SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)




NAME

       sssd.conf - the configuration file for SSSD


FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3


       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.


CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

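The following is an added example (not part of the man page or of SSSD itself) that applies the inclusion and priority rules above to a constructed conf.d tree, works out which value wins for a key, and checks each file against the ownership and mode requirement. It assumes codepoint (C locale) ordering for the alphabetical sort.

```python
"""Check which conf.d snippets SSSD would include, in which priority, and
whether sssd.conf and each snippet meet the rules from this man page
(regular file, root:root, 0600). Added example, not SSSD's own code."""
import configparser
import os
import stat
import tempfile


def included_snippets(confdir):
    """Names of the conf.d files SSSD includes, in the order they are applied.

    Rule from the man page: ends in ".conf", does not begin with ".",
    alphabetical order, later files override earlier ones. The page says the
    order is locale-based; this example assumes plain codepoint (C locale) order.
    """
    names = [n for n in os.listdir(confdir)
             if n.endswith(".conf") and not n.startswith(".")]
    return sorted(names)


def file_owner(path):
    """(uid, gid) of a file, used by the checks below."""
    st = os.lstat(path)
    return st.st_uid, st.st_gid


def check_config_permissions(path, expected_uid=0, expected_gid=0):
    """Return a list of problems; an empty list means the file satisfies the
    man page's requirements (regular file, owned by root, mode 0600)."""
    problems = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlinks are not accepted)")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"group gid {st.st_gid}, expected {expected_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access, expected 0600")
    return problems


def effective_value(sssd_conf, confdir, section, key):
    """Value that wins after sssd.conf and then each snippet is applied in
    priority order: the last file that sets the key overrides the rest.
    interpolation=None keeps '%' values such as full_name_format intact."""
    files = [sssd_conf] + [os.path.join(confdir, n) for n in included_snippets(confdir)]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(files)
    return cp.get(section, key, fallback=None)


def build_demo_tree():
    """Create a constructed sssd.conf plus conf.d in a temp dir and return
    (sssd_conf_path, confdir). Sample content only; not from a real host."""
    root = tempfile.mkdtemp(prefix="sssd-demo-")
    confdir = os.path.join(root, "conf.d")
    os.mkdir(confdir)
    files = {
        "sssd.conf": ("[sssd]\ndebug_level = 2\nservices = nss, pam\n", 0o600),
        "conf.d/05_debug.conf": ("[sssd]\ndebug_level = 4\n", 0o600),
        "conf.d/10_debug.conf": ("[sssd]\ndebug_level = 6\n", 0o600),
        "conf.d/20_loose.conf": ("[nss]\nmemcache_timeout = 600\n", 0o644),  # too permissive
        "conf.d/.hidden.conf": ("[sssd]\ndebug_level = 9\n", 0o600),          # ignored: leading dot
        "conf.d/notes.txt": ("; not a snippet\n", 0o600),                    # ignored: wrong suffix
    }
    for rel, (text, mode) in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return os.path.join(root, "sssd.conf"), confdir
```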

GENERAL OPTIONS

       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging just for the sssd process itself, not for
           the responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)

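An added example (not from the man page or SSSD) that converts between the two debug_level representations using the bit values from the table above: decimal level N becomes the OR of levels 0..N, a bitmask is composed by adding chosen bits, and a mask is decoded back to level names. Treating only 0x-prefixed values as bitmasks is this example's parsing rule.

```python
"""Worked example for debug_level: convert a decimal level to the bitmask it
stands for, compose a bitmask from chosen levels, and decode a bitmask back
to level names. Added example, not SSSD's own code; the bit values are the
ones listed in the man page's level table."""

# (decimal level, bit, description) as listed in this man page
DEBUG_LEVELS = [
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing"),
    (10, 0x10000, "libldb tracing"),
]
BIT_OF = {lvl: bit for lvl, bit, _ in DEBUG_LEVELS}
NAME_OF = {bit: name for _, bit, name in DEBUG_LEVELS}


def decimal_to_mask(level):
    """Decimal form: level N enables N and every lower level."""
    if not 0 <= level <= 10:
        raise ValueError("decimal debug_level must be between 0 and 10")
    mask = 0
    for lvl, bit, _ in DEBUG_LEVELS:
        if lvl <= level:
            mask |= bit
    return mask


def mask_for_levels(*levels):
    """Bitmask form: pick individual levels and add (OR) their bits."""
    mask = 0
    for lvl in levels:
        mask |= BIT_OF[lvl]
    return mask


def parse_debug_level(value):
    """Parse the string as written in sssd.conf into a bitmask.
    This example treats a 0x-prefixed value as a bitmask and anything else
    as the decimal form."""
    text = value.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    return decimal_to_mask(int(text, 10))


def decode_mask(mask):
    """Decimal levels whose bits are set, in ascending order."""
    return [lvl for lvl, bit, _ in DEBUG_LEVELS if mask & bit]


def describe_mask(mask):
    """Human-readable names, plus a note for bits the table does not define."""
    names = [NAME_OF[bit] for _, bit, _ in DEBUG_LEVELS if mask & bit]
    known = 0
    for _, bit, _ in DEBUG_LEVELS:
        known |= bit
    if mask & ~known:
        names.append(f"unknown bits 0x{mask & ~known:x}")
    return names
```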
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           In case SSSD is run with debug_level less than 9, everything is
           logged to a ring buffer in memory and flushed to a log file on any
           error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger backtrace, otherwise up to 2).

           The feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10


SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts.  The services' list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           several domains at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           is recommended to contain only alphanumeric ASCII characters,
           dashes, dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user.  This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up during compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the default
           of use_fully_qualified_names to True. It is not allowed to use this
           option together with use_fully_qualified_names set to False. One
           exception from this rule are domains with “id_provider=files” that
           always try to match the behaviour of nss_files and therefore their
           output is not qualified even when the default_domain_suffix option
           is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_). User name "john doe"
           will be "john_doe". This feature was added to help compatibility
           with shell scripts that have difficulty handling spaces, due to the
           default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               •   sha1

               •   sha256

               •   sha384

               •   sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responder)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired, ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses, links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3) which, if a shortname is returned for a qualified input
           (while trying to reach a user which exists in multiple domains)
           might re-route the login attempt into the domain which uses
           shortnames, making this workaround not recommended at all in cases
           where usernames may overlap between domains.

           Default: Not set


SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses incremental behaviour to
           calculate the delay in between retries. So, the wait time for a
           given retry will be longer than the wait time for the previous
           ones. After each unsuccessful attempt to go online, the new
           interval is recalculated by the following:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the number of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set
           offline_timeout_max to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers in
           specified time intervals:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used in the
           above equation. The final random offset value will be a random
           number in the range:

           [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30

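An added example (not from the man page or SSSD's scheduler) that carries the new_delay formula shared by offline_timeout, offline_timeout_max and offline_timeout_random_offset through a sequence of failed reconnection attempts, including the max=0 and max-below-offline_timeout cases described above, and applies the page's sizing advice. It assumes the first wait is offline_timeout itself and that doubling applies to the base delay without the previous wait's random part.

```python
"""Worked example of the offline retry interval:
    new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offset]
Added example, not SSSD's own scheduler. Assumptions: the first wait is
offline_timeout itself, and the doubling applies to the base delay without
the random part of the previous wait."""
import random


def next_base_delay(old_base, offline_timeout_max):
    """Doubling step with the cap; offline_timeout_max = 0 disables incrementing."""
    if offline_timeout_max <= 0:
        return old_base
    return min(old_base * 2, offline_timeout_max)


def offline_retry_waits(attempts, offline_timeout=60, offline_timeout_max=3600,
                        offline_timeout_random_offset=30, rng=None):
    """Seconds waited before each of the next `attempts` reconnection attempts,
    starting with offline_timeout. rng is a random.Random; pass a seeded one
    for reproducible output."""
    rng = rng if rng is not None else random.Random()
    waits = []
    base = offline_timeout
    for _ in range(attempts):
        if offline_timeout_random_offset > 0:
            offset = rng.randint(0, offline_timeout_random_offset)
        else:
            offset = 0  # a value of 0 disables the random offset addition
        waits.append(base + offset)
        # recomputed after each unsuccessful attempt to go online
        base = next_base_delay(base, offline_timeout_max)
    return waits


def wait_bounds(attempts, offline_timeout=60, offline_timeout_max=3600,
                offline_timeout_random_offset=30):
    """(min, max) seconds for each wait, independent of the random draw."""
    lows = offline_retry_waits(attempts, offline_timeout, offline_timeout_max, 0)
    return [(lo, lo + offline_timeout_random_offset) for lo in lows]


def check_offline_timeouts(offline_timeout, offline_timeout_max):
    """Apply the man page's sizing advice; return a warning string or None."""
    if offline_timeout_max == 0:
        return None  # incrementing disabled on purpose
    if offline_timeout_max < offline_timeout:
        return "offline_timeout_max below offline_timeout overrides offline_timeout"
    if offline_timeout_max <= 2 * offline_timeout:
        return "offline_timeout_max saturates on the first retry"
    if offline_timeout_max < 4 * offline_timeout:
        return "offline_timeout_max should be at least 4 times offline_timeout"
    return None
```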
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of configure option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u


           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note, the home directory from a specific override for the
           user, either locally (see sss_override(8)) or centrally managed IPA
           id-overrides, has a higher precedence and will be used instead of
           the value given by override_homedir.

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u


           Default: not set (no substitution for unset home directories)

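An added example (not from the man page or SSSD) of a template expander for the sequences listed under override_homedir, which fallback_homedir shares, together with the precedence between the two options and homedir_substring for %H. UserEntry and resolve_homedir are names chosen for this example; rejecting unknown sequences and expanding %o to an empty string when the provider gave no value are its assumptions.

```python
"""Template expander for override_homedir / fallback_homedir using the %u,
%U, %d, %f, %l, %P, %o, %H and %% sequences from the man page, plus the
precedence between the two options. Added example, not SSSD's own expander."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserEntry:
    name: str               # login name (%u)
    uid: int                # %U
    domain: str             # SSSD domain name (%d)
    upn: str                # user principal name (%P)
    homedir: Optional[str]  # value the identity provider returned (%o), None if absent


def expand_homedir(template, user, homedir_substring="/home"):
    """Substitute the template sequences; %% yields a literal '%'."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        spec = template[i + 1]
        if spec == "%":
            out.append("%")
        elif spec == "u":
            out.append(user.name)
        elif spec == "U":
            out.append(str(user.uid))
        elif spec == "d":
            out.append(user.domain)
        elif spec == "f":
            out.append(f"{user.name}@{user.domain}")
        elif spec == "l":
            out.append(user.name[:1])
        elif spec == "P":
            out.append(user.upn)
        elif spec == "o":
            out.append(user.homedir or "")  # empty if the provider gave none (assumption)
        elif spec == "H":
            out.append(homedir_substring)
        else:
            raise ValueError(f"unknown sequence %{spec} in home directory template")
        i += 2
    return "".join(out)


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home"):
    """override_homedir applies to every user; fallback_homedir only when the
    provider returned no home directory; otherwise the provider value is used."""
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.homedir:
        return user.homedir
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None
```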
       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case that
           the user's shell is not in “/etc/shells” and maintaining a list of
           all allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           The “/etc/shells” is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

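An added example (not from the man page or SSSD) that puts the shell options above into one decision function: override_shell, default_shell, vetoed_shells, the numbered allowed_shells evaluation order with the * wildcard, shell_fallback, and a constructed /etc/shells. The position of the vetoed_shells check relative to the allowed_shells steps and the nologin path are this example's assumptions.

```python
"""Login-shell selection from override_shell, default_shell, vetoed_shells,
allowed_shells (with the * wildcard), shell_fallback and /etc/shells.
Added example, not SSSD's own code; the order in which vetoed_shells is
checked against the allowed_shells steps, and the nologin path, are
assumptions of this example."""

NOLOGIN_SHELL = "/sbin/nologin"  # build-time on real systems; placeholder here


def load_etc_shells(text):
    """Parse /etc/shells content: one path per line, '#' comments and blanks skipped."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def resolve_shell(provider_shell, etc_shells, override_shell=None, allowed_shells=(),
                  vetoed_shells=(), shell_fallback="/bin/sh", default_shell=None,
                  nologin_shell=NOLOGIN_SHELL):
    """Return the shell the NSS responder would hand to libc."""
    # override_shell supersedes any other shell option.
    if override_shell is not None:
        return override_shell
    # Provider returned no shell at all: default_shell, else NULL for libc.
    if provider_shell is None:
        return default_shell
    # An empty string is passed through unchanged.
    if provider_shell == "":
        return ""
    # Vetoed shells are replaced with shell_fallback.
    if provider_shell in vetoed_shells:
        return shell_fallback
    # allowed_shells not set: the user's shell is used as-is.
    if not allowed_shells:
        return provider_shell
    # allowed_shells evaluation order, as numbered in the man page:
    if provider_shell in etc_shells:            # 1. present in /etc/shells
        return provider_shell
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback                   # 2. allowed but not installed
    return nologin_shell                        # 3. neither allowed nor installed


# Constructed sample of an /etc/shells file (not taken from a real host).
ETC_SHELLS_SAMPLE = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
/usr/bin/zsh
"""
```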
       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (integer)
           Specifies time in seconds for which records in the in-memory cache
           will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_passwd (integer)
           Size (in megabytes) of the data table allocated inside fast
           in-memory cache for passwd requests. Setting the size to 0 will
           disable the passwd in-memory cache.

           Default: 8

           WARNING: Disabled or too small in-memory cache can have significant
           negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_group (integer)
           Size (in megabytes) of the data table allocated inside fast
           in-memory cache for group requests. Setting the size to 0 will
           disable the group in-memory cache.

           Default: 6

           WARNING: Disabled or too small in-memory cache can have significant
           negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_initgroups (integer)
           Size (in megabytes) of the data table allocated inside fast
           in-memory cache for initgroups requests. Setting the size to 0 will
           disable the initgroups in-memory cache.

           Default: 10

           WARNING: Disabled or too small in-memory cache can have significant
           negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
762           attributes than just the POSIX ones defined by the NSS interface.
763           The list of attributes is controlled by this option. It is handled
764           the same way as the “user_attributes” option of the InfoPipe
765           responder (see sssd-ifp(5) for details) but with no default values.
766
767           To make configuration easier, the NSS responder falls back to the
768           InfoPipe option if this option is not set for the NSS responder.
769
770           Default: not set, fallback to InfoPipe option
771
772       pwfield (string)
773           The value that NSS operations that return users or groups will
774           return for the “password” field.
775
776           Default: “*”
777
778           Note: This option can also be set per-domain which overwrites the
779           value in [nss] section.
780
781           Default: “not set” (remote domains), “x” (the files domain), “x”
782           (proxy domain with nss_files and sssd-shadowutils target)
783
784   PAM configuration options
785       These options can be used to configure the Pluggable Authentication
786       Module (PAM) service.
787
788       offline_credentials_expiration (integer)
789           If the authentication provider is offline, how long should we allow
790           cached logins (in days since the last successful online login).
791
792           Default: 0 (No limit)
793
794       offline_failed_login_attempts (integer)
795           If the authentication provider is offline, how many failed login
796           attempts are allowed.
797
798           Default: 0 (No limit)
799
800       offline_failed_login_delay (integer)
801           The time in minutes which has to pass after
802           offline_failed_login_attempts has been reached before a new login
803           attempt is possible.
804
805           If set to 0 the user cannot authenticate offline if
806           offline_failed_login_attempts has been reached. Only a successful
807           online authentication can enable offline authentication again.
808
809           Default: 5
810
811       pam_verbosity (integer)
812           Controls what kind of messages are shown to the user during
813           authentication. The higher the number, the more messages are
814           displayed.
815
816           Currently sssd supports the following values:
817
818           0: do not show any message
819
820           1: show only important messages
821
822           2: show informational messages
823
824           3: show all messages and debug information
825
826           Default: 1
827
828       pam_response_filter (string)
829           A comma separated list of strings which allows removing
830           (filtering) data sent by the PAM responder to the pam_sss PAM
831           module. There are different kinds of responses sent to pam_sss,
832           e.g. messages displayed to the user or environment variables
833           which should be set by pam_sss.
834
835           While messages can already be controlled with the help of the
836           pam_verbosity option, this option allows filtering out other kinds
837           of responses as well.
838
839           Currently the following filters are supported:
840
841           ENV
842               Do not send any environment variables to any service.
843
844           ENV:var_name
845               Do not send environment variable var_name to any service.
846
847           ENV:var_name:service
848               Do not send environment variable var_name to service.
849
850           The list of strings can either be a plain list of filters, which
851           replaces the default list, or each element of the list can be
852           prefixed by a '+' or '-' character, which adds the filter to the
853           existing defaults or removes it from the defaults,
854           respectively. Please note that either all list elements must
855           have a '+' or '-' prefix or none. It is considered an error to
856           mix both styles.
857
858           Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
859
860           Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
861           default list
862
863       pam_id_timeout (integer)
864           For any PAM request while SSSD is online, the SSSD will attempt to
865           immediately update the cached identity information for the user in
866           order to ensure that authentication takes place with the latest
867           information.
868
869           A complete PAM conversation may perform multiple PAM requests, such
870           as account management and session opening. This option controls (on
871           a per-client-application basis) how long (in seconds) we can cache
872           the identity information to avoid excessive round-trips to the
873           identity provider.
874
875           Default: 5
876
877       pam_pwd_expiration_warning (integer)
878           Display a warning N days before the password expires.
879
880           Please note that the backend server has to provide information
881           about the expiration time of the password. If this information is
882           missing, sssd cannot display a warning.
883
884           If zero is set, then this filter is not applied, i.e. if the
885           expiration warning was received from backend server, it will
886           automatically be displayed.
887
888           This setting can be overridden by setting pwd_expiration_warning
889           for a particular domain.
890
891           Default: 0
892
893       get_domains_timeout (int)
894           Specifies time in seconds for which the list of subdomains will be
895           considered valid.
896
897           Default: 60
898
899       pam_trusted_users (string)
900           Specifies the comma-separated list of UID values or user names that
901           are allowed to run PAM conversations against trusted domains. Users
902           not included in this list can only access domains marked as public
903           with “pam_public_domains”. User names are resolved to UIDs at
904           startup.
905
906           Default: All users are considered trusted by default
907
908           Please note that UID 0 is always allowed to access the PAM
909           responder even in case it is not in the pam_trusted_users list.
910
911       pam_public_domains (string)
912           Specifies the comma-separated list of domain names that are
913           accessible even to untrusted users.
914
915           Two special values for pam_public_domains option are defined:
916
917           all (Untrusted users are allowed to access all domains in PAM
918           responder.)
919
920           none (Untrusted users are not allowed to access any domains in the
921           PAM responder.)
922
923           Default: none
924
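       The access rule formed by pam_trusted_users and pam_public_domains
       (including the UID 0 exception noted above), as an added Python
       example that is not SSSD's own responder code. The passwd map used to
       resolve names to UIDs and the domain names are constructed for the
       example.

```python
"""Decide whether a PAM conversation may reach a given SSSD domain.

Added example modelling the pam_trusted_users / pam_public_domains rules
described in sssd.conf(5); it is not SSSD's own PAM responder code.
"""

# Constructed stand-in for the name-to-UID resolution SSSD does at startup.
PASSWD_DB = {"root": 0, "sshd": 74, "gdm": 42, "alice": 1000}


def parse_trusted_users(option_value, passwd_db=PASSWD_DB):
    """Return the set of trusted UIDs, or None when the option is not set
    (the documented default: every user is considered trusted)."""
    if option_value is None or not option_value.strip():
        return None
    uids = set()
    for item in (s.strip() for s in option_value.split(",") if s.strip()):
        if item.isdigit():
            uids.add(int(item))                 # numeric UID as given
        elif item in passwd_db:
            uids.add(passwd_db[item])           # user name resolved to UID
        # Assumption for this example: a name that cannot be resolved is
        # skipped instead of aborting startup.
    return uids


def parse_public_domains(option_value):
    """Return 'all', or the set of domain names untrusted users may reach."""
    if option_value is None or not option_value.strip():
        return set()                            # default: none
    value = option_value.strip()
    if value == "all":
        return "all"
    if value == "none":
        return set()
    return {d.strip() for d in value.split(",") if d.strip()}


def domain_accessible(uid, domain, trusted_uids, public_domains):
    """True if `uid` may run a PAM conversation against `domain`."""
    if uid == 0:
        return True                 # UID 0 always reaches the PAM responder
    if trusted_uids is None or uid in trusted_uids:
        return True                 # trusted users reach every domain
    if public_domains == "all":
        return True                 # untrusted users may reach all domains
    return domain in public_domains
```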
925       pam_account_expired_message (string)
926           Allows a custom expiration message to be set, replacing the default
927           'Permission denied' message.
928
929           Note: Please be aware that message is only printed for the SSH
930           service unless pam_verbosity is set to 3 (show all messages and
931           debug information).
932
933           example:
934
935               pam_account_expired_message = Account expired, please contact help desk.
936
937
938           Default: none
939
940       pam_account_locked_message (string)
941           Allows a custom lockout message to be set, replacing the default
942           'Permission denied' message.
943
944           example:
945
946               pam_account_locked_message = Account locked, please contact help desk.
947
948
949           Default: none
950
951       pam_cert_auth (bool)
952           Enable certificate based Smartcard authentication. Since this
953           requires additional communication with the Smartcard which will
954           delay the authentication process this option is disabled by
955           default.
956
957           Default: False
958
959       pam_cert_db_path (string)
960           The path to the certificate database.
961
962           Default:
963
964           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
965               CA certificates in PEM format)
966
967
968       pam_cert_verification (string)
969           With this parameter the PAM certificate verification can be tuned
970           with a comma separated list of options that override the
971           “certificate_verification” value in the “[sssd]” section. The
972           supported options are the same as for “certificate_verification”.
973
974           example:
975
976               pam_cert_verification = partial_chain
977
978
979           Default: not set, i.e. use default “certificate_verification”
980           option defined in “[sssd]” section.
981
982       p11_child_timeout (integer)
983           How many seconds will pam_sss wait for p11_child to finish.
984
985           Default: 10
986
987       pam_app_services (string)
988           Which PAM services are permitted to contact domains of type
989           “application”
990
991           Default: Not set
992
993       pam_p11_allowed_services (integer)
994           A comma-separated list of PAM service names for which it will be
995           allowed to use Smartcards.
996
997           It is possible to add another PAM service name to the default set
998           by using “+service_name” or to explicitly remove a PAM service name
999           from the default set by using “-service_name”. For example, in
1000           order to replace a default PAM service name for authentication with
1001           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
1002           “my_pam_service”), you would use the following configuration:
1003
1004               pam_p11_allowed_services = +my_pam_service, -login
1005
1006
1007           Default: the default set of PAM service names includes:
1008
1009           •   login
1010
1011           •   su
1012
1013           •   su-l
1014
1015           •   gdm-smartcard
1016
1017           •   gdm-password
1018
1019           •   kdm
1020
1021           •   sudo
1022
1023           •   sudo-i
1024
1025           •   gnome-screensaver
1026
1027
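       The '+'/'-' merge rule is shared by pam_response_filter and
       pam_p11_allowed_services. As an added Python example (not SSSD's own
       code), the following models that merge against the default lists
       quoted above and the matching of the three documented ENV filter
       shapes; it assumes an empty value leaves the defaults in place.

```python
"""Model the list-merging rules of pam_response_filter and
pam_p11_allowed_services from sssd.conf(5).

Added example, not SSSD's own code.  A plain list replaces the defaults;
a list in which every element carries a '+' or '-' prefix adds to or
removes from the defaults; mixing both styles is rejected.
"""

# Default lists as quoted in the manual page.
PAM_RESPONSE_FILTER_DEFAULT = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
PAM_P11_ALLOWED_SERVICES_DEFAULT = [
    "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm",
    "sudo", "sudo-i", "gnome-screensaver",
]


class ConfigError(ValueError):
    """A list that mixes '+'/'-' elements with plain ones."""


def merge_list_option(value, defaults):
    """Return the effective list for a comma-separated option value.

    An empty value yields the defaults (assumption made for this example;
    the manual only describes non-empty values).
    """
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not items:
        return list(defaults)
    prefixed = [item[0] in "+-" for item in items]
    if all(prefixed):
        result = list(defaults)
        for item in items:
            name = item[1:].strip()
            if item[0] == "+":
                if name not in result:
                    result.append(name)                 # add to the defaults
            else:
                result = [x for x in result if x != name]   # remove from them
        return result
    if any(prefixed):
        raise ConfigError("cannot mix '+'/'-' elements with plain ones: %r"
                          % value)
    return items                            # plain list replaces the defaults


def env_var_filtered(filters, var_name, service):
    """True if pam_response_filter stops var_name from reaching service.

    Implements the three documented filter shapes: ENV, ENV:var_name and
    ENV:var_name:service.
    """
    for entry in filters:
        parts = entry.split(":")
        if parts[0] != "ENV":
            continue                        # only ENV filters are documented
        if len(parts) == 1:
            return True                     # ENV: no variables to any service
        if parts[1] != var_name:
            continue
        if len(parts) == 2 or parts[2] == service:
            return True
    return False
```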
1028       p11_wait_for_card_timeout (integer)
1029           If Smartcard authentication is required how many extra seconds in
1030           addition to p11_child_timeout should the PAM responder wait until a
1031           Smartcard is inserted.
1032
1033           Default: 60
1034
1035       p11_uri (string)
1036           PKCS#11 URI (see RFC-7512 for details) which can be used to
1037           restrict the selection of devices used for Smartcard
1038           authentication. By default SSSD's p11_child will search for a
1039           PKCS#11 slot (reader) where the 'removable' flag is set and read
1040           the certificates from the inserted token from the first slot found.
1041           If multiple readers are connected p11_uri can be used to tell
1042           p11_child to use a specific reader.
1043
1044           Example:
1045
1046               p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1047
1048
1049           or
1050
1051               p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1052
1053
1054           To find a suitable URI please check the debug output of p11_child.
1055           As an alternative the GnuTLS utility 'p11tool' with e.g. the
1056           '--list-all' option will show PKCS#11 URIs as well.
1057
1058           Default: none
1059
1060       pam_initgroups_scheme
1061           The PAM responder can force an online lookup to get the current
1062           group memberships of the user trying to log in. This option
1063           controls when this should be done and the following values are
1064           allowed:
1065
1066           always
1067               Always do an online lookup, please note that pam_id_timeout
1068               still applies
1069
1070           no_session
1071               Only do an online lookup if there is no active session of the
1072               user, i.e. if the user is currently not logged in
1073
1074           never
1075               Never force an online lookup, use the data from the cache as
1076               long as they are not expired
1077
1078           Default: no_session
1079
1080       pam_gssapi_services
1081           Comma separated list of PAM services that are allowed to try GSSAPI
1082           authentication using pam_sss_gss.so module.
1083
1084           To disable GSSAPI authentication, set this option to “-” (dash).
1085
1086           Note: This option can also be set per-domain which overwrites the
1087           value in [pam] section. It can also be set for trusted domain which
1088           overwrites the value in the domain section.
1089
1090           Example:
1091
1092               pam_gssapi_services = sudo, sudo-i
1093
1094
1095           Default: - (GSSAPI authentication is disabled)
1096
1097       pam_gssapi_check_upn
1098           If True, SSSD will require that the Kerberos user principal that
1099           successfully authenticated through GSSAPI can be associated with
1100           the user who is being authenticated. Authentication will fail if
1101           the check fails.
1102
1103           If False, every user that is able to obtain the required service
1104           ticket will be authenticated.
1105
1106           Note: This option can also be set per-domain which overwrites the
1107           value in [pam] section. It can also be set for trusted domain which
1108           overwrites the value in the domain section.
1109
1110           Default: True
1111
1112       pam_gssapi_indicators_map
1113           Comma separated list of authentication indicators required to be
1114           present in a Kerberos ticket to access a PAM service that is
1115           allowed to try GSSAPI authentication using pam_sss_gss.so module.
1116
1117           Each element of the list can be either an authentication indicator
1118           name or a pair “service:indicator”. Indicators not prefixed with
1119           the PAM service name will be required to access any PAM service
1120           configured to be used with pam_gssapi_services. A resulting list of
1121           indicators per PAM service is then checked against indicators in
1122           the Kerberos ticket during authentication by pam_sss_gss.so. Any
1123           indicator from the ticket that matches the resulting list of
1124           indicators for the PAM service would grant access. If none of the
1125           indicators in the list match, access will be denied. If the
1126           resulting list of indicators for the PAM service is empty, the
1127           check will not prevent the access.
1128
1129           To disable GSSAPI authentication indicator check, set this option
1130           to “-” (dash). To disable the check for a specific PAM service, add
1131           “service:-”.
1132
1133           Note: This option can also be set per-domain which overwrites the
1134           value in [pam] section. It can also be set for trusted domain which
1135           overwrites the value in the domain section.
1136
1137           The following authentication indicators are supported by IPA Kerberos
1138           deployments:
1139
1140           •   pkinit -- pre-authentication using X.509 certificates --
1141               whether stored in files or on smart cards.
1142
1143           •   hardened -- SPAKE pre-authentication or any pre-authentication
1144               wrapped in a FAST channel.
1145
1146           •   radius -- pre-authentication with the help of a RADIUS server.
1147
1148           •   otp -- pre-authentication using integrated two-factor
1149               authentication (2FA or one-time password, OTP) in IPA.
1150
1151           Example: to require access to SUDO services only for users which
1152           obtained their Kerberos tickets with an X.509 certificate
1153           pre-authentication (PKINIT), set
1154
1155               pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1156
1157
1158           Default: not set (use of authentication indicators is not required)
1159
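       The resolution of pam_gssapi_indicators_map described above (global
       and “service:indicator” elements, the “-” and “service:-” disables,
       and the empty-list case), as an added Python example that is not the
       pam_sss_gss.so implementation. The ticket indicator sets passed in
       are constructed inputs.

```python
"""Evaluate pam_gssapi_indicators_map the way sssd.conf(5) describes it.

Added example, not SSSD's own code (pam_sss_gss.so).  The indicators a
ticket carries are supplied by the caller as a set of strings.
"""


def required_indicators(option_value, service):
    """Resolve the indicator list a ticket must satisfy for `service`.

    Returns None when the check is disabled ('-' globally or 'service:-'),
    otherwise the (possibly empty) set of acceptable indicators.
    """
    if option_value is None or not option_value.strip():
        return set()                    # default: not set, nothing required
    value = option_value.strip()
    if value == "-":
        return None                     # check disabled for every service
    required = set()
    for element in (e.strip() for e in value.split(",") if e.strip()):
        if ":" in element:
            svc, indicator = element.split(":", 1)
            if svc.strip() != service:
                continue                # rule belongs to another PAM service
            if indicator.strip() == "-":
                return None             # 'service:-' disables the check here
            required.add(indicator.strip())
        else:
            required.add(element)       # unprefixed: required by all services
    return required


def gssapi_indicator_check(option_value, service, ticket_indicators):
    """True if the ticket's indicators permit access to `service`."""
    required = required_indicators(option_value, service)
    if required is None or not required:
        return True         # disabled, or empty resulting list: no restriction
    # Any single matching indicator grants access; none matching denies it.
    return bool(required & set(ticket_indicators))
```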
1160   SUDO configuration options
1161       These options can be used to configure the sudo service. The detailed
1162       instructions for configuration of sudo(8) to work with sssd(8) are in
1163       the manual page sssd-sudo(5).
1164
1165       sudo_timed (bool)
1166           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1167           attributes that implement time-dependent sudoers entries.
1168
1169           Default: false
1170
1171       sudo_threshold (integer)
1172           Maximum number of expired rules that can be refreshed at once. If
1173           number of expired rules is below threshold, those rules are
1174           refreshed with “rules refresh” mechanism. If the threshold is
1175           exceeded a “full refresh” of sudo rules is triggered instead. This
1176           threshold number also applies to IPA sudo command and command group
1177           searches.
1178
1179           Default: 50
1180
1181   AUTOFS configuration options
1182       These options can be used to configure the autofs service.
1183
1184       autofs_negative_timeout (integer)
1185           Specifies for how many seconds the autofs responder should cache
1186           negative hits (that is, queries for invalid map entries, like
1187           nonexistent ones) before asking the back end again.
1188
1189           Default: 15
1190
1191       Please note that the automounter only reads the master map on startup,
1192       so if any autofs-related changes are made to the sssd.conf, you
1193       typically also need to restart the automounter daemon after restarting
1194       the SSSD.
1195
1196   SSH configuration options
1197       These options can be used to configure the SSH service.
1198
1199       ssh_hash_known_hosts (bool)
1200           Whether or not to hash host names and addresses in the managed
1201           known_hosts file.
1202
1203           Default: false
1204
1205       ssh_known_hosts_timeout (integer)
1206           How many seconds to keep a host in the managed known_hosts file
1207           after its host keys were requested.
1208
1209           Default: 180
1210
1211       ssh_use_certificate_keys (bool)
1212           If set to true the sss_ssh_authorizedkeys will return ssh keys
1213           derived from the public key of X.509 certificates stored in the
1214           user entry as well. See sss_ssh_authorizedkeys(1) for details.
1215
1216           Default: true
1217
1218       ssh_use_certificate_matching_rules (string)
1219           By default the ssh responder will use all available certificate
1220           matching rules to filter the certificates so that ssh keys are only
1221           derived from the matching ones. With this option the used rules can
1222           be restricted with a comma separated list of mapping and matching
1223           rule names. All other rules will be ignored.
1224
1225           There are two special key words 'all_rules' and 'no_rules' which
1226           will enable all or no rules, respectively. The latter means that no
1227           certificates will be filtered out and ssh keys will be generated
1228           from all valid certificates.
1229
1230           If no rules are configured, using 'all_rules' will enable a
1231           default rule which enables all certificates suitable for client
1232           authentication. This is the same behavior as for the PAM responder
1233           if certificate authentication is enabled.
1234
1235           A non-existing rule name is considered an error. If as a result no
1236           rule is selected all certificates will be ignored.
1237
1238           Default: not set, equivalent to 'all_rules', all found rules or the
1239           default rule are used
1240
1241       ca_db (string)
1242           Path to a storage of trusted CA certificates. The option is used to
1243           validate user certificates before deriving public ssh keys from
1244           them.
1245
1246           Default:
1247
1248           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1249               CA certificates in PEM format)
1250
1251
1252   PAC responder configuration options
1253       The PAC responder works together with the authorization data plugin for
1254       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1255       sends the PAC data during a GSSAPI authentication to the PAC responder.
1256       The sub-domain provider collects domain SID and ID ranges of the domain
1257       the client is joined to and of remote trusted domains from the local
1258       domain controller. If the PAC is decoded and evaluated some of the
1259       following operations are done:
1260
1261       •   If the remote user does not exist in the cache, it is created. The
1262           UID is determined with the help of the SID, trusted domains will
1263           have UPGs and the GID will have the same value as the UID. The home
1264           directory is set based on the subdomain_homedir parameter. The
1265           shell will be empty by default, i.e. the system defaults are used,
1266           but can be overwritten with the default_shell parameter.
1267
1268       •   If there are SIDs of groups from domains sssd knows about, the user
1269           will be added to those groups.
1270
1271       These options can be used to configure the PAC responder.
1272
1273       allowed_uids (string)
1274           Specifies the comma-separated list of UID values or user names that
1275           are allowed to access the PAC responder. User names are resolved to
1276           UIDs at startup.
1277
1278           Default: 0 (only the root user is allowed to access the PAC
1279           responder)
1280
1281           Please note that although the UID 0 is used as the default it will
1282           be overwritten with this option. If you still want to allow the
1283           root user to access the PAC responder, which would be the typical
1284           case, you have to add 0 to the list of allowed UIDs as well.
1285
1286       pac_lifetime (integer)
1287           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1288           the PAC data can be used to determine the group memberships of a
1289           user.
1290
1291           Default: 300
1292
1293   Session recording configuration options
1294       Session recording works in conjunction with tlog-rec-session(8), a part
1295       of tlog package, to log what users see and type when they log in on a
1296       text terminal. See also sssd-session-recording(5).
1297
1298       These options can be used to configure session recording.
1299
1300       scope (string)
1301           One of the following strings specifying the scope of session
1302           recording:
1303
1304           "none"
1305               No users are recorded.
1306
1307           "some"
1308               Users/groups specified by users and groups options are
1309               recorded.
1310
1311           "all"
1312               All users are recorded.
1313
1314           Default: "none"
1315
1316       users (string)
1317           A comma-separated list of users which should have session recording
1318           enabled. Matches user names as returned by NSS. I.e. after the
1319           possible space replacement, case changes, etc.
1320
1321           Default: Empty. Matches no users.
1322
1323       groups (string)
1324           A comma-separated list of groups, members of which should have
1325           session recording enabled. Matches group names as returned by NSS.
1326           I.e. after the possible space replacement, case changes, etc.
1327
1328           NOTE: using this option (having it set to anything) has a
1329           considerable performance cost, because each uncached request for a
1330           user requires retrieving and matching the groups the user is member
1331           of.
1332
1333           Default: Empty. Matches no groups.
1334
1335       exclude_users (string)
1336           A comma-separated list of users to be excluded from recording, only
1337           applicable with 'scope=all'.
1338
1339           Default: Empty. No users excluded.
1340
1341       exclude_groups (string)
1342           A comma-separated list of groups, members of which should be
1343           excluded from recording. Only applicable with 'scope=all'.
1344
1345           NOTE: using this option (having it set to anything) has a
1346           considerable performance cost, because each uncached request for a
1347           user requires retrieving and matching the groups the user is member
1348           of.
1349
1350           Default: Empty. No groups excluded.
1351

DOMAIN SECTIONS

1353       These configuration options can be present in a domain configuration
1354       section, that is, in a section called “[domain/NAME]”.
1355
1356       enabled
1357           Explicitly enable or disable the domain. If “true”, the domain is
1358           always “enabled”. If “false”, the domain is always “disabled”. If
1359           this option is not set, the domain is enabled only if it is listed
1360           in the domains option in the “[sssd]” section.
1361
1362       domain_type (string)
1363           Specifies whether the domain is meant to be used by POSIX-aware
1364           clients such as the Name Service Switch or by applications that do
1365           not need POSIX data to be present or generated. Only objects from
1366           POSIX domains are available to the operating system interfaces and
1367           utilities.
1368
1369           Allowed values for this option are “posix” and “application”.
1370
1371           POSIX domains are reachable by all services. Application domains
1372           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1373           and the PAM responder.
1374
1375           NOTE: The application domains are currently well tested with
1376           “id_provider=ldap” only.
1377
1378           For an easy way to configure a non-POSIX domain, please see the
1379           “Application domains” section.
1380
1381           Default: posix
1382
1383       min_id,max_id (integer)
1384           UID and GID limits for the domain. If a domain contains an entry
1385           that is outside these limits, it is ignored.
1386
1387           For users, this affects the primary GID limit. The user will not be
1388           returned to NSS if either the UID or the primary GID is outside the
1389           range. For non-primary group memberships, those that are in range
1390           will be reported as expected.
1391
1392           These ID limits affect even saving entries to cache, not only
1393           returning them by name or ID.
1394
1395           Default: 1 for min_id, 0 (no limit) for max_id
1396
1397       enumerate (bool)
1398           Determines if a domain can be enumerated, that is, whether the
1399           domain can list all the users and groups it contains. Note that it
1400           is not required to enable enumeration in order for secondary groups
1401           to be displayed. This parameter can have one of the following
1402           values:
1403
1404           TRUE = Users and groups are enumerated
1405
1406           FALSE = No enumerations for this domain
1407
1408           Default: FALSE
1409
1410           Enumerating a domain requires SSSD to download and store ALL user
1411           and group entries from the remote server.
1412
1413           Note: Enabling enumeration has a moderate performance impact on
1414           SSSD while enumeration is running. It may take up to several
1415           minutes after SSSD startup to fully complete enumerations. During
1416           this time, individual requests for information will go directly to
1417           LDAP, though it may be slow, due to the heavy enumeration
1418           processing. Saving a large number of entries to cache after the
1419           enumeration completes might also be CPU intensive as the
1420           memberships have to be recomputed. This can lead to the “sssd_be”
1421           process becoming unresponsive or even restarted by the internal
1422           watchdog.
1423
1424           While the first enumeration is running, requests for the complete
1425           user or group lists may return no results until it completes.
1426
1427           Further, enabling enumeration may increase the time necessary to
1428           detect network disconnection, as longer timeouts are required to
1429           ensure that enumeration lookups are completed successfully. For
1430           more information, refer to the man pages for the specific
1431           id_provider in use.
1432
1433           For the reasons cited above, enabling enumeration is not
1434           recommended, especially in large environments.
1435
1436       subdomain_enumerate (string)
1437           Whether any of the autodetected trusted domains should be enumerated.
1438           The supported values are:
1439
1440           all
1441               All discovered trusted domains will be enumerated
1442
1443           none
1444               No discovered trusted domains will be enumerated
1445
1446           Optionally, a list of one or more domain names can enable
1447           enumeration just for these trusted domains.
1448
1449           Default: none
1450
1451       entry_cache_timeout (integer)
1452           How many seconds should nss_sss consider entries valid before
1453           asking the backend again
1454
1455           The cache expiration timestamps are stored as attributes of
1456           individual objects in the cache. Therefore, changing the cache
1457           timeout only has effect for newly added or expired entries. You
1458           should run the sss_cache(8) tool in order to force refresh of
1459           entries that have already been cached.
1460
1461           Default: 5400
1462
1463       entry_cache_user_timeout (integer)
1464           How many seconds should nss_sss consider user entries valid before
1465           asking the backend again
1466
1467           Default: entry_cache_timeout
1468
1469       entry_cache_group_timeout (integer)
1470           How many seconds should nss_sss consider group entries valid before
1471           asking the backend again
1472
1473           Default: entry_cache_timeout
1474
1475       entry_cache_netgroup_timeout (integer)
1476           How many seconds should nss_sss consider netgroup entries valid
1477           before asking the backend again
1478
1479           Default: entry_cache_timeout
1480
1481       entry_cache_service_timeout (integer)
1482           How many seconds should nss_sss consider service entries valid
1483           before asking the backend again
1484
1485           Default: entry_cache_timeout
1486
1487       entry_cache_resolver_timeout (integer)
1488           How many seconds should nss_sss consider hosts and networks entries
1489           valid before asking the backend again
1490
1491           Default: entry_cache_timeout
1492
1493       entry_cache_sudo_timeout (integer)
1494           How many seconds should sudo consider rules valid before asking the
1495           backend again
1496
1497           Default: entry_cache_timeout
1498
1499       entry_cache_autofs_timeout (integer)
1500           How many seconds should the autofs service consider automounter
1501           maps valid before asking the backend again
1502
1503           Default: entry_cache_timeout
1504
1505       entry_cache_ssh_host_timeout (integer)
1506           How many seconds to keep a host SSH key after refresh, i.e. how
1507           long the host key is cached.
1508
1509           Default: entry_cache_timeout
1510
1511       entry_cache_computer_timeout (integer)
1512           How many seconds to keep the local computer entry before asking the
1513           backend again
1514
1515           Default: entry_cache_timeout
1516
1517       refresh_expired_interval (integer)
1518           Specifies how many seconds SSSD has to wait before triggering a
1519           background refresh task which will refresh all expired or nearly
1520           expired records.
1521
1522           The background refresh will process users, groups and netgroups in
1523           the cache. For users who have performed the initgroups (get group
1524           membership for user, typically run at login) operation in the past,
1525           both the user entry and the group membership are updated.
1526
1527           This option is automatically inherited for all trusted domains.
1528
1529           You can consider setting this value to 3/4 * entry_cache_timeout.
1530
1531           A cache entry is refreshed by the background task once 2/3 of its
1532           cache timeout has passed. Existing cached entries keep the
1533           expiration timestamps they were stored with, so the background
1534           task uses those rather than the current configuration value. This
1535           may make the background refresh task appear not to be working. It
1536           is by design, to improve offline operation and reuse existing
1537           valid cache entries. To apply the change immediately, invalidate
1538           the existing cache manually with sss_cache(8).
1539
1540           Default: 0 (disabled)
1541
1542       cache_credentials (bool)
1543           Determines if user credentials are also cached in the local LDB
1544           cache
1545
1546           User credentials are stored as a salted SHA512 hash, not in plaintext
1547
1548           Default: FALSE
1549
1550       cache_credentials_minimal_first_factor_length (integer)
1551           If 2-Factor-Authentication (2FA) is used and credentials should be
1552           saved, this value determines the minimal length the first
1553           authentication factor (long term password) must have to be saved as
1554           a SHA512 hash into the cache.
1555
1556           This prevents the short PINs of a PIN-based 2FA scheme from being
1557           saved in the cache, where they would be easy targets for
1558           brute-force attacks.
1559
1560           Default: 8
1561
1562       account_cache_expiration (integer)
1563           Number of days entries are left in cache after last successful
1564           login before being removed during a cleanup of the cache. 0 means
1565           keep forever. The value of this parameter must be greater than or
1566           equal to offline_credentials_expiration.
1567
1568           Default: 0 (unlimited)
1569
1570       pwd_expiration_warning (integer)
1571           Display a warning N days before the password expires.
1572
1573           If zero is set, then this filter is not applied, i.e. if an
1574           expiration warning was received from the backend server, it will
1575           automatically be displayed.
1576
1577           Please note that the backend server has to provide information
1578           about the expiration time of the password. If this information is
1579           missing, sssd cannot display a warning. Also an auth provider has
1580           to be configured for the backend.
1581
1582           Default: 7 (Kerberos), 0 (LDAP)
1583
1584       id_provider (string)
1585           The identification provider used for the domain. Supported ID
1586           providers are:
1587
1588           “proxy”: Support a legacy NSS provider.
1589
1590           “files”: FILES provider. See sssd-files(5) for more information on
1591           how to mirror local users and groups into SSSD.
1592
1593           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1594           configuring LDAP.
1595
1596           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1597           See sssd-ipa(5) for more information on configuring FreeIPA.
1598
1599           “ad”: Active Directory provider. See sssd-ad(5) for more
1600           information on configuring Active Directory.
1601
1602       use_fully_qualified_names (bool)
1603           Use the full name and domain (as formatted by the domain's
1604           full_name_format) as the user's login name reported to NSS.
1605
1606           If set to TRUE, all requests to this domain must use fully
1607           qualified names. For example, if used in LOCAL domain that contains
1608           a "test" user, getent passwd test wouldn't find the user while
1609           getent passwd test@LOCAL would.
1610
1611           NOTE: This option has no effect on netgroup lookups due to their
1612           tendency to include nested netgroups without qualified names. For
1613           netgroups, all domains will be searched when an unqualified name is
1614           requested.
1615
1616           Default: FALSE (TRUE for trusted domain/sub-domains or if
1617           default_domain_suffix is used)
1618
1619       ignore_group_members (bool)
1620           Do not return group members for group lookups.
1621
1622           If set to TRUE, the group membership attribute is not requested
1623           from the ldap server, and group members are not returned when
1624           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1625           As an effect, “getent group $groupname” would return the requested
1626           group as if it was empty.
1627
1628           Enabling this option can also make access provider checks for group
1629           membership significantly faster, especially for groups containing
1630           many members.
1631
1632           Default: FALSE
1633
1634       auth_provider (string)
1635           The authentication provider used for the domain. Supported auth
1636           providers are:
1637
1638           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1639           information on configuring LDAP.
1640
1641           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1642           information on configuring Kerberos.
1643
1644           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1645           See sssd-ipa(5) for more information on configuring FreeIPA.
1646
1647           “ad”: Active Directory provider. See sssd-ad(5) for more
1648           information on configuring Active Directory.
1649
1650           “proxy” for relaying authentication to some other PAM target.
1651
1652           “none” disables authentication explicitly.
1653
1654           Default: “id_provider” is used if it is set and can handle
1655           authentication requests.
1656
1657       access_provider (string)
1658           The access control provider used for the domain. There are two
1659           built-in access providers (in addition to any included in installed
1660           backends). The internal special providers are:
1661
1662           “permit” always allows access. It is the only permitted access
1663           provider for a local domain.
1664
1665           “deny” always denies access.
1666
1667           “ldap” for LDAP-based access control (e.g. via ldap_access_order).
1668           See sssd-ldap(5) for more information on configuring LDAP.
1669
1670           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1671           See sssd-ipa(5) for more information on configuring FreeIPA.
1672
1673           “ad”: Active Directory provider. See sssd-ad(5) for more
1674           information on configuring Active Directory.
1675
1676           “simple” access control based on allow or deny lists. See sssd-
1677           simple(5) for more information on configuring the simple access
1678           module.
1679
1680           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1681           information on configuring Kerberos.
1682
1683           “proxy” for relaying access control to another PAM module.
1684
1685           Default: “permit”
1686
1687       chpass_provider (string)
1688           The provider which should handle change password operations for the
1689           domain. Supported change password providers are:
1690
1691           “ldap” to change a password stored in a LDAP server. See sssd-
1692           ldap(5) for more information on configuring LDAP.
1693
1694           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1695           information on configuring Kerberos.
1696
1697           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1698           See sssd-ipa(5) for more information on configuring FreeIPA.
1699
1700           “ad”: Active Directory provider. See sssd-ad(5) for more
1701           information on configuring Active Directory.
1702
1703           “proxy” for relaying password changes to some other PAM target.
1704
1705           “none” disallows password changes explicitly.
1706
1707           Default: “auth_provider” is used if it is set and can handle change
1708           password requests.
1709
1710       sudo_provider (string)
1711           The SUDO provider used for the domain. Supported SUDO providers
1712           are:
1713
1714           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1715           information on configuring LDAP.
1716
1717           “ipa” the same as “ldap” but with IPA default settings.
1718
1719           “ad” the same as “ldap” but with AD default settings.
1720
1721           “none” disables SUDO explicitly.
1722
1723           Default: The value of “id_provider” is used if it is set.
1724
1725           The detailed instructions for configuration of sudo_provider are in
1726           the manual page sssd-sudo(5). There are many configuration options
1727           that can be used to adjust the behavior. Please refer to
1728           "ldap_sudo_*" in sssd-ldap(5).
1729
1730           NOTE: Sudo rules are periodically downloaded in the background
1731           unless the sudo provider is explicitly disabled. Set sudo_provider
1732           = none to disable all sudo-related activity in SSSD if you do not
1733           want to use sudo with SSSD at all.
1734
1735       selinux_provider (string)
1736           The provider which should handle loading of SELinux settings. Note
1737           that this provider is called right after the access provider
1738           finishes. Supported selinux providers are:
1739
1740           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1741           for more information on configuring IPA.
1742
1743           “none” disallows fetching selinux settings explicitly.
1744
1745           Default: “id_provider” is used if it is set and can handle selinux
1746           loading requests.
1747
1748       subdomains_provider (string)
1749           The provider which should handle fetching of subdomains. This value
1750           should always be the same as id_provider. Supported subdomain
1751           providers are:
1752
1753           “ipa” to load a list of subdomains from an IPA server. See sssd-
1754           ipa(5) for more information on configuring IPA.
1755
1756           “ad” to load a list of subdomains from an Active Directory server.
1757           See sssd-ad(5) for more information on configuring the AD provider.
1758
1759           “none” disallows fetching subdomains explicitly.
1760
1761           Default: The value of “id_provider” is used if it is set.
1762
1763       session_provider (string)
1764           The provider which configures and manages user session related
1765           tasks. The only user session task currently provided is the
1766           integration with Fleet Commander, which works only with IPA.
1767           Supported session providers are:
1768
1769           “ipa” to allow performing user session related tasks.
1770
1771           “none” does not perform any kind of user session related tasks.
1772
1773           Default: “id_provider” is used if it is set and can perform session
1774           related tasks.
1775
1776           NOTE: In order to have this feature working as expected SSSD must
1777           be running as "root" and not as the unprivileged user.
1778
1779       autofs_provider (string)
1780           The autofs provider used for the domain. Supported autofs providers
1781           are:
1782
1783           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1784           information on configuring LDAP.
1785
1786           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1787           more information on configuring IPA.
1788
1789           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1790           information on configuring the AD provider.
1791
1792           “none” disables autofs explicitly.
1793
1794           Default: The value of “id_provider” is used if it is set.
1795
1796       hostid_provider (string)
1797           The provider used for retrieving host identity information.
1798           Supported hostid providers are:
1799
1800           “ipa” to load host identity stored in an IPA server. See sssd-
1801           ipa(5) for more information on configuring IPA.
1802
1803           “none” disables hostid explicitly.
1804
1805           Default: The value of “id_provider” is used if it is set.
1806
1807       resolver_provider (string)
1808           The provider which should handle hosts and networks lookups.
1809           Supported resolver providers are:
1810
1811           “proxy” to forward lookups to another NSS library. See the
1812           “proxy_resolver_lib_name” option.
1813
1814           “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1815           for more information on configuring LDAP.
1816
1817           “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1818           more information on configuring the AD provider.
1819
1820           “none” disallows fetching hosts and networks explicitly.
1821
1822           Default: The value of “id_provider” is used if it is set.
1823
1824       re_expression (string)
1825           Regular expression for this domain that describes how to parse the
1826           string containing user name and domain into these components. The
1827           "domain" can match either the SSSD configuration domain name, or,
1828           in the case of IPA trust subdomains and Active Directory domains,
1829           the flat (NetBIOS) name of the domain.
1830
1831           Default for the AD and IPA provider:
1832           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
1833           which allows three different styles for user names:
1834
1835           •   username
1836
1837           •   username@domain.name
1838
1839           •   domain\username
1840
1841           While the first two correspond to the general default the third one
1842           is introduced to allow easy integration of users from Windows
1843           domains.
1844
1845           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1846           "the name is everything up to the “@” sign, the domain everything
1847           after that"
1848
1849           NOTE: Some Active Directory groups, typically those used for MS
1850           Exchange, contain an “@” sign in the name, which clashes with the
1851           default re_expression value for the AD and IPA providers. To
1852           support these groups, consider changing the re_expression value to:
1853           “((?P<name>.+)@(?P<domain>[^@]+$))”.
1854
1855       full_name_format (string)
1856           A printf(3)-compatible format that describes how to compose a fully
1857           qualified name from user name and domain name components.
1858
1859           The following expansions are supported:
1860
1861           %1$s
1862               user name
1863
1864           %2$s
1865               domain name as specified in the SSSD config file.
1866
1867           %3$s
1868               domain flat name. Mostly usable for Active Directory domains,
1869               both directly configured or discovered via IPA trusts.
1870
1871           Default: “%1$s@%2$s”.
1872
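The three name styles accepted by the AD/IPA default, the Exchange-group clash described in the NOTE above, the full_name_format expansions and the use_fully_qualified_names behaviour described earlier can be exercised with the following added example. It is not SSSD's code: SSSD matches re_expression with PCRE, which allows one group name to appear in several alternatives, whereas Python's re module does not, so the default pattern is split into its three alternatives and tried in order (which is what PCRE alternation does anyway). The printf-style %N$s positions of full_name_format are translated to str.format fields, and resolve() is a single-domain simplification of the responder's lookup, with its name and signature chosen here for illustration.

```python
import re

# Default re_expression of the AD and IPA providers, split into its three
# alternatives: Python's re rejects a group name that is defined twice.
AD_IPA_ALTERNATIVES = [
    r"^(?P<domain>[^\\]+)\\(?P<name>.+)$",   # domain\username
    r"^(?P<name>[^@]+)@(?P<domain>.+)$",     # username@domain.name
    r"^(?P<name>[^@\\]+)$",                  # bare username
]
# General default: the name is everything up to "@", the domain what follows.
GENERIC_DEFAULT = [r"^(?P<name>[^@]+)@?(?P<domain>[^@]*)$"]
# Alternative suggested for MS Exchange groups whose name contains "@":
# a greedy name keeps the "@", the domain is whatever follows the last one.
EXCHANGE_FRIENDLY = [r"^(?P<name>.+)@(?P<domain>[^@]+)$"]


def parse_name(fqname, alternatives):
    """Split fqname into (name, domain) with the first alternative that
    matches. domain is '' when the input carries no domain part; None is
    returned when nothing matches (the request would be rejected)."""
    for pattern in alternatives:
        m = re.match(pattern, fqname)
        if m:
            groups = m.groupdict()
            return groups["name"], groups.get("domain") or ""
    return None


def full_name(name, domain, flat="", fmt="%1$s@%2$s"):
    """Compose a fully qualified name from a printf-style full_name_format.
    Only the three documented expansions are supported: %1$s user name,
    %2$s configured domain name, %3$s domain flat (NetBIOS) name."""
    for printf_pos, fmt_field in (("%1$s", "{0}"), ("%2$s", "{1}"), ("%3$s", "{2}")):
        fmt = fmt.replace(printf_pos, fmt_field)
    return fmt.format(name, domain, flat)


def resolve(request, domain_name, require_fqn, alternatives=GENERIC_DEFAULT):
    """Model of the use_fully_qualified_names check for one domain: an
    unqualified request is refused when the domain requires qualified names,
    and a qualified request must name this domain (compared case-insensitively)."""
    parsed = parse_name(request, alternatives)
    if parsed is None:
        return None
    name, domain = parsed
    if domain == "":
        return None if require_fqn else name
    return name if domain.lower() == domain_name.lower() else None


if __name__ == "__main__":
    # Constructed inputs: the clash and its fix from the NOTE above.
    group = "Exchange@Group@ad.example.com"
    print(parse_name(group, AD_IPA_ALTERNATIVES))   # domain wrongly starts at the first "@"
    print(parse_name(group, EXCHANGE_FRIENDLY))     # name keeps its "@", domain is correct
    print(full_name("alice", "ad.example.com", flat="AD", fmt="%3$s\\%1$s"))
```

A practical consequence shown by the two parse_name() calls on the Exchange group: with the AD/IPA default the domain part becomes “Group@ad.example.com”, which matches no configured domain, so the lookup fails rather than returning a wrong object.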
1873       lookup_family_order (string)
1874           Provides the ability to select preferred address family to use when
1875           performing DNS lookups.
1876
1877           Supported values:
1878
1879           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1880
1881           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1882
1883           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1884
1885           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1886
1887           Default: ipv4_first
1888
1889       dns_resolver_server_timeout (integer)
1890           Defines the amount of time (in milliseconds) SSSD would try to talk
1891           to a DNS server before trying the next DNS server.
1892
1893           Please see the section “FAILOVER” for more information about the
1894           service resolution.
1895
1896           Default: 1000
1897
1898       dns_resolver_op_timeout (integer)
1899           Defines the amount of time (in seconds) to wait for a single DNS
1900           query (e.g. resolution of a hostname or an SRV record) to complete
1901           before trying the next hostname or DNS discovery.
1902
1903           Please see the section “FAILOVER” for more information about the
1904           service resolution.
1905
1906           Default: 3
1907
1927       dns_resolver_timeout (integer)
1928           Defines the amount of time (in seconds) to wait for a reply from
1929           the internal fail over service before assuming that the service is
1930           unreachable. If this timeout is reached, the domain will continue
1931           to operate in offline mode.
1932
1933           Please see the section “FAILOVER” for more information about the
1934           service resolution.
1935
1936           Default: 6
1937
1938       dns_discovery_domain (string)
1939           If service discovery is used in the back end, specifies the domain
1940           part of the service discovery DNS query.
1941
1942           Default: Use the domain part of the machine's hostname
1943
1944       override_gid (integer)
1945           Override the primary GID value with the one specified.
1946
1947       case_sensitive (string)
1948           Treat user and group names as case sensitive. Possible option
1949           values are:
1950
1951           True
1952               Case sensitive. This value is invalid for AD provider.
1953
1954           False
1955               Case insensitive.
1956
1957           Preserving
1958               Same as False (case insensitive), but does not lowercase names
1959               in the result of NSS operations. Note that name aliases (and in
1960               case of services also protocol names) are still lowercased in
1961               the output.
1962
1963               If you want to set this value for a trusted domain with the
1964               IPA provider, you need to set it on both the client and in
1965               SSSD on the server.
1966
1967           This option can be also set per subdomain or inherited via
1968           subdomain_inherit.
1969
1970           Default: True (False for AD provider)
1971
1972       subdomain_inherit (string)
1973           Specifies a list of configuration parameters that should be
1974           inherited by a subdomain. Please note that only selected parameters
1975           can be inherited. Currently the following options can be inherited:
1976
1977           ignore_group_members
1978
1979           ldap_purge_cache_timeout
1980
1981           ldap_use_tokengroups
1982
1983           ldap_user_principal
1984
1985           ldap_krb5_keytab (the value of krb5_keytab will be used if
1986           ldap_krb5_keytab is not set explicitly)
1987
1988           auto_private_groups
1989
1990           case_sensitive
1991
1992           Example:
1993
1994               subdomain_inherit = ldap_purge_cache_timeout
1995
1996
1997           Default: none
1998
1999           Note: This option only works with the IPA and AD provider.
2000
2001       subdomain_homedir (string)
2002           Use this homedir as the default value for all subdomains within
2003           this domain in an IPA-AD trust. See override_homedir for info
2004           about possible values. In addition to those, the expansion below
2005           can only be used with subdomain_homedir.
2006
2007           %F
2008               flat (NetBIOS) name of a subdomain.
2009
2010           The value can be overridden by override_homedir option.
2011
2012           Default: /home/%d/%u
2013
2014       realmd_tags (string)
2015           Various tags stored by the realmd configuration service for this
2016           domain.
2017
2018       cached_auth_timeout (integer)
2019           Specifies the time in seconds since the last successful online
2020           authentication during which the user is authenticated using cached
2021           credentials even while SSSD is online. If the credentials do not
2022           match the cache, SSSD falls back to online authentication.
2023
2024           This option's value is inherited by all trusted domains. At the
2025           moment it is not possible to set a different value per trusted
2026           domain.
2027
2028           Special value 0 implies that this feature is disabled.
2029
2030           Please note that if “cached_auth_timeout” is longer than
2031           “pam_id_timeout” then the back end could be called to handle
2032           “initgroups.”
2033
2034           Default: 0
2035
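The interplay of cache_credentials, cache_credentials_minimal_first_factor_length (both described earlier) and cached_auth_timeout is easiest to see in a small model. The following Python is an added example, not SSSD's code: the CredentialCache class, its method names and the online_auth callback are assumptions made here for illustration, and the salted SHA-512 computed with hashlib stands in for SSSD's own hashing routine. It shows that inside the cached_auth_timeout window a correct password never reaches the server while a wrong one still does (so the server's lockout policy still sees the failure), that the default of 0 disables the shortcut entirely, that offline logins need cache_credentials, and that a short first factor of a 2FA login is never written to the cache.

```python
import hashlib
import hmac
import os


class CredentialCache:
    """Model of the documented behaviour of cache_credentials,
    cache_credentials_minimal_first_factor_length and cached_auth_timeout.
    online_auth is a callable(user, first_factor, second_factor) -> bool that
    stands in for the domain's auth provider."""

    def __init__(self, online_auth, cache_credentials=False,
                 min_first_factor_len=8, cached_auth_timeout=0):
        self.online_auth = online_auth
        self.cache_credentials = cache_credentials
        self.min_first_factor_len = min_first_factor_len
        self.cached_auth_timeout = cached_auth_timeout
        self.entries = {}   # user -> {"salt", "digest", "last_online_auth"}

    @staticmethod
    def _digest(salt, first_factor):
        # Stand-in for SSSD's salted SHA512 hash of the cached credential.
        return hashlib.sha512(salt + first_factor.encode()).hexdigest()

    def _matches_cache(self, user, first_factor):
        entry = self.entries.get(user)
        if entry is None:
            return False
        return hmac.compare_digest(entry["digest"],
                                   self._digest(entry["salt"], first_factor))

    def _store(self, user, first_factor, now, second_factor):
        # With 2FA only the long-term first factor is cached, and only when it
        # is long enough that the cached hash is not a cheap brute-force target.
        if second_factor is not None and len(first_factor) < self.min_first_factor_len:
            return
        salt = os.urandom(16)
        self.entries[user] = {"salt": salt,
                              "digest": self._digest(salt, first_factor),
                              "last_online_auth": now}

    def authenticate(self, user, first_factor, now, online=True, second_factor=None):
        """Return (success, path); path names the component that answered."""
        entry = self.entries.get(user)
        if online:
            # Inside the cached_auth_timeout window a matching credential is
            # answered from the cache; a mismatch falls back to the server.
            in_window = (self.cached_auth_timeout > 0 and entry is not None
                         and now - entry["last_online_auth"] < self.cached_auth_timeout)
            if in_window and self._matches_cache(user, first_factor):
                return True, "cache"
            ok = self.online_auth(user, first_factor, second_factor)
            if ok and self.cache_credentials:
                self._store(user, first_factor, now, second_factor)
            return ok, "online"
        # Offline: only a previously cached credential can answer.
        if not self.cache_credentials or entry is None:
            return False, "offline-no-cache"
        return self._matches_cache(user, first_factor), "offline-cache"


if __name__ == "__main__":
    # Constructed directory with a single user, used as the online provider.
    directory = {"alice": "correct horse battery"}
    cache = CredentialCache(lambda u, p, s=None: directory.get(u) == p,
                            cache_credentials=True, cached_auth_timeout=600)
    print(cache.authenticate("alice", "correct horse battery", now=1000))   # online
    print(cache.authenticate("alice", "correct horse battery", now=1100))   # cache
    print(cache.authenticate("alice", "wrong", now=1100))                   # online
```

Note that only a successful online authentication moves last_online_auth forward; cache hits do not extend the window, which matches the "time since last successful online authentication" definition above.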
2036       auto_private_groups (string)
2037           This option takes any of three available values:
2038
2039           true
2040               Create user's private group unconditionally from user's UID
2041               number. The GID number is ignored in this case.
2042
2043               NOTE: Because the GID number and the user private group are
2044               inferred from the UID number, it is not supported to have
2045               multiple entries with the same UID or GID number with this
2046               option. In other words, enabling this option enforces
2047               uniqueness across the ID space.
2048
2049           false
2050               Always use the user's primary GID number. The GID number must
2051               refer to a group object in the LDAP database.
2052
2053           hybrid
2054               A primary group is autogenerated for user entries whose UID and
2055               GID numbers have the same value and at the same time the GID
2056               number does not correspond to a real group object in LDAP. If
2057               the values are the same, but the primary GID in the user entry
2058               is also used by a group object, the primary GID of the user
2059               resolves to that group object.
2060
2061               If the UID and GID of a user are different, then the GID must
2062               correspond to a group entry, otherwise the GID is simply not
2063               resolvable.
2064
2065               This feature is useful for environments that wish to stop
2066               maintaining separate group objects for the user private
2067               groups, but also wish to retain the existing user private
2068               groups.
2069
2070           For subdomains, the default value is False for subdomains that use
2071           assigned POSIX IDs and True for subdomains that use automatic
2072           ID-mapping.
2073
2074           The value of auto_private_groups can either be set per subdomain
2075           in a subsection, for example:
2076
2077               [domain/forest.domain/sub.domain]
2078               auto_private_groups = false
2079
2080           or globally for all subdomains in the main domain section using the
2081           subdomain_inherit option:
2082
2083               [domain/forest.domain]
2084               subdomain_inherit = auto_private_groups
2085               auto_private_groups = false
2086
2087
2088       Options valid for proxy domains.
2089
2090       proxy_pam_target (string)
2091           The PAM service (target) the proxy provider forwards requests to.
2092
2093           Default: not set; you have to take an existing PAM configuration
2094           or create a new one and add its service name here.
2095
2096       proxy_lib_name (string)
2097           The name of the NSS library to use in proxy domains. The NSS
2098           functions searched for in the library are in the form of
2099           _nss_$(libName)_$(function), for example _nss_files_getpwent.
2100
2101       proxy_resolver_lib_name (string)
2102           The name of the NSS library to use for hosts and networks lookups
2103           in proxy domains. The NSS functions searched for in the library are
2104           in the form of _nss_$(libName)_$(function), for example
2105           _nss_dns_gethostbyname2_r.
2106
2107       proxy_fast_alias (bool)
2108           When a user or group is looked up by name in the proxy provider, a
2109           second lookup by ID is performed to "canonicalize" the name in case
2110           the requested name was an alias. Setting this option to true would
2111           cause the SSSD to perform the ID lookup from cache for performance
2112           reasons.
2113
2114           Default: false
2115
2116       proxy_max_children (integer)
2117           This option specifies the number of pre-forked proxy children. It
2118           is useful for high-load SSSD environments where sssd may run out of
2119           available child slots, which would cause some issues due to the
2120           requests being queued.
2121
2122           Default: 10
2123
2124   Application domains
2125       SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
2126       applications as a gateway to an LDAP directory where users and groups
2127       are stored. However, contrary to the traditional SSSD deployment where
2128       all users and groups either have POSIX attributes or those attributes
2129       can be inferred from the Windows SIDs, in many cases the users and
2130       groups in the application support scenario have no POSIX attributes.
2131       Instead of setting a “[domain/NAME]” section, the administrator can set
2132       up an “[application/NAME]” section that internally represents a domain
2133       of type “application” which optionally inherits settings from a
2134       traditional SSSD domain.
2135
2136       Please note that the application domain must still be explicitly
2137       enabled in the “domains” parameter so that the lookup order between the
2138       application domain and its POSIX sibling domain is set correctly.
2139
2140       Application domain parameters
2141
2142       inherit_from (string)
2143           The SSSD POSIX-type domain the application domain inherits all
2144           settings from. The application domain can moreover add its own
2145           settings to the application settings that augment or override the
2146           “sibling” domain settings.
2147
2148           Default: Not set
2149
2150       The following example illustrates the use of an application domain. In
2151       this setup, the POSIX domain is connected to an LDAP server and is used
2152       by the OS through the NSS responder. In addition, the application
2153       domain also requests the telephoneNumber attribute, stores it as the
2154       phone attribute in the cache and makes the phone attribute reachable
2155       through the D-Bus interface.
2156
2157           [sssd]
2158           domains = appdom, posixdom
2159
2160           [ifp]
2161           user_attributes = +phone
2162
2163           [domain/posixdom]
2164           id_provider = ldap
2165           ldap_uri = ldap://ldap.example.com
2166           ldap_search_base = dc=example,dc=com
2167
2168           [application/appdom]
2169           inherit_from = posixdom
2170           ldap_user_extra_attrs = phone:telephoneNumber
2171

TRUSTED DOMAIN SECTION

2173       Some options used in the domain section can also be used in the trusted
2174       domain section, that is, in a section called
2175       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2176       base domain the host is actually joined to. Please refer to the
2177       examples below for an explanation. Currently supported options in the
2178       trusted domain section are:
2179
2180       ldap_search_base,
2181
2182       ldap_user_search_base,
2183
2184       ldap_group_search_base,
2185
2186       ldap_netgroup_search_base,
2187
2188       ldap_service_search_base,
2189
2190       ldap_sasl_mech,
2191
2192       ad_server,
2193
2194       ad_backup_server,
2195
2196       ad_site,
2197
2198       use_fully_qualified_names
2199
2200       pam_gssapi_services
2201
2202       pam_gssapi_check_upn
2203
2204       For more details about these options see their individual description
2205       in the manual page.
2206
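       A configuration review will often want to confirm that a trusted domain
       section sets only the options listed above. The following script is an
       added example written for this page, not SSSD code: it parses an
       sssd.conf with Python's ini parser and reports, per
       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]” section, any option that is
       not on the supported list. The sample configuration embedded in it is
       constructed for the demonstration.

```python
"""Check trusted-domain sections of an sssd.conf against the option list
sssd.conf(5) gives for [domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME].

Added example, not SSSD code. The sample configuration below is
constructed for this demonstration."""
import configparser
import re

# The options the man page lists as supported in a trusted domain section.
TRUSTED_DOMAIN_OPTIONS = frozenset({
    "ldap_search_base",
    "ldap_user_search_base",
    "ldap_group_search_base",
    "ldap_netgroup_search_base",
    "ldap_service_search_base",
    "ldap_sasl_mech",
    "ad_server",
    "ad_backup_server",
    "ad_site",
    "use_fully_qualified_names",
    "pam_gssapi_services",
    "pam_gssapi_check_upn",
})

# Matches "domain/<base domain>/<trusted domain>" and nothing deeper.
TRUSTED_SECTION_RE = re.compile(r"^domain/([^/]+)/([^/]+)$")


def load_sssd_conf(text):
    """Parse ini-style sssd.conf text: '=' separates key and value, '#' and
    ';' start comment lines, values are taken literally (no interpolation)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return parser


def check_trusted_domain_sections(text):
    """Map each trusted-domain section to the options it sets that are not
    on the supported list (an empty list means the section is clean). The
    'description' label every section may carry is not reported."""
    parser = load_sssd_conf(text)
    report = {}
    for section in parser.sections():
        if not TRUSTED_SECTION_RE.match(section):
            continue
        unsupported = [
            option for option in parser.options(section)
            if option != "description" and option not in TRUSTED_DOMAIN_OPTIONS
        ]
        report[section] = unsupported
    return report


# Constructed sample: an IPA base domain with two trusted AD domains.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test

[domain/ipa.example.test/child.ad.example.test]
use_fully_qualified_names = false
ad_site = Branch

[domain/ipa.example.test/other.ad.example.test]
# ldap_uri belongs in the base domain section, not the trusted one
ldap_uri = ldap://dc.other.ad.example.test
ad_server = dc.other.ad.example.test
"""

if __name__ == "__main__":
    for section, unsupported in check_trusted_domain_sections(SAMPLE_CONF).items():
        status = "ok" if not unsupported else "unsupported: " + ", ".join(unsupported)
        print(f"[{section}] {status}")
```

       The man page does not say how SSSD treats an unsupported option in a
       trusted domain section, so the script only flags it; whether it is
       ignored or rejected is a question for sssctl config-check or the SSSD
       logs on the host itself.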

CERTIFICATE MAPPING SECTION

       To allow authentication with Smartcards and certificates SSSD must be
       able to map certificates to users. This can be done by adding the full
       certificate to the LDAP object of the user or to a local override.
       While using the full certificate is required to use the Smartcard
       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
       details), it might be cumbersome or not even possible to do this for
       the general case where local services use PAM for authentication.

       To make the mapping more flexible, mapping and matching rules were
       added to SSSD (see sss-certmap(5) for details).

       A mapping and matching rule can be added to the SSSD configuration in a
       section of its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
       In this section the following options are allowed:

       matchrule (string)
           Only certificates from the Smartcard that match this rule are
           processed; all others are ignored.

           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
           the Extended Key Usage “clientAuth”

       maprule (string)
           Defines how the user is found for a given certificate.

           Default:

           •   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
               providers like “ldap”, “AD” or “ipa”.

           •   The RULE_NAME for the “files” provider, which tries to find a
               user with the same name.

       domains (string)
           Comma separated list of domain names the rule should be applied
           to. By default a rule is only valid in the domain configured in
           sssd.conf. If the provider supports subdomains, this option can be
           used to add the rule to subdomains as well.

           Default: the configured domain in sssd.conf

       priority (integer)
           Unsigned integer value defining the priority of the rule. The
           higher the number, the lower the priority. “0” stands for the
           highest priority while “4294967295” is the lowest.

           Default: the lowest priority

       To make the configuration simple and reduce the amount of configuration
       options, the “files” provider has some special properties:

       •   if maprule is not set, the RULE_NAME is assumed to be the name of
           the matching user

       •   if a maprule is used, either a single user name or a template like
           “{subject_rfc822_name.short_name}” must be given in parentheses,
           e.g. “(username)” or “({subject_rfc822_name.short_name})”

       •   the “domains” option is ignored

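       The defaults and the priority semantics above decide which rule SSSD
       consults first, so it pays to see them applied to a concrete
       configuration. The script below is an added example, not SSSD code: it
       reads the “[certmap/DOMAIN_NAME/RULE_NAME]” sections, fills in the
       defaults for matchrule, maprule, domains and priority as described
       (including the files-provider special cases) and orders the rules with
       the highest priority first. Its sample configuration is constructed:
       the first and last certmap sections copy example 3 below, while the
       “eku_only” section and the “[domain/...]” sections that supply each
       domain's id_provider are assumed for the demonstration.

```python
"""Resolve the [certmap/DOMAIN_NAME/RULE_NAME] sections of an sssd.conf
into effective rules by applying the defaults sssd.conf(5) describes, and
order them by priority (0 is the highest, 4294967295 the lowest).

Added example, not SSSD code. The sample configuration is constructed:
its first and last certmap sections copy example 3 of the man page; the
"eku_only" section and the [domain/...] sections supplying each
domain's id_provider are assumed for the demonstration."""
import configparser
import re

LOWEST_PRIORITY = 4294967295          # the man page's lowest priority value
DEFAULT_MATCHRULE = "KRB5:<EKU>clientAuth"
DEFAULT_LDAP_MAPRULE = "LDAP:(userCertificate;binary={cert!bin})"
LDAP_BASED_PROVIDERS = {"ldap", "ad", "ipa"}

CERTMAP_SECTION_RE = re.compile(r"^certmap/([^/]+)/([^/]+)$")


def load_sssd_conf(text):
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def id_provider_of(parser, domain):
    """Lower-cased id_provider of [domain/<domain>], or None if not set."""
    section = f"domain/{domain}"
    if parser.has_option(section, "id_provider"):
        return parser.get(section, "id_provider").strip().lower()
    return None


def parse_priority(raw):
    """Enforce the unsigned range the man page gives for priority."""
    value = int(raw.strip())
    if not 0 <= value <= LOWEST_PRIORITY:
        raise ValueError(f"priority {value} is outside 0..{LOWEST_PRIORITY}")
    return value


def effective_certmap_rules(text):
    """Return the certmap rules with defaults filled in, highest priority first."""
    parser = load_sssd_conf(text)
    rules = []
    for section in parser.sections():
        match = CERTMAP_SECTION_RE.match(section)
        if not match:
            continue
        domain, rule_name = match.groups()
        opts = dict(parser.items(section))
        provider = id_provider_of(parser, domain)
        if provider == "files":
            # files provider: RULE_NAME is the user unless a "(...)" maprule is
            # given, and the domains option is ignored
            maprule = opts.get("maprule", f"({rule_name})")
            domains = [domain]
        else:
            default_map = DEFAULT_LDAP_MAPRULE if provider in LDAP_BASED_PROVIDERS else None
            maprule = opts.get("maprule", default_map)
            domains = [d.strip() for d in opts.get("domains", domain).split(",") if d.strip()]
        rules.append({
            "name": rule_name,
            "domains": domains,
            "matchrule": opts.get("matchrule", DEFAULT_MATCHRULE),
            "maprule": maprule,
            "priority": parse_priority(opts["priority"]) if "priority" in opts else LOWEST_PRIORITY,
        })
    # A lower number wins; the stable sort keeps file order among equal priorities.
    rules.sort(key=lambda rule: rule["priority"])
    return rules


SAMPLE_CONF = """\
[sssd]
domains = my.domain, files

[domain/my.domain]
id_provider = ldap

[domain/files]
id_provider = files

[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/my.domain/eku_only]
# constructed: relies entirely on the defaults except for priority
priority = 0

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
"""

if __name__ == "__main__":
    for rule in effective_certmap_rules(SAMPLE_CONF):
        print(rule)
```

       Note that the “eku_only” rule, which sets nothing but priority = 0,
       ends up as the first rule consulted with the default clientAuth EKU
       match; a rule that permissive at the highest priority is exactly the
       kind of thing this listing makes visible before it reaches production.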

PROMPTING CONFIGURATION SECTION

       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
       SSSD's PAM module pam_sss will ask SSSD to figure out which
       authentication methods are available for the user trying to log in.
       Based on the results pam_sss will prompt the user for the appropriate
       credentials.

       With the growing number of authentication methods and the possibility
       that there are multiple ones for a single user, the heuristic used by
       pam_sss to select the prompting might not be suitable for all use
       cases. The following options provide more flexibility here.

       Each supported authentication method has its own configuration
       subsection under “[prompting/...]”. Currently there are:

       [prompting/password]
           to configure password prompting, allowed options are:

           password_prompt
               to change the string of the password prompt

       [prompting/2fa]
           to configure two-factor authentication prompting, allowed options
           are:

           first_prompt
               to change the string of the prompt for the first factor

           second_prompt
               to change the string of the prompt for the second factor

           single_prompt
               boolean value; if True there will be only a single prompt,
               using the value of first_prompt, where it is expected that
               both factors are entered as a single string. Please note that
               both factors have to be entered here, even if the second
               factor is optional.

           If the second factor is optional and it should be possible to log
           in either only with the password or with both factors, two-step
           prompting has to be used.

       It is possible to add a subsection for specific PAM services, e.g.
       “[prompting/password/sshd]”, to individually change the prompting for
       this service.

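       The interaction between the generic and the service-specific
       subsections, and the effect of single_prompt, is easier to reason about
       with the lookup written out. The script below is an added example, not
       pam_sss code: given an sssd.conf, an authentication method and a PAM
       service name, it returns the prompt strings the user would see. Two
       assumptions are made for the demonstration: the default prompt strings
       are placeholders (pam_sss ships its own), and a service subsection
       overrides the generic section option by option, falling back to the
       generic value for any option it does not set. The configuration is
       constructed.

```python
"""Work out which prompts pam_sss would show for a PAM service from the
[prompting/...] sections of an sssd.conf, with a service-specific
subsection such as [prompting/password/sshd] taking precedence over the
generic [prompting/password] one.

Added example, not pam_sss code. Assumptions: the default prompt strings
are placeholders chosen here (pam_sss ships its own), and a service
subsection overrides the generic section option by option, falling back
to the generic value for options it does not set. The configuration is
constructed."""
import configparser

# Placeholder defaults, assumed for this example only.
DEFAULT_PROMPTS = {
    "password": {"password_prompt": "Password:"},
    "2fa": {
        "first_prompt": "First factor:",
        "second_prompt": "Second factor:",
        "single_prompt": "False",
    },
}


def load_sssd_conf(text):
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def prompting_option(parser, method, service, option):
    """Look the option up in [prompting/METHOD/SERVICE], then [prompting/METHOD],
    then the placeholder defaults."""
    for section in (f"prompting/{method}/{service}", f"prompting/{method}"):
        if parser.has_option(section, option):
            return parser.get(section, option).strip()
    return DEFAULT_PROMPTS[method][option]


def parse_bool(value):
    """sssd.conf booleans are TRUE/FALSE; accept them case-insensitively."""
    lowered = value.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"not a boolean: {value!r}")
    return lowered == "true"


def prompts_for(text, method, service):
    """Return the prompt strings shown, in order, for one authentication method."""
    parser = load_sssd_conf(text)
    if method == "password":
        return [prompting_option(parser, "password", service, "password_prompt")]
    if method == "2fa":
        first = prompting_option(parser, "2fa", service, "first_prompt")
        if parse_bool(prompting_option(parser, "2fa", service, "single_prompt")):
            # One prompt: the user types both factors as a single string, and
            # both are required even when the second factor is optional.
            return [first]
        return [first, prompting_option(parser, "2fa", service, "second_prompt")]
    raise ValueError(f"unknown prompting method: {method}")


SAMPLE_CONF = """\
[prompting/password]
password_prompt = Domain password:

[prompting/password/sshd]
password_prompt = SSH password for domain account:

[prompting/2fa]
first_prompt = Domain password:
second_prompt = One-time code:

[prompting/2fa/gdm-password]
# only single_prompt is overridden; first_prompt comes from [prompting/2fa]
single_prompt = True
"""

if __name__ == "__main__":
    for method, service in (("password", "sshd"), ("password", "login"),
                            ("2fa", "sshd"), ("2fa", "gdm-password")):
        print(f"{method:8} {service:12} -> {prompts_for(SAMPLE_CONF, method, service)}")
```

       The gdm-password case shows the trap the text warns about: with
       single_prompt enabled the user gets one prompt and must type password
       and second factor together, so a user whose second factor is optional
       cannot log in with the password alone under that service.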

EXAMPLES

       1. The following example shows a typical SSSD config. It does not
       describe configuration of the domains themselves - refer to
       documentation on configuring domains for more details.

           [sssd]
           domains = LDAP
           services = nss, pam
           config_file_version = 2

           [nss]
           filter_groups = root
           filter_users = root

           [pam]

           [domain/LDAP]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           auth_provider = krb5
           krb5_server = kerberos.example.com
           krb5_realm = EXAMPLE.COM
           cache_credentials = true

           min_id = 10000
           max_id = 20000
           enumerate = False

       2. The following example shows the configuration of an IPA AD trust
       where the AD forest consists of two domains in a parent-child
       structure. Suppose the IPA domain (ipa.com) has a trust with the AD
       domain (ad.com), and ad.com has a child domain (child.ad.com). To
       enable short names in the child domain the following configuration
       should be used.

           [domain/ipa.com/child.ad.com]
           use_fully_qualified_names = false

       3. The following example shows the configuration for two certificate
       mapping rules. The first is valid for the configured domain “my.domain”
       and additionally for the subdomain “your.domain” and uses the full
       certificate in the search filter. The second example is valid for the
       domain “files”, where it is assumed the files provider is used for
       this domain, and contains a matching rule for the local user “myname”.

           [certmap/my.domain/rule_name]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
           maprule = (userCertificate;binary={cert!bin})
           domains = my.domain, your.domain
           priority = 10

           [certmap/files/myname]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$


SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).


AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              11/08/2021                      SSSD.CONF(5)