table of contents
SSSD.CONF(5) | File Formats and Conventions | SSSD.CONF(5) |
NAME¶
sssd.conf - the configuration file for SSSD
FILE FORMAT¶
The file has an ini-style syntax and consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. An example of section with single and multi-valued parameters:
[section] key = value key2 = value2,value3
The data types used are string (no quotes needed), integer and bool (with values of “TRUE/FALSE”).
A line comment starts with a hash sign (“#”) or a semicolon (“;”). Inline comments are not supported.
All sections can have an optional description parameter. Its function is only as a label for the section.
sssd.conf must be a regular file, owned by root and only root may read from or write to the file.
GENERAL OPTIONS¶
Following options are usable in more than one configuration sections.
Options usable in all sections¶
debug_level (integer)
Please note that each SSSD service logs into its own log file. Also please note that enabling “debug_level” in the “[sssd]” section only enables debugging just for the sssd process itself, not for the responder or provider processes. The “debug_level” parameter should be added to all sections that you wish to produce debug logs from.
In addition to changing the log level in the config file using the “debug_level” parameter, which is persistent, but requires SSSD restart, it is also possible to change the debug level on the fly using the sss_debuglevel(8) tool.
Currently supported debug levels:
0, 0x0010: Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running.
1, 0x0020: Critical failures. An error that doesn´t kill the SSSD, but one that indicates that at least one major feature is not going to work properly.
2, 0x0040: Serious failures. An error announcing that a particular request or operation has failed.
3, 0x0080: Minor failures. These are the errors that would percolate down to cause the operation failure of 2.
4, 0x0100: Configuration settings.
5, 0x0200: Function data.
6, 0x0400: Trace messages for operation functions.
7, 0x1000: Trace messages for internal control functions.
8, 0x2000: Contents of function-internal variables that may be interesting.
9, 0x4000: Extremely low-level tracing information.
To log required bitmask debug levels, simply add their numbers together as shown in following examples:
Example: To log fatal failures, critical failures, serious failures and function data use 0x0270.
Example: To log fatal failures, configuration settings, function data, trace messages for internal control functions use 0x1310.
Note: The bitmask format of debug levels was introduced in 1.7.0.
Default: 0
debug_timestamps (bool)
Default: true
debug_microseconds (bool)
Default: false
Options usable in SERVICE and DOMAIN sections¶
timeout (integer)
Default: 10
SPECIAL SECTIONS¶
The [sssd] section¶
Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. The services are managed by a special service frequently called “monitor”. The “[sssd]” section is used to configure the monitor as well as some other important options like the identity domains.
Section parameters
config_file_version (integer)
services
Supported services: nss, pam , sudo , autofs , ssh , pac , ifp
reconnection_retries (integer)
Default: 3
domains
re_expression (string)
Each domain can have an individual regular expression configured. For some ID providers there are also default regular expressions. See DOMAIN SECTIONS for more info on these regular expressions.
full_name_format (string)
The following expansions are supported:
%1$s
%2$s
%3$s
Each domain can have an individual format string configured. see DOMAIN SECTIONS for more info on this option.
try_inotify (boolean)
There are some limited situations where it is preferred that we should skip even trying to use inotify. In these rare cases, this option should be set to ´false´
Default: true on platforms where inotify is supported. False on other platforms.
Note: this option will have no effect on platforms where inotify is unavailable. On these platforms, polling will always be used.
krb5_rcache_dir (string)
This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct SSSD to let libkrb5 decide the appropriate location for the replay cache.
Default: Distribution-specific and specified at build-time. (__LIBKRB5_DEFAULTS__ if not configured)
user (string)
Default: not set, process will run as root
default_domain_suffix (string)
Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. user@domain.name, to log in. Setting this option changes default of use_fully_qualified_names to True. It is not allowed to use this option together with use_fully_qualified_names set to False.
Default: not set
override_space (string)
Please note it is a configuration error to use a replacement character that might be used in user or group names. If a name contains the replacement character SSSD tries to return the unmodified name but in general the result of a lookup is undefined.
Default: not set (spaces will not be replaced)
certificate_verification (string)
no_ocsp
no_verification
ocsp_default_responder=URL
This option must be used together with ocsp_default_responder_signing_cert.
ocsp_default_responder_signing_cert=NAME
This option must be used together with ocsp_default_responder.
Unknown options are reported but ignored.
Default: not set, i.e. do not restrict certificate vertification
SERVICES SECTIONS¶
Settings that can be used to configure different services are described in this section. They should reside in the [$NAME] section, for example, for NSS service, the section would be “[nss]”
General service configuration options¶
These options can be used to configure any service.
reconnection_retries (integer)
Default: 3
fd_limit
Default: 8192 (or limits.conf "hard" limit)
client_idle_timeout
Default: 60
force_timeout (integer)
Default: 60
offline_timeout (integer)
offline_timeout + random_offset
The random offset can increment up to 30 seconds. After each unsuccessful attempt to go online, the new interval is recalculated by the following:
new_interval = old_interval*2 + random_offset
Note that the maximum length of each interval is currently limited to one hour. If the calculated length of new_interval is greater than an hour, it will be forced to one hour.
Default: 60
subdomain_inherit (string)
ignore_group_members
ldap_purge_cache_timeout
ldap_use_tokengroups
ldap_user_principal
Example:
subdomain_inherit = ldap_purge_cache_timeout
Default: none
NSS configuration options¶
These options can be used to configure the Name Service Switch (NSS) service.
enum_cache_timeout (integer)
Default: 120
entry_cache_nowait_percentage (integer)
For example, if the domain´s entry_cache_timeout is set to 30s and entry_cache_nowait_percentage is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be returned immediately, but the SSSD will go and update the cache on its own, so that future requests will not need to block waiting for a cache update.
Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for each domain. For performance reasons, this percentage will never reduce the nowait timeout to less than 10 seconds. (0 disables this feature)
Default: 50
entry_negative_timeout (integer)
Default: 15
filter_users, filter_groups (string)
Default: root
filter_users_in_groups (bool)
Default: true
override_homedir (string)
%u
%U
%d
%f
%P
%o
%H
%%
This option can also be set per-domain.
example:
override_homedir = /home/%u
Default: Not set (SSSD will use the value retrieved from LDAP)
homedir_substring (string)
Default: /home
fallback_homedir (string)
The available values for this option are the same as for override_homedir.
example:
fallback_homedir = /home/%u
Default: not set (no substitution for unset home directories)
override_shell (string)
Default: not set (SSSD will use the value retrieved from LDAP)
allowed_shells (string)
1. If the shell is present in “/etc/shells”, it is used.
2. If the shell is in the allowed_shells list but not in “/etc/shells”, use the value of the shell_fallback parameter.
3. If the shell is not in the allowed_shells list and not in “/etc/shells”, a nologin shell is used.
The wildcard (*) can be used to allow any shell.
The (*) is useful if you want to use shell_fallback in case that user´s shell is not in “/etc/shells” and maintaining list of all allowed shells in allowed_shells would be to much overhead.
An empty string for shell is passed as-is to libc.
The “/etc/shells” is only read on SSSD start up, which means that a restart of the SSSD is required in case a new shell is installed.
Default: Not set. The user shell is automatically used.
vetoed_shells (string)
shell_fallback (string)
Default: /bin/sh
default_shell
Default: not set (Return NULL if no shell is specified and rely on libc to substitute something sensible when necessary, usually /bin/sh)
get_domains_timeout (int)
Default: 60
memcache_timeout (int)
Default: 300
NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client applications will not use the fast in-memory cache.
user_attributes (string)
To make configuration more easy the NSS responder will check the InfoPipe option if it is not set for the NSS responder.
Default: not set, fallback to InfoPipe option
PAM configuration options¶
These options can be used to configure the Pluggable Authentication Module (PAM) service.
offline_credentials_expiration (integer)
Default: 0 (No limit)
offline_failed_login_attempts (integer)
Default: 0 (No limit)
offline_failed_login_delay (integer)
If set to 0 the user cannot authenticate offline if offline_failed_login_attempts has been reached. Only a successful online authentication can enable offline authentication again.
Default: 5
pam_verbosity (integer)
Currently sssd supports the following values:
0: do not show any message
1: show only important messages
2: show informational messages
3: show all messages and debug information
Default: 1
pam_response_filter (integer)
While messages already can be controlled with the help of the pam_verbosity option this option allows to filter out other kind of responses as well.
Currently the following filters are supported:
ENV
ENV:var_name
ENV:var_name:service
Default: not set
Example: ENV:KRB5CCNAME:sudo-i
pam_id_timeout (integer)
A complete PAM conversation may perform multiple PAM requests, such as account management and session opening. This option controls (on a per-client-application basis) how long (in seconds) we can cache the identity information to avoid excessive round-trips to the identity provider.
Default: 5
pam_pwd_expiration_warning (integer)
Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning.
If zero is set, then this filter is not applied, i.e. if the expiration warning was received from backend server, it will automatically be displayed.
This setting can be overridden by setting pwd_expiration_warning for a particular domain.
Default: 0
get_domains_timeout (int)
Default: 60
pam_trusted_users (string)
Default: all (All users are allowed to access the PAM responder)
Please note that UID 0 is always allowed to access the PAM responder even in case it is not in the pam_trusted_users list.
pam_public_domains (string)
Two special values for pam_public_domains option are defined:
all (Untrusted users are allowed to access all domains in PAM responder.)
none (Untrusted users are not allowed to access any domains PAM in responder.)
Default: none
pam_account_expired_message (string)
Note: Please be aware that message is only printed for the SSH service unless pam_verbostiy is set to 3 (show all messages and debug information).
example:
pam_account_expired_message = Account expired, please contact help desk.
Default: none
pam_account_locked_message (string)
example:
pam_account_locked_message = Account locked, please contact help desk.
Default: none
pam_cert_auth (bool)
Default: False
pam_cert_db_path (string)
Default: /etc/pki/nssdb (NSS version)
p11_child_timeout (integer)
Default: 10
SUDO configuration options¶
These options can be used to configure the sudo service. The detailed instructions for configuration of sudo(8) to work with sssd(8) are in the manual page sssd-sudo(5).
sudo_timed (bool)
Default: false
AUTOFS configuration options¶
These options can be used to configure the autofs service.
autofs_negative_timeout (integer)
Default: 15
Please note that the automounter only reads the master map on startup, so if any autofs-related changes are made to the sssd.conf, you typically also need to restart the automounter daemon after restarting the SSSD.
SSH configuration options¶
These options can be used to configure the SSH service.
ssh_hash_known_hosts (bool)
Default: true
ssh_known_hosts_timeout (integer)
Default: 180
ca_db (string)
Default: /etc/pki/nssdb
PAC responder configuration options¶
The PAC responder works together with the authorization data plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the PAC data during a GSSAPI authentication to the PAC responder. The sub-domain provider collects domain SID and ID ranges of the domain the client is joined to and of remote trusted domains from the local domain controller. If the PAC is decoded and evaluated some of the following operations are done:
These options can be used to configure the PAC responder.
allowed_uids (string)
Default: 0 (only the root user is allowed to access the PAC responder)
Please note that although the UID 0 is used as the default it will be overwritten with this option. If you still want to allow the root user to access the PAC responder, which would be the typical case, you have to add 0 to the list of allowed UIDs as well.
DOMAIN SECTIONS¶
These configuration options can be present in a domain configuration section, that is, in a section called “[domain/NAME]”
min_id,max_id (integer)
For users, this affects the primary GID limit. The user will not be returned to NSS if either the UID or the primary GID is outside the range. For non-primary group memberships, those that are in range will be reported as expected.
These ID limits affect even saving entries to cache, not only returning them by name or ID.
Default: 1 for min_id, 0 (no limit) for max_id
enumerate (bool)
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration is running. It may take up to several minutes after SSSD startup to fully complete enumerations. During this time, individual requests for information will go directly to LDAP, though it may be slow, due to the heavy enumeration processing. Saving a large number of entries to cache after the enumeration completes might also be CPU intensive as the memberships have to be recomputed.
While the first enumeration is running, requests for the complete user or group lists may return no results until it completes.
Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.
For the reasons cited above, enabling enumeration is not recommended, especially in large environments.
subdomain_enumerate (string)
all
none
Optionally, a list of one or more domain names can enable enumeration just for these trusted domains.
Default: none
force_timeout (integer)
Default: 60
entry_cache_timeout (integer)
The cache expiration timestamps are stored as attributes of individual objects in the cache. Therefore, changing the cache timeout only has effect for newly added or expired entries. You should run the sss_cache(8) tool in order to force refresh of entries that have already been cached.
Default: 5400
entry_cache_user_timeout (integer)
Default: entry_cache_timeout
entry_cache_group_timeout (integer)
Default: entry_cache_timeout
entry_cache_netgroup_timeout (integer)
Default: entry_cache_timeout
entry_cache_service_timeout (integer)
Default: entry_cache_timeout
entry_cache_sudo_timeout (integer)
Default: entry_cache_timeout
entry_cache_autofs_timeout (integer)
Default: entry_cache_timeout
entry_cache_ssh_host_timeout (integer)
Default: entry_cache_timeout
refresh_expired_interval (integer)
The background refresh will process users, groups and netgroups in the cache.
You can consider setting this value to 3/4 * entry_cache_timeout.
Default: 0 (disabled)
cache_credentials (bool)
User credentials are stored in a SHA512 hash, not in plaintext
Default: FALSE
cache_credentials_minimal_first_factor_length (int)
This should avoid that the short PINs of a PIN based 2FA scheme are saved in the cache which would make them easy targets for brute-force attacks.
Default: 8
account_cache_expiration (integer)
Default: 0 (unlimited)
pwd_expiration_warning (integer)
If zero is set, then this filter is not applied, i.e. if the expiration warning was received from backend server, it will automatically be displayed.
Please note that the backend server has to provide information about the expiration time of the password. If this information is missing, sssd cannot display a warning. Also an auth provider has to be configured for the backend.
Default: 7 (Kerberos), 0 (LDAP)
id_provider (string)
“proxy”: Support a legacy NSS provider
“local”: SSSD internal provider for local users
“ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
use_fully_qualified_names (bool)
If set to TRUE, all requests to this domain must use fully qualified names. For example, if used in LOCAL domain that contains a "test" user, getent passwd test wouldn´t find the user while getent passwd test@LOCAL would.
NOTE: This option has no effect on netgroup lookups due to their tendency to include nested netgroups without qualified names. For netgroups, all domains will be searched when an unqualified name is requested.
Default: FALSE (TRUE if default_domain_suffix is used)
ignore_group_members (bool)
If set to TRUE, the group membership attribute is not requested from the ldap server, and group members are not returned when processing group lookup calls, such as getgrnam(3) or getgrgid(3). As an effect, “getent group $groupname” would return the requested group as if it was empty.
Enabling this option can also make access provider checks for group membership significantly faster, especially for groups containing many members.
Default: FALSE
auth_provider (string)
“ldap” for native LDAP authentication. See sssd-ldap(5) for more information on configuring LDAP.
“krb5” for Kerberos authentication. See sssd-krb5(5) for more information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
“proxy” for relaying authentication to some other PAM target.
“local”: SSSD internal provider for local users
“none” disables authentication explicitly.
Default: “id_provider” is used if it is set and can handle authentication requests.
access_provider (string)
“permit” always allow access. It´s the only permitted access provider for a local domain.
“deny” always deny access.
“ldap” for native LDAP authentication. See sssd-ldap(5) for more information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
“simple” access control based on access or deny lists. See sssd-simple(5) for more information on configuring the simple access module.
Default: “permit”
chpass_provider (string)
“ldap” to change a password stored in a LDAP server. See sssd-ldap(5) for more information on configuring LDAP.
“krb5” to change the Kerberos password. See sssd-krb5(5) for more information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
“proxy” for relaying password changes to some other PAM target.
“none” disallows password changes explicitly.
Default: “auth_provider” is used if it is set and can handle change password requests.
sudo_provider (string)
“ldap” for rules stored in LDAP. See sssd-ldap(5) for more information on configuring LDAP.
“ipa” the same as “ldap” but with IPA default settings.
“ad” the same as “ldap” but with AD default settings.
“none” disables SUDO explicitly.
Default: The value of “id_provider” is used if it is set.
The detailed instructions for configuration of sudo_provider are in the manual page sssd-sudo(5). There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5).
selinux_provider (string)
“ipa” to load selinux settings from an IPA server. See sssd-ipa(5) for more information on configuring IPA.
“none” disallows fetching selinux settings explicitly.
Default: “id_provider” is used if it is set and can handle selinux loading requests.
subdomains_provider (string)
“ipa” to load a list of subdomains from an IPA server. See sssd-ipa(5) for more information on configuring IPA.
“ad” to load a list of subdomains from an Active Directory server. See sssd-ad(5) for more information on configuring the AD provider.
“none” disallows fetching subdomains explicitly.
Default: The value of “id_provider” is used if it is set.
autofs_provider (string)
“ldap” to load maps stored in LDAP. See sssd-ldap(5) for more information on configuring LDAP.
“ipa” to load maps stored in an IPA server. See sssd-ipa(5) for more information on configuring IPA.
“ad” to load maps stored in an AD server. See sssd-ad(5) for more information on configuring the AD provider.
“none” disables autofs explicitly.
Default: The value of “id_provider” is used if it is set.
hostid_provider (string)
“ipa” to load host identity stored in an IPA server. See sssd-ipa(5) for more information on configuring IPA.
“none” disables hostid explicitly.
Default: The value of “id_provider” is used if it is set.
re_expression (string)
Default for the AD and IPA provider: “(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))” which allows three different styles for user names:
Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to "the name is everything up to the “@” sign, the domain everything after that"
PLEASE NOTE: the support for non-unique named subpatterns is not available on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre version 7 or higher can support non-unique named subpatterns.
PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?P<name>) to label subpatterns.
full_name_format (string)
The following expansions are supported:
%1$s
%2$s
%3$s
Default: “%1$s@%2$s”.
lookup_family_order (string)
Supported values:
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
Default: ipv4_first
dns_resolver_timeout (integer)
Default: 6
dns_discovery_domain (string)
Default: Use the domain part of machine´s hostname
override_gid (integer)
case_sensitive (string)
True
False
Preserving
Default: True (False for AD provider)
proxy_fast_alias (boolean)
Default: false
subdomain_homedir (string)
%F
The value can be overridden by override_homedir option.
Default: /home/%d/%u
realmd_tags (string)
cached_auth_timeout (int)
Special value 0 implies that this feature is disabled.
Please note that if “cached_auth_timeout” is longer than “pam_id_timeout” then the back end could be called to handle “initgroups.”
Default: 0
Options valid for proxy domains.
proxy_pam_target (string)
Default: not set by default, you have to take an existing pam configuration or create a new one and add the service name here.
proxy_lib_name (string)
proxy_max_children (integer)
Default: 10
The local domain section¶
This section contains settings for domain that stores users and groups in SSSD native database, that is, a domain that uses id_provider=local.
Section parameters
default_shell (string)
Default: /bin/bash
base_directory (string)
Default: /home
create_homedir (bool)
Default: TRUE
remove_homedir (bool)
Default: TRUE
homedir_umask (integer)
Default: 077
skel_dir (string)
Default: /etc/skel
mail_dir (string)
Default: /var/mail
userdel_cmd (string)
Default: None, no command is run
EXAMPLE¶
The following example shows a typical SSSD config. It does not describe configuration of the domains themselves - refer to documentation on configuring domains for more details.
[sssd] domains = LDAP services = nss, pam config_file_version = 2 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true min_id = 10000 max_id = 20000 enumerate = False
SEE ALSO¶
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-sudo(5), sss_cache(8), sss_debuglevel(8), sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
AUTHORS¶
The SSSD upstream - http://fedorahosted.org/sssd
01/16/2019 | SSSD |