1SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)
2
3
4
6 sssd.conf - the configuration file for SSSD
7
9 The file has an ini-style syntax and consists of sections and
10 parameters. A section begins with the name of the section in square
11 brackets and continues until the next section begins. An example of
12 section with single and multi-valued parameters:
13
14 [section]
15 key = value
16 key2 = value2,value3
17
18
19 The data types used are string (no quotes needed), integer and bool
20 (with values of “TRUE/FALSE”).
21
22 A comment line starts with a hash sign (“#”) or a semicolon (“;”).
23 Inline comments are not supported.
24
25 All sections can have an optional description parameter. Its function
26 is only as a label for the section.
27
28 sssd.conf must be a regular file, owned by root and only root may read
29 from or write to the file.
30
32 The configuration file sssd.conf will include configuration snippets
33 using the include directory conf.d. This feature is available if SSSD
34 was compiled with libini version 1.3.0 or later.
35
36 Any file placed in conf.d that ends in “.conf” and does not begin with
37 a dot (“.”) will be used together with sssd.conf to configure SSSD.
38
39 The configuration snippets from conf.d have higher priority than
40 sssd.conf and will override sssd.conf when conflicts occur. If several
41 snippets are present in conf.d, then they are included in alphabetical
42 order (based on locale). Files included later have higher priority.
43 Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
44 visualize the priority (higher number means higher priority).
45
46 The snippet files require the same owner and permissions as sssd.conf.
47 Which are by default root:root and 0600.
48
50 Following options are usable in more than one configuration sections.
51
52 Options usable in all sections
53 debug_level (integer)
54 SSSD supports two representations for specifying the debug level.
55 The simplest is to specify a decimal value from 0-9, which
56 represents enabling that level and all lower-level debug messages.
57 The more comprehensive option is to specify a hexadecimal bitmask
58 to enable or disable specific levels (such as if you wish to
59 suppress a level).
60
61 Please note that each SSSD service logs into its own log file. Also
62 please note that enabling “debug_level” in the “[sssd]” section
63 only enables debugging just for the sssd process itself, not for
64 the responder or provider processes. The “debug_level” parameter
65 should be added to all sections that you wish to produce debug logs
66 from.
67
68 In addition to changing the log level in the config file using the
69 “debug_level” parameter, which is persistent, but requires SSSD
70 restart, it is also possible to change the debug level on the fly
71 using the sss_debuglevel(8) tool.
72
73 Currently supported debug levels:
74
75 0, 0x0010: Fatal failures. Anything that would prevent SSSD from
76 starting up or causes it to cease running.
77
78 1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
79 one that indicates that at least one major feature is not going to
80 work properly.
81
82 2, 0x0040: Serious failures. An error announcing that a particular
83 request or operation has failed.
84
85 3, 0x0080: Minor failures. These are the errors that would
86 percolate down to cause the operation failure of 2.
87
88 4, 0x0100: Configuration settings.
89
90 5, 0x0200: Function data.
91
92 6, 0x0400: Trace messages for operation functions.
93
94 7, 0x1000: Trace messages for internal control functions.
95
96 8, 0x2000: Contents of function-internal variables that may be
97 interesting.
98
99 9, 0x4000: Extremely low-level tracing information.
100
101 10, 0x10000: Even more low-level libldb tracing information. Almost
102 never really required.
103
104 To log required bitmask debug levels, simply add their numbers
105 together as shown in following examples:
106
107 Example: To log fatal failures, critical failures, serious failures
108 and function data use 0x0270.
109
110 Example: To log fatal failures, configuration settings, function
111 data, trace messages for internal control functions use 0x1310.
112
113 Note: The bitmask format of debug levels was introduced in 1.7.0.
114
115 Default: 0x0070 (i.e. fatal, critical and serious failures;
116 corresponds to setting 2 in decimal notation)
117
118 debug (integer)
119 SSSD 1.14 and later also includes the debug alias for debug_level
120 as a convenience feature. If both are specified, the value of
121 debug_level will be used.
122
123 debug_timestamps (bool)
124 Add a timestamp to the debug messages. If journald is enabled for
125 SSSD debug logging this option is ignored.
126
127 Default: true
128
129 debug_microseconds (bool)
130 Add microseconds to the timestamp in debug messages. If journald is
131 enabled for SSSD debug logging this option is ignored.
132
133 Default: false
134
135 debug_backtrace_enabled (bool)
136 Enable debug backtrace.
137
138 In case SSSD is run with debug_level less than 9, everything is
139 logged to a ring buffer in memory and flushed to a log file on any
140 error up to and including `min(0x0040, debug_level)` (i.e. if
141 debug_level is explicitly set to 0 or 1 then only those error
142 levels will trigger backtrace, otherwise up to 2).
143
144 Feature is only supported for `logger == files` (i.e. setting
145 doesn't have effect for other logger types).
146
147 Default: true
148
149 Options usable in SERVICE and DOMAIN sections
150 timeout (integer)
151 Timeout in seconds between heartbeats for this service. This is
152 used to ensure that the process is alive and capable of answering
153 requests. Note that after three missed heartbeats the process will
154 terminate itself.
155
156 Default: 10
157
159 The [sssd] section
160 Individual pieces of SSSD functionality are provided by special SSSD
161 services that are started and stopped together with SSSD. The services
162 are managed by a special service frequently called “monitor”. The
163 “[sssd]” section is used to configure the monitor as well as some other
164 important options like the identity domains.
165
166 Section parameters
167
168 config_file_version (integer)
169 Indicates what is the syntax of the config file. SSSD 0.6.0 and
170 later use version 2.
171
172 services
173 Comma separated list of services that are started when sssd itself
174 starts. The services' list is optional on platforms where systemd
175 is supported, as they will either be socket or D-Bus activated when
176 needed.
177
178 Supported services: nss, pam , sudo , autofs , ssh , pac , ifp
179
180 By default, all services are disabled and the administrator must
181 enable the ones allowed to be used by executing: "systemctl enable
182 sssd-@service@.socket".
183
184 reconnection_retries (integer)
185 Number of times services should attempt to reconnect in the event
186 of a Data Provider crash or restart before they give up
187
188 Default: 3
189
190 domains
191 A domain is a database containing user information. SSSD can use
192 more domains at the same time, but at least one must be configured
193 or SSSD won't start. This parameter describes the list of domains
194 in the order you want them to be queried. A domain name is
195 recommended to contain only alphanumeric ASCII characters, dashes,
196 dots and underscores. '/' character is forbidden.
197
198 re_expression (string)
199 Default regular expression that describes how to parse the string
200 containing user name and domain into these components.
201
202 Each domain can have an individual regular expression configured.
203 For some ID providers there are also default regular expressions.
204 See DOMAIN SECTIONS for more info on these regular expressions.
205
206 full_name_format (string)
207 A printf(3)-compatible format that describes how to compose a fully
208 qualified name from user name and domain name components.
209
210 The following expansions are supported:
211
212 %1$s
213 user name
214
215 %2$s
216 domain name as specified in the SSSD config file.
217
218 %3$s
219 domain flat name. Mostly usable for Active Directory domains,
220 both directly configured or discovered via IPA trusts.
221
222 Each domain can have an individual format string configured. See
223 DOMAIN SECTIONS for more info on this option.
224
225 monitor_resolv_conf (boolean)
226 Controls if SSSD should monitor the state of resolv.conf to
227 identify when it needs to update its internal DNS resolver.
228
229 Default: true
230
231 try_inotify (boolean)
232 By default, SSSD will attempt to use inotify to monitor
233 configuration files changes and will fall back to polling every
234 five seconds if inotify cannot be used.
235
236 There are some limited situations where it is preferred that we
237 should skip even trying to use inotify. In these rare cases, this
238 option should be set to 'false'
239
240 Default: true on platforms where inotify is supported. False on
241 other platforms.
242
243 Note: this option will have no effect on platforms where inotify is
244 unavailable. On these platforms, polling will always be used.
245
246 krb5_rcache_dir (string)
247 Directory on the filesystem where SSSD should store Kerberos replay
248 cache files.
249
250 This option accepts a special value __LIBKRB5_DEFAULTS__ that will
251 instruct SSSD to let libkrb5 decide the appropriate location for
252 the replay cache.
253
254 Default: Distribution-specific and specified at build-time.
255 (__LIBKRB5_DEFAULTS__ if not configured)
256
257 user (string)
258 The user to drop the privileges to where appropriate to avoid
259 running as the root user. This option does not work when running
260 socket-activated services, as the user set up to run the processes
261 is set up during compilation time. The way to override the systemd
262 unit files is by creating the appropriate files in
263 /etc/systemd/system/. Keep in mind that any change in the socket
264 user, group or permissions may result in a non-usable SSSD. The
265 same may occur in case of changes of the user running the NSS
266 responder.
267
268 Default: not set, process will run as root
269
270 default_domain_suffix (string)
271 This string will be used as a default domain name for all names
272 without a domain name component. The main use case is environments
273 where the primary domain is intended for managing host policies and
274 all users are located in a trusted domain. The option allows those
275 users to log in just with their user name without giving a domain
276 name as well.
277
278 Please note that if this option is set all users from the primary
279 domain have to use their fully qualified name, e.g.
280 user@domain.name, to log in. Setting this option changes default of
281 use_fully_qualified_names to True. It is not allowed to use this
282 option together with use_fully_qualified_names set to False. One
283 exception from this rule are domains with “id_provider=files” that
284 always try to match the behaviour of nss_files and therefore their
285 output is not qualified even when the default_domain_suffix option
286 is used.
287
288 Default: not set
289
290 override_space (string)
291 This parameter will replace spaces (space bar) with the given
292 character for user and group names. e.g. (_). User name "john doe"
293 will be "john_doe" This feature was added to help compatibility
294 with shell scripts that have difficulty handling spaces, due to the
295 default field separator in the shell.
296
297 Please note it is a configuration error to use a replacement
298 character that might be used in user or group names. If a name
299 contains the replacement character SSSD tries to return the
300 unmodified name but in general the result of a lookup is undefined.
301
302 Default: not set (spaces will not be replaced)
303
304 certificate_verification (string)
305 With this parameter the certificate verification can be tuned with
306 a comma separated list of options. Supported options are:
307
308 no_ocsp
309 Disables Online Certificate Status Protocol (OCSP) checks. This
310 might be needed if the OCSP servers defined in the certificate
311 are not reachable from the client.
312
313 soft_ocsp
314 If a connection cannot be established to an OCSP responder the
315 OCSP check is skipped. This option should be used to allow
316 authentication when the system is offline and the OCSP
317 responder cannot be reached.
318
319 ocsp_dgst
320 Digest (hash) function used to create the certificate ID for
321 the OCSP request. Allowed values are:
322
323 • sha1
324
325 • sha256
326
327 • sha384
328
329 • sha512
330
331 Default: sha1 (to allow compatibility with RFC5019-compliant
332 responder)
333
334 no_verification
335 Disables verification completely. This option should only be
336 used for testing.
337
338 partial_chain
339 Allow verification to succeed even if a complete chain cannot
340 be built to a self-signed trust-anchor, provided it is possible
341 to construct a chain to a trusted certificate that might not be
342 self-signed.
343
344 ocsp_default_responder=URL
345 Sets the OCSP default responder which should be used instead of
346 the one mentioned in the certificate. URL must be replaced with
347 the URL of the OCSP default responder e.g.
348 http://example.com:80/ocsp.
349
350 ocsp_default_responder_signing_cert=NAME
351 This option is currently ignored. All needed certificates must
352 be available in the PEM file given by pam_cert_db_path.
353
354 crl_file=/PATH/TO/CRL/FILE
355 Use the Certificate Revocation List (CRL) from the given file
356 during the verification of the certificate. The CRL must be
357 given in PEM format, see crl(1ssl) for details.
358
359 soft_crl
360 If a Certificate Revocation List (CRL) is expired ignore the
361 CRL checks for the related certificates. This option should be
362 used to allow authentication when the system is offline and the
363 CRL cannot be renewed.
364
365 Unknown options are reported but ignored.
366
367 Default: not set, i.e. do not restrict certificate verification
368
369 disable_netlink (boolean)
370 SSSD hooks into the netlink interface to monitor changes to routes,
371 addresses, links and trigger certain actions.
372
373 The SSSD state changes caused by netlink events may be undesirable
374 and can be disabled by setting this option to 'true'
375
376 Default: false (netlink changes are detected)
377
378 enable_files_domain (boolean)
379 When this option is enabled, SSSD prepends an implicit domain with
380 “id_provider=files” before any explicitly configured domains.
381
382 Default: false
383
384 domain_resolution_order
385 Comma separated list of domains and subdomains representing the
386 lookup order that will be followed. The list doesn't have to
387 include all possible domains as the missing domains will be looked
388 up based on the order they're presented in the “domains”
389 configuration option. The subdomains which are not listed as part
390 of “lookup_order” will be looked up in a random order for each
391 parent domain.
392
393 Please, note that when this option is set the output format of all
394 commands is always fully-qualified even when using short names for
395 input, for all users but the ones managed by the files provider. In
396 case the administrator wants the output not fully-qualified, the
397 full_name_format option can be used as shown below:
398 “full_name_format=%1$s” However, keep in mind that during login,
399 login applications often canonicalize the username by calling
400 getpwnam(3) which, if a shortname is returned for a qualified input
401 (while trying to reach a user which exists in multiple domains)
402 might re-route the login attempt into the domain which uses
403 shortnames, making this workaround totally not recommended in cases
404 where usernames may overlap between domains.
405
406 Default: Not set
407
409 Settings that can be used to configure different services are described
410 in this section. They should reside in the [$NAME] section, for
411 example, for NSS service, the section would be “[nss]”
412
413 General service configuration options
414 These options can be used to configure any service.
415
416 reconnection_retries (integer)
417 Number of times services should attempt to reconnect in the event
418 of a Data Provider crash or restart before they give up
419
420 Default: 3
421
422 fd_limit
423 This option specifies the maximum number of file descriptors that
424 may be opened at one time by this SSSD process. On systems where
425 SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
426 absolute setting. On systems without this capability, the resulting
427 value will be the lower value of this or the limits.conf "hard"
428 limit.
429
430 Default: 8192 (or limits.conf "hard" limit)
431
432 client_idle_timeout
433 This option specifies the number of seconds that a client of an
434 SSSD process can hold onto a file descriptor without communicating
435 on it. This value is limited in order to avoid resource exhaustion
436 on the system. The timeout can't be shorter than 10 seconds. If a
437 lower value is configured, it will be adjusted to 10 seconds.
438
439 Default: 60, KCM: 300
440
441 offline_timeout (integer)
442 When SSSD switches to offline mode the amount of time before it
443 tries to go back online will increase based upon the time spent
444 disconnected. By default SSSD uses incremental behaviour to
445 calculate delay in between retries. So, the wait time for a given
446 retry will be longer than the wait time for the previous ones.
447 After each unsuccessful attempt to go online, the new interval is
448 recalculated by the following:
449
450 new_delay = Minimum(old_delay * 2, offline_timeout_max) +
451 random[0...offline_timeout_random_offset]
452
453 The offline_timeout default value is 60. The offline_timeout_max
454 default value is 3600. The offline_timeout_random_offset default
455 value is 30. The end result is amount of seconds before next retry.
456
457 Note that the maximum length of each interval is defined by
458 offline_timeout_max (apart of random part).
459
460 Default: 60
461
462 offline_timeout_max (integer)
463 Controls by how much the time between attempts to go online can be
464 incremented following unsuccessful attempts to go online.
465
466 A value of 0 disables the incrementing behaviour.
467
468 The value of this parameter should be set in correlation to
469 offline_timeout parameter value.
470
471 With offline_timeout set to 60 (default value) there is no point in
472 setting offlinet_timeout_max to less than 120 as it will saturate
473 instantly. General rule here should be to set offline_timeout_max
474 to at least 4 times offline_timeout.
475
476 Although a value between 0 and offline_timeout may be specified, it
477 has the effect of overriding the offline_timeout value so is of
478 little use.
479
480 Default: 3600
481
482 offline_timeout_random_offset (integer)
483 When SSSD is in offline mode it keeps probing backend servers in
484 specified time intervals:
485
486 new_delay = Minimum(old_delay * 2, offline_timeout_max) +
487 random[0...offline_timeout_random_offset]
488
489 This parameter controls the value of the random offset used for the
490 above equation. Final random_offset value will be random number in
491 range:
492
493 [0 - offline_timeout_random_offset]
494
495 A value of 0 disables the random offset addition.
496
497 Default: 30
498
499 responder_idle_timeout
500 This option specifies the number of seconds that an SSSD responder
501 process can be up without being used. This value is limited in
502 order to avoid resource exhaustion on the system. The minimum
503 acceptable value for this option is 60 seconds. Setting this option
504 to 0 (zero) means that no timeout will be set up to the responder.
505 This option only has effect when SSSD is built with systemd support
506 and when services are either socket or D-Bus activated.
507
508 Default: 300
509
510 cache_first
511 This option specifies whether the responder should query all caches
512 before querying the Data Providers.
513
514 Default: false
515
516 NSS configuration options
517 These options can be used to configure the Name Service Switch (NSS)
518 service.
519
520 enum_cache_timeout (integer)
521 How many seconds should nss_sss cache enumerations (requests for
522 info about all users)
523
524 Default: 120
525
526 entry_cache_nowait_percentage (integer)
527 The entry cache can be set to automatically update entries in the
528 background if they are requested beyond a percentage of the
529 entry_cache_timeout value for the domain.
530
531 For example, if the domain's entry_cache_timeout is set to 30s and
532 entry_cache_nowait_percentage is set to 50 (percent), entries that
533 come in after 15 seconds past the last cache update will be
534 returned immediately, but the SSSD will go and update the cache on
535 its own, so that future requests will not need to block waiting for
536 a cache update.
537
538 Valid values for this option are 0-99 and represent a percentage of
539 the entry_cache_timeout for each domain. For performance reasons,
540 this percentage will never reduce the nowait timeout to less than
541 10 seconds. (0 disables this feature)
542
543 Default: 50
544
545 entry_negative_timeout (integer)
546 Specifies for how many seconds nss_sss should cache negative cache
547 hits (that is, queries for invalid database entries, like
548 nonexistent ones) before asking the back end again.
549
550 Default: 15
551
552 local_negative_timeout (integer)
553 Specifies for how many seconds nss_sss should keep local users and
554 groups in negative cache before trying to look it up in the back
555 end again. Setting the option to 0 disables this feature.
556
557 Default: 14400 (4 hours)
558
559 filter_users, filter_groups (string)
560 Exclude certain users or groups from being fetched from the sss NSS
561 database. This is particularly useful for system accounts. This
562 option can also be set per-domain or include fully-qualified names
563 to filter only users from the particular domain or by a user
564 principal name (UPN).
565
566 NOTE: The filter_groups option doesn't affect inheritance of nested
567 group members, since filtering happens after they are propagated
568 for returning via NSS. E.g. a group having a member group filtered
569 out will still have the member users of the latter listed.
570
571 Default: root
572
573 filter_users_in_groups (bool)
574 If you want filtered user still be group members set this option to
575 false.
576
577 Default: true
578
579 override_homedir (string)
580 Override the user's home directory. You can either provide an
581 absolute value or a template. In the template, the following
582 sequences are substituted:
583
584 %u
585 login name
586
587 %U
588 UID number
589
590 %d
591 domain name
592
593 %f
594 fully qualified user name (user@domain)
595
596 %l
597 The first letter of the login name.
598
599 %P
600 UPN - User Principal Name (name@REALM)
601
602 %o
603 The original home directory retrieved from the identity
604 provider.
605
606 %H
607 The value of configure option homedir_substring.
608
609 %%
610 a literal '%'
611
612 This option can also be set per-domain.
613
614 example:
615
616 override_homedir = /home/%u
617
618
619 Default: Not set (SSSD will use the value retrieved from LDAP)
620
621 Please note, the home directory from a specific override for the
622 user, either locally (see sss_override(8)) or centrally managed IPA
623 id-overrides, has a higher precedence and will be used instead of
624 the value given by override_homedir.
625
626 homedir_substring (string)
627 The value of this option will be used in the expansion of the
628 override_homedir option if the template contains the format string
629 %H. An LDAP directory entry can directly contain this template so
630 that this option can be used to expand the home directory path for
631 each client machine (or operating system). It can be set per-domain
632 or globally in the [nss] section. A value specified in a domain
633 section will override one set in the [nss] section.
634
635 Default: /home
636
637 fallback_homedir (string)
638 Set a default template for a user's home directory if one is not
639 specified explicitly by the domain's data provider.
640
641 The available values for this option are the same as for
642 override_homedir.
643
644 example:
645
646 fallback_homedir = /home/%u
647
648
649 Default: not set (no substitution for unset home directories)
650
651 override_shell (string)
652 Override the login shell for all users. This option supersedes any
653 other shell options if it takes effect and can be set either in the
654 [nss] section or per-domain.
655
656 Default: not set (SSSD will use the value retrieved from LDAP)
657
658 allowed_shells (string)
659 Restrict user shell to one of the listed values. The order of
660 evaluation is:
661
662 1. If the shell is present in “/etc/shells”, it is used.
663
664 2. If the shell is in the allowed_shells list but not in
665 “/etc/shells”, use the value of the shell_fallback parameter.
666
667 3. If the shell is not in the allowed_shells list and not in
668 “/etc/shells”, a nologin shell is used.
669
670 The wildcard (*) can be used to allow any shell.
671
672 The (*) is useful if you want to use shell_fallback in case that
673 user's shell is not in “/etc/shells” and maintaining list of all
674 allowed shells in allowed_shells would be to much overhead.
675
676 An empty string for shell is passed as-is to libc.
677
678 The “/etc/shells” is only read on SSSD start up, which means that a
679 restart of the SSSD is required in case a new shell is installed.
680
681 Default: Not set. The user shell is automatically used.
682
683 vetoed_shells (string)
684 Replace any instance of these shells with the shell_fallback
685
686 shell_fallback (string)
687 The default shell to use if an allowed shell is not installed on
688 the machine.
689
690 Default: /bin/sh
691
692 default_shell
693 The default shell to use if the provider does not return one during
694 lookup. This option can be specified globally in the [nss] section
695 or per-domain.
696
697 Default: not set (Return NULL if no shell is specified and rely on
698 libc to substitute something sensible when necessary, usually
699 /bin/sh)
700
701 get_domains_timeout (int)
702 Specifies time in seconds for which the list of subdomains will be
703 considered valid.
704
705 Default: 60
706
707 memcache_timeout (integer)
708 Specifies time in seconds for which records in the in-memory cache
709 will be valid. Setting this option to zero will disable the
710 in-memory cache.
711
712 Default: 300
713
714 WARNING: Disabling the in-memory cache will have significant
715 negative impact on SSSD's performance and should only be used for
716 testing.
717
718 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
719 "NO", client applications will not use the fast in-memory cache.
720
721 memcache_size_passwd (integer)
722 Size (in megabytes) of the data table allocated inside fast
723 in-memory cache for passwd requests. Setting the size to 0 will
724 disable the passwd in-memory cache.
725
726 Default: 8
727
728 WARNING: Disabled or too small in-memory cache can have significant
729 negative impact on SSSD's performance.
730
731 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
732 "NO", client applications will not use the fast in-memory cache.
733
734 memcache_size_group (integer)
735 Size (in megabytes) of the data table allocated inside fast
736 in-memory cache for group requests. Setting the size to 0 will
737 disable the group in-memory cache.
738
739 Default: 6
740
741 WARNING: Disabled or too small in-memory cache can have significant
742 negative impact on SSSD's performance.
743
744 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
745 "NO", client applications will not use the fast in-memory cache.
746
747 memcache_size_initgroups (integer)
748 Size (in megabytes) of the data table allocated inside fast
749 in-memory cache for initgroups requests. Setting the size to 0 will
750 disable the initgroups in-memory cache.
751
752 Default: 10
753
754 WARNING: Disabled or too small in-memory cache can have significant
755 negative impact on SSSD's performance.
756
757 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
758 "NO", client applications will not use the fast in-memory cache.
759
760 user_attributes (string)
761 Some of the additional NSS responder requests can return more
762 attributes than just the POSIX ones defined by the NSS interface.
763 The list of attributes is controlled by this option. It is handled
764 the same way as the “user_attributes” option of the InfoPipe
765 responder (see sssd-ifp(5) for details) but with no default values.
766
767 To make configuration more easy the NSS responder will check the
768 InfoPipe option if it is not set for the NSS responder.
769
770 Default: not set, fallback to InfoPipe option
771
772 pwfield (string)
773 The value that NSS operations that return users or groups will
774 return for the “password” field.
775
776 Default: “*”
777
778 Note: This option can also be set per-domain which overwrites the
779 value in [nss] section.
780
781 Default: “not set” (remote domains), “x” (the files domain), “x”
782 (proxy domain with nss_files and sssd-shadowutils target)
783
784 PAM configuration options
785 These options can be used to configure the Pluggable Authentication
786 Module (PAM) service.
787
788 offline_credentials_expiration (integer)
789 If the authentication provider is offline, how long should we allow
790 cached logins (in days since the last successful online login).
791
792 Default: 0 (No limit)
793
794 offline_failed_login_attempts (integer)
795 If the authentication provider is offline, how many failed login
796 attempts are allowed.
797
798 Default: 0 (No limit)
799
800 offline_failed_login_delay (integer)
801 The time in minutes which has to pass after
802 offline_failed_login_attempts has been reached before a new login
803 attempt is possible.
804
805 If set to 0 the user cannot authenticate offline if
806 offline_failed_login_attempts has been reached. Only a successful
807 online authentication can enable offline authentication again.
808
809 Default: 5
810
811 pam_verbosity (integer)
812 Controls what kind of messages are shown to the user during
813 authentication. The higher the number to more messages are
814 displayed.
815
816 Currently sssd supports the following values:
817
818 0: do not show any message
819
820 1: show only important messages
821
822 2: show informational messages
823
824 3: show all messages and debug information
825
826 Default: 1
827
828 pam_response_filter (string)
829 A comma separated list of strings which allows to remove (filter)
830 data sent by the PAM responder to pam_sss PAM module. There are
831 different kind of responses sent to pam_sss e.g. messages displayed
832 to the user or environment variables which should be set by
833 pam_sss.
834
835 While messages already can be controlled with the help of the
836 pam_verbosity option this option allows to filter out other kind of
837 responses as well.
838
839 Currently the following filters are supported:
840
841 ENV
842 Do not send any environment variables to any service.
843
844 ENV:var_name
845 Do not send environment variable var_name to any service.
846
847 ENV:var_name:service
848 Do not send environment variable var_name to service.
849
850 The list of strings can either be the list of filters which would
851 set this list of filters and overwrite the defaults. Or each
852 element of the list can be prefixed by a '+' or '-' character which
853 would add the filter to the existing default or remove it from the
854 defaults, respectively. Please note that either all list elements
855 must have a '+' or '-' prefix or none. It is considered as an error
856 to mix both styles.
857
858 Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
859
860 Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
861 default list
862
863 pam_id_timeout (integer)
864 For any PAM request while SSSD is online, the SSSD will attempt to
865 immediately update the cached identity information for the user in
866 order to ensure that authentication takes place with the latest
867 information.
868
869 A complete PAM conversation may perform multiple PAM requests, such
870 as account management and session opening. This option controls (on
871 a per-client-application basis) how long (in seconds) we can cache
872 the identity information to avoid excessive round-trips to the
873 identity provider.
874
875 Default: 5
876
877 pam_pwd_expiration_warning (integer)
878 Display a warning N days before the password expires.
879
880 Please note that the backend server has to provide information
881 about the expiration time of the password. If this information is
882 missing, sssd cannot display a warning.
883
884 If zero is set, then this filter is not applied, i.e. if the
885 expiration warning was received from backend server, it will
886 automatically be displayed.
887
888 This setting can be overridden by setting pwd_expiration_warning
889 for a particular domain.
890
891 Default: 0
892
893 get_domains_timeout (int)
894 Specifies time in seconds for which the list of subdomains will be
895 considered valid.
896
897 Default: 60
898
899 pam_trusted_users (string)
900 Specifies the comma-separated list of UID values or user names that
901 are allowed to run PAM conversations against trusted domains. Users
902 not included in this list can only access domains marked as public
903 with “pam_public_domains”. User names are resolved to UIDs at
904 startup.
905
906 Default: All users are considered trusted by default
907
908 Please note that UID 0 is always allowed to access the PAM
909 responder even in case it is not in the pam_trusted_users list.
910
911 pam_public_domains (string)
912 Specifies the comma-separated list of domain names that are
913 accessible even to untrusted users.
914
915 Two special values for pam_public_domains option are defined:
916
917 all (Untrusted users are allowed to access all domains in PAM
918 responder.)
919
920 none (Untrusted users are not allowed to access any domains PAM in
921 responder.)
922
923 Default: none
924
925 pam_account_expired_message (string)
926 Allows a custom expiration message to be set, replacing the default
927 'Permission denied' message.
928
929 Note: Please be aware that message is only printed for the SSH
930 service unless pam_verbosity is set to 3 (show all messages and
931 debug information).
932
933 example:
934
935 pam_account_expired_message = Account expired, please contact help desk.
936
937
938 Default: none
939
940 pam_account_locked_message (string)
941 Allows a custom lockout message to be set, replacing the default
942 'Permission denied' message.
943
944 example:
945
946 pam_account_locked_message = Account locked, please contact help desk.
947
948
949 Default: none
950
951 pam_cert_auth (bool)
952 Enable certificate based Smartcard authentication. Since this
953 requires additional communication with the Smartcard which will
954 delay the authentication process this option is disabled by
955 default.
956
957 Default: False
958
959 pam_cert_db_path (string)
960 The path to the certificate database.
961
962 Default:
963
964 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
965 CA certificates in PEM format)
966
967
968 pam_cert_verification (string)
969 With this parameter the PAM certificate verification can be tuned
970 with a comma separated list of options that override the
971 “certificate_verification” value in “[sssd]” section. Supported
972 options are the same of “certificate_verification”.
973
974 example:
975
976 pam_cert_verification = partial_chain
977
978
979 Default: not set, i.e. use default “certificate_verification”
980 option defined in “[sssd]” section.
981
982 p11_child_timeout (integer)
983 How many seconds will pam_sss wait for p11_child to finish.
984
985 Default: 10
986
987 pam_app_services (string)
988 Which PAM services are permitted to contact domains of type
989 “application”
990
991 Default: Not set
992
993 pam_p11_allowed_services (integer)
994 A comma-separated list of PAM service names for which it will be
995 allowed to use Smartcards.
996
997 It is possible to add another PAM service name to the default set
998 by using “+service_name” or to explicitly remove a PAM service name
999 from the default set by using “-service_name”. For example, in
1000 order to replace a default PAM service name for authentication with
1001 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
1002 “my_pam_service”), you would use the following configuration:
1003
1004 pam_p11_allowed_services = +my_pam_service, -login
1005
1006
1007 Default: the default set of PAM service names includes:
1008
1009 • login
1010
1011 • su
1012
1013 • su-l
1014
1015 • gdm-smartcard
1016
1017 • gdm-password
1018
1019 • kdm
1020
1021 • sudo
1022
1023 • sudo-i
1024
1025 • gnome-screensaver
1026
1027
1028 p11_wait_for_card_timeout (integer)
1029 If Smartcard authentication is required how many extra seconds in
1030 addition to p11_child_timeout should the PAM responder wait until a
1031 Smartcard is inserted.
1032
1033 Default: 60
1034
1035 p11_uri (string)
1036 PKCS#11 URI (see RFC-7512 for details) which can be used to
1037 restrict the selection of devices used for Smartcard
1038 authentication. By default SSSD's p11_child will search for a
1039 PKCS#11 slot (reader) where the 'removable' flags is set and read
1040 the certificates from the inserted token from the first slot found.
1041 If multiple readers are connected p11_uri can be used to tell
1042 p11_child to use a specific reader.
1043
1044 Example:
1045
1046 p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1047
1048
1049 or
1050
1051 p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1052
1053
1054 To find suitable URI please check the debug output of p11_child. As
1055 an alternative the GnuTLS utility 'p11tool' with e.g. the
1056 '--list-all' will show PKCS#11 URIs as well.
1057
1058 Default: none
1059
1060 pam_initgroups_scheme
1061 The PAM responder can force an online lookup to get the current
1062 group memberships of the user trying to log in. This option
1063 controls when this should be done and the following values are
1064 allowed:
1065
1066 always
1067 Always do an online lookup, please note that pam_id_timeout
1068 still applies
1069
1070 no_session
1071 Only do an online lookup if there is no active session of the
1072 user, i.e. if the user is currently not logged in
1073
1074 never
1075 Never force an online lookup, use the data from the cache as
1076 long as they are not expired
1077
1078 Default: no_session
1079
1080 pam_gssapi_services
1081 Comma separated list of PAM services that are allowed to try GSSAPI
1082 authentication using pam_sss_gss.so module.
1083
1084 To disable GSSAPI authentication, set this option to “-” (dash).
1085
1086 Note: This option can also be set per-domain which overwrites the
1087 value in [pam] section. It can also be set for trusted domain which
1088 overwrites the value in the domain section.
1089
1090 Example:
1091
1092 pam_gssapi_services = sudo, sudo-i
1093
1094
1095 Default: - (GSSAPI authentication is disabled)
1096
1097 pam_gssapi_check_upn
1098 If True, SSSD will require that the Kerberos user principal that
1099 successfully authenticated through GSSAPI can be associated with
1100 the user who is being authenticated. Authentication will fail if
1101 the check fails.
1102
1103 If False, every user that is able to obtained required service
1104 ticket will be authenticated.
1105
1106 Note: This option can also be set per-domain which overwrites the
1107 value in [pam] section. It can also be set for trusted domain which
1108 overwrites the value in the domain section.
1109
1110 Default: True
1111
1112 pam_gssapi_indicators_map
1113 Comma separated list of authentication indicators required to be
1114 present in a Kerberos ticket to access a PAM service that is
1115 allowed to try GSSAPI authentication using pam_sss_gss.so module.
1116
1117 Each element of the list can be either an authentication indicator
1118 name or a pair “service:indicator”. Indicators not prefixed with
1119 the PAM service name will be required to access any PAM service
1120 configured to be used with pam_gssapi_services. A resulting list of
1121 indicators per PAM service is then checked against indicators in
1122 the Kerberos ticket during authentication by pam_sss_gss.so. Any
1123 indicator from the ticket that matches the resulting list of
1124 indicators for the PAM service would grant access. If none of the
1125 indicators in the list match, access will be denied. If the
1126 resulting list of indicators for the PAM service is empty, the
1127 check will not prevent the access.
1128
1129 To disable GSSAPI authentication indicator check, set this option
1130 to “-” (dash). To disable the check for a specific PAM service, add
1131 “service:-”.
1132
1133 Note: This option can also be set per-domain which overwrites the
1134 value in [pam] section. It can also be set for trusted domain which
1135 overwrites the value in the domain section.
1136
1137 Following authentication indicators are supported by IPA Kerberos
1138 deployments:
1139
1140 • pkinit -- pre-authentication using X.509 certificates --
1141 whether stored in files or on smart cards.
1142
1143 • hardened -- SPAKE pre-authentication or any pre-authentication
1144 wrapped in a FAST channel.
1145
1146 • radius -- pre-authentication with the help of a RADIUS server.
1147
1148 • otp -- pre-authentication using integrated two-factor
1149 authentication (2FA or one-time password, OTP) in IPA.
1150
1151 Example: to require access to SUDO services only for users which
1152 obtained their Kerberos tickets with a X.509 certificate
1153 pre-authentication (PKINIT), set
1154
1155 pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1156
1157
1158 Default: not set (use of authentication indicators is not required)
1159
1160 SUDO configuration options
1161 These options can be used to configure the sudo service. The detailed
1162 instructions for configuration of sudo(8) to work with sssd(8) are in
1163 the manual page sssd-sudo(5).
1164
1165 sudo_timed (bool)
1166 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1167 attributes that implement time-dependent sudoers entries.
1168
1169 Default: false
1170
1171 sudo_threshold (integer)
1172 Maximum number of expired rules that can be refreshed at once. If
1173 number of expired rules is below threshold, those rules are
1174 refreshed with “rules refresh” mechanism. If the threshold is
1175 exceeded a “full refresh” of sudo rules is triggered instead. This
1176 threshold number also applies to IPA sudo command and command group
1177 searches.
1178
1179 Default: 50
1180
1181 AUTOFS configuration options
1182 These options can be used to configure the autofs service.
1183
1184 autofs_negative_timeout (integer)
1185 Specifies for how many seconds should the autofs responder negative
1186 cache hits (that is, queries for invalid map entries, like
1187 nonexistent ones) before asking the back end again.
1188
1189 Default: 15
1190
1191 Please note that the automounter only reads the master map on startup,
1192 so if any autofs-related changes are made to the sssd.conf, you
1193 typically also need to restart the automounter daemon after restarting
1194 the SSSD.
1195
1196 SSH configuration options
1197 These options can be used to configure the SSH service.
1198
1199 ssh_hash_known_hosts (bool)
1200 Whether or not to hash host names and addresses in the managed
1201 known_hosts file.
1202
1203 Default: false
1204
1205 ssh_known_hosts_timeout (integer)
1206 How many seconds to keep a host in the managed known_hosts file
1207 after its host keys were requested.
1208
1209 Default: 180
1210
1211 ssh_use_certificate_keys (bool)
1212 If set to true the sss_ssh_authorizedkeys will return ssh keys
1213 derived from the public key of X.509 certificates stored in the
1214 user entry as well. See sss_ssh_authorizedkeys(1) for details.
1215
1216 Default: true
1217
1218 ssh_use_certificate_matching_rules (string)
1219 By default the ssh responder will use all available certificate
1220 matching rules to filter the certificates so that ssh keys are only
1221 derived from the matching ones. With this option the used rules can
1222 be restricted with a comma separated list of mapping and matching
1223 rule names. All other rules will be ignored.
1224
1225 There are two special key words 'all_rules' and 'no_rules' which
1226 will enable all or no rules, respectively. The latter means that no
1227 certificates will be filtered out and ssh keys will be generated
1228 from all valid certificates.
1229
1230 If no rules are configured using 'all_rules' will enable a default
1231 rule which enables all certificates suitable for client
1232 authentication. This is the same behavior as for the PAM responder
1233 if certificate authentication is enabled.
1234
1235 A non-existing rule name is considered an error. If as a result no
1236 rule is selected all certificates will be ignored.
1237
1238 Default: not set, equivalent to 'all_rules', all found rules or the
1239 default rule are used
1240
1241 ca_db (string)
1242 Path to a storage of trusted CA certificates. The option is used to
1243 validate user certificates before deriving public ssh keys from
1244 them.
1245
1246 Default:
1247
1248 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1249 CA certificates in PEM format)
1250
1251
1252 PAC responder configuration options
1253 The PAC responder works together with the authorization data plugin for
1254 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1255 sends the PAC data during a GSSAPI authentication to the PAC responder.
1256 The sub-domain provider collects domain SID and ID ranges of the domain
1257 the client is joined to and of remote trusted domains from the local
1258 domain controller. If the PAC is decoded and evaluated some of the
1259 following operations are done:
1260
1261 • If the remote user does not exist in the cache, it is created. The
1262 UID is determined with the help of the SID, trusted domains will
1263 have UPGs and the GID will have the same value as the UID. The home
1264 directory is set based on the subdomain_homedir parameter. The
1265 shell will be empty by default, i.e. the system defaults are used,
1266 but can be overwritten with the default_shell parameter.
1267
1268 • If there are SIDs of groups from domains sssd knows about, the user
1269 will be added to those groups.
1270
1271 These options can be used to configure the PAC responder.
1272
1273 allowed_uids (string)
1274 Specifies the comma-separated list of UID values or user names that
1275 are allowed to access the PAC responder. User names are resolved to
1276 UIDs at startup.
1277
1278 Default: 0 (only the root user is allowed to access the PAC
1279 responder)
1280
1281 Please note that although the UID 0 is used as the default it will
1282 be overwritten with this option. If you still want to allow the
1283 root user to access the PAC responder, which would be the typical
1284 case, you have to add 0 to the list of allowed UIDs as well.
1285
1286 pac_lifetime (integer)
1287 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1288 the PAC data can be used to determine the group memberships of a
1289 user.
1290
1291 Default: 300
1292
1293 Session recording configuration options
1294 Session recording works in conjunction with tlog-rec-session(8), a part
1295 of tlog package, to log what users see and type when they log in on a
1296 text terminal. See also sssd-session-recording(5).
1297
1298 These options can be used to configure session recording.
1299
1300 scope (string)
1301 One of the following strings specifying the scope of session
1302 recording:
1303
1304 "none"
1305 No users are recorded.
1306
1307 "some"
1308 Users/groups specified by users and groups options are
1309 recorded.
1310
1311 "all"
1312 All users are recorded.
1313
1314 Default: "none"
1315
1316 users (string)
1317 A comma-separated list of users which should have session recording
1318 enabled. Matches user names as returned by NSS. I.e. after the
1319 possible space replacement, case changes, etc.
1320
1321 Default: Empty. Matches no users.
1322
1323 groups (string)
1324 A comma-separated list of groups, members of which should have
1325 session recording enabled. Matches group names as returned by NSS.
1326 I.e. after the possible space replacement, case changes, etc.
1327
1328 NOTE: using this option (having it set to anything) has a
1329 considerable performance cost, because each uncached request for a
1330 user requires retrieving and matching the groups the user is member
1331 of.
1332
1333 Default: Empty. Matches no groups.
1334
1335 exclude_users (string)
1336 A comma-separated list of users to be excluded from recording, only
1337 applicable with 'scope=all'.
1338
1339 Default: Empty. No users excluded.
1340
1341 exclude_groups (string)
1342 A comma-separated list of groups, members of which should be
1343 excluded from recording. Only applicable with 'scope=all'.
1344
1345 NOTE: using this option (having it set to anything) has a
1346 considerable performance cost, because each uncached request for a
1347 user requires retrieving and matching the groups the user is member
1348 of.
1349
1350 Default: Empty. No groups excluded.
1351
1353 These configuration options can be present in a domain configuration
1354 section, that is, in a section called “[domain/NAME]”
1355
1356 enabled
1357 Explicitly enable or disable the domain. If “true”, the domain is
1358 always “enabled”. If “false”, the domain is always “disabled”. If
1359 this option is not set, the domain is enabled only if it is listed
1360 in the domains option in the “[sssd]” section.
1361
1362 domain_type (string)
1363 Specifies whether the domain is meant to be used by POSIX-aware
1364 clients such as the Name Service Switch or by applications that do
1365 not need POSIX data to be present or generated. Only objects from
1366 POSIX domains are available to the operating system interfaces and
1367 utilities.
1368
1369 Allowed values for this option are “posix” and “application”.
1370
1371 POSIX domains are reachable by all services. Application domains
1372 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1373 and the PAM responder.
1374
1375 NOTE: The application domains are currently well tested with
1376 “id_provider=ldap” only.
1377
1378 For an easy way to configure a non-POSIX domains, please see the
1379 “Application domains” section.
1380
1381 Default: posix
1382
1383 min_id,max_id (integer)
1384 UID and GID limits for the domain. If a domain contains an entry
1385 that is outside these limits, it is ignored.
1386
1387 For users, this affects the primary GID limit. The user will not be
1388 returned to NSS if either the UID or the primary GID is outside the
1389 range. For non-primary group memberships, those that are in range
1390 will be reported as expected.
1391
1392 These ID limits affect even saving entries to cache, not only
1393 returning them by name or ID.
1394
1395 Default: 1 for min_id, 0 (no limit) for max_id
1396
1397 enumerate (bool)
1398 Determines if a domain can be enumerated, that is, whether the
1399 domain can list all the users and group it contains. Note that it
1400 is not required to enable enumeration in order for secondary groups
1401 to be displayed. This parameter can have one of the following
1402 values:
1403
1404 TRUE = Users and groups are enumerated
1405
1406 FALSE = No enumerations for this domain
1407
1408 Default: FALSE
1409
1410 Enumerating a domain requires SSSD to download and store ALL user
1411 and group entries from the remote server.
1412
1413 Note: Enabling enumeration has a moderate performance impact on
1414 SSSD while enumeration is running. It may take up to several
1415 minutes after SSSD startup to fully complete enumerations. During
1416 this time, individual requests for information will go directly to
1417 LDAP, though it may be slow, due to the heavy enumeration
1418 processing. Saving a large number of entries to cache after the
1419 enumeration completes might also be CPU intensive as the
1420 memberships have to be recomputed. This can lead to the “sssd_be”
1421 process becoming unresponsive or even restarted by the internal
1422 watchdog.
1423
1424 While the first enumeration is running, requests for the complete
1425 user or group lists may return no results until it completes.
1426
1427 Further, enabling enumeration may increase the time necessary to
1428 detect network disconnection, as longer timeouts are required to
1429 ensure that enumeration lookups are completed successfully. For
1430 more information, refer to the man pages for the specific
1431 id_provider in use.
1432
1433 For the reasons cited above, enabling enumeration is not
1434 recommended, especially in large environments.
1435
1436 subdomain_enumerate (string)
1437 Whether any of autodetected trusted domains should be enumerated.
1438 The supported values are:
1439
1440 all
1441 All discovered trusted domains will be enumerated
1442
1443 none
1444 No discovered trusted domains will be enumerated
1445
1446 Optionally, a list of one or more domain names can enable
1447 enumeration just for these trusted domains.
1448
1449 Default: none
1450
1451 entry_cache_timeout (integer)
1452 How many seconds should nss_sss consider entries valid before
1453 asking the backend again
1454
1455 The cache expiration timestamps are stored as attributes of
1456 individual objects in the cache. Therefore, changing the cache
1457 timeout only has effect for newly added or expired entries. You
1458 should run the sss_cache(8) tool in order to force refresh of
1459 entries that have already been cached.
1460
1461 Default: 5400
1462
1463 entry_cache_user_timeout (integer)
1464 How many seconds should nss_sss consider user entries valid before
1465 asking the backend again
1466
1467 Default: entry_cache_timeout
1468
1469 entry_cache_group_timeout (integer)
1470 How many seconds should nss_sss consider group entries valid before
1471 asking the backend again
1472
1473 Default: entry_cache_timeout
1474
1475 entry_cache_netgroup_timeout (integer)
1476 How many seconds should nss_sss consider netgroup entries valid
1477 before asking the backend again
1478
1479 Default: entry_cache_timeout
1480
1481 entry_cache_service_timeout (integer)
1482 How many seconds should nss_sss consider service entries valid
1483 before asking the backend again
1484
1485 Default: entry_cache_timeout
1486
1487 entry_cache_resolver_timeout (integer)
1488 How many seconds should nss_sss consider hosts and networks entries
1489 valid before asking the backend again
1490
1491 Default: entry_cache_timeout
1492
1493 entry_cache_sudo_timeout (integer)
1494 How many seconds should sudo consider rules valid before asking the
1495 backend again
1496
1497 Default: entry_cache_timeout
1498
1499 entry_cache_autofs_timeout (integer)
1500 How many seconds should the autofs service consider automounter
1501 maps valid before asking the backend again
1502
1503 Default: entry_cache_timeout
1504
1505 entry_cache_ssh_host_timeout (integer)
1506 How many seconds to keep a host ssh key after refresh. IE how long
1507 to cache the host key for.
1508
1509 Default: entry_cache_timeout
1510
1511 entry_cache_computer_timeout (integer)
1512 How many seconds to keep the local computer entry before asking the
1513 backend again
1514
1515 Default: entry_cache_timeout
1516
1517 refresh_expired_interval (integer)
1518 Specifies how many seconds SSSD has to wait before triggering a
1519 background refresh task which will refresh all expired or nearly
1520 expired records.
1521
1522 The background refresh will process users, groups and netgroups in
1523 the cache. For users who have performed the initgroups (get group
1524 membership for user, typically ran at login) operation in the past,
1525 both the user entry and the group membership are updated.
1526
1527 This option is automatically inherited for all trusted domains.
1528
1529 You can consider setting this value to 3/4 * entry_cache_timeout.
1530
1531 Cache entry will be refreshed by background task when 2/3 of cache
1532 timeout has already passed. If there are existing cached entries,
1533 the background task will refer to their original cache timeout
1534 values instead of current configuration value. This may lead to a
1535 situation in which background refresh task appears to not be
1536 working. This is done by design to improve offline mode operation
1537 and reuse of existing valid cache entries. To make this change
1538 instant the user may want to manually invalidate existing cache.
1539
1540 Default: 0 (disabled)
1541
1542 cache_credentials (bool)
1543 Determines if user credentials are also cached in the local LDB
1544 cache
1545
1546 User credentials are stored in a SHA512 hash, not in plaintext
1547
1548 Default: FALSE
1549
1550 cache_credentials_minimal_first_factor_length (int)
1551 If 2-Factor-Authentication (2FA) is used and credentials should be
1552 saved this value determines the minimal length the first
1553 authentication factor (long term password) must have to be saved as
1554 SHA512 hash into the cache.
1555
1556 This should avoid that the short PINs of a PIN based 2FA scheme are
1557 saved in the cache which would make them easy targets for
1558 brute-force attacks.
1559
1560 Default: 8
1561
1562 account_cache_expiration (integer)
1563 Number of days entries are left in cache after last successful
1564 login before being removed during a cleanup of the cache. 0 means
1565 keep forever. The value of this parameter must be greater than or
1566 equal to offline_credentials_expiration.
1567
1568 Default: 0 (unlimited)
1569
1570 pwd_expiration_warning (integer)
1571 Display a warning N days before the password expires.
1572
1573 If zero is set, then this filter is not applied, i.e. if the
1574 expiration warning was received from backend server, it will
1575 automatically be displayed.
1576
1577 Please note that the backend server has to provide information
1578 about the expiration time of the password. If this information is
1579 missing, sssd cannot display a warning. Also an auth provider has
1580 to be configured for the backend.
1581
1582 Default: 7 (Kerberos), 0 (LDAP)
1583
1584 id_provider (string)
1585 The identification provider used for the domain. Supported ID
1586 providers are:
1587
1588 “proxy”: Support a legacy NSS provider.
1589
1590 “files”: FILES provider. See sssd-files(5) for more information on
1591 how to mirror local users and groups into SSSD.
1592
1593 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1594 configuring LDAP.
1595
1596 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1597 See sssd-ipa(5) for more information on configuring FreeIPA.
1598
1599 “ad”: Active Directory provider. See sssd-ad(5) for more
1600 information on configuring Active Directory.
1601
1602 use_fully_qualified_names (bool)
1603 Use the full name and domain (as formatted by the domain's
1604 full_name_format) as the user's login name reported to NSS.
1605
1606 If set to TRUE, all requests to this domain must use fully
1607 qualified names. For example, if used in LOCAL domain that contains
1608 a "test" user, getent passwd test wouldn't find the user while
1609 getent passwd test@LOCAL would.
1610
1611 NOTE: This option has no effect on netgroup lookups due to their
1612 tendency to include nested netgroups without qualified names. For
1613 netgroups, all domains will be searched when an unqualified name is
1614 requested.
1615
1616 Default: FALSE (TRUE for trusted domain/sub-domains or if
1617 default_domain_suffix is used)
1618
1619 ignore_group_members (bool)
1620 Do not return group members for group lookups.
1621
1622 If set to TRUE, the group membership attribute is not requested
1623 from the ldap server, and group members are not returned when
1624 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1625 As an effect, “getent group $groupname” would return the requested
1626 group as if it was empty.
1627
1628 Enabling this option can also make access provider checks for group
1629 membership significantly faster, especially for groups containing
1630 many members.
1631
1632 Default: FALSE
1633
1634 auth_provider (string)
1635 The authentication provider used for the domain. Supported auth
1636 providers are:
1637
1638 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1639 information on configuring LDAP.
1640
1641 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1642 information on configuring Kerberos.
1643
1644 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1645 See sssd-ipa(5) for more information on configuring FreeIPA.
1646
1647 “ad”: Active Directory provider. See sssd-ad(5) for more
1648 information on configuring Active Directory.
1649
1650 “proxy” for relaying authentication to some other PAM target.
1651
1652 “none” disables authentication explicitly.
1653
1654 Default: “id_provider” is used if it is set and can handle
1655 authentication requests.
1656
1657 access_provider (string)
1658 The access control provider used for the domain. There are two
1659 built-in access providers (in addition to any included in installed
1660 backends) Internal special providers are:
1661
1662 “permit” always allow access. It's the only permitted access
1663 provider for a local domain.
1664
1665 “deny” always deny access.
1666
1667 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1668 information on configuring LDAP.
1669
1670 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1671 See sssd-ipa(5) for more information on configuring FreeIPA.
1672
1673 “ad”: Active Directory provider. See sssd-ad(5) for more
1674 information on configuring Active Directory.
1675
1676 “simple” access control based on access or deny lists. See sssd-
1677 simple(5) for more information on configuring the simple access
1678 module.
1679
1680 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1681 information on configuring Kerberos.
1682
1683 “proxy” for relaying access control to another PAM module.
1684
1685 Default: “permit”
1686
1687 chpass_provider (string)
1688 The provider which should handle change password operations for the
1689 domain. Supported change password providers are:
1690
1691 “ldap” to change a password stored in a LDAP server. See sssd-
1692 ldap(5) for more information on configuring LDAP.
1693
1694 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1695 information on configuring Kerberos.
1696
1697 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1698 See sssd-ipa(5) for more information on configuring FreeIPA.
1699
1700 “ad”: Active Directory provider. See sssd-ad(5) for more
1701 information on configuring Active Directory.
1702
1703 “proxy” for relaying password changes to some other PAM target.
1704
1705 “none” disallows password changes explicitly.
1706
1707 Default: “auth_provider” is used if it is set and can handle change
1708 password requests.
1709
1710 sudo_provider (string)
1711 The SUDO provider used for the domain. Supported SUDO providers
1712 are:
1713
1714 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1715 information on configuring LDAP.
1716
1717 “ipa” the same as “ldap” but with IPA default settings.
1718
1719 “ad” the same as “ldap” but with AD default settings.
1720
1721 “none” disables SUDO explicitly.
1722
1723 Default: The value of “id_provider” is used if it is set.
1724
1725 The detailed instructions for configuration of sudo_provider are in
1726 the manual page sssd-sudo(5). There are many configuration options
1727 that can be used to adjust the behavior. Please refer to
1728 "ldap_sudo_*" in sssd-ldap(5).
1729
1730 NOTE: Sudo rules are periodically downloaded in the background
1731 unless the sudo provider is explicitly disabled. Set sudo_provider
1732 = None to disable all sudo-related activity in SSSD if you do not
1733 want to use sudo with SSSD at all.
1734
1735 selinux_provider (string)
1736 The provider which should handle loading of selinux settings. Note
1737 that this provider will be called right after access provider ends.
1738 Supported selinux providers are:
1739
1740 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1741 for more information on configuring IPA.
1742
1743 “none” disallows fetching selinux settings explicitly.
1744
1745 Default: “id_provider” is used if it is set and can handle selinux
1746 loading requests.
1747
1748 subdomains_provider (string)
1749 The provider which should handle fetching of subdomains. This value
1750 should be always the same as id_provider. Supported subdomain
1751 providers are:
1752
1753 “ipa” to load a list of subdomains from an IPA server. See sssd-
1754 ipa(5) for more information on configuring IPA.
1755
1756 “ad” to load a list of subdomains from an Active Directory server.
1757 See sssd-ad(5) for more information on configuring the AD provider.
1758
1759 “none” disallows fetching subdomains explicitly.
1760
1761 Default: The value of “id_provider” is used if it is set.
1762
1763 session_provider (string)
1764 The provider which configures and manages user session related
1765 tasks. The only user session task currently provided is the
1766 integration with Fleet Commander, which works only with IPA.
1767 Supported session providers are:
1768
1769 “ipa” to allow performing user session related tasks.
1770
1771 “none” does not perform any kind of user session related tasks.
1772
1773 Default: “id_provider” is used if it is set and can perform session
1774 related tasks.
1775
1776 NOTE: In order to have this feature working as expected SSSD must
1777 be running as "root" and not as the unprivileged user.
1778
1779 autofs_provider (string)
1780 The autofs provider used for the domain. Supported autofs providers
1781 are:
1782
1783 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1784 information on configuring LDAP.
1785
1786 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1787 more information on configuring IPA.
1788
1789 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1790 information on configuring the AD provider.
1791
1792 “none” disables autofs explicitly.
1793
1794 Default: The value of “id_provider” is used if it is set.
1795
1796 hostid_provider (string)
1797 The provider used for retrieving host identity information.
1798 Supported hostid providers are:
1799
1800 “ipa” to load host identity stored in an IPA server. See sssd-
1801 ipa(5) for more information on configuring IPA.
1802
1803 “none” disables hostid explicitly.
1804
1805 Default: The value of “id_provider” is used if it is set.
1806
1807 resolver_provider (string)
1808 The provider which should handle hosts and networks lookups.
1809 Supported resolver providers are:
1810
1811 “proxy” to forward lookups to another NSS library. See
1812 “proxy_resolver_lib_name”
1813
1814 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1815 for more information on configuring LDAP.
1816
1817 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1818 more information on configuring the AD provider.
1819
1820 “none” disallows fetching hosts and networks explicitly.
1821
1822 Default: The value of “id_provider” is used if it is set.
1823
1824 re_expression (string)
1825 Regular expression for this domain that describes how to parse the
1826 string containing user name and domain into these components. The
1827 "domain" can match either the SSSD configuration domain name, or,
1828 in the case of IPA trust subdomains and Active Directory domains,
1829 the flat (NetBIOS) name of the domain.
1830
1831 Default for the AD and IPA provider:
1832 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1833 which allows three different styles for user names:
1834
1835 • username
1836
1837 • username@domain.name
1838
1839 • domain\username
1840
1841 While the first two correspond to the general default the third one
1842 is introduced to allow easy integration of users from Windows
1843 domains.
1844
1845 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1846 "the name is everything up to the “@” sign, the domain everything
1847 after that"
1848
1849 NOTE: Some Active Directory groups, typically those used for MS
1850 Exchange contain an “@” sign in the name, which clashes with the
1851 default re_expression value for the AD and IPA providers. To
1852 support these groups, consider changing the re_expression value to:
1853 “((?P<name>.+)@(?P<domain>[^@]+$))”.
1854
1855 full_name_format (string)
1856 A printf(3)-compatible format that describes how to compose a fully
1857 qualified name from user name and domain name components.
1858
1859 The following expansions are supported:
1860
1861 %1$s
1862 user name
1863
1864 %2$s
1865 domain name as specified in the SSSD config file.
1866
1867 %3$s
1868 domain flat name. Mostly usable for Active Directory domains,
1869 both directly configured or discovered via IPA trusts.
1870
1871 Default: “%1$s@%2$s”.
1872
1873 lookup_family_order (string)
1874 Provides the ability to select preferred address family to use when
1875 performing DNS lookups.
1876
1877 Supported values:
1878
1879 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1880
1881 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1882
1883 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1884
1885 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1886
1887 Default: ipv4_first
1888
1889 dns_resolver_server_timeout (integer)
1890 Defines the amount of time (in milliseconds) SSSD would try to talk
1891 to DNS server before trying next DNS server.
1892
1893 Please see the section “FAILOVER” for more information about the
1894 service resolution.
1895
1896 Default: 1000
1897
1898 dns_resolver_op_timeout (integer)
1899 Defines the amount of time (in seconds) to wait to resolve single
1900 DNS query (e.g. resolution of a hostname or an SRV record) before
1901 try next hostname or DNS discovery.
1902
1903 Please see the section “FAILOVER” for more information about the
1904 service resolution.
1905
1906 Default: 3
1907
1908 dns_resolver_server_timeout (integer)
1909 Defines the amount of time (in milliseconds) SSSD would try to talk
1910 to DNS server before trying next DNS server.
1911
1912 Please see the section “FAILOVER” for more information about the
1913 service resolution.
1914
1915 Default: 1000
1916
1917 dns_resolver_op_timeout (integer)
1918 Defines the amount of time (in seconds) to wait to resolve single
1919 DNS query (e.g. resolution of a hostname or an SRV record) before
1920 try next hostname or DNS discovery.
1921
1922 Please see the section “FAILOVER” for more information about the
1923 service resolution.
1924
1925 Default: 3
1926
1927 dns_resolver_timeout (integer)
1928 Defines the amount of time (in seconds) to wait for a reply from
1929 the internal fail over service before assuming that the service is
1930 unreachable. If this timeout is reached, the domain will continue
1931 to operate in offline mode.
1932
1933 Please see the section “FAILOVER” for more information about the
1934 service resolution.
1935
1936 Default: 6
1937
1938 dns_discovery_domain (string)
1939 If service discovery is used in the back end, specifies the domain
1940 part of the service discovery DNS query.
1941
1942 Default: Use the domain part of machine's hostname
1943
1944 override_gid (integer)
1945 Override the primary GID value with the one specified.
1946
1947 case_sensitive (string)
1948 Treat user and group names as case sensitive. Possible option
1949 values are:
1950
1951 True
1952 Case sensitive. This value is invalid for AD provider.
1953
1954 False
1955 Case insensitive.
1956
1957 Preserving
1958 Same as False (case insensitive), but does not lowercase names
1959 in the result of NSS operations. Note that name aliases (and in
1960 case of services also protocol names) are still lowercased in
1961 the output.
1962
1963 If you want to set this value for trusted domain with IPA
1964 provider, you need to set it on both the client and SSSD on the
1965 server.
1966
1967 This option can be also set per subdomain or inherited via
1968 subdomain_inherit.
1969
1970 Default: True (False for AD provider)
1971
1972 subdomain_inherit (string)
1973 Specifies a list of configuration parameters that should be
1974 inherited by a subdomain. Please note that only selected parameters
1975 can be inherited. Currently the following options can be inherited:
1976
1977 ignore_group_members
1978
1979 ldap_purge_cache_timeout
1980
1981 ldap_use_tokengroups
1982
1983 ldap_user_principal
1984
1985 ldap_krb5_keytab (the value of krb5_keytab will be used if
1986 ldap_krb5_keytab is not set explicitly)
1987
1988 auto_private_groups
1989
1990 case_sensitive
1991
1992 Example:
1993
1994 subdomain_inherit = ldap_purge_cache_timeout
1995
1996
1997 Default: none
1998
1999 Note: This option only works with the IPA and AD provider.
2000
2001 subdomain_homedir (string)
2002 Use this homedir as default value for all subdomains within this
2003 domain in IPA AD trust. See override_homedir for info about
2004 possible values. In addition to those, the expansion below can only
2005 be used with subdomain_homedir.
2006
2007 %F
2008 flat (NetBIOS) name of a subdomain.
2009
2010 The value can be overridden by override_homedir option.
2011
2012 Default: /home/%d/%u
2013
2014 realmd_tags (string)
2015 Various tags stored by the realmd configuration service for this
2016 domain.
2017
2018 cached_auth_timeout (int)
2019 Specifies time in seconds since last successful online
2020 authentication for which user will be authenticated using cached
2021 credentials while SSSD is in the online mode. If the credentials
2022 are incorrect, SSSD falls back to online authentication.
2023
2024 This option's value is inherited by all trusted domains. At the
2025 moment it is not possible to set a different value per trusted
2026 domain.
2027
2028 Special value 0 implies that this feature is disabled.
2029
2030 Please note that if “cached_auth_timeout” is longer than
2031 “pam_id_timeout” then the back end could be called to handle
2032 “initgroups.”
2033
2034 Default: 0
2035
2036 auto_private_groups (string)
2037 This option takes any of three available values:
2038
2039 true
2040 Create user's private group unconditionally from user's UID
2041 number. The GID number is ignored in this case.
2042
2043 NOTE: Because the GID number and the user private group are
2044 inferred from the UID number, it is not supported to have
2045 multiple entries with the same UID or GID number with this
2046 option. In other words, enabling this option enforces
2047 uniqueness across the ID space.
2048
2049 false
2050 Always use the user's primary GID number. The GID number must
2051 refer to a group object in the LDAP database.
2052
2053 hybrid
2054 A primary group is autogenerated for user entries whose UID and
2055 GID numbers have the same value and at the same time the GID
2056 number does not correspond to a real group object in LDAP. If
2057 the values are the same, but the primary GID in the user entry
2058 is also used by a group object, the primary GID of the user
2059 resolves to that group object.
2060
2061 If the UID and GID of a user are different, then the GID must
2062 correspond to a group entry, otherwise the GID is simply not
2063 resolvable.
2064
2065 This feature is useful for environments that wish to stop
2066 maintaining a separate group objects for the user private
2067 groups, but also wish to retain the existing user private
2068 groups.
2069
2070 For subdomains, the default value is False for subdomains that use
2071 assigned POSIX IDs and True for subdomains that use automatic
2072 ID-mapping.
2073
2074 The value of auto_private_groups can either be set per subdomains
2075 in a subsection, for example:
2076
2077 [domain/forest.domain/sub.domain]
2078 auto_private_groups = false
2079
2080 or globally for all subdomains in the main domain section using the
2081 subdomain_inherit option:
2082
2083 [domain/forest.domain]
2084 subdomain_inherit = auto_private_groups
2085 auto_private_groups = false
2086
2087
2088 Options valid for proxy domains.
2089
2090 proxy_pam_target (string)
2091 The proxy target PAM proxies to.
2092
2093 Default: not set by default, you have to take an existing pam
2094 configuration or create a new one and add the service name here.
2095
2096 proxy_lib_name (string)
2097 The name of the NSS library to use in proxy domains. The NSS
2098 functions searched for in the library are in the form of
2099 _nss_$(libName)_$(function), for example _nss_files_getpwent.
2100
2101 proxy_resolver_lib_name (string)
2102 The name of the NSS library to use for hosts and networks lookups
2103 in proxy domains. The NSS functions searched for in the library are
2104 in the form of _nss_$(libName)_$(function), for example
2105 _nss_dns_gethostbyname2_r.
2106
2107 proxy_fast_alias (boolean)
2108 When a user or group is looked up by name in the proxy provider, a
2109 second lookup by ID is performed to "canonicalize" the name in case
2110 the requested name was an alias. Setting this option to true would
2111 cause the SSSD to perform the ID lookup from cache for performance
2112 reasons.
2113
2114 Default: false
2115
2116 proxy_max_children (integer)
2117 This option specifies the number of pre-forked proxy children. It
2118 is useful for high-load SSSD environments where sssd may run out of
2119 available child slots, which would cause some issues due to the
2120 requests being queued.
2121
2122 Default: 10
2123
2124 Application domains
2125 SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
2126 applications as a gateway to an LDAP directory where users and groups
2127 are stored. However, contrary to the traditional SSSD deployment where
2128 all users and groups either have POSIX attributes or those attributes
2129 can be inferred from the Windows SIDs, in many cases the users and
2130 groups in the application support scenario have no POSIX attributes.
2131 Instead of setting a “[domain/NAME]” section, the administrator can set
2132 up an “[application/NAME]” section that internally represents a domain
2133 with type “application” optionally inherits settings from a tradition
2134 SSSD domain.
2135
2136 Please note that the application domain must still be explicitly
2137 enabled in the “domains” parameter so that the lookup order between the
2138 application domain and its POSIX sibling domain is set correctly.
2139
2140 Application domain parameters
2141
2142 inherit_from (string)
2143 The SSSD POSIX-type domain the application domain inherits all
2144 settings from. The application domain can moreover add its own
2145 settings to the application settings that augment or override the
2146 “sibling” domain settings.
2147
2148 Default: Not set
2149
2150 The following example illustrates the use of an application domain. In
2151 this setup, the POSIX domain is connected to an LDAP server and is used
2152 by the OS through the NSS responder. In addition, the application
2153 domain also requests the telephoneNumber attribute, stores it as the
2154 phone attribute in the cache and makes the phone attribute reachable
2155 through the D-Bus interface.
2156
2157 [sssd]
2158 domains = appdom, posixdom
2159
2160 [ifp]
2161 user_attributes = +phone
2162
2163 [domain/posixdom]
2164 id_provider = ldap
2165 ldap_uri = ldap://ldap.example.com
2166 ldap_search_base = dc=example,dc=com
2167
2168 [application/appdom]
2169 inherit_from = posixdom
2170 ldap_user_extra_attrs = phone:telephoneNumber
2171
2173 Some options used in the domain section can also be used in the trusted
2174 domain section, that is, in a section called
2175 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”. Where DOMAIN_NAME is the
2176 actual joined-to base domain. Please refer to examples below for
2177 explanation. Currently supported options in the trusted domain section
2178 are:
2179
2180 ldap_search_base,
2181
2182 ldap_user_search_base,
2183
2184 ldap_group_search_base,
2185
2186 ldap_netgroup_search_base,
2187
2188 ldap_service_search_base,
2189
2190 ldap_sasl_mech,
2191
2192 ad_server,
2193
2194 ad_backup_server,
2195
2196 ad_site,
2197
2198 use_fully_qualified_names
2199
2200 pam_gssapi_services
2201
2202 pam_gssapi_check_upn
2203
2204 For more details about these options see their individual description
2205 in the manual page.
2206
2208 To allow authentication with Smartcards and certificates SSSD must be
2209 able to map certificates to users. This can be done by adding the full
2210 certificate to the LDAP object of the user or to a local override.
2211 While using the full certificate is required to use the Smartcard
2212 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2213 details) it might be cumbersome or not even possible to do this for the
2214 general case where local services use PAM for authentication.
2215
2216 To make the mapping more flexible mapping and matching rules were added
2217 to SSSD (see sss-certmap(5) for details).
2218
2219 A mapping and matching rule can be added to the SSSD configuration in a
2220 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2221 In this section the following options are allowed:
2222
2223 matchrule (string)
2224 Only certificates from the Smartcard which matches this rule will
2225 be processed, all others are ignored.
2226
2227 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2228 the Extended Key Usage “clientAuth”
2229
2230 maprule (string)
2231 Defines how the user is found for a given certificate.
2232
2233 Default:
2234
2235 • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2236 providers like “ldap”, “AD” or “ipa”.
2237
2238 • The RULE_NAME for the “files” provider which tries to find a
2239 user with the same name.
2240
2241
2242 domains (string)
2243 Comma separated list of domain names the rule should be applied. By
2244 default a rule is only valid in the domain configured in sssd.conf.
2245 If the provider supports subdomains this option can be used to add
2246 the rule to subdomains as well.
2247
2248 Default: the configured domain in sssd.conf
2249
2250 priority (integer)
2251 Unsigned integer value defining the priority of the rule. The
2252 higher the number the lower the priority. “0” stands for the
2253 highest priority while “4294967295” is the lowest.
2254
2255 Default: the lowest priority
2256
2257 To make the configuration simple and reduce the amount of configuration
2258 options the “files” provider has some special properties:
2259
2260 • if maprule is not set the RULE_NAME name is assumed to be the name
2261 of the matching user
2262
2263 • if a maprule is used both a single user name or a template like
2264 “{subject_rfc822_name.short_name}” must be in braces like e.g.
2265 “(username)” or “({subject_rfc822_name.short_name})”
2266
2267 • the “domains” option is ignored
2268
2269
2271 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
2272 SSSD's PAM module pam_sss will ask SSSD to figure out which
2273 authentication methods are available for the user trying to log in.
2274 Based on the results pam_sss will prompt the user for appropriate
2275 credentials.
2276
2277 With the growing number of authentication methods and the possibility
2278 that there are multiple ones for a single user the heuristic used by
2279 pam_sss to select the prompting might not be suitable for all use
2280 cases. The following options should provide a better flexibility here.
2281
2282 Each supported authentication method has its own configuration
2283 subsection under “[prompting/...]”. Currently there are:
2284
2285 [prompting/password]
2286 to configure password prompting, allowed options are:
2287
2288 password_prompt
2289 to change the string of the password prompt
2290
2291
2292 [prompting/2fa]
2293 to configure two-factor authentication prompting, allowed options
2294 are:
2295
2296 first_prompt
2297 to change the string of the prompt for the first factor
2298
2299 second_prompt
2300 to change the string of the prompt for the second factor
2301
2302 single_prompt
2303 boolean value, if True there will be only a single prompt using
2304 the value of first_prompt where it is expected that both
2305 factors are entered as a single string. Please note that both
2306 factors have to be entered here, even if the second factor is
2307 optional.
2308
2309 If the second factor is optional and it should be possible to log
2310 in either only with the password or with both factors two-step
2311 prompting has to be used.
2312
2313 It is possible to add a subsection for specific PAM services, e.g.
2314 “[prompting/password/sshd]” to individual change the prompting for this
2315 service.
2316
2318 1. The following example shows a typical SSSD config. It does not
2319 describe configuration of the domains themselves - refer to
2320 documentation on configuring domains for more details.
2321
2322 [sssd]
2323 domains = LDAP
2324 services = nss, pam
2325 config_file_version = 2
2326
2327 [nss]
2328 filter_groups = root
2329 filter_users = root
2330
2331 [pam]
2332
2333 [domain/LDAP]
2334 id_provider = ldap
2335 ldap_uri = ldap://ldap.example.com
2336 ldap_search_base = dc=example,dc=com
2337
2338 auth_provider = krb5
2339 krb5_server = kerberos.example.com
2340 krb5_realm = EXAMPLE.COM
2341 cache_credentials = true
2342
2343 min_id = 10000
2344 max_id = 20000
2345 enumerate = False
2346
2347 2. The following example shows configuration of IPA AD trust where the
2348 AD forest consists of two domains in a parent-child structure. Suppose
2349 IPA domain (ipa.com) has trust with AD domain(ad.com). ad.com has child
2350 domain (child.ad.com). To enable shortnames in the child domain the
2351 following configuration should be used.
2352
2353 [domain/ipa.com/child.ad.com]
2354 use_fully_qualified_names = false
2355
2356 3. The following example shows the configuration for two certificate
2357 mapping rules. The first is valid for the configured domain “my.domain”
2358 and additionally for the subdomains “your.domain” and uses the full
2359 certificate in the search filter. The second example is valid for the
2360 domain “files” where it is assumed the files provider is used for this
2361 domain and contains a matching rule for the local user “myname”.
2362
2363 [certmap/my.domain/rule_name]
2364 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2365 maprule = (userCertificate;binary={cert!bin})
2366 domains = my.domain, your.domain
2367 priority = 10
2368
2369 [certmap/files/myname]
2370 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
2371
2372
2374 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2375 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2376 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2377 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2378 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
2379 sssd-systemtap(5)
2380
2382 The SSSD upstream - https://github.com/SSSD/sssd/
2383
2384
2385
2386SSSD 11/08/2021 SSSD.CONF(5)