Red Hat Summit7.4. Additional Configuration for Identity and Authentication Providers
7.4.1. Adjusting User Name Formats
Copy linkLink copied to clipboard!
7.4.1.1. Defining the Regular Expression for Parsing Full User Names
Copy linkLink copied to clipboard!
SSSD parses full user name strings into the user name and domain components. By default, SSSD interprets full user names in the format
user_name@domain_name based on the following regular expression in Python syntax:
(?P<name>[^@]+)@?(?P<domain>[^@]*$)
(?P<name>[^@]+)@?(?P<domain>[^@]*$)Note
For Identity Management and Active Directory providers, the default user name format is
user_name@domain_name or NetBIOS_name\user_name.
To adjust how SSSD interprets full user names:
- Open the
/etc/sssd/sssd.conffile. - Use the
re_expressionoption to define a custom regular expression.- To define the regular expressions globally for all domains, add
re_expressionto the[sssd]section ofsssd.conf. - To define the regular expressions individually for a particular domain, add
re_expressionto the corresponding domain section ofsssd.conf.
For example, to configure a regular expression for the LDAP domain:
[domain/LDAP] [... file truncated ...] re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
[domain/LDAP]
[... file truncated ...]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
For details, see the descriptions for
re_expression in the SPECIAL SECTIONS and DOMAIN SECTIONS parts of the sssd.conf(5) man page.
7.4.1.2. Defining How SSSD Prints Full User Names
Copy linkLink copied to clipboard!
If the
use_fully_qualified_names option is enabled in the /etc/sssd/sssd.conf file, SSSD prints full user names in the format name@domain based on the following expansion by default:
%1$s@%2$s
%1$s@%2$sNote
If
use_fully_qualified_names is not set or is explicitly set to false for trusted domains, only the user name is printed, without the domain component.
To adjust the format in which SSSD prints full user names:
- Open the
/etc/sssd/sssd.conffile. - Use the
full_name_formatoption to define the expansion for the full user name format:- To define the expansion globally for all domains, add
full_name_formatto the[sssd]section ofsssd.conf. - To define the expansion individually for a particular domain, add
full_name_formatto the corresponding domain section ofsssd.conf.
For details, see the descriptions for
full_name_format in the SPECIAL SECTIONS and DOMAIN SECTIONS parts of the sssd.conf(5) man page.
In some name configurations, SSSD could strip the domain component of the name, which can cause authentication errors. Because of this, if you set
full_name_format to a non-standard value, a warning will prompt you to change it to a more standard format.
7.4.2. Enabling Offline Authentication
Copy linkLink copied to clipboard!
SSSD does not cache user credentials by default. When processing authentication requests, SSSD always contacts the identity provider. If the provider is unavailable, user authentication fails.
Important
SSSD never caches passwords in plain text. It stores only a hash of the password.
To ensure that users can authenticate even when the identity provider is unavailable, enable credential caching:
- Open the
/etc/sssd/sssd.conffile. - In a domain section, add the
cache_credentials = truesetting:[domain/domain_name] cache_credentials = true
[domain/domain_name] cache_credentials = trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Optional, but recommended. Configure a time limit for how long SSSD allows offline authentication if the identity provider is unavailable.
- Configure the PAM service to work with SSSD. See Section 7.5.2, “Configuring Services: PAM”.
- Use the
offline_credentials_expirationoption to specify the time limit. For example, to specify that users are able to authenticate offline for 3 days since the last successful login:[pam] offline_credentials_expiration = 3
[pam] offline_credentials_expiration = 3Copy to Clipboard Copied! Toggle word wrap Toggle overflow
For details on
offline_credentials_expiration, see the sssd.conf(5) man page.
7.4.3. Configuring DNS Service Discovery
Copy linkLink copied to clipboard!
If the identity or authentication server is not explicitly defined in the
/etc/sssd/sssd.conf file, SSSD can discover the server dynamically using DNS service discovery [1].
For example, if
sssd.conf includes the id_provider = ldap setting, but the ldap_uri option does not specify any host name or IP address, SSSD uses DNS service discovery to discover the server dynamically.
Note
SSSD cannot dynamically discover backup servers, only the primary server.
Configuring SSSD for DNS Service Discovery
- Open the
/etc/sssd/sssd.conffile. - Set the primary server value to
_srv_. For an LDAP provider, the primary server is set using theldap_urioption:[domain/domain_name] id_provider = ldap ldap_uri = _srv_
[domain/domain_name] id_provider = ldap ldap_uri = _srv_Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Enable service discovery in the password change provider by setting a service type:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Optional. By default, the service discovery uses the domain portion of the system host name as the domain name. To use a different DNS domain, specify the domain name in the
dns_discovery_domainoption. - Optional. By default, the service discovery scans for the LDAP service type. To use a different service type, specify the type in the
ldap_dns_service_nameoption. - Optional. By default, SSSD attempts to look up an IPv4 address. If the attempt fails, SSSD attempts to look up an IPv6 address. To customize this behavior, use the
lookup_family_orderoption. See the sssd.conf(5) man page for details. - For every service with which you want to use service discovery, add a DNS record to the DNS server:
_service._protocol._domain TTL priority weight port host_name
_service._protocol._domain TTL priority weight port host_nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow
7.4.4. Defining Access Control Using the simple Access Provider
Copy linkLink copied to clipboard!
The
simple access provider allows or denies access based on a list of user names or groups. It enables you to restrict access to specific machines.
For example, on company laptops, you can use the
simple access provider to restrict access to only a specific user or a specific group. Other users or groups will not be allowed to log in even if they authenticate successfully against the configured authentication provider.
Configuring simple Access Provider Rules
- Open the
/etc/sssd/sssd.conffile. - Set the
access_provideroption tosimple:[domain/domain_name] access_provider = simple
[domain/domain_name] access_provider = simpleCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Define the access control rules for users. Choose one of the following:
- To allow access to users, use the
simple_allow_usersoption. - To deny access to users, use the
simple_deny_usersoption.Important
Allowing access to specific users is considered safer than denying. If you deny access to specific users, you automatically allow access to everyone else.
- Define the access control rules for groups. Choose one of the following:
- To allow access to groups, use the
simple_allow_groupsoption. - To deny access to groups, use the
simple_deny_groupsoption.Important
Allowing access to specific groups is considered safer than denying. If you deny access to specific groups, you automatically allow access to everyone else.
The following example allows access to
user1, user2, and members of group1, while denying access to all other users.
[domain/domain_name] access_provider = simple simple_allow_users = user1, user2 simple_allow_groups = group1
[domain/domain_name]
access_provider = simple
simple_allow_users = user1, user2
simple_allow_groups = group1
For details, see the sssd-simple(5) man page.
7.4.5. Defining Access Control Using the LDAP Access Filter
Copy linkLink copied to clipboard!
When the
access_provider option is set in /etc/sssd/sssd.conf, SSSD uses the specified access provider to evaluate which users are granted access to the system. If the access provider you are using is an extension of the LDAP provider type, you can also specify an LDAP access control filter that a user must match in order to be allowed access to the system.
For example, when using an Active Directory (AD) server as the access provider, you can restrict access to the Linux system only to specified AD users. All other users that do not match the specified filter will be denied access.
Note
The access filter is applied on the LDAP user entry only. Therefore, using this type of access control on nested groups might not work. To apply access control on nested groups, see Section 7.4.4, “Defining Access Control Using the
simple Access Provider”.
Important
When using offline caching, SSSD checks if the user's most recent online login attempt was successful. Users who logged in successfully during the most recent online login will still be able to log in offline, even if they do not match the access filter.
Configuring SSSD to Apply an LDAP Access Filter
- Open the
/etc/sssd/sssd.conffile. - In the
[domain]section, specify the LDAP access control filter.- For an LDAP access provider, use the
ldap_access_filteroption. See the sssd-ldap(5) man page for details. - For an AD access provider, use the
ad_access_filteroption. See the sssd-ad(5) man page for details.
For example, to allow access only to AD users who belong to theadminsuser group and have aunixHomeDirectoryattribute set:[domain/AD_domain_name] access provider = ad [... file truncated ...] ad_access_filter = (&(memberOf=cn=admins,ou=groups,dc=example,dc=com)(unixHomeDirectory=*))
[domain/AD_domain_name] access provider = ad [... file truncated ...] ad_access_filter = (&(memberOf=cn=admins,ou=groups,dc=example,dc=com)(unixHomeDirectory=*))Copy to Clipboard Copied! Toggle word wrap Toggle overflow
SSSD can also check results by the
authorizedService or host attribute in an entry. In fact, all options — LDAP filter, authorizedService, and host — can be evaluated, depending on the user entry and the configuration. The ldap_access_order parameter lists all access control methods to use, in order of how they should be evaluated.
[domain/example.com] access_provider = ldap ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com ldap_access_order = filter, host, authorized_service
[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
ldap_access_order = filter, host, authorized_service
The attributes in the user entry to use to evaluate authorized services or allowed hosts can be customized. Additional access control parameters are listed in the
sssd-ldap(5) man page.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}