SSSD.CONF(5)             File Formats and Conventions             SSSD.CONF(5)

NAME
       sssd.conf - the configuration file for SSSD

FILE FORMAT
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.


CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY
       The configuration file sssd.conf will include configuration snippets
       using the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, then they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.

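       The include and override behaviour described above, as an added
       example that is not SSSD's own code: a constructed sssd.conf is merged
       with constructed conf.d snippets in the order SSSD uses (alphabetical,
       later file wins, dot-files and non-.conf files skipped), and a stat()
       result is checked against the root:root/0600 rule. Python's
       configparser stands in for libini; the file contents, the file names
       and the helper names are assumptions made for the example.

```python
import configparser
import stat

# Constructed stand-ins for /etc/sssd/sssd.conf and the files that would sit
# in /etc/sssd/conf.d/. Nothing here is SSSD's own code or configuration.
MAIN_CONF = """
[sssd]
services = nss, pam
domains = example.com
debug_level = 2

[nss]
filter_users = root
"""

CONF_D = {
    "01_debug.conf": "[sssd]\ndebug_level = 0x0270\n",
    "02_nss.conf":   "[nss]\nfilter_users = root,daemon\n\n[sssd]\ndebug_level = 6\n",
    ".draft.conf":   "[sssd]\ndebug_level = 9\n",   # skipped: starts with a dot
    "README.txt":    "[sssd]\ndebug_level = 9\n",   # skipped: does not end in .conf
}


def snippet_order(names):
    """Return the conf.d names that are included, in include order.

    Only names ending in ".conf" and not starting with "." count; they are
    sorted alphabetically, and a later file overrides an earlier one.
    """
    eligible = [n for n in names if n.endswith(".conf") and not n.startswith(".")]
    return sorted(eligible)


def merge_config(main_text, conf_d):
    """Parse sssd.conf, then apply each snippet on top of it in include order."""
    cp = configparser.ConfigParser(
        interpolation=None,            # values such as full_name_format contain '%'
        comment_prefixes=("#", ";"),   # whole-line comments only
        inline_comment_prefixes=None,  # inline comments are not supported
    )
    cp.optionxform = str               # keep key case exactly as written
    cp.read_string(main_text, source="sssd.conf")
    for name in snippet_order(conf_d):
        # Re-reading an existing section merges into it and replaces keys
        # that are set again, which models "files included later win".
        cp.read_string(conf_d[name], source=name)
    return cp


def permission_problems(st_mode, st_uid, st_gid):
    """Check a stat() result against the rule for sssd.conf and its snippets:
    a regular file, owned by root:root, with no group/other bits (0600)."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != 0 or st_gid != 0:
        problems.append("not owned by root:root")
    mode = stat.S_IMODE(st_mode)
    if mode & 0o077:
        problems.append("mode %o grants access to group or other" % mode)
    return problems


def effective_debug_level(main_text=MAIN_CONF, conf_d=CONF_D):
    """The [sssd] debug_level that remains after all snippets were applied."""
    return merge_config(main_text, conf_d)["sssd"]["debug_level"]


if __name__ == "__main__":
    cfg = merge_config(MAIN_CONF, CONF_D)
    for section in cfg.sections():
        print("[%s]" % section)
        for key, value in cfg[section].items():
            print("  %s = %s" % (key, value))
    print(permission_problems(stat.S_IFREG | 0o644, 0, 0))
```

       With the constructed input, 02_nss.conf is read last, so its
       debug_level = 6 replaces both the value in sssd.conf and the one in
       01_debug.conf, while keys that no snippet touches (services, domains)
       keep their sssd.conf values.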

GENERAL OPTIONS
       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of level 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           9, 0x20000: Performance and statistical data. Please note that due
           to the way requests are processed internally, the logged execution
           time of a request might be longer than it actually was.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)

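       The two debug_level representations above, as an added example that is
       not SSSD's own code: the level table is transcribed from the list in
       this page, a decimal value is converted to the bitmask of that level
       and all lower levels, and a bitmask is composed by adding the bits of
       named levels (reproducing the 0x0270 and 0x1310 examples and the
       0x0070 default). The parsing rule (a 0x prefix means bitmask,
       otherwise decimal) and the function names are assumptions; SSSD's own
       decimal-to-bitmask conversion may set bits this page does not list.

```python
# (decimal level, bitmask bit, description), exactly as listed on this page.
# Note that two bits map to decimal level 9.
DEBUG_LEVELS = [
    (0,  0x0010,  "fatal failures"),
    (1,  0x0020,  "critical failures"),
    (2,  0x0040,  "serious failures"),
    (3,  0x0080,  "minor failures"),
    (4,  0x0100,  "configuration settings"),
    (5,  0x0200,  "function data"),
    (6,  0x0400,  "trace messages for operation functions"),
    (7,  0x1000,  "trace messages for internal control functions"),
    (8,  0x2000,  "contents of function-internal variables"),
    (9,  0x4000,  "extremely low-level tracing information"),
    (9,  0x20000, "performance and statistical data"),
    (10, 0x10000, "libldb tracing information"),
]


def decimal_to_mask(level):
    """A decimal level enables that level and every lower-numbered level.

    Only the bits listed on this page are set (assumption for the example).
    """
    if not 0 <= level <= 10:
        raise ValueError("decimal debug level must be between 0 and 10")
    mask = 0
    for lvl, bit, _ in DEBUG_LEVELS:
        if lvl <= level:
            mask |= bit
    return mask


def mask_from_names(*names):
    """Compose a bitmask by adding the bits of the named levels together."""
    by_name = {desc: bit for _, bit, desc in DEBUG_LEVELS}
    mask = 0
    for name in names:
        mask |= by_name[name]          # KeyError for a level not on the page
    return mask


def describe_mask(mask):
    """Descriptions of every level enabled in a bitmask, lowest bit first."""
    ordered = sorted(DEBUG_LEVELS, key=lambda entry: entry[1])
    return [desc for _, bit, desc in ordered if mask & bit]


def parse_debug_level(value):
    """Turn a debug_level string from sssd.conf into a bitmask.

    Assumption: a 0x-prefixed value is taken verbatim as a bitmask; anything
    else must be a decimal level 0-10.
    """
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16)
    return decimal_to_mask(int(value, 10))


def is_logged(configured_mask, message_bit):
    """Whether a message at the given level bit would reach the log."""
    return bool(configured_mask & message_bit)


if __name__ == "__main__":
    for text in ("2", "0x0270", "0x1310", "9"):
        mask = parse_debug_level(text)
        print("%-7s -> 0x%05x: %s" % (text, mask, ", ".join(describe_mask(mask))))
```

       A practical use of is_logged: with the default 0x0070, a minor failure
       (0x0080) is silently dropped, so a bitmask that suppresses level 2 but
       keeps level 3 is expressible only in the hexadecimal form.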
       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           In case SSSD is run with debug_level less than 9, everything is
           logged to a ring buffer in memory and flushed to a log file on any
           error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger backtrace, otherwise up to 2).

           The feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10


SPECIAL SECTIONS
   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates what is the syntax of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more domains at the same time, but at least one must be configured
           or SSSD won't start. This parameter describes the list of domains
           in the order you want them to be queried. A domain name is
           recommended to contain only alphanumeric ASCII characters, dashes,
           dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       user (string)
           The user to drop the privileges to where appropriate to avoid
           running as the root user. This option does not work when running
           socket-activated services, as the user set up to run the processes
           is set up during compilation time. The way to override the systemd
           unit files is by creating the appropriate files in
           /etc/systemd/system/. Keep in mind that any change in the socket
           user, group or permissions may result in a non-usable SSSD. The
           same may occur in case of changes of the user running the NSS
           responder.

           Default: not set, process will run as root

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set, all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False. One exception from this rule are domains with
           “id_provider=files” that always try to match the behaviour of
           nss_files and therefore their output is not qualified even when the
           default_domain_suffix option is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character for user and group names, e.g. (_): the user name
           "john doe" will be returned as "john_doe". This feature was added
           to help compatibility with shell scripts that have difficulty
           handling spaces, due to the default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               •   sha1

               •   sha256

               •   sha384

               •   sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired, ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses, links and trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider. In
           case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3) which, if a shortname is returned for a qualified input
           (while trying to reach a user which exists in multiple domains)
           might re-route the login attempt into the domain which uses
           shortnames, so this workaround is not recommended in cases where
           usernames may overlap between domains.

           Default: Not set

       implicit_pac_responder (boolean)
           The PAC responder is enabled automatically for the IPA and AD
           provider to evaluate and check the PAC. If it has to be disabled
           set this option to 'false'.

           Default: true

       core_dumpable (boolean)
           This option can be used for general system hardening: setting it to
           'false' forbids core dumps for all SSSD processes to avoid leaking
           plain text passwords. See the prctl(2) man page (PR_SET_DUMPABLE)
           for details.

           Default: true


SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses incremental behaviour to
           calculate the delay in between retries. So, the wait time for a
           given retry will be longer than the wait time for the previous
           ones. After each unsuccessful attempt to go online, the new
           interval is recalculated by the following:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the number of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set
           offline_timeout_max to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers in
           specified time intervals:

           new_delay = Minimum(old_delay * 2, offline_timeout_max) +
           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used for the
           above equation. The final random_offset value will be a random
           number in the range:

           [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30

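       The retry interval described by offline_timeout, offline_timeout_max
       and offline_timeout_random_offset, as an added example that is not
       SSSD's own code. It carries the formula through a run of unsuccessful
       reconnect attempts and flags the setting combinations the page calls
       pointless (offline_timeout_max below twice offline_timeout saturates
       at once; below offline_timeout it overrides it; the rule of thumb is
       at least 4 times). Assumptions: old_delay is the previous base delay
       without its random part, the first wait is offline_timeout itself
       plus a random part, the random part is an integer in the inclusive
       range [0, offline_timeout_random_offset], and offline_timeout_max = 0
       keeps every base delay at offline_timeout. The function names and the
       warning wording are the example's own.

```python
import random


def retry_schedule(offline_timeout=60, offline_timeout_max=3600,
                   random_offset=30, attempts=8, seed=None):
    """Seconds waited before each of `attempts` reconnect attempts.

    Implements new_delay = min(old_delay * 2, offline_timeout_max)
                           + random[0...offline_timeout_random_offset]
    with the assumptions stated above; `seed` makes a run reproducible.
    """
    rng = random.Random(seed)
    delays = []
    base = offline_timeout                     # first wait: offline_timeout
    for attempt in range(attempts):
        if attempt > 0 and offline_timeout_max > 0:
            base = min(base * 2, offline_timeout_max)
        # offline_timeout_max == 0: incrementing disabled, base stays as is
        jitter = rng.randint(0, random_offset) if random_offset > 0 else 0
        delays.append(base + jitter)
    return delays


def offline_settings_warnings(offline_timeout=60, offline_timeout_max=3600):
    """Flag combinations this page describes as pointless or of little use."""
    warnings = []
    if offline_timeout_max == 0:
        return warnings                        # incrementing disabled on purpose
    if offline_timeout_max < offline_timeout:
        warnings.append("offline_timeout_max below offline_timeout overrides it")
    elif offline_timeout_max < 2 * offline_timeout:
        warnings.append("offline_timeout_max saturates on the first retry")
    if offline_timeout_max < 4 * offline_timeout:
        warnings.append("offline_timeout_max should be at least 4 times offline_timeout")
    return warnings


if __name__ == "__main__":
    print("defaults, no jitter:", retry_schedule(random_offset=0))
    print("defaults, seeded jitter:", retry_schedule(seed=1))
    print("max=100:", offline_settings_warnings(60, 100))
```

       With the defaults and the random part switched off, the base delays
       run 60, 120, 240, ..., and clamp at 3600 from the seventh retry on;
       each real wait adds up to 30 seconds on top of that base.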
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set up for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %h
               The original home directory retrieved from the identity
               provider, but in lower case.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note, the home directory from a specific override for the
           user, either locally (see sss_override(8)) or centrally managed IPA
           id-overrides, has a higher precedence and will be used instead of
           the value given by override_homedir.

       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)

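       The template sequences shared by override_homedir and fallback_homedir,
       together with homedir_substring (%H) and the precedence between the
       two options, as an added example that is not SSSD's own code: a small
       expander substitutes every sequence listed above, rejects unknown
       ones, and a resolver applies override_homedir first, then the home
       directory the provider returned, then fallback_homedir. The sample
       user record is constructed, the %o value is assumed to be the
       provider's raw attribute, and per-user overrides from sss_override(8)
       or IPA id-overrides are not modelled.

```python
HOMEDIR_SEQUENCES = "uUdflPohH%"   # the sequences listed on this page


def expand_homedir_template(template, user, homedir_substring="/home"):
    """Substitute %u %U %d %f %l %P %o %h %H %% in a home directory template."""
    name = user["name"]
    orig = user.get("orig_homedir") or ""          # assumed provider attribute
    values = {
        "u": name,                                 # login name
        "U": str(user["uid"]),                     # UID number
        "d": user["domain"],                       # domain name
        "f": "%s@%s" % (name, user["domain"]),     # fully qualified name
        "l": name[:1],                             # first letter of login name
        "P": user.get("upn", ""),                  # User Principal Name
        "o": orig,                                 # original home directory
        "h": orig.lower(),                         # ... in lower case
        "H": homedir_substring,                    # homedir_substring option
        "%": "%",                                  # literal percent sign
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template) or template[i + 1] not in HOMEDIR_SEQUENCES:
            raise ValueError("unknown template sequence at offset %d in %r" % (i, template))
        out.append(values[template[i + 1]])
        i += 2
    return "".join(out)


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home"):
    """Pick the home directory the NSS responder would return for `user`."""
    if override_homedir:                           # overrides whatever LDAP said
        return expand_homedir_template(override_homedir, user, homedir_substring)
    if user.get("orig_homedir"):                   # value retrieved from the provider
        return user["orig_homedir"]
    if fallback_homedir:                           # only when the provider set none
        return expand_homedir_template(fallback_homedir, user, homedir_substring)
    return None                                    # no substitution for unset homes


# Constructed sample user record; not taken from any real directory.
JDOE = {"name": "jdoe", "uid": 10001, "domain": "example.com",
        "upn": "jdoe@EXAMPLE.COM", "orig_homedir": "/Users/JDoe"}

if __name__ == "__main__":
    for tmpl in ("/home/%u", "/home/%d/%u", "%H/%l/%u", "%h", "%o-%%"):
        print("%-12s -> %s" % (tmpl, expand_homedir_template(tmpl, JDOE, "/srv/home")))
    print(resolve_homedir(JDOE), resolve_homedir(JDOE, override_homedir="/home/%u"))
```

       Because %l expands from the login name, a template such as %H/%l/%u
       shards home directories by first letter, which is the layout the
       homedir_substring option is meant to make portable across clients.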
674       override_shell (string)
675           Override the login shell for all users. This option supersedes any
676           other shell options if it takes effect and can be set either in the
677           [nss] section or per-domain.
678
679           Default: not set (SSSD will use the value retrieved from LDAP)
680
681       allowed_shells (string)
682           Restrict user shell to one of the listed values. The order of
683           evaluation is:
684
685           1. If the shell is present in “/etc/shells”, it is used.
686
687           2. If the shell is in the allowed_shells list but not in
688           “/etc/shells”, use the value of the shell_fallback parameter.
689
690           3. If the shell is not in the allowed_shells list and not in
691           “/etc/shells”, a nologin shell is used.
692
693           The wildcard (*) can be used to allow any shell.
694
695           The (*) is useful if you want to use shell_fallback in case that
696           user's shell is not in “/etc/shells” and maintaining list of all
697           allowed shells in allowed_shells would be to much overhead.
698
699           An empty string for shell is passed as-is to libc.
700
701           The “/etc/shells” is only read on SSSD start up, which means that a
702           restart of the SSSD is required in case a new shell is installed.
703
704           Default: Not set. The user shell is automatically used.
705
706       vetoed_shells (string)
707           Replace any instance of these shells with the shell_fallback
708
709       shell_fallback (string)
710           The default shell to use if an allowed shell is not installed on
711           the machine.
712
713           Default: /bin/sh
714
715       default_shell (string)
716           The default shell to use if the provider does not return one during
717           lookup. This option can be specified globally in the [nss] section
718           or per-domain.
719
720           Default: not set (Return NULL if no shell is specified and rely on
721           libc to substitute something sensible when necessary, usually
722           /bin/sh)
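
           The shell options above (override_shell, allowed_shells,
           vetoed_shells, shell_fallback and default_shell) interact, and the
           result is easiest to see by running the documented rules over a
           few provider-supplied shells. The following is an added example,
           not SSSD's own code: it models the lookup order stated for
           allowed_shells. Checking override_shell first, substituting
           default_shell only for a missing shell, and applying
           vetoed_shells before the allowed_shells steps are assumed
           precedences, and the nologin path /sbin/nologin is an assumption
           (the page says only "a nologin shell"). The [nss] fragment and
           the /etc/shells contents are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed path: the page only says "a nologin shell" is used.
NOLOGIN_SHELL = "/sbin/nologin"


def parse_list(value: Optional[str]) -> list[str]:
    """Split a comma-separated sssd.conf value into trimmed, non-empty items."""
    if value is None:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


@dataclass
class ShellPolicy:
    etc_shells: set[str]                      # /etc/shells, read once at SSSD start-up
    override_shell: Optional[str] = None
    default_shell: Optional[str] = None
    allowed_shells: list[str] = field(default_factory=list)
    vetoed_shells: list[str] = field(default_factory=list)
    shell_fallback: str = "/bin/sh"           # documented default

    @classmethod
    def from_config(cls, nss: dict[str, str], etc_shells: set[str]) -> "ShellPolicy":
        """Build the policy from raw [nss] key/value pairs."""
        return cls(
            etc_shells=etc_shells,
            override_shell=nss.get("override_shell"),
            default_shell=nss.get("default_shell"),
            allowed_shells=parse_list(nss.get("allowed_shells")),
            vetoed_shells=parse_list(nss.get("vetoed_shells")),
            shell_fallback=nss.get("shell_fallback", "/bin/sh"),
        )

    def resolve(self, user_shell: Optional[str]) -> Optional[str]:
        """Return the shell NSS hands out when the provider returned user_shell."""
        # override_shell supersedes every other shell option.
        if self.override_shell is not None:
            return self.override_shell
        # The provider returned no shell: default_shell, else NULL for libc.
        if user_shell is None:
            return self.default_shell
        # An empty string is passed to libc as-is.
        if user_shell == "":
            return ""
        # vetoed_shells are replaced by shell_fallback.  Checking the veto
        # list before the allowed_shells steps is an assumed precedence.
        if user_shell in self.vetoed_shells:
            return self.shell_fallback
        # allowed_shells not set: the user's shell is used automatically.
        if not self.allowed_shells:
            return user_shell
        # Step 1: installed on this host (listed in /etc/shells) -> use it.
        if user_shell in self.etc_shells:
            return user_shell
        # Step 2: allowed (explicitly or via '*') but not installed -> shell_fallback.
        if "*" in self.allowed_shells or user_shell in self.allowed_shells:
            return self.shell_fallback
        # Step 3: neither allowed nor installed -> nologin.
        return NOLOGIN_SHELL


# Constructed [nss] fragment and /etc/shells contents for the demonstration.
EXAMPLE_NSS = {
    "allowed_shells": "/bin/bash, /usr/bin/fish",
    "vetoed_shells": "/bin/csh",
    "shell_fallback": "/bin/bash",
    "default_shell": "/bin/sh",
}
EXAMPLE_ETC_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh"}


def demo() -> dict[Optional[str], Optional[str]]:
    """Resolve a handful of provider-supplied shells under EXAMPLE_NSS."""
    policy = ShellPolicy.from_config(EXAMPLE_NSS, EXAMPLE_ETC_SHELLS)
    cases = ["/bin/bash", "/usr/bin/fish", "/bin/csh", "/usr/bin/zsh", "", None]
    return {shell: policy.resolve(shell) for shell in cases}


if __name__ == "__main__":
    for shell, result in demo().items():
        print(f"{shell!r:>16} -> {result!r}")
```

           The point to notice is that a shell which is allowed but not
           installed on this host (/usr/bin/fish above) silently becomes
           shell_fallback, and that /etc/shells is read only at start-up,
           so installing a shell later still yields the fallback until SSSD
           is restarted.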
723
724       get_domains_timeout (int)
725           Specifies time in seconds for which the list of subdomains will be
726           considered valid.
727
728           Default: 60
729
730       memcache_timeout (integer)
731           Specifies time in seconds for which records in the in-memory cache
732           will be valid. Setting this option to zero will disable the
733           in-memory cache.
734
735           Default: 300
736
737           WARNING: Disabling the in-memory cache will have significant
738           negative impact on SSSD's performance and should only be used for
739           testing.
740
741           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
742           "NO", client applications will not use the fast in-memory cache.
743
744       memcache_size_passwd (integer)
745           Size (in megabytes) of the data table allocated inside fast
746           in-memory cache for passwd requests. Setting the size to 0 will
747           disable the passwd in-memory cache.
748
749           Default: 8
750
751           WARNING: Disabled or too small in-memory cache can have significant
752           negative impact on SSSD's performance.
753
754           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
755           "NO", client applications will not use the fast in-memory cache.
756
757       memcache_size_group (integer)
758           Size (in megabytes) of the data table allocated inside fast
759           in-memory cache for group requests. Setting the size to 0 will
760           disable the group in-memory cache.
761
762           Default: 6
763
764           WARNING: Disabled or too small in-memory cache can have significant
765           negative impact on SSSD's performance.
766
767           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
768           "NO", client applications will not use the fast in-memory cache.
769
770       memcache_size_initgroups (integer)
771           Size (in megabytes) of the data table allocated inside fast
772           in-memory cache for initgroups requests. Setting the size to 0 will
773           disable the initgroups in-memory cache.
774
775           Default: 10
776
777           WARNING: Disabled or too small in-memory cache can have significant
778           negative impact on SSSD's performance.
779
780           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
781           "NO", client applications will not use the fast in-memory cache.
782
783       memcache_size_sid (integer)
784           Size (in megabytes) of the data table allocated inside fast
785           in-memory cache for SID related requests. Only SID-by-ID and
786           ID-by-SID requests are currently cached in fast in-memory cache.
787           Setting the size to 0 will disable the SID in-memory cache.
788
789           Default: 6
790
791           WARNING: Disabled or too small in-memory cache can have significant
792           negative impact on SSSD's performance.
793
794           NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
795           "NO", client applications will not use the fast in-memory cache.
796
797       user_attributes (string)
798           Some of the additional NSS responder requests can return more
799           attributes than just the POSIX ones defined by the NSS interface.
800           The list of attributes is controlled by this option. It is handled
801           the same way as the “user_attributes” option of the InfoPipe
802           responder (see sssd-ifp(5) for details) but with no default values.
803
804           To make configuration easier, the NSS responder will fall back to
805           the InfoPipe option if this option is not set for the NSS responder.
806
807           Default: not set, fallback to InfoPipe option
808
809       pwfield (string)
810           The value that NSS operations that return users or groups will
811           return for the “password” field.
812
813           Default: “*”
814
815           Note: This option can also be set per-domain, which overrides the
816           value in the [nss] section. Per-domain defaults: not set (remote
817           domains; the [nss] value then applies), “x” (the files domain),
818           “x” (proxy domain with nss_files and sssd-shadowutils target)
820
821   PAM configuration options
822       These options can be used to configure the Pluggable Authentication
823       Module (PAM) service.
824
825       offline_credentials_expiration (integer)
826           If the authentication provider is offline, how long should we allow
827           cached logins (in days since the last successful online login).
828
829           Default: 0 (No limit)
830
831       offline_failed_login_attempts (integer)
832           If the authentication provider is offline, how many failed login
833           attempts are allowed.
834
835           Default: 0 (No limit)
836
837       offline_failed_login_delay (integer)
838           The time in minutes which has to pass after
839           offline_failed_login_attempts has been reached before a new login
840           attempt is possible.
841
842           If set to 0 the user cannot authenticate offline if
843           offline_failed_login_attempts has been reached. Only a successful
844           online authentication can enable offline authentication again.
845
846           Default: 5
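
           The three offline options above combine into a small lockout
           policy whose edge cases (0 meaning "no limit" for the first two,
           but "locked until an online login" for the delay) are easy to get
           backwards. The following is an added example, not SSSD's own
           code: it applies the documented limits to a modelled per-user
           state. The state layout, the epoch-second timestamps and the
           reset of the failure counter on a successful online login are
           assumptions of this model, not documented SSSD behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

DAY = 86_400      # seconds
MINUTE = 60


@dataclass
class OfflinePolicy:
    """The three [pam] options, with their documented defaults."""
    offline_credentials_expiration: int = 0   # days since last online login; 0 = no limit
    offline_failed_login_attempts: int = 0    # 0 = no limit
    offline_failed_login_delay: int = 5       # minutes; 0 = locked until an online login


@dataclass
class OfflineState:
    """Per-user bookkeeping (modelled here, not SSSD's cache layout)."""
    last_online_login: Optional[float] = None  # epoch seconds; None = never logged in online
    failed_attempts: int = 0
    last_failed_attempt: Optional[float] = None


def offline_login_allowed(policy: OfflinePolicy, state: OfflineState,
                          now: float) -> tuple[bool, str]:
    """Decide whether an offline (cached-credential) login attempt may proceed.

    Returns (allowed, reason).  Only the documented limits are applied; the
    cached password itself is not verified here.
    """
    if state.last_online_login is None:
        return False, "no successful online login, so no cached credentials"
    if policy.offline_credentials_expiration > 0:
        age_days = (now - state.last_online_login) / DAY
        if age_days > policy.offline_credentials_expiration:
            return False, "cached credentials expired"
    limit = policy.offline_failed_login_attempts
    if limit > 0 and state.failed_attempts >= limit:
        if policy.offline_failed_login_delay == 0:
            # Hard lock: only a successful online login re-enables offline auth.
            return False, "locked until a successful online login"
        last = state.last_failed_attempt
        # Fail closed if the timestamp is missing.
        if last is None or now - last < policy.offline_failed_login_delay * MINUTE:
            return False, "too many failed attempts, delay still running"
    return True, "ok"


def record_failed_attempt(state: OfflineState, now: float) -> OfflineState:
    state.failed_attempts += 1
    state.last_failed_attempt = now
    return state


def record_online_login(state: OfflineState, now: float) -> OfflineState:
    """A successful online login refreshes the expiration clock; clearing the
    failure counter here is an assumption of this model."""
    state.last_online_login = now
    state.failed_attempts = 0
    state.last_failed_attempt = None
    return state


if __name__ == "__main__":
    policy = OfflinePolicy(offline_credentials_expiration=7,
                           offline_failed_login_attempts=3)
    t0 = 1_700_000_000.0
    state = record_online_login(OfflineState(), t0)
    for _ in range(3):
        record_failed_attempt(state, t0 + DAY)
    print(offline_login_allowed(policy, state, t0 + DAY + 60))
    print(offline_login_allowed(policy, state, t0 + DAY + 6 * MINUTE))
```

           With the shipped defaults (0, 0, 5) nothing limits offline
           logins at all: cached credentials stay usable indefinitely and
           an attacker with the laptop can guess offline without a lockout.
           Setting offline_failed_login_attempts together with
           offline_failed_login_delay=0 is the strictest form, since it can
           only be cleared by reaching the authentication provider.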
847
848       pam_verbosity (integer)
849           Controls what kind of messages are shown to the user during
850           authentication. The higher the number, the more messages are
851           displayed.
852
853           Currently sssd supports the following values:
854
855           0: do not show any message
856
857           1: show only important messages
858
859           2: show informational messages
860
861           3: show all messages and debug information
862
863           Default: 1
864
865       pam_response_filter (string)
866           A comma separated list of strings which allows data sent by the
867           PAM responder to the pam_sss PAM module to be removed (filtered).
868           Different kinds of responses are sent to pam_sss, e.g. messages
869           displayed to the user or environment variables which should be
870           set by pam_sss.
871
872           While messages can already be controlled with the help of the
873           pam_verbosity option, this option allows other kinds of responses
874           to be filtered out as well.
875
876           Currently the following filters are supported:
877
878           ENV
879               Do not send any environment variables to any service.
880
881           ENV:var_name
882               Do not send environment variable var_name to any service.
883
884           ENV:var_name:service
885               Do not send environment variable var_name to service.
886
887           The value can either be a plain list of filters, which replaces
888           the default list, or a list in which each element is prefixed by
889           a '+' or '-' character, which adds the filter to the defaults or
890           removes it from the defaults, respectively. Please note that
891           either all list elements must have a '+' or '-' prefix or none;
892           mixing both styles is considered an error.
894
895           Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
896
897           Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the
898           default list
899
900       pam_id_timeout (integer)
901           For any PAM request while SSSD is online, the SSSD will attempt to
902           immediately update the cached identity information for the user in
903           order to ensure that authentication takes place with the latest
904           information.
905
906           A complete PAM conversation may perform multiple PAM requests, such
907           as account management and session opening. This option controls (on
908           a per-client-application basis) how long (in seconds) we can cache
909           the identity information to avoid excessive round-trips to the
910           identity provider.
911
912           Default: 5
913
914       pam_pwd_expiration_warning (integer)
915           Display a warning N days before the password expires.
916
917           Please note that the backend server has to provide information
918           about the expiration time of the password. If this information is
919           missing, sssd cannot display a warning.
920
921           If zero is set, then this filter is not applied, i.e. if the
922           expiration warning was received from backend server, it will
923           automatically be displayed.
924
925           This setting can be overridden by setting pwd_expiration_warning
926           for a particular domain.
927
928           Default: 0
929
930       get_domains_timeout (int)
931           Specifies time in seconds for which the list of subdomains will be
932           considered valid.
933
934           Default: 60
935
936       pam_trusted_users (string)
937           Specifies the comma-separated list of UID values or user names that
938           are allowed to run PAM conversations against trusted domains. Users
939           not included in this list can only access domains marked as public
940           with “pam_public_domains”. User names are resolved to UIDs at
941           startup.
942
943           Default: All users are considered trusted by default
944
945           Please note that UID 0 is always allowed to access the PAM
946           responder even in case it is not in the pam_trusted_users list.
947
948       pam_public_domains (string)
949           Specifies the comma-separated list of domain names that are
950           accessible even to untrusted users.
951
952           Two special values for pam_public_domains option are defined:
953
954           all (Untrusted users are allowed to access all domains in the PAM
955           responder.)
956
957           none (Untrusted users are not allowed to access any domain in the
958           PAM responder.)
959
960           Default: none
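
           pam_trusted_users and pam_public_domains together form the access
           check that decides which local processes may drive a PAM
           conversation against which domain. The following is an added
           example, not SSSD's own code: it resolves both options as the
           text above describes and evaluates the decision for a few
           callers. The passwd table and the [pam] fragment are constructed
           for the demonstration, and failing closed on a user name that
           cannot be resolved is this example's choice rather than
           documented SSSD behaviour.

```python
from __future__ import annotations

from typing import Optional, Union

# Constructed passwd table standing in for the name lookups done at start-up.
EXAMPLE_PASSWD = {"root": 0, "sshd": 74, "gdm": 42, "alice": 1000}


def parse_pam_trusted_users(value: Optional[str],
                            passwd: dict[str, int]) -> Optional[set[int]]:
    """Resolve pam_trusted_users to UIDs.  None means the option is unset,
    i.e. every user is trusted (the documented default)."""
    if value is None:
        return None
    uids: set[int] = set()
    for item in (i.strip() for i in value.split(",") if i.strip()):
        if item.isdigit():
            uids.add(int(item))
        elif item in passwd:
            uids.add(passwd[item])
        else:
            # Example's choice: refuse to start with an unresolvable name
            # rather than silently trusting fewer (or more) users than intended.
            raise ValueError(f"cannot resolve {item!r} in pam_trusted_users")
    return uids


def parse_pam_public_domains(value: Optional[str]) -> Union[set[str], str]:
    """Return the set of public domain names, or the string "all"."""
    if value is None or value.strip() == "none":   # documented default: none
        return set()
    if value.strip() == "all":
        return "all"
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_domain_accessible(caller_uid: int, domain: str,
                          trusted_uids: Optional[set[int]],
                          public_domains: Union[set[str], str]) -> bool:
    """May a PAM client running as caller_uid run a conversation against domain?"""
    if caller_uid == 0:
        return True                      # UID 0 is always allowed
    if trusted_uids is None or caller_uid in trusted_uids:
        return True                      # trusted users reach every domain
    if public_domains == "all":
        return True
    return domain in public_domains


# Constructed [pam] fragment: only root and the login services are trusted;
# one guest domain stays reachable for everybody else.
EXAMPLE_PAM = {
    "pam_trusted_users": "0, sshd, gdm",
    "pam_public_domains": "guests.example.test",
}


def demo() -> dict[tuple[int, str], bool]:
    """Evaluate the example policy for a root, a service and an ordinary user."""
    trusted = parse_pam_trusted_users(EXAMPLE_PAM["pam_trusted_users"], EXAMPLE_PASSWD)
    public = parse_pam_public_domains(EXAMPLE_PAM["pam_public_domains"])
    cases = [(0, "corp.example.test"), (74, "corp.example.test"),
             (1000, "corp.example.test"), (1000, "guests.example.test")]
    return {c: pam_domain_accessible(c[0], c[1], trusted, public) for c in cases}


if __name__ == "__main__":
    for (uid, domain), allowed in demo().items():
        print(f"uid {uid:>5} -> {domain}: {'allow' if allowed else 'deny'}")
```

           Restricting pam_trusted_users is what stops an unprivileged local
           process from probing or brute-forcing accounts in the corporate
           domain through the PAM responder; as the text notes, root keeps
           access whether or not it is listed.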
961
962       pam_account_expired_message (string)
963           Allows a custom expiration message to be set, replacing the default
964           'Permission denied' message.
965
966           Note: Please be aware that the message is only printed for the SSH
967           service unless pam_verbosity is set to 3 (show all messages and
968           debug information).
969
970           example:
971
972               pam_account_expired_message = Account expired, please contact help desk.
973
974
975           Default: none
976
977       pam_account_locked_message (string)
978           Allows a custom lockout message to be set, replacing the default
979           'Permission denied' message.
980
981           example:
982
983               pam_account_locked_message = Account locked, please contact help desk.
984
985
986           Default: none
987
988       pam_cert_auth (bool)
989           Enable certificate based Smartcard authentication. Since this
990           requires additional communication with the Smartcard which will
991           delay the authentication process this option is disabled by
992           default.
993
994           Default: False
995
996       pam_cert_db_path (string)
997           The path to the certificate database.
998
999           Default:
1000
1001           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1002               CA certificates in PEM format)
1003
1004
1005       pam_cert_verification (string)
1006           With this parameter the PAM certificate verification can be tuned
1007           with a comma separated list of options that override the
1008           “certificate_verification” value in the “[sssd]” section. The
1009           supported options are the same as for “certificate_verification”.
1010
1011           example:
1012
1013               pam_cert_verification = partial_chain
1014
1015
1016           Default: not set, i.e. use default “certificate_verification”
1017           option defined in “[sssd]” section.
1018
1019       p11_child_timeout (integer)
1020           How many seconds will pam_sss wait for p11_child to finish.
1021
1022           Default: 10
1023
1024       pam_app_services (string)
1025           Which PAM services are permitted to contact domains of type
1026           “application”
1027
1028           Default: Not set
1029
1030       pam_p11_allowed_services (string)
1031           A comma-separated list of PAM service names for which it will be
1032           allowed to use Smartcards.
1033
1034           It is possible to add another PAM service name to the default set
1035           by using “+service_name” or to explicitly remove a PAM service name
1036           from the default set by using “-service_name”. For example, in
1037           order to replace a default PAM service name for authentication with
1038           Smartcards (e.g.  “login”) with a custom PAM service name (e.g.
1039           “my_pam_service”), you would use the following configuration:
1040
1041               pam_p11_allowed_services = +my_pam_service, -login
1042
1043
1044           Default: the default set of PAM service names includes:
1045
1046           •   login
1047
1048           •   su
1049
1050           •   su-l
1051
1052           •   gdm-smartcard
1053
1054           •   gdm-password
1055
1056           •   kdm
1057
1058           •   sudo
1059
1060           •   sudo-i
1061
1062           •   gnome-screensaver
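
           pam_response_filter (above) and pam_p11_allowed_services share
           the same '+'/'-' list syntax against a default list, and the
           response filter is then applied per variable and per PAM
           service. The following is an added example, not SSSD's own
           code: one resolver for both options, using the defaults the page
           documents, plus the ENV filter evaluation as the three filter
           forms describe it. The rule that '+'/'-' items may not be mixed
           with plain items is documented for pam_response_filter; applying
           it to pam_p11_allowed_services as well is an assumption, as is
           the constructed environment used at the end.

```python
from __future__ import annotations

from typing import Iterable, Optional

# Defaults as documented on this page.
PAM_RESPONSE_FILTER_DEFAULT = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
PAM_P11_ALLOWED_SERVICES_DEFAULT = [
    "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm",
    "sudo", "sudo-i", "gnome-screensaver",
]


def resolve_list_option(value: Optional[str], defaults: list[str]) -> list[str]:
    """Return the effective list for an option that accepts '+item'/'-item'.

    A plain list replaces the defaults; a list of '+'/'-' items edits them.
    Mixing the two styles raises (documented for pam_response_filter,
    assumed for pam_p11_allowed_services).
    """
    if value is None or not value.strip():
        return list(defaults)
    items = [i.strip() for i in value.split(",") if i.strip()]
    signed = [i[0] in "+-" for i in items]
    if any(signed) and not all(signed):
        raise ValueError(f"mixed '+'/'-' and plain items in {value!r}")
    if not any(signed):
        return items
    result = list(defaults)
    for item in items:
        name = item[1:].strip()
        if item[0] == "+" and name not in result:
            result.append(name)
        elif item[0] == "-" and name in result:
            result.remove(name)
    return result


def env_response_filtered(filters: Iterable[str], var: str, service: str) -> bool:
    """True if the filters forbid sending environment variable var to service.

    Filter forms: "ENV" (no variable to any service), "ENV:var" (var to no
    service), "ENV:var:service" (var to that one service).
    """
    for flt in filters:
        parts = flt.split(":")
        if parts[0] != "ENV":
            continue                     # ENV is the only filter kind defined
        if len(parts) == 1:
            return True
        if parts[1] != var:
            continue
        if len(parts) == 2 or parts[2] == service:
            return True
    return False


def responses_to_send(filters: Iterable[str], service: str,
                      env: dict[str, str]) -> dict[str, str]:
    """Drop the environment entries the PAM responder must not pass to pam_sss."""
    filters = list(filters)
    return {k: v for k, v in env.items()
            if not env_response_filtered(filters, k, service)}


if __name__ == "__main__":
    # Constructed environment a PAM responder might hand to pam_sss.
    env = {"KRB5CCNAME": "KCM:1000", "SOME_VAR": "value"}
    filters = resolve_list_option("-ENV:KRB5CCNAME:sudo-i", PAM_RESPONSE_FILTER_DEFAULT)
    print(filters, responses_to_send(filters, "sudo", env), responses_to_send(filters, "sudo-i", env))
    print(resolve_list_option("+my_pam_service, -login", PAM_P11_ALLOWED_SERVICES_DEFAULT))
```

           The defaults keep KRB5CCNAME out of sudo sessions so that the
           invoking user's credential cache is not handed to the target
           user's environment; the example "-ENV:KRB5CCNAME:sudo-i" from the
           text re-enables it for sudo -i only.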
1063
1064
1065       p11_wait_for_card_timeout (integer)
1066           If Smartcard authentication is required how many extra seconds in
1067           addition to p11_child_timeout should the PAM responder wait until a
1068           Smartcard is inserted.
1069
1070           Default: 60
1071
1072       p11_uri (string)
1073           PKCS#11 URI (see RFC-7512 for details) which can be used to
1074           restrict the selection of devices used for Smartcard
1075           authentication. By default SSSD's p11_child will search for a
1076           PKCS#11 slot (reader) where the 'removable' flag is set and read
1077           the certificates from the token inserted in the first slot found.
1078           If multiple readers are connected, p11_uri can be used to tell
1079           p11_child to use a specific reader.
1080
1081           Example:
1082
1083               p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1084
1085
1086           or
1087
1088               p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1089
1090
1091           To find a suitable URI, check the debug output of p11_child. As an
1092           alternative, the GnuTLS utility 'p11tool' (e.g. with '--list-all')
1093           will show PKCS#11 URIs as well.
1094
1095           Default: none
1096
1097       pam_initgroups_scheme
1098           The PAM responder can force an online lookup to get the current
1099           group memberships of the user trying to log in. This option
1100           controls when this should be done and the following values are
1101           allowed:
1102
1103           always
1104               Always do an online lookup, please note that pam_id_timeout
1105               still applies
1106
1107           no_session
1108               Only do an online lookup if there is no active session of the
1109               user, i.e. if the user is currently not logged in
1110
1111           never
1112               Never force an online lookup, use the data from the cache as
1113               long as they are not expired
1114
1115           Default: no_session
1116
1117       pam_gssapi_services
1118           Comma separated list of PAM services that are allowed to try GSSAPI
1119           authentication using pam_sss_gss.so module.
1120
1121           To disable GSSAPI authentication, set this option to “-” (dash).
1122
1123           Note: This option can also be set per-domain which overwrites the
1124           value in [pam] section. It can also be set for trusted domain which
1125           overwrites the value in the domain section.
1126
1127           Example:
1128
1129               pam_gssapi_services = sudo, sudo-i
1130
1131
1132           Default: - (GSSAPI authentication is disabled)
1133
1134       pam_gssapi_check_upn
1135           If True, SSSD will require that the Kerberos user principal that
1136           successfully authenticated through GSSAPI can be associated with
1137           the user who is being authenticated. Authentication will fail if
1138           the check fails.
1139
1140           If False, every user that is able to obtain the required service
1141           ticket will be authenticated.
1142
1143           Note: This option can also be set per-domain which overwrites the
1144           value in [pam] section. It can also be set for trusted domain which
1145           overwrites the value in the domain section.
1146
1147           Default: True
1148
1149       pam_gssapi_indicators_map
1150           Comma separated list of authentication indicators required to be
1151           present in a Kerberos ticket to access a PAM service that is
1152           allowed to try GSSAPI authentication using pam_sss_gss.so module.
1153
1154           Each element of the list can be either an authentication indicator
1155           name or a pair “service:indicator”. Indicators not prefixed with
1156           the PAM service name will be required to access any PAM service
1157           configured to be used with pam_gssapi_services. A resulting list of
1158           indicators per PAM service is then checked against indicators in
1159           the Kerberos ticket during authentication by pam_sss_gss.so. Any
1160           indicator from the ticket that matches the resulting list of
1161           indicators for the PAM service would grant access. If none of the
1162           indicators in the list match, access will be denied. If the
1163           resulting list of indicators for the PAM service is empty, the
1164           check will not prevent the access.
1165
1166           To disable GSSAPI authentication indicator check, set this option
1167           to “-” (dash). To disable the check for a specific PAM service, add
1168           “service:-”.
1169
1170           Note: This option can also be set per-domain which overwrites the
1171           value in [pam] section. It can also be set for trusted domain which
1172           overwrites the value in the domain section.
1173
1174           The following authentication indicators are supported by IPA
1175           Kerberos deployments:
1176
1177           •   pkinit -- pre-authentication using X.509 certificates --
1178               whether stored in files or on smart cards.
1179
1180           •   hardened -- SPAKE pre-authentication or any pre-authentication
1181               wrapped in a FAST channel.
1182
1183           •   radius -- pre-authentication with the help of a RADIUS server.
1184
1185           •   otp -- pre-authentication using integrated two-factor
1186               authentication (2FA or one-time password, OTP) in IPA.
1187
1188           •   idp -- pre-authentication using external identity provider.
1189
1190           Example: to allow access to the sudo services only to users who
1191           obtained their Kerberos tickets with X.509 certificate
1192           pre-authentication (PKINIT), set
1193
1194               pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1195
1196
1197           Default: not set (use of authentication indicators is not required)
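
           The rules above for pam_gssapi_indicators_map (global indicators
           plus service:indicator pairs, "-" to disable, "service:-" to
           disable one service, any matching indicator grants, an empty
           requirement does not block) are worth tracing with real inputs.
           The following is an added example, not SSSD's own code or
           pam_sss_gss.so: it builds the per-service requirement from the
           option value and the pam_gssapi_services list, then checks a
           ticket's indicator set against it. The ticket indicator sets are
           constructed inputs; how pam_sss_gss.so extracts them from the
           ticket is not modelled, and treating a service that is absent
           from pam_gssapi_services as "GSSAPI not attempted" is an
           assumption.

```python
from __future__ import annotations

from typing import Optional

DISABLED = "-"


def build_indicator_map(value: Optional[str],
                        services: list[str]) -> dict[str, Optional[set[str]]]:
    """Map each service in pam_gssapi_services to its required indicators.

    An empty set means no indicator is required; None means the indicator
    check is disabled for that service.
    """
    if value is None:
        return {svc: set() for svc in services}
    if value.strip() == DISABLED:
        return {svc: None for svc in services}
    global_indicators: set[str] = set()
    per_service: dict[str, Optional[set[str]]] = {}
    for item in (i.strip() for i in value.split(",") if i.strip()):
        if ":" not in item:
            global_indicators.add(item)          # applies to every service
            continue
        svc, ind = (p.strip() for p in item.split(":", 1))
        if ind == DISABLED:
            per_service[svc] = None              # "service:-" disables the check
        elif per_service.get(svc, set()) is not None:
            per_service.setdefault(svc, set()).add(ind)
    required: dict[str, Optional[set[str]]] = {}
    for svc in services:
        if svc in per_service and per_service[svc] is None:
            required[svc] = None
        else:
            required[svc] = global_indicators | (per_service.get(svc) or set())
    return required


def gssapi_indicators_allow(required: dict[str, Optional[set[str]]],
                            service: str, ticket_indicators: set[str]) -> bool:
    """Apply the resolved map to the indicators found in the ticket."""
    if service not in required:
        return False        # not in pam_gssapi_services: GSSAPI is not attempted (assumption)
    need = required[service]
    if need is None or not need:
        return True         # check disabled, or nothing required
    return bool(need & ticket_indicators)   # any one matching indicator grants access


if __name__ == "__main__":
    # Constructed [pam] fragment: the page's own example plus a global indicator.
    services = ["sudo", "sudo-i", "sshd"]
    required = build_indicator_map("hardened, sudo:pkinit, sudo-i:pkinit", services)
    for svc, ticket in [("sudo", {"pkinit"}), ("sudo", {"hardened"}),
                        ("sudo", {"otp"}), ("sshd", {"hardened"}), ("sshd", set())]:
        print(svc, sorted(ticket), gssapi_indicators_allow(required, svc, ticket))
```

           Because any single matching indicator grants access, listing
           both "hardened" globally and "sudo:pkinit" lets a password
           login over FAST reach sudo as well as a PKINIT login; to require
           PKINIT for sudo alone, list only the service-scoped entry as in
           the page's example.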
1198
1199   SUDO configuration options
1200       These options can be used to configure the sudo service. The detailed
1201       instructions for configuration of sudo(8) to work with sssd(8) are in
1202       the manual page sssd-sudo(5).
1203
1204       sudo_timed (bool)
1205           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1206           attributes that implement time-dependent sudoers entries.
1207
1208           Default: false
1209
1210       sudo_threshold (integer)
1211           Maximum number of expired rules that can be refreshed at once. If
1212           number of expired rules is below threshold, those rules are
1213           refreshed with “rules refresh” mechanism. If the threshold is
1214           exceeded a “full refresh” of sudo rules is triggered instead. This
1215           threshold number also applies to IPA sudo command and command group
1216           searches.
1217
1218           Default: 50
1219
1220   AUTOFS configuration options
1221       These options can be used to configure the autofs service.
1222
1223       autofs_negative_timeout (integer)
1224           Specifies for how many seconds the autofs responder should
1225           negatively cache hits (that is, queries for invalid map entries,
1226           such as nonexistent ones) before asking the back end again.
1227
1228           Default: 15
1229
1230       Please note that the automounter only reads the master map on startup,
1231       so if any autofs-related changes are made to the sssd.conf, you
1232       typically also need to restart the automounter daemon after restarting
1233       the SSSD.
1234
1235   SSH configuration options
1236       These options can be used to configure the SSH service.
1237
1238       ssh_hash_known_hosts (bool)
1239           Whether or not to hash host names and addresses in the managed
1240           known_hosts file.
1241
1242           Default: false
1243
1244       ssh_known_hosts_timeout (integer)
1245           How many seconds to keep a host in the managed known_hosts file
1246           after its host keys were requested.
1247
1248           Default: 180
1249
1250       ssh_use_certificate_keys (bool)
1251           If set to true the sss_ssh_authorizedkeys will return ssh keys
1252           derived from the public key of X.509 certificates stored in the
1253           user entry as well. See sss_ssh_authorizedkeys(1) for details.
1254
1255           Default: true
1256
1257       ssh_use_certificate_matching_rules (string)
1258           By default the ssh responder will use all available certificate
1259           matching rules to filter the certificates so that ssh keys are only
1260           derived from the matching ones. With this option the used rules can
1261           be restricted with a comma separated list of mapping and matching
1262           rule names. All other rules will be ignored.
1263
1264           There are two special key words 'all_rules' and 'no_rules' which
1265           will enable all or no rules, respectively. The latter means that no
1266           certificates will be filtered out and ssh keys will be generated
1267           from all valid certificates.
1268
1269           If no rules are configured using 'all_rules' will enable a default
1270           rule which enables all certificates suitable for client
1271           authentication. This is the same behavior as for the PAM responder
1272           if certificate authentication is enabled.
1273
1274           A non-existing rule name is considered an error. If as a result no
1275           rule is selected all certificates will be ignored.
1276
1277           Default: not set, equivalent to 'all_rules', all found rules or the
1278           default rule are used
1279
1280       ca_db (string)
1281           Path to a storage of trusted CA certificates. The option is used to
1282           validate user certificates before deriving public ssh keys from
1283           them.
1284
1285           Default:
1286
1287           •   /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1288               CA certificates in PEM format)
1289
1290
1291   PAC responder configuration options
1292       The PAC responder works together with the authorization data plugin for
1293       MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1294       sends the PAC data during a GSSAPI authentication to the PAC responder.
1295       The sub-domain provider collects domain SID and ID ranges of the domain
1296       the client is joined to and of remote trusted domains from the local
1297       domain controller. If the PAC is decoded and evaluated some of the
1298       following operations are done:
1299
1300       •   If the remote user does not exist in the cache, it is created. The
1301           UID is determined with the help of the SID, trusted domains will
1302           have UPGs and the GID will have the same value as the UID. The home
1303           directory is set based on the subdomain_homedir parameter. The
1304           shell will be empty by default, i.e. the system defaults are used,
1305           but can be overwritten with the default_shell parameter.
1306
1307       •   If there are SIDs of groups from domains sssd knows about, the user
1308           will be added to those groups.
1309
1310       These options can be used to configure the PAC responder.
1311
1312       allowed_uids (string)
1313           Specifies the comma-separated list of UID values or user names that
1314           are allowed to access the PAC responder. User names are resolved to
1315           UIDs at startup.
1316
1317           Default: 0 (only the root user is allowed to access the PAC
1318           responder)
1319
1320           Please note that although the UID 0 is used as the default it will
1321           be overwritten with this option. If you still want to allow the
1322           root user to access the PAC responder, which would be the typical
1323           case, you have to add 0 to the list of allowed UIDs as well.
1324
1325       pac_lifetime (integer)
1326           Lifetime of the PAC entry in seconds. As long as the PAC is valid
1327           the PAC data can be used to determine the group memberships of a
1328           user.
1329
1330           Default: 300
1331
1332       pac_check (string)
1333           Apply additional checks on the PAC of the Kerberos ticket which is
1334           available in Active Directory and FreeIPA domains, if configured.
1335           Please note that Kerberos ticket validation must be enabled to be
1336           able to check the PAC, i.e. the krb5_validate option must be set to
1337           'True' which is the default for the IPA and AD provider. If
1338           krb5_validate is set to 'False' the PAC checks will be skipped.
1339
1340           The following options can be used alone or in a comma-separated
1341           list:
1342
1343           no_check
1344               The PAC need not be present, and even if it is present no
1345               additional checks will be done.
1346
1347           pac_present
1348               The PAC must be present in the service ticket which SSSD will
1349               request with the help of the user's TGT. If the PAC is not
1350               available the authentication will fail.
1351
1352           check_upn
1353               If the PAC is present check if the user principal name (UPN)
1354               information is consistent.
1355
1356           check_upn_allow_missing
1357               This option should be used together with 'check_upn' and
1358               handles the case where a UPN is set on the server side but is
1359               not read by SSSD. The typical example is a FreeIPA domain where
1360               'ldap_user_principal' is set to a non-existent attribute name.
1361               This was typically done to work around issues in the handling
1362               of enterprise principals. Those issues have been fixed for
1363               quite some time, FreeIPA handles enterprise principals just
1364               fine, and there is no longer any need to set
1365               'ldap_user_principal'.
1366
1367               Currently this option is set by default to avoid regressions in
1368               such environments. A log message will be added to the system
1369               log and SSSD's debug log in case a UPN is found in the PAC but
1370               not in SSSD's cache. To avoid this log message it would be best
1371               to evaluate whether the 'ldap_user_principal' option can be
1372               removed. If this is not possible, removing 'check_upn' will
1373               skip the test and avoid the log message.
1373
1374           upn_dns_info_present
1375               The PAC must contain the UPN-DNS-INFO buffer, implies
1376               'check_upn'.
1377
1378           check_upn_dns_info_ex
1379               If the PAC is present and the extension to the UPN-DNS-INFO
1380               buffer is available check if the information in the extension
1381               is consistent.
1382
1383           upn_dns_info_ex_present
1384               The PAC must contain the extension of the UPN-DNS-INFO buffer,
1385               implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
1386               'check_upn'.
1387
1388           Default: no_check (AD and IPA provider 'check_upn,
1389           check_upn_allow_missing, check_upn_dns_info_ex')
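
           The pac_check keywords above imply one another
           (upn_dns_info_ex_present pulls in three further checks) and
           their outcome depends on what the PAC carries and on what SSSD
           has cached for the user. The following is an added example, not
           SSSD's own code: it expands a pac_check value, including the
           implied options, and runs the resulting checks over a PAC
           represented as a plain dict. The dict layout (a 'logon' part with
           account name and SID, and a 'upn_dns_info' part with the UPN and
           an optional 'ex' extension), the case-insensitive UPN comparison
           and the form of the "consistency" comparison for the extension
           are assumptions made for the illustration; the real PAC is an
           NDR-encoded structure.

```python
from __future__ import annotations

from typing import Optional

KNOWN = {"no_check", "pac_present", "check_upn", "check_upn_allow_missing",
         "upn_dns_info_present", "check_upn_dns_info_ex", "upn_dns_info_ex_present"}
IMPLIES = {
    "upn_dns_info_present": {"check_upn"},
    "upn_dns_info_ex_present": {"check_upn_dns_info_ex", "upn_dns_info_present", "check_upn"},
}
DEFAULT_AD_IPA = "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"


def expand_pac_check(value: str) -> set[str]:
    """Parse a pac_check value and add the options each keyword implies."""
    opts = {o.strip() for o in value.split(",") if o.strip()}
    unknown = opts - KNOWN
    if unknown:
        raise ValueError(f"unknown pac_check option(s): {sorted(unknown)}")
    for opt in list(opts):
        opts |= IMPLIES.get(opt, set())
    return opts


def evaluate_pac(checks: set[str], pac: Optional[dict], cached_upn: Optional[str],
                 krb5_validate: bool = True, log: Optional[list[str]] = None) -> bool:
    """Apply the expanded pac_check options; True means authentication may continue.

    pac is None when the service ticket carried no PAC.  cached_upn is the
    UPN SSSD has for the user, or None when it never read one (the
    check_upn_allow_missing case).
    """
    if log is None:
        log = []
    if not krb5_validate:
        log.append("krb5_validate is False: PAC checks skipped")
        return True
    if "no_check" in checks:
        return True
    if pac is None:
        return "pac_present" not in checks      # only pac_present insists on a PAC
    info = pac.get("upn_dns_info")
    if "upn_dns_info_present" in checks and info is None:
        return False
    pac_upn = info.get("upn") if info else None
    if "check_upn" in checks and pac_upn is not None:
        if cached_upn is None:
            if "check_upn_allow_missing" not in checks:
                return False
            log.append(f"UPN {pac_upn} found in PAC but not in SSSD's cache")
        elif pac_upn.lower() != cached_upn.lower():
            return False
    ext = info.get("ex") if info else None
    if "upn_dns_info_ex_present" in checks and ext is None:
        return False
    if "check_upn_dns_info_ex" in checks and ext is not None:
        # Modelled consistency check: the extension's account name and SID
        # must agree with the logon information elsewhere in the PAC.
        logon = pac.get("logon", {})
        if ext.get("sam_name") != logon.get("sam_name") or ext.get("sid") != logon.get("sid"):
            return False
    return True


# Constructed PAC for the demonstration.
EXAMPLE_PAC = {
    "logon": {"sam_name": "alice", "sid": "S-1-5-21-1-2-3-1104"},
    "upn_dns_info": {
        "upn": "alice@EXAMPLE.TEST",
        "ex": {"sam_name": "alice", "sid": "S-1-5-21-1-2-3-1104"},
    },
}

if __name__ == "__main__":
    checks = expand_pac_check(DEFAULT_AD_IPA)
    log: list[str] = []
    print(evaluate_pac(checks, EXAMPLE_PAC, "alice@EXAMPLE.TEST"))        # True
    print(evaluate_pac(checks, EXAMPLE_PAC, "bob@EXAMPLE.TEST"))          # False
    print(evaluate_pac(checks, EXAMPLE_PAC, None, log=log), log)          # True, logged
```

           Two behaviours worth keeping in mind when hardening: the shipped
           AD/IPA default passes a ticket whose PAC UPN SSSD never cached
           (it only logs), and every check is skipped as soon as
           krb5_validate is False, so disabling ticket validation silently
           disables pac_check as well.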
1390
1391   Session recording configuration options
1392       Session recording works in conjunction with tlog-rec-session(8), a part
1393       of tlog package, to log what users see and type when they log in on a
1394       text terminal. See also sssd-session-recording(5).
1395
1396       These options can be used to configure session recording.
1397
1398       scope (string)
1399           One of the following strings specifying the scope of session
1400           recording:
1401
1402           "none"
1403               No users are recorded.
1404
1405           "some"
1406               Users/groups specified by users and groups options are
1407               recorded.
1408
1409           "all"
1410               All users are recorded.
1411
1412           Default: "none"
1413
1414       users (string)
1415           A comma-separated list of users which should have session recording
1416           enabled. Matches user names as returned by NSS, i.e. after the
1417           possible space replacement, case changes, etc.
1418
1419           Default: Empty. Matches no users.
1420
1421       groups (string)
1422           A comma-separated list of groups, members of which should have
1423           session recording enabled. Matches group names as returned by NSS,
1424           i.e. after the possible space replacement, case changes, etc.
1425
1426           NOTE: using this option (having it set to anything) has a
1427           considerable performance cost, because each uncached request for a
1428           user requires retrieving and matching the groups the user is member
1429           of.
1430
1431           Default: Empty. Matches no groups.
1432
1433       exclude_users (string)
1434           A comma-separated list of users to be excluded from recording, only
1435           applicable with 'scope=all'.
1436
1437           Default: Empty. No users excluded.
1438
1439       exclude_groups (string)
1440           A comma-separated list of groups, members of which should be
1441           excluded from recording. Only applicable with 'scope=all'.
1442
1443           NOTE: using this option (having it set to anything) has a
1444           considerable performance cost, because each uncached request for a
1445           user requires retrieving and matching the groups the user is member
1446           of.
1447
1448           Default: Empty. No groups excluded.
1449
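The decision the options above describe, written out as an added example (this is not SSSD's own code). It encodes the documented semantics: scope=none records nobody, scope=some records users listed in users or members of groups, and scope=all records everyone except exclude_users and members of exclude_groups. The group lookup is passed in as a callable standing in for NSS, so the example can also show that the costly membership lookup the NOTE warns about is only made when a group option is actually set.

```python
"""Decision logic for the [session_recording] options: an added example, not
SSSD's own code. The NSS group lookup is a caller-supplied callable so that the
cost described in the man page (membership retrieval) is visible as a call that
happens only when `groups` or `exclude_groups` is configured."""

from dataclasses import dataclass


def split_list(value):
    """Parse a comma-separated sssd.conf value into a set of names ("" -> empty set)."""
    return {item.strip() for item in value.split(",") if item.strip()}


@dataclass
class SessionRecordingConfig:
    """The [session_recording] options, with the documented defaults."""
    scope: str = "none"
    users: str = ""
    groups: str = ""
    exclude_users: str = ""
    exclude_groups: str = ""


def should_record(cfg, user, lookup_groups):
    """Return True if `user` (a name as NSS returns it) gets session recording.

    `lookup_groups(user)` returns the user's group names. It is only called when
    a group list is configured, mirroring the performance note in the man page.
    """
    if cfg.scope == "none":
        return False

    if cfg.scope == "some":
        if user in split_list(cfg.users):
            return True
        wanted = split_list(cfg.groups)
        return bool(wanted) and bool(wanted & set(lookup_groups(user)))

    if cfg.scope == "all":
        # exclude_* lists are consulted only with scope=all
        if user in split_list(cfg.exclude_users):
            return False
        excluded = split_list(cfg.exclude_groups)
        return not (excluded and excluded & set(lookup_groups(user)))

    raise ValueError(f"unknown session_recording scope: {cfg.scope!r}")
```

With scope=some and only users set, no group lookup is made at all; with scope=all, the exclude lists are the only thing that can switch recording off for a user.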

DOMAIN SECTIONS

1451       These configuration options can be present in a domain configuration
1452       section, that is, in a section called “[domain/NAME]”.
1453
1454       enabled
1455           Explicitly enable or disable the domain. If “true”, the domain is
1456           always “enabled”. If “false”, the domain is always “disabled”. If
1457           this option is not set, the domain is enabled only if it is listed
1458           in the domains option in the “[sssd]” section.
1459
1460       domain_type (string)
1461           Specifies whether the domain is meant to be used by POSIX-aware
1462           clients such as the Name Service Switch or by applications that do
1463           not need POSIX data to be present or generated. Only objects from
1464           POSIX domains are available to the operating system interfaces and
1465           utilities.
1466
1467           Allowed values for this option are “posix” and “application”.
1468
1469           POSIX domains are reachable by all services. Application domains
1470           are only reachable from the InfoPipe responder (see sssd-ifp(5))
1471           and the PAM responder.
1472
1473           NOTE: The application domains are currently well tested with
1474           “id_provider=ldap” only.
1475
1476           For an easy way to configure a non-POSIX domain, please see the
1477           “Application domains” section.
1478
1479           Default: posix
1480
1481       min_id,max_id (integer)
1482           UID and GID limits for the domain. If a domain contains an entry
1483           that is outside these limits, it is ignored.
1484
1485           For users, this affects the primary GID limit. The user will not be
1486           returned to NSS if either the UID or the primary GID is outside the
1487           range. For non-primary group memberships, those that are in range
1488           will be reported as expected.
1489
1490           These ID limits affect even saving entries to cache, not only
1491           returning them by name or ID.
1492
1493           Default: 1 for min_id, 0 (no limit) for max_id
1494
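The min_id/max_id rules above, applied to constructed sample entries as an added example (not SSSD code): a user is dropped when either the UID or the primary GID falls outside the range, while out-of-range secondary groups are simply omitted from the membership list. The max_id value 0 is treated as "no upper limit", as documented.

```python
"""Worked example of the min_id/max_id limits. Added illustration, not SSSD
code; the User entries below are constructed sample data."""

from dataclasses import dataclass


@dataclass
class User:
    name: str
    uid: int
    gid: int          # primary GID
    groups: tuple     # (group name, gid) pairs for non-primary memberships


def in_range(id_number, min_id=1, max_id=0):
    """Documented defaults: min_id 1, max_id 0 meaning no upper limit."""
    if id_number < min_id:
        return False
    return max_id == 0 or id_number <= max_id


def filter_user(user, min_id=1, max_id=0):
    """Return the user as it would be reported to NSS, or None if it is ignored.

    Both the UID and the primary GID must be in range. Secondary groups whose
    GID is out of range are dropped; in-range ones are reported as expected.
    """
    if not (in_range(user.uid, min_id, max_id) and in_range(user.gid, min_id, max_id)):
        return None
    kept = tuple(g for g in user.groups if in_range(g[1], min_id, max_id))
    return User(user.name, user.uid, user.gid, kept)
```

Note that the same limits apply when SSSD saves entries to its cache, so an entry rejected here never reaches the cache either.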
1495       enumerate (bool)
1496           Determines if a domain can be enumerated, that is, whether the
1497           domain can list all the users and groups it contains. Note that it
1498           is not required to enable enumeration in order for secondary groups
1499           to be displayed. This parameter can have one of the following
1500           values:
1501
1502           TRUE = Users and groups are enumerated
1503
1504           FALSE = No enumerations for this domain
1505
1506           Default: FALSE
1507
1508           Enumerating a domain requires SSSD to download and store ALL user
1509           and group entries from the remote server.
1510
1511           Note: Enabling enumeration has a moderate performance impact on
1512           SSSD while enumeration is running. It may take up to several
1513           minutes after SSSD startup to fully complete enumerations. During
1514           this time, individual requests for information will go directly to
1515           LDAP, though it may be slow, due to the heavy enumeration
1516           processing. Saving a large number of entries to cache after the
1517           enumeration completes might also be CPU intensive as the
1518           memberships have to be recomputed. This can lead to the “sssd_be”
1519           process becoming unresponsive or even restarted by the internal
1520           watchdog.
1521
1522           While the first enumeration is running, requests for the complete
1523           user or group lists may return no results until it completes.
1524
1525           Further, enabling enumeration may increase the time necessary to
1526           detect network disconnection, as longer timeouts are required to
1527           ensure that enumeration lookups are completed successfully. For
1528           more information, refer to the man pages for the specific
1529           id_provider in use.
1530
1531           For the reasons cited above, enabling enumeration is not
1532           recommended, especially in large environments.
1533
1534       subdomain_enumerate (string)
1535           Whether any of the autodetected trusted domains should be enumerated.
1536           The supported values are:
1537
1538           all
1539               All discovered trusted domains will be enumerated
1540
1541           none
1542               No discovered trusted domains will be enumerated
1543
1544           Optionally, a list of one or more domain names can enable
1545           enumeration just for these trusted domains.
1546
1547           Default: none
1548
1549       entry_cache_timeout (integer)
1550           How many seconds should nss_sss consider entries valid before
1551           asking the backend again
1552
1553           The cache expiration timestamps are stored as attributes of
1554           individual objects in the cache. Therefore, changing the cache
1555           timeout only has effect for newly added or expired entries. You
1556           should run the sss_cache(8) tool in order to force refresh of
1557           entries that have already been cached.
1558
1559           Default: 5400
1560
1561       entry_cache_user_timeout (integer)
1562           How many seconds should nss_sss consider user entries valid before
1563           asking the backend again
1564
1565           Default: entry_cache_timeout
1566
1567       entry_cache_group_timeout (integer)
1568           How many seconds should nss_sss consider group entries valid before
1569           asking the backend again
1570
1571           Default: entry_cache_timeout
1572
1573       entry_cache_netgroup_timeout (integer)
1574           How many seconds should nss_sss consider netgroup entries valid
1575           before asking the backend again
1576
1577           Default: entry_cache_timeout
1578
1579       entry_cache_service_timeout (integer)
1580           How many seconds should nss_sss consider service entries valid
1581           before asking the backend again
1582
1583           Default: entry_cache_timeout
1584
1585       entry_cache_resolver_timeout (integer)
1586           How many seconds should nss_sss consider hosts and networks entries
1587           valid before asking the backend again
1588
1589           Default: entry_cache_timeout
1590
1591       entry_cache_sudo_timeout (integer)
1592           How many seconds should sudo consider rules valid before asking the
1593           backend again
1594
1595           Default: entry_cache_timeout
1596
1597       entry_cache_autofs_timeout (integer)
1598           How many seconds should the autofs service consider automounter
1599           maps valid before asking the backend again
1600
1601           Default: entry_cache_timeout
1602
1603       entry_cache_ssh_host_timeout (integer)
1604           How many seconds to keep a host ssh key after refresh, i.e. how long
1605           to cache the host key for.
1606
1607           Default: entry_cache_timeout
1608
1609       entry_cache_computer_timeout (integer)
1610           How many seconds to keep the local computer entry before asking the
1611           backend again
1612
1613           Default: entry_cache_timeout
1614
1615       refresh_expired_interval (integer)
1616           Specifies how many seconds SSSD has to wait before triggering a
1617           background refresh task which will refresh all expired or nearly
1618           expired records.
1619
1620           The background refresh will process users, groups and netgroups in
1621           the cache. For users who have performed the initgroups (get group
1622           membership for user, typically run at login) operation in the past,
1623           both the user entry and the group membership are updated.
1624
1625           This option is automatically inherited for all trusted domains.
1626
1627           You can consider setting this value to 3/4 * entry_cache_timeout.
1628
1629           Cache entry will be refreshed by background task when 2/3 of cache
1630           timeout has already passed. If there are existing cached entries,
1631           the background task will refer to their original cache timeout
1632           values instead of current configuration value. This may lead to a
1633           situation in which background refresh task appears to not be
1634           working. This is done by design to improve offline mode operation
1635           and reuse of existing valid cache entries. To make this change
1636           instant, the user may want to manually invalidate the existing cache.
1637
1638           Default: 0 (disabled)
1639
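A small simulation of the background refresh behaviour described above, added here as an illustration (not SSSD code). Each cached entry carries the timeout it was saved with; the refresh task considers an entry due once 2/3 of that stored timeout has elapsed. That is why lowering entry_cache_timeout does not make already-cached entries refresh sooner until they are re-saved or invalidated with sss_cache(8).

```python
"""Simulation of refresh_expired_interval semantics: an added example, not SSSD
code. Timestamps are plain integers (seconds) so the run is deterministic."""

from dataclasses import dataclass


@dataclass
class CacheEntry:
    name: str
    saved_at: int   # when the entry was written to the cache
    timeout: int    # entry_cache_timeout in effect at that moment

    @property
    def expire_at(self):
        return self.saved_at + self.timeout

    def refresh_due(self, now):
        # due once two thirds of the entry's *own* timeout has passed
        return now - self.saved_at >= (2 * self.timeout) // 3


def run_refresh_task(entries, now, current_timeout):
    """One run of the background task: re-save every due entry under the
    current configuration and return the names that were refreshed."""
    refreshed = []
    for entry in entries:
        if entry.refresh_due(now):
            entry.saved_at = now
            entry.timeout = current_timeout
            refreshed.append(entry.name)
    return refreshed


def suggested_refresh_interval(entry_cache_timeout):
    """The value the man page suggests: 3/4 of entry_cache_timeout."""
    return (3 * entry_cache_timeout) // 4
```

In the scenario in the test, an entry cached under the default 5400 seconds is not touched by a run at t=1000 even though the timeout has meanwhile been lowered to 600; an entry saved after the change is refreshed after 400 seconds, the old one only at t=3600.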
1640       cache_credentials (bool)
1641           Determines if user credentials are also cached in the local LDB
1642           cache
1643
1644           User credentials are stored in a SHA512 hash, not in plaintext
1645
1646           Default: FALSE
1647
1648       cache_credentials_minimal_first_factor_length (int)
1649           If 2-Factor-Authentication (2FA) is used and credentials should be
1650           saved this value determines the minimal length the first
1651           authentication factor (long term password) must have to be saved as
1652           SHA512 hash into the cache.
1653
1654           This should prevent the short PINs of a PIN-based 2FA scheme from
1655           being saved in the cache, which would make them easy targets for
1656           brute-force attacks.
1657
1658           Default: 8
1659
1660       account_cache_expiration (integer)
1661           Number of days entries are left in cache after last successful
1662           login before being removed during a cleanup of the cache. 0 means
1663           keep forever. The value of this parameter must be greater than or
1664           equal to offline_credentials_expiration.
1665
1666           Default: 0 (unlimited)
1667
1668       pwd_expiration_warning (integer)
1669           Display a warning N days before the password expires.
1670
1671           If zero is set, then this filter is not applied, i.e. if the
1672           expiration warning was received from backend server, it will
1673           automatically be displayed.
1674
1675           Please note that the backend server has to provide information
1676           about the expiration time of the password. If this information is
1677           missing, sssd cannot display a warning. Also an auth provider has
1678           to be configured for the backend.
1679
1680           Default: 7 (Kerberos), 0 (LDAP)
1681
1682       id_provider (string)
1683           The identification provider used for the domain. Supported ID
1684           providers are:
1685
1686           “proxy”: Support a legacy NSS provider.
1687
1688           “files”: FILES provider. See sssd-files(5) for more information on
1689           how to mirror local users and groups into SSSD.
1690
1691           “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1692           configuring LDAP.
1693
1694           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1695           See sssd-ipa(5) for more information on configuring FreeIPA.
1696
1697           “ad”: Active Directory provider. See sssd-ad(5) for more
1698           information on configuring Active Directory.
1699
1700       use_fully_qualified_names (bool)
1701           Use the full name and domain (as formatted by the domain's
1702           full_name_format) as the user's login name reported to NSS.
1703
1704           If set to TRUE, all requests to this domain must use fully
1705           qualified names. For example, if used in LOCAL domain that contains
1706           a "test" user, getent passwd test wouldn't find the user while
1707           getent passwd test@LOCAL would.
1708
1709           NOTE: This option has no effect on netgroup lookups due to their
1710           tendency to include nested netgroups without qualified names. For
1711           netgroups, all domains will be searched when an unqualified name is
1712           requested.
1713
1714           Default: FALSE (TRUE for trusted domain/sub-domains or if
1715           default_domain_suffix is used)
1716
1717       ignore_group_members (bool)
1718           Do not return group members for group lookups.
1719
1720           If set to TRUE, the group membership attribute is not requested
1721           from the ldap server, and group members are not returned when
1722           processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1723           As an effect, “getent group $groupname” would return the requested
1724           group as if it was empty.
1725
1726           Enabling this option can also make access provider checks for group
1727           membership significantly faster, especially for groups containing
1728           many members.
1729
1730           This option can also be set per subdomain or inherited via
1731           subdomain_inherit.
1732
1733           Default: FALSE
1734
1735       auth_provider (string)
1736           The authentication provider used for the domain. Supported auth
1737           providers are:
1738
1739           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1740           information on configuring LDAP.
1741
1742           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1743           information on configuring Kerberos.
1744
1745           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1746           See sssd-ipa(5) for more information on configuring FreeIPA.
1747
1748           “ad”: Active Directory provider. See sssd-ad(5) for more
1749           information on configuring Active Directory.
1750
1751           “proxy” for relaying authentication to some other PAM target.
1752
1753           “none” disables authentication explicitly.
1754
1755           Default: “id_provider” is used if it is set and can handle
1756           authentication requests.
1757
1758       access_provider (string)
1759           The access control provider used for the domain. There are two
1760           built-in access providers (in addition to any included in installed
1761           backends). The internal special providers are:
1762
1763           “permit” always allow access. It's the only permitted access
1764           provider for a local domain.
1765
1766           “deny” always deny access.
1767
1768           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1769           information on configuring LDAP.
1770
1771           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1772           See sssd-ipa(5) for more information on configuring FreeIPA.
1773
1774           “ad”: Active Directory provider. See sssd-ad(5) for more
1775           information on configuring Active Directory.
1776
1777           “simple” access control based on access or deny lists. See sssd-
1778           simple(5) for more information on configuring the simple access
1779           module.
1780
1781           “krb5”: .k5login based access control. See sssd-krb5(5) for more
1782           information on configuring Kerberos.
1783
1784           “proxy” for relaying access control to another PAM module.
1785
1786           Default: “permit”
1787
1788       chpass_provider (string)
1789           The provider which should handle change password operations for the
1790           domain. Supported change password providers are:
1791
1792           “ldap” to change a password stored in a LDAP server. See sssd-
1793           ldap(5) for more information on configuring LDAP.
1794
1795           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1796           information on configuring Kerberos.
1797
1798           “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1799           See sssd-ipa(5) for more information on configuring FreeIPA.
1800
1801           “ad”: Active Directory provider. See sssd-ad(5) for more
1802           information on configuring Active Directory.
1803
1804           “proxy” for relaying password changes to some other PAM target.
1805
1806           “none” disallows password changes explicitly.
1807
1808           Default: “auth_provider” is used if it is set and can handle change
1809           password requests.
1810
1811       sudo_provider (string)
1812           The SUDO provider used for the domain. Supported SUDO providers
1813           are:
1814
1815           “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1816           information on configuring LDAP.
1817
1818           “ipa” the same as “ldap” but with IPA default settings.
1819
1820           “ad” the same as “ldap” but with AD default settings.
1821
1822           “none” disables SUDO explicitly.
1823
1824           Default: The value of “id_provider” is used if it is set.
1825
1826           The detailed instructions for configuration of sudo_provider are in
1827           the manual page sssd-sudo(5). There are many configuration options
1828           that can be used to adjust the behavior. Please refer to
1829           "ldap_sudo_*" in sssd-ldap(5).
1830
1831           NOTE: Sudo rules are periodically downloaded in the background
1832           unless the sudo provider is explicitly disabled. Set sudo_provider
1833           = None to disable all sudo-related activity in SSSD if you do not
1834           want to use sudo with SSSD at all.
1835
1836       selinux_provider (string)
1837           The provider which should handle loading of selinux settings. Note
1838           that this provider will be called right after access provider ends.
1839           Supported selinux providers are:
1840
1841           “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1842           for more information on configuring IPA.
1843
1844           “none” disallows fetching selinux settings explicitly.
1845
1846           Default: “id_provider” is used if it is set and can handle selinux
1847           loading requests.
1848
1849       subdomains_provider (string)
1850           The provider which should handle fetching of subdomains. This value
1851           should be always the same as id_provider. Supported subdomain
1852           providers are:
1853
1854           “ipa” to load a list of subdomains from an IPA server. See sssd-
1855           ipa(5) for more information on configuring IPA.
1856
1857           “ad” to load a list of subdomains from an Active Directory server.
1858           See sssd-ad(5) for more information on configuring the AD provider.
1859
1860           “none” disallows fetching subdomains explicitly.
1861
1862           Default: The value of “id_provider” is used if it is set.
1863
1864       session_provider (string)
1865           The provider which configures and manages user session related
1866           tasks. The only user session task currently provided is the
1867           integration with Fleet Commander, which works only with IPA.
1868           Supported session providers are:
1869
1870           “ipa” to allow performing user session related tasks.
1871
1872           “none” does not perform any kind of user session related tasks.
1873
1874           Default: “id_provider” is used if it is set and can perform session
1875           related tasks.
1876
1877           NOTE: In order to have this feature working as expected SSSD must
1878           be running as "root" and not as the unprivileged user.
1879
1880       autofs_provider (string)
1881           The autofs provider used for the domain. Supported autofs providers
1882           are:
1883
1884           “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1885           information on configuring LDAP.
1886
1887           “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1888           more information on configuring IPA.
1889
1890           “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1891           information on configuring the AD provider.
1892
1893           “none” disables autofs explicitly.
1894
1895           Default: The value of “id_provider” is used if it is set.
1896
1897       hostid_provider (string)
1898           The provider used for retrieving host identity information.
1899           Supported hostid providers are:
1900
1901           “ipa” to load host identity stored in an IPA server. See sssd-
1902           ipa(5) for more information on configuring IPA.
1903
1904           “none” disables hostid explicitly.
1905
1906           Default: The value of “id_provider” is used if it is set.
1907
1908       resolver_provider (string)
1909           The provider which should handle hosts and networks lookups.
1910           Supported resolver providers are:
1911
1912           “proxy” to forward lookups to another NSS library. See
1913           “proxy_resolver_lib_name”
1914
1915           “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1916           for more information on configuring LDAP.
1917
1918           “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1919           more information on configuring the AD provider.
1920
1921           “none” disallows fetching hosts and networks explicitly.
1922
1923           Default: The value of “id_provider” is used if it is set.
1924
1925       re_expression (string)
1926           Regular expression for this domain that describes how to parse the
1927           string containing user name and domain into these components. The
1928           "domain" can match either the SSSD configuration domain name, or,
1929           in the case of IPA trust subdomains and Active Directory domains,
1930           the flat (NetBIOS) name of the domain.
1931
1932           Default for the AD and IPA provider:
1933           “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>.+)@(?P<domain>[^@]+$))|(^(?P<name>[^@\\]+)$))”
1934           which allows three different styles for user names:
1935
1936           •   username
1937
1938           •   username@domain.name
1939
1940           •   domain\username
1941
1942           While the first two correspond to the general default the third one
1943           is introduced to allow easy integration of users from Windows
1944           domains.
1945
1946           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
1947           "the name is everything up to the “@” sign, the domain everything
1948           after that"
1949
1950       full_name_format (string)
1951           A printf(3)-compatible format that describes how to compose a fully
1952           qualified name from user name and domain name components.
1953
1954           The following expansions are supported:
1955
1956           %1$s
1957               user name
1958
1959           %2$s
1960               domain name as specified in the SSSD config file.
1961
1962           %3$s
1963               domain flat name. Mostly usable for Active Directory domains,
1964               both directly configured or discovered via IPA trusts.
1965
1966           Default: “%1$s@%2$s”.
1967
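How the two re_expression defaults above split a login string, and how full_name_format composes the qualified name again, as an added example (not SSSD code). Python's re module rejects a pattern that reuses a group name, so the AD/IPA default is applied here as its three alternatives tried in order; with this input set the result matches a single left-to-right alternation, which is an assumption about SSSD's regex engine rather than a guarantee.

```python
"""Added example, not SSSD code: parse user@domain / domain\\user strings with
the documented re_expression defaults and rebuild them with full_name_format."""

import re

# Generic default: name is everything up to "@", domain everything after it.
DEFAULT_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# AD/IPA default, one compiled pattern per alternative, tried left to right
# (Python's re does not allow the same group name in several alternatives).
AD_IPA_ALTERNATIVES = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),  # domain\username
    re.compile(r"(?P<name>.+)@(?P<domain>[^@]+$)"),    # username@domain.name
    re.compile(r"^(?P<name>[^@\\]+)$"),                # bare username
]


def parse_name(raw, ad_ipa=False):
    """Return (name, domain); domain is "" when the input carried none."""
    patterns = AD_IPA_ALTERNATIVES if ad_ipa else [DEFAULT_RE]
    for pattern in patterns:
        match = pattern.match(raw)
        if match:
            groups = match.groupdict()
            return groups["name"], groups.get("domain") or ""
    raise ValueError(f"{raw!r} does not match re_expression")


def full_name(name, domain, flat="", fmt="%1$s@%2$s"):
    """Expand the positional printf arguments documented for full_name_format:
    %1$s user name, %2$s configured domain name, %3$s domain flat name."""
    return fmt.replace("%1$s", name).replace("%2$s", domain).replace("%3$s", flat)
```

A string with two "@" signs matches neither default and raises, which is the behaviour to expect from SSSD as well: the name is rejected rather than guessed.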
1968       lookup_family_order (string)
1969           Provides the ability to select preferred address family to use when
1970           performing DNS lookups.
1971
1972           Supported values:
1973
1974           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
1975
1976           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1977
1978           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
1979
1980           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1981
1982           Default: ipv4_first
1983
1984       dns_resolver_server_timeout (integer)
1985           Defines the amount of time (in milliseconds) SSSD would try to talk
1986           to DNS server before trying next DNS server.
1987
1988           The AD provider will use this option for the CLDAP ping timeouts as
1989           well.
1990
1991           Please see the section “FAILOVER” for more information about the
1992           service resolution.
1993
1994           Default: 1000
1995
1996       dns_resolver_op_timeout (integer)
1997           Defines the amount of time (in seconds) to wait to resolve single
1998           DNS query (e.g. resolution of a hostname or an SRV record) before
1999           trying the next hostname or DNS discovery.
2000
2001           Please see the section “FAILOVER” for more information about the
2002           service resolution.
2003
2004           Default: 3
2005
2006       dns_resolver_timeout (integer)
2007           Defines the amount of time (in seconds) to wait for a reply from
2008           the internal fail over service before assuming that the service is
2009           unreachable. If this timeout is reached, the domain will continue
2010           to operate in offline mode.
2011
2012           Please see the section “FAILOVER” for more information about the
2013           service resolution.
2014
2015           Default: 6
2016
2017       dns_resolver_use_search_list (bool)
2018           Normally, the DNS resolver searches the domain list defined in the
2019           "search" directive from the resolv.conf file. This can lead to
2020           delays in environments with improperly configured DNS.
2021
2022           If fully qualified domain names (or _srv_) are used in the SSSD
2023           configuration, setting this option to FALSE can prevent unnecessary
2024           DNS lookups in such environments.
2025
2026           Default: TRUE
2027
2028       dns_discovery_domain (string)
2029           If service discovery is used in the back end, specifies the domain
2030           part of the service discovery DNS query.
2031
2032           Default: Use the domain part of machine's hostname
2033
2034       override_gid (integer)
2035           Override the primary GID value with the one specified.
2036
2037       case_sensitive (string)
2038           Treat user and group names as case sensitive. Possible option
2039           values are:
2040
2041           True
2042               Case sensitive. This value is invalid for the AD provider.
2043
2044           False
2045               Case insensitive.
2046
2047           Preserving
2048               Same as False (case insensitive), but does not lowercase names
2049               in the result of NSS operations. Note that name aliases (and in
2050               case of services also protocol names) are still lowercased in
2051               the output.
2052
2053               If you want to set this value for trusted domain with IPA
2054               provider, you need to set it on both the client and SSSD on the
2055               server.
2056
2057           This option can also be set per subdomain or inherited via
2058           subdomain_inherit.
2059
2060           Default: True (False for AD provider)
2061
2062       subdomain_inherit (string)
2063           Specifies a list of configuration parameters that should be
2064           inherited by a subdomain. Please note that only selected parameters
2065           can be inherited. Currently the following options can be inherited:
2066
2067           ldap_search_timeout
2068
2069           ldap_network_timeout
2070
2071           ldap_opt_timeout
2072
2073           ldap_offline_timeout
2074
2075           ldap_enumeration_refresh_timeout
2076
2077           ldap_enumeration_refresh_offset
2078
2079           ldap_purge_cache_timeout
2080
2081           ldap_purge_cache_offset
2082
2083           ldap_krb5_keytab (the value of krb5_keytab will be used if
2084           ldap_krb5_keytab is not set explicitly)
2085
2086           ldap_krb5_ticket_lifetime
2087
2088           ldap_enumeration_search_timeout
2089
2090           ldap_connection_expire_timeout
2091
2092           ldap_connection_expire_offset
2093
2094           ldap_connection_idle_timeout
2095
2096           ldap_use_tokengroups
2097
2098           ldap_user_principal
2099
2100           ignore_group_members
2101
2102           auto_private_groups
2103
2104           case_sensitive
2105
2106           Example:
2107
2108               subdomain_inherit = ldap_purge_cache_timeout
2109
2110
2111           Default: none
2112
2113           Note: This option only works with the IPA and AD provider.
2114
2115       subdomain_homedir (string)
2116           Use this homedir as the default value for all subdomains within this
2117           domain in an IPA-AD trust. See override_homedir for info about
2118           possible values. In addition to those, the expansion below can only
2119           be used with subdomain_homedir.
2120
2121           %F
2122               flat (NetBIOS) name of a subdomain.
2123
2124           The value can be overridden by override_homedir option.
2125
2126           Default: /home/%d/%u
2127
2128       realmd_tags (string)
2129           Various tags stored by the realmd configuration service for this
2130           domain.
2131
2132       cached_auth_timeout (int)
2133           Specifies the time in seconds since the last successful online
2134           authentication for which the user will be authenticated using cached
2135           credentials while SSSD is in online mode. If the credentials
2136           are incorrect, SSSD falls back to online authentication.
2137
2138           This option's value is inherited by all trusted domains. At the
2139           moment it is not possible to set a different value per trusted
2140           domain.
2141
2142           Special value 0 implies that this feature is disabled.
2143
2144           Please note that if “cached_auth_timeout” is longer than
2145           “pam_id_timeout” then the back end could be called to handle
2146           “initgroups.”
2147
2148           Default: 0
2149
2150       auto_private_groups (string)
2151           This option takes any of three available values:
2152
2153           true
2154               Create user's private group unconditionally from user's UID
2155               number. The GID number is ignored in this case.
2156
2157               NOTE: Because the GID number and the user private group are
2158               inferred from the UID number, it is not supported to have
2159               multiple entries with the same UID or GID number with this
2160               option. In other words, enabling this option enforces
2161               uniqueness across the ID space.
2162
2163           false
2164               Always use the user's primary GID number. The GID number must
2165               refer to a group object in the LDAP database.
2166
2167           hybrid
2168               A primary group is autogenerated for user entries whose UID and
2169               GID numbers have the same value and at the same time the GID
2170               number does not correspond to a real group object in LDAP. If
2171               the values are the same, but the primary GID in the user entry
2172               is also used by a group object, the primary GID of the user
2173               resolves to that group object.
2174
2175               If the UID and GID of a user are different, then the GID must
2176               correspond to a group entry, otherwise the GID is simply not
2177               resolvable.
2178
2179               This feature is useful for environments that wish to stop
2180               maintaining separate group objects for the user private
2181               groups, but also wish to retain the existing user private
2182               groups.
2183
2184           For subdomains, the default value is False for subdomains that use
2185           assigned POSIX IDs and True for subdomains that use automatic
2186           ID-mapping.
2187
2188           The value of auto_private_groups can either be set per subdomains
2189           in a subsection, for example:
2190
2191               [domain/forest.domain/sub.domain]
2192               auto_private_groups = false
2193
2194           or globally for all subdomains in the main domain section using the
2195           subdomain_inherit option:
2196
2197               [domain/forest.domain]
2198               subdomain_inherit = auto_private_groups
2199               auto_private_groups = false
2200
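       The three values described above, modelled as an added example that is
       not part of this manual page or of SSSD's own code: the first function
       reproduces the primary-GID resolution rules for one user entry, given
       the user's UID and GID numbers and the set of GIDs that exist as real
       group objects in LDAP, and the second reports the UID/GID collisions
       that the "true" value does not support. The sample IDs and the set of
       existing group GIDs are constructed for the example.

```python
"""Model of auto_private_groups = true / false / hybrid.

Added example, not SSSD source. It reproduces the primary-GID resolution
rules described in sssd.conf(5) for one user entry, given the set of GIDs
that exist as real group objects in LDAP, and reports the ID collisions
that the "true" mode does not support.
"""

# Constructed sample: GIDs of group objects that really exist in LDAP.
LDAP_GROUP_GIDS = frozenset({1000, 2000, 5000})

UNRESOLVABLE = (None, "unresolvable")


def resolve_primary_gid(mode, uid, gid, group_gids=LDAP_GROUP_GIDS):
    """Return (gid, source) for the user's primary group.

    source is "private-group-from-uid" when SSSD would autogenerate the user
    private group, "ldap-group" when the GID resolves to a real group object,
    and "unresolvable" (with gid None) when neither applies.
    """
    mode = str(mode).strip().lower()
    if mode == "true":
        # The private group is inferred from the UID; the GID number is ignored.
        return uid, "private-group-from-uid"
    if mode == "false":
        # The primary GID must refer to a group object in LDAP.
        if gid in group_gids:
            return gid, "ldap-group"
        return UNRESOLVABLE
    if mode == "hybrid":
        # A GID that is used by a real group object always resolves to that
        # group, even when it equals the UID.
        if gid in group_gids:
            return gid, "ldap-group"
        # Otherwise a private group is generated only when UID == GID.
        if uid == gid:
            return gid, "private-group-from-uid"
        # UID != GID and no matching group object: not resolvable.
        return UNRESOLVABLE
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def find_id_collisions(users, group_gids=LDAP_GROUP_GIDS):
    """Report ID-space conflicts for auto_private_groups = true.

    In that mode every UID also becomes the GID of the user's private group,
    so a UID shared by two users, or equal to the GID of an existing group
    object, is a conflict. users is an iterable of (name, uid) pairs.
    """
    findings = []
    owner_of_uid = {}
    for name, uid in users:
        if uid in owner_of_uid:
            findings.append(f"UID {uid} is used by both {owner_of_uid[uid]} and {name}")
        else:
            owner_of_uid[uid] = name
        if uid in group_gids:
            findings.append(f"UID {uid} of {name} collides with the GID of an existing group")
    return findings


if __name__ == "__main__":
    # Constructed sample user entries: (name, uid, gid).
    for name, uid, gid in [("alice", 1000, 1000), ("bob", 1500, 1500), ("carol", 1600, 2000)]:
        for mode in ("true", "false", "hybrid"):
            print(name, mode, resolve_primary_gid(mode, uid, gid))
    for finding in find_id_collisions([("alice", 1000), ("bob", 1500), ("dave", 1500)]):
        print(finding)
```

       Running the collision check against the directory before switching a
       domain to auto_private_groups = true shows which entries would violate
       the uniqueness requirement in the NOTE above.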

       Options valid for proxy domains.

       proxy_pam_target (string)
           The proxy target PAM proxies to.

           Default: Not set by default; you have to take an existing PAM
           configuration or create a new one and add the service name here.

       proxy_lib_name (string)
           The name of the NSS library to use in proxy domains. The NSS
           functions searched for in the library are in the form of
           _nss_$(libName)_$(function), for example _nss_files_getpwent.

       proxy_resolver_lib_name (string)
           The name of the NSS library to use for hosts and networks lookups
           in proxy domains. The NSS functions searched for in the library are
           in the form of _nss_$(libName)_$(function), for example
           _nss_dns_gethostbyname2_r.

       proxy_fast_alias (boolean)
           When a user or group is looked up by name in the proxy provider, a
           second lookup by ID is performed to "canonicalize" the name in case
           the requested name was an alias. Setting this option to true causes
           SSSD to perform the ID lookup from the cache for performance
           reasons.

           Default: false

       proxy_max_children (integer)
           This option specifies the number of pre-forked proxy children. It
           is useful for high-load SSSD environments where sssd may run out of
           available child slots, which would cause some issues due to the
           requests being queued.

           Default: 10

   Application domains
       SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
       applications as a gateway to an LDAP directory where users and groups
       are stored. However, contrary to the traditional SSSD deployment where
       all users and groups either have POSIX attributes or those attributes
       can be inferred from the Windows SIDs, in many cases the users and
       groups in the application support scenario have no POSIX attributes.
       Instead of setting a “[domain/NAME]” section, the administrator can set
       up an “[application/NAME]” section that internally represents a domain
       with type “application” and optionally inherits settings from a
       traditional SSSD domain.

       Please note that the application domain must still be explicitly
       enabled in the “domains” parameter so that the lookup order between the
       application domain and its POSIX sibling domain is set correctly.

       Application domain parameters

       inherit_from (string)
           The SSSD POSIX-type domain the application domain inherits all
           settings from. The application domain can moreover add its own
           settings that augment or override the settings of the “sibling”
           domain.

           Default: Not set

       The following example illustrates the use of an application domain. In
       this setup, the POSIX domain is connected to an LDAP server and is used
       by the OS through the NSS responder. In addition, the application
       domain also requests the telephoneNumber attribute, stores it as the
       phone attribute in the cache and makes the phone attribute reachable
       through the D-Bus interface.

           [sssd]
           domains = appdom, posixdom

           [ifp]
           user_attributes = +phone

           [domain/posixdom]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           [application/appdom]
           inherit_from = posixdom
           ldap_user_extra_attrs = phone:telephoneNumber


TRUSTED DOMAIN SECTION

       Some options used in the domain section can also be used in the trusted
       domain section, that is, in a section called
       “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
       base domain the host is actually joined to. Please refer to the
       examples below for an explanation. Currently supported options in the
       trusted domain section are:

       ldap_search_base,

       ldap_user_search_base,

       ldap_group_search_base,

       ldap_netgroup_search_base,

       ldap_service_search_base,

       ldap_sasl_mech,

       ad_server,

       ad_backup_server,

       ad_site,

       use_fully_qualified_names,

       pam_gssapi_services,

       pam_gssapi_check_upn

       For more details about these options see their individual description
       in the manual page.


CERTIFICATE MAPPING SECTION

       To allow authentication with Smartcards and certificates, SSSD must be
       able to map certificates to users. This can be done by adding the full
       certificate to the LDAP object of the user or to a local override.
       While using the full certificate is required to use the Smartcard
       authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
       details), it might be cumbersome or not even possible to do this for
       the general case where local services use PAM for authentication.

       To make the mapping more flexible, mapping and matching rules were
       added to SSSD (see sss-certmap(5) for details).

       A mapping and matching rule can be added to the SSSD configuration in a
       section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
       In this section the following options are allowed:

       matchrule (string)
           Only certificates from the Smartcard which match this rule will be
           processed; all others are ignored.

           Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
           the Extended Key Usage “clientAuth”

       maprule (string)
           Defines how the user is found for a given certificate.

           Default:

           •   LDAP:(userCertificate;binary={cert!bin}) for LDAP based
               providers like “ldap”, “AD” or “ipa”.

           •   The RULE_NAME for the “files” provider which tries to find a
               user with the same name.


       domains (string)
           Comma separated list of domain names the rule should be applied
           to. By default a rule is only valid in the domain configured in
           sssd.conf. If the provider supports subdomains, this option can be
           used to add the rule to subdomains as well.

           Default: the configured domain in sssd.conf

       priority (integer)
           Unsigned integer value defining the priority of the rule. The
           higher the number the lower the priority.  “0” stands for the
           highest priority while “4294967295” is the lowest.

           Default: the lowest priority

       To keep the configuration simple and reduce the number of configuration
       options, the “files” provider has some special properties:

       •   if maprule is not set the RULE_NAME is assumed to be the name of
           the matching user

       •   if a maprule is used, either a single user name or a template like
           “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
           e.g. “(username)” or “({subject_rfc822_name.short_name})”

       •   the “domains” option is ignored

2383

PROMPTING CONFIGURATION SECTION

2385       If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists
2386       SSSD's PAM module pam_sss will ask SSSD to figure out which
2387       authentication methods are available for the user trying to log in.
2388       Based on the results pam_sss will prompt the user for appropriate
2389       credentials.
2390
2391       With the growing number of authentication methods and the possibility
2392       that there are multiple ones for a single user the heuristic used by
2393       pam_sss to select the prompting might not be suitable for all use
2394       cases. The following options should provide a better flexibility here.
2395
2396       Each supported authentication method has its own configuration
2397       subsection under “[prompting/...]”. Currently there are:
2398
2399       [prompting/password]
2400           to configure password prompting, allowed options are:
2401
2402           password_prompt
2403               to change the string of the password prompt
2404
2405
2406       [prompting/2fa]
2407           to configure two-factor authentication prompting, allowed options
2408           are:
2409
2410           first_prompt
2411               to change the string of the prompt for the first factor
2412
2413           second_prompt
2414               to change the string of the prompt for the second factor
2415
2416           single_prompt
2417               boolean value, if True there will be only a single prompt using
2418               the value of first_prompt where it is expected that both
2419               factors are entered as a single string. Please note that both
2420               factors have to be entered here, even if the second factor is
2421               optional.
2422
2423           If the second factor is optional and it should be possible to log
2424           in either only with the password or with both factors two-step
2425           prompting has to be used.
2426
2427       It is possible to add a subsection for specific PAM services, e.g.
2428       “[prompting/password/sshd]” to individual change the prompting for this
2429       service.
2430

EXAMPLES

2432       1. The following example shows a typical SSSD config. It does not
2433       describe configuration of the domains themselves - refer to
2434       documentation on configuring domains for more details.
2435
2436           [sssd]
2437           domains = LDAP
2438           services = nss, pam
2439           config_file_version = 2
2440
2441           [nss]
2442           filter_groups = root
2443           filter_users = root
2444
2445           [pam]
2446
2447           [domain/LDAP]
2448           id_provider = ldap
2449           ldap_uri = ldap://ldap.example.com
2450           ldap_search_base = dc=example,dc=com
2451
2452           auth_provider = krb5
2453           krb5_server = kerberos.example.com
2454           krb5_realm = EXAMPLE.COM
2455           cache_credentials = true
2456
2457           min_id = 10000
2458           max_id = 20000
2459           enumerate = False
2460
2461       2. The following example shows configuration of IPA AD trust where the
2462       AD forest consists of two domains in a parent-child structure. Suppose
2463       IPA domain (ipa.com) has trust with AD domain(ad.com). ad.com has child
2464       domain (child.ad.com). To enable shortnames in the child domain the
2465       following configuration should be used.
2466
2467           [domain/ipa.com/child.ad.com]
2468           use_fully_qualified_names = false
2469
2470       3. The following example shows the configuration for two certificate
2471       mapping rules. The first is valid for the configured domain “my.domain”
2472       and additionally for the subdomains “your.domain” and uses the full
2473       certificate in the search filter. The second example is valid for the
2474       domain “files” where it is assumed the files provider is used for this
2475       domain and contains a matching rule for the local user “myname”.
2476
2477           [certmap/my.domain/rule_name]
2478           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2479           maprule = (userCertificate;binary={cert!bin})
2480           domains = my.domain, your.domain
2481           priority = 10
2482
2483           [certmap/files/myname]
2484           matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
2485
2486

SEE ALSO

2488       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
2489       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
2490       recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
2491       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
2492       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
2493       sssd-systemtap(5)
2494

AUTHORS

2496       The SSSD upstream - https://github.com/SSSD/sssd/
2497
2498
2499
2500SSSD                              12/09/2022                      SSSD.CONF(5)