SSSD.CONF(5) File Formats and Conventions SSSD.CONF(5)

NAME
       sssd.conf - the configuration file for SSSD

FILE FORMAT
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single and multi-valued parameters:

           [section]
           key = value
           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A comment line starts with a hash sign (“#”) or a semicolon (“;”).
       Inline comments are not supported.

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root, and only root may read
       from or write to the file.

CONFIGURATION SNIPPETS
       The configuration file sssd.conf will include configuration snippets
       from the include directory conf.d. This feature is available if SSSD
       was compiled with libini version 1.3.0 or later.

       Any file placed in conf.d that ends in “.conf” and does not begin with
       a dot (“.”) will be used together with sssd.conf to configure SSSD.

       The configuration snippets from conf.d have higher priority than
       sssd.conf and will override sssd.conf when conflicts occur. If several
       snippets are present in conf.d, they are included in alphabetical
       order (based on locale). Files included later have higher priority.
       Numerical prefixes (01_snippet.conf, 02_snippet.conf etc.) can help
       visualize the priority (a higher number means higher priority).

       The snippet files require the same owner and permissions as sssd.conf,
       which are by default root:root and 0600.
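
       The file-format and conf.d rules above, as an added example (not code
       from the sssd.conf(5) man page or from SSSD itself): a minimal parser
       for the ini syntax described, the include order for conf.d, the
       override semantics, and the owner/permission check. The function names
       are ours, and plain codepoint sorting stands in for the page's
       locale-based alphabetical order.

```python
# Added example (not from the sssd.conf(5) man page): a small checker for the
# file-format and conf.d rules. parse_sssd_ini, snippet_order, effective_config
# and mode_problems are our own names; SSSD's real parser (libini) is not used.
# Sorting assumes plain codepoint order stands in for "alphabetical (based on
# locale)".
import stat


def parse_sssd_ini(text):
    """Parse the ini syntax described on the page into {section: {key: value}}.
    Comment lines start with '#' or ';'; inline comments are not supported,
    so a '#' or ';' after a value stays part of the value."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        config[section][key.strip()] = value.strip()
    return config


def snippet_order(names):
    """conf.d entries SSSD would include, lowest priority first: only names
    ending in '.conf' and not starting with '.', in sorted order."""
    picked = [n for n in names if n.endswith(".conf") and not n.startswith(".")]
    return sorted(picked)


def effective_config(base, snippets):
    """Merge sssd.conf with snippets in include order; a later snippet
    overrides earlier snippets and sssd.conf on conflicting keys."""
    merged = {section: dict(kv) for section, kv in base.items()}
    for snippet in snippets:
        for section, kv in snippet.items():
            merged.setdefault(section, {}).update(kv)
    return merged


def mode_problems(st_mode, uid, gid):
    """Reasons a file fails the page's requirements: regular file, owned by
    root:root, mode 0600. Takes the raw values an os.stat() result carries so
    it can be exercised without touching the filesystem."""
    problems = []
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if (uid, gid) != (0, 0):
        problems.append(f"owner is {uid}:{gid}, expected root:root")
    perm = stat.S_IMODE(st_mode)
    if perm != 0o600:
        problems.append(f"mode is {perm:04o}, expected 0600")
    return problems


# Constructed sample input: an sssd.conf plus a conf.d directory listing.
SAMPLE_BASE = """\
[sssd]
domains = example.com
services = nss, pam
debug_level = 2
"""
SAMPLE_SNIPPETS = {
    "10-debug.conf": "[sssd]\ndebug_level = 0x0270\n",
    "20-nss.conf": "[nss]\nfilter_users = root, nobody\n[sssd]\ndebug_level = 9\n",
    ".draft.conf": "[sssd]\ndomains = should-be-ignored\n",
    "README.txt": "not a snippet\n",
}


def merged_sample():
    """sssd.conf merged with the sample snippets in SSSD's include order."""
    order = snippet_order(SAMPLE_SNIPPETS)
    parsed = [parse_sssd_ini(SAMPLE_SNIPPETS[name]) for name in order]
    return effective_config(parse_sssd_ini(SAMPLE_BASE), parsed)


if __name__ == "__main__":
    print(merged_sample())
    print(mode_problems(stat.S_IFREG | 0o644, 0, 0))
```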

GENERAL OPTIONS
       The following options are usable in more than one configuration
       section.

   Options usable in all sections
       debug_level (integer)
           SSSD supports two representations for specifying the debug level.
           The simplest is to specify a decimal value from 0-9, which
           represents enabling that level and all lower-level debug messages.
           The more comprehensive option is to specify a hexadecimal bitmask
           to enable or disable specific levels (such as if you wish to
           suppress a level).

           Please note that each SSSD service logs into its own log file. Also
           please note that enabling “debug_level” in the “[sssd]” section
           only enables debugging for the sssd process itself, not for the
           responder or provider processes. The “debug_level” parameter
           should be added to all sections that you wish to produce debug logs
           from.

           In addition to changing the log level in the config file using the
           “debug_level” parameter, which is persistent but requires an SSSD
           restart, it is also possible to change the debug level on the fly
           using the sss_debuglevel(8) tool.

           Currently supported debug levels:

           0, 0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           1, 0x0020: Critical failures. An error that doesn't kill SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           2, 0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           3, 0x0080: Minor failures. These are the errors that would
           percolate down to cause the operation failure of 2.

           4, 0x0100: Configuration settings.

           5, 0x0200: Function data.

           6, 0x0400: Trace messages for operation functions.

           7, 0x1000: Trace messages for internal control functions.

           8, 0x2000: Contents of function-internal variables that may be
           interesting.

           9, 0x4000: Extremely low-level tracing information.

           9, 0x20000: Performance and statistical data. Please note that due
           to the way requests are processed internally, the logged execution
           time of a request might be longer than it actually was.

           10, 0x10000: Even more low-level libldb tracing information. Almost
           never really required.

           To log the required bitmask debug levels, simply add their numbers
           together as shown in the following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data and trace messages for internal control functions use 0x1310.

           Note: The bitmask format of debug levels was introduced in 1.7.0.

           Default: 0x0070 (i.e. fatal, critical and serious failures;
           corresponds to setting 2 in decimal notation)
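
           The two representations above, as an added example (not code from
           the sssd.conf(5) man page or from SSSD): compose a bitmask from
           decimal levels, map a decimal value to the bitmask it stands for,
           and list what a configured value turns on. The level table is the
           one printed above; the function names are ours, and the
           decimal-to-bitmask rule follows the page's wording ("that level and
           all lower-level debug messages"), not SSSD's source.

```python
# Added example (not from the sssd.conf(5) man page): resolve debug_level
# values into the levels they enable, using the level table on the page.
# Helper names are ours; the decimal->bitmask rule follows the page's wording.

# (decimal level, bitmask bit, description) exactly as listed on the page
DEBUG_LEVELS = [
    (0, 0x0010, "fatal failures"),
    (1, 0x0020, "critical failures"),
    (2, 0x0040, "serious failures"),
    (3, 0x0080, "minor failures"),
    (4, 0x0100, "configuration settings"),
    (5, 0x0200, "function data"),
    (6, 0x0400, "trace messages for operation functions"),
    (7, 0x1000, "trace messages for internal control functions"),
    (8, 0x2000, "contents of function-internal variables"),
    (9, 0x4000, "extremely low-level tracing"),
    (9, 0x20000, "performance and statistical data"),
    (10, 0x10000, "libldb tracing"),
]

KNOWN_BITS = 0
for _dec, _bit, _desc in DEBUG_LEVELS:
    KNOWN_BITS |= _bit


def compose(levels):
    """Bitmask that logs exactly the given decimal levels: the page's
    'add their numbers together' examples."""
    mask = 0
    for dec, bit, _ in DEBUG_LEVELS:
        if dec in levels:
            mask |= bit
    return mask


def decimal_to_bitmask(level):
    """A decimal value N enables level N and every lower level."""
    if not 0 <= level <= 10:
        raise ValueError(f"decimal debug_level out of range: {level}")
    return compose(range(level + 1))


def parse_debug_level(value):
    """Accept either form found in sssd.conf: '2' (decimal) or '0x0270'
    (hexadecimal bitmask)."""
    text = value.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    return decimal_to_bitmask(int(text, 10))


def enabled_levels(mask):
    """Human-readable list of what a bitmask turns on, in table order."""
    return [desc for _, bit, desc in DEBUG_LEVELS if mask & bit]


def unknown_bits(mask):
    """Bits in the mask that match no documented level (a likely typo)."""
    return mask & ~KNOWN_BITS


if __name__ == "__main__":
    for setting in ("2", "0x0270", "0x1310", "0x0070"):
        mask = parse_debug_level(setting)
        print(f"{setting:>7} -> 0x{mask:05x}: {', '.join(enabled_levels(mask))}")
```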

       debug (integer)
           SSSD 1.14 and later also includes the debug alias for debug_level
           as a convenience feature. If both are specified, the value of
           debug_level will be used.

       debug_timestamps (bool)
           Add a timestamp to the debug messages. If journald is enabled for
           SSSD debug logging this option is ignored.

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages. If journald is
           enabled for SSSD debug logging this option is ignored.

           Default: false

       debug_backtrace_enabled (bool)
           Enable debug backtrace.

           In case SSSD is run with debug_level less than 9, everything is
           logged to a ring buffer in memory and flushed to a log file on any
           error up to and including `min(0x0040, debug_level)` (i.e. if
           debug_level is explicitly set to 0 or 1 then only those error
           levels will trigger a backtrace, otherwise up to 2).

           The feature is only supported for `logger == files` (i.e. the
           setting has no effect for other logger types).

           Default: true

   Options usable in SERVICE and DOMAIN sections
       timeout (integer)
           Timeout in seconds between heartbeats for this service. This is
           used to ensure that the process is alive and capable of answering
           requests. Note that after three missed heartbeats the process will
           terminate itself.

           Default: 10

SPECIAL SECTIONS
   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates the syntax version of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts. The services list is optional on platforms where systemd
           is supported, as they will either be socket or D-Bus activated when
           needed.

           Supported services: nss, pam, sudo, autofs, ssh, pac, ifp

           By default, all services are disabled and the administrator must
           enable the ones allowed to be used by executing: "systemctl enable
           sssd-@service@.socket".

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more domains at the same time, but at least one must be configured
           or SSSD won't start. This parameter describes the list of domains
           in the order you want them to be queried. A domain name is
           recommended to contain only alphanumeric ASCII characters, dashes,
           dots and underscores. The '/' character is forbidden.

       re_expression (string)
           Default regular expression that describes how to parse the string
           containing user name and domain into these components.

           Each domain can have an individual regular expression configured.
           For some ID providers there are also default regular expressions.
           See DOMAIN SECTIONS for more info on these regular expressions.

       full_name_format (string)
           A printf(3)-compatible format that describes how to compose a fully
           qualified name from user name and domain name components.

           The following expansions are supported:

           %1$s
               user name

           %2$s
               domain name as specified in the SSSD config file.

           %3$s
               domain flat name. Mostly usable for Active Directory domains,
               both directly configured or discovered via IPA trusts.

           Each domain can have an individual format string configured. See
           DOMAIN SECTIONS for more info on this option.

       monitor_resolv_conf (boolean)
           Controls if SSSD should monitor the state of resolv.conf to
           identify when it needs to update its internal DNS resolver.

           Default: true

       try_inotify (boolean)
           By default, SSSD will attempt to use inotify to monitor
           configuration file changes and will fall back to polling every
           five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'.

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

       default_domain_suffix (string)
           This string will be used as a default domain name for all names
           without a domain name component. The main use case is environments
           where the primary domain is intended for managing host policies and
           all users are located in a trusted domain. The option allows those
           users to log in just with their user name without giving a domain
           name as well.

           Please note that if this option is set, all users from the primary
           domain have to use their fully qualified name, e.g.
           user@domain.name, to log in. Setting this option changes the
           default of use_fully_qualified_names to True. It is not allowed to
           use this option together with use_fully_qualified_names set to
           False. One exception from this rule are domains with
           “id_provider=files” that always try to match the behaviour of
           nss_files and therefore their output is not qualified even when the
           default_domain_suffix option is used.

           Default: not set

       override_space (string)
           This parameter will replace spaces (space bar) with the given
           character, e.g. “_”, in user and group names. The user name
           "john doe" will become "john_doe". This feature was added to help
           compatibility with shell scripts that have difficulty handling
           spaces, due to the default field separator in the shell.

           Please note it is a configuration error to use a replacement
           character that might be used in user or group names. If a name
           contains the replacement character SSSD tries to return the
           unmodified name, but in general the result of a lookup is undefined.

           Default: not set (spaces will not be replaced)

       certificate_verification (string)
           With this parameter the certificate verification can be tuned with
           a comma separated list of options. Supported options are:

           no_ocsp
               Disables Online Certificate Status Protocol (OCSP) checks. This
               might be needed if the OCSP servers defined in the certificate
               are not reachable from the client.

           soft_ocsp
               If a connection cannot be established to an OCSP responder the
               OCSP check is skipped. This option should be used to allow
               authentication when the system is offline and the OCSP
               responder cannot be reached.

           ocsp_dgst
               Digest (hash) function used to create the certificate ID for
               the OCSP request. Allowed values are:

               • sha1

               • sha256

               • sha384

               • sha512

               Default: sha1 (to allow compatibility with RFC5019-compliant
               responders)

           no_verification
               Disables verification completely. This option should only be
               used for testing.

           partial_chain
               Allow verification to succeed even if a complete chain cannot
               be built to a self-signed trust-anchor, provided it is possible
               to construct a chain to a trusted certificate that might not be
               self-signed.

           ocsp_default_responder=URL
               Sets the OCSP default responder which should be used instead of
               the one mentioned in the certificate. URL must be replaced with
               the URL of the OCSP default responder, e.g.
               http://example.com:80/ocsp.

           ocsp_default_responder_signing_cert=NAME
               This option is currently ignored. All needed certificates must
               be available in the PEM file given by pam_cert_db_path.

           crl_file=/PATH/TO/CRL/FILE
               Use the Certificate Revocation List (CRL) from the given file
               during the verification of the certificate. The CRL must be
               given in PEM format, see crl(1ssl) for details.

           soft_crl
               If a Certificate Revocation List (CRL) is expired, ignore the
               CRL checks for the related certificates. This option should be
               used to allow authentication when the system is offline and the
               CRL cannot be renewed.

           Unknown options are reported but ignored.

           Default: not set, i.e. do not restrict certificate verification

       disable_netlink (boolean)
           SSSD hooks into the netlink interface to monitor changes to routes,
           addresses and links, and to trigger certain actions.

           The SSSD state changes caused by netlink events may be undesirable
           and can be disabled by setting this option to 'true'.

           Default: false (netlink changes are detected)

       enable_files_domain (boolean)
           When this option is enabled, SSSD prepends an implicit domain with
           “id_provider=files” before any explicitly configured domains.

           Default: false

       domain_resolution_order
           Comma separated list of domains and subdomains representing the
           lookup order that will be followed. The list doesn't have to
           include all possible domains, as the missing domains will be looked
           up based on the order they're presented in the “domains”
           configuration option. The subdomains which are not listed as part
           of “lookup_order” will be looked up in a random order for each
           parent domain.

           Please note that when this option is set, the output format of all
           commands is always fully-qualified even when using short names for
           input, for all users but the ones managed by the files provider.
           In case the administrator wants the output not fully-qualified, the
           full_name_format option can be used as shown below:
           “full_name_format=%1$s”. However, keep in mind that during login,
           login applications often canonicalize the username by calling
           getpwnam(3). If a short name is returned for a qualified input
           (while trying to reach a user which exists in multiple domains),
           this might re-route the login attempt into the domain which uses
           short names, so this workaround is not recommended at all in cases
           where usernames may overlap between domains.

           Default: Not set

       implicit_pac_responder (boolean)
           The PAC responder is enabled automatically for the IPA and AD
           provider to evaluate and check the PAC. If it has to be disabled,
           set this option to 'false'.

           Default: true

       core_dumpable (boolean)
           This option can be used for general system hardening: setting it to
           'false' forbids core dumps for all SSSD processes to avoid leaking
           plain text passwords. See the prctl(2) man page, PR_SET_DUMPABLE,
           for details.

           Default: true

SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section; for
       example, for the NSS service, the section would be “[nss]”.

   General service configuration options
       These options can be used to configure any service.

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       fd_limit
           This option specifies the maximum number of file descriptors that
           may be opened at one time by this SSSD process. On systems where
           SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
           absolute setting. On systems without this capability, the resulting
           value will be the lower value of this or the limits.conf "hard"
           limit.

           Default: 8192 (or limits.conf "hard" limit)

       client_idle_timeout
           This option specifies the number of seconds that a client of an
           SSSD process can hold onto a file descriptor without communicating
           on it. This value is limited in order to avoid resource exhaustion
           on the system. The timeout can't be shorter than 10 seconds. If a
           lower value is configured, it will be adjusted to 10 seconds.

           Default: 60, KCM: 300

       offline_timeout (integer)
           When SSSD switches to offline mode the amount of time before it
           tries to go back online will increase based upon the time spent
           disconnected. By default SSSD uses incremental behaviour to
           calculate the delay in between retries. So, the wait time for a
           given retry will be longer than the wait time for the previous
           ones. After each unsuccessful attempt to go online, the new interval
           is recalculated by the following:

               new_delay = Minimum(old_delay * 2, offline_timeout_max) +
                           random[0...offline_timeout_random_offset]

           The offline_timeout default value is 60. The offline_timeout_max
           default value is 3600. The offline_timeout_random_offset default
           value is 30. The end result is the number of seconds before the
           next retry.

           Note that the maximum length of each interval is defined by
           offline_timeout_max (apart from the random part).

           Default: 60

       offline_timeout_max (integer)
           Controls by how much the time between attempts to go online can be
           incremented following unsuccessful attempts to go online.

           A value of 0 disables the incrementing behaviour.

           The value of this parameter should be set in correlation to the
           offline_timeout parameter value.

           With offline_timeout set to 60 (default value) there is no point in
           setting offline_timeout_max to less than 120 as it will saturate
           instantly. The general rule here should be to set
           offline_timeout_max to at least 4 times offline_timeout.

           Although a value between 0 and offline_timeout may be specified, it
           has the effect of overriding the offline_timeout value so is of
           little use.

           Default: 3600

       offline_timeout_random_offset (integer)
           When SSSD is in offline mode it keeps probing backend servers in
           specified time intervals:

               new_delay = Minimum(old_delay * 2, offline_timeout_max) +
                           random[0...offline_timeout_random_offset]

           This parameter controls the value of the random offset used for the
           above equation. The final random offset will be a random number in
           the range:

               [0 - offline_timeout_random_offset]

           A value of 0 disables the random offset addition.

           Default: 30

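           The formula shared by offline_timeout, offline_timeout_max and
           offline_timeout_random_offset, as an added example (not code from
           the sssd.conf(5) man page or from SSSD): a simulation of the retry
           schedule that shows the saturation and override effects described
           above. Assumptions not stated on the page: the first wait is
           offline_timeout itself, and offline_timeout_max = 0 keeps the base
           delay constant. The function names are ours.

```python
# Added example (not from the sssd.conf(5) man page): simulate the retry
# schedule produced by the offline_timeout formula. Assumptions: the first
# wait is offline_timeout itself; offline_timeout_max == 0 ("disables the
# incrementing behaviour") keeps the base delay constant.
import random


def offline_retry_schedule(attempts, offline_timeout=60, offline_timeout_max=3600,
                           offline_timeout_random_offset=30, rng=None):
    """Wait intervals, in seconds, before each of `attempts` reconnection
    attempts, following
        new_delay = min(old_delay * 2, offline_timeout_max)
                    + random[0...offline_timeout_random_offset]
    Pass a seeded random.Random as rng for a reproducible schedule."""
    rng = rng if rng is not None else random.Random()
    delays = []
    delay = offline_timeout
    for _ in range(attempts):
        delays.append(delay)
        if offline_timeout_max == 0:
            base = offline_timeout  # no doubling at all
        else:
            base = min(delay * 2, offline_timeout_max)
        jitter = 0
        if offline_timeout_random_offset > 0:
            jitter = rng.randint(0, offline_timeout_random_offset)
        delay = base + jitter
    return delays


def total_wait(delays):
    """Seconds from going offline until the last listed attempt fires."""
    return sum(delays)


if __name__ == "__main__":
    # Defaults with the jitter removed so the doubling is visible.
    print(offline_retry_schedule(8, offline_timeout_random_offset=0))
    # offline_timeout_max below 2 * offline_timeout saturates on the 2nd attempt.
    print(offline_retry_schedule(4, offline_timeout_max=100,
                                 offline_timeout_random_offset=0))
    # A value between 0 and offline_timeout merely overrides offline_timeout.
    print(offline_retry_schedule(4, offline_timeout_max=30,
                                 offline_timeout_random_offset=0))
    # Defaults with jitter, reproducible.
    print(offline_retry_schedule(5, rng=random.Random(1)))
```
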
       responder_idle_timeout
           This option specifies the number of seconds that an SSSD responder
           process can be up without being used. This value is limited in
           order to avoid resource exhaustion on the system. The minimum
           acceptable value for this option is 60 seconds. Setting this option
           to 0 (zero) means that no timeout will be set for the responder.
           This option only has effect when SSSD is built with systemd support
           and when services are either socket or D-Bus activated.

           Default: 300

       cache_first
           This option specifies whether the responder should query all caches
           before querying the Data Providers.

           Default: false

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds nss_sss should cache enumerations (requests for
           info about all users).

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       local_negative_timeout (integer)
           Specifies for how many seconds nss_sss should keep local users and
           groups in the negative cache before trying to look them up in the
           back end again. Setting the option to 0 disables this feature.

           Default: 14400 (4 hours)

       filter_users, filter_groups (string)
           Exclude certain users or groups from being fetched from the sss NSS
           database. This is particularly useful for system accounts. This
           option can also be set per-domain or include fully-qualified names
           to filter only users from the particular domain or by a user
           principal name (UPN).

           NOTE: The filter_groups option doesn't affect inheritance of nested
           group members, since filtering happens after they are propagated
           for returning via NSS. E.g. a group having a member group filtered
           out will still have the member users of the latter listed.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered users to still be group members, set this
           option to false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %l
               The first letter of the login name.

           %P
               UPN - User Principal Name (name@REALM)

           %o
               The original home directory retrieved from the identity
               provider.

           %h
               The original home directory retrieved from the identity
               provider, but in lower case.

           %H
               The value of the configuration option homedir_substring.

           %%
               a literal '%'

           This option can also be set per-domain.

           example:

               override_homedir = /home/%u

           Default: Not set (SSSD will use the value retrieved from LDAP)

           Please note, the home directory from a specific override for the
           user, either locally (see sss_override(8)) or centrally managed IPA
           id-overrides, has a higher precedence and will be used instead of
           the value given by override_homedir.

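           The template sequences and the precedence rules above, as an added
           example (not code from the sssd.conf(5) man page or from SSSD): an
           expander for override_homedir / fallback_homedir templates and the
           order in which a per-user override, override_homedir, the
           provider's value and fallback_homedir are consulted. The function
           names and the sample user record are ours; rejecting an unknown
           %-sequence is our assumption, not documented behaviour.

```python
# Added example (not from the sssd.conf(5) man page): expand the
# override_homedir / fallback_homedir template sequences and apply the
# precedence described on the page. Function names are ours; the sample
# user is constructed. Assumption: an unknown %-sequence is rejected.


def expand_homedir_template(template, user, homedir_substring="/home"):
    """user keys: name, uid, domain, upn, orig_home (orig_home may be None).
    homedir_substring is the value of the option of the same name (%H)."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("template ends with a lone '%'")
        code = template[i + 1]
        i += 2
        if code == "u":
            out.append(user["name"])
        elif code == "U":
            out.append(str(user["uid"]))
        elif code == "d":
            out.append(user["domain"])
        elif code == "f":
            out.append(f"{user['name']}@{user['domain']}")
        elif code == "l":
            out.append(user["name"][:1])
        elif code == "P":
            out.append(user["upn"])
        elif code in ("o", "h"):
            orig = user.get("orig_home")
            if orig is None:
                raise ValueError(f"%{code} used but the provider returned no home")
            out.append(orig if code == "o" else orig.lower())
        elif code == "H":
            out.append(homedir_substring)
        elif code == "%":
            out.append("%")
        else:
            raise ValueError(f"unknown sequence %{code}")
    return "".join(out)


def resolve_homedir(user, override_homedir=None, fallback_homedir=None,
                    homedir_substring="/home"):
    """Precedence as the page describes: a per-user override (sss_override or
    IPA id-override) beats override_homedir, which beats the provider's
    value; fallback_homedir applies only when the provider returned none.
    Returns None when nothing applies."""
    if user.get("override_home"):
        return user["override_home"]
    if override_homedir:
        return expand_homedir_template(override_homedir, user, homedir_substring)
    if user.get("orig_home"):
        return user["orig_home"]
    if fallback_homedir:
        return expand_homedir_template(fallback_homedir, user, homedir_substring)
    return None


# Constructed sample user; all values are illustrative only.
SAMPLE_USER = {"name": "jdoe", "uid": 10001, "domain": "example.com",
               "upn": "jdoe@EXAMPLE.COM", "orig_home": "/Users/JDoe"}

if __name__ == "__main__":
    print(expand_homedir_template("%H/%d/%l/%u", SAMPLE_USER, "/export"))
    print(resolve_homedir(SAMPLE_USER, override_homedir="/home/%f"))
    print(resolve_homedir(dict(SAMPLE_USER, orig_home=None),
                          fallback_homedir="/home/%u"))
```
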
       homedir_substring (string)
           The value of this option will be used in the expansion of the
           override_homedir option if the template contains the format string
           %H. An LDAP directory entry can directly contain this template so
           that this option can be used to expand the home directory path for
           each client machine (or operating system). It can be set per-domain
           or globally in the [nss] section. A value specified in a domain
           section will override one set in the [nss] section.

           Default: /home

       fallback_homedir (string)
           Set a default template for a user's home directory if one is not
           specified explicitly by the domain's data provider.

           The available values for this option are the same as for
           override_homedir.

           example:

               fallback_homedir = /home/%u

           Default: not set (no substitution for unset home directories)

       override_shell (string)
           Override the login shell for all users. This option supersedes any
           other shell options if it takes effect and can be set either in the
           [nss] section or per-domain.

           Default: not set (SSSD will use the value retrieved from LDAP)

       allowed_shells (string)
           Restrict the user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in “/etc/shells”, it is used.

           2. If the shell is in the allowed_shells list but not in
              “/etc/shells”, use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
              “/etc/shells”, a nologin shell is used.

           The wildcard (*) can be used to allow any shell.

           The (*) is useful if you want to use shell_fallback in case the
           user's shell is not in “/etc/shells” and maintaining a list of all
           allowed shells in allowed_shells would be too much overhead.

           An empty string for the shell is passed as-is to libc.

           “/etc/shells” is only read on SSSD start up, which means that a
           restart of SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback.

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

       default_shell
           The default shell to use if the provider does not return one during
           lookup. This option can be specified globally in the [nss] section
           or per-domain.

           Default: not set (Return NULL if no shell is specified and rely on
           libc to substitute something sensible when necessary, usually
           /bin/sh)

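           The shell options above (override_shell, allowed_shells,
           vetoed_shells, shell_fallback and default_shell), as an added
           example (not code from the sssd.conf(5) man page or from SSSD):
           one function that applies the three allowed_shells evaluation
           rules together with the other options. Assumptions not stated on
           the page: override_shell is applied first, then default_shell for
           a missing shell, then vetoed_shells, then the allowed_shells
           rules; the nologin path is a placeholder. resolve_shell is our name.

```python
# Added example (not from the sssd.conf(5) man page): the shell selection rules
# from override_shell, allowed_shells, vetoed_shells, shell_fallback and
# default_shell as one function. Assumed ordering: override_shell first, then
# default_shell for a missing shell, then vetoed_shells, then allowed_shells.

NOLOGIN = "/sbin/nologin"  # placeholder; the real path is distribution-specific


def resolve_shell(provider_shell, etc_shells, override_shell=None, allowed_shells=None,
                  vetoed_shells=(), shell_fallback="/bin/sh", default_shell=None):
    """Return the shell SSSD would hand to libc, or None when no shell is
    known (libc then substitutes something sensible, usually /bin/sh).
    etc_shells is the set of shells listed in /etc/shells; allowed_shells is
    None when the option is not set."""
    if override_shell:
        return override_shell  # supersedes every other shell option
    shell = provider_shell
    if shell is None:
        shell = default_shell  # provider returned nothing
        if shell is None:
            return None
    if shell == "":
        return ""  # an empty string is passed as-is to libc
    if shell in vetoed_shells:
        return shell_fallback
    if allowed_shells is None:
        return shell  # allowed_shells not set: the user shell is used
    if shell in etc_shells:
        return shell  # rule 1: installed shells are always used
    if "*" in allowed_shells or shell in allowed_shells:
        return shell_fallback  # rule 2: allowed but not installed
    return NOLOGIN  # rule 3: neither allowed nor installed


# Constructed sample: the contents of /etc/shells on the client.
SAMPLE_ETC_SHELLS = {"/bin/sh", "/bin/bash"}

if __name__ == "__main__":
    for s in ("/bin/bash", "/bin/zsh", "/bin/fish", None, ""):
        print(repr(s), "->", resolve_shell(s, SAMPLE_ETC_SHELLS,
                                            allowed_shells=["/bin/zsh"],
                                            default_shell="/bin/bash"))
```
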
711 get_domains_timeout (int)
712 Specifies time in seconds for which the list of subdomains will be
713 considered valid.
714
715 Default: 60
716
717 memcache_timeout (integer)
718 Specifies time in seconds for which records in the in-memory cache
719 will be valid. Setting this option to zero will disable the
720 in-memory cache.
721
722 Default: 300
723
724 WARNING: Disabling the in-memory cache will have significant
725 negative impact on SSSD's performance and should only be used for
726 testing.
727
728 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
729 "NO", client applications will not use the fast in-memory cache.
730
731 memcache_size_passwd (integer)
732 Size (in megabytes) of the data table allocated inside fast
733 in-memory cache for passwd requests. Setting the size to 0 will
734 disable the passwd in-memory cache.
735
736 Default: 8
737
738 WARNING: Disabled or too small in-memory cache can have significant
739 negative impact on SSSD's performance.
740
741 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
742 "NO", client applications will not use the fast in-memory cache.
743
744 memcache_size_group (integer)
745 Size (in megabytes) of the data table allocated inside fast
746 in-memory cache for group requests. Setting the size to 0 will
747 disable the group in-memory cache.
748
749 Default: 6
750
751 WARNING: Disabled or too small in-memory cache can have significant
752 negative impact on SSSD's performance.
753
754 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
755 "NO", client applications will not use the fast in-memory cache.
756
757 memcache_size_initgroups (integer)
758 Size (in megabytes) of the data table allocated inside fast
759 in-memory cache for initgroups requests. Setting the size to 0 will
760 disable the initgroups in-memory cache.
761
762 Default: 10
763
764 WARNING: Disabled or too small in-memory cache can have significant
765 negative impact on SSSD's performance.
766
767 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
768 "NO", client applications will not use the fast in-memory cache.
769
770 memcache_size_sid (integer)
771 Size (in megabytes) of the data table allocated inside fast
772 in-memory cache for SID related requests. Only SID-by-ID and
773 ID-by-SID requests are currently cached in fast in-memory cache.
774 Setting the size to 0 will disable the SID in-memory cache.
775
776 Default: 6
777
778 WARNING: Disabled or too small in-memory cache can have significant
779 negative impact on SSSD's performance.
780
781 NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to
782 "NO", client applications will not use the fast in-memory cache.
783
784 user_attributes (string)
785 Some of the additional NSS responder requests can return more
786 attributes than just the POSIX ones defined by the NSS interface.
787 The list of attributes is controlled by this option. It is handled
788 the same way as the “user_attributes” option of the InfoPipe
789 responder (see sssd-ifp(5) for details) but with no default values.
790
791 To make configuration more easy the NSS responder will check the
792 InfoPipe option if it is not set for the NSS responder.
793
794 Default: not set, fallback to InfoPipe option
795
796 pwfield (string)
797 The value that NSS operations that return users or groups will
798 return for the “password” field.
799
800 Default: “*”
801
802 Note: This option can also be set per-domain which overwrites the
803 value in [nss] section.
804
805 Default: “not set” (remote domains), “x” (the files domain), “x”
806 (proxy domain with nss_files and sssd-shadowutils target)
807
808 PAM configuration options
809 These options can be used to configure the Pluggable Authentication
810 Module (PAM) service.
811
812 offline_credentials_expiration (integer)
813 If the authentication provider is offline, how long should we allow
814 cached logins (in days since the last successful online login).
815
816 Default: 0 (No limit)
817
818 offline_failed_login_attempts (integer)
819 If the authentication provider is offline, how many failed login
820 attempts are allowed.
821
822 Default: 0 (No limit)
823
824 offline_failed_login_delay (integer)
825 The time in minutes which has to pass after
826 offline_failed_login_attempts has been reached before a new login
827 attempt is possible.
828
829 If set to 0 the user cannot authenticate offline if
830 offline_failed_login_attempts has been reached. Only a successful
831 online authentication can enable offline authentication again.
832
833 Default: 5
834
835 pam_verbosity (integer)
836 Controls what kind of messages are shown to the user during
837 authentication. The higher the number to more messages are
838 displayed.
839
840 Currently sssd supports the following values:
841
842 0: do not show any message
843
844 1: show only important messages
845
846 2: show informational messages
847
848 3: show all messages and debug information
849
850 Default: 1
851
852 pam_response_filter (string)
853 A comma separated list of strings which allows to remove (filter)
854 data sent by the PAM responder to pam_sss PAM module. There are
855 different kind of responses sent to pam_sss e.g. messages displayed
856 to the user or environment variables which should be set by
857 pam_sss.
858
859 While messages can already be controlled with the help of the
860 pam_verbosity option, this option allows other kinds of responses
861 to be filtered out as well.
862
863 Currently the following filters are supported:
864
865 ENV
866 Do not send any environment variables to any service.
867
868 ENV:var_name
869 Do not send environment variable var_name to any service.
870
871 ENV:var_name:service
872 Do not send environment variable var_name to service.
873
874 The list of strings can either be a plain list of filters, which
875 replaces the default list, or each element of the list can be
876 prefixed by a '+' or '-' character, which adds the filter to the
877 existing defaults or removes it from the defaults, respectively.
878 Please note that either all list elements must have a '+' or '-'
879 prefix or none of them may have one. Mixing both styles is
880 considered an error.
881
882 Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i
883
884 Example: -ENV:KRB5CCNAME:sudo-i will remove that filter from the
885 default list.
886
887 pam_id_timeout (integer)
888 For any PAM request while SSSD is online, the SSSD will attempt to
889 immediately update the cached identity information for the user in
890 order to ensure that authentication takes place with the latest
891 information.
892
893 A complete PAM conversation may perform multiple PAM requests, such
894 as account management and session opening. This option controls (on
895 a per-client-application basis) how long (in seconds) we can cache
896 the identity information to avoid excessive round-trips to the
897 identity provider.
898
899 Default: 5
900
901 pam_pwd_expiration_warning (integer)
902 Display a warning N days before the password expires.
903
904 Please note that the backend server has to provide information
905 about the expiration time of the password. If this information is
906 missing, sssd cannot display a warning.
907
908 If zero is set, then this filter is not applied, i.e. if the
909 expiration warning was received from the backend server, it will
910 automatically be displayed.
911
912 This setting can be overridden by setting pwd_expiration_warning
913 for a particular domain.
914
915 Default: 0
916
917 get_domains_timeout (int)
918 Specifies time in seconds for which the list of subdomains will be
919 considered valid.
920
921 Default: 60
922
923 pam_trusted_users (string)
924 Specifies the comma-separated list of UID values or user names that
925 are allowed to run PAM conversations against trusted domains. Users
926 not included in this list can only access domains marked as public
927 with “pam_public_domains”. User names are resolved to UIDs at
928 startup.
929
930 Default: All users are considered trusted by default
931
932 Please note that UID 0 is always allowed to access the PAM
933 responder even if it is not in the pam_trusted_users list.
934
935 pam_public_domains (string)
936 Specifies the comma-separated list of domain names that are
937 accessible even to untrusted users.
938
939 Two special values for pam_public_domains option are defined:
940
941 all (Untrusted users are allowed to access all domains in the PAM
942 responder.)
943
944 none (Untrusted users are not allowed to access any domains in the
945 PAM responder.)
946
947 Default: none
948
949 pam_account_expired_message (string)
950 Allows a custom expiration message to be set, replacing the default
951 'Permission denied' message.
952
953 Note: Please be aware that the message is only printed for the SSH
954 service unless pam_verbosity is set to 3 (show all messages and
955 debug information).
956
957 example:
958
959 pam_account_expired_message = Account expired, please contact help desk.
960
961
962 Default: none
963
964 pam_account_locked_message (string)
965 Allows a custom lockout message to be set, replacing the default
966 'Permission denied' message.
967
968 example:
969
970 pam_account_locked_message = Account locked, please contact help desk.
971
972
973 Default: none
974
975 pam_cert_auth (bool)
976 Enable certificate based Smartcard authentication. Since this
977 requires additional communication with the Smartcard, which will
978 delay the authentication process, this option is disabled by
979 default.
980
981 Default: False
982
983 pam_cert_db_path (string)
984 The path to the certificate database.
985
986 Default:
987
988 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
989 CA certificates in PEM format)
990
991
992 pam_cert_verification (string)
993 With this parameter the PAM certificate verification can be tuned
994 with a comma-separated list of options that override the
995 “certificate_verification” value in the “[sssd]” section. The
996 supported options are the same as for “certificate_verification”.
997
998 example:
999
1000 pam_cert_verification = partial_chain
1001
1002
1003 Default: not set, i.e. use default “certificate_verification”
1004 option defined in “[sssd]” section.
1005
1006 p11_child_timeout (integer)
1007 How many seconds will pam_sss wait for p11_child to finish.
1008
1009 Default: 10
1010
1011 pam_app_services (string)
1012 Which PAM services are permitted to contact domains of type
1013 “application”.
1014
1015 Default: Not set
1016
1017 pam_p11_allowed_services (string)
1018 A comma-separated list of PAM service names that are allowed to
1019 use Smartcards.
1020
1021 It is possible to add another PAM service name to the default set
1022 by using “+service_name” or to explicitly remove a PAM service name
1023 from the default set by using “-service_name”. For example, in
1024 order to replace a default PAM service name for authentication with
1025 Smartcards (e.g. “login”) with a custom PAM service name (e.g.
1026 “my_pam_service”), you would use the following configuration:
1027
1028 pam_p11_allowed_services = +my_pam_service, -login
1029
1030
1031 Default: the default set of PAM service names includes:
1032
1033 • login
1034
1035 • su
1036
1037 • su-l
1038
1039 • gdm-smartcard
1040
1041 • gdm-password
1042
1043 • kdm
1044
1045 • sudo
1046
1047 • sudo-i
1048
1049 • gnome-screensaver
1050
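
The '+'/'-' list handling described above for pam_response_filter and
again for pam_p11_allowed_services follows one rule: a list without
prefixes replaces the defaults, a list in which every element carries
a prefix adjusts the defaults, and mixing both styles is an error. The
following Python snippet is an added example (not SSSD code) that
applies that rule to both options and then evaluates the three ENV
filter forms; the de-duplication and ordering of the merged list are
assumptions, since the man page does not specify them.

```python
"""Resolve a '+'/'-' list option as sssd.conf describes it for
pam_response_filter and pam_p11_allowed_services (added example, not
SSSD code)."""

# Defaults as listed in the man page.
PAM_RESPONSE_FILTER_DEFAULT = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]
PAM_P11_ALLOWED_SERVICES_DEFAULT = [
    "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm",
    "sudo", "sudo-i", "gnome-screensaver",
]


def resolve_list_option(value, defaults):
    """Return the effective list for a comma-separated option value.

    value    -- raw option string, e.g. "+my_pam_service, -login"
    defaults -- the built-in default list for that option
    Raises ValueError when prefixed and plain elements are mixed.
    """
    items = [item.strip() for item in value.split(",") if item.strip()]
    if not items:
        return list(defaults)
    prefixed = [item[0] in "+-" for item in items]
    if any(prefixed) and not all(prefixed):
        raise ValueError("mixed '+'/'-' and plain elements: %r" % value)
    if not any(prefixed):
        return items                  # plain list: replaces the defaults
    result = list(defaults)           # prefixed list: adjusts the defaults
    for item in items:
        name = item[1:].strip()
        if item[0] == "+" and name not in result:
            result.append(name)       # assumption: no duplicates, appended
        elif item[0] == "-" and name in result:
            result.remove(name)
    return result


def env_blocked(filters, var_name, service):
    """True if the resolved pam_response_filter list stops var_name from
    being sent to the given PAM service (ENV, ENV:var, ENV:var:service)."""
    for entry in filters:
        parts = entry.split(":")
        if parts[0] != "ENV":
            continue
        if len(parts) == 1:
            return True               # "ENV": no variable to any service
        if parts[1] == var_name and (len(parts) == 2 or parts[2] == service):
            return True
    return False


if __name__ == "__main__":
    print(resolve_list_option("-ENV:KRB5CCNAME:sudo-i", PAM_RESPONSE_FILTER_DEFAULT))
    print(resolve_list_option("+my_pam_service, -login", PAM_P11_ALLOWED_SERVICES_DEFAULT))
```

With the default filter list, KRB5CCNAME is withheld from sudo and
sudo-i only; removing a default entry with the '-' form re-enables it
for that service, while a plain "ENV" entry withholds every variable
from every service.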
1051
1052 p11_wait_for_card_timeout (integer)
1053 If Smartcard authentication is required, how many extra seconds in
1054 addition to p11_child_timeout should the PAM responder wait until a
1055 Smartcard is inserted.
1056
1057 Default: 60
1058
1059 p11_uri (string)
1060 PKCS#11 URI (see RFC-7512 for details) which can be used to
1061 restrict the selection of devices used for Smartcard
1062 authentication. By default SSSD's p11_child will search for a
1063 PKCS#11 slot (reader) where the 'removable' flag is set and read
1064 the certificates from the inserted token in the first slot found.
1065 If multiple readers are connected, p11_uri can be used to tell
1066 p11_child to use a specific reader.
1067
1068 Example:
1069
1070 p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader
1071
1072
1073 or
1074
1075 p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2
1076
1077
1078 To find a suitable URI, check the debug output of p11_child.
1079 Alternatively, the GnuTLS utility 'p11tool' (e.g. with
1080 '--list-all') will show PKCS#11 URIs as well.
1081
1082 Default: none
1083
1084 pam_initgroups_scheme
1085 The PAM responder can force an online lookup to get the current
1086 group memberships of the user trying to log in. This option
1087 controls when this should be done and the following values are
1088 allowed:
1089
1090 always
1091 Always do an online lookup; please note that pam_id_timeout
1092 still applies
1093
1094 no_session
1095 Only do an online lookup if there is no active session of the
1096 user, i.e. if the user is currently not logged in
1097
1098 never
1099 Never force an online lookup; use the data from the cache as
1100 long as it has not expired
1101
1102 Default: no_session
1103
1104 pam_gssapi_services
1105 Comma-separated list of PAM services that are allowed to try GSSAPI
1106 authentication using the pam_sss_gss.so module.
1107
1108 To disable GSSAPI authentication, set this option to “-” (dash).
1109
1110 Note: This option can also be set per domain, which overrides the
1111 value in the [pam] section. It can also be set for a trusted domain,
1112 which overrides the value in the domain section.
1113
1114 Example:
1115
1116 pam_gssapi_services = sudo, sudo-i
1117
1118
1119 Default: - (GSSAPI authentication is disabled)
1120
1121 pam_gssapi_check_upn
1122 If True, SSSD will require that the Kerberos user principal that
1123 successfully authenticated through GSSAPI can be associated with
1124 the user who is being authenticated. Authentication will fail if
1125 the check fails.
1126
1127 If False, every user who is able to obtain the required service
1128 ticket will be authenticated.
1129
1130 Note: This option can also be set per domain, which overrides the
1131 value in the [pam] section. It can also be set for a trusted domain,
1132 which overrides the value in the domain section.
1133
1134 Default: True
1135
1136 pam_gssapi_indicators_map
1137 Comma-separated list of authentication indicators required to be
1138 present in a Kerberos ticket to access a PAM service that is
1139 allowed to try GSSAPI authentication using the pam_sss_gss.so module.
1140
1141 Each element of the list can be either an authentication indicator
1142 name or a pair “service:indicator”. Indicators not prefixed with
1143 the PAM service name will be required to access any PAM service
1144 configured to be used with pam_gssapi_services. A resulting list of
1145 indicators per PAM service is then checked against indicators in
1146 the Kerberos ticket during authentication by pam_sss_gss.so. Any
1147 indicator from the ticket that matches the resulting list of
1148 indicators for the PAM service would grant access. If none of the
1149 indicators in the list match, access will be denied. If the
1150 resulting list of indicators for the PAM service is empty, the
1151 check will not prevent the access.
1152
1153 To disable the GSSAPI authentication indicator check, set this
1154 option to “-” (dash). To disable the check for a specific PAM
1155 service, add “service:-”.
1156
1157 Note: This option can also be set per domain, which overrides the
1158 value in the [pam] section. It can also be set for a trusted domain,
1159 which overrides the value in the domain section.
1160
1161 The following authentication indicators are supported by IPA
1162 Kerberos deployments:
1163
1164 • pkinit -- pre-authentication using X.509 certificates --
1165 whether stored in files or on smart cards.
1166
1167 • hardened -- SPAKE pre-authentication or any pre-authentication
1168 wrapped in a FAST channel.
1169
1170 • radius -- pre-authentication with the help of a RADIUS server.
1171
1172 • otp -- pre-authentication using integrated two-factor
1173 authentication (2FA or one-time password, OTP) in IPA.
1174
1175 • idp -- pre-authentication using external identity provider.
1176
1177 Example: to grant access to the sudo services only to users who
1178 obtained their Kerberos tickets with X.509 certificate
1179 pre-authentication (PKINIT), set
1180
1181 pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
1182
1183
1184 Default: not set (use of authentication indicators is not required)
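
The resolution rule for pam_gssapi_indicators_map (unprefixed
indicators apply to every service in pam_gssapi_services, any single
matching indicator grants access, an empty requirement never blocks,
and “-” or “service:-” disables the check) is easy to get wrong when
reading the prose. The snippet below is an added Python example, not
part of SSSD or pam_sss_gss.so, that computes the per-service
requirement and applies the decision rule to the indicators carried in
a ticket. Services that appear in the map but not in pam_gssapi_services
are ignored, which is an assumption, since such services cannot attempt
GSSAPI authentication in the first place.

```python
"""Added example (not SSSD code): resolve pam_gssapi_services and
pam_gssapi_indicators_map and decide whether a ticket's authentication
indicators satisfy a PAM service's requirement."""


def parse_gssapi_services(value):
    """pam_gssapi_services: "-" (the default) or an empty value disables
    GSSAPI authentication, otherwise a comma-separated service list."""
    value = value.strip()
    if value in ("", "-"):
        return []
    return [svc.strip() for svc in value.split(",") if svc.strip()]


def required_indicators(indicators_map, gssapi_services):
    """Return {service: set of required indicators, or None}.

    None marks a service whose check is disabled ("-" for the whole option
    or "service:-"); an empty set means nothing is required, so the check
    does not prevent access.
    """
    value = indicators_map.strip()
    if value == "-":
        return {svc: None for svc in gssapi_services}
    everywhere, per_service, disabled = set(), {}, set()
    for item in (x.strip() for x in value.split(",") if x.strip()):
        if ":" in item:
            svc, indicator = (part.strip() for part in item.split(":", 1))
            if indicator == "-":
                disabled.add(svc)
            else:
                per_service.setdefault(svc, set()).add(indicator)
        else:
            everywhere.add(item)      # applies to every GSSAPI-enabled service
    result = {}
    for svc in gssapi_services:       # assumption: only services allowed to use GSSAPI
        if svc in disabled:
            result[svc] = None
        else:
            result[svc] = everywhere | per_service.get(svc, set())
    return result


def gssapi_access_allowed(required, ticket_indicators):
    """Man page rule: any matching indicator grants access; an empty list
    of required indicators (or a disabled check) never blocks access."""
    if required is None or not required:
        return True
    return bool(required & set(ticket_indicators))


if __name__ == "__main__":
    services = parse_gssapi_services("sudo, sudo-i")
    req = required_indicators("sudo:pkinit, sudo-i:pkinit", services)
    # A ticket obtained through SPAKE/FAST only carries "hardened": denied for sudo.
    print(gssapi_access_allowed(req["sudo"], ["hardened"]))
```

Note that with the example from the man page a ticket whose indicators
are only “hardened” is rejected for sudo, while a PKINIT ticket is
accepted regardless of any other indicators it also carries.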
1185
1186 SUDO configuration options
1187 These options can be used to configure the sudo service. The detailed
1188 instructions for configuration of sudo(8) to work with sssd(8) are in
1189 the manual page sssd-sudo(5).
1190
1191 sudo_timed (bool)
1192 Whether or not to evaluate the sudoNotBefore and sudoNotAfter
1193 attributes that implement time-dependent sudoers entries.
1194
1195 Default: false
1196
1197 sudo_threshold (integer)
1198 Maximum number of expired rules that can be refreshed at once. If
1199 the number of expired rules is below the threshold, those rules are
1200 refreshed with the “rules refresh” mechanism. If the threshold is
1201 exceeded, a “full refresh” of sudo rules is triggered instead. This
1202 threshold number also applies to IPA sudo command and command group
1203 searches.
1204
1205 Default: 50
1206
1207 AUTOFS configuration options
1208 These options can be used to configure the autofs service.
1209
1210 autofs_negative_timeout (integer)
1211 Specifies for how many seconds the autofs responder should cache
1212 negative hits (that is, queries for invalid map entries, like
1213 nonexistent ones) before asking the back end again.
1214
1215 Default: 15
1216
1217 Please note that the automounter only reads the master map on startup,
1218 so if any autofs-related changes are made to the sssd.conf, you
1219 typically also need to restart the automounter daemon after restarting
1220 the SSSD.
1221
1222 SSH configuration options
1223 These options can be used to configure the SSH service.
1224
1225 ssh_hash_known_hosts (bool)
1226 Whether or not to hash host names and addresses in the managed
1227 known_hosts file.
1228
1229 Default: false
1230
1231 ssh_known_hosts_timeout (integer)
1232 How many seconds to keep a host in the managed known_hosts file
1233 after its host keys were requested.
1234
1235 Default: 180
1236
1237 ssh_use_certificate_keys (bool)
1238 If set to true, sss_ssh_authorizedkeys will also return ssh keys
1239 derived from the public key of X.509 certificates stored in the
1240 user entry. See sss_ssh_authorizedkeys(1) for details.
1241
1242 Default: true
1243
1244 ssh_use_certificate_matching_rules (string)
1245 By default the ssh responder will use all available certificate
1246 matching rules to filter the certificates so that ssh keys are only
1247 derived from the matching ones. With this option the used rules can
1248 be restricted with a comma separated list of mapping and matching
1249 rule names. All other rules will be ignored.
1250
1251 There are two special key words 'all_rules' and 'no_rules' which
1252 will enable all or no rules, respectively. The latter means that no
1253 certificates will be filtered out and ssh keys will be generated
1254 from all valid certificates.
1255
1256 If no rules are configured, using 'all_rules' will enable a default
1257 rule which enables all certificates suitable for client
1258 authentication. This is the same behavior as for the PAM responder
1259 if certificate authentication is enabled.
1260
1261 A non-existing rule name is considered an error. If, as a result, no
1262 rule is selected, all certificates will be ignored.
1263
1264 Default: not set, equivalent to 'all_rules', all found rules or the
1265 default rule are used
1266
1267 ca_db (string)
1268 Path to a storage of trusted CA certificates. The option is used to
1269 validate user certificates before deriving public ssh keys from
1270 them.
1271
1272 Default:
1273
1274 • /etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted
1275 CA certificates in PEM format)
1276
1277
1278 PAC responder configuration options
1279 The PAC responder works together with the authorization data plugin for
1280 MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin
1281 sends the PAC data during a GSSAPI authentication to the PAC responder.
1282 The sub-domain provider collects domain SID and ID ranges of the domain
1283 the client is joined to and of remote trusted domains from the local
1284 domain controller. When the PAC is decoded and evaluated, some of
1285 the following operations are performed:
1286
1287 • If the remote user does not exist in the cache, it is created. The
1288 UID is determined with the help of the SID, trusted domains will
1289 have UPGs and the GID will have the same value as the UID. The home
1290 directory is set based on the subdomain_homedir parameter. The
1291 shell will be empty by default, i.e. the system defaults are used,
1292 but can be overwritten with the default_shell parameter.
1293
1294 • If there are SIDs of groups from domains sssd knows about, the user
1295 will be added to those groups.
1296
1297 These options can be used to configure the PAC responder.
1298
1299 allowed_uids (string)
1300 Specifies the comma-separated list of UID values or user names that
1301 are allowed to access the PAC responder. User names are resolved to
1302 UIDs at startup.
1303
1304 Default: 0 (only the root user is allowed to access the PAC
1305 responder)
1306
1307 Please note that although the UID 0 is used as the default it will
1308 be overwritten with this option. If you still want to allow the
1309 root user to access the PAC responder, which would be the typical
1310 case, you have to add 0 to the list of allowed UIDs as well.
1311
1312 pac_lifetime (integer)
1313 Lifetime of the PAC entry in seconds. As long as the PAC is valid
1314 the PAC data can be used to determine the group memberships of a
1315 user.
1316
1317 Default: 300
1318
1319 pac_check (string)
1320 Apply additional checks on the PAC of the Kerberos ticket which is
1321 available in Active Directory and FreeIPA domains, if configured.
1322 Please note that Kerberos ticket validation must be enabled to be
1323 able to check the PAC, i.e. the krb5_validate option must be set to
1324 'True' which is the default for the IPA and AD provider. If
1325 krb5_validate is set to 'False' the PAC checks will be skipped.
1326
1327 The following options can be used alone or in a comma-separated
1328 list:
1329
1330 no_check
1331 The PAC must not be present and even if it is present no
1332 additional checks will be done.
1333
1334 pac_present
1335 The PAC must be present in the service ticket which SSSD will
1336 request with the help of the user's TGT. If the PAC is not
1337 available the authentication will fail.
1338
1339 check_upn
1340 If the PAC is present check if the user principal name (UPN)
1341 information is consistent.
1342
1343 check_upn_allow_missing
1344 This option should be used together with 'check_upn' and
1345 handles the case where a UPN is set on the server side but is
1346 not read by SSSD. The typical example is a FreeIPA domain where
1347 'ldap_user_principal' is set to a non-existing attribute name.
1348 This was typically done to work around issues in the handling
1349 of enterprise principals. This has been fixed for quite some
1350 time, FreeIPA can handle enterprise principals just fine, and
1351 there is no longer any need to set 'ldap_user_principal'.
1352
1353 Currently this option is set by default to avoid regressions in
1354 such environments. A log message will be added to the system
1355 log and SSSD's debug log in case a UPN is found in the PAC but
1356 not in SSSD's cache. To avoid this log message it would be best
1357 to evaluate if the 'ldap_user_principal' option can be removed.
1358 If this is not possible, removing 'check_upn' will skip the
1359 test and avoid the log message.
1360
1361 upn_dns_info_present
1362 The PAC must contain the UPN-DNS-INFO buffer, implies
1363 'check_upn'.
1364
1365 check_upn_dns_info_ex
1366 If the PAC is present and the extension to the UPN-DNS-INFO
1367 buffer is available check if the information in the extension
1368 is consistent.
1369
1370 upn_dns_info_ex_present
1371 The PAC must contain the extension of the UPN-DNS-INFO buffer,
1372 implies 'check_upn_dns_info_ex', 'upn_dns_info_present' and
1373 'check_upn'.
1374
1375 Default: no_check (AD and IPA provider 'check_upn,
1376 check_upn_allow_missing, check_upn_dns_info_ex')
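
Because several pac_check keywords imply others, the set of checks that
actually runs for a given value is not obvious from the list above. The
Python snippet below is an added example, not SSSD code, that expands a
pac_check value through the stated implications, returns the provider
defaults quoted above, and returns no checks at all when krb5_validate
is False, as the text requires. Dropping 'no_check' when it appears
alongside other keywords is an assumption; the man page only says the
options may be combined.

```python
"""Added example (not SSSD code): expand a pac_check value into the
checks that effectively apply, honouring the 'implies' relations and the
krb5_validate precondition described in sssd.conf(5)."""

# Implication relations quoted from the option descriptions.
IMPLIES = {
    "upn_dns_info_present": {"check_upn"},
    "upn_dns_info_ex_present": {"check_upn_dns_info_ex",
                                "upn_dns_info_present", "check_upn"},
}

KNOWN_CHECKS = {
    "no_check", "pac_present", "check_upn", "check_upn_allow_missing",
    "upn_dns_info_present", "check_upn_dns_info_ex", "upn_dns_info_ex_present",
}


def default_pac_check(id_provider):
    """Default value as documented: AD and IPA get UPN checks, others none."""
    if id_provider in ("ad", "ipa"):
        return "check_upn, check_upn_allow_missing, check_upn_dns_info_ex"
    return "no_check"


def effective_pac_checks(pac_check, krb5_validate=True):
    """Return the set of checks that will actually be performed.

    Raises ValueError for unknown keywords. With krb5_validate False the
    PAC cannot be verified, so no check runs regardless of pac_check.
    """
    if not krb5_validate:
        return set()
    requested = {x.strip() for x in pac_check.split(",") if x.strip()}
    unknown = requested - KNOWN_CHECKS
    if unknown:
        raise ValueError("unknown pac_check keyword(s): %s" % sorted(unknown))
    result = set()
    pending = list(requested - {"no_check"})   # assumption: no_check is inert here
    while pending:                              # transitive closure over IMPLIES
        check = pending.pop()
        if check in result:
            continue
        result.add(check)
        pending.extend(IMPLIES.get(check, ()))
    return result


if __name__ == "__main__":
    print(sorted(effective_pac_checks("upn_dns_info_ex_present")))
    print(sorted(effective_pac_checks(default_pac_check("ipa"))))
```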
1377
1378 Session recording configuration options
1379 Session recording works in conjunction with tlog-rec-session(8), a part
1380 of tlog package, to log what users see and type when they log in on a
1381 text terminal. See also sssd-session-recording(5).
1382
1383 These options can be used to configure session recording.
1384
1385 scope (string)
1386 One of the following strings specifying the scope of session
1387 recording:
1388
1389 "none"
1390 No users are recorded.
1391
1392 "some"
1393 Users/groups specified by users and groups options are
1394 recorded.
1395
1396 "all"
1397 All users are recorded.
1398
1399 Default: "none"
1400
1401 users (string)
1402 A comma-separated list of users which should have session recording
1403 enabled. Matches user names as returned by NSS, i.e. after the
1404 possible space replacement, case changes, etc.
1405
1406 Default: Empty. Matches no users.
1407
1408 groups (string)
1409 A comma-separated list of groups, members of which should have
1410 session recording enabled. Matches group names as returned by NSS,
1411 i.e. after the possible space replacement, case changes, etc.
1412
1413 NOTE: using this option (having it set to anything) has a
1414 considerable performance cost, because each uncached request for a
1415 user requires retrieving and matching the groups the user is member
1416 of.
1417
1418 Default: Empty. Matches no groups.
1419
1420 exclude_users (string)
1421 A comma-separated list of users to be excluded from recording, only
1422 applicable with 'scope=all'.
1423
1424 Default: Empty. No users excluded.
1425
1426 exclude_groups (string)
1427 A comma-separated list of groups, members of which should be
1428 excluded from recording. Only applicable with 'scope=all'.
1429
1430 NOTE: using this option (having it set to anything) has a
1431 considerable performance cost, because each uncached request for a
1432 user requires retrieving and matching the groups the user is member
1433 of.
1434
1435 Default: Empty. No groups excluded.
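
The scope, users, groups, exclude_users and exclude_groups options
combine into a single decision per login. The following Python snippet
is an added example (not SSSD code) of that decision, written against
the semantics stated above: with "none" nobody is recorded, with "some"
only listed users and members of listed groups are, and with "all"
everybody is unless excluded by name or group. User and group names in
the test calls are constructed; they are not from any real system.

```python
"""Added example (not SSSD code): decide whether a session is recorded
from the session recording options described in sssd.conf(5)."""


def _csv(value):
    """Split a comma-separated option value into a set of names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def session_recorded(scope, user, user_groups, users="", groups="",
                     exclude_users="", exclude_groups=""):
    """Return True if the user's session should be recorded.

    scope          -- "none", "some" or "all" (the documented values)
    user           -- user name as returned by NSS
    user_groups    -- names of the groups the user is a member of
    users/groups   -- only consulted with scope=some
    exclude_users/exclude_groups -- only consulted with scope=all
    """
    memberships = set(user_groups)
    if scope == "none":
        return False
    if scope == "some":
        # Group matching is what the NOTE above warns about: each uncached
        # request needs the user's group list before the decision is made.
        return user in _csv(users) or bool(_csv(groups) & memberships)
    if scope == "all":
        if user in _csv(exclude_users):
            return False
        if _csv(exclude_groups) & memberships:
            return False
        return True
    raise ValueError("unknown session recording scope: %r" % scope)


if __name__ == "__main__":
    print(session_recorded("some", "carol", ["ops"], users="alice", groups="ops"))
```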
1436
1438 These configuration options can be present in a domain configuration
1439 section, that is, in a section called “[domain/NAME]”.
1440
1441 enabled
1442 Explicitly enable or disable the domain. If “true”, the domain is
1443 always “enabled”. If “false”, the domain is always “disabled”. If
1444 this option is not set, the domain is enabled only if it is listed
1445 in the domains option in the “[sssd]” section.
1446
1447 domain_type (string)
1448 Specifies whether the domain is meant to be used by POSIX-aware
1449 clients such as the Name Service Switch or by applications that do
1450 not need POSIX data to be present or generated. Only objects from
1451 POSIX domains are available to the operating system interfaces and
1452 utilities.
1453
1454 Allowed values for this option are “posix” and “application”.
1455
1456 POSIX domains are reachable by all services. Application domains
1457 are only reachable from the InfoPipe responder (see sssd-ifp(5))
1458 and the PAM responder.
1459
1460 NOTE: The application domains are currently well tested with
1461 “id_provider=ldap” only.
1462
1463 For an easy way to configure a non-POSIX domain, please see the
1464 “Application domains” section.
1465
1466 Default: posix
1467
1468 min_id,max_id (integer)
1469 UID and GID limits for the domain. If a domain contains an entry
1470 that is outside these limits, it is ignored.
1471
1472 For users, this affects the primary GID limit. The user will not be
1473 returned to NSS if either the UID or the primary GID is outside the
1474 range. For non-primary group memberships, those that are in range
1475 will be reported as expected.
1476
1477 These ID limits affect even saving entries to cache, not only
1478 returning them by name or ID.
1479
1480 Default: 1 for min_id, 0 (no limit) for max_id
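
The paragraphs above distinguish three effects of the ID limits: a user
whose UID is out of range is dropped, a user whose primary GID is out of
range is dropped too, and out-of-range non-primary memberships are
silently omitted while the in-range ones are reported. The snippet below
is an added Python example, not SSSD code, that applies these rules to a
few constructed entries; the entry layout (uid, gid, list of
supplementary GIDs) is an assumption for illustration, as is treating
the filter as happening before entries reach the cache, which is what
the last sentence describes.

```python
"""Added example (not SSSD code): apply min_id/max_id the way
sssd.conf(5) describes for users, primary GIDs and group memberships."""

# Constructed sample entries, not from any real directory.
SAMPLE_USERS = [
    {"name": "alice",  "uid": 10001, "gid": 10001, "groups": [10001, 10500, 999]},
    {"name": "legacy", "uid": 500,   "gid": 500,   "groups": [500]},
    {"name": "badgid", "uid": 10002, "gid": 200,   "groups": [10002]},
]


def in_id_range(id_value, min_id=1, max_id=0):
    """max_id == 0 means 'no upper limit', matching the documented default."""
    return id_value >= min_id and (max_id == 0 or id_value <= max_id)


def filter_user(user, min_id=1, max_id=0):
    """Return the entry as it would be reported, or None if it is ignored.

    A user is ignored when either the UID or the primary GID is outside
    the range; out-of-range supplementary groups are dropped from the
    membership list while in-range ones are kept.
    """
    if not in_id_range(user["uid"], min_id, max_id):
        return None
    if not in_id_range(user["gid"], min_id, max_id):
        return None
    kept = [gid for gid in user["groups"] if in_id_range(gid, min_id, max_id)]
    return dict(user, groups=kept)


def visible_users(users, min_id=1, max_id=0):
    """Entries that would be saved to the cache and returned to NSS."""
    result = []
    for user in users:
        filtered = filter_user(user, min_id, max_id)
        if filtered is not None:
            result.append(filtered)
    return result


if __name__ == "__main__":
    for entry in visible_users(SAMPLE_USERS, min_id=1000):
        print(entry["name"], entry["groups"])
```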
1481
1482 enumerate (bool)
1483 Determines if a domain can be enumerated, that is, whether the
1484 domain can list all the users and groups it contains. Note that it
1485 is not required to enable enumeration in order for secondary groups
1486 to be displayed. This parameter can have one of the following
1487 values:
1488
1489 TRUE = Users and groups are enumerated
1490
1491 FALSE = No enumerations for this domain
1492
1493 Default: FALSE
1494
1495 Enumerating a domain requires SSSD to download and store ALL user
1496 and group entries from the remote server.
1497
1498 Note: Enabling enumeration has a moderate performance impact on
1499 SSSD while enumeration is running. It may take up to several
1500 minutes after SSSD startup to fully complete enumerations. During
1501 this time, individual requests for information will go directly to
1502 LDAP, though it may be slow, due to the heavy enumeration
1503 processing. Saving a large number of entries to cache after the
1504 enumeration completes might also be CPU intensive as the
1505 memberships have to be recomputed. This can lead to the “sssd_be”
1506 process becoming unresponsive or even restarted by the internal
1507 watchdog.
1508
1509 While the first enumeration is running, requests for the complete
1510 user or group lists may return no results until it completes.
1511
1512 Further, enabling enumeration may increase the time necessary to
1513 detect network disconnection, as longer timeouts are required to
1514 ensure that enumeration lookups are completed successfully. For
1515 more information, refer to the man pages for the specific
1516 id_provider in use.
1517
1518 For the reasons cited above, enabling enumeration is not
1519 recommended, especially in large environments.
1520
1521 subdomain_enumerate (string)
1522 Whether any of the autodetected trusted domains should be
1523 enumerated. The supported values are:
1524
1525 all
1526 All discovered trusted domains will be enumerated
1527
1528 none
1529 No discovered trusted domains will be enumerated
1530
1531 Optionally, a list of one or more domain names can enable
1532 enumeration just for these trusted domains.
1533
1534 Default: none
1535
1536 entry_cache_timeout (integer)
1537 How many seconds should nss_sss consider entries valid before
1538 asking the backend again
1539
1540 The cache expiration timestamps are stored as attributes of
1541 individual objects in the cache. Therefore, changing the cache
1542 timeout only has effect for newly added or expired entries. You
1543 should run the sss_cache(8) tool in order to force refresh of
1544 entries that have already been cached.
1545
1546 Default: 5400
1547
1548 entry_cache_user_timeout (integer)
1549 How many seconds should nss_sss consider user entries valid before
1550 asking the backend again
1551
1552 Default: entry_cache_timeout
1553
1554 entry_cache_group_timeout (integer)
1555 How many seconds should nss_sss consider group entries valid before
1556 asking the backend again
1557
1558 Default: entry_cache_timeout
1559
1560 entry_cache_netgroup_timeout (integer)
1561 How many seconds should nss_sss consider netgroup entries valid
1562 before asking the backend again
1563
1564 Default: entry_cache_timeout
1565
1566 entry_cache_service_timeout (integer)
1567 How many seconds should nss_sss consider service entries valid
1568 before asking the backend again
1569
1570 Default: entry_cache_timeout
1571
1572 entry_cache_resolver_timeout (integer)
1573 How many seconds should nss_sss consider hosts and networks entries
1574 valid before asking the backend again
1575
1576 Default: entry_cache_timeout
1577
1578 entry_cache_sudo_timeout (integer)
1579 How many seconds should sudo consider rules valid before asking the
1580 backend again
1581
1582 Default: entry_cache_timeout
1583
1584 entry_cache_autofs_timeout (integer)
1585 How many seconds should the autofs service consider automounter
1586 maps valid before asking the backend again
1587
1588 Default: entry_cache_timeout
1589
1590 entry_cache_ssh_host_timeout (integer)
1591 How many seconds to keep a host ssh key after refresh, i.e. how
1592 long to cache the host key.
1593
1594 Default: entry_cache_timeout
1595
1596 entry_cache_computer_timeout (integer)
1597 How many seconds to keep the local computer entry before asking the
1598 backend again
1599
1600 Default: entry_cache_timeout
1601
1602 refresh_expired_interval (integer)
1603 Specifies how many seconds SSSD has to wait before triggering a
1604 background refresh task which will refresh all expired or nearly
1605 expired records.
1606
1607 The background refresh will process users, groups and netgroups in
1608 the cache. For users who have performed the initgroups (get group
1609 membership for user, typically run at login) operation in the past,
1610 both the user entry and the group membership are updated.
1611
1612 This option is automatically inherited for all trusted domains.
1613
1614 You can consider setting this value to 3/4 * entry_cache_timeout.
1615
1616 A cache entry will be refreshed by the background task when 2/3 of
1617 the cache timeout has already passed. If there are existing cached
1618 entries, the background task will refer to their original cache
1619 timeout values instead of the current configuration value. This may
1620 lead to a situation in which the background refresh task appears
1621 not to be working. This is done by design to improve offline mode
1622 operation and reuse of existing valid cache entries. To make the
1623 change take effect immediately, invalidate the existing cache manually.
1624
1625 Default: 0 (disabled)
1626
1627 cache_credentials (bool)
1628 Determines if user credentials are also cached in the local LDB
1629 cache. The cached credentials refer to passwords, which includes
1630 the first (long term) factor of two-factor authentication, not
1631 other authentication mechanisms. Passkey and Smartcard
1632 authentications are expected to work offline as long as a
1633 successful online authentication is recorded in the cache without
1634 additional configuration.
1635
1636 Note that while credentials are stored as a salted SHA512 hash,
1637 this still poses a potential security risk, in case an attacker
1638 manages to get access to the cache file (which normally requires
1639 privileged access) and to break a password using a brute-force
1640 attack.
1641
1642 Default: FALSE
1643
1644 cache_credentials_minimal_first_factor_length (int)
1645 If 2-Factor-Authentication (2FA) is used and credentials should be
1646 saved, this value determines the minimal length the first
1647 authentication factor (long term password) must have in order to be
1648 saved as a SHA512 hash in the cache.
1649
1650 This is meant to avoid that the short PINs of a PIN based 2FA scheme
1651 are saved in the cache, which would make them easy targets for
1652 brute-force attacks.
1653
1654 Default: 8
1655
1656 account_cache_expiration (integer)
1657 Number of days entries are left in cache after last successful
1658 login before being removed during a cleanup of the cache. 0 means
1659 keep forever. The value of this parameter must be greater than or
1660 equal to offline_credentials_expiration.
1661
1662 Default: 0 (unlimited)
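
The constraint that account_cache_expiration must be greater than or
equal to offline_credentials_expiration spans two sections ([pam] and
each [domain/NAME]), so it is easy to violate when the sections are
edited separately. The following Python snippet is an added example (not
SSSD code or an SSSD tool) that parses an sssd.conf text with the
standard library configparser and reports domains that break the rule.
The configuration fragment is constructed for the example. Both options
use 0 for "unlimited" and the check compares the numbers literally, as
the sentence above does; that literal reading is an assumption.

```python
"""Added example (not SSSD code): check account_cache_expiration against
offline_credentials_expiration across the sections of an sssd.conf."""
import configparser

# Constructed sssd.conf fragment, not from a real host. The domain keeps
# entries for 7 days while cached logins are allowed for 30 days.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE

[pam]
offline_credentials_expiration = 30

[domain/EXAMPLE]
id_provider = ldap
cache_credentials = true
account_cache_expiration = 7
"""


def load_sssd_conf(text):
    """Parse ini-style sssd.conf text. configparser's defaults match the
    man page: '#' and ';' start comment lines, inline comments are not
    recognised, and interpolation is switched off so '%' is literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_cache_expiration(conf_text):
    """Return one problem string per domain whose account_cache_expiration
    is lower than [pam] offline_credentials_expiration. A value of 0 on the
    domain side means 'keep forever' and is never reported."""
    parser = load_sssd_conf(conf_text)
    offline_days = parser.getint("pam", "offline_credentials_expiration", fallback=0)
    problems = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        acct_days = parser.getint(section, "account_cache_expiration", fallback=0)
        if acct_days != 0 and acct_days < offline_days:
            problems.append(
                "[%s] account_cache_expiration=%d is lower than "
                "[pam] offline_credentials_expiration=%d" % (section, acct_days, offline_days))
    return problems


if __name__ == "__main__":
    for problem in check_cache_expiration(SAMPLE_SSSD_CONF):
        print(problem)
```

With the sample above the check flags [domain/EXAMPLE]; raising
account_cache_expiration to 30 (or to 0, keep forever) clears it.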
1663
1664 pwd_expiration_warning (integer)
1665 Display a warning N days before the password expires.
1666
1667 If zero is set, then this filter is not applied, i.e. if the
1668 expiration warning was received from the backend server, it will
1669 automatically be displayed.
1670
1671 Please note that the backend server has to provide information
1672 about the expiration time of the password. If this information is
1673 missing, sssd cannot display a warning. Also an auth provider has
1674 to be configured for the backend.
1675
1676 Default: 7 (Kerberos), 0 (LDAP)
1677
1678 id_provider (string)
1679 The identification provider used for the domain. Supported ID
1680 providers are:
1681
1682 “proxy”: Support a legacy NSS provider.
1683
1684 “files”: FILES provider. See sssd-files(5) for more information on
1685 how to mirror local users and groups into SSSD.
1686
1687 “ldap”: LDAP provider. See sssd-ldap(5) for more information on
1688 configuring LDAP.
1689
1690 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1691 See sssd-ipa(5) for more information on configuring FreeIPA.
1692
1693 “ad”: Active Directory provider. See sssd-ad(5) for more
1694 information on configuring Active Directory.
1695
1696 use_fully_qualified_names (bool)
1697 Use the full name and domain (as formatted by the domain's
1698 full_name_format) as the user's login name reported to NSS.
1699
1700 If set to TRUE, all requests to this domain must use fully
1701 qualified names. For example, if used in LOCAL domain that contains
1702 a "test" user, getent passwd test wouldn't find the user while
1703 getent passwd test@LOCAL would.
1704
1705 NOTE: This option has no effect on netgroup lookups due to their
1706 tendency to include nested netgroups without qualified names. For
1707 netgroups, all domains will be searched when an unqualified name is
1708 requested.
1709
1710 Default: FALSE (TRUE for trusted domain/sub-domains or if
1711 default_domain_suffix is used)
1712
1713 ignore_group_members (bool)
1714 Do not return group members for group lookups.
1715
1716 If set to TRUE, the group membership attribute is not requested
1717 from the LDAP server, and group members are not returned when
1718 processing group lookup calls, such as getgrnam(3) or getgrgid(3).
1719 As a result, “getent group $groupname” returns the requested group
1720 as if it were empty.
1721
1722 Enabling this option can also make access provider checks for group
1723 membership significantly faster, especially for groups containing
1724 many members.
1725
1726 This option can be also set per subdomain or inherited via
1727 subdomain_inherit.
1728
1729 Default: FALSE
1730
1731 auth_provider (string)
1732 The authentication provider used for the domain. Supported auth
1733 providers are:
1734
1735 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1736 information on configuring LDAP.
1737
1738 “krb5” for Kerberos authentication. See sssd-krb5(5) for more
1739 information on configuring Kerberos.
1740
1741 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1742 See sssd-ipa(5) for more information on configuring FreeIPA.
1743
1744 “ad”: Active Directory provider. See sssd-ad(5) for more
1745 information on configuring Active Directory.
1746
1747 “proxy” for relaying authentication to some other PAM target.
1748
1749 “none” disables authentication explicitly.
1750
1751 Default: “id_provider” is used if it is set and can handle
1752 authentication requests.
1753
1754 access_provider (string)
1755 The access control provider used for the domain. There are two
1756 built-in access providers (in addition to any included in installed
1757 backends). The internal special providers are:
1758
1759 “permit” always allows access. It is the only permitted access
1760 provider for a local domain.
1761
1762 “deny” always denies access.
1763
1764 “ldap” for native LDAP authentication. See sssd-ldap(5) for more
1765 information on configuring LDAP.
1766
1767 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1768 See sssd-ipa(5) for more information on configuring FreeIPA.
1769
1770 “ad”: Active Directory provider. See sssd-ad(5) for more
1771 information on configuring Active Directory.
1772
1773 “simple” access control based on access or deny lists. See sssd-
1774 simple(5) for more information on configuring the simple access
1775 module.
1776
1777 “krb5”: .k5login based access control. See sssd-krb5(5) for more
1778 information on configuring Kerberos.
1779
1780 “proxy” for relaying access control to another PAM module.
1781
1782 Default: “permit”
1783
1784 chpass_provider (string)
1785 The provider which should handle change password operations for the
1786 domain. Supported change password providers are:
1787
1788 “ldap” to change a password stored in a LDAP server. See sssd-
1789 ldap(5) for more information on configuring LDAP.
1790
1791 “krb5” to change the Kerberos password. See sssd-krb5(5) for more
1792 information on configuring Kerberos.
1793
1794 “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
1795 See sssd-ipa(5) for more information on configuring FreeIPA.
1796
1797 “ad”: Active Directory provider. See sssd-ad(5) for more
1798 information on configuring Active Directory.
1799
1800 “proxy” for relaying password changes to some other PAM target.
1801
1802 “none” disallows password changes explicitly.
1803
1804 Default: “auth_provider” is used if it is set and can handle change
1805 password requests.
1806
1807 sudo_provider (string)
1808 The SUDO provider used for the domain. Supported SUDO providers
1809 are:
1810
1811 “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
1812 information on configuring LDAP.
1813
1814 “ipa” the same as “ldap” but with IPA default settings.
1815
1816 “ad” the same as “ldap” but with AD default settings.
1817
1818 “none” disables SUDO explicitly.
1819
1820 Default: The value of “id_provider” is used if it is set.
1821
1822 The detailed instructions for configuration of sudo_provider are in
1823 the manual page sssd-sudo(5). There are many configuration options
1824 that can be used to adjust the behavior. Please refer to
1825 "ldap_sudo_*" in sssd-ldap(5).
1826
1827 NOTE: Sudo rules are periodically downloaded in the background
1828 unless the sudo provider is explicitly disabled. Set sudo_provider
1829 = None to disable all sudo-related activity in SSSD if you do not
1830 want to use sudo with SSSD at all.
1831
1832 selinux_provider (string)
1833 The provider which should handle loading of SELinux settings. Note
1834 that this provider is called right after the access provider
1835 finishes. Supported SELinux providers are:
1836
1837 “ipa” to load selinux settings from an IPA server. See sssd-ipa(5)
1838 for more information on configuring IPA.
1839
1840 “none” disallows fetching selinux settings explicitly.
1841
1842 Default: “id_provider” is used if it is set and can handle selinux
1843 loading requests.
1844
1845 subdomains_provider (string)
1846 The provider which should handle fetching of subdomains. This value
1847 should always be the same as id_provider. Supported subdomain
1848 providers are:
1849
1850 “ipa” to load a list of subdomains from an IPA server. See sssd-
1851 ipa(5) for more information on configuring IPA.
1852
1853 “ad” to load a list of subdomains from an Active Directory server.
1854 See sssd-ad(5) for more information on configuring the AD provider.
1855
1856 “none” disallows fetching subdomains explicitly.
1857
1858 Default: The value of “id_provider” is used if it is set.
1859
1860 session_provider (string)
1861 The provider which configures and manages user session related
1862 tasks. The only user session task currently provided is the
1863 integration with Fleet Commander, which works only with IPA.
1864 Supported session providers are:
1865
1866 “ipa” to allow performing user session related tasks.
1867
1868 “none” does not perform any kind of user session related tasks.
1869
1870 Default: “id_provider” is used if it is set and can perform session
1871 related tasks.
1872
1873 NOTE: In order to have this feature working as expected SSSD must
1874 be running as "root" and not as the unprivileged user.
1875
1876 autofs_provider (string)
1877 The autofs provider used for the domain. Supported autofs providers
1878 are:
1879
1880 “ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
1881 information on configuring LDAP.
1882
1883 “ipa” to load maps stored in an IPA server. See sssd-ipa(5) for
1884 more information on configuring IPA.
1885
1886 “ad” to load maps stored in an AD server. See sssd-ad(5) for more
1887 information on configuring the AD provider.
1888
1889 “none” disables autofs explicitly.
1890
1891 Default: The value of “id_provider” is used if it is set.
1892
1893 hostid_provider (string)
1894 The provider used for retrieving host identity information.
1895 Supported hostid providers are:
1896
1897 “ipa” to load host identity stored in an IPA server. See sssd-
1898 ipa(5) for more information on configuring IPA.
1899
1900 “none” disables hostid explicitly.
1901
1902 Default: The value of “id_provider” is used if it is set.
1903
1904 resolver_provider (string)
1905 The provider which should handle hosts and networks lookups.
1906 Supported resolver providers are:
1907
1908 “proxy” to forward lookups to another NSS library. See
1909 “proxy_resolver_lib_name”.
1910
1911 “ldap” to fetch hosts and networks stored in LDAP. See sssd-ldap(5)
1912 for more information on configuring LDAP.
1913
1914 “ad” to fetch hosts and networks stored in AD. See sssd-ad(5) for
1915 more information on configuring the AD provider.
1916
1917 “none” disallows fetching hosts and networks explicitly.
1918
1919 Default: The value of “id_provider” is used if it is set.
1920
1921 re_expression (string)
1922 Regular expression for this domain that describes how to parse the
1923 string containing user name and domain into these components. The
1924 "domain" can match either the SSSD configuration domain name, or,
1925 in the case of IPA trust subdomains and Active Directory domains,
1926 the flat (NetBIOS) name of the domain.
1927
1928 Default: “^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$” which
1929 allows two different styles for user names:
1930
1931 • username
1932
1933 • username@domain.name
1934
1935 Default for the AD and IPA provider:
1936 “^(((?P<domain>[^\\]+)\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\]+)))$”
1937 which allows three different styles for user names:
1938
1939 • username
1940
1941 • username@domain.name
1942
1943 • domain\username
1944
1945 While the first two correspond to the general default, the third
1946 one is introduced to allow easy integration of users from Windows
1947 domains.
1948
1949 The default re_expression uses the “@” character as a separator
1950 between the name and the domain. As a result of this setting the
1951 default does not accept the “@” character in short names (as it is
1952 allowed in Windows group names). If a user wishes to use short
1953 names with “@” they must create their own re_expression.
1954
1955 full_name_format (string)
1956 A printf(3)-compatible format that describes how to compose a fully
1957 qualified name from user name and domain name components.
1958
1959 The following expansions are supported:
1960
1961 %1$s
1962 user name
1963
1964 %2$s
1965 domain name as specified in the SSSD config file.
1966
1967 %3$s
1968 domain flat name. Mostly usable for Active Directory domains,
1969 both directly configured or discovered via IPA trusts.
1970
1971 Default: “%1$s@%2$s”.
1972
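To make the two default re_expression patterns and the full_name_format expansions concrete, here is an added Python example (not code from SSSD or from this manual page) that splits several spellings of a login name with the general and the AD/IPA pattern and composes the fully qualified name back. Python's re module rejects duplicate group names, so the page's "name"/"domain" groups are suffixed (name1, name2, ...) and the one that fired is taken; that is an adaptation of the page's patterns, not SSSD's own matcher, and the sample names are constructed.

```python
import re
from typing import Optional, Tuple

# Default re_expression from the page, with the duplicate "name"/"domain"
# group names suffixed so that Python's re module accepts the pattern.
GENERAL_RE = re.compile(r"^((?P<name1>.+)@(?P<domain1>[^@]*)|(?P<name2>[^@]+))$")

# Default re_expression for the AD and IPA providers, suffixed the same way.
# "[^\\]" means "anything but a backslash"; "\\" is one literal backslash.
AD_IPA_RE = re.compile(
    r"^(((?P<domain1>[^\\]+)\\(?P<name1>.+))"
    r"|((?P<name2>.+)@(?P<domain2>[^@]+))"
    r"|((?P<name3>[^@\\]+)))$"
)


def parse_name(pattern: re.Pattern, raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Split a login string into (name, domain) the way re_expression does.

    Returns None when the string does not match at all; the domain is None
    for a short name that carries no domain component."""
    m = pattern.match(raw)
    if m is None:
        return None
    groups = m.groupdict()
    # Only the alternative that matched populates its suffixed groups.
    name = next(v for k, v in groups.items() if k.startswith("name") and v is not None)
    domain = next((v for k, v in groups.items()
                   if k.startswith("domain") and v is not None), None)
    return name, domain


def full_name(fmt: str, name: str, domain: str, flat: str = "") -> str:
    """Expand a full_name_format string: %1$s is the user name, %2$s the
    domain name from sssd.conf, %3$s the flat (NetBIOS) name.  A single
    re.sub pass means a token inside a substituted value is not re-expanded."""
    values = {"1": name, "2": domain, "3": flat}
    return re.sub(r"%([123])\$s", lambda m: values[m.group(1)], fmt)


if __name__ == "__main__":
    # Constructed sample names; "svc@ops" shows the caveat from the page:
    # with the default pattern "@" is always taken as the domain separator.
    for label, pattern in (("general", GENERAL_RE), ("ad/ipa", AD_IPA_RE)):
        for raw in ("jdoe", "jdoe@ad.example.com", "EXAMPLE\\jdoe", "svc@ops"):
            print(f"{label:8} {raw!r:24} -> {parse_name(pattern, raw)}")
    print(full_name("%1$s@%2$s", "jdoe", "ad.example.com", "EXAMPLE"))
    print(full_name("%3$s\\%1$s", "jdoe", "ad.example.com", "EXAMPLE"))
```
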
1973 lookup_family_order (string)
1974 Provides the ability to select preferred address family to use when
1975 performing DNS lookups.
1976
1977 Supported values:
1978
1979 ipv4_first: Try looking up an IPv4 address; if that fails, try IPv6.
1980
1981 ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
1982
1983 ipv6_first: Try looking up an IPv6 address; if that fails, try IPv4.
1984
1985 ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
1986
1987 Default: ipv4_first
1988
1989 dns_resolver_server_timeout (integer)
1990 Defines the amount of time (in milliseconds) SSSD tries to talk to
1991 a DNS server before trying the next DNS server.
1992
1993 The AD provider will use this option for the CLDAP ping timeouts as
1994 well.
1995
1996 Please see the section “FAILOVER” for more information about the
1997 service resolution.
1998
1999 Default: 1000
2000
2001 dns_resolver_op_timeout (integer)
2002 Defines the amount of time (in seconds) to wait for a single DNS
2003 query (e.g. resolution of a hostname or an SRV record) before
2004 trying the next hostname or DNS discovery.
2005
2006 Please see the section “FAILOVER” for more information about the
2007 service resolution.
2008
2009 Default: 3
2010
2011 dns_resolver_timeout (integer)
2012 Defines the amount of time (in seconds) to wait for a reply from
2013 the internal fail over service before assuming that the service is
2014 unreachable. If this timeout is reached, the domain will continue
2015 to operate in offline mode.
2016
2017 Please see the section “FAILOVER” for more information about the
2018 service resolution.
2019
2020 Default: 6
2021
2022 dns_resolver_use_search_list (bool)
2023 Normally, the DNS resolver searches the domain list defined in the
2024 "search" directive from the resolv.conf file. This can lead to
2025 delays in environments with improperly configured DNS.
2026
2027 If fully qualified domain names (or _srv_) are used in the SSSD
2028 configuration, setting this option to FALSE can prevent unnecessary
2029 DNS lookups in such environments.
2030
2031 Default: TRUE
2032
2033 dns_discovery_domain (string)
2034 If service discovery is used in the back end, specifies the domain
2035 part of the service discovery DNS query.
2036
2037 Default: Use the domain part of machine's hostname
2038
2039 override_gid (integer)
2040 Override the primary GID value with the one specified.
2041
2042 case_sensitive (string)
2043 Treat user and group names as case sensitive. Possible option
2044 values are:
2045
2046 True
2047 Case sensitive. This value is invalid for the AD provider.
2048
2049 False
2050 Case insensitive.
2051
2052 Preserving
2053 Same as False (case insensitive), but does not lowercase names
2054 in the result of NSS operations. Note that name aliases (and in
2055 case of services also protocol names) are still lowercased in
2056 the output.
2057
2058 If you want to set this value for a trusted domain with the IPA
2059 provider, you need to set it on both the client and the SSSD on
2060 the server.
2061
2062 This option can be also set per subdomain or inherited via
2063 subdomain_inherit.
2064
2065 Default: True (False for AD provider)
2066
2067 subdomain_inherit (string)
2068 Specifies a list of configuration parameters that should be
2069 inherited by a subdomain. Please note that only selected parameters
2070 can be inherited. Currently the following options can be inherited:
2071
2072 ldap_search_timeout
2073
2074 ldap_network_timeout
2075
2076 ldap_opt_timeout
2077
2078 ldap_offline_timeout
2079
2080 ldap_enumeration_refresh_timeout
2081
2082 ldap_enumeration_refresh_offset
2083
2084 ldap_purge_cache_timeout
2085
2086 ldap_purge_cache_offset
2087
2088 ldap_krb5_keytab (the value of krb5_keytab will be used if
2089 ldap_krb5_keytab is not set explicitly)
2090
2091 ldap_krb5_ticket_lifetime
2092
2093 ldap_enumeration_search_timeout
2094
2095 ldap_connection_expire_timeout
2096
2097 ldap_connection_expire_offset
2098
2099 ldap_connection_idle_timeout
2100
2101 ldap_use_tokengroups
2102
2103 ldap_user_principal
2104
2105 ignore_group_members
2106
2107 auto_private_groups
2108
2109 case_sensitive
2110
2111 Example:
2112
2113 subdomain_inherit = ldap_purge_cache_timeout
2114
2115
2116 Default: none
2117
2118 Note: This option only works with the IPA and AD provider.
2119
2120 subdomain_homedir (string)
2121 Use this homedir as the default value for all subdomains within
2122 this domain in an IPA-AD trust. See override_homedir for info about
2123 possible values. In addition to those, the expansion below can only
2124 be used with subdomain_homedir.
2125
2126 %F
2127 flat (NetBIOS) name of a subdomain.
2128
2129 The value can be overridden by override_homedir option.
2130
2131 Default: /home/%d/%u
2132
2133 realmd_tags (string)
2134 Various tags stored by the realmd configuration service for this
2135 domain.
2136
2137 cached_auth_timeout (int)
2138 Specifies the time in seconds since the last successful online
2139 authentication during which the user is authenticated using cached
2140 credentials while SSSD is in online mode. If the credentials are
2141 incorrect, SSSD falls back to online authentication.
2142
2143 This option's value is inherited by all trusted domains. At the
2144 moment it is not possible to set a different value per trusted
2145 domain.
2146
2147 Special value 0 implies that this feature is disabled.
2148
2149 Please note that if “cached_auth_timeout” is longer than
2150 “pam_id_timeout” then the back end could be called to handle
2151 “initgroups.”
2152
2153 Default: 0
2154
2155 local_auth_policy (string)
2156 Local authentication methods policy. Some backends (e.g. LDAP, the
2157 proxy provider) only support password based authentication, while
2158 others can handle PKINIT based Smartcard authentication (AD, IPA),
2159 two-factor authentication (IPA), or other methods against a central
2160 instance. By default in such cases authentication is only performed
2161 with the methods supported by the backend.
2162
2163 There are three possible values for this option: match, only,
2164 enable. “match” is used to match offline and online states for
2165 Kerberos methods. “only” ignores the online methods and only offers
2166 the local ones. “enable” allows explicitly defining the methods for
2167 local authentication. As an example, “enable:passkey” only enables
2168 passkey for local authentication. Multiple enable values should be
2169 comma-separated, such as “enable:passkey, enable:smartcard”.
2170
2171 Please note that if local Smartcard authentication is enabled and a
2172 Smartcard is present, Smartcard authentication will be preferred
2173 over the authentication methods supported by the backend. I.e.
2174 there will be a PIN prompt instead of e.g. a password prompt.
2175
2176 The following configuration example allows local users to
2177 authenticate locally using any enabled method (i.e. smartcard,
2178 passkey).
2179
2180 [domain/shadowutils]
2181 id_provider = proxy
2182 proxy_lib_name = files
2183 auth_provider = none
2184 local_auth_policy = only
2185
2186 This option is ignored for the files provider.
2187
2188 Default: match
2189
2190 auto_private_groups (string)
2191 This option takes any of three available values:
2192
2193 true
2194 Create user's private group unconditionally from user's UID
2195 number. The GID number is ignored in this case.
2196
2197 NOTE: Because the GID number and the user private group are
2198 inferred from the UID number, it is not supported to have
2199 multiple entries with the same UID or GID number with this
2200 option. In other words, enabling this option enforces
2201 uniqueness across the ID space.
2202
2203 false
2204 Always use the user's primary GID number. The GID number must
2205 refer to a group object in the LDAP database.
2206
2207 hybrid
2208 A primary group is autogenerated for user entries whose UID and
2209 GID numbers have the same value and at the same time the GID
2210 number does not correspond to a real group object in LDAP. If
2211 the values are the same, but the primary GID in the user entry
2212 is also used by a group object, the primary GID of the user
2213 resolves to that group object.
2214
2215 If the UID and GID of a user are different, then the GID must
2216 correspond to a group entry, otherwise the GID is simply not
2217 resolvable.
2218
2219 This feature is useful for environments that wish to stop
2220 maintaining separate group objects for the user private
2221 groups, but also wish to retain the existing user private
2222 groups.
2223
2224 For subdomains, the default value is False for subdomains that use
2225 assigned POSIX IDs and True for subdomains that use automatic
2226 ID-mapping.
2227
2228 The value of auto_private_groups can either be set per subdomain
2229 in a subsection, for example:
2230
2231 [domain/forest.domain/sub.domain]
2232 auto_private_groups = false
2233
2234 or globally for all subdomains in the main domain section using the
2235 subdomain_inherit option:
2236
2237 [domain/forest.domain]
2238 subdomain_inherit = auto_private_groups
2239 auto_private_groups = false
2240
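The three auto_private_groups values decide the primary group from the user's UID and GID and from the group objects that actually exist in LDAP. The following added Python example (not SSSD code; the user records and group GIDs are constructed) encodes that decision table, including the hybrid case where UID equals GID but a real group already uses that GID, and reports the UID/GID collisions that the “true” mode cannot support (the check treats "uniqueness across the ID space" as: no two users with one UID, and no UID equal to an existing group's GID).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int  # gidNumber as stored in the user entry


def resolve_primary_group(mode: str, user: User,
                          ldap_gids: Set[int]) -> Optional[Tuple[str, int]]:
    """Return ("private", gid) when a user private group is synthesised,
    ("group", gid) when the primary GID resolves to a real LDAP group object,
    or None when the GID cannot be resolved at all."""
    mode = mode.lower()
    if mode == "true":
        # The GID in the entry is ignored; the private group mirrors the UID.
        return ("private", user.uid)
    if mode == "false":
        # Only a real group object may serve as the primary group.
        return ("group", user.gid) if user.gid in ldap_gids else None
    if mode == "hybrid":
        if user.uid == user.gid and user.gid not in ldap_gids:
            # UID == GID and no group object carries that GID: autogenerate.
            return ("private", user.uid)
        # Either UID != GID, or the GID is also used by a real group object:
        # the GID resolves to that group or not at all.
        return ("group", user.gid) if user.gid in ldap_gids else None
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def id_space_collisions(users: List[User], ldap_gids: Set[int]) -> List[str]:
    """With auto_private_groups = true every UID implicitly becomes a GID, so
    the ID space has to be unique: report UIDs shared by two users and UIDs
    that would clash with the GID of an existing group object."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for u in users:
        if u.uid in seen:
            problems.append(f"uid {u.uid} shared by {seen[u.uid]} and {u.name}")
        seen.setdefault(u.uid, u.name)
        if u.uid in ldap_gids:
            problems.append(f"uid {u.uid} of {u.name} collides with group gid {u.uid}")
    return problems


if __name__ == "__main__":
    # Constructed directory content: two real group objects.
    groups = {1001, 5000}
    sample = [User("alice", 1000, 1000), User("bob", 1001, 1001),
              User("carol", 1002, 5000), User("dave", 1003, 6000)]
    for mode in ("true", "false", "hybrid"):
        for u in sample:
            print(f"{mode:6} {u.name:6} -> {resolve_primary_group(mode, u, groups)}")
    print(id_space_collisions(sample + [User("eve", 1000, 1000)], groups))
```
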
2241
2242 Options valid for proxy domains.
2243
2244 proxy_pam_target (string)
2245 The proxy target PAM proxies to.
2246
2247 Default: not set. You have to take an existing PAM configuration
2248 or create a new one and add its service name here. As an
2249 alternative you can enable local authentication with the
2250 local_auth_policy option.
2251
2252 proxy_lib_name (string)
2253 The name of the NSS library to use in proxy domains. The NSS
2254 functions searched for in the library are in the form of
2255 _nss_$(libName)_$(function), for example _nss_files_getpwent.
2256
2257 proxy_resolver_lib_name (string)
2258 The name of the NSS library to use for hosts and networks lookups
2259 in proxy domains. The NSS functions searched for in the library are
2260 in the form of _nss_$(libName)_$(function), for example
2261 _nss_dns_gethostbyname2_r.
2262
2263 proxy_fast_alias (boolean)
2264 When a user or group is looked up by name in the proxy provider, a
2265 second lookup by ID is performed to "canonicalize" the name in case
2266 the requested name was an alias. Setting this option to true causes
2267 SSSD to perform the ID lookup from the cache instead, for
2268 performance reasons.
2269
2270 Default: false
2271
2272 proxy_max_children (integer)
2273 This option specifies the number of pre-forked proxy children. It
2274 is useful for high-load SSSD environments where sssd may run out of
2275 available child slots, which would cause some issues due to the
2276 requests being queued.
2277
2278 Default: 10
2279
2280 Application domains
2281 SSSD, with its D-Bus interface (see sssd-ifp(5)), is appealing to
2282 applications as a gateway to an LDAP directory where users and groups
2283 are stored. However, contrary to the traditional SSSD deployment where
2284 all users and groups either have POSIX attributes or those attributes
2285 can be inferred from the Windows SIDs, in many cases the users and
2286 groups in the application support scenario have no POSIX attributes.
2287 Instead of setting a “[domain/NAME]” section, the administrator can set
2288 up an “[application/NAME]” section that internally represents a domain
2289 with type “application” and optionally inherits settings from a
2290 traditional SSSD domain.
2291
2292 Please note that the application domain must still be explicitly
2293 enabled in the “domains” parameter so that the lookup order between the
2294 application domain and its POSIX sibling domain is set correctly.
2295
2296 Application domain parameters
2297
2298 inherit_from (string)
2299 The SSSD POSIX-type domain the application domain inherits all
2300 settings from. The application domain can moreover add its own
2301 settings to the application settings that augment or override the
2302 “sibling” domain settings.
2303
2304 Default: Not set
2305
2306 The following example illustrates the use of an application domain. In
2307 this setup, the POSIX domain is connected to an LDAP server and is used
2308 by the OS through the NSS responder. In addition, the application
2309 domain also requests the telephoneNumber attribute, stores it as the
2310 phone attribute in the cache and makes the phone attribute reachable
2311 through the D-Bus interface.
2312
2313 [sssd]
2314 domains = appdom, posixdom
2315
2316 [ifp]
2317 user_attributes = +phone
2318
2319 [domain/posixdom]
2320 id_provider = ldap
2321 ldap_uri = ldap://ldap.example.com
2322 ldap_search_base = dc=example,dc=com
2323
2324 [application/appdom]
2325 inherit_from = posixdom
2326 ldap_user_extra_attrs = phone:telephoneNumber
2327
2328TRUSTED DOMAIN SECTION
2329 Some options used in the domain section can also be used in the trusted
2330 domain section, that is, in a section called
2331 “[domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]”, where DOMAIN_NAME is the
2332 actual joined-to base domain. Please refer to the examples below for
2333 an explanation. Currently supported options in the trusted domain
2334 section are:
2335
2336 ldap_search_base
2337
2338 ldap_user_search_base
2339
2340 ldap_group_search_base
2341
2342 ldap_netgroup_search_base
2343
2344 ldap_service_search_base
2345
2346 ldap_sasl_mech
2347
2348 ad_server
2349
2350 ad_backup_server
2351
2352 ad_site
2353
2354 use_fully_qualified_names
2355
2356 pam_gssapi_services
2357
2358 pam_gssapi_check_upn
2359
2360 For more details about these options see their individual description
2361 in the manual page.
2362
2363CERTIFICATE MAPPING SECTION
2364 To allow authentication with Smartcards and certificates SSSD must be
2365 able to map certificates to users. This can be done by adding the full
2366 certificate to the LDAP object of the user or to a local override.
2367 While using the full certificate is required to use the Smartcard
2368 authentication feature of SSH (see sss_ssh_authorizedkeys(8) for
2369 details), it might be cumbersome or not even possible to do this for
2370 the general case where local services use PAM for authentication.
2371
2372 To make the mapping more flexible, mapping and matching rules were
2373 added to SSSD (see sss-certmap(5) for details).
2374
2375 A mapping and matching rule can be added to the SSSD configuration in a
2376 section on its own with a name like “[certmap/DOMAIN_NAME/RULE_NAME]”.
2377 In this section the following options are allowed:
2378
2379 matchrule (string)
2380 Only certificates from the Smartcard which match this rule are
2381 processed; all others are ignored.
2382
2383 Default: KRB5:<EKU>clientAuth, i.e. only certificates which have
2384 the Extended Key Usage “clientAuth”.
2385
2386 maprule (string)
2387 Defines how the user is found for a given certificate.
2388
2389 Default:
2390
2391 • LDAP:(userCertificate;binary={cert!bin}) for LDAP based
2392 providers like “ldap”, “AD” or “ipa”.
2393
2394 • The RULE_NAME for the “files” provider which tries to find a
2395 user with the same name.
2396
2397
2398 domains (string)
2399 Comma separated list of domain names the rule should be applied to.
2400 By default a rule is only valid in the domain configured in
2401 sssd.conf. If the provider supports subdomains this option can be
2402 used to add the rule to subdomains as well.
2403
2404 Default: the configured domain in sssd.conf
2405
2406 priority (integer)
2407 Unsigned integer value defining the priority of the rule. The
2408 higher the number the lower the priority. “0” stands for the
2409 highest priority while “4294967295” is the lowest.
2410
2411 Default: the lowest priority
2412
2413 To make the configuration simple and reduce the amount of configuration
2414 options, the “files” provider has some special properties:
2415
2416 • if maprule is not set, the RULE_NAME is assumed to be the name of
2417 the matching user
2418
2419 • if a maprule is used, both a single user name and a template like
2420 “{subject_rfc822_name.short_name}” must be enclosed in parentheses,
2421 e.g. “(username)” or “({subject_rfc822_name.short_name})”
2422
2423 • the “domains” option is ignored
2424
2425
2426PROMPTING CONFIGURATION SECTION
2427 If a special file (/var/lib/sss/pubconf/pam_preauth_available) exists,
2428 SSSD's PAM module pam_sss will ask SSSD to figure out which
2429 authentication methods are available for the user trying to log in.
2430 Based on the results pam_sss will prompt the user for the appropriate
2431 credentials.
2432
2433 With the growing number of authentication methods and the possibility
2434 that there are multiple ones for a single user, the heuristic used by
2435 pam_sss to select the prompting might not be suitable for all use
2436 cases. The following options should provide better flexibility here.
2437
2438 Each supported authentication method has its own configuration
2439 subsection under “[prompting/...]”. Currently there are:
2440
2441 [prompting/password]
2442 to configure password prompting, allowed options are:
2443
2444 password_prompt
2445 to change the string of the password prompt
2446
2447
2448 [prompting/2fa]
2449 to configure two-factor authentication prompting, allowed options
2450 are:
2451
2452 first_prompt
2453 to change the string of the prompt for the first factor
2454
2455 second_prompt
2456 to change the string of the prompt for the second factor
2457
2458 single_prompt
2459 boolean value, if True there will be only a single prompt using
2460 the value of first_prompt where it is expected that both
2461 factors are entered as a single string. Please note that both
2462 factors have to be entered here, even if the second factor is
2463 optional.
2464
2465 If the second factor is optional and it should be possible to log
2466 in either with only the password or with both factors, two-step
2467 prompting has to be used.
2468
2469
2470 It is possible to add a subsection for specific PAM services, e.g.
2471 “[prompting/password/sshd]”, to individually change the prompting for
2472 this service.
2473
2474EXAMPLES
2475 1. The following example shows a typical SSSD config. It does not
2476 describe configuration of the domains themselves - refer to the
2477 documentation on configuring domains for more details.
2478
2479 [sssd]
2480 domains = LDAP
2481 services = nss, pam
2482 config_file_version = 2
2483
2484 [nss]
2485 filter_groups = root
2486 filter_users = root
2487
2488 [pam]
2489
2490 [domain/LDAP]
2491 id_provider = ldap
2492 ldap_uri = ldap://ldap.example.com
2493 ldap_search_base = dc=example,dc=com
2494
2495 auth_provider = krb5
2496 krb5_server = kerberos.example.com
2497 krb5_realm = EXAMPLE.COM
2498 cache_credentials = true
2499
2500 min_id = 10000
2501 max_id = 20000
2502 enumerate = False
2503
2504 2. The following example shows the configuration of an IPA-AD trust
2505 where the AD forest consists of two domains in a parent-child
2506 structure. Suppose the IPA domain (ipa.com) has a trust with the AD
2507 domain (ad.com), which has a child domain (child.ad.com). To enable
2508 short names in the child domain the following configuration should be used.
2509
2510 [domain/ipa.com/child.ad.com]
2511 use_fully_qualified_names = false
2512
2513 3. The following example shows the configuration of a certificate
2514 mapping rule. It is valid for the configured domain “my.domain” and
2515 additionally for the subdomain “your.domain”, and uses the full
2516 certificate in the search filter.
2517
2518 [certmap/my.domain/rule_name]
2519 matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
2520 maprule = (userCertificate;binary={cert!bin})
2521 domains = my.domain, your.domain
2522 priority = 10
2523
2524
2525SEE ALSO
2526 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-
2527 krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-
2528 sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
2529 sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
2530 sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
2531 pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).
2532
2533AUTHORS
2534 The SSSD upstream - https://github.com/SSSD/sssd/
2535
2536
2537
2538SSSD 11/15/2023 SSSD.CONF(5)