SSSD.CONF(5)                  File Formats and Conventions                  SSSD.CONF(5)

sssd.conf - the configuration file for SSSD

The file has an ini-style syntax and consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. An example of a section with single and multi-valued parameters:

    [section]
    key = value
    key2 = value2,value3

The data types used are string (no quotes needed), integer and bool (with values of “TRUE/FALSE”).

A comment line starts with a hash sign (“#”) or a semicolon (“;”). Inline comments are not supported.

All sections can have an optional description parameter. Its function is only as a label for the section.

sssd.conf must be a regular file, owned by root, and only root may read from or write to the file.

The configuration file sssd.conf will include configuration snippets from the include directory conf.d. This feature is available if SSSD was compiled with libini version 1.3.0 or later.

Any file placed in conf.d that ends in “.conf” and does not begin with a dot (“.”) will be used together with sssd.conf to configure SSSD.

The configuration snippets from conf.d have higher priority than sssd.conf and will override sssd.conf when conflicts occur. If several snippets are present in conf.d, they are included in alphabetical order (based on locale). Files included later have higher priority. Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help visualize the priority (a higher number means higher priority).

The snippet files require the same owner and permissions as sssd.conf, which are by default root:root and 0600.

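The following script is an added example, not part of SSSD, that applies the snippet rules just described (only “*.conf” files that do not start with a dot, sorted by name, later files winning) to a constructed sssd.conf plus conf.d tree, and checks each file against the required owner and 0600 mode. Sorting is plain codepoint order, which only approximates SSSD's locale-based ordering, and the sample tree, file names and values are constructed for the demonstration.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path


def snippet_order(confd: Path) -> list:
    """Eligible conf.d snippets in the order they are applied: only regular
    '*.conf' files whose name does not start with a dot, sorted by name
    (plain codepoint order here; SSSD sorts according to the locale)."""
    files = [p for p in confd.iterdir()
             if p.is_file() and p.suffix == ".conf" and not p.name.startswith(".")]
    return sorted(files, key=lambda p: p.name)


def effective_config(sssd_conf: Path, confd: Path) -> dict:
    """Merge sssd.conf with its snippets; a later file wins on conflicts."""
    merged = {}
    sources = [sssd_conf] + (snippet_order(confd) if confd.is_dir() else [])
    for path in sources:
        parser = configparser.ConfigParser(
            interpolation=None,             # keep "%1$s"-style values literal
            comment_prefixes=("#", ";"),    # full-line comments only
            inline_comment_prefixes=None)   # inline comments are not supported
        parser.optionxform = str            # do not lower-case option names
        parser.read(path)
        for section in parser.sections():
            merged.setdefault(section, {}).update(parser[section])
    return merged


def owner_of(path: Path) -> tuple:
    """(uid, gid) of a file, used to build the expected owner for checks."""
    st = path.lstat()
    return st.st_uid, st.st_gid


def ownership_problems(path: Path, uid: int = 0, gid: int = 0) -> list:
    """Deviations from 'regular file, owned by uid:gid, mode 0600', which is
    what the page requires (root:root, 0600) for sssd.conf and every snippet."""
    st = path.lstat()
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append(f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"mode {mode:04o}, expected 0600")
    return problems


def build_demo_tree() -> Path:
    """Constructed sample tree (not a real deployment): sssd.conf plus two
    real snippets, one dotfile and one non-.conf file in conf.d."""
    root = Path(tempfile.mkdtemp())
    (root / "sssd.conf").write_text(
        "[sssd]\nservices = nss, pam\ndomains = example.com\n\n"
        "[domain/example.com]\ndebug_level = 2\n")
    confd = root / "conf.d"
    confd.mkdir()
    (confd / "01_debug.conf").write_text("[domain/example.com]\ndebug_level = 6\n")
    (confd / "02_debug.conf").write_text("[domain/example.com]\ndebug_level = 9\n")
    (confd / ".hidden.conf").write_text("[sssd]\ndomains = ignored\n")  # skipped: dotfile
    (confd / "notes.txt").write_text("[sssd]\ndomains = ignored\n")     # skipped: not .conf
    for p in [root / "sssd.conf", *confd.iterdir()]:
        os.chmod(p, 0o600)
    os.chmod(confd / "02_debug.conf", 0o644)   # deliberately too permissive
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    uid, gid = owner_of(root / "sssd.conf")
    print("snippets:", [p.name for p in snippet_order(root / "conf.d")])
    print("effective:", effective_config(root / "sssd.conf", root / "conf.d"))
    for p in [root / "sssd.conf", *snippet_order(root / "conf.d")]:
        print(p.name, ownership_problems(p, uid, gid) or "ok")
```

Against a real system, call ownership_problems with uid=0, gid=0 on /etc/sssd/sssd.conf and each file returned by snippet_order.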
The following options are usable in more than one configuration section.

Options usable in all sections
   debug_level (integer)
       SSSD supports two representations for specifying the debug level. The simplest is to specify a decimal value from 0-9, which represents enabling that level and all lower-level debug messages. The more comprehensive option is to specify a hexadecimal bitmask to enable or disable specific levels (such as if you wish to suppress a level).

       Please note that each SSSD service logs into its own log file. Also please note that enabling “debug_level” in the “[sssd]” section only enables debugging for the sssd process itself, not for the responder or provider processes. The “debug_level” parameter should be added to all sections that you wish to produce debug logs from.

       In addition to changing the log level in the config file using the “debug_level” parameter, which is persistent but requires an SSSD restart, it is also possible to change the debug level on the fly using the sss_debuglevel(8) tool.

       Currently supported debug levels:

       0, 0x0010: Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running.

       1, 0x0020: Critical failures. An error that doesn't kill SSSD, but one that indicates that at least one major feature is not going to work properly.

       2, 0x0040: Serious failures. An error announcing that a particular request or operation has failed.

       3, 0x0080: Minor failures. These are the errors that would percolate down to cause the operation failure of 2.

       4, 0x0100: Configuration settings.

       5, 0x0200: Function data.

       6, 0x0400: Trace messages for operation functions.

       7, 0x1000: Trace messages for internal control functions.

       8, 0x2000: Contents of function-internal variables that may be interesting.

       9, 0x4000: Extremely low-level tracing information.

       9, 0x20000: Performance and statistical data. Please note that due to the way requests are processed internally, the logged execution time of a request might be longer than it actually was.

       10, 0x10000: Even more low-level libldb tracing information. Almost never really required.

       To log the required bitmask debug levels, simply add their numbers together as shown in the following examples:

       Example: To log fatal failures, critical failures, serious failures and function data use 0x0270.

       Example: To log fatal failures, configuration settings, function data and trace messages for internal control functions use 0x1310.

       Note: The bitmask format of debug levels was introduced in 1.7.0.

       Default: 0x0070 (i.e. fatal, critical and serious failures; corresponds to setting 2 in decimal notation)

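As an added example (not SSSD's own code), the helpers below convert between the two debug_level representations using the level table above: they build a bitmask from named message classes, decode a mask back into what it enables (flagging bits the table does not list), and derive a mask from a decimal level. The decimal conversion implements the page's definition ("that level and all lower-level messages") over this table and reproduces the documented default (2 -> 0x0070); treating it as exact for every level is an assumption.

```python
# (decimal level, bitmask, description) exactly as listed on the page
DEBUG_LEVELS = [
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing information"),
    (9, 0x20000, "performance and statistical data"),
    (10, 0x10000, "even more low-level libldb tracing information"),
]
# every bit the page documents (the masks are distinct bits, so sum == OR)
KNOWN_BITS = sum(mask for _, mask, _ in DEBUG_LEVELS)


def mask_for(*descriptions: str) -> int:
    """OR together the bits of the named message classes, e.g. the page's
    0x0270 example = fatal + critical + serious failures + function data."""
    wanted = {d.lower() for d in descriptions}
    mask = 0
    for _, bit, desc in DEBUG_LEVELS:
        if desc in wanted:
            mask |= bit
            wanted.discard(desc)
    if wanted:
        raise ValueError(f"unknown debug classes: {sorted(wanted)}")
    return mask


def decimal_to_mask(level: int) -> int:
    """Decimal level n = every class in the table with level <= n
    (the page's definition; assumed exact for all levels)."""
    if not 0 <= level <= 10:
        raise ValueError("decimal debug_level must be between 0 and 10")
    mask = 0
    for lvl, bit, _ in DEBUG_LEVELS:
        if lvl <= level:
            mask |= bit
    return mask


def describe_mask(mask: int) -> list:
    """Human-readable list of what a hexadecimal debug_level enables."""
    enabled = [desc for _, bit, desc in DEBUG_LEVELS if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        enabled.append(f"unknown bits 0x{unknown:x}")
    return enabled


def parse_debug_level(value: str) -> int:
    """Config value to effective mask: a 0x-prefixed value is a bitmask,
    anything else is taken as the decimal level."""
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)
    return decimal_to_mask(int(value))


if __name__ == "__main__":
    print(hex(mask_for("fatal failures", "critical failures",
                       "serious failures", "function data")))      # 0x270
    print(hex(decimal_to_mask(2)))                                  # 0x70
    print(describe_mask(parse_debug_level("0x1310")))
```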
   debug (integer)
       SSSD 1.14 and later also includes the debug alias for debug_level as a convenience feature. If both are specified, the value of debug_level will be used.

   debug_timestamps (bool)
       Add a timestamp to the debug messages. If journald is enabled for SSSD debug logging this option is ignored.

       Default: true

   debug_microseconds (bool)
       Add microseconds to the timestamp in debug messages. If journald is enabled for SSSD debug logging this option is ignored.

       Default: false

   debug_backtrace_enabled (bool)
       Enable debug backtrace.

       In case SSSD is run with debug_level less than 9, everything is logged to a ring buffer in memory and flushed to a log file on any error up to and including `min(0x0040, debug_level)` (i.e. if debug_level is explicitly set to 0 or 1 then only those error levels will trigger a backtrace, otherwise up to 2).

       The feature is only supported for `logger == files` (i.e. the setting has no effect for other logger types).

       Default: true

Options usable in SERVICE and DOMAIN sections
   timeout (integer)
       Timeout in seconds between heartbeats for this service. This is used to ensure that the process is alive and capable of answering requests. Note that after three missed heartbeats the process will terminate itself.

       Default: 10

The [sssd] section
   Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. The services are managed by a special service frequently called “monitor”. The “[sssd]” section is used to configure the monitor as well as some other important options like the identity domains.

   Section parameters

   config_file_version (integer)
       Indicates the syntax version of the config file. SSSD 0.6.0 and later use version 2.

   services
       Comma separated list of services that are started when sssd itself starts. The services list is optional on platforms where systemd is supported, as they will either be socket or D-Bus activated when needed.

       Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

       By default, all services are disabled and the administrator must enable the ones allowed to be used by executing: "systemctl enable sssd-@service@.socket".

   reconnection_retries (integer)
       Number of times services should attempt to reconnect in the event of a Data Provider crash or restart before they give up.

       Default: 3

   domains
       A domain is a database containing user information. SSSD can use several domains at the same time, but at least one must be configured or SSSD won't start. This parameter describes the list of domains in the order you want them to be queried. A domain name is recommended to contain only alphanumeric ASCII characters, dashes, dots and underscores. The '/' character is forbidden.

   re_expression (string)
       Default regular expression that describes how to parse the string containing user name and domain into these components.

       Each domain can have an individual regular expression configured. For some ID providers there are also default regular expressions. See DOMAIN SECTIONS for more info on these regular expressions.

   full_name_format (string)
       A printf(3)-compatible format that describes how to compose a fully qualified name from user name and domain name components.

       The following expansions are supported:

       %1$s
           user name

       %2$s
           domain name as specified in the SSSD config file.

       %3$s
           domain flat name. Mostly usable for Active Directory domains, both directly configured or discovered via IPA trusts.

       Each domain can have an individual format string configured. See DOMAIN SECTIONS for more info on this option.

   monitor_resolv_conf (boolean)
       Controls if SSSD should monitor the state of resolv.conf to identify when it needs to update its internal DNS resolver.

       Default: true

   try_inotify (boolean)
       By default, SSSD will attempt to use inotify to monitor configuration file changes and will fall back to polling every five seconds if inotify cannot be used.

       There are some limited situations where it is preferred that we should skip even trying to use inotify. In these rare cases, this option should be set to 'false'.

       Default: true on platforms where inotify is supported. False on other platforms.

       Note: this option will have no effect on platforms where inotify is unavailable. On these platforms, polling will always be used.

   krb5_rcache_dir (string)
       Directory on the filesystem where SSSD should store Kerberos replay cache files.

       This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct SSSD to let libkrb5 decide the appropriate location for the replay cache.

       Default: Distribution-specific and specified at build-time. (__LIBKRB5_DEFAULTS__ if not configured)

   user (string)
       The user to drop the privileges to where appropriate to avoid running as the root user. This option does not work when running socket-activated services, as the user set up to run the processes is set up at compilation time. The way to override the systemd unit files is by creating the appropriate files in /etc/systemd/system/. Keep in mind that any change in the socket user, group or permissions may result in a non-usable SSSD. The same may occur in case of changes of the user running the NSS responder.

       Default: not set, process will run as root

   default_domain_suffix (string)
       This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well.

       Please note that if this option is set, all users from the primary domain have to use their fully qualified name, e.g. user@domain.name, to log in. Setting this option changes the default of use_fully_qualified_names to True. It is not allowed to use this option together with use_fully_qualified_names set to False. One exception from this rule are domains with “id_provider=files” that always try to match the behaviour of nss_files and therefore their output is not qualified even when the default_domain_suffix option is used.

       Default: not set

   override_space (string)
       This parameter will replace spaces (space bar) with the given character, e.g. (_), for user and group names. User name "john doe" will be "john_doe". This feature was added to help compatibility with shell scripts that have difficulty handling spaces, due to the default field separator in the shell.

       Please note it is a configuration error to use a replacement character that might be used in user or group names. If a name contains the replacement character SSSD tries to return the unmodified name, but in general the result of a lookup is undefined.

       Default: not set (spaces will not be replaced)

   certificate_verification (string)
       With this parameter the certificate verification can be tuned with a comma separated list of options. Supported options are:

       no_ocsp
           Disables Online Certificate Status Protocol (OCSP) checks. This might be needed if the OCSP servers defined in the certificate are not reachable from the client.

       soft_ocsp
           If a connection cannot be established to an OCSP responder the OCSP check is skipped. This option should be used to allow authentication when the system is offline and the OCSP responder cannot be reached.

       ocsp_dgst
           Digest (hash) function used to create the certificate ID for the OCSP request. Allowed values are:

           • sha1

           • sha256

           • sha384

           • sha512

           Default: sha1 (to allow compatibility with RFC5019-compliant responders)

       no_verification
           Disables verification completely. This option should only be used for testing.

       partial_chain
           Allow verification to succeed even if a complete chain cannot be built to a self-signed trust-anchor, provided it is possible to construct a chain to a trusted certificate that might not be self-signed.

       ocsp_default_responder=URL
           Sets the OCSP default responder which should be used instead of the one mentioned in the certificate. URL must be replaced with the URL of the OCSP default responder, e.g. http://example.com:80/ocsp.

       ocsp_default_responder_signing_cert=NAME
           This option is currently ignored. All needed certificates must be available in the PEM file given by pam_cert_db_path.

       crl_file=/PATH/TO/CRL/FILE
           Use the Certificate Revocation List (CRL) from the given file during the verification of the certificate. The CRL must be given in PEM format, see crl(1ssl) for details.

       soft_crl
           If a Certificate Revocation List (CRL) is expired, ignore the CRL checks for the related certificates. This option should be used to allow authentication when the system is offline and the CRL cannot be renewed.

       Unknown options are reported but ignored.

       Default: not set, i.e. do not restrict certificate verification

   disable_netlink (boolean)
       SSSD hooks into the netlink interface to monitor changes to routes, addresses and links, and to trigger certain actions.

       The SSSD state changes caused by netlink events may be undesirable and can be disabled by setting this option to 'true'.

       Default: false (netlink changes are detected)

   enable_files_domain (boolean)
       When this option is enabled, SSSD prepends an implicit domain with “id_provider=files” before any explicitly configured domains.

       Default: false

   domain_resolution_order
       Comma separated list of domains and subdomains representing the lookup order that will be followed. The list doesn't have to include all possible domains, as the missing domains will be looked up based on the order they're presented in the “domains” configuration option. The subdomains which are not listed as part of “lookup_order” will be looked up in a random order for each parent domain.

       Please note that when this option is set, the output format of all commands is always fully-qualified even when using short names for input, for all users but the ones managed by the files provider. In case the administrator wants the output not fully-qualified, the full_name_format option can be used as shown here: “full_name_format=%1$s”. However, keep in mind that during login, login applications often canonicalize the username by calling getpwnam(3) which, if a shortname is returned for a qualified input (while trying to reach a user which exists in multiple domains), might re-route the login attempt into the domain which uses shortnames. This workaround is therefore not recommended in cases where usernames may overlap between domains.

       Default: Not set

   implicit_pac_responder (boolean)
       The PAC responder is enabled automatically for the IPA and AD provider to evaluate and check the PAC. If it has to be disabled, set this option to 'false'.

       Default: true

   core_dumpable (boolean)
       This option can be used for general system hardening: setting it to 'false' forbids core dumps for all SSSD processes to avoid leaking plain text passwords. See the man page prctl:PR_SET_DUMPABLE for details.

       Default: true

Settings that can be used to configure different services are described in this section. They should reside in the [$NAME] section; for example, for the NSS service, the section would be “[nss]”.

General service configuration options
   These options can be used to configure any service.

   reconnection_retries (integer)
       Number of times services should attempt to reconnect in the event of a Data Provider crash or restart before they give up.

       Default: 3

   fd_limit
       This option specifies the maximum number of file descriptors that may be opened at one time by this SSSD process. On systems where SSSD is granted the CAP_SYS_RESOURCE capability, this will be an absolute setting. On systems without this capability, the resulting value will be the lower value of this or the limits.conf "hard" limit.

       Default: 8192 (or limits.conf "hard" limit)

   client_idle_timeout
       This option specifies the number of seconds that a client of an SSSD process can hold onto a file descriptor without communicating on it. This value is limited in order to avoid resource exhaustion on the system. The timeout can't be shorter than 10 seconds. If a lower value is configured, it will be adjusted to 10 seconds.

       Default: 60, KCM: 300

   offline_timeout (integer)
       When SSSD switches to offline mode, the amount of time before it tries to go back online will increase based upon the time spent disconnected. By default SSSD uses incremental behaviour to calculate the delay between retries, so the wait time for a given retry will be longer than the wait time for the previous ones. After each unsuccessful attempt to go online, the new interval is recalculated by the following:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset]

       The offline_timeout default value is 60. The offline_timeout_max default value is 3600. The offline_timeout_random_offset default value is 30. The end result is the number of seconds before the next retry.

       Note that the maximum length of each interval is defined by offline_timeout_max (apart from the random part).

       Default: 60

   offline_timeout_max (integer)
       Controls by how much the time between attempts to go online can be incremented following unsuccessful attempts to go online.

       A value of 0 disables the incrementing behaviour.

       The value of this parameter should be set in correlation to the offline_timeout parameter value.

       With offline_timeout set to 60 (default value) there is no point in setting offline_timeout_max to less than 120, as it will saturate instantly. The general rule here should be to set offline_timeout_max to at least 4 times offline_timeout.

       Although a value between 0 and offline_timeout may be specified, it has the effect of overriding the offline_timeout value, so it is of little use.

       Default: 3600

   offline_timeout_random_offset (integer)
       When SSSD is in offline mode it keeps probing backend servers in specified time intervals:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0...offline_timeout_random_offset]

       This parameter controls the value of the random offset used in the above equation. The final random_offset value will be a random number in the range:

           [0 - offline_timeout_random_offset]

       A value of 0 disables the random offset addition.

       Default: 30

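To see what the three offline_timeout* options produce together, here is an added example (not SSSD's own code) that plays out the formula above for a given number of failed reconnect attempts. It applies the page's formula literally; two details the page does not spell out are taken as assumptions: the first wait is offline_timeout itself plus the random part, and offline_timeout_max = 0 means the delay is simply not doubled.

```python
import random


def retry_schedule(attempts: int, offline_timeout: int = 60,
                   offline_timeout_max: int = 3600,
                   offline_timeout_random_offset: int = 30,
                   seed=None) -> list:
    """Seconds to wait before each of `attempts` attempts to go back online,
    following new_delay = min(old_delay * 2, offline_timeout_max) + random.
    Assumptions: first wait = offline_timeout + random part; a cap of 0
    means no doubling at all.  `seed` only makes the output reproducible."""
    rng = random.Random(seed)

    def jitter() -> int:   # random[0...offline_timeout_random_offset]
        if offline_timeout_random_offset <= 0:
            return 0       # 0 disables the random offset addition
        return rng.randint(0, offline_timeout_random_offset)

    delays = []
    delay = offline_timeout + jitter()
    for _ in range(attempts):
        delays.append(delay)
        if offline_timeout_max == 0:
            delay = offline_timeout + jitter()          # incrementing disabled
        else:
            delay = min(delay * 2, offline_timeout_max) + jitter()
    return delays


def saturates_immediately(offline_timeout: int, offline_timeout_max: int) -> bool:
    """The page's warning: with the cap below 2 * offline_timeout the very
    first doubling already hits offline_timeout_max (and a cap below
    offline_timeout simply replaces it)."""
    return 0 < offline_timeout_max < 2 * offline_timeout


if __name__ == "__main__":
    print(retry_schedule(8, offline_timeout_random_offset=0))   # defaults, no jitter
    print(retry_schedule(8, seed=42))                           # defaults with jitter
    print(retry_schedule(4, offline_timeout_max=30, offline_timeout_random_offset=0))
```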
   responder_idle_timeout
       This option specifies the number of seconds that an SSSD responder process can be up without being used. This value is limited in order to avoid resource exhaustion on the system. The minimum acceptable value for this option is 60 seconds. Setting this option to 0 (zero) means that no timeout will be set up for the responder. This option only has effect when SSSD is built with systemd support and when services are either socket or D-Bus activated.

       Default: 300

   cache_first
       This option specifies whether the responder should query all caches before querying the Data Providers.

       Default: false

NSS configuration options
   These options can be used to configure the Name Service Switch (NSS) service.

   enum_cache_timeout (integer)
       How many seconds nss_sss should cache enumerations (requests for info about all users).

       Default: 120

   entry_cache_nowait_percentage (integer)
       The entry cache can be set to automatically update entries in the background if they are requested beyond a percentage of the entry_cache_timeout value for the domain.

       For example, if the domain's entry_cache_timeout is set to 30s and entry_cache_nowait_percentage is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be returned immediately, but SSSD will go and update the cache on its own, so that future requests will not need to block waiting for a cache update.

       Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for each domain. For performance reasons, this percentage will never reduce the nowait timeout to less than 10 seconds. (0 disables this feature)

       Default: 50

   entry_negative_timeout (integer)
       Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries for invalid database entries, like nonexistent ones) before asking the back end again.

       Default: 15

   local_negative_timeout (integer)
       Specifies for how many seconds nss_sss should keep local users and groups in the negative cache before trying to look them up in the back end again. Setting the option to 0 disables this feature.

       Default: 14400 (4 hours)

   filter_users, filter_groups (string)
       Exclude certain users or groups from being fetched from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain or by a user principal name (UPN).

       NOTE: The filter_groups option doesn't affect inheritance of nested group members, since filtering happens after they are propagated for returning via NSS. E.g. a group having a member group filtered out will still have the member users of the latter listed.

       Default: root

   filter_users_in_groups (bool)
       If you want filtered users to still be group members, set this option to false.

       Default: true

   override_homedir (string)
       Override the user's home directory. You can either provide an absolute value or a template. In the template, the following sequences are substituted:

       %u
           login name

       %U
           UID number

       %d
           domain name

       %f
           fully qualified user name (user@domain)

       %l
           The first letter of the login name.

       %P
           UPN - User Principal Name (name@REALM)

       %o
           The original home directory retrieved from the identity provider.

       %h
           The original home directory retrieved from the identity provider, but in lower case.

       %H
           The value of configure option homedir_substring.

       %%
           a literal '%'

       This option can also be set per-domain.

       example:

           override_homedir = /home/%u

       Default: Not set (SSSD will use the value retrieved from LDAP)

       Please note, the home directory from a specific override for the user, either locally (see sss_override(8)) or centrally managed IPA id-overrides, has a higher precedence and will be used instead of the value given by override_homedir.

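The expansion table above, as an added example (not SSSD's own code) that applies every listed sequence to a template such as the one an override_homedir or fallback_homedir setting would carry. %l is taken as the first character of the login name and %h as %o lower-cased, as the page describes them; the page does not say how SSSD treats an unknown %-sequence, so this version leaves it in place (assumption), and the user, UID and domain values are constructed.

```python
def expand_homedir(template: str, *, user: str, uid: int, domain: str,
                   upn: str = "", orig_home: str = "",
                   homedir_substring: str = "/home") -> str:
    """Substitute the %-sequences from the override_homedir description.
    `homedir_substring` is the value of the option of the same name (%H)."""
    subst = {
        "u": user,                  # login name
        "U": str(uid),              # UID number
        "d": domain,                # domain name
        "f": f"{user}@{domain}",    # fully qualified user name
        "l": user[:1],              # first letter of the login name
        "P": upn,                   # user principal name (name@REALM)
        "o": orig_home,             # home directory from the provider
        "h": orig_home.lower(),     # same, lower-cased
        "H": homedir_substring,     # homedir_substring option
        "%": "%",                   # literal percent sign
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template) and template[i + 1] in subst:
            out.append(subst[template[i + 1]])
            i += 2
        else:
            out.append(ch)   # unknown sequence or trailing '%': kept as-is (assumption)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # constructed sample user; mirrors the page's "/home/%u" example and more
    for tpl in ("/home/%u", "/home/%d/%l/%u", "%H/%U", "/srv%h/%%"):
        print(tpl, "->", expand_homedir(tpl, user="jdoe", uid=1001,
                                        domain="example.com",
                                        orig_home="/Users/JDoe"))
```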
   homedir_substring (string)
       The value of this option will be used in the expansion of the override_homedir option if the template contains the format string %H. An LDAP directory entry can directly contain this template so that this option can be used to expand the home directory path for each client machine (or operating system). It can be set per-domain or globally in the [nss] section. A value specified in a domain section will override one set in the [nss] section.

       Default: /home

   fallback_homedir (string)
       Set a default template for a user's home directory if one is not specified explicitly by the domain's data provider.

       The available values for this option are the same as for override_homedir.

       example:

           fallback_homedir = /home/%u

       Default: not set (no substitution for unset home directories)

   override_shell (string)
       Override the login shell for all users. This option supersedes any other shell options if it takes effect and can be set either in the [nss] section or per-domain.

       Default: not set (SSSD will use the value retrieved from LDAP)

   allowed_shells (string)
       Restrict the user shell to one of the listed values. The order of evaluation is:

       1. If the shell is present in “/etc/shells”, it is used.

       2. If the shell is in the allowed_shells list but not in “/etc/shells”, use the value of the shell_fallback parameter.

       3. If the shell is not in the allowed_shells list and not in “/etc/shells”, a nologin shell is used.

       The wildcard (*) can be used to allow any shell.

       The (*) is useful if you want to use shell_fallback in case the user's shell is not in “/etc/shells” and maintaining a list of all allowed shells in allowed_shells would be too much overhead.

       An empty string for the shell is passed as-is to libc.

       “/etc/shells” is only read on SSSD start up, which means that a restart of SSSD is required in case a new shell is installed.

       Default: Not set. The user shell is automatically used.

   vetoed_shells (string)
       Replace any instance of these shells with the shell_fallback.

   shell_fallback (string)
       The default shell to use if an allowed shell is not installed on the machine.

       Default: /bin/sh

   default_shell
       The default shell to use if the provider does not return one during lookup. This option can be specified globally in the [nss] section or per-domain.

       Default: not set (Return NULL if no shell is specified and rely on libc to substitute something sensible when necessary, usually /bin/sh)

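The shell options above (override_shell, allowed_shells, vetoed_shells, shell_fallback, default_shell) interact, so here is an added example (not SSSD's own code) that applies the documented rules to a shell returned by the provider. The page does not say where vetoed_shells is checked relative to the /etc/shells step; here vetoed shells are replaced before that step, which is an assumption, as is the nologin path.

```python
from typing import Optional, Sequence

NOLOGIN = "/sbin/nologin"    # assumed path of the "nologin shell" from step 3


def resolve_shell(provider_shell: Optional[str], *,
                  etc_shells: Sequence[str],
                  allowed_shells: Sequence[str] = (),
                  vetoed_shells: Sequence[str] = (),
                  shell_fallback: str = "/bin/sh",
                  default_shell: Optional[str] = None,
                  override_shell: Optional[str] = None) -> Optional[str]:
    """Return the shell NSS should hand back for this user.
    `etc_shells` stands in for the contents of /etc/shells read at start-up."""
    if override_shell is not None:
        return override_shell                # supersedes every other option
    if provider_shell is None:
        return default_shell                 # no shell from provider; None -> libc decides
    if provider_shell == "":
        return ""                            # empty string is passed as-is
    if provider_shell in vetoed_shells:
        return shell_fallback                # assumption: vetoed checked before /etc/shells
    if not allowed_shells:
        return provider_shell                # allowed_shells not set: shell used as-is
    if provider_shell in etc_shells:
        return provider_shell                # step 1
    if "*" in allowed_shells or provider_shell in allowed_shells:
        return shell_fallback                # step 2 (wildcard allows any shell)
    return NOLOGIN                           # step 3


if __name__ == "__main__":
    etc = ["/bin/sh", "/bin/bash"]           # constructed /etc/shells contents
    for shell in ("/bin/bash", "/bin/zsh", "/bin/fish", "", None):
        print(repr(shell), "->", resolve_shell(shell, etc_shells=etc,
                                               allowed_shells=["/bin/zsh"],
                                               default_shell="/bin/bash"))
```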
   get_domains_timeout (int)
       Specifies the time in seconds for which the list of subdomains will be considered valid.

       Default: 60

   memcache_timeout (integer)
       Specifies the time in seconds for which records in the in-memory cache will be valid. Setting this option to zero will disable the in-memory cache.

       Default: 300

       WARNING: Disabling the in-memory cache will have a significant negative impact on SSSD's performance and should only be used for testing.

       NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.

   memcache_size_passwd (integer)
       Size (in megabytes) of the data table allocated inside the fast in-memory cache for passwd requests. Setting the size to 0 will disable the passwd in-memory cache.

       Default: 8

       WARNING: A disabled or too small in-memory cache can have a significant negative impact on SSSD's performance.

       NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.

   memcache_size_group (integer)
       Size (in megabytes) of the data table allocated inside the fast in-memory cache for group requests. Setting the size to 0 will disable the group in-memory cache.

       Default: 6

       WARNING: A disabled or too small in-memory cache can have a significant negative impact on SSSD's performance.

       NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.

   memcache_size_initgroups (integer)
       Size (in megabytes) of the data table allocated inside the fast in-memory cache for initgroups requests. Setting the size to 0 will disable the initgroups in-memory cache.

       Default: 10

       WARNING: A disabled or too small in-memory cache can have a significant negative impact on SSSD's performance.

       NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.

   memcache_size_sid (integer)
       Size (in megabytes) of the data table allocated inside the fast in-memory cache for SID related requests. Only SID-by-ID and ID-by-SID requests are currently cached in the fast in-memory cache. Setting the size to 0 will disable the SID in-memory cache.

       Default: 6

       WARNING: A disabled or too small in-memory cache can have a significant negative impact on SSSD's performance.

       NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.

   user_attributes (string)
       Some of the additional NSS responder requests can return more attributes than just the POSIX ones defined by the NSS interface. The list of attributes is controlled by this option. It is handled the same way as the “user_attributes” option of the InfoPipe responder (see sssd-ifp(5) for details) but with no default values.

       To make configuration easier, the NSS responder will check the InfoPipe option if it is not set for the NSS responder.

       Default: not set, fallback to InfoPipe option

   pwfield (string)
       The value that NSS operations that return users or groups will return for the “password” field.

       Default: “*”

       Note: This option can also be set per-domain, which overwrites the value in the [nss] section.

       Default: “not set” (remote domains), “x” (the files domain), “x” (proxy domain with nss_files and sssd-shadowutils target)

PAM configuration options
   These options can be used to configure the Pluggable Authentication Module (PAM) service.

   offline_credentials_expiration (integer)
       If the authentication provider is offline, how long should we allow cached logins (in days since the last successful online login).

       Default: 0 (No limit)

   offline_failed_login_attempts (integer)
       If the authentication provider is offline, how many failed login attempts are allowed.

       Default: 0 (No limit)

   offline_failed_login_delay (integer)
       The time in minutes which has to pass after offline_failed_login_attempts has been reached before a new login attempt is possible.

       If set to 0, the user cannot authenticate offline if offline_failed_login_attempts has been reached. Only a successful online authentication can enable offline authentication again.

       Default: 5

   pam_verbosity (integer)
       Controls what kind of messages are shown to the user during authentication. The higher the number, the more messages are displayed.

       Currently sssd supports the following values:

       0: do not show any message

       1: show only important messages

       2: show informational messages

       3: show all messages and debug information

       Default: 1

   pam_response_filter (string)
       A comma separated list of strings which allows data sent by the PAM responder to the pam_sss PAM module to be removed (filtered). There are different kinds of responses sent to pam_sss, e.g. messages displayed to the user or environment variables which should be set by pam_sss.

       While messages can already be controlled with the help of the pam_verbosity option, this option allows other kinds of responses to be filtered out as well.

       Currently the following filters are supported:

       ENV
           Do not send any environment variables to any service.

       ENV:var_name
           Do not send environment variable var_name to any service.

       ENV:var_name:service
           Do not send environment variable var_name to service.

       The list of strings can either be a complete list of filters, which replaces the defaults, or each element of the list can be prefixed by a '+' or '-' character, which adds the filter to the existing defaults or removes it from the defaults, respectively. Please note that either all list elements must have a '+' or '-' prefix or none. It is considered an error to mix both styles.

       Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i

       Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list

pam_id_timeout (integer)
For any PAM request while SSSD is online, the SSSD will attempt to
immediately update the cached identity information for the user in
order to ensure that authentication takes place with the latest
information.

A complete PAM conversation may perform multiple PAM requests, such
as account management and session opening. This option controls (on
a per-client-application basis) how long (in seconds) we can cache
the identity information to avoid excessive round-trips to the
identity provider.

Default: 5

pam_pwd_expiration_warning (integer)
Display a warning N days before the password expires.

Please note that the backend server has to provide information
about the expiration time of the password. If this information is
missing, sssd cannot display a warning.

If zero is set, then this filter is not applied, i.e. if the
expiration warning was received from the backend server, it will
automatically be displayed.

This setting can be overridden by setting pwd_expiration_warning
for a particular domain.

Default: 0

get_domains_timeout (int)
Specifies the time in seconds for which the list of subdomains will be
considered valid.

Default: 60

pam_trusted_users (string)
Specifies the comma-separated list of UID values or user names that
are allowed to run PAM conversations against trusted domains. Users
not included in this list can only access domains marked as public
with “pam_public_domains”. User names are resolved to UIDs at
startup.

Default: All users are considered trusted by default

Please note that UID 0 is always allowed to access the PAM
responder even in case it is not in the pam_trusted_users list.

pam_public_domains (string)
Specifies the comma-separated list of domain names that are
accessible even to untrusted users.

Two special values for the pam_public_domains option are defined:

all (Untrusted users are allowed to access all domains in the PAM
responder.)

none (Untrusted users are not allowed to access any domains in the
PAM responder.)

Default: none

pam_account_expired_message (string)
Allows a custom expiration message to be set, replacing the default
'Permission denied' message.

Note: Please be aware that the message is only printed for the SSH
service unless pam_verbosity is set to 3 (show all messages and
debug information).

example:

pam_account_expired_message = Account expired, please contact help desk.

Default: none

pam_account_locked_message (string)
Allows a custom lockout message to be set, replacing the default
'Permission denied' message.

example:

pam_account_locked_message = Account locked, please contact help desk.

Default: none

pam_cert_auth (bool)
Enable certificate-based Smartcard authentication. Since this
requires additional communication with the Smartcard, which will
delay the authentication process, this option is disabled by
default.

Default: False

pam_cert_db_path (string)
The path to the certificate database.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)

pam_cert_verification (string)
With this parameter the PAM certificate verification can be tuned
with a comma-separated list of options that override the
“certificate_verification” value in the “[sssd]” section. Supported
options are the same as for “certificate_verification”.

example:

pam_cert_verification = partial_chain

Default: not set, i.e. use the default “certificate_verification”
option defined in the “[sssd]” section.

p11_child_timeout (integer)
How many seconds pam_sss will wait for p11_child to finish.

Default: 10

pam_app_services (string)
Which PAM services are permitted to contact domains of type
“application”.

Default: Not set

pam_p11_allowed_services (integer)
A comma-separated list of PAM service names for which it will be
allowed to use Smartcards.

It is possible to add another PAM service name to the default set
by using “+service_name” or to explicitly remove a PAM service name
from the default set by using “-service_name”. For example, in
order to replace a default PAM service name for authentication with
Smartcards (e.g. “login”) with a custom PAM service name (e.g.
“my_pam_service”), you would use the following configuration:

pam_p11_allowed_services = +my_pam_service, -login

Default: the default set of PAM service names includes:

• login

• su

• su-l

• gdm-smartcard

• gdm-password

• kdm

• sudo

• sudo-i

• gnome-screensaver

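Both pam_response_filter and pam_p11_allowed_services use the same "+"/"-" list syntax against a documented default set. The following added example (not SSSD code) resolves that syntax for both options from a constructed [pam] section and then applies the resulting filters to a PAM environment response; the mixed-style error is documented for pam_response_filter and is assumed to apply to pam_p11_allowed_services as well.

```python
"""Resolve SSSD's "+"/"-" list syntax for pam_response_filter and
pam_p11_allowed_services, then apply the result.  Added example, not
SSSD code; the config text below is constructed for illustration."""
import configparser

# Defaults as documented in sssd.conf(5).
DEFAULT_RESPONSE_FILTER = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
DEFAULT_P11_SERVICES = ["login", "su", "su-l", "gdm-smartcard", "gdm-password",
                        "kdm", "sudo", "sudo-i", "gnome-screensaver"]


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_list(value, defaults):
    """Apply the list semantics: a plain list replaces the defaults; a
    list where every element carries '+' or '-' adds to / removes from
    the defaults.  Mixing both styles raises (documented for
    pam_response_filter; assumed here for pam_p11_allowed_services)."""
    items = split_list(value)
    if not items:
        return list(defaults)
    prefixed = [item[0] in "+-" for item in items]
    if all(prefixed):
        result = list(defaults)
        for item in items:
            name = item[1:]
            if item[0] == "+" and name not in result:
                result.append(name)
            elif item[0] == "-" and name in result:
                result.remove(name)
        return result
    if any(prefixed):
        raise ValueError("mixing prefixed and unprefixed elements: %r" % value)
    return items


def env_allowed(filters, var_name, service):
    """True if the PAM responder may send env var `var_name` to
    `service` under the resolved pam_response_filter list."""
    for flt in filters:
        parts = flt.split(":")
        if parts[0] != "ENV":
            continue  # only ENV filters are defined by the man page
        if len(parts) == 1:
            return False  # bare ENV: no variables to any service
        if parts[1] == var_name and (len(parts) == 2 or parts[2] == service):
            return False
    return True


# Constructed [pam] section exercising both styles from the man page.
SAMPLE_CONF = """
[pam]
pam_response_filter = -ENV:KRB5CCNAME:sudo-i
pam_p11_allowed_services = +my_pam_service, -login
"""


def load_pam_section(text=SAMPLE_CONF):
    """Parse the ini text and return the effective lists for both options."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    pam = parser["pam"]
    return {
        "response_filter": resolve_list(pam.get("pam_response_filter", ""),
                                        DEFAULT_RESPONSE_FILTER),
        "p11_services": resolve_list(pam.get("pam_p11_allowed_services", ""),
                                     DEFAULT_P11_SERVICES),
    }


if __name__ == "__main__":
    print(load_pam_section())
```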
p11_wait_for_card_timeout (integer)
If Smartcard authentication is required, how many extra seconds in
addition to p11_child_timeout the PAM responder should wait until a
Smartcard is inserted.

Default: 60

p11_uri (string)
PKCS#11 URI (see RFC-7512 for details) which can be used to
restrict the selection of devices used for Smartcard
authentication. By default SSSD's p11_child will search for a
PKCS#11 slot (reader) where the 'removable' flag is set and read
the certificates from the inserted token from the first slot found.
If multiple readers are connected, p11_uri can be used to tell
p11_child to use a specific reader.

Example:

p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader

or

p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2

To find a suitable URI, please check the debug output of p11_child. As
an alternative, the GnuTLS utility 'p11tool' with e.g. the
'--list-all' option will show PKCS#11 URIs as well.

Default: none

pam_initgroups_scheme
The PAM responder can force an online lookup to get the current
group memberships of the user trying to log in. This option
controls when this should be done and the following values are
allowed:

always
Always do an online lookup; please note that pam_id_timeout
still applies

no_session
Only do an online lookup if there is no active session of the
user, i.e. if the user is currently not logged in

never
Never force an online lookup, use the data from the cache as
long as they are not expired

Default: no_session

pam_gssapi_services
Comma-separated list of PAM services that are allowed to try GSSAPI
authentication using the pam_sss_gss.so module.

To disable GSSAPI authentication, set this option to “-” (dash).

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

Example:

pam_gssapi_services = sudo, sudo-i

Default: - (GSSAPI authentication is disabled)

pam_gssapi_check_upn
If True, SSSD will require that the Kerberos user principal that
successfully authenticated through GSSAPI can be associated with
the user who is being authenticated. Authentication will fail if
the check fails.

If False, every user that is able to obtain the required service
ticket will be authenticated.

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

Default: True

pam_gssapi_indicators_map
Comma-separated list of authentication indicators required to be
present in a Kerberos ticket to access a PAM service that is
allowed to try GSSAPI authentication using the pam_sss_gss.so module.

Each element of the list can be either an authentication indicator
name or a pair “service:indicator”. Indicators not prefixed with
the PAM service name will be required to access any PAM service
configured to be used with pam_gssapi_services. The resulting list of
indicators per PAM service is then checked against the indicators in
the Kerberos ticket during authentication by pam_sss_gss.so. Any
indicator from the ticket that matches the resulting list of
indicators for the PAM service will grant access. If none of the
indicators in the list match, access will be denied. If the
resulting list of indicators for the PAM service is empty, the
check will not prevent access.

To disable the GSSAPI authentication indicator check, set this option
to “-” (dash). To disable the check for a specific PAM service, add
“service:-”.

Note: This option can also be set per-domain, which overrides the
value in the [pam] section. It can also be set for a trusted domain,
which overrides the value in the domain section.

The following authentication indicators are supported by IPA Kerberos
deployments:

• pkinit -- pre-authentication using X.509 certificates --
whether stored in files or on smart cards.

• hardened -- SPAKE pre-authentication or any pre-authentication
wrapped in a FAST channel.

• radius -- pre-authentication with the help of a RADIUS server.

• otp -- pre-authentication using integrated two-factor
authentication (2FA or one-time password, OTP) in IPA.

• idp -- pre-authentication using an external identity provider.

Example: to require access to SUDO services only for users which
obtained their Kerberos tickets with an X.509 certificate
pre-authentication (PKINIT), set

pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit

Default: not set (use of authentication indicators is not required)

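The per-service resolution of pam_gssapi_indicators_map described above, as an added example that is not SSSD or pam_sss_gss.so code: it builds the required-indicator list for every service in pam_gssapi_services (bare indicators apply to all services, "service:-" and "-" disable the check) and decides whether a constructed ticket's indicators would grant access.

```python
"""Evaluate pam_gssapi_services / pam_gssapi_indicators_map against the
authentication indicators carried by a Kerberos ticket.  Added example,
not SSSD code; the configuration values and tickets are constructed."""


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def required_indicators(services_value, indicators_value):
    """Return {service: [indicators]} for every service allowed to try
    GSSAPI.  A bare indicator applies to all listed services, "svc:ind"
    to one service, "-" disables the check globally, "svc:-" for one."""
    services = split_list(services_value)
    if services == ["-"]:
        return {}  # GSSAPI authentication disabled entirely
    if indicators_value.strip() == "-":
        return {svc: [] for svc in services}  # indicator check disabled
    global_inds, per_service, disabled = [], {}, set()
    for item in split_list(indicators_value):
        if ":" in item:
            svc, ind = item.split(":", 1)
            if ind == "-":
                disabled.add(svc)
            else:
                per_service.setdefault(svc, []).append(ind)
        else:
            global_inds.append(item)
    result = {}
    for svc in services:
        result[svc] = [] if svc in disabled else global_inds + per_service.get(svc, [])
    return result


def gssapi_allowed(required, service, ticket_indicators):
    """Decide whether the ticket is acceptable for `service`:
    service not in pam_gssapi_services -> GSSAPI is not attempted;
    empty requirement list -> the check does not prevent access;
    otherwise any single matching indicator grants access."""
    if service not in required:
        return False
    wanted = required[service]
    if not wanted:
        return True
    return any(ind in wanted for ind in ticket_indicators)


# Constructed configuration matching the man page example.
PAM_GSSAPI_SERVICES = "sudo, sudo-i"
PAM_GSSAPI_INDICATORS_MAP = "sudo:pkinit, sudo-i:pkinit"


def demo():
    """Run the example configuration against two constructed tickets:
    one obtained with PKINIT, one with a FAST-wrapped password."""
    required = required_indicators(PAM_GSSAPI_SERVICES, PAM_GSSAPI_INDICATORS_MAP)
    pkinit_ticket = ["pkinit"]
    fast_ticket = ["hardened"]
    return {
        "sudo/pkinit": gssapi_allowed(required, "sudo", pkinit_ticket),
        "sudo/hardened": gssapi_allowed(required, "sudo", fast_ticket),
        "sshd/pkinit": gssapi_allowed(required, "sshd", pkinit_ticket),
    }


if __name__ == "__main__":
    print(demo())
```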
SUDO configuration options
These options can be used to configure the sudo service. The detailed
instructions for configuration of sudo(8) to work with sssd(8) are in
the manual page sssd-sudo(5).

sudo_timed (bool)
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.

Default: false

sudo_threshold (integer)
Maximum number of expired rules that can be refreshed at once. If
the number of expired rules is below the threshold, those rules are
refreshed with the “rules refresh” mechanism. If the threshold is
exceeded, a “full refresh” of sudo rules is triggered instead. This
threshold number also applies to IPA sudo command and command group
searches.

Default: 50

AUTOFS configuration options
These options can be used to configure the autofs service.

autofs_negative_timeout (integer)
Specifies for how many seconds the autofs responder should cache
negative hits (that is, queries for invalid map entries, like
nonexistent ones) before asking the back end again.

Default: 15

Please note that the automounter only reads the master map on startup,
so if any autofs-related changes are made to sssd.conf, you
typically also need to restart the automounter daemon after restarting
SSSD.

SSH configuration options
These options can be used to configure the SSH service.

ssh_hash_known_hosts (bool)
Whether or not to hash host names and addresses in the managed
known_hosts file.

Default: false

ssh_known_hosts_timeout (integer)
How many seconds to keep a host in the managed known_hosts file
after its host keys were requested.

Default: 180

ssh_use_certificate_keys (bool)
If set to true, sss_ssh_authorizedkeys will also return ssh keys
derived from the public key of X.509 certificates stored in the
user entry. See sss_ssh_authorizedkeys(1) for details.

Default: true

ssh_use_certificate_matching_rules (string)
By default the ssh responder will use all available certificate
matching rules to filter the certificates so that ssh keys are only
derived from the matching ones. With this option the rules used can
be restricted with a comma-separated list of mapping and matching
rule names. All other rules will be ignored.

There are two special keywords, 'all_rules' and 'no_rules', which
will enable all or no rules, respectively. The latter means that no
certificates will be filtered out and ssh keys will be generated
from all valid certificates.

If no rules are configured, using 'all_rules' will enable a default
rule which enables all certificates suitable for client
authentication. This is the same behavior as for the PAM responder
if certificate authentication is enabled.

A non-existing rule name is considered an error. If as a result no
rule is selected, all certificates will be ignored.

Default: not set, equivalent to 'all_rules'; all found rules or the
default rule are used

ca_db (string)
Path to a storage of trusted CA certificates. The option is used to
validate user certificates before deriving public ssh keys from
them.

Default:

• /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
CA certificates in PEM format)

PAC responder configuration options
The PAC responder works together with the authorization data plugin for
MIT Kerberos, sssd_pac_plugin.so, and a sub-domain provider. The plugin
sends the PAC data during a GSSAPI authentication to the PAC responder.
The sub-domain provider collects the domain SID and ID ranges of the domain
the client is joined to and of remote trusted domains from the local
domain controller. When the PAC is decoded and evaluated, some of the
following operations are done:

• If the remote user does not exist in the cache, it is created. The
UID is determined with the help of the SID, trusted domains will
have UPGs and the GID will have the same value as the UID. The home
directory is set based on the subdomain_homedir parameter. The
shell will be empty by default, i.e. the system defaults are used,
but can be overwritten with the default_shell parameter.

• If there are SIDs of groups from domains sssd knows about, the user
will be added to those groups.

These options can be used to configure the PAC responder.

allowed_uids (string)
Specifies the comma-separated list of UID values or user names that
are allowed to access the PAC responder. User names are resolved to
UIDs at startup.

Default: 0 (only the root user is allowed to access the PAC
responder)

Please note that although UID 0 is used as the default, it will
be overwritten with this option. If you still want to allow the
root user to access the PAC responder, which would be the typical
case, you have to add 0 to the list of allowed UIDs as well.

pac_lifetime (integer)
Lifetime of the PAC entry in seconds. As long as the PAC is valid,
the PAC data can be used to determine the group memberships of a
user.

Default: 300

pac_check (string)
Apply additional checks on the PAC of the Kerberos ticket, which is
available in Active Directory and FreeIPA domains, if configured.
Please note that Kerberos ticket validation must be enabled to be
able to check the PAC, i.e. the krb5_validate option must be set to
'True', which is the default for the IPA and AD provider. If
krb5_validate is set to 'False', the PAC checks will be skipped.

The following options can be used alone or in a comma-separated
list:

no_check
The PAC need not be present, and even if it is present no
additional checks will be done.

pac_present
The PAC must be present in the service ticket which SSSD will
request with the help of the user's TGT. If the PAC is not
available, the authentication will fail.

check_upn
If the PAC is present, check if the user principal name (UPN)
information is consistent.

check_upn_allow_missing
This option should be used together with 'check_upn' and
handles the case where a UPN is set on the server side but is
not read by SSSD. The typical example is a FreeIPA domain where
'ldap_user_principal' is set to a non-existent attribute name.
This was typically done to work around issues in the handling
of enterprise principals, but that has been fixed for quite some
time and FreeIPA can handle enterprise principals just fine, so
there is no need anymore to set 'ldap_user_principal'.

Currently this option is set by default to avoid regressions in
such environments. A log message will be added to the system
log and SSSD's debug log in case a UPN is found in the PAC but
not in SSSD's cache. To avoid this log message it would be best
to evaluate if the 'ldap_user_principal' option can be removed.
If this is not possible, removing 'check_upn' will skip the
test and avoid the log message.

upn_dns_info_present
The PAC must contain the UPN-DNS-INFO buffer; implies
'check_upn'.

check_upn_dns_info_ex
If the PAC is present and the extension to the UPN-DNS-INFO
buffer is available, check if the information in the extension
is consistent.

upn_dns_info_ex_present
The PAC must contain the extension of the UPN-DNS-INFO buffer;
implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
'check_upn'.

Default: no_check (AD and IPA providers: 'check_upn,
check_upn_allow_missing, check_upn_dns_info_ex')

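The PAM responder's pam_trusted_users / pam_public_domains rules and the PAC responder's allowed_uids rule differ in one security-relevant detail: UID 0 is always trusted by the PAM responder, but setting allowed_uids replaces the PAC responder's default of 0. The following added example (not SSSD code) models both decisions, resolving user names to UIDs from a constructed passwd table.

```python
"""Model how the PAM responder (pam_trusted_users / pam_public_domains)
and the PAC responder (allowed_uids) decide which callers they serve.
Added example, not SSSD code; the passwd table is constructed."""

# Constructed passwd data used to resolve user names to UIDs "at startup".
PASSWD = {"root": 0, "sshd": 74, "gdm": 42, "alice": 1000}


def resolve_uids(value, passwd=PASSWD):
    """Turn a comma-separated list of UIDs or user names into a set of
    UIDs, as SSSD does once at startup for both options."""
    uids = set()
    for item in (x.strip() for x in value.split(",") if x.strip()):
        uids.add(int(item) if item.isdigit() else passwd[item])
    return uids


def pam_domain_allowed(uid, domain, trusted_users=None, public_domains="none"):
    """pam_trusted_users unset -> everyone is trusted; UID 0 is always
    trusted.  Untrusted callers only reach domains named in
    pam_public_domains ("all", "none" or a comma-separated list)."""
    if uid == 0 or trusted_users is None or uid in trusted_users:
        return True
    public = public_domains.strip()
    if public == "all":
        return True
    if public == "none":
        return False
    return domain in {x.strip() for x in public.split(",")}


def pac_allowed(uid, allowed_uids=None):
    """allowed_uids unset -> default {0}.  Once set, the option replaces
    the default, so 0 must be listed explicitly to keep root's access."""
    allowed = {0} if allowed_uids is None else allowed_uids
    return uid in allowed


def demo():
    """Constructed settings:
       [pam]  pam_trusted_users = sshd, gdm   pam_public_domains = guests
       [pac]  allowed_uids = gdm              (root was not re-added)"""
    trusted = resolve_uids("sshd, gdm")
    public = "guests"
    pac_uids = resolve_uids("gdm")
    return {
        "pam alice->corp": pam_domain_allowed(1000, "corp", trusted, public),
        "pam alice->guests": pam_domain_allowed(1000, "guests", trusted, public),
        "pam sshd->corp": pam_domain_allowed(74, "corp", trusted, public),
        "pam root->corp": pam_domain_allowed(0, "corp", trusted, public),
        "pac root": pac_allowed(0, pac_uids),       # root locked out
        "pac gdm": pac_allowed(42, pac_uids),
        "pac root(default)": pac_allowed(0),        # option unset
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```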
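The pac_check options above carry implications (upn_dns_info_ex_present pulls in three further checks) and interact with krb5_validate and check_upn_allow_missing. The following added example (not SSSD code) expands an option list into the effective set of checks and applies it to a constructed, already-decoded PAC; UPN comparison is assumed to be an exact string match.

```python
"""Resolve SSSD's pac_check option list (including implied checks) and
apply it to a constructed, already-decoded PAC.  Added example, not
SSSD code; the PAC dictionaries and principal names are made up."""

# Implications documented in sssd.conf(5).
IMPLIES = {
    "upn_dns_info_present": {"check_upn"},
    "upn_dns_info_ex_present": {"check_upn_dns_info_ex",
                                "upn_dns_info_present", "check_upn"},
}
KNOWN = {"no_check", "pac_present", "check_upn", "check_upn_allow_missing",
         "upn_dns_info_present", "check_upn_dns_info_ex",
         "upn_dns_info_ex_present"}
DEFAULT_AD_IPA = "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"


def resolve_pac_check(value):
    """Return the effective set of checks, expanding implications."""
    checks = {item.strip() for item in value.split(",") if item.strip()}
    unknown = checks - KNOWN
    if unknown:
        raise ValueError("unknown pac_check option(s): %s" % ", ".join(sorted(unknown)))
    for opt in list(checks):
        checks |= IMPLIES.get(opt, set())
    return checks


def evaluate_pac(checks, pac, cached_upn, krb5_validate=True):
    """Return (ok, reason).  `pac` is None when the ticket carries no PAC,
    otherwise a dict with an optional 'upn' (the UPN-DNS-INFO buffer)
    and an optional 'dns_info_ex' dict (the extension) whose
    'consistent' flag stands in for the extension consistency check."""
    if not krb5_validate:
        return True, "krb5_validate is False, PAC checks skipped"
    if "no_check" in checks:
        return True, "no_check: nothing verified"
    if pac is None:
        if "pac_present" in checks:
            return False, "PAC required but missing"
        return True, "no PAC, nothing to check"
    if "upn_dns_info_present" in checks and "upn" not in pac:
        return False, "UPN-DNS-INFO buffer missing"
    if "check_upn" in checks and "upn" in pac:
        if cached_upn is None:
            if "check_upn_allow_missing" not in checks:
                return False, "UPN in PAC but not in SSSD cache"
            # Tolerated, but SSSD would log a message in this situation.
        elif pac["upn"] != cached_upn:  # exact match assumed here
            return False, "UPN mismatch: %s vs %s" % (pac["upn"], cached_upn)
    ext = pac.get("dns_info_ex")
    if "upn_dns_info_ex_present" in checks and ext is None:
        return False, "UPN-DNS-INFO extension missing"
    if "check_upn_dns_info_ex" in checks and ext is not None \
            and not ext.get("consistent", False):
        return False, "UPN-DNS-INFO extension inconsistent"
    return True, "PAC checks passed"


if __name__ == "__main__":
    checks = resolve_pac_check(DEFAULT_AD_IPA)
    sample = {"upn": "alice@EXAMPLE.TEST", "dns_info_ex": {"consistent": True}}
    print(evaluate_pac(checks, sample, "alice@EXAMPLE.TEST"))
```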
Session recording configuration options
Session recording works in conjunction with tlog-rec-session(8), a part
of the tlog package, to log what users see and type when they log in on a
text terminal. See also sssd-session-recording(5).

These options can be used to configure session recording.

scope (string)
One of the following strings specifying the scope of session
recording:

"none"
No users are recorded.

"some"
Users/groups specified by the users and groups options are
recorded.

"all"
All users are recorded.

Default: "none"

users (string)
A comma-separated list of users which should have session recording
enabled. Matches user names as returned by NSS, i.e. after the
possible space replacement, case changes, etc.

Default: Empty. Matches no users.

groups (string)
A comma-separated list of groups, members of which should have
session recording enabled. Matches group names as returned by NSS,
i.e. after the possible space replacement, case changes, etc.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a member
of.

Default: Empty. Matches no groups.

exclude_users (string)
A comma-separated list of users to be excluded from recording, only
applicable with 'scope=all'.

Default: Empty. No users excluded.

exclude_groups (string)
A comma-separated list of groups, members of which should be
excluded from recording. Only applicable with 'scope=all'.

NOTE: using this option (having it set to anything) has a
considerable performance cost, because each uncached request for a
user requires retrieving and matching the groups the user is a member
of.

Default: Empty. No groups excluded.

DOMAIN SECTIONS
These configuration options can be present in a domain configuration
section, that is, in a section called “[domain/NAME]”.

enabled
Explicitly enable or disable the domain. If “true”, the domain is
always “enabled”. If “false”, the domain is always “disabled”. If
this option is not set, the domain is enabled only if it is listed
in the domains option in the “[sssd]” section.

domain_type (string)
Specifies whether the domain is meant to be used by POSIX-aware
clients such as the Name Service Switch or by applications that do
not need POSIX data to be present or generated. Only objects from
POSIX domains are available to the operating system interfaces and
utilities.

Allowed values for this option are “posix” and “application”.

POSIX domains are reachable by all services. Application domains
are only reachable from the InfoPipe responder (see sssd-ifp(5))
and the PAM responder.

NOTE: The application domains are currently well tested with
“id_provider=ldap” only.

For an easy way to configure a non-POSIX domain, please see the
“Application domains” section.

Default: posix

min_id,max_id (integer)
UID and GID limits for the domain. If a domain contains an entry
that is outside these limits, it is ignored.

For users, this affects the primary GID limit. The user will not be
returned to NSS if either the UID or the primary GID is outside the
range. For non-primary group memberships, those that are in range
will be reported as expected.

These ID limits affect even saving entries to the cache, not only
returning them by name or ID.

Default: 1 for min_id, 0 (no limit) for max_id

enumerate (bool)
Determines if a domain can be enumerated, that is, whether the
domain can list all the users and groups it contains. Note that it
is not required to enable enumeration in order for secondary groups
to be displayed. This parameter can have one of the following
values:

TRUE = Users and groups are enumerated

FALSE = No enumerations for this domain

Default: FALSE

Enumerating a domain requires SSSD to download and store ALL user
and group entries from the remote server.

Note: Enabling enumeration has a moderate performance impact on
SSSD while enumeration is running. It may take up to several
minutes after SSSD startup to fully complete enumerations. During
this time, individual requests for information will go directly to
LDAP, though it may be slow, due to the heavy enumeration
processing. Saving a large number of entries to the cache after the
enumeration completes might also be CPU intensive as the
memberships have to be recomputed. This can lead to the “sssd_be”
process becoming unresponsive or even being restarted by the internal
watchdog.

While the first enumeration is running, requests for the complete
user or group lists may return no results until it completes.

Further, enabling enumeration may increase the time necessary to
detect network disconnection, as longer timeouts are required to
ensure that enumeration lookups are completed successfully. For
more information, refer to the man pages for the specific
id_provider in use.

For the reasons cited above, enabling enumeration is not
recommended, especially in large environments.

subdomain_enumerate (string)
Whether any of the autodetected trusted domains should be enumerated.
The supported values are:

all
All discovered trusted domains will be enumerated

none
No discovered trusted domains will be enumerated

Optionally, a list of one or more domain names can enable
enumeration just for these trusted domains.

Default: none

entry_cache_timeout (integer)
How many seconds nss_sss should consider entries valid before
asking the backend again.

The cache expiration timestamps are stored as attributes of
individual objects in the cache. Therefore, changing the cache
timeout only has effect for newly added or expired entries. You
should run the sss_cache(8) tool in order to force a refresh of
entries that have already been cached.

Default: 5400

entry_cache_user_timeout (integer)
How many seconds nss_sss should consider user entries valid before
asking the backend again.

Default: entry_cache_timeout

entry_cache_group_timeout (integer)
How many seconds nss_sss should consider group entries valid before
asking the backend again.

Default: entry_cache_timeout

entry_cache_netgroup_timeout (integer)
How many seconds nss_sss should consider netgroup entries valid
before asking the backend again.

Default: entry_cache_timeout

entry_cache_service_timeout (integer)
How many seconds nss_sss should consider service entries valid
before asking the backend again.

Default: entry_cache_timeout

entry_cache_resolver_timeout (integer)
How many seconds nss_sss should consider hosts and networks entries
valid before asking the backend again.

Default: entry_cache_timeout

entry_cache_sudo_timeout (integer)
How many seconds sudo should consider rules valid before asking the
backend again.

Default: entry_cache_timeout

entry_cache_autofs_timeout (integer)
How many seconds the autofs service should consider automounter
maps valid before asking the backend again.

Default: entry_cache_timeout

entry_cache_ssh_host_timeout (integer)
How many seconds to keep a host ssh key after refresh, i.e. how long
to cache the host key.

Default: entry_cache_timeout

entry_cache_computer_timeout (integer)
How many seconds to keep the local computer entry before asking the
backend again.

Default: entry_cache_timeout

refresh_expired_interval (integer)
Specifies how many seconds SSSD has to wait before triggering a
background refresh task which will refresh all expired or nearly
expired records.

The background refresh will process users, groups and netgroups in
the cache. For users who have performed the initgroups (get group
membership for user, typically run at login) operation in the past,
both the user entry and the group membership are updated.

This option is automatically inherited for all trusted domains.

You can consider setting this value to 3/4 * entry_cache_timeout.

A cache entry will be refreshed by the background task when 2/3 of the
cache timeout has already passed. If there are existing cached entries,
the background task will refer to their original cache timeout
values instead of the current configuration value. This may lead to a
situation in which the background refresh task appears to not be
working. This is done by design to improve offline mode operation
and reuse of existing valid cache entries. To make this change
instant, the user may want to manually invalidate the existing cache.

Default: 0 (disabled)

1640 cache_credentials (bool)
1641 Determines if user credentials are also cached in the local LDB
1642 cache
1643
1644 User credentials are stored in a SHA512 hash, not in plaintext
1645
1646 Default: FALSE
1647
1648 cache_credentials_minimal_first_factor_length (int)
1649 If 2-Factor-Authentication (2FA) is used and credentials should be
1650 saved this value determines the minimal length the first
1651 authentication factor (long term password) must have to be saved as
1652 SHA512 hash into the cache.
1653
1654 This should avoid that the short PINs of a PIN based 2FA scheme are
1655 saved in the cache which would make them easy targets for
1656 brute-force attacks.
1657
1658 Default: 8
1659
1660 account_cache_expiration (integer)
1661 Number of days entries are left in cache after last successful
1662 login before being removed during a cleanup of the cache. 0 means
1663 keep forever. The value of this parameter must be greater than or
1664 equal to offline_credentials_expiration.
1665
1666 Default: 0 (unlimited)
1667
1668 pwd_expiration_warning (integer)
1669 Display a warning N days before the password expires.
1670
1671 If zero is set, then this filter is not applied, i.e. if the
1672 expiration warning was received from backend server, it will
1673 automatically be displayed.
1674
1675 Please note that the backend server has to provide information
1676 about the expiration time of the password. If this information is
1677 missing, sssd cannot display a warning. Also an auth provider has
1678 to be configured for the backend.
1679
1680 Default: 7 (Kerberos), 0 (LDAP)
1681
1682 id_provider (string)
1683 The identification provider used for the domain. Supported ID
1684 providers are:
1685
1686 “proxy”: Support a legacy NSS provider.
1687
1688 “files”: FILES provider. See sssd-files(5) for more information on
1689 how to mirror local users and groups into SSSD.
1690
1691 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1692 configuring LDAP.
1693
1694 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1695 See sssd-ipa(5) for more information on configuring FreeIPA.
1696
1697 “ad”: Active Directory provider. See sssd-ad(5) for more
1698 information on configuring Active Directory.
1699
    use_fully_qualified_names (bool)
        Use the full name and domain (as formatted by the domain's
        full_name_format) as the user's login name reported to NSS.

        If set to TRUE, all requests to this domain must use fully
        qualified names. For example, if used in a LOCAL domain that
        contains a "test" user, getent passwd test would not find the user
        while getent passwd test@LOCAL would.

        NOTE: This option has no effect on netgroup lookups due to their
        tendency to include nested netgroups without qualified names. For
        netgroups, all domains will be searched when an unqualified name is
        requested.

        Default: FALSE (TRUE for trusted domain/sub-domains or if
        default_domain_suffix is used)

    ignore_group_members (bool)
        Do not return group members for group lookups.

        If set to TRUE, the group membership attribute is not requested
        from the LDAP server, and group members are not returned when
        processing group lookup calls, such as getgrnam(3) or getgrgid(3).
        As an effect, “getent group $groupname” would return the requested
        group as if it was empty. Membership is still resolved from the
        user's side, i.e. through initgroups(3) as used by id(1).

        Enabling this option can also make access provider checks for group
        membership significantly faster, especially for groups containing
        many members.

        This option can also be set per subdomain or inherited via
        subdomain_inherit.

        Default: FALSE

    auth_provider (string)
        The authentication provider used for the domain. Supported auth
        providers are:

        “ldap” for native LDAP authentication. See sssd-ldap(5) for more
        information on configuring LDAP.

        “krb5” for Kerberos authentication. See sssd-krb5(5) for more
        information on configuring Kerberos.

        “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
        See sssd-ipa(5) for more information on configuring FreeIPA.

        “ad”: Active Directory provider. See sssd-ad(5) for more
        information on configuring Active Directory.

        “proxy” for relaying authentication to some other PAM target.

        “none” disables authentication explicitly.

        Default: “id_provider” is used if it is set and can handle
        authentication requests.

    access_provider (string)
        The access control provider used for the domain. Two special
        providers are built into SSSD itself; the others are supplied by
        the installed backends. The built-in providers are:

        “permit” always allows access. It is the only permitted access
        provider for a local domain.

        “deny” always denies access.

        The backend-supplied providers are:

        “ldap” for access control based on LDAP attributes or filters
        (ldap_access_order, ldap_access_filter). See sssd-ldap(5) for more
        information on configuring LDAP.

        “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
        See sssd-ipa(5) for more information on configuring FreeIPA.

        “ad”: Active Directory provider. See sssd-ad(5) for more
        information on configuring Active Directory.

        “simple” access control based on access or deny lists. See
        sssd-simple(5) for more information on configuring the simple
        access module.

        “krb5”: .k5login based access control. See sssd-krb5(5) for more
        information on configuring Kerberos.

        “proxy” for relaying access control to another PAM module.

        Default: “permit”

        Note that with the default every user the identity provider can
        resolve is allowed to log in; any further host-level restriction
        then rests on the rest of the PAM stack. Set an explicit
        access_provider for a domain in which only a subset of the
        directory's users should have access to the host.

    chpass_provider (string)
        The provider which should handle change password operations for the
        domain. Supported change password providers are:

        “ldap” to change a password stored in a LDAP server. See
        sssd-ldap(5) for more information on configuring LDAP.

        “krb5” to change the Kerberos password. See sssd-krb5(5) for more
        information on configuring Kerberos.

        “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
        See sssd-ipa(5) for more information on configuring FreeIPA.

        “ad”: Active Directory provider. See sssd-ad(5) for more
        information on configuring Active Directory.

        “proxy” for relaying password changes to some other PAM target.

        “none” disallows password changes explicitly.

        Default: “auth_provider” is used if it is set and can handle change
        password requests.

    sudo_provider (string)
        The SUDO provider used for the domain. Supported SUDO providers
        are:

        “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
        information on configuring LDAP.

        “ipa” the same as “ldap” but with IPA default settings.

        “ad” the same as “ldap” but with AD default settings.

        “none” disables SUDO explicitly.

        Default: The value of “id_provider” is used if it is set.

        The detailed instructions for configuration of sudo_provider are in
        the manual page sssd-sudo(5). There are many configuration options
        that can be used to adjust the behavior. Please refer to
        "ldap_sudo_*" in sssd-ldap(5).

        NOTE: Sudo rules are periodically downloaded in the background
        unless the sudo provider is explicitly disabled. Set
        sudo_provider = none to disable all sudo-related activity in SSSD
        if you do not want to use sudo with SSSD at all.

    selinux_provider (string)
        The provider which should handle loading of SELinux settings. Note
        that this provider is called right after the access provider
        finishes. Supported SELinux providers are:

        “ipa” to load SELinux settings from an IPA server. See sssd-ipa(5)
        for more information on configuring IPA.

        “none” disallows fetching SELinux settings explicitly.

        Default: “id_provider” is used if it is set and can handle SELinux
        loading requests.

    subdomains_provider (string)
        The provider which should handle fetching of subdomains. This value
        should always be the same as id_provider. Supported subdomain
        providers are:

        “ipa” to load a list of subdomains from an IPA server. See
        sssd-ipa(5) for more information on configuring IPA.

        “ad” to load a list of subdomains from an Active Directory server.
        See sssd-ad(5) for more information on configuring the AD provider.

        “none” disallows fetching subdomains explicitly.

        Default: The value of “id_provider” is used if it is set.

    session_provider (string)
        The provider which configures and manages user session related
        tasks. The only user session task currently provided is the
        integration with Fleet Commander, which works only with IPA.
        Supported session providers are:

        “ipa” to allow performing user session related tasks.

        “none” does not perform any kind of user session related tasks.

        Default: “id_provider” is used if it is set and can perform session
        related tasks.

        NOTE: In order to have this feature working as expected SSSD must
        be running as "root" and not as the unprivileged user.

    autofs_provider (string)
        The autofs provider used for the domain. Supported autofs providers
        are:

        “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
        information on configuring LDAP.

        “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
        more information on configuring IPA.

        “ad” to load maps stored in an AD server. See sssd-ad(5) for more
        information on configuring the AD provider.

        “none” disables autofs explicitly.

        Default: The value of “id_provider” is used if it is set.

    hostid_provider (string)
        The provider used for retrieving host identity information.
        Supported hostid providers are:

        “ipa” to load host identity stored in an IPA server. See
        sssd-ipa(5) for more information on configuring IPA.

        “none” disables hostid explicitly.

        Default: The value of “id_provider” is used if it is set.

    resolver_provider (string)
        The provider which should handle hosts and networks lookups.
        Supported resolver providers are:

        “proxy” to forward lookups to another NSS library. See
        “proxy_resolver_lib_name”.

        “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
        for more information on configuring LDAP.

        “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
        more information on configuring the AD provider.

        “none” disallows fetching hosts and networks explicitly.

        Default: The value of “id_provider” is used if it is set.

    re_expression (string)
        Regular expression for this domain that describes how to parse the
        string containing user name and domain into these components. The
        "domain" can match either the SSSD configuration domain name, or,
        in the case of IPA trust subdomains and Active Directory domains,
        the flat (NetBIOS) name of the domain.

        Default for the AD and IPA provider:
        “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?P<name>[^@\\]+)$))”
        which allows three different styles for user names:

        • username

        • username@domain.name

        • domain\username

        While the first two correspond to the general default, the third
        one is introduced to allow easy integration of users from Windows
        domains.

        Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
        "the name is everything up to the “@” sign, the domain everything
        after that"

    full_name_format (string)
        A printf(3)-compatible format that describes how to compose a fully
        qualified name from user name and domain name components.

        The following expansions are supported:

        %1$s
            user name

        %2$s
            domain name as specified in the SSSD config file.

        %3$s
            domain flat name. Mostly usable for Active Directory domains,
            both directly configured or discovered via IPA trusts.

        Default: “%1$s@%2$s”.
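
The following Python illustration is added here as an example; it is not
part of sssd.conf(5) or of the SSSD source. It applies both default
re_expression values quoted above to a few constructed login strings and
recomposes the result with a full_name_format string. SSSD compiles the
expressions with PCRE, which lets one group name appear in several
alternatives; Python's re module does not, so the AD/IPA pattern is written
with suffixed group names (domain1, name1, ...) that are folded back into a
single (name, domain) pair. The alternation, the anchors and the unanchored
search are otherwise the same as in the quoted defaults.

```python
import re

# Default re_expression for domains other than AD/IPA, as quoted in sssd.conf(5).
RE_DEFAULT = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# Default re_expression for the AD and IPA providers. SSSD compiles it with
# PCRE, which allows one group name in several alternatives; Python's re does
# not, so the group names carry a per-alternative suffix here. Nothing else in
# the pattern is changed.
RE_AD_IPA = re.compile(
    r"(((?P<domain1>[^\\]+)\\(?P<name1>.+$))"
    r"|((?P<name2>.+)@(?P<domain2>[^@]+$))"
    r"|(^(?P<name3>[^@\\]+)$))"
)


def split_name(login, pattern=RE_DEFAULT):
    """Split a login string into (name, domain) the way re_expression would.

    Returns None when no alternative matches (SSSD could not look the name
    up at all) and (name, None) when no domain component is present. The
    pattern is applied with an unanchored search, as PCRE does.
    """
    m = pattern.search(login)
    if m is None:
        return None
    groups = m.groupdict()
    name = next(v for k, v in groups.items()
                if k.startswith("name") and v is not None)
    domain = next((v for k, v in groups.items()
                   if k.startswith("domain") and v), None)
    return name, domain


def full_name(fmt, name, domain, flat_name=""):
    """Recompose a fully qualified name from the printf(3)-style
    full_name_format expansions: %1$s user name, %2$s configured domain
    name, %3$s domain flat (NetBIOS) name."""
    out = fmt
    for token, value in (("%1$s", name), ("%2$s", domain), ("%3$s", flat_name)):
        out = out.replace(token, value)
    return out


if __name__ == "__main__":
    # Constructed sample logins covering the three documented styles plus
    # one string with two "@" signs.
    for login in ("user", "user@example.com", "EXAMPLE\\user", "a@b@c"):
        print(f"{login!r:20} generic={split_name(login)}  "
              f"ad/ipa={split_name(login, RE_AD_IPA)}")
    print(full_name("%3$s\\%1$s", "user", "example.com", "EXAMPLE"))
```

Two results are worth knowing when re_expression is relied on to constrain
what a login string may look like. Neither default is anchored at the start
of the string, so the generic default does not reject “a@b@c”: the search
skips ahead and yields user “b” in domain “c”, while the AD/IPA default
yields user “a@b” in domain “c”. Under the generic default a backslash is an
ordinary name character, so “EXAMPLE\user” is a user literally named
“EXAMPLE\user” with no domain component.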

    lookup_family_order (string)
        Provides the ability to select the preferred address family to use
        when performing DNS lookups.

        Supported values:

        ipv4_first: Try looking up an IPv4 address; if that fails, try IPv6.

        ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.

        ipv6_first: Try looking up an IPv6 address; if that fails, try IPv4.

        ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.

        Default: ipv4_first

    dns_resolver_server_timeout (integer)
        Defines the amount of time (in milliseconds) SSSD tries to talk to
        a DNS server before trying the next DNS server.

        The AD provider uses this option for the CLDAP ping timeouts as
        well.

        Please see the section “FAILOVER” for more information about the
        service resolution.

        Default: 1000

    dns_resolver_op_timeout (integer)
        Defines the amount of time (in seconds) to wait to resolve a single
        DNS query (e.g. resolution of a hostname or an SRV record) before
        trying the next hostname or DNS discovery.

        Please see the section “FAILOVER” for more information about the
        service resolution.

        Default: 3

    dns_resolver_timeout (integer)
        Defines the amount of time (in seconds) to wait for a reply from
        the internal fail over service before assuming that the service is
        unreachable. If this timeout is reached, the domain will continue
        to operate in offline mode.

        Please see the section “FAILOVER” for more information about the
        service resolution.

        Default: 6

    dns_resolver_use_search_list (bool)
        Normally, the DNS resolver searches the domain list defined in the
        "search" directive of the resolv.conf file. This can lead to delays
        in environments with improperly configured DNS. Search-list
        expansion also means that an unqualified server name can resolve in
        a domain other than the one intended.

        If fully qualified domain names (or _srv_) are used in the SSSD
        configuration, setting this option to FALSE can prevent unnecessary
        DNS lookups in such environments.

        Default: TRUE

    dns_discovery_domain (string)
        If service discovery is used in the back end, specifies the domain
        part of the service discovery DNS query.

        Default: Use the domain part of the machine's hostname

    override_gid (integer)
        Override the primary GID value with the one specified.

    case_sensitive (string)
        Treat user and group names as case sensitive. Possible option
        values are:

        True
            Case sensitive. This value is invalid for the AD provider.

        False
            Case insensitive.

        Preserving
            Same as False (case insensitive), but does not lowercase names
            in the result of NSS operations. Note that name aliases (and in
            case of services also protocol names) are still lowercased in
            the output.

        If you want to set this value for a trusted domain with the IPA
        provider, you need to set it on both the client and SSSD on the
        server.

        This option can also be set per subdomain or inherited via
        subdomain_inherit.

        Default: True (False for the AD provider)

    subdomain_inherit (string)
        Specifies a list of configuration parameters that should be
        inherited by a subdomain. Please note that only selected parameters
        can be inherited. Currently the following options can be inherited:

        ldap_search_timeout
        ldap_network_timeout
        ldap_opt_timeout
        ldap_offline_timeout
        ldap_enumeration_refresh_timeout
        ldap_enumeration_refresh_offset
        ldap_purge_cache_timeout
        ldap_purge_cache_offset
        ldap_krb5_keytab (the value of krb5_keytab will be used if
            ldap_krb5_keytab is not set explicitly)
        ldap_krb5_ticket_lifetime
        ldap_enumeration_search_timeout
        ldap_connection_expire_timeout
        ldap_connection_expire_offset
        ldap_connection_idle_timeout
        ldap_use_tokengroups
        ldap_user_principal
        ignore_group_members
        auto_private_groups
        case_sensitive

        Example:

            subdomain_inherit = ldap_purge_cache_timeout

        Default: none

        Note: This option only works with the IPA and AD provider.

    subdomain_homedir (string)
        Use this homedir as the default value for all subdomains within
        this domain in an IPA-AD trust. See override_homedir for info about
        possible values. In addition to those, the expansion below can only
        be used with subdomain_homedir.

        %F
            flat (NetBIOS) name of a subdomain.

        The value can be overridden by the override_homedir option.

        Default: /home/%d/%u

    realmd_tags (string)
        Various tags stored by the realmd configuration service for this
        domain.

    cached_auth_timeout (integer)
        Specifies the time in seconds since the last successful online
        authentication during which the user is authenticated using cached
        credentials even though SSSD is in online mode. If the credentials
        are incorrect, SSSD falls back to online authentication. Note that
        within this window a password that has already been changed on the
        server is still accepted locally, because it still matches the
        cached hash.

        This option's value is inherited by all trusted domains. At the
        moment it is not possible to set a different value per trusted
        domain.

        The special value 0 means that this feature is disabled.

        Please note that if “cached_auth_timeout” is longer than
        “pam_id_timeout” then the back end could be called to handle
        “initgroups.”

        Default: 0

    auto_private_groups (string)
        This option takes any of three available values:

        true
            Create the user's private group unconditionally from the
            user's UID number. The GID number is ignored in this case.

            NOTE: Because the GID number and the user private group are
            inferred from the UID number, it is not supported to have
            multiple entries with the same UID or GID number with this
            option. In other words, enabling this option enforces
            uniqueness across the ID space.

        false
            Always use the user's primary GID number. The GID number must
            refer to a group object in the LDAP database.

        hybrid
            A primary group is autogenerated for user entries whose UID and
            GID numbers have the same value and at the same time the GID
            number does not correspond to a real group object in LDAP. If
            the values are the same, but the primary GID in the user entry
            is also used by a group object, the primary GID of the user
            resolves to that group object.

            If the UID and GID of a user are different, then the GID must
            correspond to a group entry, otherwise the GID is simply not
            resolvable.

            This feature is useful for environments that wish to stop
            maintaining separate group objects for the user private groups,
            but also wish to retain the existing user private groups.

        For subdomains, the default value is False for subdomains that use
        assigned POSIX IDs and True for subdomains that use automatic
        ID-mapping.

        The value of auto_private_groups can either be set per subdomain
        in a subsection, for example:

            [domain/forest.domain/sub.domain]
            auto_private_groups = false

        or globally for all subdomains in the main domain section using the
        subdomain_inherit option:

            [domain/forest.domain]
            subdomain_inherit = auto_private_groups
            auto_private_groups = false

  Options valid for proxy domains.

    proxy_pam_target (string)
        The PAM target the proxy provider proxies to.

        Default: not set by default; you have to take an existing PAM
        service configuration or create a new one and add the service name
        here.

    proxy_lib_name (string)
        The name of the NSS library to use in proxy domains. The NSS
        functions searched for in the library are in the form of
        _nss_$(libName)_$(function), for example _nss_files_getpwent.

    proxy_resolver_lib_name (string)
        The name of the NSS library to use for hosts and networks lookups
        in proxy domains. The NSS functions searched for in the library are
        in the form of _nss_$(libName)_$(function), for example
        _nss_dns_gethostbyname2_r.

    proxy_fast_alias (bool)
        When a user or group is looked up by name in the proxy provider, a
        second lookup by ID is performed to "canonicalize" the name in case
        the requested name was an alias. Setting this option to true makes
        SSSD perform the ID lookup from the cache for performance reasons.

        Default: false

    proxy_max_children (integer)
        This option specifies the number of pre-forked proxy children. It
        is useful for high-load SSSD environments where SSSD may run out of
        available child slots, which would cause some issues due to the
        requests being queued.

        Default: 10

  Application domains
    SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
    applications as a gateway to an LDAP directory where users and groups
    are stored. However, contrary to the traditional SSSD deployment where
    all users and groups either have POSIX attributes or those attributes
    can be inferred from the Windows SIDs, in many cases the users and
    groups in the application support scenario have no POSIX attributes.
    Instead of setting a “[domain/NAME]” section, the administrator can set
    up an “[application/NAME]” section that internally represents a domain
    with type “application” and optionally inherits settings from a
    traditional SSSD domain.

    Please note that the application domain must still be explicitly
    enabled in the “domains” parameter so that the lookup order between the
    application domain and its POSIX sibling domain is set correctly.

  Application domain parameters

    inherit_from (string)
        The SSSD POSIX-type domain the application domain inherits all
        settings from. The application domain can moreover add its own
        settings that augment or override the “sibling” domain settings.

        Default: Not set

    The following example illustrates the use of an application domain. In
    this setup, the POSIX domain is connected to an LDAP server and is used
    by the OS through the NSS responder. In addition, the application
    domain also requests the telephoneNumber attribute, stores it as the
    phone attribute in the cache and makes the phone attribute reachable
    through the D-Bus interface.

        [sssd]
        domains = appdom, posixdom

        [ifp]
        user_attributes = +phone

        [domain/posixdom]
        id_provider = ldap
        ldap_uri = ldap://ldap.example.com
        ldap_search_base = dc=example,dc=com

        [application/appdom]
        inherit_from = posixdom
        ldap_user_extra_attrs = phone:telephoneNumber

TRUSTED DOMAIN SECTION
    Some options used in the domain section can also be used in the trusted
    domain section, that is, in a section called
    “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
    actual joined-to base domain. Please refer to the examples below for an
    explanation. Currently supported options in the trusted domain section
    are:

        ldap_search_base,
        ldap_user_search_base,
        ldap_group_search_base,
        ldap_netgroup_search_base,
        ldap_service_search_base,
        ldap_sasl_mech,
        ad_server,
        ad_backup_server,
        ad_site,
        use_fully_qualified_names,
        pam_gssapi_services,
        pam_gssapi_check_upn

    For more details about these options see their individual description
    in the manual page.

CERTIFICATE MAPPING SECTION
    To allow authentication with Smartcards and certificates SSSD must be
    able to map certificates to users. This can be done by adding the full
    certificate to the LDAP object of the user or to a local override.
    While using the full certificate is required to use the Smartcard
    authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
    details) it might be cumbersome or not even possible to do this for the
    general case where local services use PAM for authentication.

    To make the mapping more flexible, mapping and matching rules were
    added to SSSD (see sss-certmap(5) for details).

    A mapping and matching rule can be added to the SSSD configuration in a
    section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
    In this section the following options are allowed:

    matchrule (string)
        Only certificates from the Smartcard which match this rule will be
        processed; all others are ignored.

        Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
        the Extended Key Usage “clientAuth”

        The default says nothing about who issued the certificate. Where
        more than one CA is trusted on the host, restrict the rule to the
        expected issuer (see the <ISSUER> component in example 3 below) so
        that a client certificate from another CA cannot be mapped to a
        user.

    maprule (string)
        Defines how the user is found for a given certificate.

        Default:

        • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
          providers like “ldap”, “AD” or “ipa”.

        • The RULE_NAME for the “files” provider, which tries to find a
          user with the same name.

    domains (string)
        Comma separated list of domain names the rule should be applied
        to. By default a rule is only valid in the domain configured in
        sssd.conf. If the provider supports subdomains this option can be
        used to add the rule to subdomains as well.

        Default: the configured domain in sssd.conf

    priority (integer)
        Unsigned integer value defining the priority of the rule. The
        higher the number the lower the priority. “0” stands for the
        highest priority while “4294967295” is the lowest.

        Default: the lowest priority

    To make the configuration simple and reduce the amount of configuration
    options the “files” provider has some special properties:

    • if maprule is not set the RULE_NAME is assumed to be the name of the
      matching user

    • if a maprule is used, both a single user name and a template like
      “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
      e.g. “(username)” or “({subject_rfc822_name.short_name})”

    • the “domains” option is ignored

PROMPTING CONFIGURATION SECTION
    If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
    SSSD's PAM module pam_sss will ask SSSD to figure out which
    authentication methods are available for the user trying to log in.
    Based on the results pam_sss will prompt the user for appropriate
    credentials.

    With the growing number of authentication methods and the possibility
    that there are multiple ones for a single user, the heuristic used by
    pam_sss to select the prompting might not be suitable for all use
    cases. The following options should provide better flexibility here.

    Each supported authentication method has its own configuration
    subsection under “[prompting/...]”. Currently there are:

    [prompting/password]
        to configure password prompting, allowed options are:

        password_prompt
            to change the string of the password prompt

    [prompting/2fa]
        to configure two-factor authentication prompting, allowed options
        are:

        first_prompt
            to change the string of the prompt for the first factor

        second_prompt
            to change the string of the prompt for the second factor

        single_prompt
            boolean value, if True there will be only a single prompt using
            the value of first_prompt where it is expected that both
            factors are entered as a single string. Please note that both
            factors have to be entered here, even if the second factor is
            optional.

        If the second factor is optional and it should be possible to log
        in either only with the password or with both factors, two-step
        prompting has to be used.

    It is possible to add a subsection for specific PAM services, e.g.
    “[prompting/password/sshd]”, to individually change the prompting for
    this service.

EXAMPLES
    1. The following example shows a typical SSSD config. It does not
    describe configuration of the domains themselves - refer to the
    documentation on configuring domains for more details.

        [sssd]
        domains = LDAP
        services = nss, pam
        config_file_version = 2

        [nss]
        filter_groups = root
        filter_users = root

        [pam]

        [domain/LDAP]
        id_provider = ldap
        ldap_uri = ldap://ldap.example.com
        ldap_search_base = dc=example,dc=com

        auth_provider = krb5
        krb5_server = kerberos.example.com
        krb5_realm = EXAMPLE.COM
        cache_credentials = true

        min_id = 10000
        max_id = 20000
        enumerate = False

    2. The following example shows the configuration of an IPA-AD trust
    where the AD forest consists of two domains in a parent-child
    structure. Suppose the IPA domain (ipa.com) has a trust with the AD
    domain (ad.com), and ad.com has a child domain (child.ad.com). To
    enable short names in the child domain the following configuration
    should be used.

        [domain/ipa.com/child.ad.com]
        use_fully_qualified_names = false

    3. The following example shows the configuration for two certificate
    mapping rules. The first is valid for the configured domain “my.domain”
    and additionally for the subdomain “your.domain” and uses the full
    certificate in the search filter. The second example is valid for the
    domain “files” where it is assumed the files provider is used for this
    domain and contains a matching rule for the local user “myname”.

        [certmap/my.domain/rule_name]
        matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
        maprule = (userCertificate;binary={cert!bin})
        domains = my.domain, your.domain
        priority = 10

        [certmap/files/myname]
        matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
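
The following Python lint is an added example, not part of sssd.conf(5) or
of the SSSD project. It parses a constructed sssd.conf in the syntax this
manual page describes (ini sections, “#” or “;” comment lines, no inline
comments, comma-separated multi-valued parameters) and checks the
constraints the page states for domain sections: account_cache_expiration
must not be shorter than offline_credentials_expiration, case_sensitive =
True is invalid for the AD provider, access_provider defaults to permit, and
sudo rules are downloaded in the background unless sudo_provider = none. The
sample file is example 1 above with a [pam] section and a second, AD-backed
domain carrying deliberately weak settings; the rule set is this example's
own and does not reproduce SSSD's internal validation.

```python
import configparser

# Constructed sssd.conf for this example (not taken from a real system). It
# is example 1 above with a [pam] section and a second, AD-backed domain
# that carries three questionable settings on purpose.
SAMPLE_CONF = """\
[sssd]
domains = LDAP, AD
services = nss, pam
config_file_version = 2

[pam]
offline_credentials_expiration = 30

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_realm = EXAMPLE.COM
cache_credentials = true
account_cache_expiration = 5

[domain/AD]
id_provider = ad
case_sensitive = True
sudo_provider = none
"""

# id_providers whose default sudo_provider fetches rules from the directory
LDAP_BASED = ("ldap", "ipa", "ad")


def load_sssd_conf(text):
    """Parse text in sssd.conf syntax: ini sections, '=' as the only
    delimiter, '#' or ';' comment lines, no inline comments."""
    cp = configparser.ConfigParser(
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
        interpolation=None,
    )
    cp.optionxform = str  # option names are case-sensitive identifiers
    cp.read_string(text)
    return cp


def split_list(value):
    """Split a comma-separated multi-valued parameter into its items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint(cp):
    """Return (severity, section, message) tuples for the constraints this
    manual page states. The rule set is this example's own, not SSSD's
    internal validation."""
    findings = []
    active = split_list(cp.get("sssd", "domains", fallback=""))
    offline_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)

    for section in cp.sections():
        # [domain/NAME] only; trusted-subdomain sections have a second slash
        if not section.startswith("domain/") or section.count("/") != 1:
            continue
        name = section.split("/", 1)[1]
        dom = cp[section]
        idp = dom.get("id_provider", "")

        if name not in active:
            findings.append(("warn", section,
                             "not listed in [sssd] domains, so it is never used"))

        # access_provider defaults to permit: any resolvable user may log in
        if dom.get("access_provider", "permit") == "permit":
            findings.append(("warn", section,
                             "access_provider is permit (the default)"))

        # account_cache_expiration (0 = keep forever) must be >= offline_credentials_expiration
        acct_days = dom.getint("account_cache_expiration", fallback=0)
        if acct_days != 0 and acct_days < offline_days:
            findings.append(("error", section,
                             f"account_cache_expiration={acct_days} is below "
                             f"offline_credentials_expiration={offline_days}"))

        # case_sensitive = True is invalid for the AD provider
        if idp == "ad" and dom.get("case_sensitive", "False").lower() == "true":
            findings.append(("error", section,
                             "case_sensitive = True is invalid for the AD provider"))

        # sudo rules are fetched in the background unless sudo_provider = none
        if idp in LDAP_BASED and dom.get("sudo_provider", idp) != "none":
            findings.append(("info", section,
                             "sudo rules are downloaded periodically; "
                             "set sudo_provider = none if sudo is not used"))
    return findings


if __name__ == "__main__":
    for severity, section, message in lint(load_sssd_conf(SAMPLE_CONF)):
        print(f"{severity:5} [{section}] {message}")
```

Run against the sample, the lint reports two errors (the cache expiration
ordering in domain/LDAP and case_sensitive in domain/AD), a permit warning
for each domain and the sudo note for domain/LDAP; giving domain/AD an
explicit access_provider and raising account_cache_expiration to at least
30 clears the errors. The same loader can be pointed at /etc/sssd/sssd.conf,
which only root may read, so run it as root or against a copy.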

SEE ALSO
    sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
    sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
    sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
    sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
    sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
    pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)

AUTHORS
    The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              12/09/2022                      SSSD.CONF(5)