Chapter 5. Additional configuration for identity and authentication providers
The System Security Services Daemon (SSSD) is a system service to access remote directories and authentication mechanisms. The main configuration file for SSSD is /etc/sssd/sssd.conf. The following chapters outline how you can configure SSSD services and domains by modifying the /etc/sssd/sssd.conf file to:
- Adjust how SSSD interprets and prints full user names to enable offline authentication.
- Configure DNS Service Discovery, simple Access Provider Rules, and SSSD to apply an LDAP Access Filter.
5.1. Adjusting how SSSD interprets full user names
SSSD parses full user name strings into the user name and domain components. By default, SSSD interprets full user names in the format user_name@domain_name based on the following regular expression in Python syntax:
(?P<name>[^@]+)@?(?P<domain>[^@]*$)
For Identity Management and Active Directory providers, the default user name format is user_name@domain_name or NetBIOS_name\user_name.
You can adjust how SSSD interprets full user names by adding the re_expression option to the /etc/sssd/sssd.conf file and defining a custom regular expression.
- To define the regular expression globally, add the regular expression to the [sssd] section of the sssd.conf file as shown in the Defining regular expressions globally example.
- To define the regular expression for a particular domain, add the regular expression to the corresponding domain section (for example, [domain/LDAP]) of the sssd.conf file as shown in the Defining regular expressions for a particular domain example.
Prerequisites
- root access
Procedure
- Open the /etc/sssd/sssd.conf file. Use the re_expression option to define a custom regular expression.

Example 5.1. Defining regular expressions globally
To define the regular expressions globally for all domains, add re_expression to the [sssd] section of the sssd.conf file.
You can use the following global expression to define the username in the format of domain\\username or domain@username:
[sssd]
[... file truncated ...]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)

Example 5.2. Defining regular expressions for a particular domain
To define the regular expressions individually for a particular domain, add re_expression to the corresponding domain section of the sssd.conf file.
You can use the following global expression to define the username in the format of domain\\username or domain@username for the LDAP domain:
[domain/LDAP]
[... file truncated ...]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
For more details, see the descriptions for re_expression in the SPECIAL SECTIONS and DOMAIN SECTIONS parts of the sssd.conf(5) man page.
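Before deploying a custom re_expression, it helps to preview how login strings will be split into name and domain, because a wrong split changes which domain a user is looked up in. The following is an added example, not part of the original documentation or of SSSD itself. It assumes Python's re module as a stand-in for SSSD's regex engine, whole-string matching, and that a domain-section value takes precedence over the [sssd] value. The helper names and the sample configuration are constructed for illustration.

```python
import configparser
import re

# Default expression quoted in section 5.1 of this page.
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# Constructed sssd.conf fragment using the custom expression from Example 5.2.
SAMPLE_CONF = r"""
[sssd]
domains = LDAP

[domain/LDAP]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
"""


def effective_expression(conf_text, domain):
    """Pick re_expression for a domain: its own section, then [sssd], then the default.

    The precedence order is an assumption of this sketch.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in (f"domain/{domain}", "sssd"):
        if cp.has_option(section, "re_expression"):
            return cp.get(section, "re_expression")
    return DEFAULT_RE


def split_name(expression, full_name):
    """Return (name, domain) for a login string, or None if it does not match."""
    m = re.fullmatch(expression, full_name)
    if m is None:
        return None
    return m.group("name"), m.group("domain")


def preview(conf_text, domain, logins):
    """Map each login string to the (name, domain) pair the expression yields."""
    expr = effective_expression(conf_text, domain)
    return {login: split_name(expr, login) for login in logins}


if __name__ == "__main__":
    # Constructed login strings covering bare, backslash and @ forms.
    logins = ["alice", r"CORP\alice", "alice@corp.example"]
    for login, parts in preview(SAMPLE_CONF, "LDAP", logins).items():
        print(f"{login!r:24} -> {parts}")
```

Under Python's re, the custom expression splits only on a backslash: a login without one, including one containing @, is captured entirely as name with an empty domain. Confirm the result against a test SSSD instance before rolling the change out.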