Chapitre 5. Additional configuration for identity and authentication providers
The System Security Services Daemon (SSSD) is a system service to access remote directories and authentication mechanisms. The main configuration file for SSSD is /etc/sssd/sssd.conf. The following chapters outline how you can configure SSSD services and domains by modifying the /etc/sssd/sssd.conf file to:
- Adjust how SSSD interprets and prints full user names to enable offline authentication.
- Configure DNS Service Discovery, simple Access Provider Rules, and SSSD to apply an LDAP Access Filter.
5.1. Adjusting how SSSD interprets full user names
SSSD parses full user name strings into the user name and domain components. By default, SSSD interprets full user names in the format user_name@domain_name based on the following regular expression in Python syntax:
(?P<name>[^@]+)@?(?P<domain>[^@]*$)
For Identity Management and Active Directory providers, the default user name format is user_name@domain_name or NetBIOS_name\user_name.
You can adjust how SSSD interprets full user names by adding the re_expression option to the /etc/sssd/sssd.conf file and defining a custom regular expression.
-
To define the regular expression globally, add the regular expression to the
[sssd]section of thesssd.conffile as shown in the Defining regular expressions globally example. -
To define the regular expression for a particular domain, add the regular expression to the corresponding domain section (for example,
[domain/LDAP]) of thesssd.conffile as shown in the Defining regular expressions a particular domain example.
Conditions préalables
-
rootaccess
Procédure
-
Open the
/etc/sssd/sssd.conffile. Use the
re_expressionoption to define a custom regular expression.Exemple 5.1. Defining regular expressions globally
To define the regular expressions globally for all domains, add
re_expressionto the[sssd]section of thesssd.conffile.You can use the following global expression to define the username in the format of
domain\\usernameordomain@username:[sssd] [... file truncated ...] re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
Exemple 5.2. Defining regular expressions a particular domain
To define the regular expressions individually for a particular domain, add
re_expressionto the corresponding domain section of thesssd.conffile.You can use the following global expression to define the username in the format of
domain\\usernameordomain@usernamefor the LDAP domain:[domain/LDAP] [... file truncated ...] re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
For more details, see the descriptions for re_expression in the SPECIAL SECTIONS and DOMAIN SECTIONS parts of the sssd.conf(5) man page.
