SSSD Manual pages

SSSD.CONF(5)                 File Formats and Conventions                 SSSD.CONF(5)

NAME
    sssd.conf - the configuration file for SSSD

FILE FORMAT
    The file has an ini-style syntax and consists of sections and parameters. A
    section begins with the name of the section in square brackets and continues
    until the next section begins. An example of a section with single- and
    multi-valued parameters:

        [section]
        key = value
        key2 = value2,value3

    The data types used are string (no quotes needed), integer and bool (with
    values of TRUE/FALSE).

    A line comment starts with a hash sign (#) or a semicolon (;).

    All sections can have an optional description parameter. Its function is only
    as a label for the section.

    sssd.conf must be a regular file, owned by root, and only root may read from
    or write to the file (that is, root:root with mode 0600 or stricter).

SPECIAL SECTIONS
    The [sssd] section
        Individual pieces of SSSD functionality are provided by special SSSD
        services that are started and stopped together with SSSD. The services are
        managed by a special service frequently called the monitor. The [sssd]
        section is used to configure the monitor as well as some other important
        options like the identity domains.

    Section parameters
        services
            Comma-separated list of services that are started when sssd itself
            starts. Since the Data Provider (dp) is a required service, it is
            started even if omitted.
            Default: dp
            Supported services: dp, nss, pam

        reconnection_retries
            Number of times services should attempt to reconnect in the event of a
            Data Provider crash or restart before they give up.
            Default: 3

        domains
            A domain is a database containing user information. SSSD can use
            several domains at the same time, but at least one must be configured
            or SSSD won't start. This parameter lists the domains in the order in
            which they are queried.

        re_expression (string)
            Regular expression that describes how to parse a string containing a
            user name and domain into those two components.
            Default: (?P<name>[^@]+)@?(?P<domain>[^@]*$)
            which translates to "the name is everything up to the @ sign, the
            domain everything after that".

            PLEASE NOTE: support for non-unique named subpatterns is not available
            on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre
            version 7 or higher support non-unique named subpatterns.

            PLEASE NOTE ALSO: older versions of libpcre only support the Python
            syntax (?P<name>) to label subpatterns.

        full_name_format (string)
            A printf(3)-compatible format that describes how to translate a
            (name, domain) tuple into a fully qualified name.
            Default: %1$s@%2$s

SERVICES SECTIONS
    Settings that can be used to configure the different services are described in
    this section. They reside in the [$NAME] section; for example, for the NSS
    service the section is [nss].

    General service configuration options
        These options can be used to configure any service.

        debug_level (integer)
            Sets the debug level for the service. The value can range from 0 (only
            critical messages) to 10 (very verbose).
            Default: 0

        reconnection_retries (integer)
            Number of times services should attempt to reconnect in the event of a
            Data Provider crash or restart before they give up.
            Default: 3

        command (string)
            By default, the executable representing this service is called
            sssd_${service_name}. This directive allows the executable name for the
            service to be changed. In the vast majority of configurations the
            default value should suffice.
            Default: sssd_${service_name}

    Monitor configuration options
        The monitor is the central controller of SSSD. It is responsible for
        running all the other services that provide specific pieces of
        functionality.

        sbus_timeout (string)
            Specifies the timeout for messages sent over the SBUS.
            Default: -1 (implies a reasonable timeout as defined by the D-BUS
            library)

    NSS configuration options
        These options can be used to configure the Name Service Switch (NSS)
        service.
        enum_cache_timeout (integer)
            How long (in seconds) nss_sss should cache enumerations (requests for
            info about all users).
            Default: 120

        entry_cache_timeout (integer)
            How long (in seconds) nss_sss should cache positive cache hits (that
            is, queries for valid database entries) before asking the backend
            again.
            Default: 600

        entry_cache_nowait_timeout (integer)
            How long (in seconds) nss_sss should keep returning cached entries
            before initiating an out-of-band cache refresh (0 disables this
            feature).
            Default: 0

        entry_negative_timeout (integer)
            How long (in seconds) nss_sss should cache negative cache hits (that
            is, queries for invalid database entries, like nonexistent ones)
            before asking the backend again.
            Default: 15

        filter_users, filter_groups (string)
            Exclude certain users (or groups) from being fetched from the sss NSS
            database. This is particularly useful for system accounts.
            Default: root

        filter_users_in_groups (bool)
            If you want filtered users to still appear as group members, set this
            option to false.
            Default: true

DOMAIN SECTIONS
    These configuration options can be present in a domain configuration section,
    that is, in a section called [domain/NAME].

        min_id, max_id (integer)
            UID limits for the domain. An entry whose ID falls outside these limits
            is ignored.
            Default: 1000 for min_id, 0 (no limit) for max_id

        timeout (integer)
            Timeout in seconds for this particular domain. Raising this timeout
            might prove useful for slower backends like distant LDAP servers.
            Default: 0 (no timeout)

        enumerate (bool)
            Determines if a domain can be enumerated. This parameter can have one
            of the following values:
                TRUE  = Users and groups are enumerated
                FALSE = No enumerations for this domain
            Default: FALSE

        cache_credentials (bool)
            Determines if user credentials are also cached in the local LDB cache.
            Default: FALSE

        store_legacy_passwords (bool)
            Whether to also store passwords in a legacy domain.
            Default: FALSE

        id_provider (string)
            The Data Provider identity backend to use for this domain.
            Supported backends:
                proxy: support a legacy NSS provider
                local: SSSD internal local provider
                ldap:  LDAP provider

        use_fully_qualified_names (bool)
            If set to TRUE, all requests to this domain must use fully qualified
            names. For example, if used in a LOCAL domain that contains a "test"
            user, getent passwd test would not find the user while
            getent passwd test@LOCAL would.
            Default: FALSE

        auth_provider (string)
            The authentication provider used for the domain. Supported auth
            providers are:
                ldap  for native LDAP authentication. See sssd-ldap(5) for more
                      information on configuring LDAP.
                krb5  for Kerberos authentication. See sssd-krb5(5) for more
                      information on configuring Kerberos.
                proxy for relaying authentication to some other PAM target.
                none  disables authentication explicitly.
            Default: id_provider is used if it is set and can handle
            authentication requests.

        access_provider (string)
            The access control provider used for the domain. Supported access
            providers are:
                permit always allow access.
                deny   always deny access.
            Default: id_provider is used if it is set and can handle access
            control requests, or permit otherwise.

        chpass_provider (string)
            The provider which should handle change password operations for the
            domain. Supported change password providers are:
                ldap  to change a password stored in an LDAP server. See
                      sssd-ldap(5) for more information on configuring LDAP.
                krb5  to change the Kerberos password. See sssd-krb5(5) for more
                      information on configuring Kerberos.
                proxy for relaying password changes to some other PAM target.
                none  disallows password changes explicitly.
            Default: auth_provider is used if it is set and can handle change
            password requests.

    Options valid for proxy domains
        proxy_pam_target (string)
            The PAM target that the proxy relays to.
            Default: sssd_pam_proxy_default

        proxy_lib_name (string)
            The name of the NSS library to use in proxy domains. The NSS functions
            searched for in the library are of the form
            _nss_$(libName)_$(function), for example _nss_files_getpwent.
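As an added example, not part of this manual page or of SSSD's own code, the
following Python script shows how the default re_expression from the [sssd]
section splits a request into (name, domain), how a printf(3)-style
full_name_format such as %1$s@%2$s rebuilds the fully qualified name, and how
use_fully_qualified_names together with the order of the domains parameter
decides which domains an unqualified lookup such as getent passwd test is sent
to. Python's re module accepts the (?P<name>) syntax mentioned above, so the
default expression is used verbatim; the domain-selection logic is a simplified
model of the documented behaviour rather than SSSD's implementation, and the
helper names (split_name, format_full_name, select_domains) are the example's
own.

```python
import re

# Defaults quoted from sssd.conf(5).
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"

# printf(3) positional conversions "%N$s", plus the "%%" escape.
_FORMAT_TOKEN = re.compile(r"%(\d+)\$s|%%")


def split_name(raw, re_expression=DEFAULT_RE_EXPRESSION):
    """Split a login string into (name, domain) using re_expression.

    The expression must define the named subpatterns "name" and "domain".
    An empty domain match (no '@' in the input) is returned as None.
    Raises ValueError when the expression does not match at all, which is
    what happens for e.g. "a@b@c" under the default expression.
    """
    match = re.match(re_expression, raw)
    if match is None:
        raise ValueError("re_expression does not match %r" % raw)
    name = match.group("name")
    domain = match.group("domain") or None
    return name, domain


def format_full_name(name, domain, full_name_format=DEFAULT_FULL_NAME_FORMAT):
    """Render a (name, domain) tuple with a printf-style positional format.

    Only the "%N$s" conversions (N is 1-based: 1 = name, 2 = domain) and the
    "%%" escape are interpreted; any other text is copied through unchanged.
    """
    args = (name, domain)

    def replace(match):
        if match.group(0) == "%%":
            return "%"
        index = int(match.group(1)) - 1
        if not 0 <= index < len(args):
            raise ValueError("bad positional argument in %r" % full_name_format)
        return args[index] if args[index] is not None else ""

    return _FORMAT_TOKEN.sub(replace, full_name_format)


def select_domains(raw, domains, re_expression=DEFAULT_RE_EXPRESSION):
    """Return the (domain, name) pairs a lookup would be sent to, in order.

    `domains` is an ordered mapping of domain name -> dict of domain options,
    in the order of the "domains" parameter of [sssd].  A qualified request
    goes only to the named domain; an unqualified request is tried against
    every configured domain that does not set use_fully_qualified_names.
    """
    name, domain = split_name(raw, re_expression)
    if domain is not None:
        return [(domain, name)] if domain in domains else []
    return [
        (dom, options)[0:1] + (name,)
        for dom, options in domains.items()
        if not options.get("use_fully_qualified_names", False)
    ]


if __name__ == "__main__":
    # Constructed configuration mirroring the use_fully_qualified_names example.
    domains = {"LOCAL": {"use_fully_qualified_names": True}}
    for request in ("test", "test@LOCAL"):
        print(request, "->", select_domains(request, domains))
```

With use_fully_qualified_names = TRUE on LOCAL, select_domains("test", ...)
returns an empty list (the unqualified lookup finds nothing) while
"test@LOCAL" is routed to LOCAL, matching the getent passwd example above.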
    The local domain section
        This section contains settings for a domain that stores users and groups
        in SSSD's native database, that is, a domain that uses id_provider=local.

    Section parameters
        default_shell (string)
            The default shell for users created with the SSSD userspace tools.
            Default: /bin/bash

        base_directory (string)
            The tools append the login name to base_directory and use that as
            the home directory.
            Default: /home

EXAMPLE
    The following example shows a typical SSSD config. It does not describe the
    configuration of the domains themselves; refer to the documentation on
    configuring domains for more details.

        [sssd]
        domains = LOCAL
        services = nss, dp, pam
        config_file_version = 2
        sbus_timeout = 30

        [nss]
        filter_groups = root
        filter_users = root

        [pam]

        [dp]

        [domain/LOCAL]
        id_provider = local
        min_id = 1000
        max_id = 5000
        default_shell = /bin/ksh
        enumerate = true

SEE ALSO
    sssd.conf(5), sssd-ldap(5), sss_groupadd(8), sss_groupdel(8), sss_groupmod(8),
    sss_useradd(8), sss_userdel(8), sss_usermod(8), pam_sss(8).
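As an added example, not part of this manual page or of SSSD's own tooling, the
Python script below parses a configuration in the format described under FILE
FORMAT (Python's configparser accepts the same ini-style sections, key = value
lines and # or ; comments) and applies the checks this page implies: at least
one domain in [sssd], a [domain/NAME] section with an id_provider for each
listed domain, dp present in the effective service list even when omitted, only
dp/nss/pam as services, max_id not below min_id, and the file itself being a
regular file owned by root with no group or other permission bits. The sample
configuration is the EXAMPLE above embedded as a string; the function names
(parse_sssd_conf, check_config, effective_services, check_file_security,
file_findings_for_mode) and the wording of the findings are the example's own.

```python
import configparser
import os
import stat
import tempfile

# The EXAMPLE configuration from sssd.conf(5), embedded as sample input.
SAMPLE_CONF = """\
[sssd]
domains = LOCAL
services = nss, dp, pam
config_file_version = 2
sbus_timeout = 30
[nss]
filter_groups = root
filter_users = root
[pam]
[dp]
[domain/LOCAL]
id_provider = local
min_id = 1000
max_id = 5000
default_shell = /bin/ksh
enumerate = true
"""

SUPPORTED_SERVICES = ("dp", "nss", "pam")


def parse_sssd_conf(text):
    # strict=True rejects duplicate sections/keys; '#' and ';' comments are default.
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.read_string(text)
    return parser


def split_list(value):
    """Split a comma-separated multi-valued parameter, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_services(conf):
    """Services the monitor starts: the configured list, plus dp if omitted."""
    services = split_list(conf.get("sssd", "services", fallback="dp"))
    if "dp" not in services:
        services.append("dp")  # dp is required and started even if omitted
    return services


def check_config(conf):
    """Return a list of findings about the parsed configuration (empty = OK)."""
    findings = []
    if not conf.has_section("sssd"):
        return ["missing [sssd] section"]
    for service in effective_services(conf):
        if service not in SUPPORTED_SERVICES:
            findings.append("unsupported service %r in [sssd] services" % service)
    domains = split_list(conf.get("sssd", "domains", fallback=""))
    if not domains:
        findings.append("no domains configured; sssd will not start")
    for domain in domains:
        section = "domain/" + domain
        if not conf.has_section(section):
            findings.append("domain %r listed but [%s] is missing" % (domain, section))
            continue
        if not conf.has_option(section, "id_provider"):
            findings.append("[%s] has no id_provider" % section)
        min_id = conf.getint(section, "min_id", fallback=1000)
        max_id = conf.getint(section, "max_id", fallback=0)  # 0 means no limit
        if max_id and max_id < min_id:
            findings.append("[%s] max_id %d is below min_id %d" % (section, max_id, min_id))
    return findings


def check_file_security(path, expected_uid=0):
    """Findings for the file itself: must be a regular file owned by
    expected_uid (root = 0) with no group/other permission bits."""
    findings = []
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other permission bits set (mode %04o)" % stat.S_IMODE(st.st_mode))
    return findings


def file_findings_for_mode(mode):
    """Write SAMPLE_CONF to a temporary file with the given mode (owned by the
    current user) and return check_file_security() findings for it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return check_file_security(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    print("services:", effective_services(conf))
    print("config findings:", check_config(conf) or "none")
    print("mode 0644 findings:", file_findings_for_mode(0o644))
    print("mode 0600 findings:", file_findings_for_mode(0o600) or "none")
```

Against a real /etc/sssd/sssd.conf the call would be
check_file_security("/etc/sssd/sssd.conf") with the default expected_uid of 0;
file_findings_for_mode only exists so the permission check can be exercised on a
throwaway file without root privileges.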