SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)


NAME

       sssd.conf - the configuration file for SSSD


FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3


       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.


CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY

       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

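       As an added example (this is not SSSD's own code; it only mirrors the
       include rules stated above), the following Python script computes the
       order in which sssd.conf and its conf.d snippets are merged and checks
       each file against the ownership and permission rules given here. The
       configuration tree it builds is constructed for the demonstration.

```python
"""Added example, not SSSD's own code: merge sssd.conf with its conf.d
snippets in the documented order and check file ownership/permissions."""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path


def snippet_order(conf_d: Path) -> list[Path]:
    """Snippets SSSD would include: regular files named '*.conf' that do not
    start with '.', in alphabetical order (later files win on conflicts)."""
    candidates = [p for p in conf_d.iterdir()
                  if p.is_file()
                  and p.name.endswith(".conf")
                  and not p.name.startswith(".")]
    return sorted(candidates, key=lambda p: p.name)


def merge_config(paths: list[Path]) -> dict[str, dict[str, str]]:
    """Minimal ini merge: sssd.conf first, then each snippet in order; a key
    set by a later file overrides the same key from an earlier one."""
    merged: dict[str, dict[str, str]] = {}
    for path in paths:
        section = None
        for raw in path.read_text().splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":          # blank or comment line
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                merged.setdefault(section, {})
            elif "=" in line and section is not None:
                key, _, value = line.partition("=")
                merged[section][key.strip()] = value.strip()
    return merged


def permission_problems(path: Path) -> list[str]:
    """Ways `path` violates 'regular file, owned by root, mode 0600'."""
    st = path.lstat()                 # lstat: a symlink is not a regular file
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("owner is not root:root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("mode grants group/other access (expected 0600)")
    return problems


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and report what the
    rules above make of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        conf = root / "sssd.conf"
        conf_d = root / "conf.d"
        conf_d.mkdir()
        conf.write_text("[sssd]\ndomains = example\nservices = nss, pam\n"
                        "[nss]\nmemcache_timeout = 300\n")
        # Constructed snippets: 02_ wins over 01_, both win over sssd.conf;
        # the dot-file and the .txt file must be ignored.
        (conf_d / "01_debug.conf").write_text("[nss]\ndebug_level = 6\n")
        (conf_d / "02_nss.conf").write_text(
            "[nss]\nmemcache_timeout = 600\ndebug_level = 9\n")
        (conf_d / ".hidden.conf").write_text("[nss]\ndebug_level = 0\n")
        (conf_d / "notes.txt").write_text("[nss]\ndebug_level = 1\n")
        conf.chmod(0o600)
        (conf_d / "01_debug.conf").chmod(0o600)
        (conf_d / "02_nss.conf").chmod(0o644)     # deliberately too open
        order = snippet_order(conf_d)
        return {
            "order": [p.name for p in order],
            "merged": merge_config([conf, *order]),
            "strict_problems": permission_problems(conf),
            "open_problems": permission_problems(conf_d / "02_nss.conf"),
        }


if __name__ == "__main__":
    result = demo()
    print("include order:", result["order"])
    print("effective [nss]:", result["merged"]["nss"])
    print("02_nss.conf problems:", result["open_problems"])
```

       Run as a non-root user the owner check fails for every file, which is
       exactly what the script is meant to flag on a real system.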

GENERAL OPTIONS

       The following options are usable in more than one configuration section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging just for the sssd process itself, not for
           the responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent, but requires SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           9, 0x20000: Performance and statistical data, please note that due
           to the way requests are processed internally the logged execution
           time of a request might be longer than it actually was.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data, trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)

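           The following Python snippet is an added example (not SSSD code)
           that converts between the decimal and bitmask forms of debug_level
           using the table above, and decodes a bitmask back into level names
           so that a mistyped value can be spotted before a restart.

```python
"""Added example, not from SSSD: convert between the decimal and bitmask
forms of debug_level and decode a bitmask into the level names above."""
from __future__ import annotations

# (bit, decimal level, meaning) exactly as listed in the debug_level table.
DEBUG_LEVELS = [
    (0x0010, 0, "fatal failures"),
    (0x0020, 1, "critical failures"),
    (0x0040, 2, "serious failures"),
    (0x0080, 3, "minor failures"),
    (0x0100, 4, "configuration settings"),
    (0x0200, 5, "function data"),
    (0x0400, 6, "trace messages for operation functions"),
    (0x1000, 7, "trace messages for internal control functions"),
    (0x2000, 8, "contents of function-internal variables"),
    (0x4000, 9, "extremely low-level tracing information"),
    (0x20000, 9, "performance and statistical data"),
    (0x10000, 10, "even more low-level libldb tracing information"),
]
KNOWN_BITS = sum(bit for bit, _, _ in DEBUG_LEVELS)


def decimal_to_mask(level: int) -> int:
    """A decimal level enables that level and every lower one, so the mask is
    the OR of all bits whose level is <= the requested one."""
    if not 0 <= level <= 10:
        raise ValueError("decimal debug level must be between 0 and 10")
    mask = 0
    for bit, lvl, _ in DEBUG_LEVELS:
        if lvl <= level:
            mask |= bit
    return mask


def parse_debug_level(text: str) -> int:
    """Parse the option value as written in sssd.conf: '0x...' is a bitmask
    and is used verbatim, a plain number is a decimal level (assumption: only
    the two forms the man page names are accepted)."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    return decimal_to_mask(int(text, 10))


def describe_mask(mask: int) -> tuple[list[str], int]:
    """Names of the levels a bitmask enables, plus any bits that match no
    documented level (a typo in the config shows up here)."""
    names = [name for bit, _, name in DEBUG_LEVELS if mask & bit]
    return names, mask & ~KNOWN_BITS


if __name__ == "__main__":
    for value in ("2", "0x0270", "0x1310", "0x0271"):
        names, unknown = describe_mask(parse_debug_level(value))
        print(f"{value:>7}: {', '.join(names)}"
              + (f"  [unknown bits 0x{unknown:04x}]" if unknown else ""))
```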
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           In case SSSD is run with debug_level less than 9, everything is
           logged to a ring buffer in memory and flushed to a log file on any
           error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger backtrace, otherwise up to 2).

           The feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10


SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates what is the syntax of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts.  The services' list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more domains at the same time, but at least one must be configured
           or SSSD won't start. This parameter describes the list of domains
           in the order you want them to be queried. A domain name is
           recommended to contain only alphanumeric ASCII characters, dashes,
           dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user.  This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up during compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the default
           of use_fully_qualified_names to True. It is not allowed to use this
           option together with use_fully_qualified_names set to False. One
           exception from this rule are domains with “id_provider=files” that
           always try to match the behaviour of nss_files and therefore their
           output is not qualified even when the default_domain_suffix option
           is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. an underscore (_): the
           user name "john doe" will become "john_doe". This feature was added
           to help compatibility with shell scripts that have difficulty
           handling spaces, due to the default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               •   sha1

               •   sha256

               •   sha384

               •   sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired, ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses, links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “domain_resolution_order” will be looked up in a random order
           for each parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3) which, if a shortname is returned for a qualified input
           (while trying to reach a user which exists in multiple domains)
           might re-route the login attempt into the domain which uses
           shortnames, making this workaround not recommended at all in cases
           where usernames may overlap between domains.

           Default: Not set

       implicit_pac_responder (boolean)
           The PAC responder is enabled automatically for the IPA and AD
           provider to evaluate and check the PAC. If it has to be disabled
           set this option to 'false'.

           Default: true


SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses incremental behaviour to
           calculate the delay in between retries. So, the wait time for a
           given retry will be longer than the wait time for the previous
           ones. After each unsuccessful attempt to go online, the new
           interval is recalculated by the following:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the amount of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set
           offline_timeout_max to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers in
           specified time intervals:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used for the
           above equation. The final random_offset value will be a random
           number in the range:

           [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30

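           The Python script below is an added example (not SSSD code) that
           replays the retry schedule the offline_timeout, offline_timeout_max
           and offline_timeout_random_offset entries above define, so a
           proposed combination can be checked against the "saturates
           instantly" and "at least 4 times" guidance before it is deployed.
           It assumes the first wait is offline_timeout itself and that the
           formula is applied after every failed attempt.

```python
"""Added example, not SSSD's own code: replay the offline retry schedule that
offline_timeout, offline_timeout_max and offline_timeout_random_offset
define. Assumptions: the first wait equals offline_timeout, the formula is
applied after each failed attempt, and the random part is added on top of
the doubled base rather than being doubled itself on the next round."""
from __future__ import annotations

import random


def next_base(base: int, offline_timeout_max: int) -> int:
    """Minimum(old_delay * 2, offline_timeout_max); a max of 0 disables the
    incrementing, so the base stays where it is."""
    if offline_timeout_max == 0:
        return base
    return min(base * 2, offline_timeout_max)


def retry_schedule(attempts: int, offline_timeout: int = 60,
                   offline_timeout_max: int = 3600, random_offset: int = 30,
                   seed: int | None = None) -> list[int]:
    """Seconds waited before each of `attempts` reconnection attempts.
    random_offset = 0 disables the jitter; `seed` makes it repeatable."""
    rng = random.Random(seed)
    base = offline_timeout
    delays = [base]
    for _ in range(attempts - 1):
        base = next_base(base, offline_timeout_max)
        jitter = rng.randint(0, random_offset) if random_offset > 0 else 0
        delays.append(base + jitter)
    return delays


def doublings_before_cap(offline_timeout: int, offline_timeout_max: int) -> int:
    """How many retries the wait keeps growing before offline_timeout_max
    saturates it. The page's 'at least 4 times offline_timeout' rule yields
    two growing intervals; a max below 2 * offline_timeout yields at most one."""
    if offline_timeout_max == 0:
        return 0
    count, base = 0, offline_timeout
    while base < offline_timeout_max:
        base = min(base * 2, offline_timeout_max)
        count += 1
    return count


if __name__ == "__main__":
    for timeout, maximum in ((60, 3600), (60, 120), (60, 240), (60, 0)):
        print(f"offline_timeout={timeout} offline_timeout_max={maximum}: "
              f"{retry_schedule(8, timeout, maximum, 0)} "
              f"({doublings_before_cap(timeout, maximum)} growing intervals)")
    print("with default jitter:", retry_schedule(8, seed=1))
```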
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users)

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %H
               The value of configure option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u


           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note, the home directory from a specific override for the
           user, either locally (see sss_override(8)) or centrally managed IPA
           id-overrides, has a higher precedence and will be used instead of
           the value given by override_homedir.

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

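           As an added example (not SSSD's own implementation), the Python
           code below expands the override_homedir template sequences listed
           above, including %H from homedir_substring, and applies the
           precedence the entries describe (per-user id-override, then
           override_homedir, then the provider's value, then
           fallback_homedir). The User class and its field names are
           constructed for the example.

```python
"""Added example, not SSSD's own code: expand the override_homedir /
fallback_homedir template sequences and apply the documented precedence."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class User:
    """Constructed view of a user entry; field names chosen for this example."""
    name: str                      # login name (%u)
    uid: int                       # %U
    domain: str                    # %d
    upn: str = ""                  # %P, name@REALM
    original_home: str = ""        # %o, home directory from the provider
    override_home: str = ""        # local/IPA id-override (highest precedence)


def expand_homedir(template: str, user: User,
                   homedir_substring: str = "/home") -> str:
    """Substitute the sequences from the override_homedir table. An unknown
    sequence or a trailing lone '%' is rejected (assumption: SSSD refuses
    such a template rather than guessing)."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        spec = template[i + 1]
        if spec == "u":
            out.append(user.name)
        elif spec == "U":
            out.append(str(user.uid))
        elif spec == "d":
            out.append(user.domain)
        elif spec == "f":
            out.append(f"{user.name}@{user.domain}")
        elif spec == "l":
            out.append(user.name[:1])
        elif spec == "P":
            out.append(user.upn)
        elif spec == "o":
            out.append(user.original_home)
        elif spec == "H":
            out.append(homedir_substring)
        elif spec == "%":
            out.append("%")
        else:
            raise ValueError(f"unknown format sequence %{spec}")
        i += 2
    return "".join(out)


def is_valid_template(template: str) -> bool:
    """True when every sequence in the template is one listed above."""
    try:
        expand_homedir(template, User("probe", 0, "probe"))
        return True
    except ValueError:
        return False


def effective_homedir(user: User, override_homedir: str = "",
                      fallback_homedir: str = "",
                      homedir_substring: str = "/home") -> str:
    """Precedence as the man page states it: a per-user override wins over
    override_homedir, which wins over the provider's value; fallback_homedir
    is used only when the provider returned no home directory."""
    if user.override_home:
        return user.override_home
    if override_homedir:
        return expand_homedir(override_homedir, user, homedir_substring)
    if user.original_home:
        return user.original_home
    if fallback_homedir:
        return expand_homedir(fallback_homedir, user, homedir_substring)
    return ""


if __name__ == "__main__":
    alice = User("alice", 1001, "example.com", upn="alice@EXAMPLE.COM")
    for tmpl in ("/home/%u", "%H/%d/%l/%u", "/export/%f", "%o", "/home/%x"):
        print(f"{tmpl:14} ->",
              expand_homedir(tmpl, alice) if is_valid_template(tmpl)
              else "rejected")
```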
       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u


           Default: not set (no substitution for unset home directories)

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict the user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
           “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for shell is passed as-is to libc.

           “/etc/shells” is only read on SSSD start up, which means that a
           restart of SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

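           The following Python function is an added example (not SSSD's
           code) of the shell resolution order described by override_shell,
           allowed_shells, vetoed_shells, shell_fallback and default_shell.
           The installed shells are passed in instead of being read from
           /etc/shells so it runs offline; the nologin path and the position
           of the vetoed_shells check before the /etc/shells lookup are
           assumptions.

```python
"""Added example, not SSSD's own code: resolve the login shell SSSD's NSS
responder would return for a user, following the order stated in the man
page. Assumptions: NOLOGIN_SHELL's path (the real one is a build-time value)
and that vetoed_shells is checked before the /etc/shells lookup."""
from __future__ import annotations

from typing import Optional, Sequence

NOLOGIN_SHELL = "/sbin/nologin"   # assumption: the build-time nologin path

# Constructed stand-in for the contents of /etc/shells at SSSD start up.
SAMPLE_ETC_SHELLS = frozenset({"/bin/sh", "/bin/bash"})


def resolve_shell(provider_shell: Optional[str],
                  etc_shells: frozenset[str] = SAMPLE_ETC_SHELLS,
                  allowed_shells: Sequence[str] = (),
                  vetoed_shells: Sequence[str] = (),
                  shell_fallback: str = "/bin/sh",
                  override_shell: Optional[str] = None,
                  default_shell: Optional[str] = None) -> Optional[str]:
    """Return the shell handed to the client; None means 'no shell, let libc
    substitute something sensible' as the default_shell entry describes."""
    # override_shell supersedes every other shell option.
    if override_shell is not None:
        return override_shell
    # The provider returned no shell at all: default_shell, else nothing.
    if provider_shell is None:
        return default_shell
    # An empty string is passed as-is to libc.
    if provider_shell == "":
        return ""
    # Neither allowed_shells nor vetoed_shells configured: shell used as-is.
    if not allowed_shells and not vetoed_shells:
        return provider_shell
    # Vetoed shells are always replaced by shell_fallback.
    if provider_shell in vetoed_shells:
        return shell_fallback
    # 1. Present in /etc/shells: it is used.
    if provider_shell in etc_shells:
        return provider_shell
    # 2. Allowed ('*' allows any) but not installed: shell_fallback.
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback
    # 3. Neither allowed nor installed: the nologin shell.
    return NOLOGIN_SHELL


if __name__ == "__main__":
    cases = [
        ("/bin/bash", dict(allowed_shells=["/bin/zsh"])),
        ("/bin/zsh", dict(allowed_shells=["/bin/zsh"])),
        ("/bin/fish", dict(allowed_shells=["/bin/zsh"])),
        ("/bin/fish", dict(allowed_shells=["*"])),
        ("/bin/bash", dict(vetoed_shells=["/bin/bash"])),
        (None, dict(default_shell="/bin/sh")),
    ]
    for shell, opts in cases:
        print(f"{shell!s:10} {opts} -> {resolve_shell(shell, **opts)!r}")
```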
       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

       get_domains_timeout (int)
           Specifies time in seconds for which the list of subdomains will be
           considered valid.

           Default: 60

       memcache_timeout (integer)
           Specifies time in seconds for which records in the in-memory cache
           will be valid. Setting this option to zero will disable the
           in-memory cache.

           Default: 300

           WARNING: Disabling the in-memory cache will have significant
           negative impact on SSSD's performance and should only be used for
           testing.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_passwd (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for passwd requests. Setting the size to 0 will
           disable the passwd in-memory cache.

           Default: 8

           WARNING: A disabled or too small in-memory cache can have
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_group (integer)
           Size (in megabytes) of the data table allocated inside the fast
           in-memory cache for group requests. Setting the size to 0 will
           disable the group in-memory cache.

           Default: 6

           WARNING: A disabled or too small in-memory cache can have
           significant negative impact on SSSD's performance.

           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
           "NO", client applications will not use the fast in-memory cache.

       memcache_size_initgroups (integer)
           Size (in megabytes) of the data table allocated inside fast
760           in-memory cache for initgroups requests. Setting the size to 0 will
761           disable the initgroups in-memory cache.
762
763           Default: 10
764
765           WARNING: Disabled or too small in-memory cache can have significant
766           negative impact on SSSD's performance.
767
768           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
769           "NO", client applications will not use the fast in-memory cache.
770
771       memcache_size_sid (integer)
772           Size (in megabytes) of the data table allocated inside fast
773           in-memory cache for SID related requests. Only SID-by-ID and
774           ID-by-SID requests are currently cached in fast in-memory cache.
775           Setting the size to 0 will disable the SID in-memory cache.
776
777           Default: 6
778
779           WARNING: Disabled or too small in-memory cache can have significant
780           negative impact on SSSD's performance.
781
782           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
783           "NO", client applications will not use the fast in-memory cache.
784
785       user_attributes (string)
786           Some of the additional NSS responder requests can return more
787           attributes than just the POSIX ones defined by the NSS interface.
788           The list of attributes is controlled by this option. It is handled
789           the same way as the “user_attributes” option of the InfoPipe
790           responder (see sssd-ifp(5) for details) but with no default values.
791
792           To make configuration easier, the NSS responder will check the
793           InfoPipe option if this option is not set for the NSS responder.
794
795           Default: not set, fallback to InfoPipe option
796
797       pwfield (string)
798           The value that NSS operations that return users or groups will
799           return for the “password” field.
800
801           Default: “*”
802
803           Note: This option can also be set per-domain which overwrites the
804           value in [nss] section.
805
806           Default: “not set” (remote domains), “x” (the files domain), “x”
807           (proxy domain with nss_files and sssd-shadowutils target)
808
809   PAM configuration options
810       These options can be used to configure the Pluggable Authentication
811       Module (PAM) service.
812
813       offline_credentials_expiration (integer)
814           If the authentication provider is offline, how long should we allow
815           cached logins (in days since the last successful online login).
816
817           Default: 0 (No limit)
818
819       offline_failed_login_attempts (integer)
820           If the authentication provider is offline, how many failed login
821           attempts are allowed.
822
823           Default: 0 (No limit)
824
825       offline_failed_login_delay (integer)
826           The time in minutes which has to pass after
827           offline_failed_login_attempts has been reached before a new login
828           attempt is possible.
829
830           If set to 0 the user cannot authenticate offline if
831           offline_failed_login_attempts has been reached. Only a successful
832           online authentication can enable offline authentication again.
833
834           Default: 5
835
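           The three offline limits above interact: the expiration window is
           checked first, then the failed-attempt counter, and a delay of 0 turns
           the counter into a hard lock that only an online login clears. The
           following is an added example modelling those documented rules; it is
           not SSSD's own code, and the timestamps (plain seconds) are constructed.

```python
# Model of the offline authentication limits described by
# offline_credentials_expiration (days), offline_failed_login_attempts and
# offline_failed_login_delay (minutes). Added example, not SSSD's own code.
# Times are integer seconds; the values used below are constructed.
DAY = 86400
MINUTE = 60


def offline_login_allowed(now, last_online_login, failed_attempts,
                          last_failed_at, credentials_expiration=0,
                          failed_login_attempts=0, failed_login_delay=5):
    """Return (allowed, reason) for an offline login attempt.

    now, last_online_login, last_failed_at - timestamps in seconds
    credentials_expiration                 - days, 0 = no limit (default)
    failed_login_attempts                  - count, 0 = no limit (default)
    failed_login_delay                     - minutes, 0 = lock until online
    """
    # Cached logins are only honoured for N days after the last online login.
    if credentials_expiration > 0 and \
            now - last_online_login > credentials_expiration * DAY:
        return False, "cached credentials expired"
    # Too many offline failures: either wait out the delay or, with a delay
    # of 0, stay locked until a successful online authentication.
    if failed_login_attempts > 0 and failed_attempts >= failed_login_attempts:
        if failed_login_delay == 0:
            return False, "attempt limit reached, online login required"
        if now - last_failed_at < failed_login_delay * MINUTE:
            return False, "attempt limit reached, delay not elapsed"
    return True, "ok"


if __name__ == "__main__":
    now = 1000 * MINUTE
    print(offline_login_allowed(now, 0, 3, now - 2 * MINUTE,
                                failed_login_attempts=3))
```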
836       pam_verbosity (integer)
837           Controls what kind of messages are shown to the user during
838           authentication. The higher the number, the more messages are
839           displayed.
840
841           Currently sssd supports the following values:
842
843           0: do not show any message
844
845           1: show only important messages
846
847           2: show informational messages
848
849           3: show all messages and debug information
850
851           Default: 1
852
853       pam_response_filter (string)
854           A comma-separated list of strings which removes (filters) data
855           sent by the PAM responder to the pam_sss PAM module. Different
856           kinds of responses are sent to pam_sss, e.g. messages displayed to
857           the user or environment variables which pam_sss should set.
858
859           While messages can already be controlled with the pam_verbosity
860           option, this option allows other kinds of responses to be filtered
861           out as well.
863
864           Currently the following filters are supported:
865
866           ENV
867               Do not send any environment variables to any service.
868
869           ENV:var_name
870               Do not send environment variable var_name to any service.
871
872           ENV:var_name:service
873               Do not send environment variable var_name to service.
874
875           The list can either be a plain list of filters, which replaces the
876           default list, or each element can be prefixed with a '+' or '-'
877           character, which adds the filter to the defaults or removes it from
878           them, respectively. Please note that either all list elements must
879           have a '+' or '-' prefix or none of them; mixing both styles is
880           considered an error.
882
883           Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
884
885           Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
886           default list
887
888       pam_id_timeout (integer)
889           For any PAM request while SSSD is online, the SSSD will attempt to
890           immediately update the cached identity information for the user in
891           order to ensure that authentication takes place with the latest
892           information.
893
894           A complete PAM conversation may perform multiple PAM requests, such
895           as account management and session opening. This option controls (on
896           a per-client-application basis) how long (in seconds) we can cache
897           the identity information to avoid excessive round-trips to the
898           identity provider.
899
900           Default: 5
901
902       pam_pwd_expiration_warning (integer)
903           Display a warning N days before the password expires.
904
905           Please note that the backend server has to provide information
906           about the expiration time of the password. If this information is
907           missing, sssd cannot display a warning.
908
909           If zero is set, then this filter is not applied, i.e. if the
910           expiration warning was received from backend server, it will
911           automatically be displayed.
912
913           This setting can be overridden by setting pwd_expiration_warning
914           for a particular domain.
915
916           Default: 0
917
918       get_domains_timeout (int)
919           Specifies time in seconds for which the list of subdomains will be
920           considered valid.
921
922           Default: 60
923
924       pam_trusted_users (string)
925           Specifies the comma-separated list of UID values or user names that
926           are allowed to run PAM conversations against trusted domains. Users
927           not included in this list can only access domains marked as public
928           with “pam_public_domains”. User names are resolved to UIDs at
929           startup.
930
931           Default: All users are considered trusted by default
932
933           Please note that UID 0 is always allowed to access the PAM
934           responder even in case it is not in the pam_trusted_users list.
935
936       pam_public_domains (string)
937           Specifies the comma-separated list of domain names that are
938           accessible even to untrusted users.
939
940           Two special values for pam_public_domains option are defined:
941
942           all (Untrusted users are allowed to access all domains in PAM
943           responder.)
944
945           none (Untrusted users are not allowed to access any domains in the
946           PAM responder.)
947
948           Default: none
949
950       pam_account_expired_message (string)
951           Allows a custom expiration message to be set, replacing the default
952           'Permission denied' message.
953
954           Note: Please be aware that the message is only printed for the SSH
955           service unless pam_verbosity is set to 3 (show all messages and
956           debug information).
957
958           example:
959
960               pam_account_expired_message = Account expired, please contact help desk.
961
962
963           Default: none
964
965       pam_account_locked_message (string)
966           Allows a custom lockout message to be set, replacing the default
967           'Permission denied' message.
968
969           example:
970
971               pam_account_locked_message = Account locked, please contact help desk.
972
973
974           Default: none
975
976       pam_cert_auth (bool)
977           Enable certificate based Smartcard authentication. Since this
978           requires additional communication with the Smartcard which will
979           delay the authentication process this option is disabled by
980           default.
981
982           Default: False
983
984       pam_cert_db_path (string)
985           The path to the certificate database.
986
987           Default:
988
989           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
990               CA certificates in PEM format)
991
992
993       pam_cert_verification (string)
994           With this parameter the PAM certificate verification can be tuned
995           with a comma-separated list of options that override the
996           “certificate_verification” value in the “[sssd]” section. The
997           supported options are the same as for “certificate_verification”.
998
999           example:
1000
1001               pam_cert_verification = partial_chain
1002
1003
1004           Default: not set, i.e. use default “certificate_verification”
1005           option defined in “[sssd]” section.
1006
1007       p11_child_timeout (integer)
1008           How many seconds will pam_sss wait for p11_child to finish.
1009
1010           Default: 10
1011
1012       pam_app_services (string)
1013           Which PAM services are permitted to contact domains of type
1014           “application”
1015
1016           Default: Not set
1017
1018       pam_p11_allowed_services (integer)
1019           A comma-separated list of PAM service names for which Smartcard
1020           authentication is allowed.
1021
1022           It is possible to add another PAM service name to the default set
1023           by using “+service_name” or to explicitly remove a PAM service name
1024           from the default set by using “-service_name”. For example, in
1025           order to replace a default PAM service name for authentication with
1026           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
1027           “my_pam_service”), you would use the following configuration:
1028
1029               pam_p11_allowed_services = +my_pam_service, -login
1030
1031
1032           Default: the default set of PAM service names includes:
1033
1034           •   login
1035
1036           •   su
1037
1038           •   su-l
1039
1040           •   gdm-smartcard
1041
1042           •   gdm-password
1043
1044           •   kdm
1045
1046           •   sudo
1047
1048           •   sudo-i
1049
1050           •   gnome-screensaver
1051
1052
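           Both pam_response_filter and pam_p11_allowed_services use the same
           “+item / -item” convention for editing a default list. The following
           added example models that merge rule (including the mixed-style error
           documented for pam_response_filter) and the ENV filter matching that
           decides whether a variable is sent to a given PAM service. It is not
           SSSD's own code; the default lists are the ones quoted in this manual.

```python
# Model of the "+item / -item" list merging shared by pam_response_filter
# and pam_p11_allowed_services, plus ENV filter matching for
# pam_response_filter. Added example, not SSSD's own code. The defaults
# below are the documented ones; service and variable names in the demo
# are constructed.
RESPONSE_FILTER_DEFAULTS = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
P11_SERVICE_DEFAULTS = ["login", "su", "su-l", "gdm-smartcard", "gdm-password",
                        "kdm", "sudo", "sudo-i", "gnome-screensaver"]


def merge_with_defaults(value, defaults):
    """Apply a comma-separated option value to a default list.

    Every element prefixed with '+' or '-': add to / remove from defaults.
    No element prefixed:                    the value replaces the defaults.
    Mixed styles:                           error, as documented.
    """
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not items:
        return list(defaults)
    prefixed = [s[0] in "+-" for s in items]
    if all(prefixed):
        result = list(defaults)
        for item in items:
            name = item[1:].strip()
            if item[0] == "+" and name not in result:
                result.append(name)
            elif item[0] == "-" and name in result:
                result.remove(name)
        return result
    if any(prefixed):
        raise ValueError("mixed prefixed and unprefixed elements: %r" % value)
    return items


def env_var_blocked(filters, var_name, service):
    """True if one of the ENV filters stops var_name being sent to service."""
    for flt in filters:
        parts = flt.split(":")
        if parts[0] != "ENV":
            continue                    # only ENV filters are defined
        if len(parts) == 1:             # ENV: no variable to any service
            return True
        if parts[1] != var_name:
            continue
        if len(parts) == 2:             # ENV:var_name: not to any service
            return True
        if parts[2] == service:         # ENV:var_name:service
            return True
    return False


if __name__ == "__main__":
    filters = merge_with_defaults("-ENV:KRB5CCNAME:sudo-i",
                                  RESPONSE_FILTER_DEFAULTS)
    print(filters, env_var_blocked(filters, "KRB5CCNAME", "sudo-i"))
    print(merge_with_defaults("+my_pam_service, -login", P11_SERVICE_DEFAULTS))
```

           Note that an unprefixed value such as “pam_response_filter = ENV”
           discards the defaults entirely, which is the intended way to block
           every environment variable for every service.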
1053       p11_wait_for_card_timeout (integer)
1054           If Smartcard authentication is required how many extra seconds in
1055           addition to p11_child_timeout should the PAM responder wait until a
1056           Smartcard is inserted.
1057
1058           Default: 60
1059
1060       p11_uri (string)
1061           PKCS#11 URI (see RFC-7512 for details) which can be used to
1062           restrict the selection of devices used for Smartcard
1063           authentication. By default SSSD's p11_child will search for a
1064           PKCS#11 slot (reader) where the 'removable' flag is set and read
1065           the certificates from the inserted token from the first slot found.
1066           If multiple readers are connected p11_uri can be used to tell
1067           p11_child to use a specific reader.
1068
1069           Example:
1070
1071               p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1072
1073
1074           or
1075
1076               p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1077
1078
1079           To find a suitable URI please check the debug output of p11_child.
1080           As an alternative, the GnuTLS utility 'p11tool' (e.g. with the
1081           '--list-all' option) will show PKCS#11 URIs as well.
1082
1083           Default: none
1084
1085       pam_initgroups_scheme
1086           The PAM responder can force an online lookup to get the current
1087           group memberships of the user trying to log in. This option
1088           controls when this should be done and the following values are
1089           allowed:
1090
1091           always
1092               Always do an online lookup; please note that pam_id_timeout
1093               still applies
1094
1095           no_session
1096               Only do an online lookup if there is no active session of the
1097               user, i.e. if the user is currently not logged in
1098
1099           never
1100               Never force an online lookup, use the data from the cache as
1101               long as they are not expired
1102
1103           Default: no_session
1104
1105       pam_gssapi_services
1106           Comma separated list of PAM services that are allowed to try GSSAPI
1107           authentication using pam_sss_gss.so module.
1108
1109           To disable GSSAPI authentication, set this option to “-” (dash).
1110
1111           Note: This option can also be set per-domain which overwrites the
1112           value in [pam] section. It can also be set for trusted domain which
1113           overwrites the value in the domain section.
1114
1115           Example:
1116
1117               pam_gssapi_services = sudo, sudo-i
1118
1119
1120           Default: - (GSSAPI authentication is disabled)
1121
1122       pam_gssapi_check_upn
1123           If True, SSSD will require that the Kerberos user principal that
1124           successfully authenticated through GSSAPI can be associated with
1125           the user who is being authenticated. Authentication will fail if
1126           the check fails.
1127
1128           If False, every user that is able to obtain the required service
1129           ticket will be authenticated.
1130
1131           Note: This option can also be set per-domain which overwrites the
1132           value in [pam] section. It can also be set for trusted domain which
1133           overwrites the value in the domain section.
1134
1135           Default: True
1136
1137       pam_gssapi_indicators_map
1138           Comma separated list of authentication indicators required to be
1139           present in a Kerberos ticket to access a PAM service that is
1140           allowed to try GSSAPI authentication using pam_sss_gss.so module.
1141
1142           Each element of the list can be either an authentication indicator
1143           name or a pair “service:indicator”. Indicators not prefixed with
1144           the PAM service name will be required to access any PAM service
1145           configured to be used with pam_gssapi_services. A resulting list of
1146           indicators per PAM service is then checked against indicators in
1147           the Kerberos ticket during authentication by pam_sss_gss.so. Any
1148           indicator from the ticket that matches the resulting list of
1149           indicators for the PAM service would grant access. If none of the
1150           indicators in the list match, access will be denied. If the
1151           resulting list of indicators for the PAM service is empty, the
1152           check will not prevent the access.
1153
1154           To disable GSSAPI authentication indicator check, set this option
1155           to “-” (dash). To disable the check for a specific PAM service, add
1156           “service:-”.
1157
1158           Note: This option can also be set per-domain which overwrites the
1159           value in [pam] section. It can also be set for trusted domain which
1160           overwrites the value in the domain section.
1161
1162           The following authentication indicators are supported by IPA
1163           Kerberos deployments:
1164
1165           •   pkinit -- pre-authentication using X.509 certificates --
1166               whether stored in files or on smart cards.
1167
1168           •   hardened -- SPAKE pre-authentication or any pre-authentication
1169               wrapped in a FAST channel.
1170
1171           •   radius -- pre-authentication with the help of a RADIUS server.
1172
1173           •   otp -- pre-authentication using integrated two-factor
1174               authentication (2FA or one-time password, OTP) in IPA.
1175
1176           •   idp -- pre-authentication using external identity provider.
1177
1178           Example: to require access to SUDO services only for users which
1179           obtained their Kerberos tickets with an X.509 certificate
1180           pre-authentication (PKINIT), set
1181
1182               pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1183
1184
1185           Default: not set (use of authentication indicators is not required)
1186
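           The evaluation of pam_gssapi_indicators_map described above, as an
           added example: the option is expanded into a per-service list of
           acceptable indicators and compared with the indicators found in the
           ticket, with “-” and “service:-” disabling the check. This models the
           documented rules and is not the code of pam_sss_gss.so; the ticket
           contents used are constructed.

```python
# Model of the pam_gssapi_indicators_map check described in the text.
# Added example, not SSSD's pam_sss_gss.so logic. Ticket indicator lists
# in the demo are constructed.
def required_indicators(option_value, service):
    """Return the indicators acceptable for `service`, or None when the
    check is disabled for it (option "-" or a "service:-" element).

    An empty list means the check does not restrict access."""
    value = option_value.strip()
    if value == "":
        return []                      # not set: indicators not required
    if value == "-":
        return None                    # check disabled globally
    result = []
    for element in (e.strip() for e in value.split(",") if e.strip()):
        if ":" in element:
            svc, indicator = element.split(":", 1)
            if svc != service:
                continue               # belongs to a different PAM service
            if indicator == "-":
                return None            # check disabled for this service
            result.append(indicator)
        else:
            result.append(element)     # unprefixed: applies to every service
    return result


def indicator_check_passes(option_value, service, ticket_indicators):
    """Decide access for `service` from the ticket's authentication
    indicators: any match grants access, no match denies, an empty or
    disabled list never blocks."""
    required = required_indicators(option_value, service)
    if required is None or not required:
        return True
    return any(ind in required for ind in ticket_indicators)


if __name__ == "__main__":
    mapping = "sudo:pkinit, sudo-i:pkinit"
    for svc, ticket in (("sudo", ["pkinit"]), ("sudo", ["otp"]),
                        ("sshd", ["otp"])):
        print(svc, ticket, "->", indicator_check_passes(mapping, svc, ticket))
```

           The last case in the demo is the one to keep in mind: a service that
           is not named in the map, and for which no unprefixed indicator exists,
           ends up with an empty list and is therefore not restricted at all.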
1187   SUDO configuration options
1188       These options can be used to configure the sudo service. The detailed
1189       instructions for configuration of sudo(8) to work with sssd(8) are in
1190       the manual page sssd-sudo(5).
1191
1192       sudo_timed (bool)
1193           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1194           attributes that implement time-dependent sudoers entries.
1195
1196           Default: false
1197
1198       sudo_threshold (integer)
1199           Maximum number of expired rules that can be refreshed at once. If
1200           the number of expired rules is below the threshold, those rules
1201           are refreshed with the “rules refresh” mechanism. If the threshold
1202           is exceeded, a “full refresh” of sudo rules is triggered instead.
1203           This threshold number also applies to IPA sudo command and command
1204           group searches.
1205
1206           Default: 50
1207
1208   AUTOFS configuration options
1209       These options can be used to configure the autofs service.
1210
1211       autofs_negative_timeout (integer)
1212           Specifies for how many seconds the autofs responder should
1213           negatively cache hits (that is, queries for invalid map entries,
1214           such as nonexistent ones) before asking the back end again.
1215
1216           Default: 15
1217
1218       Please note that the automounter only reads the master map on startup,
1219       so if any autofs-related changes are made to the sssd.conf, you
1220       typically also need to restart the automounter daemon after restarting
1221       the SSSD.
1222
1223   SSH configuration options
1224       These options can be used to configure the SSH service.
1225
1226       ssh_hash_known_hosts (bool)
1227           Whether or not to hash host names and addresses in the managed
1228           known_hosts file.
1229
1230           Default: false
1231
1232       ssh_known_hosts_timeout (integer)
1233           How many seconds to keep a host in the managed known_hosts file
1234           after its host keys were requested.
1235
1236           Default: 180
1237
1238       ssh_use_certificate_keys (bool)
1239           If set to true, sss_ssh_authorizedkeys will also return ssh keys
1240           derived from the public key of X.509 certificates stored in the
1241           user entry. See sss_ssh_authorizedkeys(1) for details.
1242
1243           Default: true
1244
1245       ssh_use_certificate_matching_rules (string)
1246           By default the ssh responder will use all available certificate
1247           matching rules to filter the certificates so that ssh keys are only
1248           derived from the matching ones. With this option the used rules can
1249           be restricted with a comma separated list of mapping and matching
1250           rule names. All other rules will be ignored.
1251
1252           There are two special keywords, 'all_rules' and 'no_rules', which
1253           will enable all or no rules, respectively. The latter means that no
1254           certificates will be filtered out and ssh keys will be generated
1255           from all valid certificates.
1256
1257           If no rules are configured using 'all_rules' will enable a default
1258           rule which enables all certificates suitable for client
1259           authentication. This is the same behavior as for the PAM responder
1260           if certificate authentication is enabled.
1261
1262           A non-existing rule name is considered an error. If as a result no
1263           rule is selected all certificates will be ignored.
1264
1265           Default: not set, equivalent to 'all_rules', all found rules or the
1266           default rule are used
1267
1268       ca_db (string)
1269           Path to a storage of trusted CA certificates. The option is used to
1270           validate user certificates before deriving public ssh keys from
1271           them.
1272
1273           Default:
1274
1275           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1276               CA certificates in PEM format)
1277
1278
1279   PAC responder configuration options
1280       The PAC responder works together with the authorization data plugin for
1281       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1282       sends the PAC data during a GSSAPI authentication to the PAC responder.
1283       The sub-domain provider collects domain SID and ID ranges of the domain
1284       the client is joined to and of remote trusted domains from the local
1285       domain controller. When the PAC is decoded and evaluated, some of the
1286       following operations are done:
1287
1288       •   If the remote user does not exist in the cache, it is created. The
1289           UID is determined with the help of the SID, trusted domains will
1290           have UPGs and the GID will have the same value as the UID. The home
1291           directory is set based on the subdomain_homedir parameter. The
1292           shell will be empty by default, i.e. the system defaults are used,
1293           but can be overwritten with the default_shell parameter.
1294
1295       •   If there are SIDs of groups from domains sssd knows about, the user
1296           will be added to those groups.
1297
1298       These options can be used to configure the PAC responder.
1299
1300       allowed_uids (string)
1301           Specifies the comma-separated list of UID values or user names that
1302           are allowed to access the PAC responder. User names are resolved to
1303           UIDs at startup.
1304
1305           Default: 0 (only the root user is allowed to access the PAC
1306           responder)
1307
1308           Please note that although the UID 0 is used as the default it will
1309           be overwritten with this option. If you still want to allow the
1310           root user to access the PAC responder, which would be the typical
1311           case, you have to add 0 to the list of allowed UIDs as well.
1312
1313       pac_lifetime (integer)
1314           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1315           the PAC data can be used to determine the group memberships of a
1316           user.
1317
1318           Default: 300
1319
1320       pac_check (string)
1321           Apply additional checks on the PAC of the Kerberos ticket which is
1322           available in Active Directory and FreeIPA domains, if configured.
1323           The following options can be used alone or in a comma-separated
1324           list:
1325
1326           no_check
1327               The PAC does not need to be present, and even if it is present
1328               no additional checks will be done.
1329
1330           pac_present
1331               The PAC must be present in the service ticket which SSSD will
1332               request with the help of the user's TGT. If the PAC is not
1333               available the authentication will fail.
1334
1335           check_upn
1336               If the PAC is present check if the user principal name (UPN)
1337               information is consistent.
1338
1339           upn_dns_info_present
1340               The PAC must contain the UPN-DNS-INFO buffer, implies
1341               'check_upn'.
1342
1343           check_upn_dns_info_ex
1344               If the PAC is present and the extension to the UPN-DNS-INFO
1345               buffer is available check if the information in the extension
1346               is consistent.
1347
1348           upn_dns_info_ex_present
1349               The PAC must contain the extension of the UPN-DNS-INFO buffer,
1350               implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
1351               'check_upn'.
1352
1353           Default: no_check (AD and IPA provider 'check_upn,
1354           check_upn_dns_info_ex')
1355
1356   Session recording configuration options
1357       Session recording works in conjunction with tlog-rec-session(8), part
1358       of the tlog package, to log what users see and type when they log in
1359       on a text terminal. See also sssd-session-recording(5).
1360
1361       These options can be used to configure session recording.
1362
1363       scope (string)
1364           One of the following strings specifying the scope of session
1365           recording:
1366
1367           "none"
1368               No users are recorded.
1369
1370           "some"
1371               Users/groups specified by users and groups options are
1372               recorded.
1373
1374           "all"
1375               All users are recorded.
1376
1377           Default: "none"
1378
1379       users (string)
1380           A comma-separated list of users which should have session recording
1381           enabled. Matches user names as returned by NSS, that is, after the
1382           possible space replacement, case changes, etc.
1383
1384           Default: Empty. Matches no users.
1385
1386       groups (string)
1387           A comma-separated list of groups, members of which should have
1388           session recording enabled. Matches group names as returned by NSS,
1389           that is, after the possible space replacement, case changes, etc.
1390
1391           NOTE: using this option (having it set to anything) has a
1392           considerable performance cost, because each uncached request for a
1393           user requires retrieving and matching the groups the user is member
1394           of.
1395
1396           Default: Empty. Matches no groups.
1397
1398       exclude_users (string)
1399           A comma-separated list of users to be excluded from recording, only
1400           applicable with 'scope=all'.
1401
1402           Default: Empty. No users excluded.
1403
1404       exclude_groups (string)
1405           A comma-separated list of groups, members of which should be
1406           excluded from recording. Only applicable with 'scope=all'.
1407
1408           NOTE: using this option (having it set to anything) has a
1409           considerable performance cost, because each uncached request for a
1410           user requires retrieving and matching the groups the user is member
1411           of.
1412
1413           Default: Empty. No groups excluded.
1414
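           The scope, users, groups, exclude_users and exclude_groups options
           combine into one decision per login. The following added example
           models that decision as documented; it is not the code of SSSD or
           tlog, and the user and group memberships it is called with are
           constructed. Group names are assumed to be in the form NSS returns
           them, as the text requires.

```python
# Model of the session recording scope rules: scope=none records nobody,
# scope=some records the listed users and group members, scope=all records
# everyone except the excluded users and group members. Added example, not
# SSSD's or tlog's code; memberships passed in are constructed.
def parse_list(value):
    """Split a comma-separated option value, ignoring blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]


def session_recorded(scope, user, user_groups, users="", groups="",
                     exclude_users="", exclude_groups=""):
    """True if the login of `user` (member of `user_groups`) is recorded."""
    if scope == "none":
        return False
    if scope == "some":
        # The group options require the user's memberships to be resolved,
        # which is the documented performance cost of setting them.
        return (user in parse_list(users)
                or any(g in parse_list(groups) for g in user_groups))
    if scope == "all":
        if user in parse_list(exclude_users):
            return False
        if any(g in parse_list(exclude_groups) for g in user_groups):
            return False
        return True
    raise ValueError("unknown scope: %r" % scope)


if __name__ == "__main__":
    print(session_recorded("some", "alice", ["wheel"], groups="wheel"))
    print(session_recorded("all", "alice", ["wheel"], exclude_groups="wheel"))
```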

DOMAIN SECTIONS

1416       These configuration options can be present in a domain configuration
1417       section, that is, in a section called “[domain/NAME]”
1418
1419       enabled
1420           Explicitly enable or disable the domain. If “true”, the domain is
1421           always “enabled”. If “false”, the domain is always “disabled”. If
1422           this option is not set, the domain is enabled only if it is listed
1423           in the domains option in the “[sssd]” section.
1424
1425       domain_type (string)
1426           Specifies whether the domain is meant to be used by POSIX-aware
1427           clients such as the Name Service Switch or by applications that do
1428           not need POSIX data to be present or generated. Only objects from
1429           POSIX domains are available to the operating system interfaces and
1430           utilities.
1431
1432           Allowed values for this option are “posix” and “application”.
1433
1434           POSIX domains are reachable by all services. Application domains
1435           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1436           and the PAM responder.
1437
1438           NOTE: The application domains are currently well tested with
1439           “id_provider=ldap” only.
1440
1441           For an easy way to configure a non-POSIX domain, please see the
1442           “Application domains” section.
1443
1444           Default: posix
1445
1446       min_id,max_id (integer)
1447           UID and GID limits for the domain. If a domain contains an entry
1448           that is outside these limits, it is ignored.
1449
1450           For users, this affects the primary GID limit. The user will not be
1451           returned to NSS if either the UID or the primary GID is outside the
1452           range. For non-primary group memberships, those that are in range
1453           will be reported as expected.
1454
1455           These ID limits affect even saving entries to cache, not only
1456           returning them by name or ID.
1457
1458           Default: 1 for min_id, 0 (no limit) for max_id
1459
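           The following added illustration (not SSSD's own code; User, filter_entry and visible_users are assumed helper names, and the sample entries are constructed) models the min_id/max_id rules above, including the primary-GID case that drops a user whose UID alone would have been acceptable:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration, not SSSD's own code. User, filter_entry and
# visible_users are assumed helper names; the sample users are constructed.

@dataclass
class User:
    name: str
    uid: int
    gid: int                                          # primary GID
    groups: List[int] = field(default_factory=list)   # non-primary GIDs

def in_range(value: int, min_id: int, max_id: int) -> bool:
    """max_id == 0 means no upper limit, as documented for the default."""
    return value >= min_id and (max_id == 0 or value <= max_id)

def filter_entry(user: User, min_id: int = 1, max_id: int = 0) -> Optional[User]:
    """Apply the min_id/max_id rules from sssd.conf(5): the whole user is
    dropped (not even cached) if its UID or primary GID is out of range,
    while out-of-range non-primary memberships are silently omitted."""
    if not (in_range(user.uid, min_id, max_id) and in_range(user.gid, min_id, max_id)):
        return None
    kept = [g for g in user.groups if in_range(g, min_id, max_id)]
    return User(user.name, user.uid, user.gid, kept)

# Constructed sample entries
SAMPLE_USERS = [
    User("alice", 1000, 1000, [2000, 70000]),   # in range; one group out of range
    User("bob",   1001, 60000),                 # primary GID may fall outside the limits
    User("svc",   0,    0),                     # UID 0 is below the default min_id of 1
]

def visible_users(users: List[User], min_id: int = 1, max_id: int = 0) -> List[User]:
    """Entries that would actually be stored in the cache and returned to NSS."""
    return [u for u in (filter_entry(x, min_id, max_id) for x in users) if u is not None]

if __name__ == "__main__":
    for u in visible_users(SAMPLE_USERS, min_id=1000, max_id=59999):
        print(u)
```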
1460       enumerate (bool)
1461           Determines if a domain can be enumerated, that is, whether the
1462           domain can list all the users and groups it contains. Note that it
1463           is not required to enable enumeration in order for secondary groups
1464           to be displayed. This parameter can have one of the following
1465           values:
1466
1467           TRUE = Users and groups are enumerated
1468
1469           FALSE = No enumerations for this domain
1470
1471           Default: FALSE
1472
1473           Enumerating a domain requires SSSD to download and store ALL user
1474           and group entries from the remote server.
1475
1476           Note: Enabling enumeration has a moderate performance impact on
1477           SSSD while enumeration is running. It may take up to several
1478           minutes after SSSD startup to fully complete enumerations. During
1479           this time, individual requests for information will go directly to
1480           LDAP, though they may be slow due to the heavy enumeration
1481           processing. Saving a large number of entries to cache after the
1482           enumeration completes might also be CPU intensive, as the
1483           memberships have to be recomputed. This can lead to the “sssd_be”
1484           process becoming unresponsive or even being restarted by the
1485           internal watchdog.
1486
1487           While the first enumeration is running, requests for the complete
1488           user or group lists may return no results until it completes.
1489
1490           Further, enabling enumeration may increase the time necessary to
1491           detect network disconnection, as longer timeouts are required to
1492           ensure that enumeration lookups are completed successfully. For
1493           more information, refer to the man pages for the specific
1494           id_provider in use.
1495
1496           For the reasons cited above, enabling enumeration is not
1497           recommended, especially in large environments.
1498
1499       subdomain_enumerate (string)
1500           Whether any of the autodetected trusted domains should be
1501           enumerated. The supported values are:
1502
1503           all
1504               All discovered trusted domains will be enumerated
1505
1506           none
1507               No discovered trusted domains will be enumerated
1508
1509           Optionally, a list of one or more domain names can enable
1510           enumeration just for these trusted domains.
1511
1512           Default: none
1513
1514       entry_cache_timeout (integer)
1515           How many seconds should nss_sss consider entries valid before
1516           asking the backend again
1517
1518           The cache expiration timestamps are stored as attributes of
1519           individual objects in the cache. Therefore, changing the cache
1520           timeout only has effect for newly added or expired entries. You
1521           should run the sss_cache(8) tool in order to force refresh of
1522           entries that have already been cached.
1523
1524           Default: 5400
1525
1526       entry_cache_user_timeout (integer)
1527           How many seconds should nss_sss consider user entries valid before
1528           asking the backend again
1529
1530           Default: entry_cache_timeout
1531
1532       entry_cache_group_timeout (integer)
1533           How many seconds should nss_sss consider group entries valid before
1534           asking the backend again
1535
1536           Default: entry_cache_timeout
1537
1538       entry_cache_netgroup_timeout (integer)
1539           How many seconds should nss_sss consider netgroup entries valid
1540           before asking the backend again
1541
1542           Default: entry_cache_timeout
1543
1544       entry_cache_service_timeout (integer)
1545           How many seconds should nss_sss consider service entries valid
1546           before asking the backend again
1547
1548           Default: entry_cache_timeout
1549
1550       entry_cache_resolver_timeout (integer)
1551           How many seconds should nss_sss consider hosts and networks entries
1552           valid before asking the backend again
1553
1554           Default: entry_cache_timeout
1555
1556       entry_cache_sudo_timeout (integer)
1557           How many seconds should sudo consider rules valid before asking the
1558           backend again
1559
1560           Default: entry_cache_timeout
1561
1562       entry_cache_autofs_timeout (integer)
1563           How many seconds should the autofs service consider automounter
1564           maps valid before asking the backend again
1565
1566           Default: entry_cache_timeout
1567
1568       entry_cache_ssh_host_timeout (integer)
1569           How many seconds to keep a host SSH key after refresh, i.e. how
1570           long to cache the host key.
1571
1572           Default: entry_cache_timeout
1573
1574       entry_cache_computer_timeout (integer)
1575           How many seconds to keep the local computer entry before asking the
1576           backend again
1577
1578           Default: entry_cache_timeout
1579
1580       refresh_expired_interval (integer)
1581           Specifies how many seconds SSSD has to wait before triggering a
1582           background refresh task which will refresh all expired or nearly
1583           expired records.
1584
1585           The background refresh will process users, groups and netgroups in
1586           the cache. For users who have performed the initgroups (get group
1587           membership for user, typically run at login) operation in the past,
1588           both the user entry and the group membership are updated.
1589
1590           This option is automatically inherited for all trusted domains.
1591
1592           You can consider setting this value to 3/4 * entry_cache_timeout.
1593
1594           A cache entry will be refreshed by the background task once 2/3 of
1595           its cache timeout has passed. If there are existing cached entries,
1596           the background task refers to their original cache timeout values
1597           instead of the current configuration value. This may lead to a
1598           situation in which the background refresh task appears not to be
1599           working. This is done by design to improve offline mode operation
1600           and reuse of existing valid cache entries. To make a changed
1601           timeout take effect immediately, invalidate the existing cache
               manually (see sss_cache(8)).
1602
1603           Default: 0 (disabled)
1604
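           The following added illustration (not SSSD's own code; CacheEntry, needs_refresh, refresh_due and suggested_refresh_interval are assumed names, and the scenario is constructed) models the timing rules above and shows why an entry cached before entry_cache_timeout was lowered is not picked up by the background task as soon as a freshly cached one:

```python
from dataclasses import dataclass
from typing import List

# Added illustration, not SSSD's own code. CacheEntry, needs_refresh,
# refresh_due and suggested_refresh_interval are assumed names that model
# the refresh timing described in sssd.conf(5).

@dataclass
class CacheEntry:
    name: str
    cached_at: int   # seconds; when the entry was last written to the cache
    timeout: int     # entry_cache_timeout in force at that time (stored on the entry)

def suggested_refresh_interval(entry_cache_timeout: int) -> int:
    """The 3/4 * entry_cache_timeout rule of thumb from the man page."""
    return entry_cache_timeout * 3 // 4

def needs_refresh(entry: CacheEntry, now: int) -> bool:
    """The background task refreshes an entry once 2/3 of the timeout stored
    on that entry (not the currently configured value) has passed."""
    return now - entry.cached_at >= entry.timeout * 2 / 3

def refresh_due(entries: List[CacheEntry], now: int) -> List[str]:
    """Names of the entries the background task would refresh at time now."""
    return [e.name for e in entries if needs_refresh(e, now)]

# Constructed scenario: entry_cache_timeout was lowered from 5400 to 600,
# but "old" was cached before the change and still carries the old value.
ENTRIES = [
    CacheEntry("old", cached_at=0, timeout=5400),
    CacheEntry("new", cached_at=0, timeout=600),
]

if __name__ == "__main__":
    print(suggested_refresh_interval(600))   # interval matching the new timeout
    print(refresh_due(ENTRIES, now=450))     # only "new" is due so far
    print(refresh_due(ENTRIES, now=3600))    # "old" becomes due only after its own 2/3 mark
```

Until the "old" entry is invalidated with sss_cache(8), it keeps its original 5400-second timeout and is refreshed on that schedule, exactly the behaviour the man page warns may look like a non-working refresh task.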
1605       cache_credentials (bool)
1606           Determines if user credentials are also cached in the local LDB
1607           cache
1608
1609           User credentials are stored in a SHA512 hash, not in plaintext
1610
1611           Default: FALSE
1612
1613       cache_credentials_minimal_first_factor_length (int)
1614           If 2-Factor-Authentication (2FA) is used and credentials should be
1615           saved, this value determines the minimal length the first
1616           authentication factor (long term password) must have to be saved as
1617           a SHA512 hash into the cache.
1618
1619           This prevents the short PINs of a PIN-based 2FA scheme from being
1620           saved in the cache, where they would be easy targets for
1621           brute-force attacks.
1622
1623           Default: 8
1624
1625       account_cache_expiration (integer)
1626           Number of days entries are left in cache after last successful
1627           login before being removed during a cleanup of the cache. 0 means
1628           keep forever. The value of this parameter must be greater than or
1629           equal to offline_credentials_expiration.
1630
1631           Default: 0 (unlimited)
1632
1633       pwd_expiration_warning (integer)
1634           Display a warning N days before the password expires.
1635
1636           If zero is set, then this filter is not applied, i.e. if the
1637           expiration warning was received from backend server, it will
1638           automatically be displayed.
1639
1640           Please note that the backend server has to provide information
1641           about the expiration time of the password. If this information is
1642           missing, sssd cannot display a warning. Also an auth provider has
1643           to be configured for the backend.
1644
1645           Default: 7 (Kerberos), 0 (LDAP)
1646
1647       id_provider (string)
1648           The identification provider used for the domain. Supported ID
1649           providers are:
1650
1651           “proxy”: Support a legacy NSS provider.
1652
1653           “files”: FILES provider. See sssd-files(5) for more information on
1654           how to mirror local users and groups into SSSD.
1655
1656           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1657           configuring LDAP.
1658
1659           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1660           See sssd-ipa(5) for more information on configuring FreeIPA.
1661
1662           “ad”: Active Directory provider. See sssd-ad(5) for more
1663           information on configuring Active Directory.
1664
1665       use_fully_qualified_names (bool)
1666           Use the full name and domain (as formatted by the domain's
1667           full_name_format) as the user's login name reported to NSS.
1668
1669           If set to TRUE, all requests to this domain must use fully
1670           qualified names. For example, if used in LOCAL domain that contains
1671           a "test" user, getent passwd test wouldn't find the user while
1672           getent passwd test@LOCAL would.
1673
1674           NOTE: This option has no effect on netgroup lookups due to their
1675           tendency to include nested netgroups without qualified names. For
1676           netgroups, all domains will be searched when an unqualified name is
1677           requested.
1678
1679           Default: FALSE (TRUE for trusted domain/sub-domains or if
1680           default_domain_suffix is used)
1681
1682       ignore_group_members (bool)
1683           Do not return group members for group lookups.
1684
1685           If set to TRUE, the group membership attribute is not requested
1686           from the ldap server, and group members are not returned when
1687           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1688           As an effect, “getent group $groupname” would return the requested
1689           group as if it was empty.
1690
1691           Enabling this option can also make access provider checks for group
1692           membership significantly faster, especially for groups containing
1693           many members.
1694
1695           Default: FALSE
1696
1697       auth_provider (string)
1698           The authentication provider used for the domain. Supported auth
1699           providers are:
1700
1701           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1702           information on configuring LDAP.
1703
1704           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1705           information on configuring Kerberos.
1706
1707           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1708           See sssd-ipa(5) for more information on configuring FreeIPA.
1709
1710           “ad”: Active Directory provider. See sssd-ad(5) for more
1711           information on configuring Active Directory.
1712
1713           “proxy” for relaying authentication to some other PAM target.
1714
1715           “none” disables authentication explicitly.
1716
1717           Default: “id_provider” is used if it is set and can handle
1718           authentication requests.
1719
1720       access_provider (string)
1721           The access control provider used for the domain. There are two
1722           built-in access providers (in addition to any included in installed
1723           backends). The internal special providers are:
1724
1725           “permit” always allows access. It's the only permitted access
1726           provider for a local domain.
1727
1728           “deny” always denies access.
1729
1730           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1731           information on configuring LDAP.
1732
1733           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1734           See sssd-ipa(5) for more information on configuring FreeIPA.
1735
1736           “ad”: Active Directory provider. See sssd-ad(5) for more
1737           information on configuring Active Directory.
1738
1739           “simple” access control based on access or deny lists. See sssd-
1740           simple(5) for more information on configuring the simple access
1741           module.
1742
1743           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1744           information on configuring Kerberos.
1745
1746           “proxy” for relaying access control to another PAM module.
1747
1748           Default: “permit”
1749
1750       chpass_provider (string)
1751           The provider which should handle change password operations for the
1752           domain. Supported change password providers are:
1753
1754           “ldap” to change a password stored in a LDAP server. See sssd-
1755           ldap(5) for more information on configuring LDAP.
1756
1757           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1758           information on configuring Kerberos.
1759
1760           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1761           See sssd-ipa(5) for more information on configuring FreeIPA.
1762
1763           “ad”: Active Directory provider. See sssd-ad(5) for more
1764           information on configuring Active Directory.
1765
1766           “proxy” for relaying password changes to some other PAM target.
1767
1768           “none” disallows password changes explicitly.
1769
1770           Default: “auth_provider” is used if it is set and can handle change
1771           password requests.
1772
1773       sudo_provider (string)
1774           The SUDO provider used for the domain. Supported SUDO providers
1775           are:
1776
1777           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1778           information on configuring LDAP.
1779
1780           “ipa” the same as “ldap” but with IPA default settings.
1781
1782           “ad” the same as “ldap” but with AD default settings.
1783
1784           “none” disables SUDO explicitly.
1785
1786           Default: The value of “id_provider” is used if it is set.
1787
1788           The detailed instructions for configuration of sudo_provider are in
1789           the manual page sssd-sudo(5). There are many configuration options
1790           that can be used to adjust the behavior. Please refer to
1791           "ldap_sudo_*" in sssd-ldap(5).
1792
1793           NOTE: Sudo rules are periodically downloaded in the background
1794           unless the sudo provider is explicitly disabled. Set “sudo_provider
1795           = none” to disable all sudo-related activity in SSSD if you do not
1796           want to use sudo with SSSD at all.
1797
1798       selinux_provider (string)
1799           The provider which should handle loading of SELinux settings. Note
1800           that this provider is called right after the access provider
1801           finishes. Supported SELinux providers are:
1802
1803           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1804           for more information on configuring IPA.
1805
1806           “none” disallows fetching selinux settings explicitly.
1807
1808           Default: “id_provider” is used if it is set and can handle selinux
1809           loading requests.
1810
1811       subdomains_provider (string)
1812           The provider which should handle fetching of subdomains. This value
1813           should always be the same as id_provider. Supported subdomain
1814           providers are:
1815
1816           “ipa” to load a list of subdomains from an IPA server. See sssd-
1817           ipa(5) for more information on configuring IPA.
1818
1819           “ad” to load a list of subdomains from an Active Directory server.
1820           See sssd-ad(5) for more information on configuring the AD provider.
1821
1822           “none” disallows fetching subdomains explicitly.
1823
1824           Default: The value of “id_provider” is used if it is set.
1825
1826       session_provider (string)
1827           The provider which configures and manages user session related
1828           tasks. The only user session task currently provided is the
1829           integration with Fleet Commander, which works only with IPA.
1830           Supported session providers are:
1831
1832           “ipa” to allow performing user session related tasks.
1833
1834           “none” does not perform any kind of user session related tasks.
1835
1836           Default: “id_provider” is used if it is set and can perform session
1837           related tasks.
1838
1839           NOTE: In order to have this feature working as expected SSSD must
1840           be running as "root" and not as the unprivileged user.
1841
1842       autofs_provider (string)
1843           The autofs provider used for the domain. Supported autofs providers
1844           are:
1845
1846           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1847           information on configuring LDAP.
1848
1849           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1850           more information on configuring IPA.
1851
1852           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1853           information on configuring the AD provider.
1854
1855           “none” disables autofs explicitly.
1856
1857           Default: The value of “id_provider” is used if it is set.
1858
1859       hostid_provider (string)
1860           The provider used for retrieving host identity information.
1861           Supported hostid providers are:
1862
1863           “ipa” to load host identity stored in an IPA server. See sssd-
1864           ipa(5) for more information on configuring IPA.
1865
1866           “none” disables hostid explicitly.
1867
1868           Default: The value of “id_provider” is used if it is set.
1869
1870       resolver_provider (string)
1871           The provider which should handle hosts and networks lookups.
1872           Supported resolver providers are:
1873
1874           “proxy” to forward lookups to another NSS library. See
1875           “proxy_resolver_lib_name”
1876
1877           “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1878           for more information on configuring LDAP.
1879
1880           “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1881           more information on configuring the AD provider.
1882
1883           “none” disallows fetching hosts and networks explicitly.
1884
1885           Default: The value of “id_provider” is used if it is set.
1886
1887       re_expression (string)
1888           Regular expression for this domain that describes how to parse the
1889           string containing user name and domain into these components. The
1890           "domain" can match either the SSSD configuration domain name, or,
1891           in the case of IPA trust subdomains and Active Directory domains,
1892           the flat (NetBIOS) name of the domain.
1893
1894           Default for the AD and IPA provider:
1895           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?P<name>[^@\\]+)$))”
1896           which allows three different styles for user names:
1897
1898           •   username
1899
1900           •   username@domain.name
1901
1902           •   domain\username
1903
1904           While the first two correspond to the general default the third one
1905           is introduced to allow easy integration of users from Windows
1906           domains.
1907
1908           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1909           "the name is everything up to the “@” sign, the domain everything
1910           after that"
1911
1912       full_name_format (string)
1913           A printf(3)-compatible format that describes how to compose a fully
1914           qualified name from user name and domain name components.
1915
1916           The following expansions are supported:
1917
1918           %1$s
1919               user name
1920
1921           %2$s
1922               domain name as specified in the SSSD config file.
1923
1924           %3$s
1925               domain flat name. Mostly usable for Active Directory domains,
1926               both directly configured or discovered via IPA trusts.
1927
1928           Default: “%1$s@%2$s”.
1929
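           The following added illustration (not SSSD's own code; parse_name and compose_name are assumed helper names) runs both default re_expression values and a full_name_format over sample login strings. Python's re module rejects a pattern that reuses the group names “name” and “domain”, so the AD/IPA default is split into its three alternatives, tried in the order they appear in the combined expression:

```python
import re
from typing import Optional, Tuple

# Added illustration, not SSSD's own code. parse_name and compose_name are
# assumed helper names for this example.

# General default from sssd.conf(5): the name is everything up to "@",
# the domain everything after it.
GENERAL_DEFAULT = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# AD/IPA default from sssd.conf(5), split into its three alternatives:
# Python's re module rejects a pattern that reuses the group names "name"
# and "domain", whereas the single combined expression shown in the man
# page is accepted by SSSD's PCRE-based matcher.
AD_IPA_ALTERNATIVES = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),  # domain\username
    re.compile(r"(?P<name>.+)@(?P<domain>[^@]+$)"),    # username@domain.name
    re.compile(r"^(?P<name>[^@\\]+)$"),                # username
]

def parse_name(fqname: str, ad_ipa: bool = False) -> Tuple[str, Optional[str]]:
    """Split a login string into (name, domain) using the configured
    re_expression. A missing domain part is returned as None, meaning the
    name is not qualified."""
    patterns = AD_IPA_ALTERNATIVES if ad_ipa else [GENERAL_DEFAULT]
    for pattern in patterns:
        m = pattern.match(fqname)
        if m:
            domain = m.groupdict().get("domain") or None
            return m.group("name"), domain
    raise ValueError(f"name {fqname!r} does not match re_expression")

def compose_name(full_name_format: str, name: str, domain: str, flat: str = "") -> str:
    """Render full_name_format, honouring the printf-style positional
    expansions %1$s (user name), %2$s (domain name), %3$s (flat name)."""
    fields = {"1": name, "2": domain, "3": flat}
    return re.sub(r"%([123])\$s", lambda m: fields[m.group(1)], full_name_format)

if __name__ == "__main__":
    for login in ("alice", "alice@example.com", "EXAMPLE\\alice"):
        print(login, "->", parse_name(login), parse_name(login, ad_ipa=True))
    print(compose_name("%1$s@%2$s", "alice", "example.com"))
    print(compose_name("%3$s\\%1$s", "alice", "example.com", flat="EXAMPLE"))
```

Note that the general default treats “EXAMPLE\alice” as an unqualified user named “EXAMPLE\alice”, which is why the AD and IPA providers ship the extended expression.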
1930       lookup_family_order (string)
1931           Provides the ability to select preferred address family to use when
1932           performing DNS lookups.
1933
1934           Supported values:
1935
1936           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1937
1938           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1939
1940           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1941
1942           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1943
1944           Default: ipv4_first
1945
1946       dns_resolver_server_timeout (integer)
1947           Defines the amount of time (in milliseconds) SSSD tries to talk to
1948           a DNS server before trying the next DNS server.
1949
1950           The AD provider will use this option for the CLDAP ping timeouts as
1951           well.
1952
1953           Please see the section “FAILOVER” for more information about the
1954           service resolution.
1955
1956           Default: 1000
1957
1958       dns_resolver_op_timeout (integer)
1959           Defines the amount of time (in seconds) to wait for a single DNS
1960           query (e.g. resolution of a hostname or an SRV record) before
1961           trying the next hostname or DNS discovery.
1962
1963           Please see the section “FAILOVER” for more information about the
1964           service resolution.
1965
1966           Default: 3
1967
1987       dns_resolver_timeout (integer)
1988           Defines the amount of time (in seconds) to wait for a reply from
1989           the internal fail over service before assuming that the service is
1990           unreachable. If this timeout is reached, the domain will continue
1991           to operate in offline mode.
1992
1993           Please see the section “FAILOVER” for more information about the
1994           service resolution.
1995
1996           Default: 6
1997
1998       dns_discovery_domain (string)
1999           If service discovery is used in the back end, specifies the domain
2000           part of the service discovery DNS query.
2001
2002           Default: Use the domain part of machine's hostname
2003
2004       override_gid (integer)
2005           Override the primary GID value with the one specified.
2006
2007       case_sensitive (string)
2008           Treat user and group names as case sensitive. Possible option
2009           values are:
2010
2011           True
2012               Case sensitive. This value is invalid for the AD provider.
2013
2014           False
2015               Case insensitive.
2016
2017           Preserving
2018               Same as False (case insensitive), but does not lowercase names
2019               in the result of NSS operations. Note that name aliases (and in
2020               case of services also protocol names) are still lowercased in
2021               the output.
2022
2023               If you want to set this value for a trusted domain with the
2024               IPA provider, you need to set it on both the client and the
2025               SSSD on the server.
2026
2027           This option can be also set per subdomain or inherited via
2028           subdomain_inherit.
2029
2030           Default: True (False for AD provider)
2031
2032       subdomain_inherit (string)
2033           Specifies a list of configuration parameters that should be
2034           inherited by a subdomain. Please note that only selected parameters
2035           can be inherited. Currently the following options can be inherited:
2036
2037           ignore_group_members
2038
2039           ldap_purge_cache_timeout
2040
2041           ldap_use_tokengroups
2042
2043           ldap_user_principal
2044
2045           ldap_krb5_keytab (the value of krb5_keytab will be used if
2046           ldap_krb5_keytab is not set explicitly)
2047
2048           auto_private_groups
2049
2050           case_sensitive
2051
2052           Example:
2053
2054               subdomain_inherit = ldap_purge_cache_timeout
2055
2056
2057           Default: none
2058
2059           Note: This option only works with the IPA and AD provider.
2060
2061       subdomain_homedir (string)
2062           Use this homedir as the default value for all subdomains within
2063           this domain in an IPA-AD trust. See override_homedir for info
2064           about possible values. In addition to those, the expansion below
2065           can only be used with subdomain_homedir.
2066
2067           %F
2068               flat (NetBIOS) name of a subdomain.
2069
2070           The value can be overridden by override_homedir option.
2071
2072           Default: /home/%d/%u
2073
2074       realmd_tags (string)
2075           Various tags stored by the realmd configuration service for this
2076           domain.
2077
2078       cached_auth_timeout (int)
2079           Specifies time in seconds since last successful online
2080           authentication for which user will be authenticated using cached
2081           credentials while SSSD is in the online mode. If the credentials
2082           are incorrect, SSSD falls back to online authentication.
2083
2084           This option's value is inherited by all trusted domains. At the
2085           moment it is not possible to set a different value per trusted
2086           domain.
2087
2088           Special value 0 implies that this feature is disabled.
2089
2090           Please note that if “cached_auth_timeout” is longer than
2091           “pam_id_timeout” then the back end could be called to handle
2092           “initgroups.”
2093
2094           Default: 0
2095
2096       auto_private_groups (string)
2097           This option takes any of three available values:
2098
2099           true
2100               Create user's private group unconditionally from user's UID
2101               number. The GID number is ignored in this case.
2102
2103               NOTE: Because the GID number and the user private group are
2104               inferred from the UID number, it is not supported to have
2105               multiple entries with the same UID or GID number with this
2106               option. In other words, enabling this option enforces
2107               uniqueness across the ID space.
2108
2109           false
2110               Always use the user's primary GID number. The GID number must
2111               refer to a group object in the LDAP database.
2112
2113           hybrid
2114               A primary group is autogenerated for user entries whose UID and
2115               GID numbers have the same value and at the same time the GID
2116               number does not correspond to a real group object in LDAP. If
2117               the values are the same, but the primary GID in the user entry
2118               is also used by a group object, the primary GID of the user
2119               resolves to that group object.
2120
2121               If the UID and GID of a user are different, then the GID must
2122               correspond to a group entry, otherwise the GID is simply not
2123               resolvable.
2124
2125               This feature is useful for environments that wish to stop
2126               maintaining separate group objects for the user private
2127               groups, but also wish to retain the existing user private
2128               groups.
2129
2130           For subdomains, the default value is False for subdomains that use
2131           assigned POSIX IDs and True for subdomains that use automatic
2132           ID-mapping.
2133
2134           The value of auto_private_groups can either be set per subdomain
2135           in a subsection, for example:
2136
2137               [domain/forest.domain/sub.domain]
2138               auto_private_groups = false
2139
2140           or globally for all subdomains in the main domain section using the
2141           subdomain_inherit option:
2142
2143               [domain/forest.domain]
2144               subdomain_inherit = auto_private_groups
2145               auto_private_groups = false
2146
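           The following added illustration (not SSSD's own code; resolve_primary_gid and find_id_conflicts are assumed helper names, and the sample IDs are constructed) works through the three auto_private_groups modes above, including the “hybrid” case where the outcome depends on whether a real group object with the user's GID exists, and the uniqueness requirement that “true” imposes on the ID space:

```python
from typing import Dict, Optional, Set, Tuple

# Added illustration, not SSSD's own code. resolve_primary_gid and
# find_id_conflicts are assumed helper names modelling the three
# auto_private_groups modes described in sssd.conf(5).

def resolve_primary_gid(mode: str, uid: int, gid: int,
                        group_gids: Set[int]) -> Optional[Tuple[int, str]]:
    """Return (gid, "private" | "group") for the user's primary group, or
    None when the primary GID is not resolvable. group_gids holds the GID
    numbers that exist as real group objects in LDAP."""
    mode = mode.lower()
    if mode == "true":
        # Private group derived from the UID; the entry's GID is ignored.
        return (uid, "private")
    if mode == "false":
        # The GID must refer to a real group object.
        return (gid, "group") if gid in group_gids else None
    if mode == "hybrid":
        if uid == gid:
            # Equal IDs: a real group with that GID wins, otherwise a
            # private group is generated.
            return (gid, "group") if gid in group_gids else (uid, "private")
        # Different IDs: only a real group object can be the primary group.
        return (gid, "group") if gid in group_gids else None
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")

def find_id_conflicts(user_uids: Dict[str, int], group_gids: Set[int]) -> Set[int]:
    """With auto_private_groups = true every UID also becomes a GID, so a
    duplicate UID, or a real group sharing a number with some UID, breaks
    the uniqueness the man page requires. Returns the offending numbers."""
    seen: Set[int] = set()
    conflicts: Set[int] = set()
    for uid in user_uids.values():
        if uid in seen or uid in group_gids:
            conflicts.add(uid)
        seen.add(uid)
    return conflicts

# Constructed sample directory: three real group objects exist in LDAP.
GROUP_GIDS = {1000, 2000, 5000}

if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        print(mode, resolve_primary_gid(mode, 1001, 1001, GROUP_GIDS),
              resolve_primary_gid(mode, 1001, 3000, GROUP_GIDS))
    print(find_id_conflicts({"alice": 1000, "bob": 1001, "carol": 1001}, GROUP_GIDS))
```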
2147
2148       Options valid for proxy domains.
2149
2150       proxy_pam_target (string)
2151           The proxy target PAM proxies to.
2152
2153           Default: not set. You have to use an existing PAM configuration
2154           or create a new one and add its service name here.
2155
2156       proxy_lib_name (string)
2157           The name of the NSS library to use in proxy domains. The NSS
2158           functions searched for in the library are in the form of
2159           _nss_$(libName)_$(function), for example _nss_files_getpwent.
2160
2161       proxy_resolver_lib_name (string)
2162           The name of the NSS library to use for hosts and networks lookups
2163           in proxy domains. The NSS functions searched for in the library are
2164           in the form of _nss_$(libName)_$(function), for example
2165           _nss_dns_gethostbyname2_r.
2166
2167       proxy_fast_alias (boolean)
2168           When a user or group is looked up by name in the proxy provider, a
2169           second lookup by ID is performed to "canonicalize" the name in case
2170           the requested name was an alias. Setting this option to true
2171           causes SSSD to perform the ID lookup from the cache for performance
2172           reasons.
2173
2174           Default: false
2175
2176       proxy_max_children (integer)
2177           This option specifies the number of pre-forked proxy children. It
2178           is useful for high-load SSSD environments where sssd may run out of
2179           available child slots, which would cause some issues due to the
2180           requests being queued.
2181
2182           Default: 10
2183
2184   Application domains
2185       SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
2186       applications as a gateway to an LDAP directory where users and groups
2187       are stored. However, contrary to the traditional SSSD deployment where
2188       all users and groups either have POSIX attributes or those attributes
2189       can be inferred from the Windows SIDs, in many cases the users and
2190       groups in the application support scenario have no POSIX attributes.
2191       Instead of setting a “[domain/NAME]” section, the administrator can set
2192       up an “[application/NAME]” section that internally represents a domain
2193       with type “application” and optionally inherits settings from a
2194       traditional SSSD domain.
2195
2196       Please note that the application domain must still be explicitly
2197       enabled in the “domains” parameter so that the lookup order between the
2198       application domain and its POSIX sibling domain is set correctly.
2199
2200       Application domain parameters
2201
2202       inherit_from (string)
2203           The SSSD POSIX-type domain the application domain inherits all
2204           settings from. The application domain can moreover add its own
2205           settings to the application settings that augment or override the
2206           “sibling” domain settings.
2207
2208           Default: Not set
2209
2210       The following example illustrates the use of an application domain. In
2211       this setup, the POSIX domain is connected to an LDAP server and is used
2212       by the OS through the NSS responder. In addition, the application
2213       domain also requests the telephoneNumber attribute, stores it as the
2214       phone attribute in the cache and makes the phone attribute reachable
2215       through the D-Bus interface.
2216
2217           [sssd]
2218           domains = appdom, posixdom
2219
2220           [ifp]
2221           user_attributes = +phone
2222
2223           [domain/posixdom]
2224           id_provider = ldap
2225           ldap_uri = ldap://ldap.example.com
2226           ldap_search_base = dc=example,dc=com
2227
2228           [application/appdom]
2229           inherit_from = posixdom
2230           ldap_user_extra_attrs = phone:telephoneNumber
2231

TRUSTED DOMAIN SECTION

       Some options used in the domain section can also be used in the trusted
       domain section, that is, in a section called
       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
       actual joined-to base domain. Please refer to the examples below for an
       explanation. Currently supported options in the trusted domain section
       are:

       ldap_search_base,

       ldap_user_search_base,

       ldap_group_search_base,

       ldap_netgroup_search_base,

       ldap_service_search_base,

       ldap_sasl_mech,

       ad_server,

       ad_backup_server,

       ad_site,

       use_fully_qualified_names,

       pam_gssapi_services,

       pam_gssapi_check_upn

       For more details about these options see their individual descriptions
       in the manual page.


CERTIFICATE MAPPING SECTION

       To allow authentication with Smartcards and certificates, SSSD must be
       able to map certificates to users. This can be done by adding the full
       certificate to the LDAP object of the user or to a local override.
       While using the full certificate is required to use the Smartcard
       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
       details), it might be cumbersome or not even possible to do this for
       the general case where local services use PAM for authentication.

       To make the mapping more flexible, mapping and matching rules were
       added to SSSD (see sss-certmap(5) for details).

       A mapping and matching rule can be added to the SSSD configuration in a
       section of its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
       In this section the following options are allowed:

       matchrule (string)
           Only certificates from the Smartcard which match this rule will be
           processed; all others are ignored.

           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
           the Extended Key Usage “clientAuth”.

       maprule (string)
           Defines how the user is found for a given certificate.

           Default:

           •   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
               providers like “ldap”, “AD” or “ipa”.

           •   The RULE_NAME for the “files” provider, which tries to find a
               user with the same name.


       domains (string)
           Comma separated list of domain names the rule should be applied
           to. By default a rule is only valid in the domain configured in
           sssd.conf. If the provider supports subdomains, this option can be
           used to add the rule to subdomains as well.

           Default: the configured domain in sssd.conf

       priority (integer)
           Unsigned integer value defining the priority of the rule. The
           higher the number, the lower the priority.  “0” stands for the
           highest priority while “4294967295” is the lowest.

           Default: the lowest priority

       To make the configuration simple and reduce the amount of configuration
       options, the “files” provider has some special properties:

       •   if maprule is not set, the RULE_NAME is assumed to be the name of
           the matching user

       •   if a maprule is used, either a single user name or a template like
           “{subject_rfc822_name.short_name}” must be in braces, e.g.
           “(username)” or “({subject_rfc822_name.short_name})”

       •   the “domains” option is ignored


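       As an added example (not SSSD's own code), the following Python models
       how the certmap defaults, the “domains” option and the priority
       ordering described above apply to a constructed sssd.conf fragment,
       including the special cases of the “files” provider; the section names
       and rule values are constructed for the example.

```python
import configparser

# Documented defaults for [certmap/DOMAIN_NAME/RULE_NAME]; priority 0 is highest.
DEFAULT_MATCHRULE = "KRB5:<EKU>clientAuth"
DEFAULT_MAPRULE = "LDAP:(userCertificate;binary={cert!bin})"
LOWEST_PRIORITY = 4294967295  # the default when no priority is set

# Constructed sssd.conf fragment for this example (not a real deployment).
SAMPLE_CONF = """
[domain/my.domain]
id_provider = ldap
[domain/files]
id_provider = files
[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10
[certmap/my.domain/strict]
priority = 0
[certmap/my.domain/catch_all]
[certmap/files/myname]
domains = ignored.domain
"""

def load_certmap_rules(conf_text):
    # Return rules with defaults applied, in evaluation order (lower number first).
    cp = configparser.ConfigParser(interpolation=None)  # rules contain '{', '$', '<'
    cp.read_string(conf_text)
    rules = []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue
        _, domain, rule_name = parts
        sec = cp[section]
        if cp.get(f"domain/{domain}", "id_provider", fallback=None) == "files":
            # files provider: RULE_NAME is the user name and "domains" is ignored.
            maprule, domains = sec.get("maprule", rule_name), [domain]
        else:
            maprule = sec.get("maprule", DEFAULT_MAPRULE)
            domains = [d.strip() for d in sec.get("domains", domain).split(",")]
        rules.append({"name": rule_name, "matchrule": sec.get("matchrule", DEFAULT_MATCHRULE),
                      "maprule": maprule, "domains": domains,
                      "priority": int(sec.get("priority", LOWEST_PRIORITY))})
    return sorted(rules, key=lambda r: r["priority"])  # stable: ties keep file order

def rules_for_domain(conf_text, domain):
    # Rules applying to DOMAIN, honouring the "domains" option that extends a rule to subdomains.
    return [r for r in load_certmap_rules(conf_text) if domain in r["domains"]]
```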

PROMPTING CONFIGURATION SECTION

       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
       SSSD's PAM module pam_sss will ask SSSD to figure out which
       authentication methods are available for the user trying to log in.
       Based on the results, pam_sss will prompt the user for the appropriate
       credentials.

       With the growing number of authentication methods and the possibility
       that there are multiple ones for a single user, the heuristic used by
       pam_sss to select the prompting might not be suitable for all use
       cases. The following options provide more flexibility here.

       Each supported authentication method has its own configuration
       subsection under “[prompting/...]”. Currently there are:

       [prompting/password]
           to configure password prompting; allowed options are:

           password_prompt
               to change the string of the password prompt


       [prompting/2fa]
           to configure two-factor authentication prompting; allowed options
           are:

           first_prompt
               to change the string of the prompt for the first factor

           second_prompt
               to change the string of the prompt for the second factor

           single_prompt
               boolean value; if true there will be only a single prompt,
               using the value of first_prompt, where it is expected that
               both factors are entered as a single string. Please note that
               both factors have to be entered here, even if the second
               factor is optional.

           If the second factor is optional and it should be possible to log
           in either only with the password or with both factors, two-step
           prompting has to be used.

       It is possible to add a subsection for specific PAM services, e.g.
       “[prompting/password/sshd]”, to individually change the prompting for
       this service.

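       An added example, not part of the SSSD sources: the following Python
       resolves which prompts result from the “[prompting/...]” sections above
       for a given PAM service, with the per-service subsection overriding the
       method-wide one and single_prompt collapsing the two factors into one
       prompt; the configuration values and the fallback prompt strings are
       assumptions constructed for the example.

```python
import configparser

# Constructed sssd.conf fragment for this example (not a real deployment).
SAMPLE_CONF = """
[prompting/password]
password_prompt = Password:
[prompting/2fa]
first_prompt = Password:
second_prompt = One-time code (empty if you have none):
single_prompt = false
[prompting/2fa/sshd]
single_prompt = true
first_prompt = Password followed by one-time code:
"""

def prompting_options(conf_text, method, service):
    # Effective options: [prompting/METHOD] overridden by [prompting/METHOD/SERVICE].
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    opts = {}
    for section in (f"prompting/{method}", f"prompting/{method}/{service}"):
        if cp.has_section(section):
            opts.update(cp[section])
    return opts

def prompts_for(conf_text, method, service, second_factor_optional=False):
    # Prompt strings shown, in order, for METHOD on PAM service SERVICE.
    opts = prompting_options(conf_text, method, service)
    if method == "password":
        return [opts.get("password_prompt", "Password:")]  # fallback string is an assumption
    if method != "2fa":
        raise ValueError(f"no prompting subsection documented for {method}")
    single = opts.get("single_prompt", "false").lower() in ("true", "1", "yes", "on")
    if single and second_factor_optional:
        # A single prompt requires both factors; an optional second factor needs two-step prompting.
        raise ValueError(f"[prompting/2fa/{service}]: single_prompt cannot be used "
                         "when the second factor is optional")
    prompts = [opts.get("first_prompt", "First factor:")]  # fallback strings are assumptions
    if not single:
        prompts.append(opts.get("second_prompt", "Second factor:"))
    return prompts
```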

EXAMPLES

       1. The following example shows a typical SSSD config. It does not
       describe configuration of the domains themselves; refer to the
       documentation on configuring domains for more details.

           [sssd]
           domains = LDAP
           services = nss, pam
           config_file_version = 2

           [nss]
           filter_groups = root
           filter_users = root

           [pam]

           [domain/LDAP]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           auth_provider = krb5
           krb5_server = kerberos.example.com
           krb5_realm = EXAMPLE.COM
           cache_credentials = true

           min_id = 10000
           max_id = 20000
           enumerate = False

       2. The following example shows the configuration of an IPA-AD trust
       where the AD forest consists of two domains in a parent-child
       structure. Suppose the IPA domain (ipa.com) has a trust with the AD
       domain (ad.com), and ad.com has a child domain (child.ad.com). To
       enable short names in the child domain the following configuration
       should be used.

           [domain/ipa.com/child.ad.com]
           use_fully_qualified_names = false

       3. The following example shows the configuration for two certificate
       mapping rules. The first is valid for the configured domain “my.domain”
       and additionally for the subdomain “your.domain”, and uses the full
       certificate in the search filter. The second example is valid for the
       domain “files”, where it is assumed the files provider is used for this
       domain, and contains a matching rule for the local user “myname”.

           [certmap/my.domain/rule_name]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
           maprule = (userCertificate;binary={cert!bin})
           domains = my.domain, your.domain
           priority = 10

           [certmap/files/myname]
           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$



SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).


AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              07/04/2022                      SSSD.CONF(5)