8.2.4. Configuring Services
Individual pieces of SSSD functionality are provided by special SSSD services that are started and stopped together with SSSD. Each service provided by SSSD has its own configuration section. The [sssd] section also lists, in its services directive, the services that are active and should be started when sssd starts.
SSSD currently provides several services:
NSS — An NSS provider service that answers NSS requests from the sssd_nss module.
PAM — A PAM provider service that manages a PAM conversation through the sssd_pam PAM module.
monitor — A special service that monitors all other SSSD services, and starts or restarts them as needed. Its options are specified in the [sssd] section of the /etc/sssd/sssd.conf configuration file.
8.2.4.1. Configuration Options
The following sections cover the most important SSSD configuration options. Refer to the sssd.conf(5) manual page that ships with SSSD for information on all the available configuration options.
8.2.4.1.1. General Configuration Options
debug_level (integer)
Sets the debug level for a particular service. This is a per-service setting (that is, it can appear in any of the [service/<NAME>] sections in the SSSD configuration file).
reconnection_retries (integer)
In the event of a data provider crash or restart, this specifies the number of times that a service should attempt to reconnect.
Note
If a DNS lookup fails to return an IPv4 address for a hostname, SSSD attempts to look up an IPv6 address before returning a failure. Note that this only ensures that the async resolver identifies the correct address; there is currently a bug in the LDAP code that prevents SSSD from connecting to an LDAP server over IPv6. This is being investigated separately.
8.2.4.1.2. NSS Configuration Options
Use the following options to configure the Name Service Switch (NSS) service. Refer to the sssd.conf(5) manual page for full details about each option.
enum_cache_timeout (integer)
Specifies for how long (in seconds) sssd_nss should cache enumerations (requests for information about all users).
entry_cache_nowait_percentage (integer)
Specifies for how long sssd_nss should return cached entries before initiating an out-of-band cache refresh (0 disables this feature).
You can configure the entry cache to automatically update entries in the background if they are requested beyond a percentage of the entry_cache_timeout value for the domain.
Valid values for this option are 0-99, and represent a percentage of the entry_cache_timeout value for each domain.
entry_negative_timeout (integer)
Specifies for how long (in seconds) sssd_nss should cache negative cache hits (that is, queries for invalid database entries, such as nonexistent ones) before asking the back end again.
filter_users, filter_groups (string)
Exclude certain users or groups from being fetched from the sss NSS database. This is particularly useful for system accounts such as root.
filter_users_in_groups (Boolean)
If set to TRUE, specifies that users listed in the filter_users list do not appear in group memberships when performing group lookups. If set to FALSE, group lookups return all users that are members of that group. If not specified, defaults to TRUE.
8.2.4.1.3. PAM Configuration Options
Use the following options to configure the Pluggable Authentication Module (PAM) service.
offline_credentials_expiration (integer)
If the authentication provider is offline, specifies for how long to allow cached log-ins (in days). This value is measured from the last successful online log-in. If not specified, defaults to 0 (no limit).
offline_failed_login_attempts (integer)
If the authentication provider is offline, specifies how many failed log-in attempts are allowed. If not specified, defaults to 0 (no limit).
offline_failed_login_delay (integer)
Specifies the time in minutes after the value of offline_failed_login_attempts has been reached before a new log-in attempt is possible.
If set to 0, the user cannot authenticate offline if the value of offline_failed_login_attempts has been reached. Only a successful online authentication can re-enable offline authentication. If not specified, defaults to 5.
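As an added example, not part of the original documentation, the following /etc/sssd/sssd.conf fragment ties the options above together: the services directive in [sssd], the [nss] and [pam] sections, and the offline settings with their unlimited defaults shown commented out beside bounded values. The EXAMPLE domain and its provider settings are placeholders, and cache_credentials is assumed to be enabled since the offline options only apply to cached credentials.

```ini
# Added example (not from the original page). Placeholder domain EXAMPLE;
# adjust the [domain/EXAMPLE] section for your environment.
[sssd]
config_file_version = 2
# The monitor starts and restarts the services named here.
services = nss, pam
domains = EXAMPLE
# debug_level is per-service; raise it here or in a service section
# only while troubleshooting.
debug_level = 0

[nss]
# Reconnect attempts after a data provider crash or restart.
reconnection_retries = 3
# Cache enumerations (all-user lookups) for 120 seconds.
enum_cache_timeout = 120
# Refresh an entry in the background once it is past 50% of the
# domain's entry_cache_timeout (0 disables the background refresh).
entry_cache_nowait_percentage = 50
# Remember that an entry does not exist for 15 seconds before asking
# the back end again.
entry_negative_timeout = 15
# Keep local system accounts out of the sss NSS database entirely,
# and also hide them from group membership lookups.
filter_users = root
filter_groups = root
filter_users_in_groups = true

[pam]
reconnection_retries = 3
# Weak (the documented defaults): cached log-ins never expire and
# offline failures are never limited.
#offline_credentials_expiration = 0
#offline_failed_login_attempts = 0
# Bounded: cached log-ins are honoured for 14 days after the last
# successful online log-in; after 3 offline failures no further offline
# attempt is accepted for 10 minutes.
offline_credentials_expiration = 14
offline_failed_login_attempts = 3
offline_failed_login_delay = 10

[domain/EXAMPLE]
# Placeholder provider settings (assumption, not from the page).
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
# Offline options above only matter when credentials are cached.
cache_credentials = true
```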