SSSD Manual pages
sssd.conf
5
File Formats and Conventions
sssd.conf
the configuration file for SSSD
FILE FORMAT
The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in
square brackets and continues until the next section begins. An
example of section with single and multi-valued parameters:
[section]
key = value
key2 = value2,value3
The data types used are string (no quotes needed), integer
and bool (with values of TRUE/FALSE
).
A line comment starts with a hash sign (#
) or a
semicolon (;
)
All sections can have an optional
description parameter. Its function
is only as a label for the section.
sssd.conf must be a regular file, owned by
root and only root may read from or write to the file.
SPECIAL SECTIONS
The [sssd] section
Individual pieces of SSSD functionality are provided by special
SSSD services that are started and stopped together with SSSD.
The services are managed by a special service frequently called
monitor
. The [sssd]
section is used
to configure the monitor as well as some other important options
like the identity domains.
Section parameters
services
Comma separated list of services that are
started when sssd itself starts. Since Data
Provider (dp
) is a required
service, it will be started even if omitted.
Default: dp
Supported services: dp, nss, pam
reconnection_retries
Number of times services should attempt to
reconnect in the event of a Data Provider
crash or restart before they give up
Default: 3
domains
A domain is a database containing user
information. SSSD can use more domains
at the same time, but at least one
must be configured or SSSD won't start.
This parameter described the list of domains
in the order you want them to be queried.
re_expression (string)
Regular expression that describes how to parse the string
containing user name and domain into these components.
Default: (?P<name>[^@]+)@?(?P<domain>[^@]*$)
which translates to "the name is everything up to the
@
sign, the domain everything after that"
PLEASE NOTE: the support for non-unique named
subpatterns is not available on all plattforms
(e.g. RHEL5 and SLES10). Only plattforms with
libpcre version 7 or higher can support non-unique
named subpatterns.
PLEASE NOTE ALSO: older version of libpcre only
support the Python syntax (?P<name>) to label
subpatterns.
full_name_format (string)
A
printf
3
-compatible format that describes how to
translate a (name, domain) tuple into a fully qualified
name.
Default: %1$s@%2$s
.
SERVICES SECTIONS
Settings that can be used to configure different services
are described in this section. They should reside in the
[$NAME] section, for example,
for NSS service, the section would be [nss]
General service configuration options
These options can be used to configure any service.
debug_level (integer)
Sets the debug level for the service. The
value can be in range from 0 (only critical
messages) to 10 (very verbose).
Default: 0
reconnection_retries (integer)
Number of times services should attempt to
reconnect in the event of a Data Provider
crash or restart before they give up
Default: 3
command (string)
By default, the executable
representing this service is called
sssd_${service_name}.
This directive allows to change the executable
name for the service. In the vast majority of
configurations, the default values should suffice.
Default: sssd_${service_name}
Monitor configuration options
Monitor is the central controller of the SSSD. It is
responsible for running all the other services that provide
specific pieces of functionality.
sbus_timeout (string)
Specifies the timeout for messages sent over the SBUS.
Default: -1 (implies a reasonable timeout as defined
by the D-BUS library)
NSS configuration options
These options can be used to configure the
Name Service Switch (NSS) service.
enum_cache_timeout (integer)
How long should nss_sss cache enumerations
(requests for info about all users)
Default: 120
entry_cache_timeout (integer)
How long should nss_sss cache positive cache hits
(that is, queries for valid database entries) before
asking the backend again
Default: 600
entry_cache_nowait_timeout (integer)
How long should nss_sss return cached entries before
initiating an out-of-band cache refresh (0 disables
this feature)
Default: 0
entry_negative_timeout (integer)
How long should nss_sss cache negative cache hits
(that is, queries for invalid database entries, like
nonexistent ones) before asking the backend again
Default: 15
filter_users, filter_groups (string)
Exclude certain users from being fetched from the sss
NSS database. This is particulary useful for system
accounts.
Default: root
filter_users_in_groups (bool)
If you want filtered user still be group members
set this option to false.
Default: true
DOMAIN SECTIONS
These configuration options can be present in a domain
configuration section, that is, in a section called
[domain/NAME]
min_id,max_id (integer)
UID limits for the domain. If a domain contains
entry that is outside these limits, it is ignored
Default: 1000 for min_id, 0 (no limit) for max_id
timeout (integer)
Timeout in seconds for this particular domain.
Raising this timeout might prove useful for slower
backends like distant LDAP servers.
Default: 0 (no timeout)
magic_private_groups (bool)
By using the Magic Private Groups option, you
are imposing two limitations to the ID space
and name space:
1. Users and groups in the domain share a common
name space. There can never be an explicit group
with the same name as a user
2. Users and groups share a common ID
space, there can never be an explicit group with
a same ID as a user
Using Magic Private groups bring the benefit of
better Windows Interoperability (in Windows,
the ID and name spaces are unique) and also
avoids creating a group for every user,
thus cluttering the group space. Also, for
NSS calls, every user is actually returned
as user's private group without having to
explicitly create the group, thus having the
same effect as User Private Groups
Default: FALSE*
*Magic Private Groups are always enabled when
provider=local and this setting does not
affect that in any way. For other providers,
Magic Private Groups default to FALSE
enumerate (bool)
Determines if a domain can be enumerated. This
parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
cache_credentials (bool)
Determines if user credentials are also cached
in the local LDB cache
Default: FALSE
store_legacy_passwords (bool)
Whether to also store passwords in a legacy domain
Default: FALSE
id_provider (string)
The Data Provider identity backend to use for this
domain.
Supported backends:
proxy: Support a legacy NSS provider
local: SSSD internal local provider
ldap: LDAP provider
use_fully_qualified_names (bool)
If set to TRUE, all requests to this domain
must use fully qualified names. For example,
if used in LOCAL domain that contains a "test"
user, getent passwd test
wouldn't find the user while getent
passwd test@LOCAL would.
Default: FALSE
auth_provider (string)
The authentication provider used for the domain.
Supported auth providers are:
ldap
for native LDAP authentication. See
sssd-ldap
5
for more information on configuring LDAP.
krb5
for Kerberos authentication. See
sssd-krb5
5
for more information on configuring Kerberos.
proxy
for relaying authentication to some other PAM target.
chpass_provider (string)
The provider which should handle change password
operations for the domain.
Supported change password providers are:
ldap
to change a password stored
in a LDAP server. See
sssd-ldap
5
for more information on configuring LDAP.
krb5
to change the Kerberos
password. See
sssd-krb5
5
for more information on configuring Kerberos.
proxy
for relaying password changes
to some other PAM target.
Options valid for proxy domains.
proxy_pam_target (string)
The proxy target PAM proxies to.
Default: sssd_pam_proxy_default
proxy_lib_name (string)
The name of the NSS library to use in proxy
domains. The NSS functions searched for in the
library are in the form of
_nss_$(libName)_$(function), for example
_nss_files_getpwent.
The local domain section
This section contains settings for domain that stores users and
groups in SSSD native database, that is, a domain that uses
id_provider=local.
Section parameters
default_shell (string)
The default shell for users created
with SSSD userspace tools.
Default: /bin/bash
base_directory (string)
The tools append the login name to
base_directory and
use that as the home directory.
Default: /home
EXAMPLE
The following example shows a typical SSSD config. It does
not describe configuration of the domains themselves - refer to
documentation on configuring domains for more details.
[sssd]
domains = LOCAL
services = nss, dp, pam
config_file_version = 2
sbus_timeout = 30
[nss]
filter_groups = root
filter_users = root
[pam]
[dp]
[domain/LOCAL]
id_provider = local
min_id = 1000
max_id = 5000
default_shell = /bin/ksh
enumerate = true
SEE ALSO
sssd.conf5
,
sssd-ldap5
,
sss_groupadd8
,
sss_groupdel8
,
sss_groupmod8
,
sss_useradd8
,
sss_userdel8
,
sss_usermod8
,
pam_sss8
.