Provided by: sssd_0.5.0-0ubuntu2_i386

NAME
       sssd.conf - the configuration file for SSSD


FILE FORMAT
       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of a
       section with single- and multi-valued parameters:

                           [section]
                           key = value
                           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A line comment starts with a hash sign (“#”) or a semicolon (“;”)

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

SPECIAL SECTIONS
   The [services] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service called “monitor”.

       Section parameters

       activeServices (string)
           Comma separated list of services that are started when sssd itself
           starts. Since the Data Provider (“dp”) is a required service, it
           will be started even if omitted.

           Default: dp

           Supported services: dp, nss, pam

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

   The [domains] section
       A domain is a database containing user information. SSSD can use
       several domains at the same time, but at least one must be configured
       or SSSD won't start.

       Section parameters

       domains (string)
           Comma separated list of domains in the order you want them to be
           queried. A name that is not fully qualified is looked up in each
           domain in this order, so the first domain that knows the name
           answers for it.

   The [names] section
       This section configures how a name, or a fully qualified name, is
       parsed and formatted. These settings are used by both the PAM and NSS
       responders.

       Section parameters

       re-expression (string)
           Regular expression that describes how to parse the string
           containing user name and domain into these components.

           Default: “(?<name>[^@]+)@?(?<domain>[^@]*$)” which translates to
           "the name is everything up to the “@” sign, the domain everything
           after that"

       full-name-format (string)
           A printf(3)-compatible format that describes how to translate a
           (name, domain) tuple into a fully qualified name.

           Default: “%1$s@%2$s”.

   The [user_defaults] section
       This section contains settings that alter default values used when
       adding a user with SSSD userspace tools (sss_useradd).

       Section parameters

       defaultShell (string)
           The default shell for users created with SSSD userspace tools.

           Default: /bin/bash

       baseDirectory (string)
           The tools append the login name to baseDirectory and use that as
           the home directory.

           Default: /home


SERVICES SECTIONS
       Settings that can be used to configure different services are described
       in this section. They should reside in the [services/NAME] section; for
       example, for the NSS service, the section would be “[services/nss]”.

   General service configuration options
       These options can be used to configure any service.

       debug-level (integer)
           Sets the debug level for the service. The value can be in range
           from 0 (only critical messages) to 10 (very verbose).

           Default: 0

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up.

           Default: 3

       command (string)
           By default, the executable representing this service is called
           sssd_${service_name}. This directive allows changing the
           executable name for the service. In the vast majority of
           configurations, the default value should suffice. Because the
           monitor executes whatever this option names, sssd.conf must not be
           writable by anyone other than root.

           Default: sssd_${service_name}

   Monitor configuration options
       Monitor is the central controller of the SSSD. It is responsible for
       running all the other services that provide specific pieces of

       sbusAddress (string)
           The services in sssd communicate over an internal wrapper on top of
           D-Bus called S-Bus. This directive can be used to specify the
           address to connect to. The vast majority of configurations will not
           need to change this setting.

       sbusTimeout (string)
           Specifies the timeout for messages sent over the SBUS.

           Default: -1 (implies a reasonable timeout as defined by the D-BUS

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)

       EnumCacheTimeout (integer)
           How long should nss_sss cache enumerations (requests for info about
           all users)

           Default: 120

       EntryCacheTimeout (integer)
           How long should nss_sss cache positive cache hits (that is, queries
           for valid database entries) before asking the backend again

           Default: 600

       EntryNegativeTimeout (integer)
           How long should nss_sss cache negative cache hits (that is, queries
           for invalid database entries, like nonexistent ones) before asking
           the backend again

           Default: 15

       filterUsers, filterGroups (string)
           Exclude certain users (groups) from being fetched from the sss NSS
           database. This is particularly useful for system accounts like
           root: a filtered name is never answered from a domain, so a remote
           backend cannot supply its own entry for it.

       filterUsersInGroups (bool)
           If you want filtered users to still be listed as group members, set
           this option to

           Default: true


DOMAIN SECTIONS
       These configuration options can be present in a domain configuration
       section, that is, in a section called “[domains/NAME]”.

       minId, maxId (integer)
           UID limits for the domain. If a domain contains an entry that is
           outside these limits, it is ignored.

           Default: 0 (no limit)

       timeout (integer)
           Timeout in seconds for this particular domain. Raising this timeout
           might prove useful for slower backends like distant LDAP servers.

           Default: 0 (no timeout)

       magicPrivateGroups (bool)
           By using the Magic Private Groups option, you are imposing two
           limitations on the ID space and name space:

           1. Users and groups in the domain share a common name space. There
           can never be an explicit group with the same name as a user

           2. Users and groups share a common ID space, there can never be an
           explicit group with the same ID as a user

           Using Magic Private Groups brings the benefit of better Windows
           interoperability (in Windows, the ID and name spaces are unique)
           and also avoids creating a group for every user, thus cluttering
           the group space. Also, for NSS calls, every user is actually
           returned as the user's private group without having to explicitly
           create the group, thus having the same effect as User Private

           Default: FALSE*

           *Magic Private Groups are always enabled when provider=local and
           this setting does not affect that in any way. For other providers,
           Magic Private Groups default to FALSE
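       An added example, not code from SSSD, modelling what the NSS filtering
       options above (filterUsers, filterGroups and filterUsersInGroups from
       [services/nss]) and the domain options minId/maxId and
       magicPrivateGroups do to the entries a backend returns. The record
       types, the sample backend data, the choice to apply the ID window to
       group IDs as well, and the decision to reject an explicit group that
       collides with a user are this example's own assumptions, not behaviour
       taken from the page:

```python
"""Apply a domain's NSS filtering policy to records fetched from a backend.

Added example, not SSSD's own code: it models what minId/maxId,
filterUsers/filterGroups, filterUsersInGroups and magicPrivateGroups do to
the passwd and group entries a responder hands to nss_sss. The record types,
the use of the ID window for groups too, the rejection of colliding explicit
groups and the sample backend data are this example's own constructions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _bool(value, default):
    return default if value is None else value.strip().upper() == "TRUE"


def _in_window(ident, min_id, max_id):
    # 0 means "no limit" for either bound, as the man page defines it.
    return not (min_id and ident < min_id) and not (max_id and ident > max_id)


def nss_view(domain, nss, users, groups):
    """Return (passwd, group) lists as nss_sss would expose them.

    domain: options of a [domains/NAME] section; nss: options of [services/nss].
    """
    min_id, max_id = int(domain.get("minId", 0)), int(domain.get("maxId", 0))
    hidden_users = set(_csv(nss.get("filterUsers", "")))
    hidden_groups = set(_csv(nss.get("filterGroups", "")))
    keep_hidden_members = _bool(nss.get("filterUsersInGroups"), True)
    # Magic Private Groups are always on for provider=local.
    magic = domain.get("provider") == "local" or _bool(domain.get("magicPrivateGroups"), False)

    # Drop filtered names and anything outside the domain's ID window, so a
    # backend cannot hand back a uid-0 "root" or an entry from another range.
    passwd = [u for u in users
              if u.name not in hidden_users and _in_window(u.uid, min_id, max_id)]
    group = []
    for g in groups:
        if g.name in hidden_groups or not _in_window(g.gid, min_id, max_id):
            continue
        members = list(g.members)
        if not keep_hidden_members:
            members = [m for m in members if m not in hidden_users]
        group.append(Group(g.name, g.gid, members))

    if magic:
        # One shared name and ID space: an explicit group may not collide with
        # a user (this example rejects it; the page does not say what SSSD
        # does), and every user is also answered as its own private group
        # without one being stored in the backend.
        names, ids = {u.name for u in passwd}, {u.uid for u in passwd}
        for g in group:
            if g.name in names or g.gid in ids:
                raise ValueError(f"group {g.name!r}/{g.gid} collides with a user")
        group.extend(Group(u.name, u.uid, [u.name]) for u in passwd)
    return passwd, group


# Constructed backend records: the backend also claims a root entry and a
# low-uid service account that a domain with minId=5000 should never expose.
SAMPLE_USERS = [User("root", 0, 0), User("svc", 42, 42),
                User("alice", 5001, 5001), User("bob", 5002, 5002)]
SAMPLE_GROUPS = [Group("root", 0, ["root"]),
                 Group("staff", 5100, ["alice", "bob", "root"])]
NSS = {"filterUsers": "root", "filterGroups": "root", "filterUsersInGroups": "FALSE"}


def demo(provider="ldap"):
    """Entries an ldap (or local) domain with minId=5000, maxId=30000 exposes."""
    passwd, group = nss_view(
        {"provider": provider, "minId": "5000", "maxId": "30000"},
        NSS, SAMPLE_USERS, SAMPLE_GROUPS)
    return [u.name for u in passwd], [(g.name, g.gid, g.members) for g in group]


if __name__ == "__main__":
    print(demo("ldap"))
    print(demo("local"))
```

       With provider=ldap the root and svc records never reach NSS, and
       because filterUsersInGroups is FALSE root also disappears from the
       staff member list; with provider=local the same two users are
       additionally answered as the groups alice/5001 and bob/5002.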

       enumerate (integer)
           Determines if a domain can be enumerated, that is, whether its
           complete user or group list can be requested (as getent passwd
           does). Enumeration exposes that list to every local process, so
           leave it at 0 unless something needs it. This parameter can have
           one of the following values:

           0 = No enumeration

           1 = Enumerate users

           2 = Enumerate groups

           3 = Enumerate both

           Default: 0

       cache-credentials (bool)
           Determines if user credentials are also cached in the local LDB

           Default: FALSE

       legacy (bool)
           A legacy domain is a strictly POSIX domain in terms of the
           attributes it supports. Groups in legacy domains can't be nested.

           Default: FALSE

       store-legacy-passwords (bool)
           Whether to also store passwords in a legacy domain

           Default: FALSE

       provider (string)
           The Data Provider backend to use for this domain.

           Supported backends:

           files: traditional UNIX files (/etc/passwd)

           proxy: Support a legacy NSS provider

           local: SSSD internal local provider

           ldap: LDAP provider

       useFullyQualifiedNames (bool)
           If set to TRUE, all requests to this domain must use fully
           qualified names. For example, if used in a LOCAL domain that
           contains a "test" user, getent passwd test wouldn't find the user
           while getent passwd test@LOCAL would.

           Default: FALSE
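       An added example, not code from SSSD, that ties together the [names]
       defaults (re-expression and full-name-format), the domain order from
       the [domains] section and the useFullyQualifiedNames rule above. The
       regex is rewritten from PCRE's (?<name>...) to Python's (?P<name>...)
       and the printf format “%1$s@%2$s” to str.format's "{0}@{1}"; the config
       dicts and the backend tables are constructed stand-ins for the Data
       Providers:

```python
"""Split a login name into (name, domain) and route the lookup across domains.

Added example, not code from SSSD: it models the [names] defaults together
with the [domains] ordering and useFullyQualifiedNames. The regex and the
format string are Python translations of the man page's defaults; CONFIG and
BACKENDS are constructed sample data.
"""
import re

# Python spelling of the default re-expression “(?<name>[^@]+)@?(?<domain>[^@]*$)”.
DEFAULT_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")
# Python spelling of the default full-name-format “%1$s@%2$s”.
DEFAULT_FORMAT = "{0}@{1}"


def split_name(raw, expression=DEFAULT_RE):
    """Return (name, domain); domain is '' when the input carries no '@'."""
    m = expression.match(raw)
    if m is None:  # e.g. two '@' signs: [^@]* cannot swallow the second one
        raise ValueError(f"cannot parse {raw!r} with re-expression")
    return m.group("name"), m.group("domain")


def full_name(name, domain, fmt=DEFAULT_FORMAT):
    """Build the fully qualified name the way full-name-format prescribes."""
    return fmt.format(name, domain)


def route_lookup(raw, config, backends):
    """Return (domain, record) from the first domain that answers, else None.

    config:   {"domains": "LOCAL,FILES", "LOCAL": {...}, "FILES": {...}},
              i.e. the [domains] list plus each [domains/NAME] section.
    backends: {domain: {user: record}} standing in for the Data Providers.
    """
    name, domain = split_name(raw)
    order = [d.strip() for d in config["domains"].split(",")]
    if domain:
        # A qualified name goes only to the named domain; an unknown domain
        # is a miss rather than a fallback to the others.
        candidates = [domain] if domain in order else []
    else:
        # Unqualified: try the domains in configured order, skipping any that
        # insists on fully qualified names (useFullyQualifiedNames = TRUE).
        candidates = [d for d in order if config[d].get(
            "useFullyQualifiedNames", "FALSE").upper() != "TRUE"]
    for d in candidates:
        record = backends.get(d, {}).get(name)
        if record is not None:
            return d, record
    return None


# Constructed sample: LOCAL demands qualified names, FILES does not, and the
# same short name "test" exists in both domains.
CONFIG = {
    "domains": "LOCAL,FILES",
    "LOCAL": {"provider": "local", "useFullyQualifiedNames": "TRUE"},
    "FILES": {"provider": "files"},
}
BACKENDS = {
    "LOCAL": {"test": {"uid": 5001, "home": "/home/test"}},
    "FILES": {"test": {"uid": 1000, "home": "/home/test"}, "bob": {"uid": 1001}},
}

if __name__ == "__main__":
    for query in ("test", "test@LOCAL", "bob", "bob@LOCAL"):
        print(f"{query:>12} -> {route_lookup(query, CONFIG, BACKENDS)}")
```

       The unqualified "test" skips LOCAL and resolves in FILES, exactly the
       getent behaviour the page describes, while "test@LOCAL" reaches the
       LOCAL record. When two domains can both answer a short name, the one
       listed first in domains wins, so list the most trusted domain first.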

       The following options are valid for proxy domains.

       auth-module (string)
           The authentication module used. Two authentication modules are
           provided - “ldap” for native LDAP authentication and “proxy”, used
           for relaying authentication to some other PAM target.

       pam-target (string)
           The proxy target PAM proxies to.

           Default: sssd_pam_proxy_default

       libName (string)
           The name of the NSS library to use in proxy domains. The NSS
           functions searched for in the library are in the form of
           _nss_$(libName)_$(function), for example _nss_files_getpwent.


EXAMPLE
       The following example shows a typical SSSD config. It does not describe
       configuration of the domains themselves - refer to documentation on
       configuring domains for more details.

           [services]
           description = Local Service Configuration
           activeServices = nss, pam
           reconnection_retries = 3

           [services/nss]
           description = NSS Responder Configuration
           filterGroups = root
           filterUsers = root
           debug-level = 4

           [services/dp]
           description = Data Provider Configuration
           debug-level = 4

           [services/pam]
           description = PAM Responder Configuration

           [services/monitor]
           description = Service Monitor Configuration

           [domains]
           description = Domains served by SSSD
           domains = LOCAL,FILES

           [domains/LOCAL]
           description = LOCAL Users domain
           enumerate = 3
           minId = 5000
           maxId = 30000
           legacy = FALSE
           magicPrivateGroups = TRUE
           provider = local

           [domains/FILES]
           description = Users stored in UNIX files
           enumerate = 3
           minId = 500
           maxId = 4999
           provider = files
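       An added example, not part of SSSD: a stand-alone validator for the
       sections and options this page documents, using Python's configparser
       for the ini syntax (both “#” and “;” comment lines). Which checks exist,
       the split into errors and warnings, the trimmed copy of the example
       above used as input and the deliberately broken second config are this
       example's own choices:

```python
"""Sanity-check an sssd.conf written in the format this man page describes.

Added example, not part of SSSD. The checks, the error/warning split and
both embedded sample configs are this example's own choices.
"""
import configparser

SERVICES = {"dp", "nss", "pam"}
PROVIDERS = {"files", "proxy", "local", "ldap"}
BOOL_OPTIONS = {"magicPrivateGroups", "cache-credentials", "legacy",
                "store-legacy-passwords", "useFullyQualifiedNames", "filterUsersInGroups"}


def load(text):
    # "#" and ";" both start comment lines; optionxform=str keeps option names
    # case-sensitive so minId and minid are not silently merged.
    cp = configparser.ConfigParser(comment_prefixes=("#", ";"), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def validate(text):
    """Return (errors, warnings); no errors means the config is one SSSD can start on."""
    errors, warnings = [], []
    cp = load(text)

    unknown = set(_csv(cp.get("services", "activeServices", fallback=""))) - SERVICES
    if unknown:
        errors.append(f"[services] unknown activeServices: {sorted(unknown)}")
    for sect in cp.sections():
        for opt in sorted(BOOL_OPTIONS & set(cp[sect])):
            if cp[sect][opt].upper() not in ("TRUE", "FALSE"):
                errors.append(f"[{sect}] {opt} must be TRUE or FALSE, got {cp[sect][opt]!r}")

    # At least one domain must be configured or SSSD will not start.
    domains = _csv(cp.get("domains", "domains", fallback=""))
    if not domains:
        errors.append("[domains] must list at least one domain")
    windows = {}
    for d in domains:
        name = f"domains/{d}"
        if not cp.has_section(name):
            errors.append(f"domain {d} is listed but [{name}] is missing")
            continue
        s = cp[name]
        if s.get("provider") not in PROVIDERS:
            errors.append(f"[{name}] provider must be one of {sorted(PROVIDERS)}")
        lo, hi = int(s.get("minId", "0")), int(s.get("maxId", "0"))
        if lo and hi and lo > hi:
            errors.append(f"[{name}] minId {lo} exceeds maxId {hi}")
        for other, (olo, ohi) in windows.items():
            # 0 means "no limit": treat it as open-ended for the overlap test.
            if max(lo, olo) <= min(hi or 2**32, ohi or 2**32):
                warnings.append(f"ID windows of domains {other} and {d} overlap")
        windows[d] = (lo, hi)
        enum = s.get("enumerate", "0")
        if enum not in ("0", "1", "2", "3"):
            errors.append(f"[{name}] enumerate must be 0..3, got {enum!r}")
        elif enum != "0":
            warnings.append(f"[{name}] enumeration lets any local process list the whole domain")
        if s.get("cache-credentials", "FALSE").upper() == "TRUE":
            warnings.append(f"[{name}] cache-credentials keeps user credentials in the local LDB")
    if "root" not in _csv(cp.get("services/nss", "filterUsers", fallback="")):
        warnings.append("[services/nss] filterUsers does not exclude root")
    return errors, warnings


# Trimmed copy of this man page's example, with its section headers.
EXAMPLE_CONF = """\
[services]
activeServices = nss, pam
[services/nss]
filterUsers = root
filterGroups = root
[domains]
domains = LOCAL,FILES
[domains/LOCAL]
enumerate = 3
minId = 5000
maxId = 30000
magicPrivateGroups = TRUE
provider = local
[domains/FILES]
enumerate = 3
minId = 500
maxId = 4999
provider = files
"""

# Constructed broken config: unknown service, missing domain section, inverted
# ID window, enumerate out of range, non-boolean cache-credentials, no root filter.
BROKEN_CONF = """\
[services]
activeServices = nss, pam, ftp
[domains]
domains = LOCAL, MISSING
[domains/LOCAL]
provider = local
minId = 5000
maxId = 100
enumerate = 7
cache-credentials = yes
"""

if __name__ == "__main__":
    for label, conf in (("example", EXAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(label, validate(conf))
```

       The page's own example loads without errors and draws only the two
       enumeration warnings; the broken config yields five errors and the
       missing-root-filter warning.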


SEE ALSO
       sssd.conf(5), sss_groupadd(8), sss_groupdel(8), sss_groupmod(8),
       sss_useradd(8), sss_userdel(8), sss_usermod(8).


AUTHORS
       The SSSD upstream -