Provided by: sssd_1.8.2-0ubuntu1_i386 bug

NAME

       sssd.conf - the configuration file for SSSD

FILE FORMAT

       The file has an ini-style syntax and consists of sections and
       parameters. A section begins with the name of the section in square
       brackets and continues until the next section begins. An example of
       section with single and multi-valued parameters:

                           [section]
                           key = value
                           key2 = value2,value3

       The data types used are string (no quotes needed), integer and bool
       (with values of "TRUE/FALSE").

       A line comment starts with a hash sign ("#") or a semicolon (";")

       All sections can have an optional description parameter. Its function
       is only as a label for the section.

       sssd.conf must be a regular file, owned by root and only root may read
       from or write to the file.

SPECIAL SECTIONS

   The [sssd] section
       Individual pieces of SSSD functionality are provided by special SSSD
       services that are started and stopped together with SSSD. The services
       are managed by a special service frequently called "monitor". The
       "[sssd]" section is used to configure the monitor as well as some other
       important options like the identity domains.

       Section parameters

       config_file_version (integer)
           Indicates what is the syntax of the config file. SSSD 0.6.0 and
           later use version 2.

       services
           Comma separated list of services that are started when sssd itself
           starts.

           Supported services: nss, pam , sudo

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up

           Default: 3

       domains
           A domain is a database containing user information. SSSD can use
           more domains at the same time, but at least one must be configured
           or SSSD won't start. This parameter described the list of domains
           in the order you want them to be queried.

       re_expression (string)
           Regular expression that describes how to parse the string
           containing user name and domain into these components.

           Default: "(?P<name>[^@]+)@?(?P<domain>[^@]*$)" which translates to
           "the name is everything up to the "@" sign, the domain everything
           after that"

           PLEASE NOTE: the support for non-unique named subpatterns is not
           available on all platforms (e.g. RHEL5 and SLES10). Only platforms
           with libpcre version 7 or higher can support non-unique named
           subpatterns.

           PLEASE NOTE ALSO: older version of libpcre only support the Python
           syntax (?P<name>) to label subpatterns.

       full_name_format (string)
           A printf(3)-compatible format that describes how to translate a
           (name, domain) tuple into a fully qualified name.

           Default: "%1$s@%2$s".

       try_inotify (boolean)
           SSSD monitors the state of resolv.conf to identify when it needs to
           update its internal DNS resolver. By default, we will attempt to
           use inotify for this, and will fall back to polling resolv.conf
           every five seconds if inotify cannot be used.

           There are some limited situations where it is preferred that we
           should skip even trying to use inotify. In these rare cases, this
           option should be set to 'false'

           Default: true on platforms where inotify is supported. False on
           other platforms.

           Note: this option will have no effect on platforms where inotify is
           unavailable. On these platforms, polling will always be used.

       krb5_rcache_dir (string)
           Directory on the filesystem where SSSD should store Kerberos replay
           cache files.

           This option accepts a special value __LIBKRB5_DEFAULTS__ that will
           instruct SSSD to let libkrb5 decide the appropriate location for
           the replay cache.

           Default: Distribution-specific and specified at build-time.
           (__LIBKRB5_DEFAULTS__ if not configured)

SERVICES SECTIONS

       Settings that can be used to configure different services are described
       in this section. They should reside in the [$NAME] section, for
       example, for NSS service, the section would be "[nss]"

   General service configuration options
       These options can be used to configure any service.

       debug_level (integer)
           Bit mask that indicates which debug levels will be visible. 0x0010
           is the default value as well as the lowest allowed value, 0xFFF0 is
           the most verbose mode. This setting overrides the settings from
           config file.

           Currently supported debug levels:

           0x0010: Fatal failures. Anything that would prevent SSSD from
           starting up or causes it to cease running.

           0x0020: Critical failures. An error that doesn't kill the SSSD, but
           one that indicates that at least one major feature is not going to
           work properly.

           0x0040: Serious failures. An error announcing that a particular
           request or operation has failed.

           0x0080: Minor failures. These are the errors that would percolate
           down to cause the operation failure of 2.

           0x0100: Configuration settings.

           0x0200: Function data.

           0x0400: Trace messages for operation functions.

           0x1000: Trace messages for internal control functions.

           0x2000: Contents of function-internal variables that may be
           interesting.

           0x4000: Extremely low-level tracing information.

           To log required debug levels, simply add their numbers together as
           shown in following examples:

           Example: To log fatal failures, critical failures, serious failures
           and function data use 0x0270.

           Example: To log fatal failures, configuration settings, function
           data, trace messages for internal control functions use 0x1310.

           Note: This is new format of debug levels introduced in 1.7.0. Older
           format (numbers from 0-10) is compatible but deprecated.

       debug_timestamps (bool)
           Add a timestamp to the debug messages

           Default: true

       debug_microseconds (bool)
           Add microseconds to the timestamp in debug messages

           Default: false

       reconnection_retries (integer)
           Number of times services should attempt to reconnect in the event
           of a Data Provider crash or restart before they give up

           Default: 3

       command (string)
           By default, the executable representing this service is called
           sssd_${service_name}. This directive allows to change the
           executable name for the service. In the vast majority of
           configurations, the default values should suffice.

           Default: sssd_${service_name}

   NSS configuration options
       These options can be used to configure the Name Service Switch (NSS)
       service.

       enum_cache_timeout (integer)
           How many seconds should nss_sss cache enumerations (requests for
           info about all users)

           Default: 120

       entry_cache_nowait_percentage (integer)
           The entry cache can be set to automatically update entries in the
           background if they are requested beyond a percentage of the
           entry_cache_timeout value for the domain.

           For example, if the domain's entry_cache_timeout is set to 30s and
           entry_cache_nowait_percentage is set to 50 (percent), entries that
           come in after 15 seconds past the last cache update will be
           returned immediately, but the SSSD will go and update the cache on
           its own, so that future requests will not need to block waiting for
           a cache update.

           Valid values for this option are 0-99 and represent a percentage of
           the entry_cache_timeout for each domain. For performance reasons,
           this percentage will never reduce the nowait timeout to less than
           10 seconds. (0 disables this feature)

           Default: 50

       entry_negative_timeout (integer)
           Specifies for how many seconds nss_sss should cache negative cache
           hits (that is, queries for invalid database entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

       filter_users, filter_groups (string)
           Exclude certain users from being fetched from the sss NSS database.
           This is particularly useful for system accounts. This option can
           also be set per-domain or include fully-qualified names to filter
           only users from the particular domain.

           Default: root

       filter_users_in_groups (bool)
           If you want filtered user still be group members set this option to
           false.

           Default: true

       override_homedir (string)
           Override the user's home directory. You can either provide an
           absolute value or a template. In the template, the following
           sequences are substituted:

           %u
               login name

           %U
               UID number

           %d
               domain name

           %f
               fully qualified user name (user@domain)

           %%
               a literal '%'

           This option can also be set per-domain.

       allowed_shells (string)
           Restrict user shell to one of the listed values. The order of
           evaluation is:

           1. If the shell is present in "/etc/shells", it is used.

           2. If the shell is in the allowed_shells list but not in
           "/etc/shells", use the value of the shell_fallback parameter.

           3. If the shell is not in the allowed_shells list and not in
           "/etc/shells", a nologin shell is used.

           An empty string for shell is passed as-is to libc.

           The "/etc/shells" is only read on SSSD start up, which means that a
           restart of the SSSD is required in case a new shell is installed.

           Default: Not set. The user shell is automatically used.

       vetoed_shells (string)
           Replace any instance of these shells with the shell_fallback

       shell_fallback (string)
           The default shell to use if an allowed shell is not installed on
           the machine.

           Default: /bin/sh

   PAM configuration options
       These options can be used to configure the Pluggable Authentication
       Module (PAM) service.

       offline_credentials_expiration (integer)
           If the authentication provider is offline, how long should we allow
           cached logins (in days since the last successful online login).

           Default: 0 (No limit)

       offline_failed_login_attempts (integer)
           If the authentication provider is offline, how many failed login
           attempts are allowed.

           Default: 0 (No limit)

       offline_failed_login_delay (integer)
           The time in minutes which has to pass after
           offline_failed_login_attempts has been reached before a new login
           attempt is possible.

           If set to 0 the user cannot authenticate offline if
           offline_failed_login_attempts has been reached. Only a successful
           online authentication can enable offline authentication again.

           Default: 5

       pam_verbosity (integer)
           Controls what kind of messages are shown to the user during
           authentication. The higher the number to more messages are
           displayed.

           Currently sssd supports the following values:

           0: do not show any message

           1: show only important messages

           2: show informational messages

           3: show all messages and debug information

           Default: 1

       pam_id_timeout (integer)
           For any PAM request while SSSD is online, the SSSD will attempt to
           immediately update the cached identity information for the user in
           order to ensure that authentication takes place with the latest
           information.

           A complete PAM conversation may perform multiple PAM requests, such
           as account management and session opening. This option controls (on
           a per-client-application basis) how long (in seconds) we can cache
           the identity information to avoid excessive round-trips to the
           identity provider.

           Default: 5

       pam_pwd_expiration_warning (integer)
           Display a warning N days before the password expires.

           Please note that the backend server has to provide information
           about the expiration time of the password. If this information is
           missing, sssd cannot display a warning.

           Default: 7

   SUDO configuration options
       These options can be used to configure the sudo service.

        This is an experimental feature, please use
       http://fedorahosted.org/sssd to report any issues.

       sudo_cache_timeout (integer)
           For any sudo request that comes while SSSD is online, the SSSD will
           attempt to update the cached rules in order to ensure that sudo has
           the latest ruleset.

           The user may, however, run a couple of sudo commands successively,
           which would trigger multiple LDAP requests. In order to speed up
           this use-case, the sudo service maintains an in-memory cache that
           would be used for performing fast replies.

           This option controls how long (in seconds) can the sudo service
           cache rules for a user.

           Default: 180

       sudo_timed (bool)
           Whether or not to evaluate the sudoNotBefore and sudoNotAfter
           attributes that implement time-dependent sudoers entries.

           Default: false

   AUTOFS configuration options
       These options can be used to configure the autofs service.

        This is an experimental feature, please use
       http://fedorahosted.org/sssd to report any issues.

       autofs_negative_timeout (integer)
           Specifies for how many seconds should the autofs responder negative
           cache hits (that is, queries for invalid map entries, like
           nonexistent ones) before asking the back end again.

           Default: 15

DOMAIN SECTIONS

       These configuration options can be present in a domain configuration
       section, that is, in a section called "[domain/NAME]"

       min_id,max_id (integer)
           UID and GID limits for the domain. If a domain contains an entry
           that is outside these limits, it is ignored.

           For users, this affects the primary GID limit. The user will not be
           returned to NSS if either the UID or the primary GID is outside the
           range. For non-primary group memberships, those that are in range
           will be reported as expected.

           Default: 1 for min_id, 0 (no limit) for max_id

       timeout (integer)
           Timeout in seconds between heartbeats for this domain. This is used
           to ensure that the backend process is alive and capable of
           answering requests.

           Default: 10

       enumerate (bool)
           Determines if a domain can be enumerated. This parameter can have
           one of the following values:

           TRUE = Users and groups are enumerated

           FALSE = No enumerations for this domain

           Default: FALSE

           Note: Enabling enumeration has a moderate performance impact on
           SSSD while enumeration is running. It may take up to several
           minutes after SSSD startup to fully complete enumerations. During
           this time, individual requests for information will go directly to
           LDAP, though it may be slow, due to the heavy enumeration
           processing.

           While the first enumeration is running, requests for the complete
           user or group lists may return no results until it completes.

           Further, enabling enumeration may increase the time necessary to
           detect network disconnection, as longer timeouts are required to
           ensure that enumeration lookups are completed successfully. For
           more information, refer to the man pages for the specific
           id_provider in use.

       entry_cache_timeout (integer)
           How many seconds should nss_sss consider entries valid before
           asking the backend again

           Default: 5400

       entry_cache_user_timeout (integer)
           How many seconds should nss_sss consider user entries valid before
           asking the backend again

           Default: entry_cache_timeout

       entry_cache_group_timeout (integer)
           How many seconds should nss_sss consider group entries valid before
           asking the backend again

           Default: entry_cache_timeout

       entry_cache_netgroup_timeout (integer)
           How many seconds should nss_sss consider netgroup entries valid
           before asking the backend again

           Default: entry_cache_timeout

       entry_cache_service_timeout (integer)
           How many seconds should nss_sss consider service entries valid
           before asking the backend again

           Default: entry_cache_timeout

       cache_credentials (bool)
           Determines if user credentials are also cached in the local LDB
           cache

           User credentials are stored in a SHA512 hash, not in plaintext

           Default: FALSE

       account_cache_expiration (integer)
           Number of days entries are left in cache after last successful
           login before being removed during a cleanup of the cache. 0 means
           keep forever. The value of this parameter must be greater than or
           equal to offline_credentials_expiration.

           Default: 0 (unlimited)

       id_provider (string)
           The Data Provider identity backend to use for this domain.

           Supported backends:

           proxy: Support a legacy NSS provider

           local: SSSD internal local provider

           ldap: LDAP provider

       use_fully_qualified_names (bool)
           If set to TRUE, all requests to this domain must use fully
           qualified names. For example, if used in LOCAL domain that contains
           a "test" user, getent passwd test wouldn't find the user while
           getent passwd test@LOCAL would.

           Default: FALSE

       auth_provider (string)
           The authentication provider used for the domain. Supported auth
           providers are:

           "ldap" for native LDAP authentication. See sssd-ldap(5) for more
           information on configuring LDAP.

           "krb5" for Kerberos authentication. See sssd-krb5(5) for more
           information on configuring Kerberos.

           "proxy" for relaying authentication to some other PAM target.

           "none" disables authentication explicitly.

           Default: "id_provider" is used if it is set and can handle
           authentication requests.

       access_provider (string)
           The access control provider used for the domain. There are two
           built-in access providers (in addition to any included in installed
           backends) Internal special providers are:

           "permit" always allow access.

           "deny" always deny access.

           "simple" access control based on access or deny lists. See sssd-
           simple(5) for more information on configuring the simple access
           module.

           Default: "permit"

       chpass_provider (string)
           The provider which should handle change password operations for the
           domain. Supported change password providers are:

           "ipa" to change a password stored in an IPA server. See sssd-ipa(5)
           for more information on configuring IPA.

           "ldap" to change a password stored in a LDAP server. See sssd-
           ldap(5) for more information on configuring LDAP.

           "krb5" to change the Kerberos password. See sssd-krb5(5) for more
           information on configuring Kerberos.

           "proxy" for relaying password changes to some other PAM target.

           "none" disallows password changes explicitly.

           Default: "auth_provider" is used if it is set and can handle change
           password requests.

       sudo_provider (string)

            This is an experimental feature, please use
           http://fedorahosted.org/sssd to report any issues.

           The SUDO provider used for the domain. Supported SUDO providers
           are:

           "ldap" for rules stored in LDAP. See sssd-ldap(5) for more
           information on configuring LDAP.

           "none" disables SUDO explicitly.

           Default: The value of "id_provider" is used if it is set.

       session_provider (string)
           The provider which should handle loading of session settings.
           Supported session providers are:

           "ipa" to load session settings from an IPA server. See sssd-ipa(5)
           for more information on configuring IPA.

           "none" disallows fetching session settings explicitly.

           Default: "id_provider" is used if it is set and can handle session
           loading requests.

       lookup_family_order (string)
           Provides the ability to select preferred address family to use when
           performing DNS lookups.

           Supported values:

           ipv4_first: Try looking up IPv4 address, if that fails, try IPv6

           ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.

           ipv6_first: Try looking up IPv6 address, if that fails, try IPv4

           ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.

           Default: ipv4_first

       dns_resolver_timeout (integer)
           Defines the amount of time (in seconds) to wait for a reply from
           the DNS resolver before assuming that it is unreachable. If this
           timeout is reached, the domain will continue to operate in offline
           mode.

           Default: 5

       dns_discovery_domain (string)
           If service discovery is used in the back end, specifies the domain
           part of the service discovery DNS query.

           Default: Use the domain part of machine's hostname

       override_gid (integer)
           Override the primary GID value with the one specified.

       case_sensitive (boolean)
           Treat user and group names as case sensitive. At the moment, this
           option is not supported in the local provider.

           Default: True

       Options valid for proxy domains.

       proxy_pam_target (string)
           The proxy target PAM proxies to.

           Default: not set by default, you have to take an existing pam
           configuration or create a new one and add the service name here.

       proxy_lib_name (string)
           The name of the NSS library to use in proxy domains. The NSS
           functions searched for in the library are in the form of
           _nss_$(libName)_$(function), for example _nss_files_getpwent.

   The local domain section
       This section contains settings for domain that stores users and groups
       in SSSD native database, that is, a domain that uses id_provider=local.

       Section parameters

       default_shell (string)
           The default shell for users created with SSSD userspace tools.

           Default: /bin/bash

       base_directory (string)
           The tools append the login name to base_directory and use that as
           the home directory.

           Default: /home

       create_homedir (bool)
           Indicate if a home directory should be created by default for new
           users. Can be overridden on command line.

           Default: TRUE

       remove_homedir (bool)
           Indicate if a home directory should be removed by default for
           deleted users. Can be overridden on command line.

           Default: TRUE

       homedir_umask (integer)
           Used by sss_useradd(8) to specify the default permissions on a
           newly created home directory.

           Default: 077

       skel_dir (string)
           The skeleton directory, which contains files and directories to be
           copied in the user's home directory, when the home directory is
           created by sss_useradd(8)

           Default: /etc/skel

       mail_dir (string)
           The mail spool directory. This is needed to manipulate the mailbox
           when its corresponding user account is modified or deleted. If not
           specified, a default value is used.

           Default: /var/mail

       userdel_cmd (string)
           The command that is run after a user is removed. The command us
           passed the username of the user being removed as the first and only
           parameter. The return code of the command is not taken into
           account.

           Default: None, no command is run

EXAMPLE

       The following example shows a typical SSSD config. It does not describe
       configuration of the domains themselves - refer to documentation on
       configuring domains for more details.

           [sssd]
           domains = LDAP
           services = nss, pam
           config_file_version = 2

           [nss]
           filter_groups = root
           filter_users = root

           [pam]

           [domain/LDAP]
           id_provider = ldap
           ldap_uri = ldap://ldap.example.com
           ldap_search_base = dc=example,dc=com

           auth_provider = krb5
           krb5_server = kerberos.example.com
           krb5_realm = EXAMPLE.COM
           cache_credentials = true

           min_id = 10000
           max_id = 20000
           enumerate = False

SEE ALSO

       sssd-ldap(5), sssd-krb5(5), sss_groupadd(8), sss_groupdel(8),
       sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8),
       pam_sss(8).

AUTHORS

       The SSSD upstream - http://fedorahosted.org/sssd