Provided by:
sssd_0.5.0-0ubuntu2_i386 
NAME
sssd.conf - the configuration file for SSSD
FILE FORMAT
The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in square
brackets and continues until the next section begins. An example of
section with single and multi-valued parameters:
[section]
key = value
key2 = value2,value3
The data types used are string (no quotes needed), integer and bool
(with values of “TRUE/FALSE”).
A line comment starts with a hash sign (“#”) or a semicolon (“;”)
All sections can have an optional description parameter. Its function
is only as a label for the section.
SPECIAL SECTIONS
The [services] section
Individual pieces of SSSD functionality are provided by special SSSD
services that are started and stopped together with SSSD. The services
are managed by a special service called “monitor”.
Section parameters
activeServices
Comma separated list of services that are started when sssd itself
starts. Since Data Provider (“dp”) is a required service, it will
be started even if omitted.
Default: dp
Supported services: dp, nss, pam
reconnection_retries
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up
Default: 3
The [domains] section
A domain is a database containing user information. SSSD can use more
domains at the same time, but at least one must be configured or SSSD
won´t start.
Section parameters
domains
The list of domains in the order you want them to be queried
The [names] section
This section allows to configure how a name, or a fully qualified name
looks like. These settings are used by both the PAM and NSS responders.
Section parameters
re-expression (string)
Regular expression that describes how to parse the string
containing user name and domain into these components.
Default: “(?<name>[^@]+)@?(?<domain>[^@]*$)” which translates to
"the name is everything up to the “@” sign, the domain everything
after that"
full-name-format (string)
A printf(3)-compatible format that describes how to translate a
(name, domain) tuple into a fully qualified name.
Default: “%1$s@%2$s”.
The [user_defaults] section
This section contains settings that alter default values used when
adding a user with SSSD userspace tools (sss_useradd).
Section parameters
defaultShell (string)
The default shell for users created with SSSD userspace tools.
Default: /bin/bash
baseDirectory (string)
The tools append the login name to baseDirectory and use that as
the home directory.
Default: /home
SERVICES SECTIONS
Settings that can be used to configure different services are described
in this section. They should reside in the [services/NAME] section, for
example, for NSS service, the section would be “[services/nss]”
General service configuration options
These options can be used to configure any service.
debug-level (integer)
Sets the debug level for the service. The value can be in range
from 0 (only critical messages) to 10 (very verbose).
Default: 0
reconnection_retries (integer)
Number of times services should attempt to reconnect in the event
of a Data Provider crash or restart before they give up
Default: 3
command (string)
By default, the executable representing this service is called
sssd_${service_name}. This directive allows to change the
executable name for the service. In the vast majority of
configurations, the default values should suffice.
Default: sssd_${service_name}
Monitor configuration options
Monitor is the central controller of the SSSD. It is responsible for
running all the other services that provide specific pieces of
functionality.
sbusAddress (string)
The services in sssd communicate over an internal wrapper on top of
D-Bus called S-Bus. This directive can be used to specify the
address to connect to. The vast majority of configurations will not
need to change this setting.
sbusTimeout (string)
Specifies the timeout for messages sent over the SBUS.
Default: -1 (implies a reasonable timeout as defined by the D-BUS
library)
NSS configuration options
These options can be used to configure the Name Service Switch (NSS)
service.
EnumCacheTimeout (integer)
How long should nss_sss cache enumerations (requests for info about
all users)
Default: 120
EntryCacheTimeout (integer)
How long should nss_sss cache positive cache hits (that is, queries
for valid database entries) before asking the backend again
Default: 600
EntryNegativeTimeout (integer)
How long should nss_sss cache negative cache hits (that is, queries
for invalid database entries, like nonexistent ones) before asking
the backend again
Default: 15
filterUsers, filterGroups (string)
Exclude certain users from being fetched from the sss NSS database.
This is particulary useful for system accounts like root.
filterUsersInGroups (bool)
If you want filtered user still be group members set this option to
false.
Default: true
DOMAIN SECTIONS
These configuration options can be present in a domain configuration
section, that is, in a section called “[domains/NAME]”
minId,maxId (integer)
UID limits for the domain. If a domain contains entry that is
outside these limits, it is ignored
Default: 0 (no limit)
timeout (integer)
Timeout in seconds for this particular domain. Raising this timeout
might prove useful for slower backends like distant LDAP servers.
Default: 0 (no timeout)
magicPrivateGroups (bool)
By using the Magic Private Groups option, you are imposing two
limitations to the ID space and name space:
1. Users and groups in the domain share a common name space. There
can never be an explicit group with the same name as a user
2. Users and groups share a common ID space, there can never be an
explicit group with a same ID as a user
Using Magic Private groups bring the benefit of better Windows
Interoperability (in Windows, the ID and name spaces are unique)
and also avoids creating a group for every user, thus cluttering
the group space. Also, for NSS calls, every user is actually
returned as user´s private group without having to explicitly
create the group, thus having the same effect as User Private
Groups
Default: FALSE*
*Magic Private Groups are always enabled when provider=local and
this setting does not affect that in any way. For other providers,
Magic Private Groups default to FALSE
enumerate (integer)
Determines if a domain can be enumerated. This parameter can have
one of the following values:
0 = No enumeration
1 = Enumerate users
2 = Enumerate groups
3 = Enumerate both
Default: 0
cache-credentials (bool)
Determines if user credentials are also cached in the local LDB
cache
Default: FALSE
legacy (bool)
A legacy domain is a strictly POSIX domain in terms of attributes
it supports. Groups in legacy domains can´t be nested.
Default: FALSE
store-legacy-passwords (bool)
Whether to also store passwords in a legacy domain
Default: FALSE
provider (string)
The Data Provider backend to use for this domain.
Supported backends:
files: traditional UNIX files (/etc/passwd)
proxy: Support a legacy NSS provider
local: SSSD internal local provider
ldap: LDAP provider
useFullyQualifiedNames (bool)
If set to TRUE, all requests to this domain must use fully
qualified names. For example, if used in LOCAL domain that contains
a "test" user, getent passwd test wouldn´t find the user while
getent passwd test@LOCAL would.
Default: FALSE
Options valid for proxy domains.
auth-module (string)
The authentication module used. Two authentication modules are
provided - “ldap” for native LDAP authentication and “proxy”, used
for relaying authentication to some other PAM target.
pam-target (string)
The proxy target PAM proxies to.
Default: sssd_pam_proxy_default
libName (string)
The name of the NSS library to use in proxy domains. The NSS
functions searched for in the library are in the form of
_nss_$(libName)_$(function), for example _nss_files_getpwent.
EXAMPLE
The following example shows a typical SSSD config. It does not describe
configuration of the domains themselves - refer to documentation on
configuring domains for more details.
[services]
description = Local Service Configuration
activeServices = nss, pam
reconnection_retries = 3
[services/nss]
description = NSS Responder Configuration
filterGroups = root
filterUsers = root
debug-level = 4
[services/dp]
description = Data Provider Configuration
debug-level = 4
[services/pam]
description = PAM Responder Configuration
[services/monitor]
description = Service Monitor Configuration
[domains]
description = Domains served by SSSD
domains = LOCAL,FILES
[domains/LOCAL]
description = LOCAL Users domain
enumerate = 3
minId = 5000
maxId = 30000
legacy = FALSE
magicPrivateGroups = TRUE
provider = local
[domains/FILES]
description = Users stored in UNIX files
enumerate = 3
minId = 500
maxId = 4999
provider = files
SEE ALSO
sssd.conf(5), sss_groupadd(8), sss_groupdel(8), sss_groupmod(8),
sss_useradd(8), sss_userdel(8), sss_usermod(8).
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd