"Fossies" - the Fresh Open Source Software Archive

Member "sssd-2.4.2/src/man/sssd.conf.5.xml" (19 Feb 2021, 204954 Bytes) of package /linux/misc/sssd-2.4.2.tar.gz:


    1 <?xml version="1.0" encoding="UTF-8"?>
    2 <!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
    3 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
    4 <reference>
    5 <title>SSSD Manual pages</title>
    6 <refentry>
    7     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
    8 
    9     <refmeta>
   10         <refentrytitle>sssd.conf</refentrytitle>
   11         <manvolnum>5</manvolnum>
   12         <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
   13     </refmeta>
   14 
   15     <refnamediv id='name'>
   16         <refname>sssd.conf</refname>
   17         <refpurpose>the configuration file for SSSD</refpurpose>
   18     </refnamediv>
   19 
   20     <refsect1 id='file-format'>
   21         <title>FILE FORMAT</title>
   22 
   23         <para>
    24             The file has an ini-style syntax and consists of sections and
    25             parameters. A section begins with the name of the section in
    26             square brackets and continues until the next section begins. An
    27             example of a section with single- and multi-valued parameters:
   28             <programlisting>
   29 <replaceable>[section]</replaceable>
   30 <replaceable>key</replaceable> = <replaceable>value</replaceable>
   31 <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
   32             </programlisting>
   33         </para>
   34 
   35         <para>
   36             The data types used are string (no quotes needed), integer
   37             and bool (with values of <quote>TRUE/FALSE</quote>).
   38         </para>
   39 
   40         <para>
   41             A comment line starts with a hash sign (<quote>#</quote>) or a
   42             semicolon (<quote>;</quote>).
   43             Inline comments are not supported.
   44         </para>
   45 
   46         <para>
   47             All sections can have an optional
   48             <replaceable>description</replaceable> parameter. Its function
   49             is only as a label for the section.
   50         </para>
   51 
   52         <para>
   53             <filename>sssd.conf</filename> must be a regular file, owned by
   54             root and only root may read from or write to the file.
   55         </para>
   56     </refsect1>
   57 
   58     <refsect1 id='config-snippets'>
   59         <title>CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY</title>
   60 
   61         <para>
   62             The configuration file <filename>sssd.conf</filename> will
   63             include configuration snippets using the include directory
   64             <filename>conf.d</filename>. This feature is available if
   65             SSSD was compiled with libini version 1.3.0 or later.
   66         </para>
   67 
   68         <para>
   69             Any file placed in <filename>conf.d</filename>
   70             that ends in <quote><filename>.conf</filename></quote>
   71             and does not begin with a dot (<quote>.</quote>) will
   72             be used together with <filename>sssd.conf</filename>
   73             to configure SSSD.
   74         </para>
   75 
   76         <para>
   77             The configuration snippets from <filename>conf.d</filename>
   78             have higher priority than <filename>sssd.conf</filename>
   79             and will override <filename>sssd.conf</filename> when
   80             conflicts occur. If several snippets are present in
   81             <filename>conf.d</filename>, then they are included in
   82             alphabetical order (based on locale).
   83             Files included later have higher priority. Numerical
   84             prefixes (<filename>01_snippet.conf</filename>,
   85             <filename>02_snippet.conf</filename> etc.) can help
   86             visualize the priority (higher number means higher
   87             priority).
   88         </para>
   89 
   90         <para>
    91             The snippet files require the same owner and permissions
    92             as <filename>sssd.conf</filename>, which are by default
    93             root:root and 0600.
   94         </para>
   95     </refsect1>
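The FILE FORMAT and CONFIGURATION SNIPPETS sections above give three rules a reviewer needs to check by hand surprisingly often: comments are whole lines only, snippets in conf.d are selected by name and merged in alphabetical order with later files winning, and every file must be a root-owned regular file with mode 0600. The Python below is an added example and is not part of the SSSD man page or the SSSD sources (SSSD uses libini in C); it implements those rules exactly as stated here. The sample sssd.conf body and the conf.d directory listing are constructed for the example, and the locale-based sort is approximated by a plain sorted() (C locale).

```python
import os
import re
import stat
from typing import Dict, List

Config = Dict[str, Dict[str, str]]  # section name -> {key: value}
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_ini(text: str) -> Config:
    """Parse sssd.conf-style text following FILE FORMAT: '[section]' headers,
    'key = value' lines, comment lines starting with '#' or ';'. Inline
    comments are NOT supported, so a trailing '# ...' stays in the value."""
    cfg: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = _SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            cfg.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        cfg[section][key.strip()] = value.strip()
    return cfg


def snippet_order(names: List[str]) -> List[str]:
    """conf.d files SSSD reads, in inclusion order: only '*.conf' names not
    starting with '.', alphabetically (the page says locale-based; a plain
    byte-wise sort, i.e. the C locale, is assumed here)."""
    return sorted(n for n in names if n.endswith(".conf") and not n.startswith("."))


def load_sssd_config(main_text: str, conf_d: Dict[str, str]) -> Config:
    """Merge sssd.conf (lowest priority) with conf.d snippets; within a
    section, each later snippet overrides earlier values key by key."""
    merged: Config = parse_ini(main_text)
    for name in snippet_order(list(conf_d)):
        for sec, kv in parse_ini(conf_d[name]).items():
            merged.setdefault(sec, {}).update(kv)
    return merged


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """A constructed stat result, so the check below runs without root."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


def check_config_perms(st: os.stat_result) -> List[str]:
    """Reasons SSSD rejects a config file or snippet: it must be a regular
    file owned by root:root with no group/other access (0600)."""
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlinks and directories are rejected)")
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append(f"owner is {st.st_uid}:{st.st_gid}, expected root:root")
    perm = stat.S_IMODE(st.st_mode)
    if perm & 0o077:
        problems.append(f"mode {perm:04o} grants group/other access, expected 0600")
    return problems


# Constructed sample input; hosts and values are illustrative only.
MAIN_CONF = """\
[sssd]
services = nss, pam
domains = example.com
# comment lines start with '#' ...
; ... or with ';'

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com  # this is NOT a comment
"""

CONF_D = {
    "01_debug.conf": "[sssd]\ndebug_level = 6\n",
    "02_debug.conf": "[sssd]\ndebug_level = 9\n\n[pam]\ndebug_level = 7\n",
    ".hidden.conf": "[sssd]\ndebug_level = 0\n",       # leading dot: ignored
    "notes": "[sssd]\ndebug_level = 1\n",              # no .conf suffix: ignored
    "zz.conf.disabled": "[sssd]\ndebug_level = 2\n",  # wrong suffix: ignored
}

if __name__ == "__main__":
    cfg = load_sssd_config(MAIN_CONF, CONF_D)
    print(cfg["sssd"]["debug_level"], repr(cfg["domain/example.com"]["ldap_uri"]))
    print(check_config_perms(fake_stat(0o100644, 1000, 0)))
```

Two things the example makes visible that the prose only states: the trailing "# this is NOT a comment" becomes part of the ldap_uri value, so the LDAP connection would fail rather than be "commented", and of the five files in the constructed conf.d only 01_debug.conf and 02_debug.conf are read, with 02_debug.conf's debug_level = 9 winning over both the lower-numbered snippet and sssd.conf.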
   96 
   97     <refsect1 id='general-options'>
   98         <title>GENERAL OPTIONS</title>
   99         <para>
  100             The following options are usable in more than one configuration
  101             section.
  102         </para>
  103         <refsect2 id='all-section-options'>
  104             <title>Options usable in all sections</title>
  105             <para>
  106               <variablelist>
  107                 <varlistentry>
  108                     <term>debug_level (integer)</term>
  109                     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/debug_levels.xml" />
  110                 </varlistentry>
  111                 <varlistentry>
  112                     <term>debug (integer)</term>
  113                     <listitem>
  114                         <para>
  115                             SSSD 1.14 and later also includes the
  116                             <replaceable>debug</replaceable> alias for
  117                             <replaceable>debug_level</replaceable> as a
  118                             convenience feature. If both are specified, the
  119                             value of <replaceable>debug_level</replaceable>
  120                             will be used.
  121                         </para>
  122                     </listitem>
  123                 </varlistentry>
  124                 <varlistentry>
  125                     <term>debug_timestamps (bool)</term>
  126                     <listitem>
  127                         <para>
  128                             Add a timestamp to the debug messages.
  129                             If journald is enabled for SSSD debug logging this
  130                             option is ignored.
  131                         </para>
  132                         <para>
  133                             Default: true
  134                         </para>
  135                     </listitem>
  136                 </varlistentry>
  137                 <varlistentry>
  138                     <term>debug_microseconds (bool)</term>
  139                     <listitem>
  140                         <para>
  141                             Add microseconds to the timestamp in debug messages.
  142                             If journald is enabled for SSSD debug logging this
  143                             option is ignored.
  144                         </para>
  145                         <para>
  146                             Default: false
  147                         </para>
  148                     </listitem>
  149                 </varlistentry>
  150               </variablelist>
  151             </para>
  152         </refsect2>
  153 
  154         <refsect2 id='services-and-domains-section-options'>
  155             <title>Options usable in SERVICE and DOMAIN sections</title>
  156             <para>
  157               <variablelist>
  158                 <varlistentry>
  159                     <term>timeout (integer)</term>
  160                     <listitem>
  161                         <para>
  162                             Timeout in seconds between heartbeats for this
  163                             service. This is used to ensure that the process
  164                             is alive and capable of answering requests. Note
  165                             that after three missed heartbeats the process
  166                             will terminate itself.
  167                         </para>
  168                         <para>
  169                             Default: 10
  170                         </para>
  171                     </listitem>
  172                 </varlistentry>
  173               </variablelist>
  174             </para>
  175         </refsect2>
  176     </refsect1>
  177 
  178     <refsect1 id='special-sections'>
  179         <title>SPECIAL SECTIONS</title>
  180 
  181         <refsect2 id='services'>
  182             <title>The [sssd] section</title>
  183             <para>
  184                 Individual pieces of SSSD functionality are provided by special
  185                 SSSD services that are started and stopped together with SSSD.
  186                 The services are managed by a special service frequently called
  187                 <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
  188                 to configure the monitor as well as some other important options
  189                 like the identity domains.
  190                 <variablelist>
  191                     <title>Section parameters</title>
  192                     <varlistentry>
  193                         <term>config_file_version (integer)</term>
  194                         <listitem>
  195                             <para>
  196                                 Indicates which syntax version the config
  197                                 file uses. SSSD 0.6.0 and later use version 2.
  198                             </para>
  199                         </listitem>
  200                     </varlistentry>
  201                     <varlistentry>
  202                         <term>services</term>
  203                         <listitem>
  204                             <para>
  205                                 Comma separated list of services that are
  206                                 started when sssd itself starts.
  207                                 <phrase condition="have_systemd">
  208                                     The services' list is optional on platforms
  209                                     where systemd is supported, as they will either
  210                                     be socket or D-Bus activated when needed.
  211                                 </phrase>
  212                             </para>
  213                             <para>
  214                                 Supported services: nss, pam
  215                                 <phrase condition="with_sudo">, sudo</phrase>
  216                                 <phrase condition="with_autofs">, autofs</phrase>
  217                                 <phrase condition="with_ssh">, ssh</phrase>
  218                                 <phrase condition="with_pac_responder">, pac</phrase>
  219                                 <phrase condition="with_ifp">, ifp</phrase>
  220                             </para>
  221                             <para>
  222                                 <phrase condition="have_systemd">
  223                                     By default, all services are disabled and the administrator
  224                                     must enable the ones allowed to be used by executing:
  225                                     "systemctl enable sssd-@service@.socket".
  226                                 </phrase>
  227                             </para>
  228                         </listitem>
  229                     </varlistentry>
  230                     <varlistentry>
  231                         <term>reconnection_retries (integer)</term>
  232                         <listitem>
  233                             <para>
  234                                 Number of times services should attempt to
  235                                 reconnect in the event of a Data Provider
  236                                 crash or restart before they give up.
  237                             </para>
  238                             <para>
  239                                 Default: 3
  240                             </para>
  241                         </listitem>
  242                     </varlistentry>
  243                     <varlistentry>
  244                         <term>domains</term>
  245                         <listitem>
  246                             <para>
  247                                 A domain is a database containing user
  248                                 information. SSSD can use multiple domains
  249                                 at the same time, but at least one
  250                                 must be configured or SSSD won't start.
  251                                 This parameter describes the list of domains
  252                                 in the order you want them to be queried.
  253                                 A domain name is recommended to contain only
  254                                 alphanumeric ASCII characters, dashes, dots
  255                                 and underscores. The '/' character is forbidden.
  256                             </para>
  257                         </listitem>
  258                     </varlistentry>
  259                     <varlistentry>
  260                         <term>re_expression (string)</term>
  261                         <listitem>
  262                             <para>
  263                                 Default regular expression that describes how to
  264                                 parse the string containing user name and domain
  265                                 into these components.
  266                             </para>
  267                             <para>
  268                                 Each domain can have an individual regular
  269                                 expression configured. For some ID providers
  270                                 there are also default regular expressions. See
  271                                 DOMAIN SECTIONS for more info on these regular
  272                                 expressions.
  273                             </para>
  274                         </listitem>
  275                     </varlistentry>
  276                     <varlistentry>
  277                         <term>full_name_format (string)</term>
  278                         <listitem>
  279                             <para>
  280                                 A <citerefentry>
  281                                     <refentrytitle>printf</refentrytitle>
  282                                     <manvolnum>3</manvolnum>
  283                                 </citerefentry>-compatible format that describes how to
  284                                 compose a fully qualified name from user name
  285                                 and domain name components.
  286                             </para>
  287                             <para>
  288                                 The following expansions are supported:
  289                                 <variablelist>
  290                                     <varlistentry>
  291                                         <term>%1$s</term>
  292                                         <listitem><para>user name</para></listitem>
  293                                     </varlistentry>
  294                                     <varlistentry>
  295                                         <term>%2$s</term>
  296                                         <listitem>
  297                                             <para>
  298                                                 domain name as specified in the
  299                                                 SSSD config file.
  300                                             </para>
  301                                         </listitem>
  302                                     </varlistentry>
  303                                     <varlistentry>
  304                                         <term>%3$s</term>
  305                                         <listitem>
  306                                             <para>
  307                                                 domain flat name. Mostly usable
  308                                                 for Active Directory domains, both
  309                                                 directly configured or discovered
  310                                                 via IPA trusts.
  311                                             </para>
  312                                         </listitem>
  313                                     </varlistentry>
  314                                 </variablelist>
  315                             </para>
  316                             <para>
  317                                 Each domain can have an individual format string configured.
  318                                 See DOMAIN SECTIONS for more info on this option.
  319                             </para>
  320                         </listitem>
  321                     </varlistentry>
  322                     <varlistentry>
  323                         <term>monitor_resolv_conf (boolean)</term>
  324                         <listitem>
  325                             <para>
  326                                 Controls if SSSD should monitor the state of
  327                                 resolv.conf to identify when it needs to
  328                                 update its internal DNS resolver.
  329                             </para>
  330                             <para>
  331                                 Default: true
  332                             </para>
  333                         </listitem>
  334                     </varlistentry>
  335                     <varlistentry>
  336                         <term>try_inotify (boolean)</term>
  337                         <listitem>
  338                             <para>
  339                                 By default, SSSD will attempt to use inotify
  340                                 to monitor configuration files changes and
  341                                 will fall back to polling every five seconds
  342                                 if inotify cannot be used.
  343                             </para>
  344                             <para>
  345                                 In some rare situations it is preferable
  346                                 not to even attempt to use inotify. In
  347                                 these cases, this option should be set to
  348                                 'false'.
  349                             </para>
  350                             <para>
  351                                 Default: true on platforms where inotify is
  352                                 supported. False on other platforms.
  353                             </para>
  354                             <para>
  355                                 Note: this option will have no effect on
  356                                 platforms where inotify is unavailable. On
  357                                 these platforms, polling will always be used.
  358                             </para>
  359                         </listitem>
  360                     </varlistentry>
  361                     <varlistentry>
  362                         <term>krb5_rcache_dir (string)</term>
  363                         <listitem>
  364                             <para>
  365                                 Directory on the filesystem where SSSD should
  366                                 store Kerberos replay cache files.
  367                             </para>
  368                             <para>
  369                                 This option accepts a special value
  370                                 __LIBKRB5_DEFAULTS__ that will instruct SSSD
  371                                 to let libkrb5 decide the appropriate
  372                                 location for the replay cache.
  373                             </para>
  374                             <para>
  375                                 Default: Distribution-specific and specified
  376                                 at build-time. (__LIBKRB5_DEFAULTS__ if not
  377                                 configured)
  378                             </para>
  379                         </listitem>
  380                     </varlistentry>
  381                     <varlistentry>
  382                         <term>user (string)</term>
  383                         <listitem>
  384                             <para>
  385                                 The user to drop the privileges to where
  386                                 appropriate to avoid running as the
  387                                 root user.
  388                                 <phrase condition="have_systemd">
  389                                     This option does not work when running socket-activated
  390                                     services, as the user that runs the processes is
  391                                     fixed at compilation time.
  392 
  393                                     The way to override the systemd unit files is by creating
  394                                     the appropriate files in /etc/systemd/system/.
  395 
  396                                     Keep in mind that any change in the socket user, group or
  397                                     permissions may result in a non-usable SSSD. The same may
  398                                     occur in case of changes of the user running the NSS
  399                                     responder.
  400                                 </phrase>
  401                             </para>
  402                             <para>
  403                                 Default: not set, process will run as root
  404                             </para>
  405                         </listitem>
  406                     </varlistentry>
  407                     <varlistentry>
  408                         <term>default_domain_suffix (string)</term>
  409                         <listitem>
  410                             <para>
  411                                 This string will be used as a default domain
  412                                 name for all names without a domain name
  413                                 component. The main use case is environments
  414                                 where the primary domain is intended for managing host
  415                                 policies and all users are located in a trusted domain.
  416                                 The option allows those users
  417                                 to log in just with their user name without
  418                                 giving a domain name as well.
  419                             </para>
  420                             <para>
  421                                 Please note that if this option is set all
  422                                 users from the primary domain have to use their
  423                                 fully qualified name, e.g. user@domain.name,
  424                                 to log in. Setting this option changes default
  425                                 of use_fully_qualified_names to True. It is not
  426                                 allowed to use this option together with
  427                                 use_fully_qualified_names set to False. One
  428                                 exception to this rule is domains with
  429                                 <quote>id_provider=files</quote> that always try
  430                                 to match the behaviour of nss_files
  431                                 and therefore their output is not
  432                                 qualified even when the default_domain_suffix
  433                                 option is used.
  434                             </para>
  435                             <para>
  436                                 Default: not set
  437                             </para>
  438                         </listitem>
  439                     </varlistentry>
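re_expression, full_name_format and default_domain_suffix (described above) together decide which domain a login string is resolved in and how a qualified name is printed back. The Python below is an added example, not SSSD code: it expands the printf(3) positional arguments %1$s, %2$s and %3$s listed above with a tokenizer that rejects any other conversion (a stray %s in a format string would otherwise reach printf with the wrong argument count), applies a re_expression with the named groups name and domain, and shows how default_domain_suffix redirects an unqualified name to the trusted domain while a primary-domain user has to log in fully qualified. The fallback regular expression and format string used here are assumptions for the example; the authoritative per-provider defaults are in the DOMAIN SECTIONS of the full page, which this excerpt does not include.

```python
import re
from typing import Optional, Tuple

# printf(3) positional conversions %N$s plus the literal '%%'
_TOKEN = re.compile(r"%(\d+)\$s|%%")

# ASSUMED defaults for this example (the real defaults are provider-specific
# and documented in the DOMAIN SECTIONS of the full man page).
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"


def compose_full_name(fmt: str, name: str, domain: str, flat: str = "") -> str:
    """Expand a full_name_format: %1$s user name, %2$s domain name as
    configured, %3$s domain flat name (AD). Arguments may repeat or appear in
    any order; any other '%' conversion is rejected."""
    args = {1: name, 2: domain, 3: flat}
    out, pos = [], 0
    for m in _TOKEN.finditer(fmt):
        literal = fmt[pos:m.start()]
        if "%" in literal:
            raise ValueError(f"unsupported conversion in full_name_format {fmt!r}")
        out.append(literal)
        if m.group(0) == "%%":
            out.append("%")
        else:
            idx = int(m.group(1))
            if idx not in args:
                raise ValueError(f"{fmt!r}: only %1$s, %2$s and %3$s are defined")
            out.append(args[idx])
        pos = m.end()
    if "%" in fmt[pos:]:
        raise ValueError(f"unsupported conversion in full_name_format {fmt!r}")
    out.append(fmt[pos:])
    return "".join(out)


def is_valid_full_name_format(fmt: str) -> bool:
    """Config-lint helper: can the format be expanded at all?"""
    try:
        compose_full_name(fmt, "u", "d", "f")
        return True
    except ValueError:
        return False


def split_name(fqname: str,
               re_expression: str = DEFAULT_RE_EXPRESSION) -> Tuple[str, str]:
    """Apply a re_expression (named groups 'name' and 'domain') to a login
    string. Returns (name, domain); domain is '' when none was given."""
    m = re.match(re_expression, fqname)
    if m is None:
        raise ValueError(f"{fqname!r} does not match re_expression")
    return m.group("name"), m.group("domain") or ""


def domain_for_login(fqname: str,
                     default_domain_suffix: Optional[str] = None,
                     re_expression: str = DEFAULT_RE_EXPRESSION) -> Tuple[str, Optional[str]]:
    """Where an entered name is looked up. A qualified name goes to its own
    domain. A bare name goes to default_domain_suffix when that is set (so
    primary-domain users must qualify themselves); otherwise None means
    'search the configured domains in order'."""
    name, domain = split_name(fqname, re_expression)
    if domain:
        return name, domain
    return name, default_domain_suffix or None


if __name__ == "__main__":
    # Constructed names; the domains are illustrative only.
    print(compose_full_name(DEFAULT_FULL_NAME_FORMAT, "alice", "example.com"))
    print(compose_full_name("%3$s\\%1$s", "alice", "ad.example.com", "AD"))
    print(domain_for_login("alice", default_domain_suffix="trusted.example.com"))
    print(domain_for_login("bob@example.com", default_domain_suffix="trusted.example.com"))
```

The round trip is the point: split_name() takes apart what compose_full_name() produced with the default pair, and the AD-style "%3$s\%1$s" format shows why the flat name exists. Note that with the default_domain_suffix set, "alice" resolves in trusted.example.com and never in the primary domain, which is exactly the behaviour the paragraph above warns about.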
  440                     <varlistentry>
  441                         <term>override_space (string)</term>
  442                         <listitem>
  443                             <para>
  444                                 This parameter will replace spaces (space bar)
  445                                 with the given character in user and group names,
  446                                 e.g. an underscore (_): the user name &quot;john doe&quot;
  447                                 will be returned as &quot;john_doe&quot;. This feature was
  448                                 added to help compatibility with shell scripts that
  449                                 have difficulty handling spaces, due to the
  450                                 default field separator in the shell.
  451                             </para>
  452                             <para>
  453                                 Please note it is a configuration error to use
  454                                 a replacement character that might be used in
  455                                 user or group names. If a name contains the
  456                                 replacement character SSSD tries to return the
  457                                 unmodified name but in general the result of a
  458                                 lookup is undefined.
  459                             </para>
  460                             <para>
  461                                 Default: not set (spaces will not be replaced)
  462                             </para>
  463                         </listitem>
  464                     </varlistentry>
  465                     <varlistentry>
  466                         <term>certificate_verification (string)</term>
  467                         <listitem>
  468                             <para>
  469                                 With this parameter the certificate verification
  470                                 can be tuned with a comma separated list of
  471                                 options. Supported options are:
  472                                 <variablelist>
  473                                 <varlistentry>
  474                                     <term>no_ocsp</term>
  475                                     <listitem>
  476                                         <para>Disables Online Certificate Status
  477                                         Protocol (OCSP) checks. This might be
  478                                         needed if the OCSP servers defined in
  479                                         the certificate are not reachable from
  480                                         the client.</para>
  481                                     </listitem>
  482                                 </varlistentry>
  483                                 <varlistentry>
  484                                     <term>soft_ocsp</term>
  485                                     <listitem>
  486                                         <para> If a connection
  487                                         cannot be established to an OCSP
  488                                         responder the OCSP check is skipped.
  489                                         This option should be used to allow
  490                                         authentication when the system is
  491                                         offline and the OCSP responder cannot be
  492                                         reached.</para>
  493                                     </listitem>
  494                                 </varlistentry>
  495                                 <varlistentry>
  496                                     <term>ocsp_dgst</term>
  497                                     <listitem>
  498                                         <para>Digest (hash) function used to
  499                                         create the certificate ID for the OCSP
  500                                         request. Allowed values are:
  501                                         <itemizedlist>
  502                                           <listitem><para>sha1</para></listitem>
  503                                           <listitem><para>sha256</para></listitem>
  504                                           <listitem><para>sha384</para></listitem>
  505                                           <listitem><para>sha512</para></listitem>
  506                                         </itemizedlist></para>
  507                                         <para>
  508                                             Default: sha1 (to allow compatibility with
  509                                             RFC5019-compliant responders)
  510                                         </para>
  511                                     </listitem>
  512                                 </varlistentry>
  513                                 <varlistentry>
  514                                     <term>no_verification</term>
  515                                     <listitem>
  516                                         <para>Disables verification completely.
  517                                         This option should only be used for
  518                                         testing.</para>
  519                                     </listitem>
  520                                 </varlistentry>
  521                                 <varlistentry>
  522                                     <term>ocsp_default_responder=URL</term>
  523                                     <listitem>
  524                                         <para>Sets the OCSP default responder
  525                                         which should be used instead of the one
  526                                         mentioned in the certificate. URL must
  527                                         be replaced with the URL of the OCSP
  528                                         default responder e.g.
  529                                         http://example.com:80/ocsp.</para>
  530                                     </listitem>
  531                                 </varlistentry>
  532                                 <varlistentry>
  533                                     <term>
  534                                     ocsp_default_responder_signing_cert=NAME</term>
  535                                     <listitem>
  536                                         <para>This option is
  537                                         currently ignored. All needed
  538                                         certificates must be available in the
  539                                         PEM file given by
  540                                         pam_cert_db_path.</para>
  541                                     </listitem>
  542                                 </varlistentry>
  543                                 <varlistentry>
  544                                     <term>crl_file=/PATH/TO/CRL/FILE</term>
  545                                     <listitem>
  546                                         <para>Use the
  547                                         Certificate Revocation List (CRL) from
  548                                         the given file during the verification
  549                                         of the certificate. The CRL must be
  550                                         given in PEM format, see
  551                                             <citerefentry>
  552                                                 <refentrytitle>crl</refentrytitle>
  553                                                 <manvolnum>1ssl</manvolnum>
  554                                             </citerefentry>
  555                                         for details.</para>
  556                                     </listitem>
  557                                 </varlistentry>
  558                                 <varlistentry>
  559                                     <term>soft_crl</term>
  560                                     <listitem>
  561                                         <para>
  562                                         If a Certificate Revocation List (CRL)
  563                                         has expired, ignore the CRL checks for the
  564                                         related certificates. This option should
  565                                         be used to allow authentication when the
  566                                         system is offline and the CRL cannot be
  567                                         renewed.</para>
  568                                     </listitem>
  569                                 </varlistentry>
  570                                 </variablelist>
  571                             </para>
  572                             <para>
  573                                 Unknown options are reported but ignored.
  574                             </para>
  575                             <para>
  576                                 Default: not set, i.e. do not restrict
  577                                 certificate verification
  578                             </para>
  579                         </listitem>
  580                     </varlistentry>
  581                     <varlistentry>
  582                         <term>disable_netlink (boolean)</term>
  583                         <listitem>
  584                             <para>
  585                                 SSSD hooks into the netlink interface to
  586                                 monitor changes to routes, addresses, links
  587                                 and trigger certain actions.
  588                             </para>
  589                             <para>
  590                                 The SSSD state changes caused by netlink
  591                                 events may be undesirable and can be disabled
  592                                 by setting this option to 'true'.
  593                             </para>
  594                             <para>
  595                                 Default: false (netlink changes are detected)
  596                             </para>
  597                         </listitem>
  598                     </varlistentry>
  599                     <varlistentry>
  600                         <term>enable_files_domain (boolean)</term>
  601                         <listitem>
  602                             <para>
  603                                 When this option is enabled, SSSD
  604                                 prepends an implicit domain with
  605                                 <quote>id_provider=files</quote> before
  606                                 any explicitly configured domains.
  607                             </para>
  608                             <para condition="no_enable_files_domain">
  609                                 Default: false
  610                             </para>
  611                             <para condition="enable_files_domain">
  612                                 Default: true
  613                             </para>
  614                         </listitem>
  615                     </varlistentry>
  616                     <varlistentry>
  617                         <term>domain_resolution_order</term>
  618                         <listitem>
  619                             <para>
  620                                 Comma separated list of domains and subdomains
  621                                 representing the lookup order that will be
  622                                 followed.
  623                                 The list doesn't have to include all possible
  624                                 domains as the missing domains will be looked
  625                                 up based on the order they're presented in the
  626                                 <quote>domains</quote> configuration option.
  627                                 The subdomains which are not listed as part of
  628                                 <quote>lookup_order</quote> will be looked up
  629                                 in a random order for each parent domain.
  630                             </para>
  631                             <para>
  632                                 Please note that when this option is set, the
  633                                 output of all commands is always
  634                                 fully-qualified even when short names are used
  635                                 for input, for all users except the ones managed
  636                                 by the files provider.
  637                                 If the administrator wants output that is not
  638                                 fully-qualified, the full_name_format option
  639                                 can be used as shown below:
  640                                 <quote>full_name_format=%1$s</quote>
  641                                 However, keep in mind that during login, login
  642                                 applications often canonicalize the username by
  643                                 calling
  644                                 <citerefentry>
  645                                     <refentrytitle>getpwnam</refentrytitle>
  646                                     <manvolnum>3</manvolnum>
  647                                 </citerefentry>
  648                                 which, if a short name is returned for a
  649                                 qualified input (while trying to reach a user
  650                                 that exists in multiple domains), might
  651                                 re-route the login attempt into the domain
  652                                 that uses short names, so this workaround
  653                                 is not recommended in cases where
  654                                 usernames may overlap between domains.
  655                             </para>
  656                             <para>
  657                                 Default: Not set
  658                             </para>
  659                         </listitem>
  660                     </varlistentry>
  661                 </variablelist>
  662             </para>
  663         </refsect2>
  664 
  665     </refsect1>
  666 
  667     <refsect1 id='services-sections'>
  668         <title>SERVICES SECTIONS</title>
  669         <para>
  670             Settings that can be used to configure different services
  671             are described in this section. They should reside in the
  672             [<replaceable>$NAME</replaceable>] section, for example,
  673             for NSS service, the section would be <quote>[nss]</quote>
  674         </para>
  675 
  676         <refsect2 id='general'>
  677             <title>General service configuration options</title>
  678             <para>
  679                 These options can be used to configure any service.
  680             </para>
  681             <variablelist>
  682                 <varlistentry>
  683                     <term>reconnection_retries (integer)</term>
  684                     <listitem>
  685                         <para>
  686                             Number of times services should attempt to
  687                             reconnect in the event of a Data Provider
  688                             crash or restart before they give up.
  689                         </para>
  690                         <para>
  691                             Default: 3
  692                         </para>
  693                     </listitem>
  694                 </varlistentry>
  695                 <varlistentry>
  696                     <term>fd_limit</term>
  697                     <listitem>
  698                         <para>
  699                             This option specifies the maximum number of file
  700                             descriptors that may be opened at one time by this
  701                             SSSD process. On systems where SSSD is granted the
  702                             CAP_SYS_RESOURCE capability, this will be an
  703                             absolute setting. On systems without this
  704                             capability, the resulting value will be the lower
  705                             value of this or the limits.conf "hard" limit.
  706                         </para>
  707                         <para>
  708                             Default: 8192 (or limits.conf "hard" limit)
  709                         </para>
  710                     </listitem>
  711                 </varlistentry>
  712                 <varlistentry>
  713                     <term>client_idle_timeout</term>
  714                     <listitem>
  715                         <para>
  716                             This option specifies the number of seconds that
  717                             a client of an SSSD process can hold onto a file
  718                             descriptor without communicating on it. This value
  719                             is limited in order to avoid resource exhaustion
  720                             on the system. The timeout can't be shorter than
  721                             10 seconds. If a lower value is configured, it
  722                             will be adjusted to 10 seconds.
  723                         </para>
  724                         <para>
  725                             Default: 60, KCM: 300
  726                         </para>
  727                     </listitem>
  728                 </varlistentry>
  729                 <varlistentry>
  730                     <term>offline_timeout (integer)</term>
  731                     <listitem>
  732                         <para>
  733                             When SSSD switches to offline mode the amount of
  734                             time before it tries to go back online will
  735                             increase based upon the time spent disconnected.
  736                             This value is in seconds and calculated by the
  737                             following:
  738                         </para>
  739                         <para>
  740                              offline_timeout + random_offset
  741                         </para>
  742                         <para>
  743                             The random offset value is from 0 to 30.
  744                             After each unsuccessful attempt to go online,
  745                             the new interval is recalculated by the following:
  746                         </para>
  747                         <para>
  748                             new_interval = (old_interval * 2) + random_offset
  749                         </para>
  750                         <para>
  751                             Note that the maximum length of each interval
  752                             is defined by offline_timeout_max, which defaults
  753                             to one hour. If the calculated length of new_interval
  754                             is greater than offline_timeout_max, it will be forced
  755                             to the offline_timeout_max value.
  756                         </para>
  757                         <para>
  758                             Default: 60
  759                         </para>
  760                     </listitem>
  761                 </varlistentry>
  762                 <varlistentry>
  763                     <term>offline_timeout_max (integer)</term>
  764                     <listitem>
  765                         <para>
  766                             Controls by how much the time between attempts to go
  767                             online can be incremented following unsuccessful
  768                             attempts to go online.
  769                         </para>
  770                         <para>
  771                             A value of 0 disables the incrementing behaviour.
  772                         </para>
  773                         <para>
  774                             The value of this parameter should be set in correlation
  775                             to offline_timeout parameter value.
  776                         </para>
  777                         <para>
  778                             With offline_timeout set to 60 (the default value) there is no point
  779                             in setting offline_timeout_max to less than 120, as it will
  780                             saturate instantly. As a general rule, set
  781                             offline_timeout_max to at least 4 times offline_timeout.
  782                         </para>
  783                         <para>
  784                             Although a value between 0 and offline_timeout may be
  785                             specified, it has the effect of overriding the
  786                             offline_timeout value so is of little use.
  787                         </para>
  788                         <para>
  789                             Default: 3600
  790                         </para>
  791                     </listitem>
  792                 </varlistentry>
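The interval arithmetic described for offline_timeout and offline_timeout_max, carried through as an added example (this is not SSSD's code, and the random offset is injected so that a schedule can be reproduced; the reading that offline_timeout_max=0 keeps every interval at offline_timeout + random_offset is an assumption, as is capping the very first interval, which is how a max below offline_timeout ends up overriding it):

```python
import random

# The man page: the random offset added to every interval is 0 to 30 seconds.
RANDOM_OFFSET_MAX = 30


def random_offset():
    """A real random offset, as SSSD draws one (0..30 inclusive)."""
    return random.randint(0, RANDOM_OFFSET_MAX)


def no_offset():
    """Offset of 0: the best case, handy for reproducing a schedule."""
    return 0


def backoff_schedule(offline_timeout, offline_timeout_max, attempts,
                     offset_fn=random_offset):
    """Return the wait (seconds) before each of `attempts` consecutive
    failed attempts to go back online.

    Formulas from the offline_timeout description:
      first wait = offline_timeout + random_offset
      next wait  = (old_interval * 2) + random_offset
    each capped at offline_timeout_max when that value is non-zero.
    """
    schedule = []
    interval = offline_timeout + offset_fn()
    for _ in range(attempts):
        if offline_timeout_max > 0:
            # Assumption: the cap applies to every interval, including the
            # first, which is why a max below offline_timeout overrides it.
            interval = min(interval, offline_timeout_max)
        schedule.append(interval)
        if offline_timeout_max == 0:
            # Assumption: "0 disables the incrementing behaviour" means the
            # interval is recomputed from offline_timeout every time.
            interval = offline_timeout + offset_fn()
        else:
            interval = (interval * 2) + offset_fn()
    return schedule


def saturation_index(offline_timeout, offline_timeout_max, attempts=32):
    """0-based index of the first wait that reaches offline_timeout_max in the
    best case (no random offset), or None if the cap is never reached."""
    if offline_timeout_max == 0:
        return None
    schedule = backoff_schedule(offline_timeout, offline_timeout_max,
                                attempts, offset_fn=no_offset)
    for index, wait in enumerate(schedule):
        if wait == offline_timeout_max:
            return index
    return None


def worst_case_total(offline_timeout, offline_timeout_max, attempts):
    """Total seconds offline before the Nth retry if every offset is 30."""
    return sum(backoff_schedule(offline_timeout, offline_timeout_max,
                                attempts, offset_fn=lambda: RANDOM_OFFSET_MAX))


if __name__ == "__main__":
    # Defaults, the "saturates instantly" case, an overriding max, and max=0.
    for timeout, maximum in ((60, 3600), (60, 120), (60, 30), (60, 0)):
        print(timeout, maximum,
              backoff_schedule(timeout, maximum, 8, offset_fn=no_offset),
              "saturates at", saturation_index(timeout, maximum))
```

Running the main block shows the rule of thumb in numbers: with the defaults the cap is reached on the seventh wait, with offline_timeout_max=120 it is reached on the second, and a max of 30 simply replaces offline_timeout.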
  793                 <varlistentry>
  794                     <term>responder_idle_timeout</term>
  795                     <listitem>
  796                         <para>
  797                             This option specifies the number of seconds that
  798                             an SSSD responder process can be up without being
  799                             used. This value is limited in order to avoid
  800                             resource exhaustion on the system.
  801                             The minimum acceptable value for this option is 60
  802                             seconds.
  803                             Setting this option to 0 (zero) means that no
  804                             timeout will be set for the responder.
  805 
  806                             This option only has effect when SSSD is built with
  807                             systemd support and when services are either socket
  808                             or D-Bus activated.
  809                         </para>
  810                         <para>
  811                             Default: 300
  812                         </para>
  813                     </listitem>
  814                 </varlistentry>
  815                 <varlistentry>
  816                     <term>cache_first</term>
  817                     <listitem>
  818                         <para>
  819                             This option specifies whether the responder should
  820                             query all caches before querying the Data Providers.
  821                         </para>
  822                         <para>
  823                             Default: false
  824                         </para>
  825                     </listitem>
  826                 </varlistentry>
  827             </variablelist>
  828         </refsect2>
  829 
  830         <refsect2 id='NSS'>
  831             <title>NSS configuration options</title>
  832             <para>
  833                 These options can be used to configure the
  834                 Name Service Switch (NSS) service.
  835             </para>
  836             <variablelist>
  837                 <varlistentry>
  838                     <term>enum_cache_timeout (integer)</term>
  839                     <listitem>
  840                         <para>
  841                             How many seconds nss_sss should cache enumerations
  842                             (requests for info about all users).
  843                         </para>
  844                         <para>
  845                             Default: 120
  846                         </para>
  847                     </listitem>
  848                 </varlistentry>
  849                 <varlistentry>
  850                     <term>entry_cache_nowait_percentage (integer)</term>
  851                     <listitem>
  852                         <para>
  853                             The entry cache can be set to automatically update
  854                             entries in the background if they are requested
  855                             beyond a percentage of the entry_cache_timeout
  856                             value for the domain.
  857                         </para>
  858                         <para>
  859                             For example, if the domain's entry_cache_timeout
  860                             is set to 30s and entry_cache_nowait_percentage is
  861                             set to 50 (percent), entries that come in after 15
  862                             seconds past the last cache update will be
  863                             returned immediately, but the SSSD will go and
  864                             update the cache on its own, so that future
  865                             requests will not need to block waiting for a
  866                             cache update.
  867                         </para>
  868                         <para>
  869                             Valid values for this option are 0-99 and
  870                             represent a percentage of the entry_cache_timeout
  871                             for each domain. For performance reasons, this
  872                             percentage will never reduce the nowait timeout to
  873                             less than 10 seconds.
  874                             (0 disables this feature)
  875                         </para>
  876                         <para>
  877                             Default: 50
  878                         </para>
  879                     </listitem>
  880                 </varlistentry>
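The nowait behaviour described above, as an added example rather than SSSD's own code: it computes the background-refresh threshold from entry_cache_timeout and entry_cache_nowait_percentage, applies the documented 10-second floor and the 0-disables rule, and classifies a lookup by the age of its cached entry. Treating "after 15 seconds" as strictly greater than the threshold, and the three state names, are assumptions of this example.

```python
# The man page: the percentage never reduces the nowait timeout below 10 s.
NOWAIT_FLOOR_SECONDS = 10


def nowait_threshold(entry_cache_timeout, nowait_percentage):
    """Seconds after the last refresh beyond which an entry is still served
    from cache but a background update is started.

    Returns None when the feature is disabled (percentage 0). Valid values
    are 0-99; anything else is a configuration error.
    """
    if nowait_percentage not in range(0, 100):
        raise ValueError("entry_cache_nowait_percentage must be 0-99")
    if nowait_percentage == 0:
        return None
    threshold = entry_cache_timeout * nowait_percentage / 100
    # For performance reasons the threshold is never lower than 10 seconds.
    return max(threshold, NOWAIT_FLOOR_SECONDS)


def cache_decision(age, entry_cache_timeout, nowait_percentage):
    """Classify a lookup for an entry last refreshed `age` seconds ago.

    "fresh"         : served from cache, no provider traffic
    "serve_refresh" : served from cache immediately, refreshed in background
    "expired"       : past entry_cache_timeout, the lookup blocks on the
                      Data Provider
    (state names are this example's, not SSSD's)
    """
    if age >= entry_cache_timeout:
        return "expired"
    threshold = nowait_threshold(entry_cache_timeout, nowait_percentage)
    # Assumption: "entries that come in after N seconds" means strictly after.
    if threshold is not None and age > threshold:
        return "serve_refresh"
    return "fresh"


if __name__ == "__main__":
    # The man page's own numbers: 30 s timeout, 50 percent.
    for age in (5, 15, 16, 29, 30):
        print(age, cache_decision(age, 30, 50))
    # A short timeout shows the floor: 12 s at 50 percent would be 6 s,
    # but the threshold is held at 10 s.
    print(nowait_threshold(12, 50))
```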
  881                 <varlistentry>
  882                     <term>entry_negative_timeout (integer)</term>
  883                     <listitem>
  884                         <para>
  885                             Specifies for how many seconds nss_sss should cache
  886                             negative cache hits (that is, queries for
  887                             invalid database entries, like nonexistent ones)
  888                             before asking the back end again.
  889                         </para>
  890                         <para>
  891                             Default: 15
  892                         </para>
  893                     </listitem>
  894                 </varlistentry>
  895                 <varlistentry>
  896                     <term>local_negative_timeout (integer)</term>
  897                     <listitem>
  898                         <para>
  899                             Specifies for how many seconds nss_sss should keep
  900                             local users and groups in the negative cache before
  901                             trying to look them up in the back end again. Setting
  902                             the option to 0 disables this feature.
  903                         </para>
  904                         <para>
  905                             Default: 14400 (4 hours)
  906                         </para>
  907                     </listitem>
  908                 </varlistentry>
  909                 <varlistentry>
  910                     <term>filter_users, filter_groups (string)</term>
  911                     <listitem>
  912                         <para>
  913                             Exclude certain users or groups from being fetched
  914                             from the sss NSS database. This is particularly
  915                             useful for system accounts. This option can also
  916                             be set per-domain or include fully-qualified names
  917                             to filter only users from the particular domain or
  918                             by a user principal name (UPN).
  919                         </para>
  920                         <para>
  921                             NOTE: The filter_groups option doesn't affect
  922                             inheritance of nested group members, since
  923                             filtering happens after they are propagated for
  924                             returning via NSS. E.g. a group having a member
  925                             group filtered out will still have the member
  926                             users of the latter listed.
  927                         </para>
  928                         <para>
  929                             Default: root
  930                         </para>
  931                     </listitem>
  932                 </varlistentry>
  933                 <varlistentry>
  934                     <term>filter_users_in_groups (bool)</term>
  935                     <listitem>
  936                         <para>
  937                             If you want filtered users to still be group members,
  938                             set this option to false.
  939                         </para>
  940                         <para>
  941                             Default: true
  942                         </para>
  943                     </listitem>
  944                 </varlistentry>
  945                 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
  946                 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />
  947                 <varlistentry>
  948                     <term>fallback_homedir (string)</term>
  949                     <listitem>
  950                         <para>
  951                             Set a default template for a user's home directory
  952                             if one is not specified explicitly by the domain's
  953                             data provider.
  954                         </para>
  955                         <para>
  956                             The available values for this option are the same
  957                             as for override_homedir.
  958                         </para>
  959                         <para>
  960                             example:
  961                             <programlisting>
  962 fallback_homedir = /home/%u
  963                             </programlisting>
  964                         </para>
  965                         <para>
  966                             Default: not set (no substitution for unset home
  967                             directories)
  968                         </para>
  969                     </listitem>
  970                 </varlistentry>
  971                 <varlistentry>
  972                     <term>override_shell (string)</term>
  973                     <listitem>
  974                         <para>
  975                             Override the login shell for all users. This
  976                             option supersedes any other shell options if
  977                             it takes effect and can be set either in the
  978                             [nss] section or per-domain.
  979                         </para>
  980                         <para>
  981                             Default: not set (SSSD will use the value
  982                             retrieved from LDAP)
  983                         </para>
  984                     </listitem>
  985                 </varlistentry>
  986                 <varlistentry>
  987                     <term>allowed_shells (string)</term>
  988                     <listitem>
  989                         <para>
  990                             Restrict user shell to one of the listed values. The order of evaluation is:
  991                         </para>
  992                         <para>
  993                             1. If the shell is present in
  994                             <quote>/etc/shells</quote>, it is used.
  995                         </para>
  996                         <para>
  997                             2. If the shell is in the allowed_shells list but
  998                             not in <quote>/etc/shells</quote>, use the
  999                             value of the shell_fallback parameter.
 1000                         </para>
 1001                         <para>
 1002                             3. If the shell is not in the allowed_shells list and
 1003                             not in <quote>/etc/shells</quote>, a nologin shell
 1004                             is used.
 1005                         </para>
 1006                         <para>
 1007                             The wildcard (*) can be used to allow any shell.
 1008                         </para>
 1009                         <para>
 1010                             The wildcard (*) is useful if you want
 1011                             shell_fallback to be used when the user's shell is not
 1012                             in <quote>/etc/shells</quote> and maintaining a list
 1013                             of all allowed shells in allowed_shells would be
 1014                             too much overhead.
 1015                         </para>
 1016                         <para>
 1017                             An empty string for shell is passed as-is to libc.
 1018                         </para>
 1019                         <para>
 1020                             <quote>/etc/shells</quote> is only read at SSSD start-up, which means that
 1021                             a restart of SSSD is required when a new shell is installed.
 1022                         </para>
 1023                         <para>
 1024                             Default: Not set. The user shell is automatically used.
 1025                         </para>
 1026                     </listitem>
 1027                 </varlistentry>
 1028                 <varlistentry>
 1029                     <term>vetoed_shells (string)</term>
 1030                     <listitem>
 1031                         <para>
 1032                             Replace any instance of these shells with the shell_fallback.
 1033                         </para>
 1034                     </listitem>
 1035                 </varlistentry>
 1036                 <varlistentry>
 1037                     <term>shell_fallback (string)</term>
 1038                     <listitem>
 1039                         <para>
 1040                             The default shell to use if an allowed shell is not
 1041                             installed on the machine.
 1042                         </para>
 1043                         <para>
 1044                             Default: /bin/sh
 1045                         </para>
 1046                     </listitem>
 1047                 </varlistentry>
 1048                 <varlistentry>
 1049                     <term>default_shell</term>
 1050                     <listitem>
 1051                         <para>
 1052                             The default shell to use if the provider does
 1053                             not return one during lookup. This option can
 1054                             be specified globally in the [nss] section
 1055                             or per-domain.
 1056                         </para>
 1057                         <para>
 1058                             Default: not set (Return NULL if no shell is
 1059                             specified and rely on libc to substitute something
 1060                             sensible when necessary, usually /bin/sh)
 1061                         </para>
 1062                     </listitem>
 1063                 </varlistentry>
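The shell-selection rules spread over override_shell, allowed_shells, vetoed_shells, shell_fallback and default_shell, combined into one resolver as an added example (not SSSD's implementation). It follows the three-step evaluation order given for allowed_shells and reads /etc/shells the way the file is laid out (one path per line, blank lines and # comments ignored). The /etc/shells sample is constructed, the nologin path is assumed since the page only says "a nologin shell", and checking vetoed_shells before allowed_shells is an ordering the page does not state.

```python
# Constructed sample of /etc/shells; real files allow blank lines and # comments.
SAMPLE_ETC_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash

/usr/bin/zsh
"""

# The man page says only "a nologin shell"; this path is an assumption.
NOLOGIN_SHELL = "/sbin/nologin"


def parse_etc_shells(text):
    """Return the set of shells listed in an /etc/shells-style file."""
    shells = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            shells.add(line)
    return shells


def parse_list(value):
    """Split a comma-separated sssd.conf value (allowed_shells, vetoed_shells)."""
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_shell(provider_shell, etc_shells, override_shell=None,
                  default_shell=None, vetoed_shells=None, allowed_shells=None,
                  shell_fallback="/bin/sh"):
    """Pick the login shell returned to NSS clients for one user.

    Arguments mirror the sssd.conf option names; vetoed_shells and
    allowed_shells are the raw comma-separated strings, None when unset.
    Returns None when the provider gave no shell and default_shell is unset,
    leaving libc to substitute something (usually /bin/sh).
    """
    vetoed = parse_list(vetoed_shells) or []
    allowed = parse_list(allowed_shells)

    # override_shell supersedes every other shell option.
    if override_shell is not None:
        return override_shell

    # Provider returned no shell: default_shell, else None for libc.
    if provider_shell is None:
        return default_shell

    # Assumption: vetoed shells are swapped for shell_fallback before the
    # allowed_shells evaluation runs.
    if provider_shell in vetoed:
        return shell_fallback

    # An empty string is passed as-is to libc.
    if provider_shell == "":
        return ""

    # allowed_shells not set: the user's shell is used automatically.
    if allowed is None:
        return provider_shell

    # 1. Present in /etc/shells: used.
    if provider_shell in etc_shells:
        return provider_shell
    # 2. Allowed (explicitly or via the * wildcard) but not installed:
    #    shell_fallback.
    if "*" in allowed or provider_shell in allowed:
        return shell_fallback
    # 3. Neither allowed nor installed: a nologin shell.
    return NOLOGIN_SHELL


if __name__ == "__main__":
    installed = parse_etc_shells(SAMPLE_ETC_SHELLS)
    for shell in ("/bin/bash", "/usr/bin/fish", "/usr/bin/tcsh", "", None):
        print(repr(shell), "->", resolve_shell(
            shell, installed, allowed_shells="/bin/bash, /usr/bin/fish",
            default_shell="/bin/bash"))
```

Because /etc/shells is read once at start-up, `installed` in the main block stands in for the snapshot SSSD holds; installing a new shell changes the result only after a restart, exactly as the note above says.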
 1064                 <varlistentry>
 1065                     <term>get_domains_timeout (int)</term>
 1066                     <listitem>
 1067                         <para>
 1068                             Specifies time in seconds for which the list of
 1069                             subdomains will be considered valid.
 1070                         </para>
 1071                         <para>
 1072                             Default: 60
 1073                         </para>
 1074                     </listitem>
 1075                 </varlistentry>
 1076                 <varlistentry>
 1077                     <term>memcache_timeout (integer)</term>
 1078                     <listitem>
 1079                         <para>
 1080                             Specifies time in seconds for which records
 1081                             in the in-memory cache will be valid. Setting this
 1082                             option to zero will disable the in-memory cache.
 1083                         </para>
 1084                         <para>
 1085                             Default: 300
 1086                         </para>
 1087                         <para>
 1088                             WARNING: Disabling the in-memory cache will
 1089                             have a significant negative impact on SSSD's
 1090                             performance and should only be done for
 1091                             testing.
 1092                         </para>
 1093                         <para>
 1094                             NOTE: If the environment variable
 1095                             SSS_NSS_USE_MEMCACHE is set to "NO", client
 1096                             applications will not use the fast in-memory
 1097                             cache.
 1098                         </para>
 1099                     </listitem>
 1100                 </varlistentry>
 1101                 <varlistentry>
 1102                     <term>memcache_size_passwd (integer)</term>
 1103                     <listitem>
 1104                         <para>
 1105                             Size (in megabytes) of the data table allocated inside
 1106                             fast in-memory cache for passwd requests.
 1107                             Setting the size to 0 will disable the passwd
 1108                             in-memory cache.
 1109                         </para>
 1110                         <para>
 1111                             Default: 8
 1112                         </para>
 1113                         <para>
 1114                             WARNING: A disabled or too-small in-memory cache can
 1115                             have a significant negative impact on SSSD's
 1116                             performance.
 1117                         </para>
 1118                         <para>
 1119                             NOTE: If the environment variable
 1120                             SSS_NSS_USE_MEMCACHE is set to "NO", client
 1121                             applications will not use the fast in-memory
 1122                             cache.
 1123                         </para>
 1124                     </listitem>
 1125                 </varlistentry>
 1126                 <varlistentry>
 1127                     <term>memcache_size_group (integer)</term>
 1128                     <listitem>
 1129                         <para>
 1130                             Size (in megabytes) of the data table allocated inside
 1131                             fast in-memory cache for group requests.
 1132                             Setting the size to 0 will disable the group
 1133                             in-memory cache.
 1134                         </para>
 1135                         <para>
 1136                             Default: 6
 1137                         </para>
 1138                         <para>
 1139                             WARNING: Disabled or too small in-memory cache can
 1140                             have significant negative impact on SSSD's
 1141                             performance.
 1142                         </para>
 1143                         <para>
 1144                             NOTE: If the environment variable
 1145                             SSS_NSS_USE_MEMCACHE is set to "NO", client
 1146                             applications will not use the fast in-memory
 1147                             cache.
 1148                         </para>
 1149                     </listitem>
 1150                 </varlistentry>
 1151                 <varlistentry>
 1152                     <term>memcache_size_initgroups (integer)</term>
 1153                     <listitem>
 1154                         <para>
 1155                             Size (in megabytes) of the data table allocated inside
 1156                             fast in-memory cache for initgroups requests.
 1157                             Setting the size to 0 will disable the initgroups
 1158                             in-memory cache.
 1159                         </para>
 1160                         <para>
 1161                             Default: 10
 1162                         </para>
 1163                         <para>
 1164                             WARNING: Disabled or too small in-memory cache can
 1165                             have significant negative impact on SSSD's
 1166                             performance.
 1167                         </para>
 1168                         <para>
 1169                             NOTE: If the environment variable
 1170                             SSS_NSS_USE_MEMCACHE is set to "NO", client
 1171                             applications will not use the fast in-memory
 1172                             cache.
 1173                         </para>
 1174                     </listitem>
 1175                 </varlistentry>
 1176                 <varlistentry>
 1177                     <term>user_attributes (string)</term>
 1178                     <listitem>
 1179                         <para>
 1180                             Some of the additional NSS responder requests can
 1181                             return more attributes than just the POSIX ones
 1182                             defined by the NSS interface. The list of attributes
 1183                             is controlled by this option. It is handled the same
 1184                             way as the <quote>user_attributes</quote> option of
 1185                             the InfoPipe responder (see
 1186                             <citerefentry>
 1187                                 <refentrytitle>sssd-ifp</refentrytitle>
 1188                                 <manvolnum>5</manvolnum>
 1189                             </citerefentry>
 1190                             for details) but with no default values.
 1191                         </para>
 1192                         <para>
 1193                             To make configuration easier, the NSS responder
 1194                             falls back to the InfoPipe option if this option
 1195                             is not set for the NSS responder.
 1196                         </para>
 1197                         <para>
 1198                             Default: not set, fallback to InfoPipe option
 1199                         </para>
 1200                     </listitem>
 1201                 </varlistentry>
 1202                 <varlistentry>
 1203                     <term>pwfield (string)</term>
 1204                     <listitem>
 1205                         <para>
 1206                             The value that NSS operations returning users or
 1207                             groups will return for the
 1208                             <quote>password</quote> field.
 1209                         </para>
 1210                         <para>
 1211                             Default: <quote>*</quote>
 1212                         </para>
 1213                         <para>
 1214                             Note: This option can also be set per domain, which
 1215                             overrides the value in the [nss] section.
 1216                         </para>
 1217                         <para>
 1218                             Default: <quote>not set</quote> (remote domains),
 1219                             <quote>x</quote> (the files domain),
 1220                             <quote>x</quote> (proxy domain with nss_files
 1221                             and sssd-shadowutils target)
 1222                         </para>
 1223                     </listitem>
 1224                 </varlistentry>
 1225             </variablelist>
 1226         </refsect2>
 1227         <refsect2 id='PAM'>
 1228             <title>PAM configuration options</title>
 1229             <para>
 1230                 These options can be used to configure the
 1231                 Pluggable Authentication Module (PAM) service.
 1232             </para>
 1233             <variablelist>
 1234                 <varlistentry>
 1235                     <term>offline_credentials_expiration (integer)</term>
 1236                     <listitem>
 1237                         <para>
 1238                             If the authentication provider is offline, how
 1239                             long should we allow cached logins (in days since
 1240                             the last successful online login).
 1241                         </para>
 1242                         <para>
 1243                             Default: 0 (No limit)
 1244                         </para>
 1245                     </listitem>
 1246                 </varlistentry>
 1247 
 1248                 <varlistentry>
 1249                     <term>offline_failed_login_attempts (integer)</term>
 1250                     <listitem>
 1251                         <para>
 1252                             If the authentication provider is offline, how
 1253                             many failed login attempts are allowed.
 1254                         </para>
 1255                         <para>
 1256                             Default: 0 (No limit)
 1257                         </para>
 1258                     </listitem>
 1259                 </varlistentry>
 1260 
 1261                 <varlistentry>
 1262                     <term>offline_failed_login_delay (integer)</term>
 1263                     <listitem>
 1264                         <para>
 1265                             The time in minutes which has to pass after
 1266                             offline_failed_login_attempts has been reached
 1267                             before a new login attempt is possible.
 1268                         </para>
 1269                         <para>
 1270                             If set to 0, the user cannot authenticate offline once
 1271                             offline_failed_login_attempts has been reached. Only
 1272                             a successful online authentication can enable
 1273                             offline authentication again.
 1274                         </para>
 1275                         <para>
 1276                             Default: 5
 1277                         </para>
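                        <para>
                            The interplay of offline_credentials_expiration,
                            offline_failed_login_attempts and
                            offline_failed_login_delay described above, as an
                            added Python example that is not sssd's own
                            implementation. It assumes the last online login
                            time and the failed-attempt state sssd keeps in its
                            cache are plain fields on an in-memory record, and
                            that once the delay has elapsed one new attempt is
                            permitted, with a further failure re-arming the delay.
                        </para>
                        <programlisting>
```python
"""Cached (offline) login policy implied by offline_credentials_expiration,
offline_failed_login_attempts and offline_failed_login_delay. Added example,
not sssd's own implementation.

Assumptions: the last successful online login and the failed-attempt state
that sssd keeps in its cache are plain fields on an in-memory record here,
and once the delay has elapsed one new attempt is permitted, with a further
failure re-arming the delay.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class OfflinePolicy:
    credentials_expiration_days: int = 0   # 0 = no limit (the default)
    failed_login_attempts: int = 0         # 0 = no limit (the default)
    failed_login_delay_minutes: int = 5    # 0 = locked until online auth


@dataclass
class CachedUser:
    last_online_login: datetime
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None


def check_offline_login(policy: OfflinePolicy, user: CachedUser,
                        now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for an offline login attempt at `now`.

    allowed=True only means the lockout and expiry rules pass; the caller
    still has to verify the supplied password against the cached hash.
    """
    if policy.credentials_expiration_days > 0:
        age = now - user.last_online_login
        if age > timedelta(days=policy.credentials_expiration_days):
            return False, "cached credentials expired"
    limit = policy.failed_login_attempts
    if limit > 0 and user.failed_attempts >= limit and user.last_failure is not None:
        if policy.failed_login_delay_minutes == 0:
            # Delay 0: stays locked until an online authentication succeeds.
            return False, "locked until next successful online login"
        unlock_at = user.last_failure + timedelta(
            minutes=policy.failed_login_delay_minutes)
        if unlock_at > now:
            return False, "login delayed by offline_failed_login_delay"
    return True, "offline login permitted"


def record_failure(user: CachedUser, now: datetime) -> None:
    """Count a failed offline attempt; the timestamp drives the delay."""
    user.failed_attempts += 1
    user.last_failure = now


def record_online_success(user: CachedUser, now: datetime) -> None:
    """A successful online login clears the counter and restarts expiry."""
    user.failed_attempts = 0
    user.last_failure = None
    user.last_online_login = now


if __name__ == "__main__":
    # Constructed sample: 30-day expiry, lock after 3 failures for 5 minutes.
    policy = OfflinePolicy(30, 3, 5)
    now = datetime(2021, 2, 19, 12, 0, 0)
    user = CachedUser(last_online_login=now - timedelta(days=1))
    for _ in range(3):
        record_failure(user, now)
    print(check_offline_login(policy, user, now + timedelta(minutes=1)))
    print(check_offline_login(policy, user, now + timedelta(minutes=6)))
```
                        </programlisting>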
 1278                     </listitem>
 1279                 </varlistentry>
 1280 
 1281                 <varlistentry>
 1282                     <term>pam_verbosity (integer)</term>
 1283                     <listitem>
 1284                         <para>
 1285                             Controls what kind of messages are shown to the user
 1286                             during authentication. The higher the number, the more
 1287                             messages are displayed.
 1288                         </para>
 1289                         <para>
 1290                              Currently sssd supports the following values:
 1291                         </para>
 1292                         <para>
 1293                              <emphasis>0</emphasis>: do not show any message
 1294                         </para>
 1295                         <para>
 1296                              <emphasis>1</emphasis>: show only important
 1297                              messages
 1298                         </para>
 1299                         <para>
 1300                              <emphasis>2</emphasis>: show informational messages
 1301                         </para>
 1302                         <para>
 1303                              <emphasis>3</emphasis>: show all messages and debug
 1304                              information
 1305                         </para>
 1306                         <para>
 1307                             Default: 1
 1308                         </para>
 1309                     </listitem>
 1310                 </varlistentry>
 1311 
 1312                 <varlistentry>
 1313                     <term>pam_response_filter (string)</term>
 1314                     <listitem>
 1315                         <para>
 1316                             A comma-separated list of strings which allows
 1317                             removing (filtering) data sent by the PAM responder to
 1318                             the pam_sss PAM module. There are different kinds of
 1319                             responses sent to pam_sss, e.g. messages displayed to
 1320                             the user or environment variables which should be
 1321                             set by pam_sss.
 1322                         </para>
 1323                         <para>
 1324                             While messages can already be controlled with the
 1325                             pam_verbosity option, this option allows filtering
 1326                             out other kinds of responses as well.
 1327                         </para>
 1328                         <para>
 1329                             Currently the following filters are supported:
 1330                             <variablelist>
 1331                                 <varlistentry><term>ENV</term>
 1332                                     <listitem><para>Do not send any environment
 1333                                     variables to any service.</para></listitem>
 1334                                 </varlistentry>
 1335                                 <varlistentry><term>ENV:var_name</term>
 1336                                     <listitem><para>Do not send environment
 1337                                     variable var_name to any
 1338                                     service.</para></listitem>
 1339                                 </varlistentry>
 1340                                 <varlistentry><term>ENV:var_name:service</term>
 1341                                     <listitem><para>Do not send environment
 1342                                     variable var_name to
 1343                                     service.</para></listitem>
 1344                                 </varlistentry>
 1345                             </variablelist>
 1346                         </para>
 1347                         <para>
 1348                             Default: not set
 1349                         </para>
 1350                         <para>
 1351                             Example: ENV:KRB5CCNAME:sudo-i
 1352                         </para>
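                        <para>
                            The three ENV filter forms worked through in Python,
                            as an added example that is not code from sssd: it
                            parses a pam_response_filter value and decides which
                            environment variables the PAM responder would still
                            send to pam_sss for a given PAM service. The
                            environment values in it are constructed.
                        </para>
                        <programlisting>
```python
"""Evaluate pam_response_filter rules for environment-variable responses.

This is an added example, not sssd's own code. It models the three filter
forms documented for sssd.conf:
  ENV                   drop every environment variable for every service
  ENV:var_name          drop var_name for every service
  ENV:var_name:service  drop var_name only for the named PAM service
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EnvFilter:
    var_name: Optional[str]   # None matches every variable
    service: Optional[str]    # None matches every PAM service

    def matches(self, var_name: str, service: str) -> bool:
        var_ok = self.var_name is None or self.var_name == var_name
        svc_ok = self.service is None or self.service == service
        return var_ok and svc_ok


def parse_pam_response_filter(value: str) -> List[EnvFilter]:
    """Parse the comma-separated option value into EnvFilter rules.

    Anything other than the documented ENV forms raises ValueError so a
    typo in the configuration is noticed instead of silently ignored.
    """
    rules: List[EnvFilter] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or "" in parts:
            raise ValueError(f"unsupported pam_response_filter entry: {item!r}")
        var_name = parts[1] if len(parts) >= 2 else None
        service = parts[2] if len(parts) == 3 else None
        rules.append(EnvFilter(var_name, service))
    return rules


def filter_env_responses(env: Dict[str, str], service: str,
                         rules: List[EnvFilter]) -> Dict[str, str]:
    """Return the variables the PAM responder would still send to pam_sss
    for a conversation with the given PAM service."""
    return {name: value for name, value in env.items()
            if not any(rule.matches(name, service) for rule in rules)}


if __name__ == "__main__":
    # Constructed sample: a credential-cache variable plus an unrelated one.
    env = {"KRB5CCNAME": "KCM:", "EXAMPLE_VAR": "1"}
    rules = parse_pam_response_filter("ENV:KRB5CCNAME:sudo-i")
    print(filter_env_responses(env, "sudo-i", rules))   # KRB5CCNAME dropped
    print(filter_env_responses(env, "sshd", rules))     # both variables kept
```
                        </programlisting>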
 1353                     </listitem>
 1354                 </varlistentry>
 1355 
 1356                 <varlistentry>
 1357                   <term>pam_id_timeout (integer)</term>
 1358                   <listitem>
 1359                     <para>
 1360                       For any PAM request while SSSD is online, the SSSD will
 1361                       attempt to immediately update the cached identity
 1362                       information for the user in order to ensure that
 1363                       authentication takes place with the latest information.
 1364                     </para>
 1365                     <para>
 1366                       A complete PAM conversation may perform multiple PAM
 1367                       requests, such as account management and session
 1368                       opening. This option controls (on a
 1369                       per-client-application basis) how long (in seconds) we
 1370                       can cache the identity information to avoid excessive
 1371                       round-trips to the identity provider.
 1372                     </para>
 1373                     <para>
 1374                       Default: 5
 1375                     </para>
 1376                   </listitem>
 1377                 </varlistentry>
 1378 
 1379                 <varlistentry>
 1380                   <term>pam_pwd_expiration_warning (integer)</term>
 1381                   <listitem>
 1382                     <para>
 1383                       Display a warning N days before the password expires.
 1384                     </para>
 1385                     <para>
 1386                       Please note that the backend server has to provide
 1387                       information about the expiration time of the password.
 1388                       If this information is missing, sssd cannot display a
 1389                       warning.
 1390                     </para>
 1391                     <para>
 1392                       If zero is set, then this filter is not applied,
 1393                       i.e. if the expiration warning was received from
 1394                       backend server, it will automatically be displayed.
 1395                     </para>
 1396                     <para>
 1397                       This setting can be overridden by setting
 1398                       <emphasis>pwd_expiration_warning</emphasis>
 1399                       for a particular domain.
 1400                     </para>
 1401                     <para>
 1402                       Default: 0
 1403                     </para>
 1404                   </listitem>
 1405                 </varlistentry>
 1406                 <varlistentry>
 1407                     <term>get_domains_timeout (int)</term>
 1408                     <listitem>
 1409                         <para>
 1410                             Specifies the time in seconds for which the list of
 1411                             subdomains will be considered valid.
 1412                         </para>
 1413                         <para>
 1414                             Default: 60
 1415                         </para>
 1416                     </listitem>
 1417                 </varlistentry>
 1418                 <varlistentry>
 1419                     <term>pam_trusted_users (string)</term>
 1420                     <listitem>
 1421                         <para>
 1422                             Specifies the comma-separated list of UID
 1423                             values or user names that are allowed to run
 1424                             PAM conversations against trusted domains.
 1425                             Users not included in this list can only access
 1426                             domains marked as public with
 1427                             <quote>pam_public_domains</quote>.
 1428                             User names are resolved to UIDs at
 1429                             startup.
 1430                         </para>
 1431                         <para>
 1432                             Default: All users are considered trusted
 1433                             by default
 1434                         </para>
 1435                         <para>
 1436                             Please note that UID 0 is always allowed to access
 1437                             the PAM responder even in case it is not in the
 1438                             pam_trusted_users list.
 1439                         </para>
 1440                     </listitem>
 1441                 </varlistentry>
 1442                 <varlistentry>
 1443                     <term>pam_public_domains (string)</term>
 1444                     <listitem>
 1445                         <para>
 1446                             Specifies the comma-separated list of domain names
 1447                             that are accessible even to untrusted users.
 1448                         </para>
 1449                         <para>
 1450                             Two special values for pam_public_domains option
 1451                             are defined:
 1452                         </para>
 1453                         <para>
 1454                             all (Untrusted users are allowed to access
 1455                             all domains in the PAM responder.)
 1456                         </para>
 1457                         <para>
 1458                             none (Untrusted users are not allowed to access
 1459                             any domains in the PAM responder.)
 1460                         </para>
 1461                         <para>
 1462                             Default: none
 1463                         </para>
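                        <para>
                            The access rule that pam_trusted_users and
                            pam_public_domains define together, as an added
                            Python example that is not sssd's implementation.
                            It assumes that user names in pam_trusted_users are
                            resolved through a caller-supplied table standing in
                            for the NSS lookup sssd performs at startup, that
                            names which cannot be resolved are reported and
                            skipped, and that domain names compare
                            case-insensitively.
                        </para>
                        <programlisting>
```python
"""Access decision of the PAM responder from pam_trusted_users and
pam_public_domains. Added example, not sssd's implementation.

Assumptions: user names listed in pam_trusted_users are resolved with a
caller-supplied table that stands in for the NSS lookup sssd does at
startup; unresolvable names are recorded and skipped; domain names are
compared case-insensitively.
"""
from typing import Dict, Optional, Set, Tuple


class PamDomainAccess:
    def __init__(self, trusted_users: Optional[str], public_domains: str,
                 name_to_uid: Dict[str, int]) -> None:
        # pam_trusted_users unset: every user is trusted (the default).
        self.everyone_trusted = trusted_users is None
        # UID 0 is always allowed, even when it is not listed.
        self.trusted_uids: Set[int] = {0}
        self.unresolved: Set[str] = set()
        for item in (trusted_users or "").split(","):
            item = item.strip()
            if not item:
                continue
            if item.isdigit():
                self.trusted_uids.add(int(item))
            elif item in name_to_uid:
                self.trusted_uids.add(name_to_uid[item])
            else:
                self.unresolved.add(item)   # cannot be trusted by name
        # pam_public_domains: "all", "none" or a list of domain names.
        value = public_domains.strip()
        self.public_all = value == "all"
        self.public_domains: Set[str] = set()
        if value not in ("all", "none"):
            self.public_domains = {d.strip().lower()
                                   for d in value.split(",") if d.strip()}

    def is_trusted(self, uid: int) -> bool:
        return self.everyone_trusted or uid in self.trusted_uids

    def check(self, uid: int, domain: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a PAM request from uid against domain."""
        if self.is_trusted(uid):
            return True, "trusted user"
        if self.public_all or domain.lower() in self.public_domains:
            return True, "public domain"
        return False, "untrusted user and domain is not public"


if __name__ == "__main__":
    # Constructed sample: only sshd (UID 74 in the stand-in table) and UID 1000
    # may talk to trusted domains; no domain is public.
    acl = PamDomainAccess("sshd, 1000", "none", {"sshd": 74})
    for uid in (0, 74, 1000, 1001):
        print(uid, acl.check(uid, "corp.example"))
```
                        </programlisting>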
 1464                     </listitem>
 1465                 </varlistentry>
 1466                 <varlistentry>
 1467                     <term>pam_account_expired_message (string)</term>
 1468                     <listitem>
 1469                         <para>
 1470                            Allows a custom expiration message to be set,
 1471                            replacing the default 'Permission denied'
 1472                            message.
 1473                         </para>
 1474                         <para>
 1475                             Note: Please be aware that this message is only
 1476                             printed for the SSH service unless pam_verbosity
 1477                             is set to 3 (show all messages and debug
 1478                             information).
 1479                         </para>
 1480                         <para>
 1481                             Example:
 1482                             <programlisting>
 1483 pam_account_expired_message = Account expired, please contact help desk.
 1484                             </programlisting>
 1485                         </para>
 1486                         <para>
 1487                             Default: none
 1488                         </para>
 1489                     </listitem>
 1490                 </varlistentry>
 1491                 <varlistentry>
 1492                     <term>pam_account_locked_message (string)</term>
 1493                     <listitem>
 1494                         <para>
 1495                            Allows a custom lockout message to be set,
 1496                            replacing the default 'Permission denied'
 1497                            message.
 1498                         </para>
 1499                         <para>
 1500                             Example:
 1501                             <programlisting>
 1502 pam_account_locked_message = Account locked, please contact help desk.
 1503                             </programlisting>
 1504                         </para>
 1505                         <para>
 1506                             Default: none
 1507                         </para>
 1508                     </listitem>
 1509                 </varlistentry>
 1510                 <varlistentry>
 1511                     <term>pam_cert_auth (bool)</term>
 1512                     <listitem>
 1513                         <para>
 1514                             Enable certificate based Smartcard authentication.
 1515                             Since this requires additional communication with
 1516                             the Smartcard, which delays the authentication
 1517                             process, this option is disabled by default.
 1518                         </para>
 1519                         <para>
 1520                             Default: False
 1521                         </para>
 1522                     </listitem>
 1523                 </varlistentry>
 1524                 <varlistentry>
 1525                     <term>pam_cert_db_path (string)</term>
 1526                     <listitem>
 1527                         <para>
 1528                             The path to the certificate database.
 1529                         </para>
 1530                         <para>
 1531                             Default:
 1532                             <itemizedlist>
 1533                                 <listitem><para>/etc/sssd/pki/sssd_auth_ca_db.pem
 1534                                                 (path to a file with trusted CA
 1535                                                 certificates in PEM format)
 1536                                           </para>
 1537                                 </listitem>
 1538                             </itemizedlist>
 1539                         </para>
 1540                     </listitem>
 1541                 </varlistentry>
 1542                 <varlistentry>
 1543                     <term>p11_child_timeout (integer)</term>
 1544                     <listitem>
 1545                         <para>
 1546                             How many seconds pam_sss will wait for
 1547                             p11_child to finish.
 1548                         </para>
 1549                         <para>
 1550                             Default: 10
 1551                         </para>
 1552                     </listitem>
 1553                 </varlistentry>
 1554                 <varlistentry>
 1555                     <term>pam_app_services (string)</term>
 1556                     <listitem>
 1557                         <para>
 1558                             Which PAM services are permitted to contact
 1559                             domains of type <quote>application</quote>.
 1560                         </para>
 1561                         <para>
 1562                             Default: Not set
 1563                         </para>
 1564                     </listitem>
 1565                 </varlistentry>
 1566                 <varlistentry>
 1567                     <term>pam_p11_allowed_services (string)</term>
 1568                     <listitem>
 1569                         <para>
 1570                             A comma-separated list of PAM service names for
 1571                             which Smartcard authentication is allowed.
 1572                         </para>
 1573                         <para>
 1574                             It is possible to add another PAM service name to
 1575                             the default set by using
 1576                             <quote>+service_name</quote> or to explicitly
 1577                             remove a PAM service name from the default set by
 1578                             using <quote>-service_name</quote>. For example,
 1579                             in order to replace a default PAM service name for
 1580                             authentication with Smartcards
 1581                             (e.g. <quote>login</quote>) with a custom PAM
 1582                             service name (e.g. <quote>my_pam_service</quote>),
 1583                             you would use the following configuration:
 1584                             <programlisting>
 1585 pam_p11_allowed_services = +my_pam_service, -login
 1586                             </programlisting>
 1587                         </para>
 1588                         <para>
 1589                             Default: the default set of PAM service names
 1590                             includes:
 1591                             <itemizedlist>
 1592                                 <listitem>
 1593                                     <para>
 1594                                         login
 1595                                     </para>
 1596                                 </listitem>
 1597                                 <listitem>
 1598                                     <para>
 1599                                         su
 1600                                     </para>
 1601                                 </listitem>
 1602                                 <listitem>
 1603                                     <para>
 1604                                         su-l
 1605                                     </para>
 1606                                 </listitem>
 1607                                 <listitem>
 1608                                     <para>
 1609                                         gdm-smartcard
 1610                                     </para>
 1611                                 </listitem>
 1612                                 <listitem>
 1613                                     <para>
 1614                                         gdm-password
 1615                                     </para>
 1616                                 </listitem>
 1617                                 <listitem>
 1618                                     <para>
 1619                                         kdm
 1620                                     </para>
 1621                                 </listitem>
 1622                                 <listitem>
 1623                                     <para>
 1624                                         sudo
 1625                                     </para>
 1626                                 </listitem>
 1627                                 <listitem>
 1628                                     <para>
 1629                                         sudo-i
 1630                                     </para>
 1631                                 </listitem>
 1632                                 <listitem>
 1633                                     <para>
 1634                                         gnome-screensaver
 1635                                     </para>
 1636                                 </listitem>
 1637                             </itemizedlist>
 1638                         </para>
 1639                     </listitem>
 1640                 </varlistentry>
 1641                 <varlistentry>
 1642                     <term>p11_wait_for_card_timeout (integer)</term>
 1643                     <listitem>
 1644                         <para>
 1645                             If Smartcard authentication is required, how many
 1646                             extra seconds, in addition to p11_child_timeout,
 1647                             the PAM responder should wait for a Smartcard to be
 1648                             inserted.
 1649                         </para>
 1650                         <para>
 1651                             Default: 60
 1652                         </para>
 1653                     </listitem>
 1654                 </varlistentry>
 1655                 <varlistentry>
 1656                     <term>p11_uri (string)</term>
 1657                     <listitem>
 1658                         <para>
 1659                             PKCS#11 URI (see RFC-7512 for details) which can be
 1660                             used to restrict the selection of devices used for
 1661                             Smartcard authentication. By default SSSD's
 1662                             p11_child will search for a PKCS#11 slot (reader)
 1663                             where the 'removable' flag is set and read the
 1664                             certificates from the token inserted in the first
 1665                             slot found. If multiple readers are connected,
 1666                             p11_uri can be used to tell p11_child to use a
 1667                             specific reader.
 1668                         </para>
 1669                         <para>
 1670                             Example:
 1671                             <programlisting>
 1672 p11_uri = slot-description=My%20Smartcard%20Reader
 1673                             </programlisting>
 1674                             or
 1675                             <programlisting>
 1676 p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
 1677                             </programlisting>
 1678                             To find a suitable URI, check the debug output
 1679                             of p11_child. Alternatively, the GnuTLS utility
 1680                             'p11tool' (e.g. with the '--list-all' option) will
 1681                             show PKCS#11 URIs as well.
 1682                         </para>
 1683                         <para>
 1684                             Default: none
 1685                         </para>
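                        <para>
                            The reader selection described above, as an added
                            Python example that is not sssd's p11_child: it
                            parses the path attributes of a p11_uri value and
                            picks the matching slot from a constructed slot
                            list, falling back to the first slot with the
                            'removable' flag when no URI is configured. It
                            assumes the URI is accepted with or without the
                            "pkcs11:" scheme prefix.
                        </para>
                        <programlisting>
```python
"""Select a PKCS#11 slot with a p11_uri-style filter. Added example, not
sssd's p11_child.

Assumptions: slots are modelled as plain dicts keyed by the path-attribute
names RFC 7512 defines (slot-id, slot-description, library-description,
...); the URI is accepted with or without the "pkcs11:" scheme prefix; with
no URI the first slot whose 'removable' flag is set is chosen, matching the
default behaviour the man page describes.
"""
from typing import Dict, List, Optional
from urllib.parse import unquote

Slot = Dict[str, object]

# Constructed sample slot list, in the order a PKCS#11 module might report it.
SAMPLE_SLOTS: List[Slot] = [
    {"slot-id": 0, "slot-description": "Internal virtual slot",
     "library-description": "OpenSC smartcard framework", "removable": False},
    {"slot-id": 1, "slot-description": "My Smartcard Reader",
     "library-description": "OpenSC smartcard framework", "removable": True},
    {"slot-id": 2, "slot-description": "Second Reader",
     "library-description": "OpenSC smartcard framework", "removable": True},
]


def parse_p11_uri(uri: str) -> Dict[str, str]:
    """Parse the path attributes of a PKCS#11 URI into a dict.

    Only the path component matters for reader selection; a query part
    (after '?') is ignored here. Percent-encoding is decoded, so
    'My%20Smartcard%20Reader' becomes 'My Smartcard Reader'.
    """
    if uri.startswith("pkcs11:"):
        uri = uri[len("pkcs11:"):]
    path = uri.split("?", 1)[0]
    attrs: Dict[str, str] = {}
    for part in path.split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed PKCS#11 URI attribute: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip()] = unquote(value)
    return attrs


def select_slot(slots: List[Slot], uri: Optional[str]) -> Optional[Slot]:
    """Return the first slot matching every attribute in the URI.

    With no URI configured, return the first slot flagged 'removable', or
    None when no such slot exists.
    """
    if not uri:
        for slot in slots:
            if slot.get("removable"):
                return slot
        return None
    wanted = parse_p11_uri(uri)
    for slot in slots:
        # Compare as strings so numeric attributes such as slot-id match.
        if all(str(slot.get(key)) == value for key, value in wanted.items()):
            return slot
    return None


if __name__ == "__main__":
    for uri in (None,
                "slot-description=My%20Smartcard%20Reader",
                "library-description=OpenSC%20smartcard%20framework;slot-id=2"):
        print(uri, "->", select_slot(SAMPLE_SLOTS, uri))
```
                        </programlisting>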
 1686                     </listitem>
 1687                 </varlistentry>
 1688                 <varlistentry>
 1689                     <term>pam_initgroups_scheme</term>
 1690                     <listitem>
 1691                         <para>
 1692                             The PAM responder can force an online lookup to get
 1693                             the current group memberships of the user trying to
 1694                             log in. This option controls when this should be
 1695                             done and the following values are allowed:
 1696                             <variablelist>
 1697                             <varlistentry><term>always</term>
 1698                                 <listitem><para>Always do an online lookup;
 1699                                 note that pam_id_timeout still
 1700                                 applies</para></listitem>
 1701                             </varlistentry>
 1702                             <varlistentry><term>no_session</term>
 1703                                 <listitem><para>Only do an online
 1704                                 lookup if there is no active session of the
 1705                                 user, i.e. if the user is currently not logged
 1706                                 in</para></listitem>
 1707                             </varlistentry>
 1708                             <varlistentry><term>never</term>
 1709                                 <listitem><para>Never force an online lookup;
 1710                                 use the data from the cache as long as it has
 1711                                 not expired</para></listitem>
 1712                             </varlistentry>
 1713                             </variablelist>
 1714                         </para>
 1715                         <para>
 1716                             Default: no_session
 1717                         </para>
 1718                     </listitem>
 1719                 </varlistentry>
 1720                 <varlistentry>
 1721                     <term>pam_gssapi_services</term>
 1722                     <listitem>
 1723                         <para>
 1724                             Comma-separated list of PAM services that are
 1725                             allowed to try GSSAPI authentication using the
 1726                             pam_sss_gss.so module.
 1727                         </para>
 1728                         <para>
 1729                             To disable GSSAPI authentication, set this option
 1730                             to <quote>-</quote> (dash).
 1731                         </para>
 1732                         <para>
 1733                             Note: This option can also be set per-domain which
 1734                             overwrites the value in [pam] section. It can also
 1735                             be set for trusted domain which overwrites the value
 1736                             in the domain section.
 1737                         </para>
 1738                         <para>
 1739                             Example:
 1740                             <programlisting>
 1741 pam_gssapi_services = sudo, sudo-i
 1742                             </programlisting>
 1743                         </para>
 1744                         <para>
 1745                             Default: - (GSSAPI authentication is disabled)
 1746                         </para>
 1747                     </listitem>
 1748                 </varlistentry>
 1749                 <varlistentry>
 1750                     <term>pam_gssapi_check_upn</term>
 1751                     <listitem>
 1752                         <para>
 1753                             If True, SSSD will require that the Kerberos user
 1754                             principal that successfully authenticated through
 1755                             GSSAPI can be associated with the user who is being
 1756                             authenticated. Authentication will fail if the check
 1757                             fails.
 1758                         </para>
 1759                         <para>
  1760                             If False, every user that is able to obtain the
  1761                             required service ticket will be authenticated.
 1762                         </para>
 1763                         <para>
 1764                             Note: This option can also be set per-domain which
 1765                             overwrites the value in [pam] section. It can also
 1766                             be set for trusted domain which overwrites the value
 1767                             in the domain section.
 1768                         </para>
 1769                         <para>
 1770                             Default: True
 1771                         </para>
 1772                     </listitem>
 1773                 </varlistentry>
 1774                 <varlistentry>
 1775                     <term>pam_gssapi_indicators_map</term>
 1776                     <listitem>
 1777                         <para>
 1778                            Comma separated list of authentication indicators required
 1779                            to be present in a Kerberos ticket to access a PAM service
 1780                            that is allowed to try GSSAPI authentication using
 1781                            pam_sss_gss.so module.
 1782                         </para>
 1783                         <para>
 1784                            Each element of the list can be either an authentication indicator
 1785                            name or a pair <quote>service:indicator</quote>. Indicators not
 1786                            prefixed with the PAM service name will be required to access any
 1787                            PAM service configured to be used with
 1788                            <option>pam_gssapi_services</option>. A resulting list of indicators
 1789                            per PAM service is then checked against indicators in the Kerberos
 1790                            ticket during authentication by pam_sss_gss.so. Any indicator from the
 1791                            ticket that matches the resulting list of indicators for the PAM service
 1792                            would grant access. If none of the indicators in the list match, access
 1793                            will be denied. If the resulting list of indicators for the PAM service
 1794                            is empty, the check will not prevent the access.
 1795                         </para>
 1796                         <para>
 1797                            To disable GSSAPI authentication indicator check, set this option
 1798                            to <quote>-</quote> (dash). To disable the check for a specific PAM
 1799                            service, add <quote>service:-</quote>.
 1800                         </para>
 1801                         <para>
 1802                            Note: This option can also be set per-domain which
 1803                            overwrites the value in [pam] section. It can also
 1804                            be set for trusted domain which overwrites the value
 1805                            in the domain section.
 1806                         </para>
 1807                         <para>
  1808                             The following authentication indicators are supported by IPA Kerberos deployments:
 1809                             <itemizedlist>
 1810                                 <listitem>
 1811                                     <para>pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards.</para>
 1812                                 </listitem>
 1813                                 <listitem>
 1814                                     <para>hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel.</para>
 1815                                 </listitem>
 1816                                 <listitem>
 1817                                     <para>radius -- pre-authentication with the help of a RADIUS server.</para>
 1818                                 </listitem>
 1819                                 <listitem>
 1820                                     <para>otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA.</para>
 1821                                 </listitem>
 1822                             </itemizedlist>
 1823                         </para>
 1824                         <para>
  1825                             Example: to restrict access to SUDO services to
  1826                             users who obtained their Kerberos tickets
  1827                             with X.509 certificate pre-authentication
  1828                             (PKINIT), set
  1829                             <programlisting>
 1830 pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
 1831                             </programlisting>
 1832                         </para>
 1833                         <para>
 1834                             Default: not set (use of authentication indicators is not required)
 1835                         </para>
 1836                     </listitem>
 1837                 </varlistentry>
 1838             </variablelist>
 1839         </refsect2>
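The resolution rules for pam_gssapi_services and pam_gssapi_indicators_map above (unprefixed indicators apply to every listed service, "service:indicator" to one service, "-" and "service:-" disable the check, an empty resulting list does not prevent access, any single matching indicator grants access) can be checked with the following model. This is an added example, not SSSD's or pam_sss_gss.so's own code; the configuration values and ticket indicators it uses are constructed sample data.

```python
"""Resolve and apply pam_gssapi_services / pam_gssapi_indicators_map.

Added example, not SSSD's own code: it models the rules the man page
states for which authentication indicators a Kerberos ticket must carry
before pam_sss_gss.so grants access to a PAM service. All configuration
values and ticket contents below are constructed sample data.
"""
from typing import Dict, List, Optional

# None -> indicator check disabled for the service ('-' or 'service:-')
# []   -> nothing required; the check does not prevent access
ServiceMap = Dict[str, Optional[List[str]]]


def parse_list(value: str) -> List[str]:
    """Split a comma separated option value and drop empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve_indicators(services_value: str, map_value: str) -> ServiceMap:
    """Build the per-service list of required indicators.

    Unprefixed indicators apply to every service listed in
    pam_gssapi_services; 'service:indicator' applies to one service only.
    """
    if services_value.strip() == "-":
        return {}  # GSSAPI authentication disabled for every service
    services = parse_list(services_value)
    if map_value.strip() == "-":
        return {svc: None for svc in services}  # indicator check disabled

    global_required: List[str] = []
    per_service: ServiceMap = {svc: [] for svc in services}
    for item in parse_list(map_value):
        if ":" not in item:
            global_required.append(item)
            continue
        svc, indicator = (part.strip() for part in item.split(":", 1))
        if svc not in per_service:
            continue  # service may not try GSSAPI at all; entry is moot
        if indicator == "-":
            per_service[svc] = None  # 'service:-' disables the check
        elif per_service[svc] is not None:
            per_service[svc].append(indicator)

    resolved: ServiceMap = {}
    for svc, required in per_service.items():
        resolved[svc] = None if required is None else required + global_required
    return resolved


def gssapi_access_allowed(resolved: ServiceMap, service: str,
                          ticket_indicators: List[str]) -> bool:
    """Apply the indicator check to the indicators found in the ticket."""
    if service not in resolved:
        return False  # service is not allowed to try GSSAPI authentication
    required = resolved[service]
    if required is None or not required:
        return True  # check disabled, or the resulting list is empty
    # Any single matching indicator grants access; none matching denies it.
    return any(indicator in required for indicator in ticket_indicators)


# Constructed sample: the man page's example plus a service whose
# indicator check is switched off with 'login:-'.
SAMPLE_SERVICES = "sudo, sudo-i, login"
SAMPLE_MAP = "sudo:pkinit, sudo-i:pkinit, login:-"
RESOLVED = resolve_indicators(SAMPLE_SERVICES, SAMPLE_MAP)

if __name__ == "__main__":
    for svc, ticket in (("sudo", ["pkinit"]), ("sudo", ["otp"]),
                        ("login", ["otp"]), ("su", ["pkinit"])):
        print(svc, ticket, "->", gssapi_access_allowed(RESOLVED, svc, ticket))
```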
 1840 
 1841         <refsect2 id='SUDO' condition="with_sudo">
 1842             <title>SUDO configuration options</title>
 1843             <para>
 1844                 These options can be used to configure the sudo service.
 1845                 The detailed instructions for configuration of
 1846                 <citerefentry>
 1847                     <refentrytitle>sudo</refentrytitle>
 1848                     <manvolnum>8</manvolnum>
 1849                 </citerefentry> to work with
 1850                 <citerefentry>
 1851                     <refentrytitle>sssd</refentrytitle>
 1852                     <manvolnum>8</manvolnum>
 1853                 </citerefentry> are in the manual page
 1854                 <citerefentry>
 1855                     <refentrytitle>sssd-sudo</refentrytitle>
 1856                     <manvolnum>5</manvolnum>
 1857                 </citerefentry>.
 1858             </para>
 1859             <variablelist>
 1860                 <varlistentry>
 1861                     <term>sudo_timed (bool)</term>
 1862                     <listitem>
 1863                         <para>
 1864                             Whether or not to evaluate the sudoNotBefore
 1865                             and sudoNotAfter attributes that implement
 1866                             time-dependent sudoers entries.
 1867                         </para>
 1868                         <para>
 1869                             Default: false
 1870                         </para>
 1871                     </listitem>
 1872                 </varlistentry>
 1875                 <varlistentry>
 1876                     <term>sudo_threshold (integer)</term>
 1877                     <listitem>
 1878                         <para>
  1879                             Maximum number of expired rules that can be
  1880                             refreshed at once. If the number of expired rules
  1881                             is below the threshold, those rules are refreshed
  1882                             with the <quote>rules refresh</quote> mechanism. If
  1883                             the threshold is exceeded, a
  1884                             <quote>full refresh</quote> of sudo rules is
  1885                             triggered instead. This threshold number also
  1886                             applies to IPA sudo command and command group
  1887                             searches.
 1888                         </para>
 1889                         <para>
 1890                             Default: 50
 1891                         </para>
 1892                     </listitem>
 1893                 </varlistentry>
 1894             </variablelist>
 1895         </refsect2>
 1896 
 1897         <refsect2 id='AUTOFS' condition="with_autofs">
 1898             <title>AUTOFS configuration options</title>
 1899             <para>
 1900                 These options can be used to configure the autofs service.
 1901             </para>
 1902             <variablelist>
 1903                 <varlistentry>
 1904                     <term>autofs_negative_timeout (integer)</term>
 1905                     <listitem>
 1906                         <para>
  1907                             Specifies for how many seconds the autofs
  1908                             responder should negatively cache hits
  1909                             (that is, queries for invalid map entries,
  1910                             such as nonexistent ones) before asking the back
  1911                             end again.
 1912                         </para>
 1913                         <para>
 1914                             Default: 15
 1915                         </para>
 1916                     </listitem>
 1917                 </varlistentry>
 1918             </variablelist>
 1919             <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/autofs_restart.xml" />
 1920         </refsect2>
 1921 
 1922         <refsect2 id='SSH' condition="with_ssh">
 1923             <title>SSH configuration options</title>
 1924             <para>
 1925                 These options can be used to configure the SSH service.
 1926             </para>
 1927             <variablelist>
 1928                 <varlistentry>
 1929                     <term>ssh_hash_known_hosts (bool)</term>
 1930                     <listitem>
 1931                         <para>
 1932                             Whether or not to hash host names and addresses in
 1933                             the managed known_hosts file.
 1934                         </para>
 1935                         <para>
 1936                             Default: true
 1937                         </para>
 1938                     </listitem>
 1939                 </varlistentry>
 1940                 <varlistentry>
 1941                     <term>ssh_known_hosts_timeout (integer)</term>
 1942                     <listitem>
 1943                         <para>
 1944                             How many seconds to keep a host in the managed
 1945                             known_hosts file after its host keys were requested.
 1946                         </para>
 1947                         <para>
 1948                             Default: 180
 1949                         </para>
 1950                     </listitem>
 1951                 </varlistentry>
 1952                 <varlistentry>
 1953                     <term>ssh_use_certificate_keys (bool)</term>
 1954                     <listitem>
 1955                         <para>
  1956                             If set to true,
  1957                             <command>sss_ssh_authorizedkeys</command> will
  1958                             also return ssh keys derived from the public key of X.509
  1959                             certificates stored in the user entry. See
 1960                             <citerefentry>
 1961                                 <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
 1962                                 <manvolnum>1</manvolnum>
 1963                             </citerefentry> for details.
 1964                         </para>
 1965                         <para>
 1966                             Default: true
 1967                         </para>
 1968                     </listitem>
 1969                 </varlistentry>
 1970                 <varlistentry>
 1971                     <term>ssh_use_certificate_matching_rules (string)</term>
 1972                     <listitem>
 1973                         <para>
 1974                             By default the ssh responder will use all available
 1975                             certificate matching rules to filter the
 1976                             certificates so that ssh keys are only derived from
 1977                             the matching ones. With this option the used rules
 1978                             can be restricted with a comma separated list of
 1979                             mapping and matching rule names. All other rules
 1980                             will be ignored.
 1981                         </para>
 1982                         <para>
 1983                             There are two special key words 'all_rules' and
 1984                             'no_rules' which will enable all or no rules,
 1985                             respectively. The latter means that no certificates
 1986                             will be filtered out and ssh keys will be generated
 1987                             from all valid certificates.
 1988                         </para>
 1989                         <para>
  1990                             If no rules are configured, using 'all_rules' will
  1991                             enable a default rule which accepts all
  1992                             certificates suitable for client authentication.
 1993                             This is the same behavior as for the PAM responder
 1994                             if certificate authentication is enabled.
 1995                         </para>
 1996                         <para>
 1997                             A non-existing rule name is considered an error.
 1998                             If as a result no rule is selected all certificates
 1999                             will be ignored.
 2000                         </para>
 2001                         <para>
 2002                             Default: not set, equivalent to 'all_rules',
 2003                             all found rules or the default rule are used
 2004                         </para>
 2005                     </listitem>
 2006                 </varlistentry>
 2007                 <varlistentry>
 2008                     <term>ca_db (string)</term>
 2009                     <listitem>
 2010                         <para>
 2011                             Path to a storage of trusted CA certificates. The
 2012                             option is used to validate user certificates before
 2013                             deriving public ssh keys from them.
 2014                         </para>
 2015                         <para>
 2016                             Default:
 2017                             <itemizedlist>
 2018                                 <listitem><para>/etc/sssd/pki/sssd_auth_ca_db.pem
 2019                                                 (path to a file with trusted CA
 2020                                                 certificates in PEM format)
 2021                                           </para>
 2022                                 </listitem>
 2023                             </itemizedlist>
 2024                         </para>
 2025                     </listitem>
 2026                 </varlistentry>
 2027             </variablelist>
 2028         </refsect2>
 2029 
 2030         <refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
 2031             <title>PAC responder configuration options</title>
 2032             <para>
 2033                 The PAC responder works together with the authorization data
 2034                 plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain
 2035                 provider. The plugin sends the PAC data during a GSSAPI
 2036                 authentication to the PAC responder. The sub-domain provider
 2037                 collects domain SID and ID ranges of the domain the client is
 2038                 joined to and of remote trusted domains from the local domain
  2039                 controller. When the PAC is decoded and evaluated, some of the
  2040                 following operations are performed:
 2041                 <itemizedlist>
 2042                     <listitem><para>If the remote user does not exist in the
 2043                     cache, it is created. The UID is determined with the help
 2044                     of the SID, trusted domains will have UPGs and the GID
 2045                     will have the same value as the UID. The home directory is
 2046                     set based on the subdomain_homedir parameter. The shell will
 2047                     be empty by default, i.e. the system defaults are used, but
 2048                     can be overwritten with the default_shell parameter.</para>
 2049                     </listitem>
 2050                     <listitem><para>If there are SIDs of groups from domains
 2051                     sssd knows about, the user will be added to those groups.
 2052                     </para></listitem>
 2053                 </itemizedlist>
 2054             </para>
 2055             <para>
 2056                 These options can be used to configure the PAC responder.
 2057             </para>
 2058             <variablelist>
 2059                 <varlistentry>
 2060                     <term>allowed_uids (string)</term>
 2061                     <listitem>
 2062                         <para>
 2063                             Specifies the comma-separated list of UID values or
 2064                             user names that are allowed to access the PAC
 2065                             responder. User names are resolved to UIDs at
 2066                             startup.
 2067                         </para>
 2068                         <para>
 2069                             Default: 0 (only the root user is allowed to access
 2070                             the PAC responder)
 2071                         </para>
 2072                         <para>
  2073                             Please note that although UID 0 is used as the
  2074                             default, setting this option replaces that default
  2075                             rather than extending it. To still allow the root
  2076                             user to access the PAC responder, which would be
  2077                             the typical case, add 0 to the list of allowed UIDs as well.
 2078                         </para>
 2079                     </listitem>
 2080                 </varlistentry>
 2081                 <varlistentry>
 2082                     <term>pac_lifetime (integer)</term>
 2083                     <listitem>
 2084                         <para>
 2085                             Lifetime of the PAC entry in seconds. As long as the
 2086                             PAC is valid the PAC data can be used to determine
 2087                             the group memberships of a user.
 2088                         </para>
 2089                         <para>
 2090                             Default: 300
 2091                         </para>
 2092                     </listitem>
 2093                 </varlistentry>
 2094             </variablelist>
 2095         </refsect2>
 2096 
 2097         <refsect2 id='SESSION_RECORDING'>
 2098             <title>Session recording configuration options</title>
 2099             <para>
 2100                 Session recording works in conjunction with
 2101                 <citerefentry>
 2102                     <refentrytitle>tlog-rec-session</refentrytitle>
 2103                     <manvolnum>8</manvolnum>
  2104                 </citerefentry>, part of the tlog package, to log what users see
 2105                 and type when they log in on a text terminal.
 2106                 See also
 2107                 <citerefentry>
 2108                     <refentrytitle>sssd-session-recording</refentrytitle>
 2109                     <manvolnum>5</manvolnum>
 2110                 </citerefentry>.
 2111             </para>
 2112             <para>
 2113                 These options can be used to configure session recording.
 2114             </para>
 2115             <variablelist>
 2116                 <varlistentry>
 2117                     <term>scope (string)</term>
 2118                     <listitem>
 2119                         <para>
 2120                             One of the following strings specifying the scope
 2121                             of session recording:
 2122                             <variablelist>
 2123                                 <varlistentry>
 2124                                     <term>"none"</term>
 2125                                     <listitem>
 2126                                         <para>
 2127                                             No users are recorded.
 2128                                         </para>
 2129                                     </listitem>
 2130                                 </varlistentry>
 2131                                 <varlistentry>
 2132                                     <term>"some"</term>
 2133                                     <listitem>
 2134                                         <para>
 2135                                             Users/groups specified by
 2136                                             <replaceable>users</replaceable>
 2137                                             and
 2138                                             <replaceable>groups</replaceable>
 2139                                             options are recorded.
 2140                                         </para>
 2141                                     </listitem>
 2142                                 </varlistentry>
 2143                                 <varlistentry>
 2144                                     <term>"all"</term>
 2145                                     <listitem>
 2146                                         <para>
 2147                                             All users are recorded.
 2148                                         </para>
 2149                                     </listitem>
 2150                                 </varlistentry>
 2151                             </variablelist>
 2152                         </para>
 2153                         <para>
 2154                             Default: "none"
 2155                         </para>
 2156                     </listitem>
 2157                 </varlistentry>
 2158                 <varlistentry>
 2159                     <term>users (string)</term>
 2160                     <listitem>
 2161                         <para>
 2162                             A comma-separated list of users which should have
  2163                             session recording enabled. Matches user names as
  2164                             returned by NSS, i.e. after any space
  2165                             replacement, case changes, etc.
 2166                         </para>
 2167                         <para>
 2168                             Default: Empty. Matches no users.
 2169                         </para>
 2170                     </listitem>
 2171                 </varlistentry>
 2172                 <varlistentry>
 2173                     <term>groups (string)</term>
 2174                     <listitem>
 2175                         <para>
 2176                             A comma-separated list of groups, members of which
  2177                             should have session recording enabled. Matches
  2178                             group names as returned by NSS, i.e. after any
  2179                             space replacement, case changes, etc.
 2180                         </para>
 2181                         <para>
 2182                             NOTE: using this option (having it set to
 2183                             anything) has a considerable performance cost,
 2184                             because each uncached request for a user requires
 2185                             retrieving and matching the groups the user is
 2186                             member of.
 2187                         </para>
 2188                         <para>
 2189                             Default: Empty. Matches no groups.
 2190                         </para>
 2191                     </listitem>
 2192                 </varlistentry>
 2193                 <varlistentry>
 2194                     <term>exclude_users (string)</term>
 2195                     <listitem>
 2196                         <para>
 2197                             A comma-separated list of users to be excluded from
 2198                             recording, only applicable with 'scope=all'.
 2199                         </para>
 2200                         <para>
 2201                             Default: Empty. No users excluded.
 2202                         </para>
 2203                     </listitem>
 2204                 </varlistentry>
 2205                 <varlistentry>
 2206                     <term>exclude_groups (string)</term>
 2207                     <listitem>
 2208                         <para>
 2209                             A comma-separated list of groups, members of which
 2210                             should be excluded from recording. Only applicable
 2211                             with 'scope=all'.
 2212                         </para>
 2213                         <para>
 2214                             NOTE: using this option (having it set to
 2215                             anything) has a considerable performance cost,
 2216                             because each uncached request for a user requires
 2217                             retrieving and matching the groups the user is
 2218                             member of.
 2219                         </para>
 2220                         <para>
 2221                             Default: Empty. No groups excluded.
 2222                         </para>
 2223                     </listitem>
 2224                 </varlistentry>
 2225             </variablelist>
 2226         </refsect2>
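The way scope, users, groups, exclude_users and exclude_groups combine (exclusions count only with scope=all; with scope=some only the users and groups lists matter) is shown by the following decision function. This is an added example, not SSSD's own code; the configuration dictionaries and group memberships are constructed sample data, and the quotes the man page puts around scope values are tolerated but not required.

```python
"""Decide whether a text-terminal login is recorded.

Added example, not SSSD's own code: it models the [session_recording]
options as the man page describes them. Configuration values and group
memberships below are constructed sample data.
"""
from typing import Dict, List


def parse_list(value: str) -> List[str]:
    """Split a comma separated option value and drop empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def should_record(conf: Dict[str, str], user: str, user_groups: List[str]) -> bool:
    """user and user_groups are names as returned by NSS (after any
    space replacement and case changes)."""
    scope = conf.get("scope", "none").strip().strip('"')
    if scope == "none":
        return False  # nobody is recorded
    if scope == "some":
        users = parse_list(conf.get("users", ""))
        groups = parse_list(conf.get("groups", ""))
        # exclude_users / exclude_groups are not applicable here
        return user in users or any(g in groups for g in user_groups)
    if scope == "all":
        excluded_users = parse_list(conf.get("exclude_users", ""))
        excluded_groups = parse_list(conf.get("exclude_groups", ""))
        if user in excluded_users:
            return False
        if any(g in excluded_groups for g in user_groups):
            return False
        return True
    raise ValueError("scope must be one of none, some, all: %r" % scope)


# Constructed sample configurations.
SAMPLE_SOME = {"scope": "some", "users": "alice, bob", "groups": "auditors"}
SAMPLE_ALL = {"scope": '"all"', "exclude_users": "backup",
              "exclude_groups": "automation"}

if __name__ == "__main__":
    print(should_record(SAMPLE_SOME, "carol", ["auditors"]))  # True
    print(should_record(SAMPLE_ALL, "carol", ["automation"]))  # False
```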
 2227 
 2228     </refsect1>
 2229 
 2230     <refsect1 id='domain-sections'>
 2231         <title>DOMAIN SECTIONS</title>
 2232         <para>
 2233             These configuration options can be present in a domain
 2234             configuration section, that is, in a section called
 2235             <quote>[domain/<replaceable>NAME</replaceable>]</quote>
 2236             <variablelist>
 2237                 <varlistentry>
 2238                     <term>enabled</term>
 2239                     <listitem>
 2240                         <para>
 2241                             Explicitly enable or disable the domain. If
 2242                             <quote>true</quote>, the domain is always
 2243                             <quote>enabled</quote>. If <quote>false</quote>,
 2244                             the domain is always <quote>disabled</quote>. If
 2245                             this option is not set, the domain is enabled only
 2246                             if it is listed in the domains option in the
 2247                             <quote>[sssd]</quote> section.
 2248                         </para>
 2249                     </listitem>
 2250                 </varlistentry>
 2251 
 2252                 <varlistentry>
 2253                     <term>domain_type (string)</term>
 2254                     <listitem>
 2255                         <para>
 2256                             Specifies whether the domain is meant to be used
 2257                             by POSIX-aware clients such as the Name Service Switch
 2258                             or by applications that do not need POSIX data to be
 2259                             present or generated. Only objects from POSIX domains
 2260                             are available to the operating system interfaces and
 2261                             utilities.
 2262                         </para>
 2263                         <para>
 2264                             Allowed values for this option are <quote>posix</quote>
 2265                             and <quote>application</quote>.
 2266                         </para>
 2267                         <para>
 2268                             POSIX domains are reachable by all services. Application
 2269                             domains are only reachable from the InfoPipe responder (see
 2270                             <citerefentry>
 2271                                 <refentrytitle>sssd-ifp</refentrytitle>
 2272                                 <manvolnum>5</manvolnum>
 2273                             </citerefentry>) and the PAM responder.
 2274                         </para>
 2275                         <para>
 2276                             NOTE: The application domains are currently well tested with
 2277                             <quote>id_provider=ldap</quote> only.
 2278                         </para>
 2279                         <para>
  2280                             For an easy way to configure a non-POSIX domain, please
  2281                             see the <quote>Application domains</quote> section.
 2282                         </para>
 2283                         <para>
 2284                             Default: posix
 2285                         </para>
 2286                     </listitem>
 2287                 </varlistentry>
 2288 
 2289                 <varlistentry>
 2290                     <term>min_id,max_id (integer)</term>
 2291                     <listitem>
 2292                         <para>
 2293                             UID and GID limits for the domain. If a domain
 2294                             contains an entry that is outside these limits, it
 2295                             is ignored.
 2296                         </para>
 2297                         <para>
 2298                             For users, this affects the primary GID limit. The
 2299                             user will not be returned to NSS if either the
 2300                             UID or the primary GID is outside the range. For
 2301                             non-primary group memberships, those that are in
 2302                             range will be reported as expected.
 2303                         </para>
 2304                         <para>
 2305                             These ID limits affect even saving entries to
 2306                             cache, not only returning them by name or ID.
 2307                         </para>
 2308                         <para>
 2309                             Default: 1 for min_id, 0 (no limit) for max_id
 2310                         </para>
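<para>
    The following Python snippet is an added illustration of the ID-limit rule and
    is not code from SSSD. The directory entries in it are constructed. It shows
    that a user is dropped entirely when either the UID or the primary GID falls
    outside the limits, while secondary group memberships are filtered one by one,
    and that a max_id of 0 means no upper bound (the documented default).
</para>

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added illustration of the min_id/max_id filter; not SSSD code.
# Sample directory entries below are constructed, not taken from any deployment.

@dataclass
class User:
    name: str
    uid: int
    gid: int                                   # primary GID
    groups: List[Tuple[str, int]] = field(default_factory=list)  # secondary (name, gid)

SAMPLE_USERS = [
    User("alice", 10001, 10001, [("devs", 10005), ("legacy", 500)]),
    User("bob",   10002, 600,   [("devs", 10005)]),      # primary GID out of range
    User("carol", 30000, 10003, [("ops", 10006)]),       # UID out of range
    User("sysop", 0,     0,     [("wheel", 10)]),        # below the default min_id of 1
]

def in_range(value: int, min_id: int, max_id: int) -> bool:
    """True if value lies inside [min_id, max_id]; max_id == 0 means no upper limit."""
    if min_id > value:
        return False
    return max_id == 0 or not (value > max_id)

def filter_user(user: User, min_id: int = 1, max_id: int = 0) -> Optional[User]:
    """Return the user as NSS would see it, or None if the entry is ignored.

    Both the UID and the primary GID must be in range.  Secondary group
    memberships are filtered individually; only the in-range ones are kept.
    """
    if not (in_range(user.uid, min_id, max_id) and in_range(user.gid, min_id, max_id)):
        return None
    visible = [(g, gid) for g, gid in user.groups if in_range(gid, min_id, max_id)]
    return User(user.name, user.uid, user.gid, visible)

def visible_users(users=SAMPLE_USERS, min_id: int = 1, max_id: int = 0) -> dict:
    """Map each reported user name to its reported secondary group names.

    Users that fall outside the limits are absent from the result, which is
    what a getent passwd call through nss_sss would reflect.
    """
    result = {}
    for u in users:
        seen = filter_user(u, min_id, max_id)
        if seen is not None:
            result[seen.name] = [g for g, _ in seen.groups]
    return result

if __name__ == "__main__":
    print(visible_users(min_id=1000, max_id=20000))
    print(visible_users())   # documented defaults: min_id=1, max_id=0
```

<para>
    With min_id=1000 and max_id=20000 only alice survives, and her membership in
    the out-of-range group is silently dropped; with the defaults everything but
    the UID 0 entry is reported.
</para>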
 2311                     </listitem>
 2312                 </varlistentry>
 2313 
 2314                 <varlistentry>
 2315                     <term>enumerate (bool)</term>
 2316                     <listitem>
 2317                         <para>
 2318                             Determines if a domain can be enumerated,
 2319                             that is, whether the domain can list all the
 2320                             users and groups it contains. Note that it is
 2321                             not required to enable enumeration in order
 2322                             for secondary groups to be displayed. This
 2323                             parameter can have one of the following values:
 2324                         </para>
 2325                         <para>
 2326                             TRUE = Users and groups are enumerated
 2327                         </para>
 2328                         <para>
 2329                             FALSE = No enumerations for this domain
 2330                         </para>
 2331                         <para>
 2332                             Default: FALSE
 2333                         </para>
 2334                         <para>
 2335                             Enumerating a domain requires SSSD to download
 2336                             and store ALL user and group entries from the
 2337                             remote server.
 2338                         </para>
 2339                         <para>
 2340                             Note: Enabling enumeration has a moderate
 2341                             performance impact on SSSD while enumeration
 2342                             is running. It may take up to several minutes
 2343                             after SSSD startup to fully complete enumerations.
 2344                             During this time, individual requests for
 2345                             information will go directly to LDAP, though it
 2346                             may be slow, due to the heavy enumeration
 2347                             processing. Saving a large number of entries
 2348                             to cache after the enumeration completes might
 2349                             also be CPU intensive as the memberships have
 2350                             to be recomputed. This can lead to the
 2351                             <quote>sssd_be</quote> process becoming unresponsive
 2352                             or even restarted by the internal watchdog.
 2353                         </para>
 2354                         <para>
 2355                             While the first enumeration is running, requests
 2356                             for the complete user or group lists may return
 2357                             no results until it completes.
 2358                         </para>
 2359                         <para>
 2360                             Further, enabling enumeration may increase the time
 2361                             necessary to detect network disconnection, as
 2362                             longer timeouts are required to ensure that
 2363                             enumeration lookups are completed successfully.
 2364                             For more information, refer to the man pages for
 2365                             the specific id_provider in use.
 2366                         </para>
 2367                         <para>
 2368                             For the reasons cited above, enabling enumeration
 2369                             is not recommended, especially in large
 2370                             environments.
 2371                         </para>
 2372                     </listitem>
 2373                 </varlistentry>
 2374 
 2375                 <varlistentry>
 2376                     <term>subdomain_enumerate (string)</term>
 2377                     <listitem>
 2378                         <para>
 2379                             Whether any of the autodetected trusted domains should
 2380                             be enumerated. The supported values are:
 2381                             <variablelist>
 2382                                 <varlistentry>
 2383                                     <term>all</term>
 2384                                     <listitem><para>All discovered trusted domains will be enumerated</para></listitem>
 2385                                 </varlistentry>
 2386                                 <varlistentry>
 2387                                     <term>none</term>
 2388                                     <listitem><para>No discovered trusted domains will be enumerated</para></listitem>
 2389                                 </varlistentry>
 2390                             </variablelist>
 2391                             Optionally, a list of one or more domain
 2392                             names can enable enumeration just for these
 2393                             trusted domains.
 2394                         </para>
 2395                         <para>
 2396                             Default: none
 2397                         </para>
 2398                     </listitem>
 2399                 </varlistentry>
 2400 
 2401                 <varlistentry>
 2402                     <term>entry_cache_timeout (integer)</term>
 2403                     <listitem>
 2404                         <para>
 2405                             How many seconds nss_sss should consider
 2406                             entries valid before asking the backend again.
 2407                         </para>
 2408                         <para>
 2409                             The cache expiration timestamps are stored
 2410                             as attributes of individual objects in the
 2411                             cache. Therefore, changing the cache timeout only
 2412                             has effect for newly added or expired entries.
 2413                             You should run the
 2414                             <citerefentry>
 2415                                 <refentrytitle>sss_cache</refentrytitle>
 2416                                 <manvolnum>8</manvolnum>
 2417                             </citerefentry>
 2418                             tool in order to force refresh of entries that
 2419                             have already been cached.
 2420                         </para>
 2421                         <para>
 2422                             Default: 5400
 2423                         </para>
 2424                     </listitem>
 2425                 </varlistentry>
 2426 
 2427                 <varlistentry>
 2428                     <term>entry_cache_user_timeout (integer)</term>
 2429                     <listitem>
 2430                         <para>
 2431                             How many seconds nss_sss should consider
 2432                             user entries valid before asking the backend again.
 2433                         </para>
 2434                         <para>
 2435                             Default: entry_cache_timeout
 2436                         </para>
 2437                     </listitem>
 2438                 </varlistentry>
 2439 
 2440                 <varlistentry>
 2441                     <term>entry_cache_group_timeout (integer)</term>
 2442                     <listitem>
 2443                         <para>
 2444                             How many seconds nss_sss should consider
 2445                             group entries valid before asking the backend again.
 2446                         </para>
 2447                         <para>
 2448                             Default: entry_cache_timeout
 2449                         </para>
 2450                     </listitem>
 2451                 </varlistentry>
 2452 
 2453                 <varlistentry>
 2454                     <term>entry_cache_netgroup_timeout (integer)</term>
 2455                     <listitem>
 2456                         <para>
 2457                             How many seconds nss_sss should consider
 2458                             netgroup entries valid before asking the backend again.
 2459                         </para>
 2460                         <para>
 2461                             Default: entry_cache_timeout
 2462                         </para>
 2463                     </listitem>
 2464                 </varlistentry>
 2465 
 2466                 <varlistentry>
 2467                     <term>entry_cache_service_timeout (integer)</term>
 2468                     <listitem>
 2469                         <para>
 2470                             How many seconds nss_sss should consider
 2471                             service entries valid before asking the backend again.
 2472                         </para>
 2473                         <para>
 2474                             Default: entry_cache_timeout
 2475                         </para>
 2476                     </listitem>
 2477                 </varlistentry>
 2478 
 2479                 <varlistentry>
 2480                     <term>entry_cache_resolver_timeout (integer)</term>
 2481                     <listitem>
 2482                         <para>
 2483                             How many seconds nss_sss should consider
 2484                             hosts and networks entries valid before asking
 2485                             the backend again.
 2486                         </para>
 2487                         <para>
 2488                             Default: entry_cache_timeout
 2489                         </para>
 2490                     </listitem>
 2491                 </varlistentry>
 2492 
 2493                 <varlistentry condition="with_sudo">
 2494                     <term>entry_cache_sudo_timeout (integer)</term>
 2495                     <listitem>
 2496                         <para>
 2497                             How many seconds sudo should consider
 2498                             rules valid before asking the backend again.
 2499                         </para>
 2500                         <para>
 2501                             Default: entry_cache_timeout
 2502                         </para>
 2503                     </listitem>
 2504                 </varlistentry>
 2505 
 2506                 <varlistentry condition="with_autofs">
 2507                     <term>entry_cache_autofs_timeout (integer)</term>
 2508                     <listitem>
 2509                         <para>
 2510                             How many seconds the autofs service should
 2511                             consider automounter maps valid before asking
 2512                             the backend again.
 2513                         </para>
 2514                         <para>
 2515                             Default: entry_cache_timeout
 2516                         </para>
 2517                     </listitem>
 2518                 </varlistentry>
 2519 
 2520                 <varlistentry condition="with_ssh">
 2521                     <term>entry_cache_ssh_host_timeout (integer)</term>
 2522                     <listitem>
 2523                         <para>
 2524                             How many seconds to keep a host SSH key after
 2525                             refresh, i.e. how long to cache the host key
 2526                             for.
 2527                         </para>
 2528                         <para>
 2529                             Default: entry_cache_timeout
 2530                         </para>
 2531                     </listitem>
 2532                 </varlistentry>
 2533 
 2534                 <varlistentry>
 2535                     <term>entry_cache_computer_timeout (integer)</term>
 2536                     <listitem>
 2537                         <para>
 2538                             How many seconds to keep the local computer
 2539                             entry before asking the backend again.
 2540                         </para>
 2541                         <para>
 2542                             Default: entry_cache_timeout
 2543                         </para>
 2544                     </listitem>
 2545                 </varlistentry>
 2546 
 2547                 <varlistentry>
 2548                     <term>refresh_expired_interval (integer)</term>
 2549                     <listitem>
 2550                         <para>
 2551                             Specifies how many seconds SSSD has to wait before
 2552                             triggering a background refresh task which will
 2553                             refresh all expired or nearly expired records.
 2554                         </para>
 2555                         <para>
 2556                             The background refresh will process users,
 2557                             groups and netgroups in the cache. For users
 2558                             who have performed the initgroups (get group
 2559                             membership for user, typically run at login)
 2560                             operation in the past, both the user entry
 2561                             and the group membership are updated.
 2562                         </para>
 2563                         <para>
 2564                             This option is automatically inherited for all
 2565                             trusted domains.
 2566                         </para>
 2567                         <para>
 2568                             You can consider setting this value to
 2569                             3/4 * entry_cache_timeout.
 2570                         </para>
 2571                         <para>
 2572                             A cache entry will be refreshed by the background task
 2573                             when 2/3 of its cache timeout has already passed.
 2574                             If there are existing cached entries, the background
 2575                             task refers to their original cache timeout
 2576                             values instead of the current configuration value.
 2577                             This may lead to a situation in which the background refresh
 2578                             task appears not to be working. This is done
 2579                             by design to improve offline mode operation and
 2580                             reuse of existing valid cache entries.
 2581                             To make the change take effect immediately, the user may want to
 2582                             manually invalidate the existing cache.
 2583                         </para>
 2584                         <para>
 2585                             Default: 0 (disabled)
 2586                         </para>
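<para>
    The following Python model is an added example, not SSSD code, covering both the
    entry_cache_*_timeout family above and refresh_expired_interval. It assumes,
    as this page describes, that each cached entry carries the timeout that was in
    force when it was stored, that the background task runs every
    refresh_expired_interval seconds and refreshes entries once 2/3 of their own
    timeout has elapsed, and that a per-type timeout falls back to entry_cache_timeout
    (default 5400). The scenario in demo(), an administrator lowering the timeout
    from 5400 to 600, is constructed to show why an old entry seems to ignore the
    new setting.
</para>

```python
from dataclasses import dataclass
from typing import Dict, List

# Added model of entry_cache_*_timeout and refresh_expired_interval; not SSSD code.

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400   # documented default, seconds

def effective_timeout(cfg: Dict[str, str], entry_type: str) -> int:
    """entry_cache_TYPE_timeout falls back to entry_cache_timeout, which defaults to 5400."""
    base = int(cfg.get("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT))
    return int(cfg.get("entry_cache_%s_timeout" % entry_type, base))

def recommended_refresh_interval(cfg: Dict[str, str]) -> int:
    """The 3/4 * entry_cache_timeout value this page suggests for refresh_expired_interval."""
    return 3 * int(cfg.get("entry_cache_timeout", DEFAULT_ENTRY_CACHE_TIMEOUT)) // 4

@dataclass
class CacheEntry:
    name: str
    cached_at: int   # when the entry was stored (seconds)
    timeout: int     # timeout recorded on the entry itself at that moment

    def valid(self, now: int) -> bool:
        """Entry still served from cache without asking the backend."""
        return self.timeout > now - self.cached_at

    def due_for_refresh(self, now: int) -> bool:
        """The background task refreshes an entry once 2/3 of its *own* timeout has passed."""
        return 3 * (now - self.cached_at) >= 2 * self.timeout

def background_refresh(entries: List[CacheEntry], now: int) -> List[str]:
    """One run of the background task: refresh due entries, stamping them with now."""
    refreshed = []
    for e in entries:
        if e.due_for_refresh(now):
            e.cached_at = now
            refreshed.append(e.name)
    return refreshed

def simulate(entries: List[CacheEntry], interval: int, until: int) -> Dict[int, List[str]]:
    """Run the task every `interval` seconds up to `until`; map run time to refreshed names."""
    runs = {}
    t = interval
    while not (t > until):
        names = background_refresh(entries, t)
        if names:
            runs[t] = names
        t += interval
    return runs

def demo() -> Dict[int, List[str]]:
    # Constructed scenario: entry_cache_timeout lowered from 5400 to 600 and
    # refresh_expired_interval set to 3/4 of that.  "old" was cached under the
    # previous timeout, "new" after the change; both were stored at t=0.
    cfg = {"entry_cache_timeout": "600", "refresh_expired_interval": "450"}
    entries = [CacheEntry("old", cached_at=0, timeout=5400),
               CacheEntry("new", cached_at=0, timeout=effective_timeout(cfg, "user"))]
    return simulate(entries, int(cfg["refresh_expired_interval"]), until=4000)

if __name__ == "__main__":
    for t, names in demo().items():
        print(t, names)
```

<para>
    The "new" entry is refreshed on every run, but "old" is not touched until
    3600 seconds (2/3 of its recorded 5400), exactly the situation in which the
    refresh task appears not to be working; running sss_cache after the change
    removes the old timestamps and avoids it.
</para>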
 2587                     </listitem>
 2588                 </varlistentry>
 2589 
 2590                 <varlistentry>
 2591                     <term>cache_credentials (bool)</term>
 2592                     <listitem>
 2593                         <para>
 2594                             Determines if user credentials are also cached
 2595                             in the local LDB cache.
 2596                         </para>
 2597                         <para>
 2598                             User credentials are stored as a SHA512 hash, not
 2599                             in plaintext.
 2600                         </para>
 2601                         <para>
 2602                             Default: FALSE
 2603                         </para>
 2604                     </listitem>
 2605                 </varlistentry>
 2606 
 2607                 <varlistentry>
 2608                     <term>cache_credentials_minimal_first_factor_length (int)</term>
 2609                     <listitem>
 2610                         <para>
 2611                             If 2-Factor-Authentication (2FA) is used and
 2612                             credentials should be saved, this value determines
 2613                             the minimal length the first authentication factor
 2614                             (long term password) must have to be saved as a SHA512
 2615                             hash into the cache.
 2616                         </para>
 2617                         <para>
 2618                             This prevents the short PINs of a PIN-based
 2619                             2FA scheme from being saved in the cache, which would make
 2620                             them easy targets for brute-force attacks.
 2621                         </para>
 2622                         <para>
 2623                             Default: 8
 2624                         </para>
 2625                     </listitem>
 2626                 </varlistentry>
 2627 
 2628                 <varlistentry>
 2629                     <term>account_cache_expiration (integer)</term>
 2630                     <listitem>
 2631                         <para>
 2632                             Number of days entries are left in cache after
 2633                             last successful login before being removed during
 2634                             a cleanup of the cache. 0 means keep forever.
 2635                             The value of this parameter must be greater than or
 2636                             equal to offline_credentials_expiration.
 2637                         </para>
 2638                         <para>
 2639                             Default: 0 (unlimited)
 2640                         </para>
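<para>
    The following Python check is an added example, written here with the
    standard configparser module; it is not part of SSSD or of its tooling. It
    reads a constructed sssd.conf and reports the settings this page warns about
    in a domain section: max_id below min_id, enumerate=TRUE, an
    account_cache_expiration shorter than offline_credentials_expiration, a
    first-factor minimum below the default of 8 while credentials are cached, a
    refresh_expired_interval longer than entry_cache_timeout, and an unset
    access_provider (which falls back to permit). It assumes that
    offline_credentials_expiration is read from the [pam] section with a default
    of 0, and that the defaults stated on this page apply to the other options.
    first_factor_cacheable() mirrors the cache_credentials_minimal_first_factor_length
    gate for a two-factor login.
</para>

```python
import configparser
from typing import List

# Added sanity check over an sssd.conf domain section; not SSSD code.
# The configuration below is constructed and deliberately contains the
# problems this man page warns about.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE

[pam]
offline_credentials_expiration = 30

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
enumerate = TRUE
min_id = 1000
max_id = 500
cache_credentials = TRUE
cache_credentials_minimal_first_factor_length = 4
account_cache_expiration = 7
entry_cache_timeout = 5400
refresh_expired_interval = 6000
"""

def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_domain(cp: configparser.ConfigParser, name: str) -> List[str]:
    """Return findings for [domain/NAME]; an empty list means nothing to report."""
    dom = cp["domain/" + name]
    # Assumption: offline_credentials_expiration is a [pam] option, default 0 (unlimited).
    oce = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    findings = []

    min_id = dom.getint("min_id", fallback=1)
    max_id = dom.getint("max_id", fallback=0)          # 0 = no upper limit
    if max_id and min_id > max_id:
        findings.append("max_id (%d) is below min_id (%d): every entry is ignored" % (max_id, min_id))

    if dom.getboolean("enumerate", fallback=False):
        findings.append("enumerate=TRUE downloads all users and groups; not recommended for large environments")

    ace = dom.getint("account_cache_expiration", fallback=0)   # 0 = keep forever
    if ace and oce > ace:
        findings.append("account_cache_expiration (%d) must be >= offline_credentials_expiration (%d)" % (ace, oce))

    if dom.getboolean("cache_credentials", fallback=False):
        ff = dom.getint("cache_credentials_minimal_first_factor_length", fallback=8)
        if 8 > ff:
            findings.append("first factor minimum %d is below the default 8; short 2FA PINs may be cached" % ff)

    ect = dom.getint("entry_cache_timeout", fallback=5400)
    rei = dom.getint("refresh_expired_interval", fallback=0)
    if rei > ect:
        findings.append("refresh_expired_interval (%d) exceeds entry_cache_timeout; consider 3/4 * %d = %d"
                        % (rei, ect, 3 * ect // 4))

    if "access_provider" not in dom:
        findings.append("access_provider unset: the default 'permit' allows every authenticated user")
    return findings

def first_factor_cacheable(cp: configparser.ConfigParser, name: str,
                           first_factor: str, two_factor: bool) -> bool:
    """Would the first factor of a successful login be saved (hashed) in the cache?"""
    dom = cp["domain/" + name]
    if not dom.getboolean("cache_credentials", fallback=False):
        return False
    if not two_factor:
        return True      # the length gate only applies to 2FA logins
    minimum = dom.getint("cache_credentials_minimal_first_factor_length", fallback=8)
    return len(first_factor) >= minimum

if __name__ == "__main__":
    for line in check_domain(load(SAMPLE_CONF), "EXAMPLE"):
        print("-", line)
```

<para>
    Run against the constructed file it reports six findings; a section with
    access_provider set, max_id of 0, the default first-factor minimum, an
    account_cache_expiration no shorter than offline_credentials_expiration and
    refresh_expired_interval at 3/4 of entry_cache_timeout reports none.
</para>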
 2641                     </listitem>
 2642                 </varlistentry>
 2643                 <varlistentry>
 2644                   <term>pwd_expiration_warning (integer)</term>
 2645                   <listitem>
 2646                     <para>
 2647                       Display a warning N days before the password expires.
 2648                     </para>
 2649                     <para>
 2650                         If zero is set, this filter is not applied,
 2651                         i.e. if an expiration warning was received from the
 2652                         backend server, it will automatically be displayed.
 2653                     </para>
 2654                     <para>
 2655                       Please note that the backend server has to provide
 2656                       information about the expiration time of the password.
 2657                       If this information is missing, sssd cannot display a
 2658                       warning. Also an auth provider has to be configured for
 2659                       the backend.
 2660                     </para>
 2661                     <para>
 2662                       Default: 7 (Kerberos), 0 (LDAP)
 2663                     </para>
 2664                   </listitem>
 2665                 </varlistentry>
 2666 
 2667                 <varlistentry>
 2668                     <term>id_provider (string)</term>
 2669                     <listitem>
 2670                         <para>
 2671                             The identification provider used for the domain.
 2672                             Supported ID providers are:
 2673                         </para>
 2674                         <para>
 2675                             <quote>proxy</quote>: Support a legacy NSS provider.
 2676                         </para>
 2677                         <para condition="enable_local_provider">
 2678                             <quote>local</quote>: SSSD internal provider for
 2679                             local users (DEPRECATED).
 2680                         </para>
 2681                         <para>
 2682                             <quote>files</quote>: FILES provider. See
 2683                             <citerefentry>
 2684                                 <refentrytitle>sssd-files</refentrytitle>
 2685                                 <manvolnum>5</manvolnum>
 2686                             </citerefentry> for more information on
 2687                             how to mirror local users and groups into SSSD.
 2688                         </para>
 2689                         <para>
 2690                             <quote>ldap</quote>:  LDAP provider. See
 2691                             <citerefentry>
 2692                                 <refentrytitle>sssd-ldap</refentrytitle>
 2693                                 <manvolnum>5</manvolnum>
 2694                             </citerefentry> for more information on
 2695                             configuring LDAP.
 2696                         </para>
 2697                         <para>
 2698                             <quote>ipa</quote>: FreeIPA and Red Hat Enterprise
 2699                             Identity Management provider. See
 2700                             <citerefentry>
 2701                                 <refentrytitle>sssd-ipa</refentrytitle>
 2702                                 <manvolnum>5</manvolnum>
 2703                             </citerefentry> for more information on
 2704                             configuring FreeIPA.
 2705                         </para>
 2706                         <para>
 2707                             <quote>ad</quote>: Active Directory provider. See
 2708                             <citerefentry>
 2709                                 <refentrytitle>sssd-ad</refentrytitle>
 2710                                 <manvolnum>5</manvolnum>
 2711                             </citerefentry> for more information on
 2712                             configuring Active Directory.
 2713                         </para>
 2714                     </listitem>
 2715                 </varlistentry>
 2716 
 2717                 <varlistentry>
 2718                     <term>use_fully_qualified_names (bool)</term>
 2719                     <listitem>
 2720                         <para>
 2721                             Use the full name and domain (as formatted by
 2722                             the domain's full_name_format) as the user's login
 2723                             name reported to NSS.
 2724                         </para>
 2725                         <para>
 2726                             If set to TRUE, all requests to this domain
 2727                             must use fully qualified names. For example,
 2728                             if used in LOCAL domain that contains a "test"
 2729                             user, <command>getent passwd test</command>
 2730                             wouldn't find the user while <command>getent
 2731                             passwd test@LOCAL</command> would.
 2732                         </para>
 2733                         <para>
 2734                             NOTE: This option has no effect on netgroup
 2735                             lookups due to their tendency to include nested
 2736                             netgroups without qualified names. For netgroups,
 2737                             all domains will be searched when an unqualified
 2738                             name is requested.
 2739                         </para>
 2740                         <para>
 2741                             Default: FALSE (TRUE for trusted
 2742                             domain/sub-domains or if default_domain_suffix
 2743                             is used)
 2744                         </para>
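<para>
    The following Python snippet is an added illustration of the matching rule
    described above, not SSSD code. It assumes the default full_name_format of
    user@domain and a constructed two-domain setup in which LOCAL requires fully
    qualified names and EXAMPLE does not. lookup_user() returns the login name
    NSS would report (or None, as getent passwd test versus getent passwd
    test@LOCAL shows), and lookup_netgroup() shows the netgroup exemption: an
    unqualified netgroup name is searched in every domain and the domain where it
    was found is returned.
</para>

```python
from typing import Dict, Optional, Tuple

# Added illustration of use_fully_qualified_names; not SSSD code.
# Constructed domain table: LOCAL requires qualified names, EXAMPLE does not.
DOMAINS: Dict[str, dict] = {
    "LOCAL":   {"use_fully_qualified_names": True,  "users": {"test"},  "netgroups": {"admins"}},
    "EXAMPLE": {"use_fully_qualified_names": False, "users": {"alice"}, "netgroups": {"webservers"}},
}

def split_name(name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@DOMAIN' into (user, domain); an unqualified name yields (name, None).

    Assumes the default full_name_format, i.e. the domain follows the last '@'.
    """
    user, sep, domain = name.rpartition("@")
    return (user, domain) if sep else (name, None)

def lookup_user(name: str, domains: Dict[str, dict] = DOMAINS) -> Optional[str]:
    """Return the login name NSS would report for the request, or None."""
    user, domain = split_name(name)
    if domain is not None:
        cfg = domains.get(domain)
        if cfg and user in cfg["users"]:
            # A domain with use_fully_qualified_names reports the qualified form.
            return "%s@%s" % (user, domain) if cfg["use_fully_qualified_names"] else user
        return None
    for cfg in domains.values():
        if cfg["use_fully_qualified_names"]:
            continue          # this domain only answers fully qualified requests
        if user in cfg["users"]:
            return user
    return None

def lookup_netgroup(name: str, domains: Dict[str, dict] = DOMAINS) -> Optional[str]:
    """Netgroups are exempt: every domain is searched for an unqualified name.

    Returns the name of the domain in which the netgroup was found, or None.
    """
    netgroup, domain = split_name(name)
    candidates = [domain] if domain is not None else list(domains)
    for dname in candidates:
        cfg = domains.get(dname)
        if cfg and netgroup in cfg["netgroups"]:
            return dname
    return None

if __name__ == "__main__":
    for request in ("test", "test@LOCAL", "alice", "admins"):
        print(request, "->", lookup_user(request), "/ netgroup in", lookup_netgroup(request))
```

<para>
    The unqualified request for test finds nothing because LOCAL is skipped, the
    qualified one succeeds, and the netgroup admins is found in LOCAL even
    without a qualifier.
</para>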
 2745                     </listitem>
 2746                 </varlistentry>
 2747                 <varlistentry>
 2748                     <term>ignore_group_members (bool)</term>
 2749                     <listitem>
 2750                         <para>
 2751                             Do not return group members for group lookups.
 2752                         </para>
 2753                         <para>
 2754                             If set to TRUE, the group membership attribute
 2755                             is not requested from the ldap server, and
 2756                             group members are not returned when processing
 2757                             group lookup calls, such as
 2758                             <citerefentry>
 2759                                 <refentrytitle>getgrnam</refentrytitle>
 2760                                 <manvolnum>3</manvolnum>
 2761                             </citerefentry>
 2762                             or
 2763                             <citerefentry>
 2764                                 <refentrytitle>getgrgid</refentrytitle>
 2765                                 <manvolnum>3</manvolnum>
 2766                             </citerefentry>.
 2767                             As an effect, <quote>getent group
 2768                             $groupname</quote> would return the requested
 2769                             group as if it were empty.
 2770                         </para>
 2771                         <para>
 2772                             Enabling this option can also make access
 2773                             provider checks for group membership
 2774                             significantly faster, especially for groups
 2775                             containing many members.
 2776                         </para>
 2777                         <para>
 2778                             Default: FALSE
 2779                         </para>
 2780                     </listitem>
 2781                 </varlistentry>
 2782                 <varlistentry>
 2783                     <term>auth_provider (string)</term>
 2784                     <listitem>
 2785                         <para>
 2786                             The authentication provider used for the domain.
 2787                             Supported auth providers are:
 2788                         </para>
 2789                         <para>
 2790                             <quote>ldap</quote> for native LDAP authentication. See
 2791                             <citerefentry>
 2792                                 <refentrytitle>sssd-ldap</refentrytitle>
 2793                                 <manvolnum>5</manvolnum>
 2794                             </citerefentry> for more information on configuring LDAP.
 2795                         </para>
 2796                         <para>
 2797                             <quote>krb5</quote> for Kerberos authentication. See
 2798                             <citerefentry>
 2799                                 <refentrytitle>sssd-krb5</refentrytitle>
 2800                                 <manvolnum>5</manvolnum>
 2801                             </citerefentry> for more information on configuring Kerberos.
 2802                         </para>
 2803                         <para>
 2804                             <quote>ipa</quote>: FreeIPA and Red Hat Enterprise
 2805                             Identity Management provider. See
 2806                             <citerefentry>
 2807                                 <refentrytitle>sssd-ipa</refentrytitle>
 2808                                 <manvolnum>5</manvolnum>
 2809                             </citerefentry> for more information on
 2810                             configuring FreeIPA.
 2811                         </para>
 2812                         <para>
 2813                             <quote>ad</quote>: Active Directory provider. See
 2814                             <citerefentry>
 2815                                 <refentrytitle>sssd-ad</refentrytitle>
 2816                                 <manvolnum>5</manvolnum>
 2817                             </citerefentry> for more information on
 2818                             configuring Active Directory.
 2819                         </para>
 2820                         <para>
 2821                             <quote>proxy</quote> for relaying authentication to some other PAM target.
 2822                         </para>
 2823                         <para condition="enable_local_provider">
 2824                             <quote>local</quote>: SSSD internal provider for
 2825                             local users
 2826                         </para>
 2827                         <para>
 2828                             <quote>none</quote> disables authentication explicitly.
 2829                         </para>
 2830                         <para>
 2831                             Default: <quote>id_provider</quote> is used if it
 2832                             is set and can handle authentication requests.
 2833                         </para>
 2834                     </listitem>
 2835                 </varlistentry>
 2836                 <varlistentry>
 2837                     <term>access_provider (string)</term>
 2838                     <listitem>
 2839                         <para>
 2840                             The access control provider used for the domain.
 2841                             There are two built-in access providers (in
 2842                             addition to any included in installed backends).
 2843                             Internal special providers are:
 2844                         </para>
 2845                         <para>
 2846                             <quote>permit</quote> always allows access. It is the only permitted access provider for a local domain.
 2847                         </para>
 2848                         <para>
 2849                             <quote>deny</quote> always denies access.
 2850                         </para>
 2851                         <para>
 2852                             <quote>ldap</quote> for native LDAP authentication. See
 2853                             <citerefentry>
 2854                                 <refentrytitle>sssd-ldap</refentrytitle>
 2855                                 <manvolnum>5</manvolnum>
 2856                             </citerefentry> for more information on configuring LDAP.
 2857                         </para>
 2858                         <para>
 2859                             <quote>ipa</quote>: FreeIPA and Red Hat Enterprise
 2860                             Identity Management provider. See
 2861                             <citerefentry>
 2862                                 <refentrytitle>sssd-ipa</refentrytitle>
 2863                                 <manvolnum>5</manvolnum>
 2864                             </citerefentry> for more information on
 2865                             configuring FreeIPA.
 2866                         </para>
 2867                         <para>
 2868                             <quote>ad</quote>: Active Directory provider. See
 2869                             <citerefentry>
 2870                                 <refentrytitle>sssd-ad</refentrytitle>
 2871                                 <manvolnum>5</manvolnum>
 2872                             </citerefentry> for more information on
 2873                             configuring Active Directory.
 2874                         </para>
 2875                         <para>
 2876                             <quote>simple</quote> access control based on access
 2877                             or deny lists. See <citerefentry>
 2878                             <refentrytitle>sssd-simple</refentrytitle>
 2879                             <manvolnum>5</manvolnum></citerefentry> for more
 2880                             information on configuring the simple access module.
 2881                         </para>
 2882                         <para>
 2883                             <quote>krb5</quote>: .k5login based access control.
 2884                             See <citerefentry>
 2885                             <refentrytitle>sssd-krb5</refentrytitle>
 2886                             <manvolnum>5</manvolnum></citerefentry> for more
 2887                             information on configuring Kerberos.
 2888                         </para>
 2889                         <para>
 2890                             <quote>proxy</quote> for relaying access control to another PAM module.
 2891                         </para>
 2892                         <para>
 2893                             Default: <quote>permit</quote>
 2894                         </para>
 2895                     </listitem>
 2896                 </varlistentry>
 2897                 <varlistentry>
 2898                     <term>chpass_provider (string)</term>
 2899                     <listitem>
 2900                         <para>
 2901                             The provider which should handle change password
 2902                             operations for the domain.
 2903                             Supported change password providers are:
 2904                         </para>
 2905                         <para>
 2906                             <quote>ldap</quote> to change a password stored
 2907                             in an LDAP server. See
 2908                             <citerefentry>
 2909                                 <refentrytitle>sssd-ldap</refentrytitle>
 2910                                 <manvolnum>5</manvolnum>
 2911                             </citerefentry> for more information on configuring LDAP.
 2912                         </para>
 2913                         <para>
 2914                             <quote>krb5</quote> to change the Kerberos
 2915                             password. See
 2916                             <citerefentry>
 2917                                 <refentrytitle>sssd-krb5</refentrytitle>
 2918                                 <manvolnum>5</manvolnum>
 2919                             </citerefentry> for more information on configuring Kerberos.
 2920                         </para>
 2921                         <para>
 2922                             <quote>ipa</quote>: FreeIPA and Red Hat Enterprise
 2923                             Identity Management provider. See
 2924                             <citerefentry>
 2925                                 <refentrytitle>sssd-ipa</refentrytitle>
 2926                                 <manvolnum>5</manvolnum>
 2927                             </citerefentry> for more information on
 2928                             configuring FreeIPA.
 2929                         </para>
 2930                         <para>
 2931                             <quote>ad</quote>: Active Directory provider. See
 2932                             <citerefentry>
 2933                                 <refentrytitle>sssd-ad</refentrytitle>
 2934                                 <manvolnum>5</manvolnum>
 2935                             </citerefentry> for more information on
 2936                             configuring Active Directory.
 2937                         </para>
 2938                         <para>
 2939                             <quote>proxy</quote> for relaying password changes
 2940                             to some other PAM target.
 2941                         </para>
 2942                         <para>
 2943                             <quote>none</quote> disallows password changes explicitly.
 2944                         </para>
 2945                         <para>
 2946                             Default: <quote>auth_provider</quote> is used if it
 2947                             is set and can handle change password requests.
 2948                         </para>
 2949                     </listitem>
 2950                 </varlistentry>
 2951 
 2952                 <varlistentry condition="with_sudo">
 2953                     <term>sudo_provider (string)</term>
 2954                     <listitem>
 2955                         <para>
 2956                             The SUDO provider used for the domain.
 2957                             Supported SUDO providers are:
 2958                         </para>
 2959                         <para>
 2960                             <quote>ldap</quote> for rules stored in LDAP. See
 2961                             <citerefentry>
 2962                                 <refentrytitle>sssd-ldap</refentrytitle>
 2963                                 <manvolnum>5</manvolnum>
 2964                             </citerefentry> for more information on configuring
 2965                             LDAP.
 2966                         </para>
 2967                         <para>
 2968                             <quote>ipa</quote> the same as <quote>ldap</quote>
 2969                             but with IPA default settings.
 2970                         </para>
 2971                         <para>
 2972                             <quote>ad</quote> the same as <quote>ldap</quote>
 2973                             but with AD default settings.
 2974                         </para>
 2975                         <para>
 2976                             <quote>none</quote> disables SUDO explicitly.
 2977                         </para>
 2978                         <para>
 2979                             Default: The value of <quote>id_provider</quote> is
 2980                             used if it is set.
 2981                         </para>
 2982                         <para>
 2983                             The detailed instructions for configuration of
 2984                             sudo_provider are in the manual page
 2985                             <citerefentry>
 2986                                 <refentrytitle>sssd-sudo</refentrytitle>
 2987                                 <manvolnum>5</manvolnum>
 2988                             </citerefentry>.
 2989                             There are many configuration options that can be
 2990                             used to adjust the behavior. Please refer to
 2991                             "ldap_sudo_*" in
 2992                             <citerefentry>
 2993                                 <refentrytitle>sssd-ldap</refentrytitle>
 2994                                 <manvolnum>5</manvolnum>
 2995                             </citerefentry>.
 2996                         </para>
 2997                         <para>
 2998                             <emphasis>NOTE:</emphasis> Sudo rules are
 2999                             periodically downloaded in the background unless
 3000                             the sudo provider is explicitly disabled. Set
 3001                             <emphasis>sudo_provider = None</emphasis> to
 3002                             disable all sudo-related activity in SSSD if you do
 3003                             not want to use sudo with SSSD at all.
 3004                         </para>
 3005                     </listitem>
 3006                 </varlistentry>
 3007                 <varlistentry>
 3008                     <term>selinux_provider (string)</term>
 3009                     <listitem>
 3010                         <para>
 3011                             The provider which should handle loading of selinux
 3012                             settings. Note that this provider is called right
 3013                             after the access provider finishes.
 3014                             Supported selinux providers are:
 3015                         </para>
 3016                         <para>
 3017                             <quote>ipa</quote> to load selinux settings
 3018                             from an IPA server. See
 3019                             <citerefentry>
 3020                                 <refentrytitle>sssd-ipa</refentrytitle>
 3021                                 <manvolnum>5</manvolnum>
 3022                             </citerefentry> for more information on configuring IPA.
 3023                         </para>
 3024                         <para>
 3025                             <quote>none</quote> disallows fetching selinux settings explicitly.
 3026                         </para>
 3027                         <para>
 3028                             Default: <quote>id_provider</quote> is used if it
 3029                             is set and can handle selinux loading requests.
 3030                         </para>
 3031                     </listitem>
 3032                 </varlistentry>
 3033                 <varlistentry>
 3034                     <term>subdomains_provider (string)</term>
 3035                     <listitem>
 3036                         <para>
 3037                             The provider which should handle fetching of
 3038                             subdomains. This value should always be the same
 3039                             as id_provider.
 3040                             Supported subdomain providers are:
 3041                         </para>
 3042                         <para>
 3043                             <quote>ipa</quote> to load a list of subdomains
 3044                             from an IPA server. See
 3045                             <citerefentry>
 3046                                 <refentrytitle>sssd-ipa</refentrytitle>
 3047                                 <manvolnum>5</manvolnum>
 3048                             </citerefentry> for more information on configuring
 3049                             IPA.
 3050                         </para>
 3051                         <para>
 3052                             <quote>ad</quote> to load a list of subdomains
 3053                             from an Active Directory server. See
 3054                             <citerefentry>
 3055                                 <refentrytitle>sssd-ad</refentrytitle>
 3056                                 <manvolnum>5</manvolnum>
 3057                             </citerefentry> for more information on configuring
 3058                             the AD provider.
 3059                         </para>
 3060                         <para>
 3061                             <quote>none</quote> disallows fetching subdomains
 3062                             explicitly.
 3063                         </para>
 3064                         <para>
 3065                             Default: The value of <quote>id_provider</quote> is
 3066                             used if it is set.
 3067                         </para>
 3068                     </listitem>
 3069                 </varlistentry>
 3070                 <varlistentry>
 3071                     <term>session_provider (string)</term>
 3072                     <listitem>
 3073                         <para>
 3074                             The provider which configures and manages user session
 3075                             related tasks. The only user session task currently
 3076                             provided is the integration with Fleet Commander, which
 3077                             works only with IPA.
 3078                             Supported session providers are:
 3079                         </para>
 3080                         <para>
 3081                             <quote>ipa</quote> to allow performing user session
 3082                             related tasks.
 3083                         </para>
 3084                         <para>
 3085                             <quote>none</quote> does not perform any kind of user
 3086                             session related tasks.
 3087                         </para>
 3088                         <para>
 3089                             Default: <quote>id_provider</quote> is used if it
 3090                             is set and can perform session related tasks.
 3091                         </para>
 3092                         <para>
 3093                             <emphasis>NOTE:</emphasis> In order for this feature
 3094                             to work as expected, SSSD must run as "root" and
 3095                             not as the unprivileged user.
 3096                         </para>
 3097                     </listitem>
 3098                 </varlistentry>
 3099 
 3100                 <varlistentry condition="with_autofs">
 3101                     <term>autofs_provider (string)</term>
 3102                     <listitem>
 3103                         <para>
 3104                             The autofs provider used for the domain.
 3105                             Supported autofs providers are:
 3106                         </para>
 3107                         <para>
 3108                             <quote>ldap</quote> to load maps stored in LDAP. See
 3109                             <citerefentry>
 3110                                 <refentrytitle>sssd-ldap</refentrytitle>
 3111                                 <manvolnum>5</manvolnum>
 3112                             </citerefentry> for more information on configuring LDAP.
 3113                         </para>
 3114                         <para>
 3115                             <quote>ipa</quote> to load maps stored in an IPA
 3116                             server. See
 3117                             <citerefentry>
 3118                                 <refentrytitle>sssd-ipa</refentrytitle>
 3119                                 <manvolnum>5</manvolnum>
 3120                             </citerefentry> for more information on configuring IPA.
 3121                         </para>
 3122                         <para>
 3123                             <quote>ad</quote> to load maps stored in an AD
 3124                             server. See
 3125                             <citerefentry>
 3126                                 <refentrytitle>sssd-ad</refentrytitle>
 3127                                 <manvolnum>5</manvolnum>
 3128                             </citerefentry> for more information on configuring
 3129                             the AD provider.
 3130                         </para>
 3131                         <para>
 3132                             <quote>none</quote> disables autofs explicitly.
 3133                         </para>
 3134                         <para>
 3135                             Default: The value of <quote>id_provider</quote> is used if it
 3136                             is set.
 3137                         </para>
 3138                     </listitem>
 3139                 </varlistentry>
 3140 
 3141                 <varlistentry>
 3142                     <term>hostid_provider (string)</term>
 3143                     <listitem>
 3144                         <para>
 3145                             The provider used for retrieving host identity information.
 3146                             Supported hostid providers are:
 3147                         </para>
 3148                         <para>
 3149                             <quote>ipa</quote> to load host identity stored in an IPA
 3150                             server. See
 3151                             <citerefentry>
 3152                                 <refentrytitle>sssd-ipa</refentrytitle>
 3153                                 <manvolnum>5</manvolnum>
 3154                             </citerefentry> for more information on configuring IPA.
 3155                         </para>
 3156                         <para>
 3157                             <quote>none</quote> disables hostid explicitly.
 3158                         </para>
 3159                         <para>
 3160                             Default: The value of <quote>id_provider</quote> is used if it
 3161                             is set.
 3162                         </para>
 3163                     </listitem>
 3164                 </varlistentry>
 3165 
 3166                 <varlistentry>
 3167                     <term>resolver_provider (string)</term>
 3168                     <listitem>
 3169                         <para>
 3170                             The provider which should handle hosts and networks
 3171                             lookups. Supported resolver providers are:
 3172                         </para>
 3173                         <para>
 3174                             <quote>proxy</quote> to forward lookups to another
 3175                             NSS library. See <quote>proxy_resolver_lib_name</quote>.
 3176                         </para>
 3177                         <para>
 3178                             <quote>ldap</quote> to fetch hosts and networks stored in LDAP. See
 3179                             <citerefentry>
 3180                                 <refentrytitle>sssd-ldap</refentrytitle>
 3181                                 <manvolnum>5</manvolnum>
 3182                             </citerefentry> for more information on configuring LDAP.
 3183                         </para>
 3184                         <para>
 3185                             <quote>ad</quote> to fetch hosts and networks stored in AD. See
 3186                             <citerefentry>
 3187                                 <refentrytitle>sssd-ad</refentrytitle>
 3188                                 <manvolnum>5</manvolnum>
 3189                             </citerefentry> for more information on configuring
 3190                             the AD provider.
 3191                         </para>
 3192                         <para>
 3193                             <quote>none</quote> disallows fetching hosts and networks explicitly.
 3194                         </para>
 3195                         <para>
 3196                             Default: The value of <quote>id_provider</quote> is used if it
 3197                             is set.
 3198                         </para>
 3199                     </listitem>
 3200                 </varlistentry>
 3201 
 3202                 <varlistentry>
 3203                     <term>re_expression (string)</term>
 3204                     <listitem>
 3205                         <para>
 3206                             Regular expression for this domain that describes
 3207                             how to parse the string containing user name and
 3208                             domain into these components.
 3209                             The "domain" can match either the SSSD
 3210                             configuration domain name, or, in the case
 3211                             of IPA trust subdomains and Active Directory
 3212                             domains, the flat (NetBIOS) name of the domain.
 3213                         </para>
 3214                         <para>
 3215                             Default for the AD and IPA provider:
 3216                             <quote>(((?P&lt;domain&gt;[^\\]+)\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\]+)$))</quote>
 3217                             which allows three different styles for user names:
 3218                             <itemizedlist>
 3219                                 <listitem>
 3220                                     <para>username</para>
 3221                                 </listitem>
 3222                                 <listitem>
 3223                                     <para>username@domain.name</para>
 3224                                 </listitem>
 3225                                 <listitem>
 3226                                     <para>domain\username</para>
 3227                                 </listitem>
 3228                             </itemizedlist>
 3229                             While the first two correspond to the general
 3230                             default, the third one is introduced to allow easy
 3231                             integration of users from Windows domains.
 3232                         </para>
 3233                         <para>
 3234                             Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
 3235                             which translates to "the name is everything up to
 3236                             the <quote>@</quote> sign, the domain everything
 3237                             after that".
 3238                         </para>
 3239                         <para>
 3240                             NOTE: Some Active Directory groups, typically
 3241                             those used for MS Exchange, contain an
 3242                             <quote>@</quote> sign in the name, which
 3243                             clashes with the default re_expression value for
 3244                             the AD and IPA providers. To support these groups,
 3245                             consider changing the re_expression value to:
 3246                             <quote>((?P&lt;name&gt;.+)@(?P&lt;domain&gt;[^@]+$))</quote>.
 3247                         </para>
 3248                     </listitem>
 3249                 </varlistentry>
 3250                 <varlistentry>
 3251                     <term>full_name_format (string)</term>
 3252                     <listitem>
 3253                         <para>
 3254                             A <citerefentry>
 3255                                 <refentrytitle>printf</refentrytitle>
 3256                                 <manvolnum>3</manvolnum>
 3257                             </citerefentry>-compatible format that describes how to
 3258                             compose a fully qualified name from user name
 3259                             and domain name components.
 3260                         </para>
 3261                         <para>
 3262                             The following expansions are supported:
 3263                             <variablelist>
 3264                                 <varlistentry>
 3265                                     <term>%1$s</term>
 3266                                     <listitem><para>user name</para></listitem>
 3267                                 </varlistentry>
 3268                                 <varlistentry>
 3269                                     <term>%2$s</term>
 3270                                     <listitem>
 3271                                         <para>
 3272                                             domain name as specified in the
 3273                                             SSSD config file.
 3274                                         </para>
 3275                                     </listitem>
 3276                                 </varlistentry>
 3277                                 <varlistentry>
 3278                                     <term>%3$s</term>
 3279                                     <listitem>
 3280                                         <para>
 3281                                             domain flat name. Mostly usable
 3282                                             for Active Directory domains, both
 3283                                             directly configured or discovered
 3284                                             via IPA trusts.
 3285                                         </para>
 3286                                     </listitem>
 3287                                 </varlistentry>
 3288                             </variablelist>
 3289                         </para>
 3290                         <para>
 3291                             Default: <quote>%1$s@%2$s</quote>.
 3292                         </para>
 3293                     </listitem>
 3294                 </varlistentry>
 3295 
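The three user name styles accepted by the AD/IPA default re_expression, the MS Exchange clash described in the NOTE above, and the full_name_format expansions can be exercised outside SSSD with the helper below. This is an added example, not SSSD's own code: SSSD evaluates re_expression with PCRE, where one group name may recur across alternatives, so the helper renames duplicate groups before handing the pattern to Python's re module; all user, group and domain names used here are constructed.

```python
"""Apply sssd.conf(5) re_expression and full_name_format values outside SSSD.

Added example, not SSSD's own code. SSSD matches re_expression with PCRE,
which accepts the same group name in several alternatives; Python's re
module rejects that, so duplicate names are renamed (name, name__1, ...)
for matching and collapsed again afterwards.
"""
import re

# Values quoted in sssd.conf(5), with the XML entities decoded.
RE_EXPRESSION_AD_IPA = (
    r"(((?P<domain>[^\\]+)\\(?P<name>.+$))"
    r"|((?P<name>[^@]+)@(?P<domain>.+$))"
    r"|(^(?P<name>[^@\\]+)$))"
)
RE_EXPRESSION_DEFAULT = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
RE_EXPRESSION_EXCHANGE = r"((?P<name>.+)@(?P<domain>[^@]+$))"
FULL_NAME_FORMAT_DEFAULT = "%1$s@%2$s"


def _pythonize(expression):
    """Rename repeated (?P<x>...) groups to x, x__1, x__2 ... so re accepts them."""
    seen = {}

    def rename(match):
        base = match.group(1)
        count = seen.get(base, 0)
        seen[base] = count + 1
        return f"(?P<{base}>" if count == 0 else f"(?P<{base}__{count}>"

    return re.sub(r"\(\?P<(\w+)>", rename, expression)


def parse_name(expression, fqname):
    """Split fqname into the components named by re_expression.

    Returns {"name": ..., "domain": ...}; a component the matching
    alternative does not capture comes back as "". Raises ValueError when
    the string matches no alternative at all (unanchored search, as PCRE).
    """
    match = re.search(_pythonize(expression), fqname)
    if match is None:
        raise ValueError(f"{fqname!r} does not match re_expression")
    parts = {}
    for group, value in match.groupdict().items():
        base = group.split("__", 1)[0]
        # Only the alternative that matched captured anything; the rest are None.
        if value is not None and base not in parts:
            parts[base] = value
    return {"name": parts.get("name", ""), "domain": parts.get("domain", "")}


def compose_full_name(fmt, name, domain, flat_name=""):
    """Expand full_name_format: %1$s user name, %2$s config domain, %3$s flat name."""
    args = {"1": name, "2": domain, "3": flat_name}

    def expand(match):
        return "%" if match.group(0) == "%%" else args[match.group(1)]

    return re.sub(r"%([123])\$s|%%", expand, fmt)


if __name__ == "__main__":
    # Constructed inputs: one user in the three accepted styles, and an
    # Exchange-style group whose own name contains an "@" sign.
    for user in ("alice", "alice@ad.example.com", r"AD\alice"):
        print(user, "->", parse_name(RE_EXPRESSION_AD_IPA, user))
    group = "sales-dl@ad.example.com@ad.example.com"
    print("default :", parse_name(RE_EXPRESSION_AD_IPA, group))    # name cut at first "@"
    print("exchange:", parse_name(RE_EXPRESSION_EXCHANGE, group))  # name kept whole
    parts = parse_name(RE_EXPRESSION_AD_IPA, r"AD\alice")
    print(compose_full_name(FULL_NAME_FORMAT_DEFAULT, parts["name"], "ad.example.com"))
```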
 3296                 <varlistentry>
 3297                     <term>lookup_family_order (string)</term>
 3298                     <listitem>
 3299                         <para>
 3300                             Selects the preferred address family to use
 3301                             when performing DNS lookups.
 3302                         </para>
 3303                         <para>
 3304                             Supported values:
 3305                         </para>
 3306                         <para>
 3307                             ipv4_first: Try looking up an IPv4 address; if that fails, try IPv6.
 3308                         </para>
 3309                         <para>
 3310                             ipv4_only: Only attempt to resolve hostnames to IPv4 addresses.
 3311                         </para>
 3312                         <para>
 3313                             ipv6_first: Try looking up an IPv6 address; if that fails, try IPv4.
 3314                         </para>
 3315                         <para>
 3316                             ipv6_only: Only attempt to resolve hostnames to IPv6 addresses.
 3317                         </para>
 3318                         <para>
 3319                             Default: ipv4_first
 3320                         </para>
 3321                     </listitem>
 3322                 </varlistentry>
 3323 
 3324                 <varlistentry>
 3325                     <term>dns_resolver_timeout (integer)</term>
 3326                     <listitem>
 3327                         <para>
 3328                             Defines the amount of time (in seconds) to
 3329                             wait for a reply from the internal failover
 3330                             service before assuming that the service is
 3331                             unreachable. If this timeout is reached, the
 3332                             domain will continue to operate in offline mode.
 3333                         </para>
 3334                         <para>
 3335                             Please see the section <quote>FAILOVER</quote>
 3336                             for more information about the service
 3337                             resolution.
 3338                         </para>
 3339                         <para>
 3340                             Default: 6
 3341                         </para>
 3342                     </listitem>
 3343                 </varlistentry>
 3344 
 3345                 <varlistentry>
 3346                     <term>dns_discovery_domain (string)</term>
 3347                     <listitem>
 3348                         <para>
 3349                             If service discovery is used in the back end, specifies
 3350                             the domain part of the service discovery DNS query.
 3351                         </para>
 3352                         <para>
 3353                             Default: Use the domain part of the machine's hostname
 3354                         </para>
 3355                     </listitem>
 3356                 </varlistentry>
 3357 
 3358                 <varlistentry>
 3359                     <term>override_gid (integer)</term>
 3360                     <listitem>
 3361                         <para>
 3362                             Override the primary GID value with the one specified.
 3363                         </para>
 3364                     </listitem>
 3365                 </varlistentry>
 3366 
 3367                 <varlistentry>
 3368                     <term>case_sensitive (string)</term>
 3369                     <listitem>
 3370                         <para>
 3371                             Treat user and group names as case sensitive.
 3372                             <phrase condition="enable_local_provider">
 3373                                 At the moment, this option is not supported in
 3374                                 the local provider.
 3375                             </phrase>
 3376                             Possible option values are:
 3377                         <variablelist>
 3378                             <varlistentry>
 3379                                 <term>True</term>
 3380                                 <listitem>
 3381                                     <para>
 3382                                         Case sensitive. This value is invalid
 3383                                         for the AD provider.
 3384                                     </para>
 3385                                 </listitem>
 3386                             </varlistentry>
 3387                             <varlistentry>
 3388                                 <term>False</term>
 3389                                 <listitem>
 3390                                     <para>Case insensitive.</para>
 3391                                 </listitem>
 3392                             </varlistentry>
 3393                             <varlistentry>
 3394                                 <term>Preserving</term>
 3395                                 <listitem>
 3396                                     <para>
 3397                                         Same as False (case insensitive), but
 3398                                         does not lowercase names in the result
 3399                                         of NSS operations. Note that name
 3400                                         aliases (and in case of services also
 3401                                         protocol names) are still lowercased in
 3402                                         the output.
 3403                                     </para>
 3404                                     <para>
 3405                                         If you want to set this value for a
 3406                                         trusted domain with the IPA provider, you
 3407                                         need to set it both on the client and in
 3408                                         SSSD on the server.
 3409                                     </para>
 3410                                 </listitem>
 3411                             </varlistentry>
 3412                         </variablelist>
 3413                         </para>
 3414                         <para>
 3415                             This option can also be set per subdomain or
 3416                             inherited via
 3417                             <emphasis>subdomain_inherit</emphasis>.
 3418                         </para>
 3419                         <para>
 3420                             Default: True (False for AD provider)
 3421                         </para>
 3422                     </listitem>
 3423                 </varlistentry>
 3424 
 3425                 <varlistentry>
 3426                     <term>subdomain_inherit (string)</term>
 3427                     <listitem>
 3428                         <para>
 3429                             Specifies a list of configuration parameters that
 3430                             should be inherited by a subdomain. Please note
 3431                             that only selected parameters can be inherited.
 3432                             Currently the following options can be inherited:
 3433                         </para>
 3434                         <para>
 3435                             ignore_group_members
 3436                         </para>
 3437                         <para>
 3438                             ldap_purge_cache_timeout
 3439                         </para>
 3440                         <para>
 3441                             ldap_use_tokengroups
 3442                         </para>
 3443                         <para>
 3444                             ldap_user_principal
 3445                         </para>
 3446                         <para>
 3447                             ldap_krb5_keytab (the value of krb5_keytab will be
 3448                             used if ldap_krb5_keytab is not set explicitly)
 3449                         </para>
 3450                         <para>
 3451                             auto_private_groups
 3452                         </para>
 3453                         <para>
 3454                             case_sensitive
 3455                         </para>
 3456                         <para>
 3457                             Example:
 3458                             <programlisting>
 3459 subdomain_inherit = ldap_purge_cache_timeout
 3460                             </programlisting>
 3461                         </para>
 3462                         <para>
 3463                             Default: none
 3464                         </para>
 3465                         <para>
 3466                             Note: This option only works with the IPA and
 3467                             AD provider.
 3468                         </para>
 3469                     </listitem>
 3470                 </varlistentry>
 3471 
 3472                 <varlistentry>
 3473                     <term>subdomain_homedir (string)</term>
 3474                     <listitem>
 3475                         <para>
 3476                             Use this home directory as the default value for all
 3477                             subdomains within this domain in an IPA-AD trust.
 3478                             See <emphasis>override_homedir</emphasis>
 3479                             for information about possible values. In addition to
 3480                             those, the expansion below can only be used with
 3481                             <emphasis>subdomain_homedir</emphasis>.
 3482                             <variablelist>
 3483                                 <varlistentry>
 3484                                     <term>%F</term>
 3485                                     <listitem><para>flat (NetBIOS) name of a subdomain.</para></listitem>
 3486                                 </varlistentry>
 3487                             </variablelist>
 3488                         </para>
 3489                         <para>
 3490                             The value can be overridden by the
 3491                             <emphasis>override_homedir</emphasis> option.
 3492                         </para>
 3493                         <para>
 3494                             Default: <filename>/home/%d/%u</filename>
 3495                         </para>
 3496                     </listitem>
 3497                 </varlistentry>
 3498                 <varlistentry>
 3499                     <term>realmd_tags (string)</term>
 3500                     <listitem>
 3501                         <para>
 3502                             Various tags stored by the realmd configuration service
 3503                             for this domain.
 3504                         </para>
 3505                     </listitem>
 3506                 </varlistentry>
 3507                 <varlistentry>
 3508                     <term>cached_auth_timeout (int)</term>
 3509                     <listitem>
 3510                         <para>
 3511                             Specifies the time in seconds since the last successful
 3512                             online authentication during which the user will be
 3513                             authenticated using cached credentials while
 3514                             SSSD is in online mode. If the supplied credentials
 3515                             do not match the cached ones, SSSD falls back to
 3516                             online authentication.
 3517                         </para>
 3518                         <para>
 3519                             This option's value is inherited by all trusted
 3520                             domains. At the moment it is not possible to set
 3521                             a different value per trusted domain.
 3522                         </para>
 3523                         <para>
 3524                             Special value 0 implies that this feature is
 3525                             disabled.
 3526                         </para>
 3527                         <para>
 3528                             Please note that if <quote>cached_auth_timeout</quote>
 3529                             is longer than <quote>pam_id_timeout</quote>, the
 3530                             back end could be called to handle
 3531                             <quote>initgroups</quote>.
 3532                         </para>
 3533                         <para>
 3534                             Default: 0
 3535                         </para>
 3536                     </listitem>
 3537                 </varlistentry>
 3538                 <varlistentry>
 3539                     <term>auto_private_groups (string)</term>
 3540                     <listitem>
 3541                         <para>
 3542                             This option takes any of three available values:
 3543                             <variablelist>
 3544                                 <varlistentry>
 3545                                     <term>true</term>
 3546                                     <listitem>
 3547                                         <para>
 3548                                             Create the user's private group unconditionally from the user's UID number.
 3549                                             The GID number is ignored in this case.
 3550                                         </para>
 3551                                         <para>
 3552                                             NOTE: Because the GID number and the user private group
 3553                                             are inferred from the UID number, it is not supported
 3554                                             to have multiple entries with the same UID or GID number
 3555                                             with this option. In other words, enabling this option
 3556                                             enforces uniqueness across the ID space.
 3557                                         </para>
 3558                                     </listitem>
 3559                                 </varlistentry>
 3560                                 <varlistentry>
 3561                                     <term>false</term>
 3562                                     <listitem>
 3563                                         <para>
 3564                                             Always use the user's primary GID number. The GID number must refer
 3565                                             to a group object in the LDAP database.
 3566                                         </para>
 3567                                     </listitem>
 3568                                 </varlistentry>
 3569                                 <varlistentry>
 3570                                     <term>hybrid</term>
 3571                                     <listitem>
 3572                                         <para>
 3573                                             A primary group is autogenerated
 3574                                             for user entries whose UID
 3575                                             and GID numbers have the same
 3576                                             value and at the same time the
 3577                                             GID number does not correspond
 3578                                             to a real group object in LDAP.
 3579                                             If the values are the same, but
 3580                                             the primary GID in the user entry
 3581                                             is also used by a group object,
 3582                                             the primary GID of the user resolves
 3583                                             to that group object.
 3584                                         </para>
 3585                                         <para>
 3586                                             If the UID and GID of a user
 3587                                             are different, then the GID
 3588                                             must correspond to a group
 3589                                             entry, otherwise the GID is
 3590                                             simply not resolvable.
 3591                                         </para>
 3592                                         <para>
 3593                                             This feature is useful for
 3594                                             environments that wish to stop
 3595                                             maintaining separate group
 3596                                             objects for the user private
 3597                                             groups, but also wish to retain
 3598                                             the existing user private groups.
 3599                                         </para>
 3600                                     </listitem>
 3601                                 </varlistentry>
 3602                             </variablelist>
 3603                         </para>
 3604                         <para>
 3605                             For subdomains, the default value is False for
 3606                             subdomains that use assigned POSIX IDs and True
 3607                             for subdomains that use automatic ID-mapping.
 3608                         </para>
 3609                         <para>
 3610                             The value of auto_private_groups can either be set per subdomain
 3611                             in a subsection, for example:
 3612 <programlisting>
 3613 [domain/forest.domain/sub.domain]
 3614 auto_private_groups = false
 3615 </programlisting>
 3616                             or globally for all subdomains in the main domain section
 3617                             using the subdomain_inherit option:
 3618 <programlisting>
 3619 [domain/forest.domain]
 3620 subdomain_inherit = auto_private_groups
 3621 auto_private_groups = false
 3622 </programlisting>
 3623                         </para>
 3624                     </listitem>
 3625                 </varlistentry>
 3626             </variablelist>
 3627         </para>
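        <para>
            The following Python example is added here to make the rules above
            concrete; it is not part of the manual or of SSSD itself. It reads a
            constructed sssd.conf fragment with configparser, works out which
            auto_private_groups value applies to a subdomain (an explicit
            subdomain subsection, a value inherited through subdomain_inherit,
            or the documented subdomain default; this precedence order is an
            assumption of the example, as is the "false" default for the main
            domain), applies the true/false/hybrid semantics to a single user
            entry, and lists the ID-space collisions that the "true" mode does
            not tolerate. The group_exists callback stands in for the LDAP
            lookup of a group object.
        </para>

```python
import configparser

# Constructed sssd.conf fragment (not taken from the manual): an AD main
# domain that inherits auto_private_groups into its subdomains, and one
# subdomain that overrides the value in its own subsection.
SAMPLE_CONF = """
[sssd]
domains = forest.domain

[domain/forest.domain]
id_provider = ad
subdomain_inherit = auto_private_groups
auto_private_groups = hybrid

[domain/forest.domain/sub.domain]
auto_private_groups = false
"""

MODES = ("true", "false", "hybrid")


def load_conf(text):
    """Parse sssd.conf text; interpolation is off because values such as
    LDAP filters may contain '%' and braces."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def inherited_options(section):
    """Split a comma separated subdomain_inherit value into option names."""
    return [o.strip() for o in section.get("subdomain_inherit", "").split(",") if o.strip()]


def effective_auto_private_groups(cfg, domain, subdomain=None, uses_id_mapping=True):
    """Return the auto_private_groups mode that applies to a domain or to one
    of its subdomains.

    Precedence is an assumption of this example (the manual documents the
    two ways to set the value but not their order): an explicit
    [domain/DOMAIN/SUBDOMAIN] setting wins, then a main-domain value listed in
    subdomain_inherit, then the documented default for subdomains (true with
    automatic ID mapping, false with assigned POSIX IDs).
    """
    main = cfg[f"domain/{domain}"]
    if subdomain is None:
        # "false" as the main-domain default is an assumption of this example.
        return main.get("auto_private_groups", "false").lower()
    sub = f"domain/{domain}/{subdomain}"
    if cfg.has_section(sub) and "auto_private_groups" in cfg[sub]:
        return cfg[sub]["auto_private_groups"].lower()
    if "auto_private_groups" in inherited_options(main) and "auto_private_groups" in main:
        return main["auto_private_groups"].lower()
    return "true" if uses_id_mapping else "false"


def resolve_primary_gid(mode, uid, gid, group_exists):
    """Apply the documented semantics of the three modes to one user entry.

    group_exists(gid) stands in for looking up a group object with that GID
    number in LDAP. Returns (gid_number, source), where source says whether
    the primary group is a real group object, an autogenerated private
    group, or unresolvable.
    """
    if mode not in MODES:
        raise ValueError(f"unknown auto_private_groups value: {mode!r}")
    if mode == "true":
        # The private group is derived from the UID; the entry's GID is ignored.
        return uid, "autogenerated"
    if mode == "false":
        # The GID must name a real group object.
        return (gid, "group-object") if group_exists(gid) else (None, "unresolvable")
    # hybrid: a real group object with the GID number always wins; otherwise a
    # private group is autogenerated only when UID and GID are equal.
    if group_exists(gid):
        return gid, "group-object"
    if uid == gid:
        return uid, "autogenerated"
    return None, "unresolvable"


def id_space_collisions(user_uids, group_gids):
    """With auto_private_groups = true every UID doubles as a GID, so the
    manual requires uniqueness across the ID space. Return the numbers that
    violate it: duplicate UIDs and UIDs that clash with an existing group."""
    seen, duplicates = set(), set()
    for uid in user_uids:
        if uid in seen:
            duplicates.add(uid)
        seen.add(uid)
    return sorted(duplicates | (seen & set(group_gids)))
```

        <para>
            Running id_space_collisions over the UIDs and GIDs exported from the
            directory before switching a domain to auto_private_groups = true
            shows which entries would become ambiguous.
        </para>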
 3628 
 3629         <para>
 3630             Options valid for proxy domains.
 3631 
 3632             <variablelist>
 3633                 <varlistentry>
 3634                     <term>proxy_pam_target (string)</term>
 3635                     <listitem>
 3636                         <para>
 3637                             The PAM target (service name) that the proxy provider proxies to.
 3638                         </para>
 3639                         <para>
 3640                             Default: not set. You have to use an
 3641                             existing PAM configuration or create a new one and
 3642                             add its service name here.
 3643                         </para>
 3644                     </listitem>
 3645                 </varlistentry>
 3646 
 3647                 <varlistentry>
 3648                     <term>proxy_lib_name (string)</term>
 3649                     <listitem>
 3650                         <para>
 3651                             The name of the NSS library to use in proxy
 3652                             domains. The NSS functions searched for in the
 3653                             library are in the form of
 3654                             _nss_$(libName)_$(function), for example
 3655                             _nss_files_getpwent.
 3656                         </para>
 3657                     </listitem>
 3658                 </varlistentry>
 3659 
 3660                 <varlistentry>
 3661                     <term>proxy_resolver_lib_name (string)</term>
 3662                     <listitem>
 3663                         <para>
 3664                             The name of the NSS library to use for hosts and
 3665                             networks lookups in proxy domains. The NSS
 3666                             functions searched for in the
 3667                             library are in the form of
 3668                             _nss_$(libName)_$(function), for example
 3669                             _nss_dns_gethostbyname2_r.
 3670                         </para>
 3671                     </listitem>
 3672                 </varlistentry>
 3673 
 3674                 <varlistentry>
 3675                     <term>proxy_fast_alias (boolean)</term>
 3676                     <listitem>
 3677                         <para>
 3678                             When a user or group is looked up by name in
 3679                             the proxy provider, a second lookup by ID is
 3680                             performed to <quote>canonicalize</quote> the name in case
 3681                             the requested name was an alias. Setting this
 3682                             option to true causes SSSD to perform
 3683                             the ID lookup from the cache for performance reasons.
 3684                         </para>
 3685                         <para>
 3686                             Default: false
 3687                         </para>
 3688                     </listitem>
 3689                 </varlistentry>
 3690 
 3691                 <varlistentry>
 3692                     <term>proxy_max_children (integer)</term>
 3693                     <listitem>
 3694                         <para>
 3695                             This option specifies the number of pre-forked
 3696                             proxy children. It is useful for high-load SSSD
 3697                             environments where SSSD may run out of available
 3698                             child slots, which would cause requests to be
 3699                             queued.
 3700                         </para>
 3701                         <para>
 3702                             Default: 10
 3703                         </para>
 3704                     </listitem>
 3705                 </varlistentry>
 3706 
 3707             </variablelist>
 3708         </para>
 3709 
 3710         <refsect2 id='app_domains'>
 3711             <title>Application domains</title>
 3712             <para>
 3713                 SSSD, with its D-Bus interface (see
 3714                 <citerefentry>
 3715                     <refentrytitle>sssd-ifp</refentrytitle>
 3716                     <manvolnum>5</manvolnum>
 3717                 </citerefentry>) is appealing to applications
 3718                 as a gateway to an LDAP directory where users and groups
 3719                 are stored. However, contrary to the traditional SSSD
 3720                 deployment where all users and groups either have POSIX
 3721                 attributes or those attributes can be inferred from the
 3722                 Windows SIDs, in many cases the users and groups in the
 3723                 application support scenario have no POSIX attributes.
 3724                 Instead of setting a
 3725                 <quote>[domain/<replaceable>NAME</replaceable>]</quote>
 3726                 section, the administrator can set up an
 3727                 <quote>[application/<replaceable>NAME</replaceable>]</quote>
 3728                 section that internally represents a domain with type
 3729                 <quote>application</quote> and optionally inherits settings
 3730                 from a traditional SSSD domain.
 3731             </para>
 3732             <para>
 3733                 Please note that the application domain must still be
 3734                 explicitly enabled in the <quote>domains</quote> parameter
 3735                 so that the lookup order between the application domain
 3736                 and its POSIX sibling domain is set correctly.
 3737             </para>
 3738             <variablelist>
 3739                 <title>Application domain parameters</title>
 3740                 <varlistentry>
 3741                     <term>inherit_from (string)</term>
 3742                     <listitem>
 3743                         <para>
 3744                             The SSSD POSIX-type domain the application
 3745                             domain inherits all settings from. The
 3746                             application domain can moreover add its own
 3747                             settings, which augment or override the
 3748                             settings of the <quote>sibling</quote>
 3749                             domain.
 3750                         </para>
 3751                         <para>
 3752                             Default: Not set
 3753                         </para>
 3754                     </listitem>
 3755                 </varlistentry>
 3756             </variablelist>
 3757             <para>
 3758                 The following example illustrates the use of an application
 3759                 domain. In this setup, the POSIX domain is connected to an LDAP
 3760                 server and is used by the OS through the NSS responder. In addition,
 3761                 the application domain also requests the telephoneNumber attribute,
 3762                 stores it as the phone attribute in the cache and makes the phone
 3763                 attribute reachable through the D-Bus interface.
 3764             </para>
 3765 <programlisting>
 3766 [sssd]
 3767 domains = appdom, posixdom
 3768 
 3769 [ifp]
 3770 user_attributes = +phone
 3771 
 3772 [domain/posixdom]
 3773 id_provider = ldap
 3774 ldap_uri = ldap://ldap.example.com
 3775 ldap_search_base = dc=example,dc=com
 3776 
 3777 [application/appdom]
 3778 inherit_from = posixdom
 3779 ldap_user_extra_attrs = phone:telephoneNumber
 3780 </programlisting>
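        <para>
            The following Python example is added here and is not part of the
            manual or of SSSD; it takes the example configuration above as its
            input and shows two things the prose describes: the settings an
            application domain ends up with once the sibling named by
            inherit_from is merged with its own keys, and the consistency
            checks an administrator would want before relying on the setup
            (the application domain and its sibling both listed in the
            <quote>domains</quote> parameter, inherit_from pointing at an
            existing <quote>[domain/...]</quote> section). The function names
            are the example's own.
        </para>

```python
import configparser

# The application domain example from the manual page, embedded here as the
# input for the checks below.
EXAMPLE_CONF = """
[sssd]
domains = appdom, posixdom

[ifp]
user_attributes = +phone

[domain/posixdom]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

[application/appdom]
inherit_from = posixdom
ldap_user_extra_attrs = phone:telephoneNumber
"""


def load_conf(text):
    # Interpolation is off so LDAP filters and URIs are taken literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def enabled_domains(cfg):
    """Domains listed in [sssd] domains, in lookup order."""
    return [d.strip() for d in cfg["sssd"].get("domains", "").split(",") if d.strip()]


def effective_application_settings(cfg, name):
    """Settings an [application/NAME] domain ends up with: everything from the
    sibling named by inherit_from, augmented or overridden by its own keys."""
    app = cfg[f"application/{name}"]
    merged = {}
    sibling = app.get("inherit_from")
    if sibling is not None:
        sibling_section = f"domain/{sibling}"
        if not cfg.has_section(sibling_section):
            raise ValueError(f"{name}: inherit_from names unknown domain {sibling!r}")
        merged.update(cfg[sibling_section])
    # The application domain's own keys win; inherit_from itself is not a setting.
    merged.update((k, v) for k, v in app.items() if k != "inherit_from")
    return merged


def check_application_domain(cfg, name):
    """Return a list of problems with an application domain (empty when the
    configuration meets the requirements stated in the manual)."""
    problems = []
    domains = enabled_domains(cfg)
    section = f"application/{name}"
    if not cfg.has_section(section):
        return [f"no [{section}] section"]
    if name not in domains:
        problems.append(f"{name} is not enabled in [sssd] domains")
    sibling = cfg[section].get("inherit_from")
    if sibling is not None:
        if not cfg.has_section(f"domain/{sibling}"):
            problems.append(f"{name}: inherit_from names unknown domain {sibling!r}")
        elif sibling not in domains:
            problems.append(f"{name}: sibling domain {sibling} is not enabled in [sssd] domains")
    return problems
```

        <para>
            enabled_domains also gives the lookup order between the application
            domain and its POSIX sibling, which is why the manual insists on
            listing the application domain explicitly.
        </para>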
 3781         </refsect2>
 3782 
 3783         <refsect2 id='local_domain' condition="enable_local_provider">
 3784             <title>The local domain section</title>
 3785             <para>
 3786                 This section contains settings for a domain that stores users and
 3787                 groups in the SSSD native database, that is, a domain that uses
 3788                 <replaceable>id_provider=local</replaceable>.
 3789             </para>
 3790             <variablelist>
 3791                 <title>Section parameters</title>
 3792                 <varlistentry>
 3793                     <term>default_shell (string)</term>
 3794                     <listitem>
 3795                         <para>
 3796                             The default shell for users created
 3797                             with SSSD userspace tools.
 3798                         </para>
 3799                         <para>
 3800                             Default: <filename>/bin/bash</filename>
 3801                         </para>
 3802                     </listitem>
 3803                 </varlistentry>
 3804                 <varlistentry>
 3805                     <term>base_directory (string)</term>
 3806                     <listitem>
 3807                         <para>
 3808                             The tools append the login name to
 3809                             <replaceable>base_directory</replaceable> and
 3810                             use that as the home directory.
 3811                         </para>
 3812                         <para>
 3813                             Default: <filename>/home</filename>
 3814                         </para>
 3815                     </listitem>
 3816                 </varlistentry>
 3817                 <varlistentry>
 3818                     <term>create_homedir (bool)</term>
 3819                     <listitem>
 3820                         <para>
 3821                             Indicate if a home directory should be created by default for new users.
 3822                             Can be overridden on command line.
 3823                         </para>
 3824                         <para>
 3825                             Default: TRUE
 3826                         </para>
 3827                     </listitem>
 3828                 </varlistentry>
 3829                 <varlistentry>
 3830                     <term>remove_homedir (bool)</term>
 3831                     <listitem>
 3832                         <para>
 3833                             Indicate if a home directory should be removed by default for deleted users.
 3834                             Can be overridden on command line.
 3835                         </para>
 3836                         <para>
 3837                             Default: TRUE
 3838                         </para>
 3839                     </listitem>
 3840                 </varlistentry>
 3841                 <varlistentry>
 3842                     <term>homedir_umask (integer)</term>
 3843                     <listitem>
 3844                         <para>
 3845                             Used by
 3846                             <citerefentry>
 3847                                 <refentrytitle>sss_useradd</refentrytitle>
 3848                                 <manvolnum>8</manvolnum>
 3849                             </citerefentry> to specify the default permissions on a newly created
 3850                             home directory.
 3851                         </para>
 3852                         <para>
 3853                             Default: 077
 3854                         </para>
 3855                     </listitem>
 3856                 </varlistentry>
 3857                 <varlistentry>
 3858                     <term>skel_dir (string)</term>
 3859                     <listitem>
 3860                         <para>
 3861                             The skeleton directory, which contains files
 3862                             and directories to be copied in the user's
 3863                             home directory, when the home directory is
 3864                             created by
 3865                             <citerefentry>
 3866                                 <refentrytitle>sss_useradd</refentrytitle>
 3867                                 <manvolnum>8</manvolnum>
 3868                             </citerefentry>.
 3869                         </para>
 3870                         <para>
 3871                             Default: <filename>/etc/skel</filename>
 3872                         </para>
 3873                     </listitem>
 3874                 </varlistentry>
 3875                 <varlistentry>
 3876                     <term>mail_dir (string)</term>
 3877                     <listitem>
 3878                         <para>
 3879                             The mail spool directory. This is needed to
 3880                             manipulate the mailbox when its corresponding
 3881                             user account is modified or deleted.
 3882                             If not specified, a default
 3883                             value is used.
 3884                         </para>
 3885                         <para>
 3886                             Default: <filename>/var/mail</filename>
 3887                         </para>
 3888                     </listitem>
 3889                 </varlistentry>
 3890                 <varlistentry>
 3891                     <term>userdel_cmd (string)</term>
 3892                     <listitem>
 3893                         <para>
 3894                             The command that is run after a user is removed.
 3895                             The command is passed the username of the user being
 3896                             removed as the first and only parameter. The return
 3897                             code of the command is not taken into account.
 3898                         </para>
 3899                         <para>
 3900                             Default: None, no command is run
 3901                         </para>
 3902                     </listitem>
 3903                 </varlistentry>
 3904             </variablelist>
 3905         </refsect2>
 3906 
 3907     </refsect1>
 3908 
 3909     <refsect1 id='trusted-domains'>
 3910         <title>TRUSTED DOMAIN SECTION</title>
 3911         <para>
 3912             Some options used in the domain section can also be used in the
 3913             trusted domain section, that is, in a section called
 3914             <quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>,
 3915             where DOMAIN_NAME is the actual joined-to base domain. Please refer
 3916             to the examples below for an explanation.
 3917             Currently supported options in the trusted domain section are:
 3918         </para>
 3919             <para>ldap_search_base,</para>
 3920             <para>ldap_user_search_base,</para>
 3921             <para>ldap_group_search_base,</para>
 3922             <para>ldap_netgroup_search_base,</para>
 3923             <para>ldap_service_search_base,</para>
 3924             <para>ldap_sasl_mech,</para>
 3925             <para>ad_server,</para>
 3926             <para>ad_backup_server,</para>
 3927             <para>ad_site,</para>
 3928             <para>use_fully_qualified_names,</para>
 3929             <para>pam_gssapi_services,</para>
 3930             <para>pam_gssapi_check_upn</para>
 3931         <para>
 3932             For more details about these options see their individual description
 3933             in the manual page.
 3934         </para>
 3935     </refsect1>
 3936 
 3937     <refsect1 id='certmap'>
 3938         <title>CERTIFICATE MAPPING SECTION</title>
 3939         <para>
 3940             To allow authentication with Smartcards and certificates, SSSD must
 3941             be able to map certificates to users. This can be done by adding the
 3942             full certificate to the LDAP object of the user or to a local
 3943             override. While using the full certificate is required to use the
 3944             Smartcard authentication feature of SSH (see
 3945                 <citerefentry>
 3946                     <refentrytitle>sss_ssh_authorizedkeys</refentrytitle>
 3947                     <manvolnum>8</manvolnum>
 3948                 </citerefentry>
 3949             for details), it might be cumbersome or not even possible to do this
 3950             for the general case where local services use PAM for
 3951             authentication.
 3952         </para>
 3953         <para>
 3954             To make the mapping more flexible, mapping and matching rules were
 3955             added to SSSD (see
 3956                 <citerefentry>
 3957                     <refentrytitle>sss-certmap</refentrytitle>
 3958                     <manvolnum>5</manvolnum>
 3959                 </citerefentry>
 3960             for details).
 3961         </para>
 3962         <para>
 3963             A mapping and matching rule can be added to the SSSD configuration
 3964             in a section on its own with a name like
 3965             <quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>.
 3966             In this section the following options are allowed:
 3967         </para>
 3968         <variablelist>
 3969             <varlistentry>
 3970                 <term>matchrule (string)</term>
 3971                 <listitem>
 3972                     <para>
 3973                         Only certificates from the Smartcard which match this
 3974                         rule will be processed; all others are ignored.
 3975                     </para>
 3976                     <para>
 3977                         Default: KRB5:&lt;EKU&gt;clientAuth, i.e. only
 3978                         certificates which have the Extended Key Usage
 3979                         <quote>clientAuth</quote> are processed.
 3980                     </para>
 3981                 </listitem>
 3982             </varlistentry>
 3983             <varlistentry>
 3984                 <term>maprule (string)</term>
 3985                 <listitem>
 3986                     <para>
 3987                         Defines how the user is found for a given certificate.
 3988                     </para>
 3989                     <para>
 3990                         Default:
 3991                         <itemizedlist>
 3992                             <listitem>
 3993                                 <para>LDAP:(userCertificate;binary={cert!bin})
 3994                                 for LDAP based providers like
 3995                                 <quote>ldap</quote>, <quote>AD</quote> or
 3996                                 <quote>ipa</quote>.</para>
 3997                             </listitem>
 3998                             <listitem>
 3999                                 <para>The RULE_NAME for the <quote>files</quote>
 4000                                 provider which tries to find a user with the
 4001                                 same name.</para>
 4002                             </listitem>
 4003                         </itemizedlist>
 4004                     </para>
 4005                 </listitem>
 4006             </varlistentry>
 4007             <varlistentry>
 4008                 <term>domains (string)</term>
 4009                 <listitem>
 4010                     <para>
 4011                         Comma separated list of domain names the rule should be
 4012                         applied to. By default a rule is only valid in the domain
 4013                         configured in sssd.conf. If the provider supports
 4014                         subdomains, this option can be used to add the rule to
 4015                         subdomains as well.
 4016                     </para>
 4017                     <para>
 4018                         Default: the configured domain in sssd.conf
 4019                     </para>
 4020                 </listitem>
 4021             </varlistentry>
 4022             <varlistentry>
 4023                 <term>priority (integer)</term>
 4024                 <listitem>
 4025                     <para>
 4026                         Unsigned integer value defining the priority of the
 4027                         rule. The higher the number the lower the priority.
 4028                         <quote>0</quote> stands for the highest priority while
 4029                         <quote>4294967295</quote> is the lowest.
 4030                     </para>
 4031                     <para>
 4032                         Default: the lowest priority
 4033                     </para>
 4034                 </listitem>
 4035             </varlistentry>
 4036         </variablelist>
 4037         <para>
 4038             To make the configuration simple and reduce the amount of
 4039             configuration options the <quote>files</quote> provider has some
 4040             special properties:
 4041             <itemizedlist>
 4042                 <listitem>
 4043                     <para>
 4044                         if maprule is not set the RULE_NAME name is assumed to
 4045                         be the name of the matching user
 4046                     </para>
 4047                 </listitem>
 4048                 <listitem>
 4049                     <para>
 4050                         if a maprule is used, either a single user name or a
 4051                         template like
 4052                         <quote>{subject_rfc822_name.short_name}</quote> must
 4053                         be enclosed in parentheses, e.g. <quote>(username)</quote> or
 4054                         <quote>({subject_rfc822_name.short_name})</quote>
 4055                     </para>
 4056                 </listitem>
 4057                 <listitem>
 4058                     <para>
 4059                         the <quote>domains</quote> option is ignored
 4060                     </para>
 4061                 </listitem>
 4062             </itemizedlist>
 4063         </para>
 4064     </refsect1>
 4065 
 4066     <refsect1 id='prompting_configuration'>
 4067         <title>PROMPTING CONFIGURATION SECTION</title>
 4068         <para>
            If the special file
            (<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>)
            exists, SSSD's PAM module pam_sss asks SSSD which authentication
            methods are available for the user trying to log in. Based on the
            result, pam_sss prompts the user for the appropriate credentials.
 4075         </para>
 4076         <para>
            With the growing number of authentication methods, and the
            possibility that several of them apply to a single user, the
            heuristic pam_sss uses to select the prompting might not suit all
            use cases. The following options provide more flexibility here.
 4082         </para>
 4083         <para>
 4084             Each supported authentication method has its own configuration
 4085             subsection under <quote>[prompting/...]</quote>. Currently there
 4086             are:
 4087         <variablelist>
 4088             <varlistentry>
 4089                 <term>[prompting/password]</term>
 4090                 <listitem>
 4091                     <para>to configure password prompting, allowed options are:
 4092                     <variablelist><varlistentry><term>password_prompt</term>
 4093                         <listitem><para>to change the string of the password
 4094                         prompt</para></listitem></varlistentry></variablelist>
 4095                     </para>
 4096                 </listitem>
 4097             </varlistentry>
 4098         </variablelist>
 4099         <variablelist>
 4100             <varlistentry>
 4101                 <term>[prompting/2fa]</term>
 4102                 <listitem>
 4103                     <para>to configure two-factor authentication prompting,
 4104                     allowed options are:
 4105                     <variablelist><varlistentry><term>first_prompt</term>
 4106                         <listitem><para>to change the string of the prompt for
 4107                         the first factor </para></listitem>
 4108                         </varlistentry>
 4109                         <varlistentry><term>second_prompt</term>
 4110                         <listitem><para>to change the string of the prompt for
 4111                         the second factor </para></listitem>
 4112                         </varlistentry>
 4113                         <varlistentry><term>single_prompt</term>
 4114                         <listitem><para>boolean value, if True there will be
 4115                         only a single prompt using the value of first_prompt
 4116                         where it is expected that both factors are entered as a
 4117                         single string</para></listitem>
 4118                         </varlistentry>
 4119                     </variablelist>
 4120                     </para>
 4121                 </listitem>
 4122             </varlistentry>
 4123         </variablelist>
 4124         </para>
 4125         <para>
            It is possible to add a subsection for a specific PAM service,
            e.g. <quote>[prompting/password/sshd]</quote>, to change the
            prompting individually for that service.
 4129         </para>
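        <para>
            The following Python script is an added example and is not part of
            SSSD or of this manual page. It models how the
            <quote>[prompting/...]</quote> sections combine for a given
            authentication method and PAM service: it assumes that a
            service-specific subsection overrides the individual keys of the
            generic one, that keys it does not set fall back to the generic
            section, and that the built-in fallback prompt strings are
            placeholders rather than the real pam_sss defaults. Check the
            resolved prompts against the behaviour of your SSSD version.
        </para>
        <programlisting><![CDATA[
```python
"""Added example, not SSSD's own code: resolve which prompts pam_sss would
show for an authentication method and PAM service from the [prompting/...]
sections of sssd.conf.

Assumptions: a [prompting/METHOD/SERVICE] section overrides the matching
keys of [prompting/METHOD]; keys it does not set fall back to that section;
MODEL_DEFAULTS are placeholders, not the real pam_sss defaults."""
import configparser

# Constructed sssd.conf fragment (example input, not from the manual page).
SSSD_CONF = """
[prompting/password]
password_prompt = Corporate password:

[prompting/2fa]
first_prompt = Corporate password:
second_prompt = OTP token:

[prompting/2fa/sshd]
single_prompt = True
first_prompt = Password followed by OTP token:
"""

# Placeholder fallbacks used when no section sets a value (assumption).
MODEL_DEFAULTS = {
    "password": {"password_prompt": "Password:"},
    "2fa": {
        "first_prompt": "First factor:",
        "second_prompt": "Second factor:",
        "single_prompt": "False",
    },
}

TRUE_VALUES = ("true", "yes", "1")


def resolve_prompting(text, method, service=None):
    """Merge MODEL_DEFAULTS, [prompting/METHOD] and [prompting/METHOD/SERVICE]
    in that order, so the most specific section wins per key."""
    if method not in MODEL_DEFAULTS:
        raise ValueError(f"unknown prompting method: {method}")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    resolved = dict(MODEL_DEFAULTS[method])
    sections = [f"prompting/{method}"]
    if service:
        sections.append(f"prompting/{method}/{service}")
    for section in sections:
        if cp.has_section(section):
            resolved.update(cp.items(section))
    return resolved


def prompts_for(text, method, service=None):
    """Return the ordered list of prompt strings the user would see."""
    cfg = resolve_prompting(text, method, service)
    if method == "password":
        return [cfg["password_prompt"]]
    # 2fa: with single_prompt both factors are typed into the first prompt.
    if cfg["single_prompt"].strip().lower() in TRUE_VALUES:
        return [cfg["first_prompt"]]
    return [cfg["first_prompt"], cfg["second_prompt"]]


if __name__ == "__main__":
    for svc in (None, "login", "sshd"):
        print(svc, prompts_for(SSSD_CONF, "2fa", svc))
```
]]></programlisting>
        <para>
            Running the script shows that the <quote>sshd</quote> service gets
            a single combined prompt while every other service keeps the two
            prompts from the generic <quote>[prompting/2fa]</quote> section.
        </para>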
 4130     </refsect1>
 4131 
 4132     <refsect1 id='example'>
 4133         <title>EXAMPLES</title>
 4134         <para>
 4135             1. The following example shows a typical SSSD config. It does
 4136             not describe configuration of the domains themselves - refer to
 4137             documentation on configuring domains for more details.
 4138 <programlisting>
 4139 [sssd]
 4140 domains = LDAP
 4141 services = nss, pam
 4142 config_file_version = 2
 4143 
 4144 [nss]
 4145 filter_groups = root
 4146 filter_users = root
 4147 
 4148 [pam]
 4149 
 4150 [domain/LDAP]
 4151 id_provider = ldap
 4152 ldap_uri = ldap://ldap.example.com
 4153 ldap_search_base = dc=example,dc=com
 4154 
 4155 auth_provider = krb5
 4156 krb5_server = kerberos.example.com
 4157 krb5_realm = EXAMPLE.COM
 4158 cache_credentials = true
 4159 
 4160 min_id = 10000
 4161 max_id = 20000
 4162 enumerate = False
 4163 </programlisting>
 4164         </para>
 4165         <para>
            2. The following example shows the configuration of an IPA-AD
            trust where the AD forest consists of two domains in a
            parent-child structure. Suppose the IPA domain (ipa.com) has a
            trust with the AD domain (ad.com), and ad.com has a child domain
            (child.ad.com). To enable short names in the child domain, use the
            following configuration. Short names are only unambiguous if no
            user or group name exists in more than one of the domains.
 4171 <programlisting>
 4172 [domain/ipa.com/child.ad.com]
 4173 use_fully_qualified_names = false
 4174 </programlisting>
 4175         </para>
 4176         <para>
            3. The following example shows the configuration of two certificate
            mapping rules. The first is valid for the configured domain
            <quote>my.domain</quote> and additionally for the subdomain
            <quote>your.domain</quote>, and uses the full certificate in the
            search filter. The second rule is valid for the domain
            <quote>files</quote>, where it is assumed the files provider is
            used, and contains a matching rule for the local user
            <quote>myname</quote>.
 4185 <programlisting>
 4186 [certmap/my.domain/rule_name]
 4187 matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$
 4188 maprule = (userCertificate;binary={cert!bin})
 4189 domains = my.domain, your.domain
 4190 priority = 10
 4191 
 4192 [certmap/files/myname]
 4193 matchrule = &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$&lt;SUBJECT&gt;^CN=User.Name,DC=MY,DC=DOMAIN$
 4194 </programlisting>
 4195         </para>
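        <para>
            The following Python script is an added example and is not part of
            SSSD or of this manual page. It models how the two certificate
            mapping rules of example 3, together with the special properties
            of the <quote>files</quote> provider described above, select a
            user for a client certificate: rules are tried in priority order,
            every component of a matchrule must match, and for the
            <quote>files</quote> provider the rule name becomes the user name
            and a maprule must be enclosed in parentheses. It only models the
            ISSUER and SUBJECT components of a matchrule, assumes the issuer
            and subject DNs are rendered exactly as the rules are written
            against them, and assumes a rule without <quote>domains</quote>
            applies to the domain of its own section.
        </para>
        <programlisting><![CDATA[
```python
"""Added example, not SSSD's own code: a small model of how the certmap
rules in sssd.conf pick a user for a client certificate.

Assumptions: only the <ISSUER> and <SUBJECT> matchrule components are
modelled; DN strings are rendered exactly as the rules are written against
them; a rule without 'domains' applies to its own section domain."""
import configparser
import re

# Constructed sssd.conf fragment, mirroring example 3 of the manual page.
SSSD_CONF = """
[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
"""

LOWEST_PRIORITY = 4294967295  # documented default when 'priority' is not set

_COMPONENT_RE = re.compile(r"<(ISSUER|SUBJECT)>(.*?)(?=<(?:ISSUER|SUBJECT)>|$)")


def parse_matchrule(rule):
    """'<ISSUER>re1<SUBJECT>re2' -> {'ISSUER': 're1', 'SUBJECT': 're2'}."""
    return {name: pattern for name, pattern in _COMPONENT_RE.findall(rule)}


def load_rules(text):
    """Read all [certmap/DOMAIN/RULE_NAME] sections, best priority first."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        parts = section.split("/")
        if len(parts) != 3 or parts[0] != "certmap":
            continue
        _, domain, rule_name = parts
        opts = cp[section]
        rule = {
            "domain": domain,
            "name": rule_name,
            "match": parse_matchrule(opts.get("matchrule", "")),
            "priority": int(opts.get("priority", LOWEST_PRIORITY)),
        }
        if domain == "files":
            # files provider special cases from the manual page: 'domains' is
            # ignored, without a maprule the RULE_NAME is the user name, and a
            # maprule, if given, must be wrapped in parentheses.
            rule["domains"] = [domain]
            maprule = opts.get("maprule")
            if maprule is None:
                rule["user"] = rule_name
            elif maprule.startswith("(") and maprule.endswith(")"):
                rule["user"] = maprule[1:-1]  # a name or a {template}; expansion not modelled
            else:
                raise ValueError(f"{section}: files-provider maprule must be in parentheses")
        else:
            # Assumption: a rule without 'domains' applies to its own section domain.
            rule["domains"] = [d.strip() for d in opts.get("domains", domain).split(",")]
            rule["maprule"] = opts.get("maprule")
        rules.append(rule)
    # 0 is the highest priority and 4294967295 the lowest, so lower numbers sort first.
    rules.sort(key=lambda r: r["priority"])
    return rules


def rule_matches(rule, cert):
    """cert: {'issuer': DN, 'subject': DN}. Every matchrule component must match."""
    if not rule["match"]:
        return False  # modelling choice: the real default matchrule is not modelled
    return all(re.search(pat, cert[name.lower()]) for name, pat in rule["match"].items())


def select_rule(rules, cert, domain):
    """First rule, in priority order, that applies to 'domain' and matches 'cert'."""
    for rule in rules:
        if domain in rule["domains"] and rule_matches(rule, cert):
            return rule
    return None


if __name__ == "__main__":
    rules = load_rules(SSSD_CONF)
    cert = {"issuer": "CN=My-CA,DC=MY,DC=DOMAIN", "subject": "CN=User.Name,DC=MY,DC=DOMAIN"}
    print(select_rule(rules, cert, "your.domain")["name"])
    print(select_rule(rules, cert, "files")["user"])
```
]]></programlisting>
        <para>
            The check on the parentheses is the one a practitioner wants: a
            <quote>files</quote> rule whose maprule is a bare name is rejected
            at load time rather than silently mapping nobody, and a certificate
            from a different issuer matches neither rule even when its subject
            is identical.
        </para>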
 4196     </refsect1>
 4197 
 4198     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
 4199 
 4200 </refentry>
 4201 </reference>