Customizing SSSD

By default, the sssd profile configures Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to consult the SSSD service for authentication and for user and group lookups. If you enable extra profile features that change how SSSD authenticates users, you must also configure SSSD itself for each enabled feature.

Customize an SSSD configuration by creating configuration files within the /etc/sssd/conf.d directory. Each configuration file must have the .conf suffix. SSSD reads these files after /etc/sssd/sssd.conf, in alphabetical order, and a setting in a later file overrides the same setting in an earlier one, which is why the example below uses a numeric prefix in the file name.

Configuration files use ini-style syntax. The file is divided into sections, each identified by a name in square brackets. Each section contains parameters, listed as key = value entries. Lines that begin with # are comments.

The following example shows how you might configure SSSD to authenticate against an LDAP provider that uses Kerberos:

  1. Create a configuration file for the feature and store it in /etc/sssd/conf.d, for example /etc/sssd/conf.d/00-ldap.conf.

  2. Configure /etc/sssd/conf.d/00-ldap.conf with the appropriate parameter definitions, for example:

    [sssd]
    config_file_version = 2
    domains = LDAP
    services = nss, pam
    
    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.mydom.com
    ldap_search_base = dc=mydom,dc=com
    
    auth_provider = krb5
    krb5_server = krbsvr.mydom.com
    krb5_realm = MYDOM.COM
    cache_credentials = true
    
    min_id = 5000
    max_id = 25000
    enumerate = false
    entry_cache_timeout = 300
    
    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

    [sssd]

    Contains configuration settings for SSSD monitor options, domains, and services. The SSSD monitor service manages the services that SSSD provides.

    • services lists the responders that SSSD starts: nss for the Name Service Switch and pam for Pluggable Authentication Modules.

    • domains lists the domains that SSSD serves, in the order in which they are searched. Each name must match a [domain/NAME] section in the configuration.

    [domain/LDAP]

    Defines a domain for an LDAP identity provider that uses Kerberos authentication. Each domain defines where user information is stored, the authentication method, and any configuration options. SSSD can work with LDAP identity providers such as OpenLDAP, Red Hat Directory Server, IPA, and Microsoft Active Directory, and it can use either native LDAP or Kerberos authentication. For IPA and Active Directory, the dedicated ipa and ad providers are preferred over the generic ldap provider because they configure Kerberos, site discovery, and ID mapping for you.

    • id_provider specifies the type of provider (in this example, LDAP).

    • ldap_uri specifies a comma-separated list of the Uniform Resource Identifiers (URIs) of the LDAP servers, in order of preference, which SSSD can connect to. A plain ldap:// URI carries identity lookups in clear text unless you also set ldap_id_use_start_tls = true; prefer ldaps:// URIs, or STARTTLS, with ldap_tls_cacert pointing at the CA certificate that issued the server certificate.

    • ldap_search_base specifies the base distinguished name (DN) under which SSSD searches for user and group entries.

    • auth_provider specifies the authentication provider (in this example, Kerberos).

    • krb5_server specifies a comma-separated list of Kerberos servers, in order of preference, which SSSD can connect to.

    • krb5_realm specifies the Kerberos realm.

    • cache_credentials specifies whether SSSD stores a hash of each user's password in its local cache after a successful online authentication, so that the user can still sign in when the authentication provider is unreachable (offline authentication). The cache lives under /var/lib/sss/db and is readable only by root; the [pam] options described later bound how long and how often the cached hash can be used.

      Note:

      auth_provider = krb5 authenticates users against the KDC, not against the LDAP server. If you also want SSSD to bind to the LDAP server with Kerberos credentials for its identity lookups (ldap_sasl_mech = GSSAPI with a host keytab, see sssd-ldap(5)) instead of an anonymous or simple bind, the LDAP server must support Simple Authentication and Security Layer (SASL) with the Generic Security Services API (GSSAPI) mechanism. For more information about configuring SASL and GSSAPI for OpenLDAP, see https://www.openldap.org/doc/admin24/sasl.html.

    • min_id and max_id specify the lower and upper limits of the user and group IDs that SSSD accepts from this domain. Entries with IDs outside the range are ignored, which keeps provider-supplied IDs from colliding with local accounts.

    • enumerate specifies whether SSSD downloads and caches the complete list of users and groups that are available on the provider. The recommended setting is false unless a domain contains relatively few users or groups.

    • entry_cache_timeout specifies the number of seconds for which SSSD treats a cached user or group entry as valid before it queries the provider again. sssd.conf(5) defines this as a domain option, so set it here rather than under [nss]; sssctl config-check reports it if it is placed in the wrong section.

    [nss]

    Configures the Name Service Switch (NSS) responder that integrates the SSSD cache (SSS) with NSS.

    • filter_users and filter_groups exclude the specified users and groups from lookups through SSS, so that, for example, root is always resolved from the local files and never from the network.

    • reconnection_retries specifies the number of times that the responder tries to reconnect if a data provider fails.

    [pam]

    Configures the PAM module that integrates SSSD with PAM.

    • offline_credentials_expiration specifies the number of days since the last successful online sign-in for which cached logins are accepted while the authentication provider is offline. The default of 0 means that cached logins never expire.

    • offline_failed_login_attempts specifies how many failed sign-ins are allowed while the authentication provider is offline before the user is locked out. The default of 0 means no limit, which leaves the cached hash open to unlimited offline guessing.

    • offline_failed_login_delay specifies how many minutes a user must wait after reaching that limit before they can try to sign in again.

  3. Change the mode of /etc/sssd/conf.d/00-ldap.conf to 0600. The file must also be owned by root, which it is when you create it with sudo. SSSD checks the owner and permissions of sssd.conf and of every conf.d file and does not load a file that other users can read:

    sudo chmod 0600 /etc/sssd/conf.d/00-ldap.conf
  4. Ensure that the sssd service is running:

    sudo systemctl status sssd

    Start and enable the sssd service if required:

    sudo systemctl enable --now sssd

    If sssd was already running, restart it (sudo systemctl restart sssd) so that it reads the new file. Before you restart, sssctl config-check, from the sssd-tools package, reports unknown options, options in the wrong section, and permission problems in sssd.conf and the conf.d files.
  5. Select the sssd profile.

    sudo authselect select sssd
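As an added example, not part of this documentation or of the SSSD project, the following Python script lints a conf.d file for the points made in the steps above before you drop it into /etc/sssd/conf.d: a clear-text ldap:// URI without STARTTLS, cached credentials with no offline expiry or lockout, enumerate = true, an inverted ID range, entry_cache_timeout placed under [nss], and a file that is not root-owned and mode 0600. Both embedded configurations are constructed samples (the weak one mirrors the example above, the hardened one corrects it); the function names parse_sssd_conf, lint and mode_problems and the CA bundle path /etc/pki/tls/certs/ca-bundle.crt are the example's own assumptions, not SSSD interfaces.

```python
import configparser
import stat

# Constructed sample: the page's example with the weak choices left in place.
WEAK_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
auth_provider = krb5
krb5_realm = MYDOM.COM
cache_credentials = true
min_id = 5000
max_id = 25000

[nss]
entry_cache_timeout = 300

[pam]
offline_credentials_expiration = 2
"""

# Constructed sample: the same domain with every finding addressed (CA bundle path assumed).
HARDENED_CONF = """\
[sssd]
config_file_version = 2
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldaps://ldap.mydom.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
auth_provider = krb5
krb5_realm = MYDOM.COM
cache_credentials = true
entry_cache_timeout = 300
min_id = 5000
max_id = 25000

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
"""


def parse_sssd_conf(text):
    """Parse sssd.conf syntax: ini sections, 'key = value' pairs, '#' or ';' comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = str  # SSSD option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def _true(section, key):
    return section.get(key, "false").strip().lower() == "true"


def lint(text):
    """Return the findings for one drop-in file; an empty list means clean."""
    cp = parse_sssd_conf(text)
    pam = cp["pam"] if cp.has_section("pam") else {}
    findings = []
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[sect]
        uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",")]
        if any(u.startswith("ldap://") for u in uris) and not _true(d, "ldap_id_use_start_tls"):
            findings.append(f"[{sect}]: ldap_uri is clear text; use ldaps:// or set "
                            "ldap_id_use_start_tls = true with ldap_tls_cacert")
        if _true(d, "cache_credentials"):
            # SSSD defaults: 0 days means cached logins never expire, 0 attempts means no lockout
            if pam.get("offline_credentials_expiration", "0").strip() == "0":
                findings.append(f"[{sect}]: cached logins never expire; set [pam] offline_credentials_expiration")
            if pam.get("offline_failed_login_attempts", "0").strip() == "0":
                findings.append(f"[{sect}]: unlimited offline guesses; set [pam] offline_failed_login_attempts")
        if _true(d, "enumerate"):
            findings.append(f"[{sect}]: enumerate = true downloads every user and group; keep it false")
        lo, hi = d.get("min_id"), d.get("max_id")
        if lo and hi and int(lo) >= int(hi):
            findings.append(f"[{sect}]: min_id {lo} is not below max_id {hi}")
    if cp.has_section("nss") and "entry_cache_timeout" in cp["nss"]:
        findings.append("[nss]: entry_cache_timeout is a domain option; move it to [domain/...]")
    return findings


def mode_problems(mode, uid):
    """SSSD does not load a configuration file that is not root-owned or that others can read."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(mode) & 0o077:
        problems.append("group or world permission bits set; chmod 0600")
    return problems


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(text) or ["clean"])
```

Run the script to see the findings for both samples; to check a real file, pass its contents to lint() and the st_mode and st_uid from os.stat() to mode_problems(). The script complements, but does not replace, sssctl config-check, which validates option names against the SSSD version that is actually installed.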

For more information about SSSD, see the README file: https://github.com/SSSD/sssd.

The manual pages provided for SSSD are comprehensive and provide detailed information on the options that are available. These include sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-ipa(5), sssd-ad(5), and sssctl(8).