Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

7.5. Configuring System Services for SSSD

SSSD provides interfaces towards several system services. Most notably:
Name Service Switch (NSS)
See Section 7.5.1, “Configuring Services: NSS”.
Pluggable Authentication Modules (PAM)
See Section 7.5.2, “Configuring Services: PAM”.
OpenSSH
See Configuring SSSD to Provide a Cache for the OpenSSH Services in the Linux Domain Identity, Authentication, and Policy Guide.
autofs
See Section 7.5.3, “Configuring Services: autofs.
sudo
See Section 7.5.4, “Configuring Services: sudo.

7.5.1. Configuring Services: NSS
Copy link

How SSSD Works with NSS

The Name Service Switch (NSS) service maps system identities and services with configuration sources: it provides a central configuration store where services can look up sources for various configuration and name resolution mechanisms.
SSSD can use NSS as a provider for several types of NSS maps. Most notably:
  • User information (the passwd map)
  • Groups (the groups map)
  • Netgroups (the netgroups map)
  • Services (the services map)

Prerequisites

  • Install SSSD. 
    # yum install sssd
    Copy to Clipboard Toggle word wrap

Configure NSS Services to Use SSSD

  1. Use the authconfig utility to enable SSSD: 
    [root@server ~]# authconfig --enablesssd --update
    Copy to Clipboard Toggle word wrap
    This updates the /etc/nsswitch.conf file to enable the following NSS maps to use SSSD: 
    passwd:     files sss
shadow:     files sss
group:      files sss

netgroup:   files sss
    Copy to Clipboard Toggle word wrap
  2. Open /etc/nsswitch.conf and add sss to the services map line: 
    services: files sss
    Copy to Clipboard Toggle word wrap

Configure SSSD to work with NSS

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, make sure that NSS is listed as one of the services that works with SSSD. 
    [sssd]
[... file truncated ...]
services = nss, pam
    Copy to Clipboard Toggle word wrap
  3. In the [nss] section, configure how SSSD interacts with NSS. For example: 
    [nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
    Copy to Clipboard Toggle word wrap
    For a complete list of available options, see NSS configuration options in the sssd.conf(5) man page.
  4. Restart SSSD. 
    # systemctl restart sssd.service
    Copy to Clipboard Toggle word wrap

Test That the Integration Works Correctly

Display information about a user with these commands:
  • id user
  • getent passwd user

7.5.2. Configuring Services: PAM
Copy link

Warning

A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that you can revert any changes.

Configure PAM to Use SSSD

  • Use the authconfig utility to enable SSSD: 
    # authconfig --enablesssdauth --update
    Copy to Clipboard Toggle word wrap
    This updates the PAM configuration to reference the SSSD modules, usually in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. For example: 
    [... file truncated ...]
auth		required	pam_env.so
auth		sufficient	pam_unix.so nullok try_first_pass
auth		requisite	pam_succeed_if.so uid >= 500 quiet
auth        	sufficient	pam_sss.so use_first_pass
auth		required	pam_deny.so
[... file truncated ...]
    Copy to Clipboard Toggle word wrap
For details, see the pam.conf(5) or pam(8) man pages.

Configure SSSD to work with PAM

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, make sure that PAM is listed as one of the services that works with SSSD. 
    [sssd]
[... file truncated ...]
services = nss, pam
    Copy to Clipboard Toggle word wrap
  3. In the [pam] section, configure how SSSD interacts with PAM. For example: 
    [pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
    Copy to Clipboard Toggle word wrap
    For a complete list of available options, see PAM configuration options in the sssd.conf(5) man page.
  4. Restart SSSD. 
    # systemctl restart sssd.service
    Copy to Clipboard Toggle word wrap

Test That the Integration Works Correctly

  • Try logging in as a user.
  • Use the sssctl user-checks user_name auth command to check your SSSD configuration. For details, use the sssctl user-checks --help command.

7.5.3. Configuring Services: autofs
Copy link

How SSSD Works with automount

The automount utility can mount and unmount NFS file systems automatically (on-demand mounting), which saves system resources. For details on automount, see autofs in the Storage Administration Guide.
You can configure automount to point to SSSD. In this setup:
  1. When a user attempts to mount a directory, SSSD contacts LDAP to obtain the required information about the current automount configuration.
  2. SSSD stores the information required by automount in a cache, so that users can mount directories even when the LDAP server is offline.

Configure autofs to Use SSSD

  1. Install the autofs package. 
    # yum install autofs
    Copy to Clipboard Toggle word wrap
  2. Open the /etc/nsswitch.conf file.
  3. On the automount line, change the location where to look for the automount map information from ldap to sss: 
    automount: files sss
    Copy to Clipboard Toggle word wrap

Configure SSSD to work with autofs

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, add autofs to the list of services that SSSD manages. 
    [sssd]
services = nss,pam,autofs
    Copy to Clipboard Toggle word wrap
  3. Create a new [autofs] section. You can leave it empty. 
    [autofs]
    Copy to Clipboard Toggle word wrap
    For a list of available options, see AUTOFS configuration options in the sssd.conf(5) man page.
  4. Make sure an LDAP domain is available in sssd.conf, so that SSSD can read the automount information from LDAP. See Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
    The [domain] section of sssd.conf accepts several autofs-related options. For example: 
    [domain/LDAP]
[... file truncated ...]
autofs_provider=ldap
ldap_autofs_search_base=cn=automount,dc=example,dc=com
ldap_autofs_map_object_class=automountMap
ldap_autofs_entry_object_class=automount
ldap_autofs_map_name=automountMapName
ldap_autofs_entry_key=automountKey
ldap_autofs_entry_value=automountInformation
    Copy to Clipboard Toggle word wrap
    For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page.
    If you do not provide additional autofs options, the configuration depends on the identity provider settings.
  5. Restart SSSD. 
    # systemctl restart sssd.service
    Copy to Clipboard Toggle word wrap

Test the Configuration

  • Use the automount -m command to print the maps from SSSD.

7.5.4. Configuring Services: sudo
Copy link

How SSSD Works with sudo

The sudo utility gives administrative access to specified users. For more information about sudo, see The sudo utility documentation in the System Administrator's Guide.
You can configure sudo to point to SSSD. In this setup:
  1. When a user attempts a sudo operation, SSSD contacts LDAP or AD to obtain the required information about the current sudo configuration.
  2. SSSD stores the sudo information in a cache, so that users can perform sudo operations even when the LDAP or AD server is offline.
SSSD only caches sudo rules which apply to the local system, depending on the value of the sudoHost attribute. See the sssd-sudo(5) man page for details.

Configure sudo to Use SSSD

  1. Open the /etc/nsswitch.conf file.
  2. Add SSSD to the list on the sudoers line. 
    sudoers: files sss
    Copy to Clipboard Toggle word wrap

Configure SSSD to work with sudo

  1. Open the /etc/sssd/sssd.conf file.
  2. In the [sssd] section, add sudo to the list of services that SSSD manages. 
    [sssd]
services = nss,pam,sudo
    Copy to Clipboard Toggle word wrap
  3. Create a new [sudo] section. You can leave it empty. 
    [sudo]
    Copy to Clipboard Toggle word wrap
    For a list of available options, see SUDO configuration options in the sssd.conf(5) man page.
  4. Make sure an LDAP or AD domain is available in sssd.conf, so that SSSD can read the sudo information from the directory. For details, see:
    The [domain] section for the LDAP or AD domain must include these sudo-related parameters: 
    [domain/LDAP_or_AD_domain]
...
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

    Note

    Setting Identity Management or AD as the ID provider automatically enables the sudo provider. In this situation, it is not necessary to specify the sudo_provider parameter.
    For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page.
    For options available for a sudo provider, see the sssd-ldap(5) man page.
  5. Restart SSSD. 
    # systemctl restart sssd.service
    Copy to Clipboard Toggle word wrap
If you use AD as the provider, you must extend the AD schema to support sudo rules. For details, see the sudo documentation.
For details about providing sudo rules in LDAP or AD, see the sudoers.ldap(5) man page.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat