sssd.conf file. The [sssd] section also lists, in the services directive, the services that are active and should be started when sssd starts.
sssd_nss module. This is configured in the [nss] section of the SSSD configuration.
sssd_pam module. This is configured in the [pam] section of the configuration.
monitor, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
Note
lookup family order option in the sssd.conf configuration file.
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
- passwd
- shadow
- groups
- netgroups
- services
nss_sss module has to be included for the desired service type.
nsswitch.conf file to use SSSD as a provider.
[root@server ~]# authconfig --enablesssd --update
passwd: files sss
shadow: files sss
group: files sss
netgroup: files sss
authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
[root@server ~]# vim /etc/nsswitch.conf
...
services: files sss
...
[nss] services section.
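The two steps above (authconfig wiring up passwd, shadow, group and netgroup, and the services map having to be edited by hand) can be verified with a small parser. The following is an added example, not code from the Red Hat guide; the nsswitch.conf content is a constructed sample that reproduces the state left by `authconfig --enablesssd`, and the `SSSD_MAPS` tuple and function names are this example's own.

```python
"""Check whether nsswitch.conf routes the SSSD-served maps through nss_sss.

Added example, not from the Red Hat guide. The sample nsswitch.conf content is
constructed to mirror the authconfig output above: authconfig wires up passwd,
shadow, group and netgroup but leaves the services map untouched.
"""
import re

# Maps that SSSD can serve, using the database names nsswitch.conf itself uses.
SSSD_MAPS = ("passwd", "shadow", "group", "netgroup", "services")

# Constructed sample: nsswitch.conf right after `authconfig --enablesssd --update`.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
netgroup:   files sss
services:   files
"""


def parse_nsswitch(text):
    """Return {database: [module, ...]}, ignoring comments and action
    specifications such as [NOTFOUND=return]."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        # Drop bracketed action specifications; keep only the module names.
        modules = re.sub(r"\[[^\]]*\]", " ", sources).split()
        maps[db.strip()] = modules
    return maps


def sssd_coverage(text):
    """Return {map: bool} telling whether each SSSD-capable map consults sss."""
    maps = parse_nsswitch(text)
    return {db: "sss" in maps.get(db, []) for db in SSSD_MAPS}


def missing_sss(text):
    """Maps that still need `sss` appended, in nsswitch.conf order of SSSD_MAPS."""
    return [db for db, ok in sssd_coverage(text).items() if not ok]


if __name__ == "__main__":
    for db, ok in sssd_coverage(SAMPLE_NSSWITCH).items():
        print(f"{db:10s} {'sss' if ok else 'NOT via sss'}")
    print("maps to fix:", missing_sss(SAMPLE_NSSWITCH))
```

Run against the real file with `missing_sss(open("/etc/nsswitch.conf").read())`; an empty list means every map SSSD can serve is consulting it.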
sssd.conf file.
[root@server ~]# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
[nss] section, change any of the NSS parameters. These are listed in Table 7.1, “SSSD [nss] Configuration Parameters”.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[root@server ~]# service sssd restart
Table 7.1. SSSD [nss] Configuration Parameters

| Parameter | Value Format | Description |
|---|---|---|
| enum_cache_timeout | integer | Specifies how long, in seconds, sssd_nss should cache requests for information about all users (enumerations). |
| entry_cache_nowait_percentage | integer | Specifies how long sssd_nss should return cached entries before refreshing the cache. Setting this to zero (0) disables the entry cache refresh. This configures the entry cache to update entries in the background automatically when they are requested and the time remaining before the next update is a certain percentage of the interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds, that is, 75% of the interval. The allowed values for this option are 0 to 99, which sets the percentage based on the entry_cache_timeout value. The default value is 50%. |
| entry_negative_timeout | integer | Specifies how long, in seconds, sssd_nss should cache negative cache hits. A negative cache hit is a query for an invalid database entry, including non-existent entries. |
| filter_users, filter_groups | string | Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as root. |
| filter_users_in_groups | Boolean | Sets whether users listed in the filter_users list appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, this value defaults to true, which filters the group member lists. |
| debug_level | integer, 0 - 9 | Sets a debug logging level. |
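To see how the [nss] values in the snippet above and the ranges in Table 7.1 fit together, here is an added example (not part of the Red Hat guide) that parses the [nss] section of an sssd.conf, flags out-of-range values, and computes the point at which a lookup triggers the background refresh described for entry_cache_nowait_percentage. The sample configuration is constructed from the values shown above; the `NSS_INT_RANGES` table and the function names are this example's own, and the upper bounds it enforces are only the two the table states (0-99 and 0-9).

```python
"""Validate the [nss] cache parameters of an sssd.conf and show when the
entry cache starts a background refresh.

Added example, not part of the Red Hat guide. The sample configuration is
constructed from the [nss] values shown on the page; the validation ranges
follow Table 7.1 (entry_cache_nowait_percentage 0-99, debug_level 0-9).
"""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
"""

# Integer options of the [nss] section with their allowed ranges
# (None = no documented upper bound).
NSS_INT_RANGES = {
    "enum_cache_timeout": (0, None),
    "entry_cache_timeout": (0, None),
    "entry_cache_nowait_percentage": (0, 99),
    "entry_negative_timeout": (0, None),
    "reconnection_retries": (0, None),
    "debug_level": (0, 9),
}


def load_nss_section(text):
    """Parse sssd.conf text and return the [nss] section as a dict of strings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["nss"]) if cp.has_section("nss") else {}


def validate_nss(section):
    """Return a list of human-readable problems; an empty list means all
    integer options present are within their documented ranges."""
    problems = []
    for key, (lo, hi) in NSS_INT_RANGES.items():
        if key not in section:
            continue
        try:
            value = int(section[key])
        except ValueError:
            problems.append(f"{key}: not an integer ({section[key]!r})")
            continue
        if value < lo or (hi is not None and value > hi):
            upper = hi if hi is not None else "inf"
            problems.append(f"{key}: {value} outside {lo}-{upper}")
    return problems


def nowait_refresh_point(section):
    """Seconds after an entry is cached at which a lookup triggers a background
    refresh. Returns None when entry_cache_nowait_percentage is 0 (refresh
    disabled) or when entry_cache_timeout is not set. Uses the documented
    default of 50% when the percentage option is absent."""
    if "entry_cache_timeout" not in section:
        return None
    timeout = int(section["entry_cache_timeout"])
    pct = int(section.get("entry_cache_nowait_percentage", 50))
    if pct == 0:
        return None
    return timeout * pct // 100


def filtered_accounts(section):
    """(users, groups) that SSSD will never fetch from the backend, e.g. root."""
    users = [u.strip() for u in section.get("filter_users", "").split(",") if u.strip()]
    groups = [g.strip() for g in section.get("filter_groups", "").split(",") if g.strip()]
    return users, groups


if __name__ == "__main__":
    nss = load_nss_section(SAMPLE_SSSD_CONF)
    print("problems:", validate_nss(nss) or "none")
    print("background refresh after", nowait_refresh_point(nss), "seconds")
    print("filtered users/groups:", filtered_accounts(nss))
```

With the page's values (timeout 300, percentage 75) the refresh point is 225 seconds, matching the worked figure in the table; a percentage of 0 yields None, the disabled case.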
Warning
sssd_pam, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
authconfig to enable SSSD for system authentication.
# authconfig --update --enablesssd --enablesssdauth
This automatically updates the PAM configuration to reference all of the SSSD modules:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
include statements, as necessary.
sssd.conf file.
# vim /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
[pam] section, change any of the PAM parameters. These are listed in Table 7.2, “SSSD [pam] Configuration Parameters”.
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[root@server ~]# service sssd restart
Table 7.2. SSSD [pam] Configuration Parameters

| Parameter | Value Format | Description |
|---|---|---|
| offline_credentials_expiration | integer | Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (0), which is unlimited. |
| offline_failed_login_attempts | integer | Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (0), which is unlimited. |
| offline_failed_login_delay | integer | Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (0), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5). |
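The three offline parameters in Table 7.2 interact, and the zero values mean different things for each of them. The model below is an added example, not code from the Red Hat guide and not SSSD's implementation: it encodes only what the table states (expiration measured in days from the last successful online login, 0 meaning unlimited; an attempt limit, 0 meaning unlimited; a delay after hitting the limit, 0 meaning locked until the next online authentication). The `OfflinePolicy` and `UserState` classes, the function names, and the choice to keep counting failures after a timed lockout (the guide does not say whether the counter resets) are this example's own assumptions; the policy values are the ones from the [pam] snippet above.

```python
"""Model the [pam] offline-authentication parameters from Table 7.2.

Added example, not part of the Red Hat guide and not SSSD's own logic; it
only illustrates the documented semantics of the three options. Time is
modelled as whole days (for expiration) and whole minutes (for the delay).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class OfflinePolicy:
    offline_credentials_expiration: int = 0  # days since last online login; 0 = unlimited
    offline_failed_login_attempts: int = 0   # consecutive failures allowed; 0 = unlimited
    offline_failed_login_delay: int = 5      # minutes locked out after the limit; 0 = until online


@dataclass
class UserState:
    last_online_login_day: int
    failed: int = 0                              # consecutive offline failures so far
    locked_until_minute: Optional[int] = None    # timed lockout end; None = not locked
    locked_until_online: bool = False            # delay == 0 lockout, cleared only online


def offline_login_allowed(policy, state, now_day, now_minute):
    """May a cached (offline) login be attempted right now?"""
    if state.locked_until_online:
        return False
    if state.locked_until_minute is not None and now_minute < state.locked_until_minute:
        return False
    expiry = policy.offline_credentials_expiration
    if expiry and now_day - state.last_online_login_day > expiry:
        return False  # cached credentials older than the allowed window
    return True


def record_offline_failure(policy, state, now_minute):
    """Apply the attempt limit and delay after a wrong password while offline.
    Assumption (not stated by the guide): the failure counter is not reset
    when a timed lockout expires, so the next failure locks again at once."""
    state.failed += 1
    limit = policy.offline_failed_login_attempts
    if limit and state.failed >= limit:
        if policy.offline_failed_login_delay == 0:
            state.locked_until_online = True
        else:
            state.locked_until_minute = now_minute + policy.offline_failed_login_delay


def record_online_success(state, now_day):
    """A successful online authentication restarts the expiration clock and
    clears every offline lockout, as the table says for the delay == 0 case."""
    state.last_online_login_day = now_day
    state.failed = 0
    state.locked_until_minute = None
    state.locked_until_online = False


if __name__ == "__main__":
    policy = OfflinePolicy(offline_credentials_expiration=2,
                           offline_failed_login_attempts=3,
                           offline_failed_login_delay=5)
    user = UserState(last_online_login_day=10)
    print("day 11, fresh:      ", offline_login_allowed(policy, user, 11, 0))
    print("day 13, expired:    ", offline_login_allowed(policy, user, 13, 0))
    for minute in (100, 101, 102):
        record_offline_failure(policy, user, minute)
    print("day 11, minute 104: ", offline_login_allowed(policy, user, 11, 104))
    print("day 11, minute 107: ", offline_login_allowed(policy, user, 11, 107))
```

The interesting cases are the defaults: with every option left at its default, `OfflinePolicy()` never expires cached credentials and never locks, which is why a hardened host sets at least the expiration and attempt limit explicitly.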