
2288 ldap_uri = ldap://ldap.example.com
2289 ldap_search_base = dc=example,dc=com
2290
2291 auth_provider = krb5
2292 krb5_server = kerberos.example.com
2293 krb5_realm = EXAMPLE.COM
2294 cache_credentials = true
2295
2296 min_id = 10000
2297 max_id = 20000
2298 enumerate = False
2299
2300 2. The following example shows configuration of IPA AD trust where the
2301 AD forest consists of two domains in a parent-child structure. Suppose
2302 IPA domain (ipa.com) has trust with AD domain(ad.com). ad.com has child
2303 domain (child.ad.com). To enable shortnames in the child domain the
2304 following configuration should be used.
2305
2306 [domain/ipa.com/child.ad.com]
2307 use_fully_qualified_names = false
2308
2309 3. The following example shows the configuration for two certificate
2310 mapping rules. The first is valid for the configured domain “my.domain”
2311 and additionally for the subdomain “your.domain”, and uses the full
2312 certificate in the search filter. The second example is valid for the
2313 domain “files”, where it is assumed the files provider is used for this
2314 domain, and contains a matching rule for the local user “myname”.
2315
2316 [certmap/my.domain/rule_name]
2317 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2318 maprule = (userCertificate;binary={cert!bin})
2319 domains = my.domain, your.domain
2320 priority = 10
2321
2322 [certmap/files/myname]
2323 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
2324
2325
2326 SEE ALSO
2327 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2328 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2329 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2330 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2331 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5),
2332 sssd-systemtap(5)
2333
2334 AUTHORS
2335 The SSSD upstream - https://github.com/SSSD/sssd/
2336
2337
2338
2339SSSD 05/19/2021 SSSD.CONF(5)