The file has an ini-style syntax and consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. An example of section with single and multi-valued parameters:
[section] key = value key2 = value2,value3
The data types used are string (no quotes needed), integer and bool (with values of "TRUE/FALSE").
A line comment starts with a hash sign ("#") or a semicolon (";")
All sections can have an optional description parameter. Its function is only as a label for the section.
sssd.conf must be a regular file, owned by root and only root may read from or write to the file.
Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. The services are managed by a special service frequently called "monitor". The "[sssd]" section is used to configure the monitor as well as some other important options like the identity domains.
Supported services: nss, pam
Default: "(?P<name>[^@]+)@?(?P<domain>[^@]*$)" which translates to "the name is everything up to the "@" sign, the domain everything after that"
PLEASE NOTE: the support for non-unique named subpatterns is not available on all plattforms (e.g. RHEL5 and SLES10). Only plattforms with libpcre version 7 or higher can support non-unique named subpatterns.
PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?P<name>) to label subpatterns.
Settings that can be used to configure different services are described in this section. They should reside in the [$NAME] section, for example, for NSS service, the section would be "[nss]"
These options can be used to configure any service.
These options can be used to configure the Name Service Switch (NSS) service.
For example, if the domain's entry_cache_timeout is set to 30s and entry_cache_nowait_percentage is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be returned immediately, but the SSSD will go and update the cache on its own, so that future requests will not need to block waiting for a cache update.
Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for each domain. For performance reasons, this percentage will never reduce the nowait timeout to less than 10 seconds. (0 disables this feature)
filter_users, filter_groups (string)
These options can be used to configure the Pluggable Authentication Module (PAM) service.
Default: 0 (No limit)
Default: 0 (No limit)
If set to 0 the user cannot authenticate offline if offline_failed_login_attempts has been reached. Only a successful online authentication can enable enable offline authentication again.
These configuration options can be present in a domain configuration section, that is, in a section called "[domain/NAME]"
For users, this affects the primary GID limit. The user will not be returned to NSS if either the UID or the primary GID is outside the range. For non-primary group memberships, those that are in range will be reported as expected.
Default: 1 for min_id, 0 (no limit) for max_id
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration is running. It may take up to several minutes after SSSD startup to fully complete enumerations. During this time, individual requests for information will go directly to LDAP, though it may be slow, due to the heavy enumeration processing.
Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.
Default: 0 (unlimited)
proxy: Support a legacy NSS provider
local: SSSD internal local provider
ldap: LDAP provider
"ldap" for native LDAP authentication. See sssd-ldap(5) for more information on configuring LDAP.
"krb5" for Kerberos authentication. See sssd-krb5(5) for more information on configuring Kerberos.
"proxy" for relaying authentication to some other PAM target.
"none" disables authentication explicitly.
Default: "id_provider" is used if it is set and can handle authentication requests.
"permit" always allow access.
"deny" always deny access.
"simple" access control based on access or deny lists. See sssd-simple(5) for more information on configuring the simple access module.
"ldap" to change a password stored in a LDAP server. See sssd-ldap(5) for more information on configuring LDAP.
"krb5" to change the Kerberos password. See sssd-krb5(5) for more information on configuring Kerberos.
"proxy" for relaying password changes to some other PAM target.
"none" disallows password changes explicitly.
Default: "auth_provider" is used if it is set and can handle change password requests.
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
Options valid for proxy domains.
Default: not set by default, you have to take an existing pam configuration or create a new one and add the service name here.
This section contains settings for domain that stores users and groups in SSSD native database, that is, a domain that uses id_provider=local.
Default: None, no command is run
The following example shows a typical SSSD config. It does not describe configuration of the domains themselves - refer to documentation on configuring domains for more details.
[sssd] domains = LDAP services = nss, pam config_file_version = 2 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP] id_provider = ldap ldap_uri = ldap://ldap.example.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_kdcip = kerberos.example.com krb5_realm = EXAMPLE.COM cache_credentials = true min_id = 10000 max_id = 20000 enumerate = False
sssd-ldap(5), sssd-krb5(5), sss_groupadd(8), sss_groupdel(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), pam_sss(8).
The SSSD upstream - http://fedorahosted.org/sssd