
Part II. Identity and Authentication Stores

Chapter 3. Using and Caching Credentials with SSSD

3.1. The Basics of SSSD Configuration

SSSD is a local service which connects a system to a larger, external identity service. This is done by configuring domains in the SSSD configuration file. Each domain represents a different, external data source. A domain always defines an identity provider, which supplies user information, and can optionally define other providers for different kinds of operations, such as authentication or password changes. (The identity provider can also be used for all operations, if all operations are performed within a single domain or server.)

NOTE

SSSD allows all user identities to be created and maintained in a separate, external identity source. For Windows integration, the Active Directory domain can be used to manage user accounts (as it is in most environments). Local system users do not need to be created or synced with user accounts in Active Directory: SSSD uses those Windows identities and lets those Windows users access the local system and local services.

SSSD also defines which services on the system use SSSD for credentials caching and user accounts. These relate to foundational security services such as the Name Service Switch (NSS) and pluggable authentication modules (PAM), which are then used by higher-level applications.

3.1.1. Setting up the sssd.conf File

SSSD services and domains are configured in a .conf file. By default, this is /etc/sssd/sssd.conf, although that file must be created and configured manually, because installing the SSSD packages does not create a working configuration. SSSD refuses to start unless the file is owned by root and has mode 0600, so create it with those restrictive permissions from the outset.

3.1.1.1. Creating the sssd.conf File

There are three parts of the SSSD configuration file:

[sssd], for general SSSD process and operational configuration; this basically lists the configured services, domains, and configuration parameters for each

[service_name], for configuration options for each supported system service, as described in Section 3.2, “SSSD and System Services”

[domain_type/DOMAIN_NAME], for configuration options for each configured identity provider

Important

While services are optional, at least one identity provider domain must be configured before the SSSD service can be started.

Example 3.1. Simple sssd.conf File

[sssd]
domains = LOCAL
services = nss
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

The [sssd] section has three important parameters:

domains lists all of the domains, configured in the sssd.conf, which SSSD uses as identity providers. If a domain is not listed in the domains key, it is not used by SSSD, even if it has a configuration section.

services lists all of the system services, configured in the sssd.conf, which use SSSD; when SSSD starts, the corresponding SSSD service is started for each configured system service. If a service is not listed in the services key, it is not used by SSSD, even if it has a configuration section.

config_file_version sets the version of the configuration file to set file format expectations. This is version 2, for all recent SSSD versions.

Note

Even if a service or domain is configured in the sssd.conf file, SSSD does not interact with that service or domain unless it is listed in the services or domains parameters, respectively, in the [sssd] section.

Other configuration parameters are listed in the sssd.conf man page.

Each service and domain parameter is described in its respective configuration section in this chapter and in their man pages.
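The rules above (only domains and services listed in [sssd] are used, at least one domain must be configured, config_file_version must be 2) can be checked before the daemon is ever started. The following Python script is an added illustration and is not part of this guide or of SSSD itself. It parses an sssd.conf with the standard-library configparser and reports which sections are active, which are configured but ignored, and which listed domains have no section. The embedded sample is Example 3.1 with a constructed extra [pam] section and [domain/AD] section, neither of which is listed in [sssd]. The permission check reflects SSSD's own requirement that the file be owned by root with mode 0600; all function names are this example's own.

```python
"""Static checks for an sssd.conf, following the rules this section states.
Added illustration (not SSSD's own code); function names are this example's."""
import configparser
import json
import os
import stat
import sys

# Constructed sample: Example 3.1 plus a [pam] section and a [domain/AD]
# section that are configured but not listed in the [sssd] section.
SAMPLE_CONF = """\
[sssd]
domains = LOCAL
services = nss
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 2

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/AD]
id_provider = ad
"""


def _listed(section, key):
    """sssd.conf lists domains/services comma-separated; return a clean list."""
    return [v.strip() for v in section.get(key, "").split(",") if v.strip()]


def analyze_sssd_conf(text):
    """Report which domains/services SSSD would actually use for this text,
    which sections exist but are ignored, and any errors that block startup."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return {"errors": ["no [sssd] section"]}
    main = cp["sssd"]
    errors = []
    if main.get("config_file_version", "").strip() != "2":
        errors.append("config_file_version must be 2")

    # Domain sections are [domain/NAME]; only names in 'domains' are used.
    configured = {s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")}
    listed = _listed(main, "domains")
    active_domains = [d for d in listed if d in configured]
    missing_domains = [d for d in listed if d not in configured]
    ignored_domains = sorted(configured - set(listed))
    if not active_domains:
        errors.append("at least one domain must be configured and listed in 'domains'")
    for d in missing_domains:
        errors.append(f"domain '{d}' is listed but has no [domain/{d}] section")
    for d in active_domains:
        if not cp[f"domain/{d}"].get("id_provider"):
            errors.append(f"[domain/{d}] has no id_provider")

    # Every other section is a service; only names in 'services' are started.
    service_sections = {s for s in cp.sections()
                        if s != "sssd" and not s.startswith("domain/")}
    active_services = _listed(main, "services")
    ignored_services = sorted(service_sections - set(active_services))

    return {
        "active_domains": active_domains,
        "missing_domains": missing_domains,
        "ignored_domains": ignored_domains,
        "active_services": active_services,
        "ignored_services": ignored_services,
        "errors": errors,
    }


def permission_problems(mode, uid):
    """SSSD refuses to start unless sssd.conf is owned by root with mode 0600.
    Takes the raw st_mode/st_uid so the rule can be tested without a file."""
    problems = []
    if uid != 0:
        problems.append("sssd.conf must be owned by root")
    if stat.S_IMODE(mode) != 0o600:
        problems.append("sssd.conf must have mode 0600")
    return problems


def check_file(path="/etc/sssd/sssd.conf"):
    """Run both the content and the permission checks on a real file."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        report = analyze_sssd_conf(fh.read())
    report["errors"] = permission_problems(st.st_mode, st.st_uid) + report["errors"]
    return report


if __name__ == "__main__":
    # With a path argument the real file is checked; otherwise the sample is.
    result = check_file(sys.argv[1]) if len(sys.argv) > 1 else analyze_sssd_conf(SAMPLE_CONF)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["errors"] else 0)
```

Run without arguments to see the sample analysed (the [pam] and [domain/AD] sections show up as ignored, and there are no errors); pass /etc/sssd/sssd.conf as root to check a real file, where a non-zero exit means SSSD would not start with that configuration.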

3.1.1.2. Using a Custom Configuration File

By default, the sssd process assumes that the configuration file is /etc/sssd/sssd.conf.

An alternative file can be passed to SSSD by using the -c option with the sssd command:

[root@server ~]# sssd -c /etc/sssd/customfile.conf --daemon

3.1.1.3. Additional Resources

While this chapter covers the basics of configuring services and domains in SSSD, it is not a comprehensive resource. Many other configuration options are available for each functional area in SSSD; check the man page for the specific functional area to get a complete list of options.

Some of the common man pages are listed in Table 3.1, “A Sampling of SSSD Man Pages”. There is also a complete list of SSSD man pages in the "See Also" section of the sssd(8) man page.

Table 3.1. A Sampling of SSSD Man Pages

Functional Area                            Man Page
General Configuration                      sssd.conf(5)
sudo Services                              sssd-sudo
LDAP Domains                               sssd-ldap
Active Directory Domains                   sssd-ad, sssd-ldap
Identity Management (IdM or IPA) Domains   sssd-ipa, sssd-ldap
Kerberos Authentication for Domains        sssd-krb5
OpenSSH Keys                               sss_ssh_authorizedkeys, sss_ssh_knownhostsproxy
Cache Maintenance                          sss_cache (cleanup); sss_useradd, sss_usermod, sss_userdel, sss_seed (user cache entry management)

3.1.2. Starting and Stopping SSSD

Important

Configure at least one domain before starting SSSD for the first time. See Section 3.3, “SSSD and Identity Providers (Domains)”.

To start or stop SSSD, use the systemctl utility:

[root@server ~]# systemctl start sssd.service

[root@server ~]# systemctl stop sssd.service

By default, SSSD is not configured to start automatically. To configure SSSD to start automatically during system boot, run the systemctl enable command:

[root@server ~]# systemctl enable sssd.service

For more information on managing services using systemctl, see the "Managing System Services" section in the Red Hat Enterprise Linux 7 System Administrator's Guide.