sssd.conf.5.xml revision ae526063fcbc4b4c440e35e01e4eca35358c2906
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa<?xml version="1.0" encoding="UTF-8"?>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa<reference>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa<title>SSSD Manual pages</title>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa<refentry>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refmeta>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refentrytitle>sssd.conf</refentrytitle>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <manvolnum>5</manvolnum>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </refmeta>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refnamediv id='name'>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refname>sssd.conf</refname>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refpurpose>the configuration file for SSSD</refpurpose>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </refnamediv>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <refsect1 id='file-format'>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <title>FILE FORMAT</title>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa The file has an ini-style syntax and consists of sections and
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa parameters. A section begins with the name of the section in
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa square brackets and continues until the next section begins. An
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa example of section with single and multi-valued parameters:
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <programlisting>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <replaceable>[section]</replaceable>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <replaceable>key</replaceable> = <replaceable>value</replaceable>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </programlisting>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa The data types used are string (no quotes needed), integer
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa and bool (with values of <quote>TRUE/FALSE</quote>).
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa A line comment starts with a hash sign (<quote>#</quote>) or a
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa semicolon (<quote>;</quote>).
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa Inline comments are not supported.
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa All sections can have an optional
670c6ab8caac48ce5cf043796dd8908114b7f607Natanael Copa <replaceable>description</replaceable> parameter. Its function
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa is only as a label for the section.
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa </para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <filename>sssd.conf</filename> must be a regular file, owned by
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa root and only root may read from or write to the file.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </refsect1>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <refsect1 id='special-sections'>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <title>SPECIAL SECTIONS</title>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <refsect2 id='services'>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <title>The [sssd] section</title>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Individual pieces of SSSD functionality are provided by special
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa SSSD services that are started and stopped together with SSSD.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa The services are managed by a special service frequently called
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa to configure the monitor as well as some other important options
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa like the identity domains.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <variablelist>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <title>Section parameters</title>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>config_file_version (integer)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Indicates what is the syntax of the config
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa file. SSSD 0.6.0 and later use version 2.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>services</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Comma separated list of services that are
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa started when sssd itself starts.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Supported services: nss, pam
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <phrase condition="with_sudo">, sudo</phrase>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <phrase condition="with_autofs">, autofs</phrase>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <phrase condition="with_ssh">, ssh</phrase>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <phrase condition="with_pac_responder">, pac</phrase>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>reconnection_retries (integer)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Number of times services should attempt to
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa reconnect in the event of a Data Provider
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa crash or restart before they give up
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Default: 3
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>domains</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa A domain is a database containing user
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa information. SSSD can use more domains
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa at the same time, but at least one
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa must be configured or SSSD won't start.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa This parameter described the list of domains
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa in the order you want them to be queried.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </varlistentry>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <varlistentry>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <term>re_expression (string)</term>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <listitem>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa Default regular expression that describes how to
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa parse the string containing user name and domain
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa into these components.
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa Each domain can have an individual regular
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa expression configured. For some ID providers
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa there are also default regular expressions. See
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa DOMAIN SECTIONS for more info on these regular
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa expressions.
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </listitem>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </varlistentry>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <varlistentry>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <term>full_name_format (string)</term>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <listitem>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa The default <citerefentry>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <refentrytitle>printf</refentrytitle>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <manvolnum>3</manvolnum>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </citerefentry>-compatible format that describes how to
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa translate a (name, domain) tuple into a fully qualified
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa name.
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa <para>
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa Each domain can have an individual format string configured.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa see DOMAIN SECTIONS for more info on this option.
d42277f769d1bed8a4a198a49dbe96582a4fa2ecNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
eee3ba81c88e64b8a732694fc4843a39d5bde491Serge Hallyn <term>try_inotify (boolean)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa SSSD monitors the state of resolv.conf to
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa identify when it needs to update its internal
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa DNS resolver. By default, we will attempt to
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa use inotify for this, and will fall back to
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa polling resolv.conf every five seconds if
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa inotify cannot be used.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa There are some limited situations where it is
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa preferred that we should skip even trying to
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa use inotify. In these rare cases, this option
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa should be set to 'false'
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Default: true on platforms where inotify is
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa supported. False on other platforms.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
eee3ba81c88e64b8a732694fc4843a39d5bde491Serge Hallyn Note: this option will have no effect on
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa platforms where inotify is unavailable. On
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa these platforms, polling will always be used.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>krb5_rcache_dir (string)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Directory on the filesystem where SSSD should
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa store Kerberos replay cache files.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa This option accepts a special value
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa __LIBKRB5_DEFAULTS__ that will instruct SSSD
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa to let libkrb5 decide the appropriate
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa location for the replay cache.
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa </para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <para>
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn Default: Distribution-specific and specified
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn at build-time. (__LIBKRB5_DEFAULTS__ if not
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa configured)
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>force_timeout (integer)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa If a service is not responding to ping checks (see
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa the <quote>timeout</quote> option), it is first sent
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa the SIGTERM signal that instructs it to quit gracefully.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa If the service does not terminate after <quote>force_timeout</quote>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa seconds, the monitor will forcibly shut it down by
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa sending a SIGKILL signal.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Default: 60
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa </listitem>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa </varlistentry>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa <varlistentry>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa <term>default_domain_suffix (string)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa This string will be used as a default domain
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa name for all names without a domain name
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa component. The main use case are environments
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa where the local domain is only managing hosts
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa but no users and all users are coming from a
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa trusted domain. The option allows those users
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn to log in just with their user name without
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn giving a domain name as well.
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn </para>
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn <para>
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn Please note that if this option is set all
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa users from the local domain have to use their
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa fully qualified name, e.g. user@domain.name,
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa to log in.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa Default: not set
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa </para>
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa </listitem>
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa </varlistentry>
e5846a6f89db72bdbf3d651e5faf232045d17af8Natanael Copa </variablelist>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </refsect2>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </refsect1>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa <refsect1 id='services-sections'>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <title>SERVICES SECTIONS</title>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa <para>
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa Settings that can be used to configure different services
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa are described in this section. They should reside in the
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa [<replaceable>$NAME</replaceable>] section, for example,
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa for NSS service, the section would be <quote>[nss]</quote>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa <refsect2 id='general'>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <title>General service configuration options</title>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa These options can be used to configure any service.
b1aa0624bae5a81d6f6bbc2653a388d148cffef8Natanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <variablelist>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>debug_level (integer)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/debug_levels.xml" />
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <varlistentry>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <term>debug_timestamps (bool)</term>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa Add a timestamp to the debug messages
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn </para>
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn <para>
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn Default: true
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </listitem>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </varlistentry>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <varlistentry>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <term>debug_microseconds (bool)</term>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <listitem>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa Add microseconds to the timestamp in debug messages
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa Default: false
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </para>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </listitem>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa </varlistentry>
2b49de9a3ff182c208148d780f6b26cf8cdd09d8Natanael Copa <varlistentry>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <term>timeout (integer)</term>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <listitem>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa <para>
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa Timeout in seconds between heartbeats for this
569bee5cc3d647032573db8f72734faa9307d577Natanael Copa service. This is used to ensure that the process
670c6ab8caac48ce5cf043796dd8908114b7f607Natanael Copa is alive and capable of answering requests.
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa </para>
2a9a0a08077d88ee1d70ca46ca122216f3d1c89aNatanael Copa <para>
Default: 10
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>reconnection_retries (integer)</term>
<listitem>
<para>
Number of times services should attempt to
reconnect in the event of a Data Provider
crash or restart before they give up
</para>
<para>
Default: 3
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>fd_limit</term>
<listitem>
<para>
This option specifies the maximum number of file
descriptors that may be opened at one time by this
SSSD process. On systems where SSSD is granted the
CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this
capability, the resulting value will be the lower
value of this or the limits.conf "hard" limit.
</para>
<para>
Default: 8192 (or limits.conf "hard" limit)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>client_idle_timeout</term>
<listitem>
<para>
This option specifies the number of seconds that
a client of an SSSD process can hold onto a file
descriptor without communicating on it. This value
is limited in order to avoid resource exhaustion
on the system.
</para>
<para>
Default: 60
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id='NSS'>
<title>NSS configuration options</title>
<para>
These options can be used to configure the
Name Service Switch (NSS) service.
</para>
<variablelist>
<varlistentry>
<term>enum_cache_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss cache enumerations
(requests for info about all users)
</para>
<para>
Default: 120
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_nowait_percentage (integer)</term>
<listitem>
<para>
The entry cache can be set to automatically update
entries in the background if they are requested
beyond a percentage of the entry_cache_timeout
value for the domain.
</para>
<para>
For example, if the domain's entry_cache_timeout
is set to 30s and entry_cache_nowait_percentage is
set to 50 (percent), entries that come in after 15
seconds past the last cache update will be
returned immediately, but the SSSD will go and
update the cache on its own, so that future
requests will not need to block waiting for a
cache update.
</para>
<para>
Valid values for this option are 0-99 and
represent a percentage of the entry_cache_timeout
for each domain. For performance reasons, this
percentage will never reduce the nowait timeout to
less than 10 seconds.
(0 disables this feature)
</para>
<para>
Default: 50
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_negative_timeout (integer)</term>
<listitem>
<para>
Specifies for how many seconds nss_sss should cache
negative cache hits (that is, queries for
invalid database entries, like nonexistent ones)
before asking the back end again.
</para>
<para>
Default: 15
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filter_users, filter_groups (string)</term>
<listitem>
<para>
Exclude certain users from being fetched from the sss
NSS database. This is particularly useful for system
accounts. This option can also be set per-domain or
include fully-qualified names to filter only users from
the particular domain.
</para>
<para>
Default: root
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filter_users_in_groups (bool)</term>
<listitem>
<para>
If you want filtered user still be group members
set this option to false.
</para>
<para>
Default: true
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>override_homedir (string)</term>
<listitem>
<para>
Override the user's home directory. You
can either provide an absolute value or a
template. In the template, the following
sequences are substituted:
<variablelist>
<varlistentry>
<term>%u</term>
<listitem><para>login name</para></listitem>
</varlistentry>
<varlistentry>
<term>%U</term>
<listitem><para>UID number</para></listitem>
</varlistentry>
<varlistentry>
<term>%d</term>
<listitem><para>domain name</para></listitem>
</varlistentry>
<varlistentry>
<term>%f</term>
<listitem><para>fully qualified user name (user@domain)</para></listitem>
</varlistentry>
<varlistentry>
<term>%%</term>
<listitem><para>a literal '%'</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
This option can also be set per-domain.
</para>
<para>
example:
<programlisting>
override_homedir = /home/%u
</programlisting>
</para>
<para>
Default: Not set (SSSD will use the value
retrieved from LDAP)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>fallback_homedir (string)</term>
<listitem>
<para>
Set a default template for a user's home directory
if one is not specified explicitly by the domain's
data provider.
</para>
<para>
The available values for this option are the same
as for override_homedir.
</para>
<para>
example:
<programlisting>
override_homedir = /home/%u
</programlisting>
</para>
<para>
Default: not set (no substitution for unset home
directories)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>override_shell (string)</term>
<listitem>
<para>
Override the login shell for all users. This
option can be specified globally in the [nss]
section or per-domain.
</para>
<para>
Default: not set (SSSD will use the value
retrieved from LDAP)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>allowed_shells (string)</term>
<listitem>
<para>
Restrict user shell to one of the listed values. The order of evaluation is:
</para>
<para>
1. If the shell is present in
<quote>/etc/shells</quote>, it is used.
</para>
<para>
2. If the shell is in the allowed_shells list but
not in <quote>/etc/shells</quote>, use the
value of the shell_fallback parameter.
</para>
<para>
3. If the shell is not in the allowed_shells list and
not in <quote>/etc/shells</quote>, a nologin shell
is used.
</para>
<para>
An empty string for shell is passed as-is to libc.
</para>
<para>
The <quote>/etc/shells</quote> is only read on SSSD start up, which means that
a restart of the SSSD is required in case a new shell is installed.
</para>
<para>
Default: Not set. The user shell is automatically used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>vetoed_shells (string)</term>
<listitem>
<para>
Replace any instance of these shells with the shell_fallback
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>shell_fallback (string)</term>
<listitem>
<para>
The default shell to use if an allowed shell is not
installed on the machine.
</para>
<para>
Default: /bin/sh
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>default_shell</term>
<listitem>
<para>
The default shell to use if the provider does not
return one during lookup. This option supersedes
any other shell options if it takes effect.
</para>
<para>
Default: not set (Return NULL if no shell is
specified and rely on libc to substitute something
sensible when necessary, usually /bin/sh)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>get_domains_timeout (int)</term>
<listitem>
<para>
Specifies time in seconds for which the list of
subdomains will be considered valid.
</para>
<para>
Default: 60
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>memcache_timeout (int)</term>
<listitem>
<para>
Specifies time in seconds for which records
in the in-memory cache will be valid
</para>
<para>
Default: 300
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id='PAM'>
<title>PAM configuration options</title>
<para>
These options can be used to configure the
Pluggable Authentication Module (PAM) service.
</para>
<variablelist>
<varlistentry>
<term>offline_credentials_expiration (integer)</term>
<listitem>
<para>
If the authentication provider is offline, how
long should we allow cached logins (in days since
the last successful online login).
</para>
<para>
Default: 0 (No limit)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>offline_failed_login_attempts (integer)</term>
<listitem>
<para>
If the authentication provider is offline, how
many failed login attempts are allowed.
</para>
<para>
Default: 0 (No limit)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>offline_failed_login_delay (integer)</term>
<listitem>
<para>
The time in minutes which has to pass after
offline_failed_login_attempts has been reached
before a new login attempt is possible.
</para>
<para>
If set to 0 the user cannot authenticate offline if
offline_failed_login_attempts has been reached. Only
a successful online authentication can enable
offline authentication again.
</para>
<para>
Default: 5
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pam_verbosity (integer)</term>
<listitem>
<para>
Controls what kind of messages are shown to the user
during authentication. The higher the number to more
messages are displayed.
</para>
<para>
Currently sssd supports the following values:
</para>
<para>
<emphasis>0</emphasis>: do not show any message
</para>
<para>
<emphasis>1</emphasis>: show only important
messages
</para>
<para>
<emphasis>2</emphasis>: show informational messages
</para>
<para>
<emphasis>3</emphasis>: show all messages and debug
information
</para>
<para>
Default: 1
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pam_id_timeout (integer)</term>
<listitem>
<para>
For any PAM request while SSSD is online, the SSSD will
attempt to immediately update the cached identity
information for the user in order to ensure that
authentication takes place with the latest information.
</para>
<para>
A complete PAM conversation may perform multiple PAM
requests, such as account management and session
opening. This option controls (on a
per-client-application basis) how long (in seconds) we
can cache the identity information to avoid excessive
round-trips to the identity provider.
</para>
<para>
Default: 5
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pam_pwd_expiration_warning (integer)</term>
<listitem>
<para>
Display a warning N days before the password expires.
</para>
<para>
Please note that the backend server has to provide
information about the expiration time of the password.
If this information is missing, sssd cannot display a
warning.
</para>
<para>
If zero is set, then this filter is not applied,
i.e. if the expiration warning was received from
backend server, it will automatically be displayed.
</para>
<para>
This setting can be overridden by setting
<emphasis>pwd_expiration_warning</emphasis>
for a particular domain.
</para>
<para>
Default: 0
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>get_domains_timeout (int)</term>
<listitem>
<para>
Specifies time in seconds for which the list of
subdomains will be considered valid.
</para>
<para>
Default: 60
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id='SUDO' condition="with_sudo">
<title>SUDO configuration options</title>
<para>
These options can be used to configure the sudo service.
</para>
<variablelist>
<varlistentry>
<term>sudo_timed (bool)</term>
<listitem>
<para>
Whether or not to evaluate the sudoNotBefore
and sudoNotAfter attributes that implement
time-dependent sudoers entries.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id='AUTOFS' condition="with_autofs">
<title>AUTOFS configuration options</title>
<para>
These options can be used to configure the autofs service.
</para>
<variablelist>
<varlistentry>
<term>autofs_negative_timeout (integer)</term>
<listitem>
<para>
Specifies for how many seconds should the
autofs responder negative cache hits
(that is, queries for invalid map entries,
like nonexistent ones) before asking the back
end again.
</para>
<para>
Default: 15
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ssh_known_hosts_timeout (integer)</term>
<listitem>
<para>
How many seconds to keep a host in the managed
known_hosts file after its host keys were requested.
</para>
<para>
Default: 180
</para>
</listitem>
</varlistentry>
</variablelist>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/autofs_restart.xml" />
</refsect2>
<refsect2 id='SSH' condition="with_ssh">
<title>SSH configuration options</title>
<para>
These options can be used to configure the SSH service.
</para>
<variablelist>
<varlistentry>
<term>ssh_hash_known_hosts (bool)</term>
<listitem>
<para>
Whether or not to hash host names and addresses in
the managed known_hosts file.
</para>
<para>
Default: true
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
<title>PAC responder configuration options</title>
<para>
The PAC responder works together with the authorization data
plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain
provider. The plugin sends the PAC data during a GSSAPI
authentication to the PAC responder. The sub-domain provider
collects domain SID and ID ranges of the domain the client is
joined to and of remote trusted domains from the local domain
controller. If the PAC is decoded and evaluated some of the
following operations are done:
<itemizedlist>
<listitem><para>If the remote user does not exist in the
cache, it is created. The uid is calculated based on the
SID, trusted domains will have UPGs and the gid will have
the same value as the uid. The home directory is set based
on the subdomain_homedir parameter. The shell will be empty
by default, i.e. the system defaults are used, but can be
overwritten with the default_shell parameter.</para>
</listitem>
<listitem><para>If there are SIDs of groups from the domain
the sssd client belongs to, the user will be added to those
groups.</para></listitem>
</itemizedlist>
</para>
<para>
These options can be used to configure the PAC responder.
</para>
<variablelist>
<varlistentry>
<term>allowed_uids (string)</term>
<listitem>
<para>
Specifies the comma-separated list of UID values or
user names that are allowed to access the PAC
responder. User names are resolved to UIDs at
startup.
</para>
<para>
Default: 0 (only the root user is allowed to access
the PAC responder)
</para>
<para>
Please note that although the UID 0 is used as the
default it will be overwritten with this option. If
you still want to allow the root user to access the
PAC responder, which would be the typical case, you
have to add 0 to the list of allowed UIDs as well.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1>
<refsect1 id='domain-sections'>
<title>DOMAIN SECTIONS</title>
<para>
These configuration options can be present in a domain
configuration section, that is, in a section called
<quote>[domain/<replaceable>NAME</replaceable>]</quote>
<variablelist>
<varlistentry>
<term>min_id,max_id (integer)</term>
<listitem>
<para>
UID and GID limits for the domain. If a domain
contains an entry that is outside these limits, it
is ignored.
</para>
<para>
For users, this affects the primary GID limit. The
user will not be returned to NSS if either the
UID or the primary GID is outside the range. For
non-primary group memberships, those that are in
range will be reported as expected.
</para>
<para>
Default: 1 for min_id, 0 (no limit) for max_id
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>enumerate (bool)</term>
<listitem>
<para>
Determines if a domain can be enumerated. This
parameter can have one of the following values:
</para>
<para>
TRUE = Users and groups are enumerated
</para>
<para>
FALSE = No enumerations for this domain
</para>
<para>
Default: FALSE
</para>
<para>
Note: Enabling enumeration has a moderate
performance impact on SSSD while enumeration
is running. It may take up to several minutes
after SSSD startup to fully complete enumerations.
During this time, individual requests for
information will go directly to LDAP, though it
may be slow, due to the heavy enumeration
processing.
</para>
<para>
While the first enumeration is running, requests
for the complete user or group lists may return
no results until it completes.
</para>
<para>
Further, enabling enumeration may increase the time
necessary to detect network disconnection, as
longer timeouts are required to ensure that
enumeration lookups are completed successfully.
For more information, refer to the man pages for
the specific id_provider in use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss consider
entries valid before asking the backend again
</para>
<para>
Default: 5400
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_user_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss consider
user entries valid before asking the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_group_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss consider
group entries valid before asking the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_netgroup_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss consider
netgroup entries valid before asking the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>entry_cache_service_timeout (integer)</term>
<listitem>
<para>
How many seconds should nss_sss consider
service entries valid before asking the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry condition="with_sudo">
<term>entry_cache_sudo_timeout (integer)</term>
<listitem>
<para>
How many seconds should sudo consider
rules valid before asking the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry condition="with_autofs">
<term>entry_cache_autofs_timeout (integer)</term>
<listitem>
<para>
How many seconds should the autofs service
consider automounter maps valid before asking
the backend again
</para>
<para>
Default: entry_cache_timeout
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>cache_credentials (bool)</term>
<listitem>
<para>
Determines if user credentials are also cached
in the local LDB cache
</para>
<para>
User credentials are stored in a SHA512 hash, not
in plaintext
</para>
<para>
Default: FALSE
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>account_cache_expiration (integer)</term>
<listitem>
<para>
Number of days entries are left in cache after
last successful login before being removed during
a cleanup of the cache. 0 means keep forever.
The value of this parameter must be greater than or
equal to offline_credentials_expiration.
</para>
<para>
Default: 0 (unlimited)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pwd_expiration_warning (integer)</term>
<listitem>
<para>
Display a warning N days before the password expires.
</para>
<para>
If zero is set, then this filter is not applied,
i.e. if the expiration warning was received from
backend server, it will automatically be displayed.
</para>
<para>
Please note that the backend server has to provide
information about the expiration time of the password.
If this information is missing, sssd cannot display a
warning. Also an auth provider has to be configured for
the backend.
</para>
<para>
Default: 7 (Kerberos), 0 (LDAP)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>id_provider (string)</term>
<listitem>
<para>
The identification provider used for the domain.
Supported ID providers are:
</para>
<para>
proxy: Support a legacy NSS provider
</para>
<para>
<quote>local</quote>: SSSD internal provider for
local users
</para>
<para>
<quote>ldap</quote>: LDAP provider. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring LDAP.
</para>
<para>
<quote>ipa</quote>: FreeIPA and Red Hat Enterprise
Identity Management provider. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring FreeIPA.
</para>
<para>
<quote>ad</quote>: Active Directory provider. See
<citerefentry>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring Active Directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>use_fully_qualified_names (bool)</term>
<listitem>
<para>
Use the full name and domain (as formatted by
the domain's full_name_format) as the user's login
name reported to NSS.
</para>
<para>
If set to TRUE, all requests to this domain
must use fully qualified names. For example,
if used in LOCAL domain that contains a "test"
user, <command>getent passwd test</command>
wouldn't find the user while <command>getent
passwd test@LOCAL</command> would.
</para>
<para>
Default: FALSE
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>auth_provider (string)</term>
<listitem>
<para>
The authentication provider used for the domain.
Supported auth providers are:
</para>
<para>
<quote>ldap</quote> for native LDAP authentication. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring LDAP.
</para>
<para>
<quote>krb5</quote> for Kerberos authentication. See
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring Kerberos.
</para>
<para>
<quote>ipa</quote>: FreeIPA and Red Hat Enterprise
Identity Management provider. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring FreeIPA.
</para>
<para>
<quote>ad</quote>: Active Directory provider. See
<citerefentry>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring Active Directory.
</para>
<para>
<quote>proxy</quote> for relaying authentication to some other PAM target.
</para>
<para>
<quote>none</quote> disables authentication explicitly.
</para>
<para>
Default: <quote>id_provider</quote> is used if it
is set and can handle authentication requests.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>access_provider (string)</term>
<listitem>
<para>
The access control provider used for the domain.
There are two built-in access providers (in
addition to any included in installed backends)
Internal special providers are:
</para>
<para>
<quote>permit</quote> always allow access. It's the only permitted access provider for a local domain.
</para>
<para>
<quote>deny</quote> always deny access.
</para>
<para>
<quote>ldap</quote> for native LDAP authentication. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring LDAP.
</para>
<para>
<quote>ipa</quote>: FreeIPA and Red Hat Enterprise
Identity Management provider. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring FreeIPA.
</para>
<para>
<quote>ad</quote>: Active Directory provider. See
<citerefentry>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring Active Directory.
</para>
<para>
<quote>simple</quote> access control based on access
or deny lists. See <citerefentry>
<refentrytitle>sssd-simple</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for more
information on configuring the simple access module.
</para>
<para>
Default: <quote>permit</quote>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>chpass_provider (string)</term>
<listitem>
<para>
The provider which should handle change password
operations for the domain.
Supported change password providers are:
</para>
<para>
<quote>ldap</quote> to change a password stored
in a LDAP server. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring LDAP.
</para>
<para>
<quote>krb5</quote> to change the Kerberos
password. See
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring Kerberos.
</para>
<para>
<quote>ipa</quote>: FreeIPA and Red Hat Enterprise
Identity Management provider. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring FreeIPA.
</para>
<para>
<quote>ad</quote>: Active Directory provider. See
<citerefentry>
<refentrytitle>sssd-ad</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on
configuring Active Directory.
</para>
<para>
<quote>proxy</quote> for relaying password changes
to some other PAM target.
</para>
<para>
<quote>none</quote> disallows password changes explicitly.
</para>
<para>
Default: <quote>auth_provider</quote> is used if it
is set and can handle change password requests.
</para>
</listitem>
</varlistentry>
<varlistentry condition="with_sudo">
<term>sudo_provider (string)</term>
<listitem>
<para>
The SUDO provider used for the domain.
Supported SUDO providers are:
</para>
<para>
<quote>ldap</quote> for rules stored in LDAP. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring LDAP.
</para>
<para>
<quote>none</quote> disables SUDO explicitly.
</para>
<para>
Default: The value of <quote>id_provider</quote> is used if it
is set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>selinux_provider (string)</term>
<listitem>
<para>
The provider which should handle loading of selinux
settings. Note that this provider will be called right
after access provider ends.
Supported selinux providers are:
</para>
<para>
<quote>ipa</quote> to load selinux settings
from an IPA server. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring IPA.
</para>
<para>
<quote>none</quote> disallows fetching selinux settings explicitly.
</para>
<para>
Default: <quote>id_provider</quote> is used if it
is set and can handle selinux loading requests.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>subdomains_provider (string)</term>
<listitem>
<para>
The provider which should handle fetching of subdomains.
This value should be always the same as id_provider.
Supported subdomain providers are:
</para>
<para>
<quote>ipa</quote> to load a list of subdomains
from an IPA server. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring IPA.
</para>
<para>
<quote>none</quote> disallows fetching subdomains explicitly.
</para>
<para>
Default: none
</para>
</listitem>
</varlistentry>
<varlistentry condition="with_autofs">
<term>autofs_provider (string)</term>
<listitem>
<para>
The autofs provider used for the domain.
Supported autofs providers are:
</para>
<para>
<quote>ldap</quote> to load maps stored in LDAP. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring LDAP.
</para>
<para>
<quote>ipa</quote> to load maps stored in an IPA
server. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring IPA.
</para>
<para>
<quote>none</quote> disables autofs explicitly.
</para>
<para>
Default: The value of <quote>id_provider</quote> is used if it
is set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>hostid_provider (string)</term>
<listitem>
<para>
The provider used for retrieving host identity information.
Supported hostid providers are:
</para>
<para>
<quote>ipa</quote> to load host identity stored in an IPA
server. See
<citerefentry>
<refentrytitle>sssd-ipa</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more information on configuring IPA.
</para>
<para>
<quote>none</quote> disables hostid explicitly.
</para>
<para>
Default: The value of <quote>id_provider</quote> is used if it
is set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>re_expression (string)</term>
<listitem>
<para>
Regular expression for this domain that describes
how to parse the string containing user name and
domain into these components.
</para>
<para>
Default for the AD and IPA provider:
<quote>(((?P&lt;domain&gt;[^\\]+)\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\]+)$))</quote>
which allows three different styles for user names:
<itemizedlist>
<listitem>
<para>username</para>
</listitem>
<listitem>
<para>username@domain.name</para>
</listitem>
<listitem>
<para>domain\username</para>
</listitem>
</itemizedlist>
While the first two correspond to the general
default the third one is introduced to allow easy
integration of users from Windows domains.
</para>
<para>
Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
which translates to "the name is everything up to
the <quote>@</quote> sign, the domain everything
after that"
</para>
<para>
PLEASE NOTE: the support for non-unique named
subpatterns is not available on all platforms
(e.g. RHEL5 and SLES10). Only platforms with
libpcre version 7 or higher can support non-unique
named subpatterns.
</para>
<para>
PLEASE NOTE ALSO: older version of libpcre only
support the Python syntax (?P&lt;name&gt;) to label
subpatterns.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>full_name_format (string)</term>
<listitem>
<para>
A <citerefentry>
<refentrytitle>printf</refentrytitle>
<manvolnum>3</manvolnum>
</citerefentry>-compatible format that describes how to
translate a (name, domain) tuple for this domain into a fully
qualified name.
</para>
<para>
Default: <quote>%1$s@%2$s</quote>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>lookup_family_order (string)</term>
<listitem>
<para>
Provides the ability to select preferred address family
to use when performing DNS lookups.
</para>
<para>
Supported values:
</para>
<para>
ipv4_first: Try looking up IPv4 address, if that fails, try IPv6
</para>
<para>
ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
</para>
<para>
ipv6_first: Try looking up IPv6 address, if that fails, try IPv4
</para>
<para>
ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
</para>
<para>
Default: ipv4_first
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dns_resolver_timeout (integer)</term>
<listitem>
<para>
Defines the amount of time (in seconds) to wait for a reply from
the DNS resolver before assuming that it is unreachable. If this
timeout is reached, the domain will continue to operate in
offline mode.
</para>
<para>
Default: 5
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>dns_discovery_domain (string)</term>
<listitem>
<para>
If service discovery is used in the back end, specifies
the domain part of the service discovery DNS query.
</para>
<para>
Default: Use the domain part of machine's hostname
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>override_gid (integer)</term>
<listitem>
<para>
Override the primary GID value with the one specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>case_sensitive (boolean)</term>
<listitem>
<para>
Treat user and group names as case sensitive. At
the moment, this option is not supported in
the local provider.
</para>
<para>
Default: True
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>proxy_fast_alias (boolean)</term>
<listitem>
<para>
When a user or group is looked up by name in
the proxy provider, a second lookup by ID is
performed to "canonicalize" the name in case
the requested name was an alias. Setting this
option to true would cause the SSSD to perform
the ID lookup from cache for performance reasons.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>subdomain_homedir (string)</term>
<listitem>
<para>
Use this homedir as default value for all subdomains
within this domain. See <emphasis>override_homedir</emphasis>
for info about possible values.
</para>
<para>
The value can be overridden by
<emphasis>override_homedir</emphasis> option.
</para>
<para>
Default: <filename>/home/%d/%u</filename>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
Options valid for proxy domains.
<variablelist>
<varlistentry>
<term>proxy_pam_target (string)</term>
<listitem>
<para>
The proxy target PAM proxies to.
</para>
<para>
Default: not set by default, you have to take an
existing pam configuration or create a new one and
add the service name here.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>proxy_lib_name (string)</term>
<listitem>
<para>
The name of the NSS library to use in proxy
domains. The NSS functions searched for in the
library are in the form of
_nss_$(libName)_$(function), for example
_nss_files_getpwent.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<refsect2 id='local_domain'>
<title>The local domain section</title>
<para>
This section contains settings for domain that stores users and
groups in SSSD native database, that is, a domain that uses
<replaceable>id_provider=local</replaceable>.
</para>
<variablelist>
<title>Section parameters</title>
<varlistentry>
<term>default_shell (string)</term>
<listitem>
<para>
The default shell for users created
with SSSD userspace tools.
</para>
<para>
Default: <filename>/bin/bash</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>base_directory (string)</term>
<listitem>
<para>
The tools append the login name to
<replaceable>base_directory</replaceable> and
use that as the home directory.
</para>
<para>
Default: <filename>/home</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>create_homedir (bool)</term>
<listitem>
<para>
Indicate if a home directory should be created by default for new users.
Can be overridden on command line.
</para>
<para>
Default: TRUE
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>remove_homedir (bool)</term>
<listitem>
<para>
Indicate if a home directory should be removed by default for deleted users.
Can be overridden on command line.
</para>
<para>
Default: TRUE
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>homedir_umask (integer)</term>
<listitem>
<para>
Used by
<citerefentry>
<refentrytitle>sss_useradd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry> to specify the default permissions on a newly created
home directory.
</para>
<para>
Default: 077
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>skel_dir (string)</term>
<listitem>
<para>
The skeleton directory, which contains files
and directories to be copied in the user's
home directory, when the home directory is
created by
<citerefentry>
<refentrytitle>sss_useradd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>
</para>
<para>
Default: <filename>/etc/skel</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>mail_dir (string)</term>
<listitem>
<para>
The mail spool directory. This is needed to
manipulate the mailbox when its corresponding
user account is modified or deleted.
If not specified, a default
value is used.
</para>
<para>
Default: <filename>/var/mail</filename>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>userdel_cmd (string)</term>
<listitem>
<para>
The command that is run after a user is removed.
The command us passed the username of the user being
removed as the first and only parameter. The return
code of the command is not taken into account.
</para>
<para>
Default: None, no command is run
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1>
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example shows a typical SSSD config. It does
not describe configuration of the domains themselves - refer to
documentation on configuring domains for more details.
<programlisting>
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = False
</programlisting>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>