Langue: en

Autres versions - même langue

Version: 08/03/2010 (fedora - 01/12/10)

Section: 5 (Format de fichier)


sssd.conf - the configuration file for SSSD


The file has an ini-style syntax and consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. An example of section with single and multi-valued parameters:

                 key = value
                 key2 = value2,value3

The data types used are string (no quotes needed), integer and bool (with values of lqTRUE/FALSErq).

A line comment starts with a hash sign (lq#rq) or a semicolon (lq;rq)

All sections can have an optional description parameter. Its function is only as a label for the section.

sssd.conf must be a regular file, owned by root and only root may read from or write to the file.


The [sssd] section

Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. The services are managed by a special service frequently called lqmonitorrq. The lq[sssd]rq section is used to configure the monitor as well as some other important options like the identity domains.

Section parameters

config_file_version (integer)

Indicates what is the syntax of the config file. SSSD 0.6.0 and later use version 2.


Comma separated list of services that are started when sssd itself starts.
Supported services: nss, pam

reconnection_retries (integer)

Number of times services should attempt to reconnect in the event of a Data Provider crash or restart before they give up
Default: 3


A domain is a database containing user information. SSSD can use more domains at the same time, but at least one must be configured or SSSD won't start. This parameter described the list of domains in the order you want them to be queried.

re_expression (string)

Regular expression that describes how to parse the string containing user name and domain into these components.
Default: lq(?P<name>[^@]+)@?(?P<domain>[^@]*$)rq which translates to "the name is everything up to the lq@rq sign, the domain everything after that"
PLEASE NOTE: the support for non-unique named subpatterns is not available on all plattforms (e.g. RHEL5 and SLES10). Only plattforms with libpcre version 7 or higher can support non-unique named subpatterns.
PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?P<name>) to label subpatterns.

full_name_format (string)

A printf(3)-compatible format that describes how to translate a (name, domain) tuple into a fully qualified name.
Default: lq%1$s@%2$srq.

try_inotify (boolean)

SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS resolver. By default, we will attempt to use inotify for this, and will fall back to polling resolv.conf every five seconds if inotify cannot be used.
There are some limited situations where it is preferred that we should skip even trying to use inotify. In these rare cases, this option should be set to 'false'
Default: true on platforms where inotify is supported. False on other platforms.
Note: this option will have no effect on platforms where inotify is unavailable. On these platforms, polling will always be used.


Settings that can be used to configure different services are described in this section. They should reside in the [$NAME] section, for example, for NSS service, the section would be lq[nss]rq

General service configuration options

These options can be used to configure any service.

debug_level (integer)

Sets the debug level for the service. The value can be in range from 0 (only critical messages) to 10 (very verbose).
Default: 0

debug_timestamps (bool)

Add a timestamp to the debug messages
Default: true

reconnection_retries (integer)

Number of times services should attempt to reconnect in the event of a Data Provider crash or restart before they give up
Default: 3

command (string)

By default, the executable representing this service is called sssd_${service_name}. This directive allows to change the executable name for the service. In the vast majority of configurations, the default values should suffice.
Default: sssd_${service_name}

NSS configuration options

These options can be used to configure the Name Service Switch (NSS) service.

enum_cache_timeout (integer)

How many seconds should nss_sss cache enumerations (requests for info about all users)
Default: 120

entry_cache_nowait_percentage (integer)

The entry cache can be set to automatically update entries in the background if they are requested beyond a percentage of the entry_cache_timeout value for the domain.
For example, if the domain's entry_cache_timeout is set to 30s and entry_cache_nowait_percentage is set to 50 (percent), entries that come in after 15 seconds past the last cache update will be returned immediately, but the SSSD will go and update the cache on its own, so that future requests will not need to block waiting for a cache update.
Valid values for this option are 0-99 and represent a percentage of the entry_cache_timeout for each domain. For performance reasons, this percentage will never reduce the nowait timeout to less than 10 seconds. (0 disables this feature)
Default: 0

entry_negative_timeout (integer)

Specifies for how many seconds nss_sss should cache negative cache hits (that is, queries for invalid database entries, like nonexistent ones) before asking the back end again.
Default: 15

filter_users, filter_groups (string)

Exclude certain users from being fetched from the sss NSS database. This is particulary useful for system accounts. This option can also be set per-domain or include fully-qualified names to filter only users from the particular domain.
Default: root

filter_users_in_groups (bool)

If you want filtered user still be group members set this option to false.
Default: true

PAM configuration options

These options can be used to configure the Pluggable Authentication Module (PAM) service.

offline_credentials_expiration (integer)

If the authentication provider is offline, how long should we allow cached logins (in days since the last successful online login).
Default: 0 (No limit)

offline_failed_login_attempts (integer)

If the authentication provider is offline, how many failed login attempts are allowed.
Default: 0 (No limit)

offline_failed_login_delay (integer)

The time in minutes which has to pass after offline_failed_login_attempts has been reached before a new login attempt is possible.
If set to 0 the user cannot authenticate offline if offline_failed_login_attempts has been reached. Only a successful online authentication can enable enable offline authentication again.
Default: 5


These configuration options can be present in a domain configuration section, that is, in a section called lq[domain/NAME]rq

min_id,max_id (integer)

UID and GID limits for the domain. If a domain contains an entry that is outside these limits, it is ignored.
For users, this affects the primary GID limit. The user will not be returned to NSS if either the UID or the primary GID is outside the range. For non-primary group memberships, those that are in range will be reported as expected.
Default: 1 for min_id, 0 (no limit) for max_id

timeout (integer)

Timeout in seconds between heartbeats for this domain. This is used to ensure that the backend process is alive and capable of answering requests.
Default: 10

enumerate (bool)

Determines if a domain can be enumerated. This parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate performance impact on SSSD while enumeration is running. It may take up to several minutes after SSSD startup to fully complete enumerations. During this time, individual requests for information will go directly to LDAP, though it may be slow, due to the heavy enumeration processing.
Further, enabling enumeration may increase the time necessary to detect network disconnection, as longer timeouts are required to ensure that enumeration lookups are completed successfully. For more information, refer to the man pages for the specific id_provider in use.

entry_cache_timeout (integer)

How many seconds should nss_sss consider entries valid before asking the backend again
Default: 5400

cache_credentials (bool)

Determines if user credentials are also cached in the local LDB cache
Default: FALSE

account_cache_expiration (integer)

Number of days entries are left in cache after last successful login before being removed during a cleanup of the cache. 0 means keep forever. The value of this parameter must be greater than or equal to offline_credentials_expiration.
Default: 0 (unlimited)

id_provider (string)

The Data Provider identity backend to use for this domain.
Supported backends:
proxy: Support a legacy NSS provider
local: SSSD internal local provider
ldap: LDAP provider

use_fully_qualified_names (bool)

If set to TRUE, all requests to this domain must use fully qualified names. For example, if used in LOCAL domain that contains a "test" user, getent passwd test wouldn't find the user while getent passwd test@LOCAL would.
Default: FALSE

auth_provider (string)

The authentication provider used for the domain. Supported auth providers are:

lqldaprq for native LDAP authentication. See sssd-ldap(5) for more information on configuring LDAP.

lqkrb5rq for Kerberos authentication. See sssd-krb5(5) for more information on configuring Kerberos.

lqproxyrq for relaying authentication to some other PAM target.

lqnonerq disables authentication explicitly.
Default: lqid_providerrq is used if it is set and can handle authentication requests.

access_provider (string)

The access control provider used for the domain. There are two built-in access providers (in addition to any included in installed backends) Internal special providers are:

lqpermitrq always allow access.

lqdenyrq always deny access.

lqsimplerq access control based on access or deny lists. See sssd-simple(5) for more information on configuring the simple access module.
Default: lqpermitrq

chpass_provider (string)

The provider which should handle change password operations for the domain. Supported change password providers are:

lqldaprq to change a password stored in a LDAP server. See sssd-ldap(5) for more information on configuring LDAP.

lqkrb5rq to change the Kerberos password. See sssd-krb5(5) for more information on configuring Kerberos.

lqproxyrq for relaying password changes to some other PAM target.

lqnonerq disallows password changes explicitly.
Default: lqauth_providerrq is used if it is set and can handle change password requests.

lookup_family_order (string)

Provides the ability to select preferred address family to use when performing DNS lookups.
Supported values:
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
Default: ipv4_first

dns_resolver_timeout (integer)

Defines the amount of time (in seconds) to wait for a reply from the DNS resolver before assuming that it is unreachable. If this timeout is reached, the domain will continue to operate in offline mode.
Default: 5

dns_discovery_domain (string)

If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.
Default: Use the domain part of machine's hostname

Options valid for proxy domains.

proxy_pam_target (string)

The proxy target PAM proxies to.
Default: not set by default, you have to take an existing pam configuration or create a new one and add the service name here.

proxy_lib_name (string)

The name of the NSS library to use in proxy domains. The NSS functions searched for in the library are in the form of _nss_$(libName)_$(function), for example _nss_files_getpwent.

The local domain section

This section contains settings for domain that stores users and groups in SSSD native database, that is, a domain that uses id_provider=local.

Section parameters

default_shell (string)

The default shell for users created with SSSD userspace tools.
Default: /bin/bash

base_directory (string)

The tools append the login name to base_directory and use that as the home directory.
Default: /home

create_homedir (bool)

Indicate if a home directory should be created by default for new users. Can be overriden on command line.
Default: TRUE

remove_homedir (bool)

Indicate if a home directory should be removed by default for deleted users. Can be overriden on command line.
Default: TRUE

homedir_umask (integer)

Used by sss_useradd(8) to specify the default permissions on a newly created home directory.
Default: 077

skel_dir (string)

The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by sss_useradd(8)
Default: /etc/skel

mail_dir (string)

The mail spool directory. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted. If not specified, a default value is used.
Default: /var/mail

userdel_cmd (string)

The command that is run after a user is removed. The command us passed the username of the user being removed as the first and only parameter. The return code of the command is not taken into account.
Default: None, no command is run


The following example shows a typical SSSD config. It does not describe configuration of the domains themselves - refer to documentation on configuring domains for more details.

 domains = LDAP
 services = nss, pam
 config_file_version = 2
 filter_groups = root
 filter_users = root
 id_provider = ldap
 ldap_uri = ldap://
 ldap_search_base = dc=example,dc=com
 auth_provider = krb5
 krb5_kdcip =
 krb5_realm = EXAMPLE.COM
 cache_credentials = true
 min_id = 10000
 max_id = 20000
 enumerate = False


sssd-ldap(5), sssd-krb5(5), sss_groupadd(8), sss_groupdel(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), pam_sss(8).


The SSSD upstream -