SSSD.CONF(5)               File Formats and Conventions               SSSD.CONF(5)

NAME
       sssd.conf - the configuration file for SSSD

DESCRIPTION
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single- and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS
       The configuration file sssd.conf will include configuration snippets
       from the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.
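       The following added example (it is not part of this manual page nor
       SSSD's own code) shows the snippet rules above in practice: only
       “.conf” files that do not start with a dot are taken from conf.d, they
       are applied in sorted order so later files win over earlier ones and
       over sssd.conf, and every file is checked for the root:root / 0600
       requirement. The file names, section contents and the temporary
       directory are constructed for the demonstration; the sort is plain
       codepoint order rather than the locale collation SSSD uses.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample configuration; the values are not SSSD defaults.
SAMPLE_MAIN = """[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
debug_level = 2
"""
SAMPLE_SNIPPETS = {
    "01_debug.conf": "[domain/example.com]\ndebug_level = 6\n",
    "02_debug.conf": "[domain/example.com]\ndebug_level = 9\n",
    ".hidden.conf": "[domain/example.com]\ndebug_level = 0\n",  # skipped: leading dot
    "notes.txt": "[domain/example.com]\ndebug_level = 0\n",     # skipped: not .conf
}


def check_ownership(path):
    """Problems with a config file's type, owner and mode (must be a regular
    file, root:root, 0600). An empty list means the file is acceptable."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("owner is %d:%d, expected root:root" % (st.st_uid, st.st_gid))
    if stat.S_IMODE(st.st_mode) & 0o177:  # any group/other bit or exec bit set
        problems.append("mode is %04o, expected 0600" % stat.S_IMODE(st.st_mode))
    return problems


def snippet_order(confd):
    """Snippets that qualify for inclusion, in the order they are applied."""
    names = [n for n in os.listdir(confd)
             if n.endswith(".conf") and not n.startswith(".")]
    return sorted(names)  # later names are read later and therefore win


def merged_config(main_path, confd):
    """sssd.conf first, then each snippet; a later read overrides earlier keys."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(main_path)
    for name in snippet_order(confd):
        cfg.read(os.path.join(confd, name))
    return cfg


def demo():
    """Build the constructed tree in a temp dir and report what SSSD would see."""
    with tempfile.TemporaryDirectory() as tmp:
        main = os.path.join(tmp, "sssd.conf")
        confd = os.path.join(tmp, "conf.d")
        os.mkdir(confd)
        with open(main, "w") as f:
            f.write(SAMPLE_MAIN)
        os.chmod(main, 0o644)  # deliberately too permissive, to trigger the check
        for name, body in SAMPLE_SNIPPETS.items():
            path = os.path.join(confd, name)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, 0o600)
        cfg = merged_config(main, confd)
        snippet_modes_ok = all(
            not any(p.startswith("mode") for p in check_ownership(os.path.join(confd, n)))
            for n in snippet_order(confd))
        return {
            "order": snippet_order(confd),
            "debug_level": cfg.get("domain/example.com", "debug_level"),
            "services": cfg.get("sssd", "services"),
            "main_problems": check_ownership(main),
            "snippet_modes_ok": snippet_modes_ok,
        }


if __name__ == "__main__":
    print(demo())
```

       Run as an unprivileged user the owner check also fires, which is the
       expected outcome: the point of the check is that a world-readable or
       non-root-owned sssd.conf is a misconfiguration worth catching before
       SSSD is started.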

GENERAL OPTIONS
       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           9, 0x20000: Performance and statistical data; please note that due
           to the way requests are processed internally the logged execution
           time of a request might be longer than it actually was.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data, trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)
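       The following added example (not from this manual page or SSSD's own
       sources) encodes the table above so that a bitmask can be built from
       level names, a decimal level can be converted to the mask it implies,
       and a mask taken from a running configuration can be decoded back into
       level names, with bits the table does not define reported separately.
       The parsing rule it applies, “0x…” means bitmask and a plain number
       means decimal level, is an assumption of the example; SSSD's own parser
       accepts further spellings.

```python
# Debug levels exactly as listed in the manual: (decimal level, bitmask, description)
DEBUG_LEVELS = [
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing information"),
    (9, 0x20000, "performance and statistical data"),
    (10, 0x10000, "even more low-level libldb tracing information"),
]


def mask_for_decimal(level):
    """A decimal level enables that level and every lower one."""
    mask = 0
    for dec, bit, _ in DEBUG_LEVELS:
        if dec <= level:
            mask |= bit
    return mask


def mask_for_names(*fragments):
    """Build a bitmask from unambiguous fragments of the descriptions,
    e.g. mask_for_names('fatal', 'function data')."""
    mask = 0
    for frag in fragments:
        hits = [bit for _, bit, desc in DEBUG_LEVELS if frag in desc]
        if len(hits) != 1:
            raise ValueError("ambiguous or unknown level: %r" % frag)
        mask |= hits[0]
    return mask


def describe(mask):
    """(enabled level names, bits not defined in the table) for a bitmask."""
    known = 0
    names = []
    for _, bit, desc in DEBUG_LEVELS:
        known |= bit
        if mask & bit:
            names.append(desc)
    return names, mask & ~known


def parse_debug_level(value):
    """Config value -> effective bitmask. Assumption of this example: a value
    starting with 0x is a bitmask, anything else is a decimal level 0-10."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)
    return mask_for_decimal(int(value, 10))


if __name__ == "__main__":
    print(hex(mask_for_names("fatal", "critical", "serious", "function data")))
    print(describe(parse_debug_level("2")))
```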

       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           In case SSSD is run with debug_level less than 9, everything is
           logged to a ring buffer in memory and flushed to a log file on any
           error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger a backtrace, otherwise up to 2).

           This feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS
   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more than one domain at the same time, but at least one must be
           configured or SSSD won't start. This parameter describes the list
           of domains in the order you want them to be queried. A domain name
           is recommended to contain only alphanumeric ASCII characters,
           dashes, dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up at compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the default
           of use_fully_qualified_names to True. It is not allowed to use this
           option together with use_fully_qualified_names set to False. One
           exception from this rule are domains with “id_provider=files” that
           always try to match the behaviour of nss_files and therefore their
           output is not qualified even when the default_domain_suffix option
           is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_). The user name
           "john doe" will become "john_doe". This feature was added to help
           compatibility with shell scripts that have difficulty handling
           spaces, due to the default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name, but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)
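       The following added example (not part of this manual page or of SSSD's
       code) ties together re_expression, full_name_format,
       default_domain_suffix and override_space: it splits an input name with
       a regular expression, re-composes the qualified form from the printf
       positional arguments %1$s, %2$s and %3$s, applies the rule that a
       configured default_domain_suffix forces qualified output and may not be
       combined with use_fully_qualified_names = False, and performs the space
       replacement while flagging the configuration error described above.
       The default regular expression used here is an assumption of the
       example; SSSD's actual defaults are provider-specific (see DOMAIN
       SECTIONS).

```python
import re

# Assumed default for this example only; SSSD's built-in defaults differ per provider.
DEFAULT_RE_EXPRESSION = r"^(?P<name>[^@]+)@(?P<domain>[^@]+)$"

_POSITIONAL = re.compile(r"%(\d)\$s")  # the %1$s / %2$s / %3$s expansions


def parse_name(raw, re_expression=DEFAULT_RE_EXPRESSION, default_domain_suffix=None):
    """Split 'user@domain' into (user, domain). An unqualified name gets
    default_domain_suffix when one is configured, otherwise domain None."""
    m = re.match(re_expression, raw)
    if m:
        return m.group("name"), m.group("domain")
    return raw, default_domain_suffix


def full_name(user, domain, flat=None, full_name_format="%1$s@%2$s"):
    """Expand the printf(3)-style positional format string."""
    args = {"1": user, "2": domain, "3": flat or ""}
    return _POSITIONAL.sub(lambda m: args[m.group(1)], full_name_format)


def output_name(user, domain, default_domain_suffix=None,
                use_fully_qualified_names=None, full_name_format="%1$s@%2$s"):
    """Name as returned to callers. use_fully_qualified_names=None means the
    option is not set, so its default (True when default_domain_suffix is
    configured, else False) applies. Combining default_domain_suffix with an
    explicit False is rejected, as the manual states."""
    if default_domain_suffix is not None:
        if use_fully_qualified_names is False:
            raise ValueError("default_domain_suffix requires use_fully_qualified_names")
        qualified = True
    else:
        qualified = bool(use_fully_qualified_names)
    return full_name(user, domain, None, full_name_format) if qualified else user


def apply_override_space(name, override_space=None):
    """(name, config_error). A name that already contains the replacement
    character is returned unmodified and flagged as a configuration error."""
    if override_space is None:
        return name, False
    if override_space in name:
        return name, True
    return name.replace(" ", override_space), False


if __name__ == "__main__":
    user, domain = parse_name("john", default_domain_suffix="trusted.example")
    print(output_name(user, domain, default_domain_suffix="trusted.example"))
```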

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               • sha1

               • sha256

               • sha384

               • sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification
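       The following added example (not from this manual page or SSSD's
       sources) parses a certificate_verification value the way the text
       above describes: flag options stand alone, the others take key=value,
       ocsp_dgst is validated against the four allowed digests and defaults
       to sha1, ocsp_default_responder_signing_cert is accepted but reported
       as ignored, unknown options are reported and dropped, and the
       testing-only no_verification is called out so that a reviewer of the
       resulting settings cannot miss it. The syntax ocsp_dgst=VALUE is
       assumed here, by analogy with the other key=value options.

```python
ALLOWED_DIGESTS = ("sha1", "sha256", "sha384", "sha512")

# Options from the manual; flags take no value, the rest are key=value.
FLAG_OPTIONS = {"no_ocsp", "soft_ocsp", "no_verification", "partial_chain", "soft_crl"}
VALUE_OPTIONS = {"ocsp_dgst", "ocsp_default_responder",
                 "ocsp_default_responder_signing_cert", "crl_file"}


def parse_certificate_verification(value):
    """Return (settings, warnings) for a certificate_verification string.
    Unknown options are reported but ignored; ocsp_dgst defaults to sha1."""
    settings = {"ocsp_dgst": "sha1"}
    warnings = []
    if value is None or not value.strip():
        return settings, warnings  # option not set: verification is not restricted

    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        if key in FLAG_OPTIONS and not sep:
            settings[key] = True
        elif key in VALUE_OPTIONS and sep:
            if key == "ocsp_dgst" and val not in ALLOWED_DIGESTS:
                warnings.append("ocsp_dgst=%s is not an allowed digest, keeping %s"
                                % (val, settings["ocsp_dgst"]))
                continue
            if key == "ocsp_default_responder_signing_cert":
                warnings.append("ocsp_default_responder_signing_cert is currently ignored")
                continue
            settings[key] = val
        else:
            warnings.append("unknown option %r ignored" % item)

    if settings.get("no_verification"):
        warnings.append("no_verification disables all checks and is meant for testing only")
    return settings, warnings


if __name__ == "__main__":
    print(parse_certificate_verification("no_ocsp, ocsp_dgst=sha256, crl_file=/etc/pki/crl.pem"))
```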

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses and links and to trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3) which, if a short name is returned for a qualified input
           (while trying to reach a user which exists in multiple domains)
           might re-route the login attempt into the domain which uses
           short names, so this workaround is not recommended at all in cases
           where usernames may overlap between domains.

           Default: Not set

       implicit_pac_responder (boolean)
           The PAC responder is enabled automatically for the IPA and AD
           provider to evaluate and check the PAC. If it has to be disabled
           set this option to 'false'.

           Default: true

SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses incremental behaviour to
           calculate the delay in between retries. So, the wait time for a
           given retry will be longer than the wait time for the previous
           ones. After each unsuccessful attempt to go online, the new
           interval is recalculated by the following:

               new_delay = Minimum(old_delay * 2, offline_timeout_max) +
                           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the number of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set offline_timeout_max
           to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers in
           specified time intervals:

               new_delay = Minimum(old_delay * 2, offline_timeout_max) +
                           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used for the
           above equation. The final random_offset value will be a random
           number in the range:

               [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30
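       The following added example (it is not SSSD code and not part of this
       manual page) computes the retry schedule from the formula shared by the
       three offline_timeout* options, so that the effect of saturation and of
       a too-small offline_timeout_max can be seen before the values go into
       sssd.conf. Two details the manual leaves open are assumptions of the
       example: the first wait is offline_timeout itself (plus the random
       offset), and the doubling is applied to the previous delay without its
       random part. A seeded random generator can be passed in to make the
       output reproducible.

```python
import random


def saturates_instantly(offline_timeout, offline_timeout_max):
    """True when offline_timeout_max caps the very first doubling, i.e. the
    case the manual warns about (60 with a max below 120)."""
    return 0 < offline_timeout_max < 2 * offline_timeout


def next_delay(old_delay, offline_timeout=60, offline_timeout_max=3600,
               offline_timeout_random_offset=30, rng=random):
    """One step of: new_delay = min(old_delay * 2, offline_timeout_max)
                                 + random[0...offline_timeout_random_offset]
    offline_timeout_max == 0 disables incrementing (assumption: the base
    delay then stays at offline_timeout)."""
    if offline_timeout_max == 0:
        base = offline_timeout
    else:
        base = min(old_delay * 2, offline_timeout_max)
    jitter = rng.randint(0, offline_timeout_random_offset) if offline_timeout_random_offset else 0
    return base, base + jitter


def retry_schedule(attempts, offline_timeout=60, offline_timeout_max=3600,
                   offline_timeout_random_offset=30, rng=None):
    """Seconds to wait before each of `attempts` reconnection attempts.
    Assumption: the first wait is offline_timeout plus the random offset."""
    rng = rng if rng is not None else random.Random()
    waits = []
    base = offline_timeout
    jitter = rng.randint(0, offline_timeout_random_offset) if offline_timeout_random_offset else 0
    waits.append(base + jitter)
    for _ in range(attempts - 1):
        base, wait = next_delay(base, offline_timeout, offline_timeout_max,
                                offline_timeout_random_offset, rng)
        waits.append(wait)
    return waits


if __name__ == "__main__":
    # Defaults, without jitter, so the doubling and the 3600 cap are visible.
    print(retry_schedule(8, offline_timeout_random_offset=0))
    print(retry_schedule(8, rng=random.Random(1)))
```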

       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds nss_sss should cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50
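       The following added example (not SSSD code, not part of this manual
       page) turns the description of entry_cache_nowait_percentage into a
       decision function: for a cache entry of a given age it returns whether
       the responder answers from cache, answers from cache while refreshing
       in the background, or has to block on the backend. It applies the
       0-99 validity range, the 10 second floor and the 0 = disabled rule.
       The three outcome labels are names chosen for the example.

```python
def nowait_threshold(entry_cache_timeout, entry_cache_nowait_percentage):
    """Age (seconds) from which an entry is served immediately and refreshed
    in the background. None when the feature is disabled (0). The threshold
    never drops below 10 seconds."""
    if not 0 <= entry_cache_nowait_percentage <= 99:
        raise ValueError("entry_cache_nowait_percentage must be 0-99")
    if entry_cache_nowait_percentage == 0:
        return None
    return max(10, entry_cache_timeout * entry_cache_nowait_percentage // 100)


def lookup_action(entry_age, entry_cache_timeout, entry_cache_nowait_percentage):
    """'cached'         : entry is fresh, served from cache, no refresh
       'cached+refresh' : served from cache now, refreshed in the background
       'block'          : entry expired, the request waits for the backend"""
    if entry_age >= entry_cache_timeout:
        return "block"
    threshold = nowait_threshold(entry_cache_timeout, entry_cache_nowait_percentage)
    if threshold is not None and entry_age >= threshold:
        return "cached+refresh"
    return "cached"


if __name__ == "__main__":
    # The manual's example: 30 s timeout, 50 percent -> refresh from 15 s on.
    for age in (5, 15, 29, 30):
        print(age, lookup_action(age, 30, 50))
```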

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note, the home directory from a specific override for the
           user, either locally (see sss_override(8)) or centrally managed IPA
           id-overrides, has a higher precedence and will be used instead of
           the value given by override_homedir.

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)
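       The following added example (not SSSD's code and not part of this
       manual page) implements the template expansion shared by
       override_homedir and fallback_homedir, including %% and rejection of
       sequences the table above does not list, and the precedence the text
       describes: a per-user id-override first, then override_homedir, then
       the value from the provider, then fallback_homedir. The sample user
       record is constructed, and the dictionary keys used to hold the user's
       attributes are names chosen for the example.

```python
# Constructed sample user record; the key names are this example's own.
SAMPLE_USER = {
    "name": "john",
    "uid": 1001,
    "domain": "example.com",
    "upn": "john@EXAMPLE.COM",
    "orig_homedir": "/export/home/john",   # value from the identity provider
}


def expand_homedir(template, user, homedir_substring="/home"):
    """Expand %u %U %d %f %l %P %o %H %% exactly as the table lists them;
    any other sequence, or a trailing '%', is an error."""
    mapping = {
        "u": user["name"],
        "U": str(user["uid"]),
        "d": user["domain"],
        "f": "%s@%s" % (user["name"], user["domain"]),
        "l": user["name"][:1],
        "P": user.get("upn", ""),
        "o": user.get("orig_homedir", ""),
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template) or template[i + 1] not in mapping:
            raise ValueError("unknown template sequence at offset %d in %r" % (i, template))
        out.append(mapping[template[i + 1]])
        i += 2
    return "".join(out)


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home", id_override_homedir=None):
    """Precedence from the manual: a per-user override (sss_override / IPA
    id-override) wins over override_homedir, which wins over the provider's
    value, which wins over fallback_homedir. None means no home directory."""
    if id_override_homedir:
        return id_override_homedir
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.get("orig_homedir"):
        return user["orig_homedir"]
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return None


if __name__ == "__main__":
    print(resolve_homedir(SAMPLE_USER, override_homedir="%H/%d/%l/%u", homedir_substring="/srv/home"))
```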

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict the user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
              “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
              “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for the shell is passed as-is to libc.

           The “/etc/shells” file is only read on SSSD start up, which means
           that a restart of SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)
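       The following added example (not from SSSD or this manual page) puts
       the shell options into one function that applies them in the order the
       text above gives: override_shell supersedes everything, an empty
       string is passed through, default_shell fills in a missing shell,
       vetoed_shells are replaced by shell_fallback, and the allowed_shells
       rules 1-3 apply only when allowed_shells is set. The contents of
       /etc/shells are passed in as a constructed list rather than read from
       the system, and the nologin path used for rule 3 is a placeholder
       chosen for the example.

```python
NOLOGIN = "/sbin/nologin"   # placeholder for "a nologin shell"; path is an assumption

# Constructed stand-in for /etc/shells, which SSSD reads once at start up.
SAMPLE_ETC_SHELLS = ["/bin/sh", "/bin/bash"]


def resolve_shell(shell, etc_shells, allowed_shells=(), vetoed_shells=(),
                  shell_fallback="/bin/sh", default_shell=None, override_shell=None):
    """Shell returned to NSS for a user whose provider supplied `shell`
    (None when the provider returned nothing)."""
    if override_shell:
        return override_shell                    # supersedes every other option
    if shell is None:
        shell = default_shell                    # provider returned no shell
        if shell is None:
            return None                          # NULL: libc picks something sensible
    if shell == "":
        return ""                                # empty string is passed as-is
    if shell in vetoed_shells:
        return shell_fallback
    if not allowed_shells:
        return shell                             # allowed_shells not set: use as-is
    if shell in etc_shells:
        return shell                             # rule 1
    if "*" in allowed_shells or shell in allowed_shells:
        return shell_fallback                    # rule 2
    return NOLOGIN                               # rule 3


if __name__ == "__main__":
    for s in ("/bin/bash", "/usr/bin/fish", "/usr/bin/zsh"):
        print(s, "->", resolve_shell(s, SAMPLE_ETC_SHELLS, allowed_shells=["/usr/bin/fish"]))
```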

       get_domains_timeout (int)
           Specifies the time in seconds for which the list of subdomains will
           be considered valid.

           Default: 60

       memcache_timeout (integer)
           Specifies the time in seconds for which records in the in-memory
           cache will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have a significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_passwd (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for passwd requests. Setting the size to 0 will
           disable the passwd in-memory cache.

           Default: 8

           WARNING: A disabled or too small in-memory cache can have a
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_group (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for group requests. Setting the size to 0 will
           disable the group in-memory cache.

           Default: 6

           WARNING: A disabled or too small in-memory cache can have a
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_initgroups (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for initgroups requests. Setting the size to 0 will
           disable the initgroups in-memory cache.

           Default: 10

           WARNING: A disabled or too small in-memory cache can have a
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_sid (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for SID related requests. Only SID-by-ID and
           ID-by-SID requests are currently cached in the fast in-memory
           cache. Setting the size to 0 will disable the SID in-memory cache.

           Default: 6

           WARNING: A disabled or too small in-memory cache can have a
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       user_attributes (string)
           Some of the additional NSS responder requests can return more
           attributes than just the POSIX ones defined by the NSS interface.
           The list of attributes is controlled by this option. It is handled
           the same way as the “user_attributes” option of the InfoPipe
           responder (see sssd-ifp(5) for details) but with no default values.

           To make configuration easier the NSS responder will check the
           InfoPipe option if it is not set for the NSS responder.

           Default: not set, fallback to InfoPipe option

       pwfield (string)
           The value that NSS operations that return users or groups will
           return for the “password” field.

           Default: “*”

           Note: This option can also be set per-domain, which overwrites the
           value in the [nss] section.

           Default: “not set” (remote domains), “x” (the files domain), “x”
           (proxy domain with nss_files and sssd-shadowutils target)

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days since the last successful online login).

           Default: 0 (No limit)

       offline_failed_login_attempts (integer)
           If the authentication provider is offline, how many failed login
           attempts are allowed.

           Default: 0 (No limit)

       offline_failed_login_delay (integer)
           The time in minutes which has to pass after
           offline_failed_login_attempts has been reached before a new login
           attempt is possible.

           If set to 0 the user cannot authenticate offline if
           offline_failed_login_attempts has been reached. Only a successful
           online authentication can enable offline authentication again.

           Default: 5
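       The following added example (not SSSD's code and not part of this
       manual page) combines the three offline options above into one policy
       check for an offline authentication attempt: cached credentials older
       than offline_credentials_expiration days are refused, reaching
       offline_failed_login_attempts locks the user for
       offline_failed_login_delay minutes, and a delay of 0 keeps the lock in
       place until the next successful online authentication. Timestamps are
       constructed seconds-since-epoch values; the reason strings are the
       example's own.

```python
DAY = 24 * 60 * 60
MINUTE = 60


def offline_auth_allowed(now, last_online_login, failed_attempts, last_failed_attempt,
                         offline_credentials_expiration=0,
                         offline_failed_login_attempts=0,
                         offline_failed_login_delay=5):
    """(allowed, reason) for an offline authentication attempt at time `now`.
    A value of 0 for the expiration or the attempt limit means 'no limit',
    as the manual's defaults state."""
    if offline_credentials_expiration > 0:
        age_days = (now - last_online_login) / DAY
        if age_days > offline_credentials_expiration:
            return False, "cached credentials expired (%.1f days since last online login)" % age_days

    if offline_failed_login_attempts > 0 and failed_attempts >= offline_failed_login_attempts:
        if offline_failed_login_delay == 0:
            return False, "locked until the next successful online authentication"
        waited = now - last_failed_attempt
        if waited < offline_failed_login_delay * MINUTE:
            remaining = offline_failed_login_delay * MINUTE - waited
            return False, "locked, %d seconds of the delay remaining" % remaining

    return True, "offline authentication permitted"


if __name__ == "__main__":
    now = 1_700_000_000   # constructed timestamp
    print(offline_auth_allowed(now, now - 8 * DAY, 0, 0, offline_credentials_expiration=7))
    print(offline_auth_allowed(now, now - DAY, 3, now - 2 * MINUTE, offline_failed_login_attempts=3))
```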
835
836 pam_verbosity (integer)
837 Controls what kind of messages are shown to the user during
838 authentication. The higher the number to more messages are
839 displayed.
840
841 Currently sssd supports the following values:
842
843 0: do not show any message
844
845 1: show only important messages
846
847 2: show informational messages
848
849 3: show all messages and debug information
850
851 Default: 1
852
853 pam_response_filter (string)
854 A comma separated list of strings which allows removing (filtering)
855 data sent by the PAM responder to the pam_sss PAM module. There are
856 different kinds of responses sent to pam_sss, e.g. messages displayed
857 to the user or environment variables which should be set by
858 pam_sss.
859
860 While messages can already be controlled with the help of the
861 pam_verbosity option, this option allows filtering out other kinds of
862 responses as well.
863
864 Currently the following filters are supported:
865
866 ENV
867 Do not send any environment variables to any service.
868
869 ENV:var_name
870 Do not send environment variable var_name to any service.
871
872 ENV:var_name:service
873 Do not send environment variable var_name to service.
874
875 The list of strings can either be a complete list of filters, which
876 replaces the defaults, or each element of the list can be prefixed
877 by a '+' or '-' character, which adds the filter to the existing
878 defaults or removes it from the defaults, respectively. Please note
879 that either all list elements must have a '+' or '-' prefix or none.
880 Mixing both styles is considered an error.
882
883 Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
884
885 Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
886 default list
887
888 pam_id_timeout (integer)
889 For any PAM request while SSSD is online, the SSSD will attempt to
890 immediately update the cached identity information for the user in
891 order to ensure that authentication takes place with the latest
892 information.
893
894 A complete PAM conversation may perform multiple PAM requests, such
895 as account management and session opening. This option controls (on
896 a per-client-application basis) how long (in seconds) we can cache
897 the identity information to avoid excessive round-trips to the
898 identity provider.
899
900 Default: 5
901
902 pam_pwd_expiration_warning (integer)
903 Display a warning N days before the password expires.
904
905 Please note that the backend server has to provide information
906 about the expiration time of the password. If this information is
907 missing, sssd cannot display a warning.
908
909 If zero is set, then this filter is not applied, i.e. if the
910 expiration warning was received from backend server, it will
911 automatically be displayed.
912
913 This setting can be overridden by setting pwd_expiration_warning
914 for a particular domain.
915
916 Default: 0
917
918 get_domains_timeout (int)
919 Specifies time in seconds for which the list of subdomains will be
920 considered valid.
921
922 Default: 60
923
924 pam_trusted_users (string)
925 Specifies the comma-separated list of UID values or user names that
926 are allowed to run PAM conversations against trusted domains. Users
927 not included in this list can only access domains marked as public
928 with “pam_public_domains”. User names are resolved to UIDs at
929 startup.
930
931 Default: All users are considered trusted by default
932
933 Please note that UID 0 is always allowed to access the PAM
934 responder even in case it is not in the pam_trusted_users list.
935
936 pam_public_domains (string)
937 Specifies the comma-separated list of domain names that are
938 accessible even to untrusted users.
939
940 Two special values for the pam_public_domains option are defined:
941
942 all (Untrusted users are allowed to access all domains in the PAM
943 responder.)
944
945 none (Untrusted users are not allowed to access any domains in the
946 PAM responder.)
947
948 Default: none
949
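The two options above form one access decision: UID 0 always gets through, users on the trusted list may use every domain, everyone else is confined to the public domains. The following is an added example, not SSSD code, that parses both option values and evaluates that decision; the SAMPLE_PASSWD table stands in for the NSS name-to-UID resolution SSSD does at startup and is constructed for the example.

```python
# Added example (not SSSD code): the access decision that pam_trusted_users
# and pam_public_domains describe. The name-to-UID table is constructed.
from typing import Dict, Optional, Set, Union

# Constructed stand-in for the NSS lookups SSSD performs at startup.
SAMPLE_PASSWD: Dict[str, int] = {"root": 0, "gdm": 42, "alice": 1000, "bob": 1001}


def parse_pam_trusted_users(value: Optional[str]) -> Optional[Set[int]]:
    """None (option not set) means every user is trusted (the default)."""
    if value is None or not value.strip():
        return None
    uids = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        uids.add(int(item) if item.isdigit() else SAMPLE_PASSWD[item])
    return uids


def parse_pam_public_domains(value: Optional[str]) -> Union[str, Set[str]]:
    """Returns 'all', 'none' or the set of public domain names."""
    if value is None or not value.strip():
        return "none"  # documented default
    value = value.strip()
    if value in ("all", "none"):
        return value
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_request_allowed(uid: int, domain: str,
                        trusted: Optional[Set[int]],
                        public: Union[str, Set[str]]) -> bool:
    """Decide whether 'uid' may run a PAM conversation against 'domain'."""
    if uid == 0:
        return True          # root always reaches the PAM responder
    if trusted is None or uid in trusted:
        return True          # trusted users may use every domain
    if public == "all":
        return True
    if public == "none":
        return False
    return domain in public  # untrusted users: public domains only
```

Note that a restrictive pam_trusted_users list with the default pam_public_domains = none means no local service account other than root can authenticate SSSD users at all, which is usually the intent when the PAM responder should only be driven by, say, a display manager.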
950 pam_account_expired_message (string)
951 Allows a custom expiration message to be set, replacing the default
952 'Permission denied' message.
953
954 Note: Please be aware that the message is only printed for the SSH
955 service unless pam_verbosity is set to 3 (show all messages and
956 debug information).
957
958 example:
959
960 pam_account_expired_message = Account expired, please contact help desk.
961
962
963 Default: none
964
965 pam_account_locked_message (string)
966 Allows a custom lockout message to be set, replacing the default
967 'Permission denied' message.
968
969 example:
970
971 pam_account_locked_message = Account locked, please contact help desk.
972
973
974 Default: none
975
976 pam_cert_auth (bool)
977 Enable certificate based Smartcard authentication. Since this
978 requires additional communication with the Smartcard which will
979 delay the authentication process this option is disabled by
980 default.
981
982 Default: False
983
984 pam_cert_db_path (string)
985 The path to the certificate database.
986
987 Default:
988
989 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
990 CA certificates in PEM format)
991
992
993 pam_cert_verification (string)
994 With this parameter the PAM certificate verification can be tuned
995 with a comma separated list of options that override the
996 “certificate_verification” value in the “[sssd]” section. The
997 supported options are the same as for “certificate_verification”.
998
999 example:
1000
1001 pam_cert_verification = partial_chain
1002
1003
1004 Default: not set, i.e. use default “certificate_verification”
1005 option defined in “[sssd]” section.
1006
1007 p11_child_timeout (integer)
1008 How many seconds will pam_sss wait for p11_child to finish.
1009
1010 Default: 10
1011
1012 pam_app_services (string)
1013 Which PAM services are permitted to contact domains of type
1014 “application”
1015
1016 Default: Not set
1017
1018 pam_p11_allowed_services (integer)
1019 A comma-separated list of PAM service names for which it will be
1020 allowed to use Smartcards.
1021
1022 It is possible to add another PAM service name to the default set
1023 by using “+service_name” or to explicitly remove a PAM service name
1024 from the default set by using “-service_name”. For example, in
1025 order to replace a default PAM service name for authentication with
1026 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
1027 “my_pam_service”), you would use the following configuration:
1028
1029 pam_p11_allowed_services = +my_pam_service, -login
1030
1031
1032 Default: the default set of PAM service names includes:
1033
1034 • login
1035
1036 • su
1037
1038 • su-l
1039
1040 • gdm-smartcard
1041
1042 • gdm-password
1043
1044 • kdm
1045
1046 • sudo
1047
1048 • sudo-i
1049
1050 • gnome-screensaver
1051
1052
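Both pam_response_filter and pam_p11_allowed_services use the same merging rule: a list of '+'/'-' prefixed entries edits the default set, an unprefixed list replaces it, and mixing the two is an error. The following is an added example, not SSSD code, that implements that rule against the defaults listed on this page and adds a matcher for the three ENV filter forms of pam_response_filter; the function names are the example's own.

```python
# Added example (not SSSD code): the '+'/'-' list merging rule shared by
# pam_response_filter and pam_p11_allowed_services, plus a matcher for the
# ENV filter forms. The default lists are the ones documented on this page.
from typing import List

DEFAULT_PAM_RESPONSE_FILTER = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
DEFAULT_PAM_P11_ALLOWED_SERVICES = [
    "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm",
    "sudo", "sudo-i", "gnome-screensaver",
]


def merge_list_option(value: str, defaults: List[str]) -> List[str]:
    """Resolve a comma separated option value against its default list.

    Entries all prefixed with '+'/'-' are added to / removed from the
    defaults; entries without any prefix replace the defaults entirely.
    Mixing both styles is an error, as the page states.
    """
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not items:
        return list(defaults)
    prefixed = [s[0] in "+-" for s in items]
    if all(prefixed):
        result = list(defaults)
        for item in items:
            name = item[1:]
            if item[0] == "+" and name not in result:
                result.append(name)
            elif item[0] == "-" and name in result:
                result.remove(name)
        return result
    if any(prefixed):
        raise ValueError("mixing '+'/'-' prefixed and plain entries: %r" % value)
    return items


def env_var_filtered(filters: List[str], var_name: str, service: str) -> bool:
    """True if the PAM responder would withhold var_name from service.

    Filter forms: 'ENV' (all variables, all services), 'ENV:var' (one
    variable, all services), 'ENV:var:service' (one variable, one service).
    """
    for flt in filters:
        parts = flt.split(":")
        if parts[0] != "ENV":
            continue  # no other filter kinds are described on this page
        if len(parts) == 1:
            return True
        if parts[1] != var_name:
            continue
        if len(parts) == 2 or parts[2] == service:
            return True
    return False
```

The page's own examples fall out directly: "-ENV:KRB5CCNAME:sudo-i" leaves only the sudo filter in place, and "+my_pam_service, -login" swaps login for the custom service name in the Smartcard service set.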
1053 p11_wait_for_card_timeout (integer)
1054 If Smartcard authentication is required how many extra seconds in
1055 addition to p11_child_timeout should the PAM responder wait until a
1056 Smartcard is inserted.
1057
1058 Default: 60
1059
1060 p11_uri (string)
1061 PKCS#11 URI (see RFC-7512 for details) which can be used to
1062 restrict the selection of devices used for Smartcard
1063 authentication. By default SSSD's p11_child will search for a
1064 PKCS#11 slot (reader) where the 'removable' flag is set and read
1065 the certificates from the token inserted in the first slot found.
1066 If multiple readers are connected, p11_uri can be used to tell
1067 p11_child to use a specific reader.
1068
1069 Example:
1070
1071 p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1072
1073
1074 or
1075
1076 p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1077
1078
1079 To find a suitable URI please check the debug output of p11_child. As
1080 an alternative, the GnuTLS utility 'p11tool' with e.g. the
1081 '--list-all' option will show PKCS#11 URIs as well.
1082
1083 Default: none
1084
1085 pam_initgroups_scheme
1086 The PAM responder can force an online lookup to get the current
1087 group memberships of the user trying to log in. This option
1088 controls when this should be done and the following values are
1089 allowed:
1090
1091 always
1092 Always do an online lookup, please note that pam_id_timeout
1093 still applies
1094
1095 no_session
1096 Only do an online lookup if there is no active session of the
1097 user, i.e. if the user is currently not logged in
1098
1099 never
1100 Never force an online lookup, use the data from the cache as
1101 long as they are not expired
1102
1103 Default: no_session
1104
1105 pam_gssapi_services
1106 Comma separated list of PAM services that are allowed to try GSSAPI
1107 authentication using pam_sss_gss.so module.
1108
1109 To disable GSSAPI authentication, set this option to “-” (dash).
1110
1111 Note: This option can also be set per-domain which overwrites the
1112 value in [pam] section. It can also be set for trusted domain which
1113 overwrites the value in the domain section.
1114
1115 Example:
1116
1117 pam_gssapi_services = sudo, sudo-i
1118
1119
1120 Default: - (GSSAPI authentication is disabled)
1121
1122 pam_gssapi_check_upn
1123 If True, SSSD will require that the Kerberos user principal that
1124 successfully authenticated through GSSAPI can be associated with
1125 the user who is being authenticated. Authentication will fail if
1126 the check fails.
1127
1128 If False, every user that is able to obtain the required service
1129 ticket will be authenticated.
1130
1131 Note: This option can also be set per-domain which overwrites the
1132 value in [pam] section. It can also be set for trusted domain which
1133 overwrites the value in the domain section.
1134
1135 Default: True
1136
1137 pam_gssapi_indicators_map
1138 Comma separated list of authentication indicators required to be
1139 present in a Kerberos ticket to access a PAM service that is
1140 allowed to try GSSAPI authentication using pam_sss_gss.so module.
1141
1142 Each element of the list can be either an authentication indicator
1143 name or a pair “service:indicator”. Indicators not prefixed with
1144 the PAM service name will be required to access any PAM service
1145 configured to be used with pam_gssapi_services. A resulting list of
1146 indicators per PAM service is then checked against indicators in
1147 the Kerberos ticket during authentication by pam_sss_gss.so. Any
1148 indicator from the ticket that matches the resulting list of
1149 indicators for the PAM service would grant access. If none of the
1150 indicators in the list match, access will be denied. If the
1151 resulting list of indicators for the PAM service is empty, the
1152 check will not prevent the access.
1153
1154 To disable GSSAPI authentication indicator check, set this option
1155 to “-” (dash). To disable the check for a specific PAM service, add
1156 “service:-”.
1157
1158 Note: This option can also be set per-domain which overwrites the
1159 value in [pam] section. It can also be set for trusted domain which
1160 overwrites the value in the domain section.
1161
1162 The following authentication indicators are supported by IPA Kerberos
1163 deployments:
1164
1165 • pkinit -- pre-authentication using X.509 certificates --
1166 whether stored in files or on smart cards.
1167
1168 • hardened -- SPAKE pre-authentication or any pre-authentication
1169 wrapped in a FAST channel.
1170
1171 • radius -- pre-authentication with the help of a RADIUS server.
1172
1173 • otp -- pre-authentication using integrated two-factor
1174 authentication (2FA or one-time password, OTP) in IPA.
1175
1176 • idp -- pre-authentication using external identity provider.
1177
1178 Example: to restrict access to the sudo services to users which
1179 obtained their Kerberos tickets with an X.509 certificate
1180 pre-authentication (PKINIT), set
1181
1182 pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1183
1184
1185 Default: not set (use of authentication indicators is not required)
1186
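The rules above (global indicators apply to every GSSAPI-enabled service, "service:indicator" adds to that service, "-" and "service:-" disable the check, an empty resulting list allows, any match grants) are easy to get wrong when reading a long option value. The following is an added example, not SSSD code, that parses a pam_gssapi_indicators_map value and applies the check to constructed ticket indicator lists; the IndicatorsMap class is the example's own.

```python
# Added example (not SSSD code): parsing pam_gssapi_indicators_map and the
# per-service check the page describes. Ticket contents below are constructed.
from typing import Dict, List, Optional


class IndicatorsMap:
    """Resolved view of one pam_gssapi_indicators_map value."""

    def __init__(self, value: Optional[str]) -> None:
        self.enabled = True                 # False once '-' was given
        self.global_indicators: List[str] = []
        self.per_service: Dict[str, Optional[List[str]]] = {}  # None = 'svc:-'
        if value is None or not value.strip():
            return                          # not set: nothing is required
        value = value.strip()
        if value == "-":
            self.enabled = False
            return
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if ":" in item:
                service, indicator = item.split(":", 1)
                if indicator == "-":
                    self.per_service[service] = None
                elif self.per_service.get(service, []) is not None:
                    self.per_service.setdefault(service, []).append(indicator)
            else:
                self.global_indicators.append(item)

    def required_for(self, service: str) -> Optional[List[str]]:
        """Acceptable indicators for a service, or None when the check is off."""
        if not self.enabled:
            return None
        specific = self.per_service.get(service, [])
        if specific is None:
            return None
        return self.global_indicators + specific

    def allows(self, service: str, ticket_indicators: List[str]) -> bool:
        """True if a ticket carrying ticket_indicators may use the service."""
        required = self.required_for(service)
        if required is None or not required:
            return True                     # disabled or empty list: no restriction
        return any(ind in required for ind in ticket_indicators)
```

Keep in mind that this check is only reached for services listed in pam_gssapi_services; a service absent from that list never attempts GSSAPI authentication regardless of the indicators map.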
1187 SUDO configuration options
1188 These options can be used to configure the sudo service. The detailed
1189 instructions for configuration of sudo(8) to work with sssd(8) are in
1190 the manual page sssd-sudo(5).
1191
1192 sudo_timed (bool)
1193 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1194 attributes that implement time-dependent sudoers entries.
1195
1196 Default: false
1197
1198 sudo_threshold (integer)
1199 Maximum number of expired rules that can be refreshed at once. If
1200 the number of expired rules is below the threshold, those rules are
1201 refreshed with the “rules refresh” mechanism. If the threshold is
1202 exceeded, a “full refresh” of sudo rules is triggered instead. This
1203 threshold number also applies to IPA sudo command and command group
1204 searches.
1205
1206 Default: 50
1207
1208 AUTOFS configuration options
1209 These options can be used to configure the autofs service.
1210
1211 autofs_negative_timeout (integer)
1212 Specifies for how many seconds the autofs responder should keep
1213 negative cache hits (that is, queries for invalid map entries, like
1214 nonexistent ones) before asking the back end again.
1215
1216 Default: 15
1217
1218 Please note that the automounter only reads the master map on startup,
1219 so if any autofs-related changes are made to the sssd.conf, you
1220 typically also need to restart the automounter daemon after restarting
1221 the SSSD.
1222
1223 SSH configuration options
1224 These options can be used to configure the SSH service.
1225
1226 ssh_hash_known_hosts (bool)
1227 Whether or not to hash host names and addresses in the managed
1228 known_hosts file.
1229
1230 Default: false
1231
1232 ssh_known_hosts_timeout (integer)
1233 How many seconds to keep a host in the managed known_hosts file
1234 after its host keys were requested.
1235
1236 Default: 180
1237
1238 ssh_use_certificate_keys (bool)
1239 If set to true the sss_ssh_authorizedkeys will return ssh keys
1240 derived from the public key of X.509 certificates stored in the
1241 user entry as well. See sss_ssh_authorizedkeys(1) for details.
1242
1243 Default: true
1244
1245 ssh_use_certificate_matching_rules (string)
1246 By default the ssh responder will use all available certificate
1247 matching rules to filter the certificates so that ssh keys are only
1248 derived from the matching ones. With this option the used rules can
1249 be restricted with a comma separated list of mapping and matching
1250 rule names. All other rules will be ignored.
1251
1252 There are two special key words 'all_rules' and 'no_rules' which
1253 will enable all or no rules, respectively. The latter means that no
1254 certificates will be filtered out and ssh keys will be generated
1255 from all valid certificates.
1256
1257 If no rules are configured, using 'all_rules' will enable a default
1258 rule which accepts all certificates suitable for client
1259 authentication. This is the same behavior as for the PAM responder
1260 if certificate authentication is enabled.
1261
1262 A non-existing rule name is considered an error. If as a result no
1263 rule is selected all certificates will be ignored.
1264
1265 Default: not set, equivalent to 'all_rules', all found rules or the
1266 default rule are used
1267
1268 ca_db (string)
1269 Path to a storage of trusted CA certificates. The option is used to
1270 validate user certificates before deriving public ssh keys from
1271 them.
1272
1273 Default:
1274
1275 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1276 CA certificates in PEM format)
1277
1278
1279 PAC responder configuration options
1280 The PAC responder works together with the authorization data plugin for
1281 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1282 sends the PAC data during a GSSAPI authentication to the PAC responder.
1283 The sub-domain provider collects domain SID and ID ranges of the domain
1284 the client is joined to and of remote trusted domains from the local
1285 domain controller. If the PAC is decoded and evaluated some of the
1286 following operations are done:
1287
1288 • If the remote user does not exist in the cache, it is created. The
1289 UID is determined with the help of the SID, trusted domains will
1290 have UPGs and the GID will have the same value as the UID. The home
1291 directory is set based on the subdomain_homedir parameter. The
1292 shell will be empty by default, i.e. the system defaults are used,
1293 but can be overwritten with the default_shell parameter.
1294
1295 • If there are SIDs of groups from domains sssd knows about, the user
1296 will be added to those groups.
1297
1298 These options can be used to configure the PAC responder.
1299
1300 allowed_uids (string)
1301 Specifies the comma-separated list of UID values or user names that
1302 are allowed to access the PAC responder. User names are resolved to
1303 UIDs at startup.
1304
1305 Default: 0 (only the root user is allowed to access the PAC
1306 responder)
1307
1308 Please note that although the UID 0 is used as the default it will
1309 be overwritten with this option. If you still want to allow the
1310 root user to access the PAC responder, which would be the typical
1311 case, you have to add 0 to the list of allowed UIDs as well.
1312
1313 pac_lifetime (integer)
1314 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1315 the PAC data can be used to determine the group memberships of a
1316 user.
1317
1318 Default: 300
1319
1320 pac_check (string)
1321 Apply additional checks on the PAC of the Kerberos ticket which is
1322 available in Active Directory and FreeIPA domains, if configured.
1323 The following options can be used alone or in a comma-separated
1324 list:
1325
1326 no_check
1327 The PAC need not be present, and even if it is present no
1328 additional checks will be done.
1329
1330 pac_present
1331 The PAC must be present in the service ticket which SSSD will
1332 request with the help of the user's TGT. If the PAC is not
1333 available the authentication will fail.
1334
1335 check_upn
1336 If the PAC is present check if the user principal name (UPN)
1337 information is consistent.
1338
1339 upn_dns_info_present
1340 The PAC must contain the UPN-DNS-INFO buffer, implies
1341 'check_upn'.
1342
1343 check_upn_dns_info_ex
1344 If the PAC is present and the extension to the UPN-DNS-INFO
1345 buffer is available check if the information in the extension
1346 is consistent.
1347
1348 upn_dns_info_ex_present
1349 The PAC must contain the extension of the UPN-DNS-INFO buffer,
1350 implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
1351 'check_upn'.
1352
1353 Default: no_check (AD and IPA provider 'check_upn,
1354 check_upn_dns_info_ex')
1355
1356 Session recording configuration options
1357 Session recording works in conjunction with tlog-rec-session(8), a part
1358 of tlog package, to log what users see and type when they log in on a
1359 text terminal. See also sssd-session-recording(5).
1360
1361 These options can be used to configure session recording.
1362
1363 scope (string)
1364 One of the following strings specifying the scope of session
1365 recording:
1366
1367 "none"
1368 No users are recorded.
1369
1370 "some"
1371 Users/groups specified by users and groups options are
1372 recorded.
1373
1374 "all"
1375 All users are recorded.
1376
1377 Default: "none"
1378
1379 users (string)
1380 A comma-separated list of users which should have session recording
1381 enabled. Matches user names as returned by NSS, i.e. after the
1382 possible space replacement, case changes, etc.
1383
1384 Default: Empty. Matches no users.
1385
1386 groups (string)
1387 A comma-separated list of groups, members of which should have
1388 session recording enabled. Matches group names as returned by NSS,
1389 i.e. after the possible space replacement, case changes, etc.
1390
1391 NOTE: using this option (having it set to anything) has a
1392 considerable performance cost, because each uncached request for a
1393 user requires retrieving and matching the groups the user is member
1394 of.
1395
1396 Default: Empty. Matches no groups.
1397
1398 exclude_users (string)
1399 A comma-separated list of users to be excluded from recording, only
1400 applicable with 'scope=all'.
1401
1402 Default: Empty. No users excluded.
1403
1404 exclude_groups (string)
1405 A comma-separated list of groups, members of which should be
1406 excluded from recording. Only applicable with 'scope=all'.
1407
1408 NOTE: using this option (having it set to anything) has a
1409 considerable performance cost, because each uncached request for a
1410 user requires retrieving and matching the groups the user is member
1411 of.
1412
1413 Default: Empty. No groups excluded.
1414
1416 These configuration options can be present in a domain configuration
1417 section, that is, in a section called “[domain/NAME]”
1418
1419 enabled
1420 Explicitly enable or disable the domain. If “true”, the domain is
1421 always “enabled”. If “false”, the domain is always “disabled”. If
1422 this option is not set, the domain is enabled only if it is listed
1423 in the domains option in the “[sssd]” section.
1424
1425 domain_type (string)
1426 Specifies whether the domain is meant to be used by POSIX-aware
1427 clients such as the Name Service Switch or by applications that do
1428 not need POSIX data to be present or generated. Only objects from
1429 POSIX domains are available to the operating system interfaces and
1430 utilities.
1431
1432 Allowed values for this option are “posix” and “application”.
1433
1434 POSIX domains are reachable by all services. Application domains
1435 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1436 and the PAM responder.
1437
1438 NOTE: The application domains are currently well tested with
1439 “id_provider=ldap” only.
1440
1441 For an easy way to configure a non-POSIX domain, please see the
1442 “Application domains” section.
1443
1444 Default: posix
1445
1446 min_id,max_id (integer)
1447 UID and GID limits for the domain. If a domain contains an entry
1448 that is outside these limits, it is ignored.
1449
1450 For users, this affects the primary GID limit. The user will not be
1451 returned to NSS if either the UID or the primary GID is outside the
1452 range. For non-primary group memberships, those that are in range
1453 will be reported as expected.
1454
1455 These ID limits affect even saving entries to cache, not only
1456 returning them by name or ID.
1457
1458 Default: 1 for min_id, 0 (no limit) for max_id
1459
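The paragraph above states three separate rules (UID in range, primary GID in range, secondary groups filtered one by one). The following is an added example, not SSSD code, that applies them to a constructed user entry so the effect on what NSS returns can be seen; the entry layout and function names are the example's own.

```python
# Added example (not SSSD code): the min_id/max_id filtering rule applied to
# a constructed user entry. Secondary groups are (name, gid) tuples.
from typing import Dict, Optional


def id_in_range(value: int, min_id: int = 1, max_id: int = 0) -> bool:
    """max_id == 0 means no upper limit; min_id defaults to 1 as documented."""
    return value >= min_id and (max_id == 0 or value <= max_id)


def apply_id_limits(user: Dict, min_id: int = 1, max_id: int = 0) -> Optional[Dict]:
    """Return the entry as NSS would see it, or None if it must be ignored.

    Both the UID and the primary GID must be in range for the user to be
    returned at all; secondary group memberships are filtered individually.
    """
    if not id_in_range(user["uid"], min_id, max_id):
        return None
    if not id_in_range(user["gid"], min_id, max_id):
        return None
    groups = [(name, gid) for name, gid in user["groups"]
              if id_in_range(gid, min_id, max_id)]
    return {"name": user["name"], "uid": user["uid"],
            "gid": user["gid"], "groups": groups}
```

Because the limits also apply when entries are saved to the cache, an out-of-range user is not merely hidden from getent but never stored, which matters when a range is later widened: such users only appear after a fresh lookup.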
1460 enumerate (bool)
1461 Determines if a domain can be enumerated, that is, whether the
1462 domain can list all the users and groups it contains. Note that it
1463 is not required to enable enumeration in order for secondary groups
1464 to be displayed. This parameter can have one of the following
1465 values:
1466
1467 TRUE = Users and groups are enumerated
1468
1469 FALSE = No enumerations for this domain
1470
1471 Default: FALSE
1472
1473 Enumerating a domain requires SSSD to download and store ALL user
1474 and group entries from the remote server.
1475
1476 Note: Enabling enumeration has a moderate performance impact on
1477 SSSD while enumeration is running. It may take up to several
1478 minutes after SSSD startup to fully complete enumerations. During
1479 this time, individual requests for information will go directly to
1480 LDAP, though it may be slow, due to the heavy enumeration
1481 processing. Saving a large number of entries to cache after the
1482 enumeration completes might also be CPU intensive as the
1483 memberships have to be recomputed. This can lead to the “sssd_be”
1484 process becoming unresponsive or even restarted by the internal
1485 watchdog.
1486
1487 While the first enumeration is running, requests for the complete
1488 user or group lists may return no results until it completes.
1489
1490 Further, enabling enumeration may increase the time necessary to
1491 detect network disconnection, as longer timeouts are required to
1492 ensure that enumeration lookups are completed successfully. For
1493 more information, refer to the man pages for the specific
1494 id_provider in use.
1495
1496 For the reasons cited above, enabling enumeration is not
1497 recommended, especially in large environments.
1498
1499 subdomain_enumerate (string)
1500 Whether any of autodetected trusted domains should be enumerated.
1501 The supported values are:
1502
1503 all
1504 All discovered trusted domains will be enumerated
1505
1506 none
1507 No discovered trusted domains will be enumerated
1508
1509 Optionally, a list of one or more domain names can enable
1510 enumeration just for these trusted domains.
1511
1512 Default: none
1513
1514 entry_cache_timeout (integer)
1515 How many seconds should nss_sss consider entries valid before
1516 asking the backend again
1517
1518 The cache expiration timestamps are stored as attributes of
1519 individual objects in the cache. Therefore, changing the cache
1520 timeout only has effect for newly added or expired entries. You
1521 should run the sss_cache(8) tool in order to force refresh of
1522 entries that have already been cached.
1523
1524 Default: 5400
1525
1526 entry_cache_user_timeout (integer)
1527 How many seconds should nss_sss consider user entries valid before
1528 asking the backend again
1529
1530 Default: entry_cache_timeout
1531
1532 entry_cache_group_timeout (integer)
1533 How many seconds should nss_sss consider group entries valid before
1534 asking the backend again
1535
1536 Default: entry_cache_timeout
1537
1538 entry_cache_netgroup_timeout (integer)
1539 How many seconds should nss_sss consider netgroup entries valid
1540 before asking the backend again
1541
1542 Default: entry_cache_timeout
1543
1544 entry_cache_service_timeout (integer)
1545 How many seconds should nss_sss consider service entries valid
1546 before asking the backend again
1547
1548 Default: entry_cache_timeout
1549
1550 entry_cache_resolver_timeout (integer)
1551 How many seconds should nss_sss consider hosts and networks entries
1552 valid before asking the backend again
1553
1554 Default: entry_cache_timeout
1555
1556 entry_cache_sudo_timeout (integer)
1557 How many seconds should sudo consider rules valid before asking the
1558 backend again
1559
1560 Default: entry_cache_timeout
1561
1562 entry_cache_autofs_timeout (integer)
1563 How many seconds should the autofs service consider automounter
1564 maps valid before asking the backend again
1565
1566 Default: entry_cache_timeout
1567
1568 entry_cache_ssh_host_timeout (integer)
1569 How many seconds to keep a host ssh key after refresh, i.e. how long
1570 to cache the host key for.
1571
1572 Default: entry_cache_timeout
1573
1574 entry_cache_computer_timeout (integer)
1575 How many seconds to keep the local computer entry before asking the
1576 backend again
1577
1578 Default: entry_cache_timeout
1579
1580 refresh_expired_interval (integer)
1581 Specifies how many seconds SSSD has to wait before triggering a
1582 background refresh task which will refresh all expired or nearly
1583 expired records.
1584
1585 The background refresh will process users, groups and netgroups in
1586 the cache. For users who have performed the initgroups (get group
1587 membership for user, typically run at login) operation in the past,
1588 both the user entry and the group membership are updated.
1589
1590 This option is automatically inherited for all trusted domains.
1591
1592 You can consider setting this value to 3/4 * entry_cache_timeout.
1593
1594 A cache entry will be refreshed by the background task when 2/3 of its
1595 cache timeout has already passed. If there are existing cached entries,
1596 the background task will refer to their original cache timeout
1597 values instead of the current configuration value. This may lead to a
1598 situation in which the background refresh task appears not to be
1599 working. This is done by design to improve offline mode operation
1600 and reuse of existing valid cache entries. To make the change take
1601 effect immediately, the user may want to manually invalidate the
1602 existing cache.
1602
1603 Default: 0 (disabled)
1604
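The "appears to not be working" situation described above comes from the refresh task using the timeout stored with each entry, not the current entry_cache_timeout. The following is an added example, not SSSD code, that computes which constructed entries a refresh run would pick up under that rule and the page's 3/4 rule of thumb; the entry layout and function names are the example's own.

```python
# Added example (not SSSD code): which cache entries the background task
# started by refresh_expired_interval would pick up, using the timeout stored
# with each entry rather than the current entry_cache_timeout.
from typing import Dict, List


def refresh_due(cached_at: int, stored_timeout: int, now: int) -> bool:
    """An entry is refreshed once 2/3 of its own cache timeout has passed.

    Integer arithmetic: elapsed >= 2/3 * timeout  <=>  3*elapsed >= 2*timeout.
    """
    return 3 * (now - cached_at) >= 2 * stored_timeout


def background_refresh_candidates(entries: List[Dict], now: int) -> List[str]:
    """Names of the constructed entries that are due for a refresh at 'now'."""
    return [e["name"] for e in entries
            if refresh_due(e["cached_at"], e["cache_timeout"], now)]


def suggested_refresh_expired_interval(entry_cache_timeout: int) -> int:
    """The page's rule of thumb: 3/4 of entry_cache_timeout, in seconds."""
    return entry_cache_timeout * 3 // 4
```

In the constructed scenario used in the checks, "alice" was cached while entry_cache_timeout was still 5400 and "bob" after it was lowered to 600: at 450 seconds only bob is due, and alice is not touched until 3600 seconds have passed, exactly the lag an administrator would observe after changing the timeout without running sss_cache(8).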
1605 cache_credentials (bool)
1606 Determines if user credentials are also cached in the local LDB
1607 cache
1608
1609 User credentials are stored in a SHA512 hash, not in plaintext
1610
1611 Default: FALSE
1612
1613 cache_credentials_minimal_first_factor_length (int)
1614 If 2-Factor-Authentication (2FA) is used and credentials should be
1615 saved this value determines the minimal length the first
1616 authentication factor (long term password) must have to be saved as
1617 SHA512 hash into the cache.
1618
1619 This should prevent the short PINs of a PIN based 2FA scheme from
1620 being saved in the cache, where they would be easy targets for
1621 brute-force attacks.
1622
1623 Default: 8
1624
1625 account_cache_expiration (integer)
1626 Number of days entries are left in cache after last successful
1627 login before being removed during a cleanup of the cache. 0 means
1628 keep forever. The value of this parameter must be greater than or
1629 equal to offline_credentials_expiration.
1630
1631 Default: 0 (unlimited)
1632
1633 pwd_expiration_warning (integer)
1634 Display a warning N days before the password expires.
1635
1636 If zero is set, then this filter is not applied, i.e. if the
1637 expiration warning was received from backend server, it will
1638 automatically be displayed.
1639
1640 Please note that the backend server has to provide information
1641 about the expiration time of the password. If this information is
1642 missing, sssd cannot display a warning. Also an auth provider has
1643 to be configured for the backend.
1644
1645 Default: 7 (Kerberos), 0 (LDAP)
1646
1647 id_provider (string)
1648 The identification provider used for the domain. Supported ID
1649 providers are:
1650
1651 “proxy”: Support a legacy NSS provider.
1652
1653 “files”: FILES provider. See sssd-files(5) for more information on
1654 how to mirror local users and groups into SSSD.
1655
1656 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1657 configuring LDAP.
1658
1659 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1660 See sssd-ipa(5) for more information on configuring FreeIPA.
1661
1662 “ad”: Active Directory provider. See sssd-ad(5) for more
1663 information on configuring Active Directory.
1664
1665 use_fully_qualified_names (bool)
1666 Use the full name and domain (as formatted by the domain's
1667 full_name_format) as the user's login name reported to NSS.
1668
1669 If set to TRUE, all requests to this domain must use fully
1670 qualified names. For example, if used in a LOCAL domain that contains
1671 a "test" user, “getent passwd test” wouldn't find the user while
1672 “getent passwd test@LOCAL” would.
1673
1674 NOTE: This option has no effect on netgroup lookups due to their
1675 tendency to include nested netgroups without qualified names. For
1676 netgroups, all domains will be searched when an unqualified name is
1677 requested.
1678
1679 Default: FALSE (TRUE for trusted domain/sub-domains or if
1680 default_domain_suffix is used)
1681
1682 ignore_group_members (bool)
1683 Do not return group members for group lookups.
1684
1685 If set to TRUE, the group membership attribute is not requested
1686 from the ldap server, and group members are not returned when
1687 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1688 As an effect, “getent group $groupname” would return the requested
1689 group as if it was empty.
1690
1691 Enabling this option can also make access provider checks for group
1692 membership significantly faster, especially for groups containing
1693 many members.
1694
1695 Default: FALSE
1696
1697 auth_provider (string)
1698 The authentication provider used for the domain. Supported auth
1699 providers are:
1700
1701 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1702 information on configuring LDAP.
1703
1704 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1705 information on configuring Kerberos.
1706
1707 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1708 See sssd-ipa(5) for more information on configuring FreeIPA.
1709
1710 “ad”: Active Directory provider. See sssd-ad(5) for more
1711 information on configuring Active Directory.
1712
1713 “proxy” for relaying authentication to some other PAM target.
1714
1715 “none” disables authentication explicitly.
1716
1717 Default: “id_provider” is used if it is set and can handle
1718 authentication requests.
1719
1720 access_provider (string)
1721 The access control provider used for the domain. There are two
1722 built-in access providers (in addition to any included in installed
1723 backends). Internal special providers are:
1724
1725 “permit” always allows access. It's the only permitted access
1726 provider for a local domain.
1727
1728 “deny” always denies access.
1729
1730 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1731 information on configuring LDAP.
1732
1733 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1734 See sssd-ipa(5) for more information on configuring FreeIPA.
1735
1736 “ad”: Active Directory provider. See sssd-ad(5) for more
1737 information on configuring Active Directory.
1738
1739 “simple” access control based on access or deny lists. See sssd-
1740 simple(5) for more information on configuring the simple access
1741 module.
1742
1743 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1744 information on configuring Kerberos.
1745
1746 “proxy” for relaying access control to another PAM module.
1747
1748 Default: “permit”
1749
1750 chpass_provider (string)
1751 The provider which should handle change password operations for the
1752 domain. Supported change password providers are:
1753
1754 “ldap” to change a password stored in a LDAP server. See sssd-
1755 ldap(5) for more information on configuring LDAP.
1756
1757 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1758 information on configuring Kerberos.
1759
1760 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1761 See sssd-ipa(5) for more information on configuring FreeIPA.
1762
1763 “ad”: Active Directory provider. See sssd-ad(5) for more
1764 information on configuring Active Directory.
1765
1766 “proxy” for relaying password changes to some other PAM target.
1767
1768 “none” disallows password changes explicitly.
1769
1770 Default: “auth_provider” is used if it is set and can handle change
1771 password requests.
1772
1773 sudo_provider (string)
1774 The SUDO provider used for the domain. Supported SUDO providers
1775 are:
1776
1777 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1778 information on configuring LDAP.
1779
1780 “ipa” the same as “ldap” but with IPA default settings.
1781
1782 “ad” the same as “ldap” but with AD default settings.
1783
1784 “none” disables SUDO explicitly.
1785
1786 Default: The value of “id_provider” is used if it is set.
1787
1788 The detailed instructions for configuration of sudo_provider are in
1789 the manual page sssd-sudo(5). There are many configuration options
1790 that can be used to adjust the behavior. Please refer to
1791 "ldap_sudo_*" in sssd-ldap(5).
1792
1793 NOTE: Sudo rules are periodically downloaded in the background
1794 unless the sudo provider is explicitly disabled. Set sudo_provider
1795 = None to disable all sudo-related activity in SSSD if you do not
1796 want to use sudo with SSSD at all.
1797
1798 selinux_provider (string)
1799 The provider which should handle loading of selinux settings. Note
1800 that this provider is called right after the access provider finishes.
1801 Supported selinux providers are:
1802
1803 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1804 for more information on configuring IPA.
1805
1806 “none” disallows fetching selinux settings explicitly.
1807
1808 Default: “id_provider” is used if it is set and can handle selinux
1809 loading requests.
1810
1811 subdomains_provider (string)
1812 The provider which should handle fetching of subdomains. This value
1813 should always be the same as id_provider. Supported subdomain
1814 providers are:
1815
1816 “ipa” to load a list of subdomains from an IPA server. See sssd-
1817 ipa(5) for more information on configuring IPA.
1818
1819 “ad” to load a list of subdomains from an Active Directory server.
1820 See sssd-ad(5) for more information on configuring the AD provider.
1821
1822 “none” disallows fetching subdomains explicitly.
1823
1824 Default: The value of “id_provider” is used if it is set.
1825
1826 session_provider (string)
1827 The provider which configures and manages user session related
1828 tasks. The only user session task currently provided is the
1829 integration with Fleet Commander, which works only with IPA.
1830 Supported session providers are:
1831
1832 “ipa” to allow performing user session related tasks.
1833
1834 “none” does not perform any kind of user session related tasks.
1835
1836 Default: “id_provider” is used if it is set and can perform session
1837 related tasks.
1838
1839 NOTE: In order to have this feature working as expected SSSD must
1840 be running as "root" and not as the unprivileged user.
1841
1842 autofs_provider (string)
1843 The autofs provider used for the domain. Supported autofs providers
1844 are:
1845
1846 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1847 information on configuring LDAP.
1848
1849 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1850 more information on configuring IPA.
1851
1852 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1853 information on configuring the AD provider.
1854
1855 “none” disables autofs explicitly.
1856
1857 Default: The value of “id_provider” is used if it is set.
1858
1859 hostid_provider (string)
1860 The provider used for retrieving host identity information.
1861 Supported hostid providers are:
1862
1863 “ipa” to load host identity stored in an IPA server. See sssd-
1864 ipa(5) for more information on configuring IPA.
1865
1866 “none” disables hostid explicitly.
1867
1868 Default: The value of “id_provider” is used if it is set.
1869
1870 resolver_provider (string)
1871 The provider which should handle hosts and networks lookups.
1872 Supported resolver providers are:
1873
1874 “proxy” to forward lookups to another NSS library. See
1875 “proxy_resolver_lib_name”
1876
1877 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1878 for more information on configuring LDAP.
1879
1880 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1881 more information on configuring the AD provider.
1882
1883 “none” disallows fetching hosts and networks explicitly.
1884
1885 Default: The value of “id_provider” is used if it is set.
1886
1887 re_expression (string)
1888 Regular expression for this domain that describes how to parse the
1889 string containing user name and domain into these components. The
1890 "domain" can match either the SSSD configuration domain name, or,
1891 in the case of IPA trust subdomains and Active Directory domains,
1892 the flat (NetBIOS) name of the domain.
1893
1894 Default for the AD and IPA provider:
1895 “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?P<name>[^@\\]+)$))”
1896 which allows three different styles for user names:
1897
1898 • username
1899
1900 • username@domain.name
1901
1902 • domain\username
1903
1904 While the first two correspond to the general default, the third one
1905 is introduced to allow easy integration of users from Windows
1906 domains.
1907
1908 Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1909 "the name is everything up to the “@” sign, the domain everything
1910 after that"
1911
1912 full_name_format (string)
1913 A printf(3)-compatible format that describes how to compose a fully
1914 qualified name from user name and domain name components.
1915
1916 The following expansions are supported:
1917
1918 %1$s
1919 user name
1920
1921 %2$s
1922 domain name as specified in the SSSD config file.
1923
1924 %3$s
1925 domain flat name. Mostly usable for Active Directory domains,
1926 both directly configured or discovered via IPA trusts.
1927
1928 Default: “%1$s@%2$s”.
1929
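As an added example (not code from the SSSD project), the two default re_expression values and the full_name_format expansions above, implemented in Python. SSSD evaluates the regexes with PCRE, which allows the same group name in several alternatives; Python's re module does not, so the AD/IPA default is restructured with per-branch group names that parse_login() folds back into name and domain, with the original branch order kept.

```python
import re

# re_expression default for the AD and IPA providers, as quoted in the man
# page, rewritten with distinct group names per alternative (Python's re
# rejects duplicate names). Branch order is the original: domain\username,
# then username@domain.name, then a bare username.
AD_IPA_RE = re.compile(
    r"(?:(?P<domain1>[^\\]+)\\(?P<name1>.+$))"   # domain\username
    r"|(?:(?P<name2>.+)@(?P<domain2>[^@]+$))"    # username@domain.name
    r"|(?:^(?P<name3>[^@\\]+)$)"                 # username
)

# Generic re_expression default: name up to the "@", domain after it.
GENERIC_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")


def parse_login(login, ad_style=True):
    """Split a login string into (name, domain) the way the default
    re_expression would. domain is None when the input was unqualified.
    Returns None when neither alternative matches."""
    regex = AD_IPA_RE if ad_style else GENERIC_RE
    m = regex.search(login)
    if m is None:
        return None
    groups = m.groupdict()
    # Exactly one name* group participates in any match; the domain* group
    # of that branch may be absent (bare name) or empty (generic default).
    name = next(v for k, v in groups.items() if k.startswith("name") and v)
    domain = next((v for k, v in groups.items()
                   if k.startswith("domain") and v), None)
    return name, domain


def full_name(fmt, name, domain, flat_name=None):
    """Expand the positional printf fields full_name_format supports:
    %1$s user name, %2$s domain name from sssd.conf, %3$s domain flat name.
    Assumption of this example: a missing flat name expands to ""."""
    fields = {"1": name, "2": domain,
              "3": flat_name if flat_name is not None else ""}
    # The lambda result is inserted literally, so backslashes in the
    # expanded values (e.g. a flat name in DOMAIN\user style) survive.
    return re.sub(r"%([123])\$s", lambda m: fields[m.group(1)], fmt)
```

Note that the backslash branch is tried first, so a login such as `AD\alice@example.com` yields the domain `AD` and the name `alice@example.com` rather than splitting at the `@`.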
1930 lookup_family_order (string)
1931 Provides the ability to select preferred address family to use when
1932 performing DNS lookups.
1933
1934 Supported values:
1935
1936 ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1937
1938 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1939
1940 ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1941
1942 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1943
1944 Default: ipv4_first
1945
1946 dns_resolver_server_timeout (integer)
1947 Defines the amount of time (in milliseconds) SSSD will spend trying
1948 to talk to a DNS server before trying the next DNS server.
1949
1950 The AD provider will use this option for the CLDAP ping timeouts as
1951 well.
1952
1953 Please see the section “FAILOVER” for more information about the
1954 service resolution.
1955
1956 Default: 1000
1957
1958 dns_resolver_op_timeout (integer)
1959 Defines the amount of time (in seconds) to wait for a single DNS
1960 query (e.g. resolution of a hostname or an SRV record) before trying
1961 the next hostname or DNS discovery.
1962
1963 Please see the section “FAILOVER” for more information about the
1964 service resolution.
1965
1966 Default: 3
1967
1987 dns_resolver_timeout (integer)
1988 Defines the amount of time (in seconds) to wait for a reply from
1989 the internal fail over service before assuming that the service is
1990 unreachable. If this timeout is reached, the domain will continue
1991 to operate in offline mode.
1992
1993 Please see the section “FAILOVER” for more information about the
1994 service resolution.
1995
1996 Default: 6
1997
1998 dns_discovery_domain (string)
1999 If service discovery is used in the back end, specifies the domain
2000 part of the service discovery DNS query.
2001
2002 Default: Use the domain part of machine's hostname
2003
2004 override_gid (integer)
2005 Override the primary GID value with the one specified.
2006
2007 case_sensitive (string)
2008 Treat user and group names as case sensitive. Possible option
2009 values are:
2010
2011 True
2012 Case sensitive. This value is invalid for AD provider.
2013
2014 False
2015 Case insensitive.
2016
2017 Preserving
2018 Same as False (case insensitive), but does not lowercase names
2019 in the result of NSS operations. Note that name aliases (and in
2020 case of services also protocol names) are still lowercased in
2021 the output.
2022
2023 If you want to set this value for a trusted domain with the IPA
2024 provider, you need to set it both on the client and in SSSD on the
2025 server.
2026
2027 This option can also be set per subdomain or inherited via
2028 subdomain_inherit.
2029
2030 Default: True (False for AD provider)
2031
2032 subdomain_inherit (string)
2033 Specifies a list of configuration parameters that should be
2034 inherited by a subdomain. Please note that only selected parameters
2035 can be inherited. Currently the following options can be inherited:
2036
2037 ignore_group_members
2038
2039 ldap_purge_cache_timeout
2040
2041 ldap_use_tokengroups
2042
2043 ldap_user_principal
2044
2045 ldap_krb5_keytab (the value of krb5_keytab will be used if
2046 ldap_krb5_keytab is not set explicitly)
2047
2048 auto_private_groups
2049
2050 case_sensitive
2051
2052 Example:
2053
2054 subdomain_inherit = ldap_purge_cache_timeout
2055
2056
2057 Default: none
2058
2059 Note: This option only works with the IPA and AD provider.
2060
2061 subdomain_homedir (string)
2062 Use this homedir as the default value for all subdomains within this
2063 domain in an IPA-AD trust. See override_homedir for the possible
2064 values. In addition to those, the expansion below can only be used
2065 with subdomain_homedir.
2066
2067 %F
2068 flat (NetBIOS) name of a subdomain.
2069
2070 The value can be overridden by override_homedir option.
2071
2072 Default: /home/%d/%u
2073
2074 realmd_tags (string)
2075 Various tags stored by the realmd configuration service for this
2076 domain.
2077
2078 cached_auth_timeout (int)
2079 Specifies the time in seconds since the last successful online
2080 authentication for which the user will be authenticated using cached
2081 credentials while SSSD is in online mode. If the credentials are
2082 incorrect, SSSD falls back to online authentication.
2083
2084 This option's value is inherited by all trusted domains. At the
2085 moment it is not possible to set a different value per trusted
2086 domain.
2087
2088 Special value 0 implies that this feature is disabled.
2089
2090 Please note that if “cached_auth_timeout” is longer than
2091 “pam_id_timeout” then the back end could be called to handle
2092 “initgroups.”
2093
2094 Default: 0
2095
2096 auto_private_groups (string)
2097 This option takes any of three available values:
2098
2099 true
2100 Create user's private group unconditionally from user's UID
2101 number. The GID number is ignored in this case.
2102
2103 NOTE: Because the GID number and the user private group are
2104 inferred from the UID number, it is not supported to have
2105 multiple entries with the same UID or GID number with this
2106 option. In other words, enabling this option enforces
2107 uniqueness across the ID space.
2108
2109 false
2110 Always use the user's primary GID number. The GID number must
2111 refer to a group object in the LDAP database.
2112
2113 hybrid
2114 A primary group is autogenerated for user entries whose UID and
2115 GID numbers have the same value and at the same time the GID
2116 number does not correspond to a real group object in LDAP. If
2117 the values are the same, but the primary GID in the user entry
2118 is also used by a group object, the primary GID of the user
2119 resolves to that group object.
2120
2121 If the UID and GID of a user are different, then the GID must
2122 correspond to a group entry, otherwise the GID is simply not
2123 resolvable.
2124
2125 This feature is useful for environments that wish to stop
2126 maintaining separate group objects for the user private groups,
2127 but also wish to retain the existing user private groups.
2129
2130 For subdomains, the default value is False for subdomains that use
2131 assigned POSIX IDs and True for subdomains that use automatic
2132 ID-mapping.
2133
2134 The value of auto_private_groups can either be set per subdomain
2135 in a subsection, for example:
2136
2137 [domain/forest.domain/sub.domain]
2138 auto_private_groups = false
2139
2140 or globally for all subdomains in the main domain section using the
2141 subdomain_inherit option:
2142
2143 [domain/forest.domain]
2144 subdomain_inherit = auto_private_groups
2145 auto_private_groups = false
2146
2147
2148 Options valid for proxy domains.
2149
2150 proxy_pam_target (string)
2151 The proxy target PAM proxies to.
2152
2153 Default: not set. Take the name of an existing PAM service
2154 configuration, or create a new one, and add that service name here.
2155
2156 proxy_lib_name (string)
2157 The name of the NSS library to use in proxy domains. The NSS
2158 functions searched for in the library are in the form of
2159 _nss_$(libName)_$(function), for example _nss_files_getpwent.
2160
2161 proxy_resolver_lib_name (string)
2162 The name of the NSS library to use for hosts and networks lookups
2163 in proxy domains. The NSS functions searched for in the library are
2164 in the form of _nss_$(libName)_$(function), for example
2165 _nss_dns_gethostbyname2_r.
2166
2167 proxy_fast_alias (boolean)
2168 When a user or group is looked up by name in the proxy provider, a
2169 second lookup by ID is performed to "canonicalize" the name in case
2170 the requested name was an alias. Setting this option to true would
2171 cause the SSSD to perform the ID lookup from cache for performance
2172 reasons.
2173
2174 Default: false
2175
2176 proxy_max_children (integer)
2177 This option specifies the number of pre-forked proxy children. It
2178 is useful for high-load SSSD environments where sssd may run out of
2179 available child slots, which would cause some issues due to the
2180 requests being queued.
2181
2182 Default: 10
2183
2184 Application domains
2185 SSSD, with its D-Bus interface (see sssd-ifp(5)) is appealing to
2186 applications as a gateway to an LDAP directory where users and groups
2187 are stored. However, contrary to the traditional SSSD deployment where
2188 all users and groups either have POSIX attributes or those attributes
2189 can be inferred from the Windows SIDs, in many cases the users and
2190 groups in the application support scenario have no POSIX attributes.
2191 Instead of setting up a “[domain/NAME]” section, the administrator
2192 can set up an “[application/NAME]” section that internally represents
2193 a domain with type “application” and optionally inherits settings
2194 from a traditional SSSD domain.
2195
2196 Please note that the application domain must still be explicitly
2197 enabled in the “domains” parameter so that the lookup order between the
2198 application domain and its POSIX sibling domain is set correctly.
2199
2200 Application domain parameters
2201
2202 inherit_from (string)
2203 The SSSD POSIX-type domain the application domain inherits all
2204 settings from. The application domain can moreover add its own
2205 settings to the application settings that augment or override the
2206 “sibling” domain settings.
2207
2208 Default: Not set
2209
2210 The following example illustrates the use of an application domain. In
2211 this setup, the POSIX domain is connected to an LDAP server and is used
2212 by the OS through the NSS responder. In addition, the application
2213 domain also requests the telephoneNumber attribute, stores it as the
2214 phone attribute in the cache and makes the phone attribute reachable
2215 through the D-Bus interface.
2216
2217 [sssd]
2218 domains = appdom, posixdom
2219
2220 [ifp]
2221 user_attributes = +phone
2222
2223 [domain/posixdom]
2224 id_provider = ldap
2225 ldap_uri = ldap://ldap.example.com
2226 ldap_search_base = dc=example,dc=com
2227
2228 [application/appdom]
2229 inherit_from = posixdom
2230 ldap_user_extra_attrs = phone:telephoneNumber
2231
2233 Some options used in the domain section can also be used in the trusted
2234 domain section, that is, in a section called
2235 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2236 actual joined-to base domain. Please refer to the examples below for
2237 an explanation. Currently supported options in the trusted domain
2238 section are:
2239
2240 ldap_search_base,
2241
2242 ldap_user_search_base,
2243
2244 ldap_group_search_base,
2245
2246 ldap_netgroup_search_base,
2247
2248 ldap_service_search_base,
2249
2250 ldap_sasl_mech,
2251
2252 ad_server,
2253
2254 ad_backup_server,
2255
2256 ad_site,
2257
2258 use_fully_qualified_names,
2259
2260 pam_gssapi_services,
2261
2262 pam_gssapi_check_upn
2263
2264 For more details about these options see their individual description
2265 in the manual page.
2266
2268 To allow authentication with Smartcards and certificates, SSSD must be
2269 able to map certificates to users. This can be done by adding the full
2270 certificate to the LDAP object of the user or to a local override.
2271 While using the full certificate is required for the Smartcard
2272 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2273 details), it might be cumbersome or not even possible to do this for
2274 the general case where local services use PAM for authentication.
2275
2276 To make the mapping more flexible, mapping and matching rules were
2277 added to SSSD (see sss-certmap(5) for details).
2278
2279 A mapping and matching rule can be added to the SSSD configuration in a
2280 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2281 In this section the following options are allowed:
2282
2283 matchrule (string)
2284 Only certificates from the Smartcard which match this rule will be
2285 processed; all others are ignored.
2286
2287 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2288 the Extended Key Usage “clientAuth”
2289
2290 maprule (string)
2291 Defines how the user is found for a given certificate.
2292
2293 Default:
2294
2295 • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2296 providers like “ldap”, “AD” or “ipa”.
2297
2298 • The RULE_NAME for the “files” provider which tries to find a
2299 user with the same name.
2300
2301
2302 domains (string)
2303 Comma separated list of domain names the rule should be applied to.
2304 By default a rule is only valid in the domain configured in sssd.conf.
2305 If the provider supports subdomains this option can be used to add
2306 the rule to subdomains as well.
2307
2308 Default: the configured domain in sssd.conf
2309
2310 priority (integer)
2311 Unsigned integer value defining the priority of the rule. The
2312 higher the number the lower the priority. “0” stands for the
2313 highest priority while “4294967295” is the lowest.
2314
2315 Default: the lowest priority
2316
2317 To make the configuration simple and reduce the amount of configuration
2318 options the “files” provider has some special properties:
2319
2320 • if maprule is not set the RULE_NAME name is assumed to be the name
2321 of the matching user
2322
2323 • if a maprule is used, both a single user name and a template like
2324 “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
2325 e.g. “(username)” or “({subject_rfc822_name.short_name})”
2326
2327 • the “domains” option is ignored
2328
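An added example, not part of sssd.conf(5) or the SSSD code base: a Python reading of the certmap rule semantics described above (default matchrule and maprule, the domains default, priority order, and the files-provider special cases). The sample configuration is constructed from example 3 below with one extra rule, provider_of is an assumed mapping from domain name to id_provider, and matches() is a deliberately simplified evaluation of <ISSUER>, <SUBJECT> and <EKU> against constructed certificate fields, not sss-certmap's full grammar.

```python
import configparser
import re

LOWEST_PRIORITY = 4294967295              # "4294967295" is the lowest priority
DEFAULT_MATCHRULE = "KRB5:<EKU>clientAuth"
DEFAULT_LDAP_MAPRULE = "LDAP:(userCertificate;binary={cert!bin})"

# Constructed sssd.conf fragment: example 3 from the man page plus a rule
# that relies entirely on the documented defaults.
SAMPLE_CONF = """
[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/my.domain/fallback]

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
"""


def load_certmap_rules(conf_text, provider_of):
    """Parse [certmap/DOMAIN_NAME/RULE_NAME] sections and fill in the
    defaults from sssd.conf(5). provider_of (assumed helper) maps a domain
    name to its id_provider, e.g. "ldap", "ad", "ipa" or "files"."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    rules = []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue
        _, domain, rule_name = parts
        sec = cp[section]
        if provider_of.get(domain) == "files":
            # files provider: RULE_NAME is the user name unless maprule is
            # set (in parentheses), and the "domains" option is ignored.
            maprule = sec.get("maprule", f"({rule_name})")
            domains = [domain]
        else:
            maprule = sec.get("maprule", DEFAULT_LDAP_MAPRULE)
            domains = [d.strip() for d in sec.get("domains", domain).split(",")]
        rules.append({
            "name": rule_name,
            "matchrule": sec.get("matchrule", DEFAULT_MATCHRULE),
            "maprule": maprule,
            "domains": domains,
            "priority": int(sec.get("priority", LOWEST_PRIORITY)),
        })
    return rules


def rules_for_domain(rules, domain):
    """Rules applicable to `domain`, highest priority (lowest number) first."""
    return sorted((r for r in rules if domain in r["domains"]),
                  key=lambda r: r["priority"])


def matches(rule, cert):
    """Simplified matchrule check (assumption of this example): <ISSUER> and
    <SUBJECT> patterns are regexes tested against the certificate's DN
    strings, <EKU> lists the extended key usages that must all be present.
    cert is a dict with "issuer", "subject" and "eku" (list) entries."""
    matchrule = rule["matchrule"]
    if matchrule.startswith("KRB5:"):
        matchrule = matchrule[len("KRB5:"):]
    for kind, pattern in re.findall(r"<(ISSUER|SUBJECT|EKU)>([^<]*)", matchrule):
        if kind == "EKU":
            if not set(pattern.split(",")) <= set(cert["eku"]):
                return False
        elif not re.search(pattern, cert[kind.lower()]):
            return False
    return True
```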
2329
2331 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
2332 SSSD's PAM module pam_sss will ask SSSD to figure out which
2333 authentication methods are available for the user trying to log in.
2334 Based on the results pam_sss will prompt the user for appropriate
2335 credentials.
2336
2337 With the growing number of authentication methods and the possibility
2338 that there are multiple ones for a single user, the heuristic used by
2339 pam_sss to select the prompting might not be suitable for all use
2340 cases. The following options provide more flexibility here.
2341
2342 Each supported authentication method has its own configuration
2343 subsection under “[prompting/...]”. Currently there are:
2344
2345 [prompting/password]
2346 to configure password prompting, allowed options are:
2347
2348 password_prompt
2349 to change the string of the password prompt
2350
2351
2352 [prompting/2fa]
2353 to configure two-factor authentication prompting, allowed options
2354 are:
2355
2356 first_prompt
2357 to change the string of the prompt for the first factor
2358
2359 second_prompt
2360 to change the string of the prompt for the second factor
2361
2362 single_prompt
2363 boolean value, if True there will be only a single prompt using
2364 the value of first_prompt where it is expected that both
2365 factors are entered as a single string. Please note that both
2366 factors have to be entered here, even if the second factor is
2367 optional.
2368
2369 If the second factor is optional and it should be possible to log
2370 in either only with the password or with both factors, two-step
2371 prompting has to be used.
2372
2373 It is possible to add a subsection for specific PAM services, e.g.
2374 “[prompting/password/sshd]”, to individually change the prompting for
2375 this service.
2376
2378 1. The following example shows a typical SSSD config. It does not
2379 describe configuration of the domains themselves - refer to
2380 documentation on configuring domains for more details.
2381
2382 [sssd]
2383 domains = LDAP
2384 services = nss, pam
2385 config_file_version = 2
2386
2387 [nss]
2388 filter_groups = root
2389 filter_users = root
2390
2391 [pam]
2392
2393 [domain/LDAP]
2394 id_provider = ldap
2395 ldap_uri = ldap://ldap.example.com
2396 ldap_search_base = dc=example,dc=com
2397
2398 auth_provider = krb5
2399 krb5_server = kerberos.example.com
2400 krb5_realm = EXAMPLE.COM
2401 cache_credentials = true
2402
2403 min_id = 10000
2404 max_id = 20000
2405 enumerate = False
2406
2407 2. The following example shows the configuration of an IPA-AD trust
2408 where the AD forest consists of two domains in a parent-child
2409 structure. Suppose the IPA domain (ipa.com) has a trust with the AD
2410 domain (ad.com), and ad.com has a child domain (child.ad.com). To
2411 enable short names in the child domain, the following configuration
2412 should be used.
2412
2413 [domain/ipa.com/child.ad.com]
2414 use_fully_qualified_names = false
2415
2416 3. The following example shows the configuration for two certificate
2417 mapping rules. The first is valid for the configured domain “my.domain”
2418 and additionally for the subdomain “your.domain”, and uses the full
2419 certificate in the search filter. The second example is valid for the
2420 domain “files”, where it is assumed the files provider is used for this
2421 domain, and contains a matching rule for the local user “myname”.
2422
2423 [certmap/my.domain/rule_name]
2424 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2425 maprule = (userCertificate;binary={cert!bin})
2426 domains = my.domain, your.domain
2427 priority = 10
2428
2429 [certmap/files/myname]
2430 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
2431
2432
2434 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2435 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2436 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2437 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2438 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5),
2439 sssd-systemtap(5).
2440
2442 The SSSD upstream - https://github.com/SSSD/sssd/
2443
2444
2445
2446SSSD 07/04/2022 SSSD.CONF(5)