table of contents
other versions
- wheezy 1.8.4-2
- wheezy-backports 1.11.7.3-3~bpo70+1
- jessie 1.11.7-3
- testing 1.15.0-3
- unstable 1.15.2-1
SSSD.CONF(5) | File Formats and Conventions | SSSD.CONF(5) |
NAME¶
sssd.conf - the configuration file for SSSDFILE FORMAT¶
The file has an ini-style syntax and consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. An example of section with single and multi-valued parameters:[section] key = value key2 = value2,value3
SPECIAL SECTIONS¶
The [sssd] section¶
Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. The services are managed by a special service frequently called “monitor”. The “[sssd]” section is used to configure the monitor as well as some other important options like the identity domains. Section parameters config_file_version (integer)Indicates what is the syntax of the config
file. SSSD 0.6.0 and later use version 2.
services
Comma separated list of services that are
started when sssd itself starts.
Supported services: nss, pam , sudo , autofs , ssh , ifp
reconnection_retries (integer)
Number of times services should attempt to
reconnect in the event of a Data Provider crash or restart before they give up
Default: 3
domains
A domain is a database containing user
information. SSSD can use more domains at the same time, but at least one must
be configured or SSSD won't start. This parameter described the list of
domains in the order you want them to be queried. A domain name should only
consist of alphanumeric ASCII characters, dashes and underscores.
re_expression (string)
Default regular expression that describes how
to parse the string containing user name and domain into these components.
Each domain can have an individual regular expression configured. For some ID
providers there are also default regular expressions. See DOMAIN SECTIONS for
more info on these regular expressions.
full_name_format (string)
A printf(3)-compatible format that
describes how to compose a fully qualified name from user name and domain name
components.
The following expansions are supported:
%1$s
Each domain can have an individual format string configured. see DOMAIN SECTIONS
for more info on this option.
try_inotify (boolean)
user name
%2$s
domain name as specified in the SSSD config
file.
%3$s
domain flat name. Mostly usable for Active
Directory domains, both directly configured or discovered via IPA
trusts.
SSSD monitors the state of resolv.conf to
identify when it needs to update its internal DNS resolver. By default, we
will attempt to use inotify for this, and will fall back to polling
resolv.conf every five seconds if inotify cannot be used.
There are some limited situations where it is preferred that we should skip even
trying to use inotify. In these rare cases, this option should be set to
'false'
Default: true on platforms where inotify is supported. False on other platforms.
Note: this option will have no effect on platforms where inotify is unavailable.
On these platforms, polling will always be used.
krb5_rcache_dir (string)
Directory on the filesystem where SSSD should
store Kerberos replay cache files.
This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct SSSD
to let libkrb5 decide the appropriate location for the replay cache.
Default: Distribution-specific and specified at build-time.
(__LIBKRB5_DEFAULTS__ if not configured)
default_domain_suffix (string)
This string will be used as a default domain
name for all names without a domain name component. The main use case is
environments where the primary domain is intended for managing host policies
and all users are located in a trusted domain. The option allows those users
to log in just with their user name without giving a domain name as well.
Please note that if this option is set all users from the primary domain have to
use their fully qualified name, e.g. user@domain.name, to log in.
Default: not set
override_space (string)
This parameter will replace spaces (space bar)
with the given character for user and group names. e.g. (_). User name
"john doe" will be "john_doe" This feature was added to
help compatibility with shell scripts that have difficulty handling spaces,
due to the default field separator in the shell.
Please note it is a configuration error to use a replacement character that
might be used in user or group names. If a name contains the replacement
character SSSD tries to return the unmodified name but in general the result
of a lookup is undefined.
Default: not set (spaces will not be replaced)
SERVICES SECTIONS¶
Settings that can be used to configure different services are described in this section. They should reside in the [ $NAME] section, for example, for NSS service, the section would be “[nss]”General service configuration options¶
These options can be used to configure any service. debug_level (integer)SSSD supports two representations for
specifying the debug level. The simplest is to specify a decimal value from
0-9, which represents enabling that level and all lower-level debug messages.
The more comprehensive option is to specify a hexadecimal bitmask to enable or
disable specific levels (such as if you wish to suppress a level).
Currently supported debug levels:
0, 0x0010: Fatal failures. Anything that would prevent SSSD from
starting up or causes it to cease running.
1, 0x0020: Critical failures. An error that doesn't kill the SSSD,
but one that indicates that at least one major feature is not going to work
properly.
2, 0x0040: Serious failures. An error announcing that a particular
request or operation has failed.
3, 0x0080: Minor failures. These are the errors that would
percolate down to cause the operation failure of 2.
4, 0x0100: Configuration settings.
5, 0x0200: Function data.
6, 0x0400: Trace messages for operation functions.
7, 0x1000: Trace messages for internal control functions.
8, 0x2000: Contents of function-internal variables that may be
interesting.
9, 0x4000: Extremely low-level tracing information.
To log required bitmask debug levels, simply add their numbers together as shown
in following examples:
Example: To log fatal failures, critical failures, serious failures and
function data use 0x0270.
Example: To log fatal failures, configuration settings, function data,
trace messages for internal control functions use 0x1310.
Note: The bitmask format of debug levels was introduced in 1.7.0.
Default: 0
debug_timestamps (bool)
Add a timestamp to the debug messages
Default: true
debug_microseconds (bool)
Add microseconds to the timestamp in debug
messages
Default: false
timeout (integer)
Timeout in seconds between heartbeats for this
service. This is used to ensure that the process is alive and capable of
answering requests.
Default: 10
reconnection_retries (integer)
Number of times services should attempt to
reconnect in the event of a Data Provider crash or restart before they give up
Default: 3
fd_limit
This option specifies the maximum number of
file descriptors that may be opened at one time by this SSSD process. On
systems where SSSD is granted the CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this capability, the resulting value will
be the lower value of this or the limits.conf "hard" limit.
Default: 8192 (or limits.conf "hard" limit)
client_idle_timeout
This option specifies the number of seconds
that a client of an SSSD process can hold onto a file descriptor without
communicating on it. This value is limited in order to avoid resource
exhaustion on the system.
Default: 60
force_timeout (integer)
If a service is not responding to ping checks
(see the “timeout” option), it is first sent the SIGTERM signal
that instructs it to quit gracefully. If the service does not terminate after
“force_timeout” seconds, the monitor will forcibly shut it down by
sending a SIGKILL signal.
Default: 60
NSS configuration options¶
These options can be used to configure the Name Service Switch (NSS) service. enum_cache_timeout (integer)How many seconds should nss_sss cache
enumerations (requests for info about all users)
Default: 120
entry_cache_nowait_percentage (integer)
The entry cache can be set to automatically
update entries in the background if they are requested beyond a percentage of
the entry_cache_timeout value for the domain.
For example, if the domain's entry_cache_timeout is set to 30s and
entry_cache_nowait_percentage is set to 50 (percent), entries that come in
after 15 seconds past the last cache update will be returned immediately, but
the SSSD will go and update the cache on its own, so that future requests will
not need to block waiting for a cache update.
Valid values for this option are 0-99 and represent a percentage of the
entry_cache_timeout for each domain. For performance reasons, this percentage
will never reduce the nowait timeout to less than 10 seconds. (0 disables this
feature)
Default: 50
entry_negative_timeout (integer)
Specifies for how many seconds nss_sss should
cache negative cache hits (that is, queries for invalid database entries, like
nonexistent ones) before asking the back end again.
Default: 15
filter_users, filter_groups (string)
Exclude certain users from being fetched from
the sss NSS database. This is particularly useful for system accounts. This
option can also be set per-domain or include fully-qualified names to filter
only users from the particular domain.
Default: root
filter_users_in_groups (bool)
If you want filtered user still be group
members set this option to false.
Default: true
override_homedir (string)
Override the user's home directory. You can
either provide an absolute value or a template. In the template, the following
sequences are substituted:
%u
This option can also be set per-domain.
example:
Default: Not set (SSSD will use the value retrieved from LDAP)
homedir_substring (string)
login name
%U
UID number
%d
domain name
%f
fully qualified user name (user@domain)
%o
The original home directory retrieved from the
identity provider.
%H
The value of configure option
homedir_substring.
%%
a literal '%'
override_homedir = /home/%u
The value of this option will be used in the
expansion of the override_homedir option if the template contains the
format string %H. An LDAP directory entry can directly contain this
template so that this option can be used to expand the home directory path for
each client machine (or operating system). It can be set per-domain or
globally in the [nss] section. A value specified in a domain section will
override one set in the [nss] section.
Default: /home
fallback_homedir (string)
Set a default template for a user's home
directory if one is not specified explicitly by the domain's data provider.
The available values for this option are the same as for override_homedir.
example:
Default: not set (no substitution for unset home directories)
override_shell (string)
fallback_homedir = /home/%u
Override the login shell for all users. This
option supersedes any other shell options if it takes effect and can be set
either in the [nss] section or per-domain.
Default: not set (SSSD will use the value retrieved from LDAP)
allowed_shells (string)
Restrict user shell to one of the listed
values. The order of evaluation is:
1. If the shell is present in “/etc/shells”, it is used.
2. If the shell is in the allowed_shells list but not in
“/etc/shells”, use the value of the shell_fallback parameter.
3. If the shell is not in the allowed_shells list and not in
“/etc/shells”, a nologin shell is used.
An empty string for shell is passed as-is to libc.
The “/etc/shells” is only read on SSSD start up, which means that a
restart of the SSSD is required in case a new shell is installed.
Default: Not set. The user shell is automatically used.
vetoed_shells (string)
Replace any instance of these shells with the
shell_fallback
shell_fallback (string)
The default shell to use if an allowed shell
is not installed on the machine.
Default: /bin/sh
default_shell
The default shell to use if the provider does
not return one during lookup. This option can be specified globally in the
[nss] section or per-domain.
Default: not set (Return NULL if no shell is specified and rely on libc to
substitute something sensible when necessary, usually /bin/sh)
get_domains_timeout (int)
Specifies time in seconds for which the list
of subdomains will be considered valid.
Default: 60
memcache_timeout (int)
Specifies time in seconds for which records in
the in-memory cache will be valid
Default: 300
PAM configuration options¶
These options can be used to configure the Pluggable Authentication Module (PAM) service. offline_credentials_expiration (integer)If the authentication provider is offline, how
long should we allow cached logins (in days since the last successful online
login).
Default: 0 (No limit)
offline_failed_login_attempts (integer)
If the authentication provider is offline, how
many failed login attempts are allowed.
Default: 0 (No limit)
offline_failed_login_delay (integer)
The time in minutes which has to pass after
offline_failed_login_attempts has been reached before a new login attempt is
possible.
If set to 0 the user cannot authenticate offline if
offline_failed_login_attempts has been reached. Only a successful online
authentication can enable offline authentication again.
Default: 5
pam_verbosity (integer)
Controls what kind of messages are shown to
the user during authentication. The higher the number to more messages are
displayed.
Currently sssd supports the following values:
0: do not show any message
1: show only important messages
2: show informational messages
3: show all messages and debug information
Default: 1
pam_id_timeout (integer)
For any PAM request while SSSD is online, the
SSSD will attempt to immediately update the cached identity information for
the user in order to ensure that authentication takes place with the latest
information.
A complete PAM conversation may perform multiple PAM requests, such as account
management and session opening. This option controls (on a
per-client-application basis) how long (in seconds) we can cache the identity
information to avoid excessive round-trips to the identity provider.
Default: 5
pam_pwd_expiration_warning (integer)
Display a warning N days before the password
expires.
Please note that the backend server has to provide information about the
expiration time of the password. If this information is missing, sssd cannot
display a warning.
If zero is set, then this filter is not applied, i.e. if the expiration warning
was received from backend server, it will automatically be displayed.
This setting can be overridden by setting pwd_expiration_warning for a
particular domain.
Default: 0
get_domains_timeout (int)
Specifies time in seconds for which the list
of subdomains will be considered valid.
Default: 60
SUDO configuration options¶
These options can be used to configure the sudo service. The detailed instructions for configuration of sudo(8) to work with sssd(8) are in the manual page sssd-sudo(5). sudo_timed (bool)Whether or not to evaluate the sudoNotBefore
and sudoNotAfter attributes that implement time-dependent sudoers entries.
Default: false
AUTOFS configuration options¶
These options can be used to configure the autofs service. autofs_negative_timeout (integer)Specifies for how many seconds should the
autofs responder negative cache hits (that is, queries for invalid map
entries, like nonexistent ones) before asking the back end again.
Default: 15
Please note that the automounter only reads the master map on startup, so if any
autofs-related changes are made to the sssd.conf, you typically also need to
restart the automounter daemon after restarting the SSSD.
SSH configuration options¶
These options can be used to configure the SSH service. ssh_hash_known_hosts (bool)Whether or not to hash host names and
addresses in the managed known_hosts file.
Default: true
ssh_known_hosts_timeout (integer)
How many seconds to keep a host in the managed
known_hosts file after its host keys were requested.
Default: 180
DOMAIN SECTIONS¶
These configuration options can be present in a domain configuration section, that is, in a section called “[domain/ NAME]” min_id,max_id (integer)UID and GID limits for the domain. If a domain
contains an entry that is outside these limits, it is ignored.
For users, this affects the primary GID limit. The user will not be returned to
NSS if either the UID or the primary GID is outside the range. For non-primary
group memberships, those that are in range will be reported as expected.
These ID limits affect even saving entries to cache, not only returning them by
name or ID.
Default: 1 for min_id, 0 (no limit) for max_id
enumerate (bool)
Determines if a domain can be enumerated. This
parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on SSSD while
enumeration is running. It may take up to several minutes after SSSD startup
to fully complete enumerations. During this time, individual requests for
information will go directly to LDAP, though it may be slow, due to the heavy
enumeration processing. Saving a large number of entries to cache after the
enumeration completes might also be CPU intensive as the memberships have to
be recomputed.
While the first enumeration is running, requests for the complete user or group
lists may return no results until it completes.
Further, enabling enumeration may increase the time necessary to detect network
disconnection, as longer timeouts are required to ensure that enumeration
lookups are completed successfully. For more information, refer to the man
pages for the specific id_provider in use.
For the reasons cited above, enabling enumeration is not recommended, especially
in large environments.
subdomain_enumerate (string)
Whether any of autodetected trusted domains
should be enumerated. The supported values are:
all
Optionally, a list of one or more domain names can enable enumeration just for
these trusted domains.
Default: none
force_timeout (integer)
All discovered trusted domains will be
enumerated
none
No discovered trusted domains will be
enumerated
If a service is not responding to ping checks
(see the “timeout” option), it is first sent the SIGTERM signal
that instructs it to quit gracefully. If the service does not terminate after
“force_timeout” seconds, the monitor will forcibly shut it down by
sending a SIGKILL signal.
Default: 60
entry_cache_timeout (integer)
How many seconds should nss_sss consider
entries valid before asking the backend again
The cache expiration timestamps are stored as attributes of individual objects
in the cache. Therefore, changing the cache timeout only has effect for newly
added or expired entries. You should run the sss_cache(8) tool in order
to force refresh of entries that have already been cached.
Default: 5400
entry_cache_user_timeout (integer)
How many seconds should nss_sss consider user
entries valid before asking the backend again
Default: entry_cache_timeout
entry_cache_group_timeout (integer)
How many seconds should nss_sss consider group
entries valid before asking the backend again
Default: entry_cache_timeout
entry_cache_netgroup_timeout (integer)
How many seconds should nss_sss consider
netgroup entries valid before asking the backend again
Default: entry_cache_timeout
entry_cache_service_timeout (integer)
How many seconds should nss_sss consider
service entries valid before asking the backend again
Default: entry_cache_timeout
entry_cache_sudo_timeout (integer)
How many seconds should sudo consider rules
valid before asking the backend again
Default: entry_cache_timeout
entry_cache_autofs_timeout (integer)
How many seconds should the autofs service
consider automounter maps valid before asking the backend again
Default: entry_cache_timeout
refresh_expired_interval (integer)
Specifies how many seconds SSSD has to wait
before triggering a background refresh task which will refresh all expired or
nearly expired records.
Currently only refreshing expired netgroups is supported.
You can consider setting this value to 3/4 * entry_cache_timeout.
Default: 0 (disabled)
cache_credentials (bool)
Determines if user credentials are also cached
in the local LDB cache
User credentials are stored in a SHA512 hash, not in plaintext
Default: FALSE
account_cache_expiration (integer)
Number of days entries are left in cache after
last successful login before being removed during a cleanup of the cache. 0
means keep forever. The value of this parameter must be greater than or equal
to offline_credentials_expiration.
Default: 0 (unlimited)
pwd_expiration_warning (integer)
Display a warning N days before the password
expires.
If zero is set, then this filter is not applied, i.e. if the expiration warning
was received from backend server, it will automatically be displayed.
Please note that the backend server has to provide information about the
expiration time of the password. If this information is missing, sssd cannot
display a warning. Also an auth provider has to be configured for the backend.
Default: 7 (Kerberos), 0 (LDAP)
id_provider (string)
The identification provider used for the
domain. Supported ID providers are:
“proxy”: Support a legacy NSS provider
“local”: SSSD internal provider for local users
“ldap”: LDAP provider. See sssd-ldap(5) for more information
on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
use_fully_qualified_names (bool)
Use the full name and domain (as formatted by
the domain's full_name_format) as the user's login name reported to NSS.
If set to TRUE, all requests to this domain must use fully qualified names. For
example, if used in LOCAL domain that contains a "test" user,
getent passwd test wouldn't find the user while getent passwd
test@LOCAL would.
NOTE: This option has no effect on netgroup lookups due to their tendency to
include nested netgroups without qualified names. For netgroups, all domains
will be searched when an unqualified name is requested.
Default: FALSE
ignore_group_members (bool)
Do not return group members for group lookups.
If set to TRUE, the group membership attribute is not requested from the ldap
server, and group members are not returned when processing group lookup calls.
Default: FALSE
auth_provider (string)
The authentication provider used for the
domain. Supported auth providers are:
“ldap” for native LDAP authentication. See sssd-ldap(5) for
more information on configuring LDAP.
“krb5” for Kerberos authentication. See sssd-krb5(5) for more
information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“proxy” for relaying authentication to some other PAM target.
“none” disables authentication explicitly.
Default: “id_provider” is used if it is set and can handle
authentication requests.
access_provider (string)
The access control provider used for the
domain. There are two built-in access providers (in addition to any included
in installed backends) Internal special providers are:
“permit” always allow access. It's the only permitted access
provider for a local domain.
“deny” always deny access.
“ldap” for native LDAP authentication. See sssd-ldap(5) for
more information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“simple” access control based on access or deny lists. See
sssd-simple(5) for more information on configuring the simple access
module.
Default: “permit”
chpass_provider (string)
The provider which should handle change
password operations for the domain. Supported change password providers are:
“ldap” to change a password stored in a LDAP server. See
sssd-ldap(5) for more information on configuring LDAP.
“krb5” to change the Kerberos password. See sssd-krb5(5) for
more information on configuring Kerberos.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider.
See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more
information on configuring Active Directory.
“proxy” for relaying password changes to some other PAM target.
“none” disallows password changes explicitly.
Default: “auth_provider” is used if it is set and can handle change
password requests.
sudo_provider (string)
The SUDO provider used for the domain.
Supported SUDO providers are:
“ldap” for rules stored in LDAP. See sssd-ldap(5) for more
information on configuring LDAP.
“ipa” the same as “ldap” but with IPA default settings.
“ad” the same as “ldap” but with AD default settings.
“none” disables SUDO explicitly.
Default: The value of “id_provider” is used if it is set.
The detailed instructions for configuration of sudo_provider are in the manual
page sssd-sudo(5). There are many configuration options that can be
used to adjust the behavior. Please refer to "ldap_sudo_*" in
sssd-ldap(5).
selinux_provider (string)
The provider which should handle loading of
selinux settings. Note that this provider will be called right after access
provider ends. Supported selinux providers are:
“ipa” to load selinux settings from an IPA server. See
sssd-ipa(5) for more information on configuring IPA.
“none” disallows fetching selinux settings explicitly.
Default: “id_provider” is used if it is set and can handle selinux
loading requests.
subdomains_provider (string)
The provider which should handle fetching of
subdomains. This value should be always the same as id_provider. Supported
subdomain providers are:
“ipa” to load a list of subdomains from an IPA server. See
sssd-ipa(5) for more information on configuring IPA.
“none” disallows fetching subdomains explicitly.
Default: The value of “id_provider” is used if it is set.
autofs_provider (string)
The autofs provider used for the domain.
Supported autofs providers are:
“ldap” to load maps stored in LDAP. See sssd-ldap(5) for more
information on configuring LDAP.
“ipa” to load maps stored in an IPA server. See sssd-ipa(5)
for more information on configuring IPA.
“none” disables autofs explicitly.
Default: The value of “id_provider” is used if it is set.
hostid_provider (string)
The provider used for retrieving host identity
information. Supported hostid providers are:
“ipa” to load host identity stored in an IPA server. See
sssd-ipa(5) for more information on configuring IPA.
“none” disables hostid explicitly.
Default: The value of “id_provider” is used if it is set.
re_expression (string)
Regular expression for this domain that
describes how to parse the string containing user name and domain into these
components. The "domain" can match either the SSSD configuration
domain name, or, in the case of IPA trust subdomains and Active Directory
domains, the flat (NetBIOS) name of the domain.
Default for the AD and IPA provider:
“(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))”
which allows three different styles for user names:
While the first two correspond to the general default the third one is
introduced to allow easy integration of users from Windows domains.
Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which
translates to "the name is everything up to the “@” sign, the
domain everything after that"
PLEASE NOTE: the support for non-unique named subpatterns is not available on
all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre version 7
or higher can support non-unique named subpatterns.
PLEASE NOTE ALSO: older version of libpcre only support the Python syntax
(?P<name>) to label subpatterns.
full_name_format (string)
•username
•username@domain.name
•domain\username
A printf(3)-compatible format that
describes how to compose a fully qualified name from user name and domain name
components.
The following expansions are supported:
%1$s
Default: “%1$s@%2$s”.
lookup_family_order (string)
user name
%2$s
domain name as specified in the SSSD config
file.
%3$s
domain flat name. Mostly usable for Active
Directory domains, both directly configured or discovered via IPA
trusts.
Provides the ability to select preferred
address family to use when performing DNS lookups.
Supported values:
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
Default: ipv4_first
dns_resolver_timeout (integer)
Defines the amount of time (in seconds) to
wait for a reply from the DNS resolver before assuming that it is unreachable.
If this timeout is reached, the domain will continue to operate in offline
mode.
Default: 6
dns_discovery_domain (string)
If service discovery is used in the back end,
specifies the domain part of the service discovery DNS query.
Default: Use the domain part of machine's hostname
override_gid (integer)
Override the primary GID value with the one
specified.
case_sensitive (boolean)
Treat user and group names as case sensitive.
At the moment, this option is not supported in the local provider.
Default: True
proxy_fast_alias (boolean)
When a user or group is looked up by name in
the proxy provider, a second lookup by ID is performed to
"canonicalize" the name in case the requested name was an alias.
Setting this option to true would cause the SSSD to perform the ID lookup from
cache for performance reasons.
Default: false
subdomain_homedir (string)
Use this homedir as default value for all
subdomains within this domain in IPA AD trust. See override_homedir for
info about possible values. In addition to those, the expansion below can only
be used with subdomain_homedir.
%F
The value can be overridden by override_homedir option.
Default: /home/%d/%u
realmd_tags (string)
flat (NetBIOS) name of a subdomain.
Various tags stored by the realmd
configuration service for this domain.
Options valid for proxy domains.
proxy_pam_target (string)
The proxy target PAM proxies to.
Default: not set by default, you have to take an existing pam configuration or
create a new one and add the service name here.
proxy_lib_name (string)
The name of the NSS library to use in proxy
domains. The NSS functions searched for in the library are in the form of
_nss_$(libName)_$(function), for example _nss_files_getpwent.
The local domain section¶
This section contains settings for domain that stores users and groups in SSSD native database, that is, a domain that uses id_provider=local. Section parameters default_shell (string)The default shell for users created with SSSD
userspace tools.
Default: /bin/bash
base_directory (string)
The tools append the login name to
base_directory and use that as the home directory.
Default: /home
create_homedir (bool)
Indicate if a home directory should be created
by default for new users. Can be overridden on command line.
Default: TRUE
remove_homedir (bool)
Indicate if a home directory should be removed
by default for deleted users. Can be overridden on command line.
Default: TRUE
homedir_umask (integer)
Used by sss_useradd(8) to specify the
default permissions on a newly created home directory.
Default: 077
skel_dir (string)
The skeleton directory, which contains files
and directories to be copied in the user's home directory, when the home
directory is created by sss_useradd(8)
Default: /etc/skel
mail_dir (string)
The mail spool directory. This is needed to
manipulate the mailbox when its corresponding user account is modified or
deleted. If not specified, a default value is used.
Default: /var/mail
userdel_cmd (string)
The command that is run after a user is
removed. The command us passed the username of the user being removed as the
first and only parameter. The return code of the command is not taken into
account.
Default: None, no command is run
EXAMPLE¶
The following example shows a typical SSSD config. It does not describe configuration of the domains themselves - refer to documentation on configuring domains for more details.[sssd] domains = LDAP services = nss, pam config_file_version = 2 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true min_id = 10000 max_id = 20000 enumerate = False
SEE ALSO¶
AUTHORS¶
The SSSD upstream - http://fedorahosted.org/sssd07/22/2015 | SSSD |