Provided by: sssd_1.0.5-0ubuntu1_i386 bug


       sssd.conf - the configuration file for SSSD


       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of
       section with single and multi-valued parameters:

                           key = value
                           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of “TRUE/FALSE”).

       A line comment starts with a hash sign (“#”) or a semicolon (“;”)

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.


   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called “monitor”. The
       “[sssd]” section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates what is the syntax of the config file. SSSD 0.6.0 and
           later use version 2.

           Comma separated list of services that are started when sssd itself

           Supported services: nss, pam

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up

           Default: 3

           A domain is a database containing user information. SSSD can use
           more domains at the same time, but at least one must be configured
           or SSSD won´t start. This parameter described the list of domains
           in the order you want them to be queried.

       re_expression (string)
           Regular expression that describes how to parse the string
           containing user name and domain into these components.

           Default: “(?P<name>[^@]+)@?(?P<domain>[^@]*$)” which translates to
           "the name is everything up to the “@” sign, the domain everything
           after that"

           PLEASE NOTE: the support for non-unique named subpatterns is not
           available on all plattforms (e.g. RHEL5 and SLES10). Only
           plattforms with libpcre version 7 or higher can support non-unique
           named subpatterns.

           PLEASE NOTE ALSO: older version of libpcre only support the Python
           syntax (?P<name>) to label subpatterns.

       full_name_format (string)
           A printf(3)-compatible format that describes how to translate a
           (name, domain) tuple into a fully qualified name.

           Default: “%1$s@%2$s”.


       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for NSS service, the section would be “[nss]”

   General service configuration options
       These options can be used to configure any service.

       debug_level (integer)
           Sets the debug level for the service. The value can be in range
           from 0 (only critical messages) to 10 (very verbose).

           Default: 0

       debug_timestamps (bool)
           Add a timestamp to the debug messages

           Default: false

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up

           Default: 3

       command (string)
           By default, the executable representing this service is called
           sssd_${service_name}. This directive allows to change the
           executable name for the service. In the vast majority of
           configurations, the default values should suffice.

           Default: sssd_${service_name}

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)

       enum_cache_timeout (integer)
           How long should nss_sss cache enumerations (requests for info about
           all users)

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain´s entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 0

       entry_negative_timeout (integer)
           Specifies for how long nss_sss should cache negative cache hits
           (that is, queries for invalid database entries, like nonexistent
           ones) before asking the back end again.

           Default: 15

       filter_users, filter_groups (string)
           Exclude certain users from being fetched from the sss NSS database.
           This is particulary useful for system accounts.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered user still be group members set this option to

           Default: true

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days).

           Default: 0 (No limit)


       These configuration options can be present in a domain configuration
       section, that is, in a section called “[domain/NAME]”

       min_id,max_id (integer)
           UID limits for the domain. If a domain contains entry that is
           outside these limits, it is ignored

           Default: 1000 for min_id, 0 (no limit) for max_id

       timeout (integer)
           Timeout in seconds between heartbeats for this domain. This is used
           to ensure that the backend process is alive and capable of
           answering requests.

           Default: 10

       enumerate (bool)
           Determines if a domain can be enumerated. This parameter can have
           one of the following values:

           TRUE = Users and groups are enumerated

           FALSE = No enumerations for this domain

           Default: TRUE

       entry_cache_timeout (integer)
           How long should nss_sss consider entries valid before asking the
           backend again

           Default: 600

       cache_credentials (bool)
           Determines if user credentials are also cached in the local LDB

           Default: FALSE

       store_legacy_passwords (bool)
           Whether to also store passwords in a legacy domain

           Default: FALSE

       id_provider (string)
           The Data Provider identity backend to use for this domain.

           Supported backends:

           proxy: Support a legacy NSS provider

           local: SSSD internal local provider

           ldap: LDAP provider

       use_fully_qualified_names (bool)
           If set to TRUE, all requests to this domain must use fully
           qualified names. For example, if used in LOCAL domain that contains
           a "test" user, getent passwd test wouldn´t find the user while
           getent passwd test@LOCAL would.

           Default: FALSE

       auth_provider (string)
           The authentication provider used for the domain. Supported auth
           providers are:

           “ldap” for native LDAP authentication. See sssd-ldap(5) for more
           information on configuring LDAP.

           “krb5” for Kerberos authentication. See sssd-krb5(5) for more
           information on configuring Kerberos.

           “proxy” for relaying authentication to some other PAM target.

           “none” disables authentication explicitly.

           Default: “id_provider” is used if it is set and can handle
           authentication requests.

       access_provider (string)
           The access control provider used for the domain. There are two
           built-in access providers (in addition to any included in installed
           backends) Internal special providers are:

           “permit” always allow access.

           “deny” always deny access.

           Default: “permit”

       chpass_provider (string)
           The provider which should handle change password operations for the
           domain. Supported change password providers are:

           “ldap” to change a password stored in a LDAP server. See sssd-
           ldap(5) for more information on configuring LDAP.

           “krb5” to change the Kerberos password. See sssd-krb5(5) for more
           information on configuring Kerberos.

           “proxy” for relaying password changes to some other PAM target.

           “none” disallows password changes explicitly.

           Default: “auth_provider” is used if it is set and can handle change
           password requests.

       Options valid for proxy domains.

       proxy_pam_target (string)
           The proxy target PAM proxies to.

           Default: not set by default, you have to take an existing pam
           configuration or create a new one and add the service name here.

       proxy_lib_name (string)
           The name of the NSS library to use in proxy domains. The NSS
           functions searched for in the library are in the form of
           _nss_$(libName)_$(function), for example _nss_files_getpwent.

   The local domain section
       This section contains settings for domain that stores users and groups
       in SSSD native database, that is, a domain that uses id_provider=local.

       Section parameters

       default_shell (string)
           The default shell for users created with SSSD userspace tools.

           Default: /bin/bash

       base_directory (string)
           The tools append the login name to base_directory and use that as
           the home directory.

           Default: /home

       create_homedir (bool)
           Indicate if a home directory should be created by default for new
           users. Can be overriden on command line.

           Default: TRUE

       remove_homedir (bool)
           Indicate if a home directory should be removed by default for
           deleted users. Can be overriden on command line.

           Default: TRUE

       homedir_umask (integer)
           Used by sss_useradd(8) to specify the default permissions on a
           newly created home directory.

           Default: 077

       skel_dir (string)
           The skeleton directory, which contains files and directories to be
           copied in the user´s home directory, when the home directory is
           created by sss_useradd(8)

           Default: /etc/skel

       mail_dir (string)
           The mail spool directory. This is needed to manipulate the mailbox
           when its corresponding user account is modified or deleted. If not
           specified, a default value is used.

           Default: /var/mail


       The following example shows a typical SSSD config. It does not describe
       configuration of the domains themselves - refer to documentation on
       configuring domains for more details.

           domains = LOCAL
           services = nss, pam
           config_file_version = 2
           sbus_timeout = 30

           filter_groups = root
           filter_users = root


           id_provider = local
           min_id = 1000
           max_id = 5000
           default_shell = /bin/ksh
           enumerate = true


       sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sss_groupadd(8),
       sss_groupdel(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8),
       sss_usermod(8), pam_sss(8).


       The SSSD upstream -