Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 5. Additional configuration for identity and authentication providers

The System Security Services Daemon (SSSD) is a system service to access remote directories and authentication mechanisms. The main configuration file for SSSD is /etc/sssd/sssd.conf. The following chapters outline how you can configure SSSD services and domains by modifying the /etc/sssd/sssd.conf file to:

  • Adjust how SSSD interprets and prints full user names to enable offline authentication.
  • Configure DNS Service Discovery, simple Access Provider Rules, and SSSD to apply an LDAP Access Filter.

5.1. Adjusting how SSSD interprets full user names
Copia collegamento

SSSD parses full user name strings into the user name and domain components. By default, SSSD interprets full user names in the format <user_name>@<domain_name> based on the following regular expression in Python syntax: 

(?P_<name>_[^@]+)@?(?P_<domain>_[^@]*$)
Copy to Clipboard Toggle word wrap
Note

For Identity Management and Active Directory providers, the default user name format is <user_name>@<domain_name> or <NetBIOS_name>\<user_name>.

You can adjust how SSSD interprets full user names by adding the re_expression option to the /etc/sssd/sssd.conf file and defining a custom regular expression.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.

  2. Use the re_expression option to define a custom regular expression.

    Example 5.1. Defining regular expressions globally

    To define the regular expressions globally for all domains, add re_expression to the [sssd] section of the sssd.conf file.

    You can use the following global expression to define the username in the format of <domain>\_<username>_ or <domain>@<user_name>: 

    [sssd]
[... file truncated ...]
re_expression = (?P_<domain>_[^\\]*?)\\?(?P_<name>_[^\\]+$)
    Copy to Clipboard Toggle word wrap

    Example 5.2. Defining regular expressions a particular domain

    To define the regular expressions individually for a particular domain, add re_expression to the corresponding domain section of the sssd.conf file.

    You can use the following global expression to define the username in the format of <domain>\_<username>_ or <domain>@<user_name> for the LDAP domain: 

    [domain/LDAP]
[... file truncated ...]
re_expression = (?P_<domain>_[^\\]*?)\\?(?P_<name>_[^\\]+$)
    Copy to Clipboard Toggle word wrap

5.2. Adjusting how SSSD prints full user names
Copia collegamento

If the use_fully_qualified_names option is enabled in the /etc/sssd/sssd.conf file, SSSD prints full user names in the format <name>@<domain> based on the following expansion by default: 

%1$s@%2$s
Copy to Clipboard Toggle word wrap
Note

If use_fully_qualified_names is not set or is explicitly set to false for trusted domains, it only prints the user name without the domain component.

You can adjust the format in which SSSD prints full user names by adding the full_name_format option to the /etc/sssd/sssd.conf file and defining a custom expansion.

Prerequisites

  • root access

Procedure

  1. As root, open the /etc/sssd/sssd.conf file.

  2. To define the expansion globally for all domains, add full_name_format to the [sssd] section of sssd.conf. 

    [sssd]
[... file truncated ...]
full_name_format = %1$s@%2$s
    Copy to Clipboard Toggle word wrap

    In this case the user name is displayed as user@domain.test.

  3. To define the user name printing format for a particular domain, add full_name_format to the corresponding domain section of sssd.conf.

    • To configure the expansion for the Active Directory (AD) domain using %2$s\%1$s: 

      [domain/ad.domain]
[... file truncated ...]
full_name_format = %2$s\%1$s
      Copy to Clipboard Toggle word wrap

      In this case the user name is displayed as ad.domain\user.

    • To configure the expansion for the Active Directory (AD) domain using %3$s\%1$s: 

      [domain/ad.domain]
[... file truncated ...]
full_name_format = %3$s\%1$s
      Copy to Clipboard Toggle word wrap

      In this case the user name is displayed as AD\user if the flat domain name of the Active Directory domain is set to AD.

Note

SSSD can strip the domain component of the name in some name configurations, which can cause authentication errors. If you set full_name_format to a non-standard value, you will get a warning prompting you to change it to a standard format.

5.3. Enabling offline authentication
Copia collegamento

SSSD does not cache user credentials by default. When processing authentication requests, SSSD always contacts the identity provider. If the provider is unavailable, user authentication fails.

To ensure that users can authenticate even when the identity provider is unavailable, you can enable credential caching by setting cache_credentials to true in the /etc/sssd/sssd.conf file. Cached credentials refer to passwords and the first authentication factor if two-factor authentication is used. Note that for smart card authentication, you do not need to set cache_credentials to true or set any additional configuration; it is expected to work offline as long as a successful online authentication is recorded in the cache.

Important

SSSD never caches passwords in plain text. It stores only a hash of the password.

While credentials are stored as a salted SHA-512 hash, this potentially poses a security risk in case an attacker manages to access the cache file and break a password using a brute force attack. Accessing a cache file requires privileged access, which is the default on RHEL.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.

  2. In a domain section, add the cache_credentials = true setting: 

    [domain/<domain_name>]
cache_credentials = true
    Copy to Clipboard Toggle word wrap

  3. Optional, but recommended: Configure a time limit for how long SSSD allows offline authentication if the identity provider is unavailable:

    1. Configure the PAM service to work with SSSD.

    2. Use the offline_credentials_expiration option to specify the time limit.

      Note that the limit is set in days.

      For example, to specify that users are able to authenticate offline for 3 days since the last successful login, use: 

      [pam]
offline_credentials_expiration = 3
      Copy to Clipboard Toggle word wrap

5.4. Configuring DNS Service Discovery
Copia collegamento

DNS service discovery enables applications to check the SRV records in a given domain for certain services of a certain type, and then returns any servers that match the required type. If the identity or authentication server is not explicitly defined in the /etc/sssd/sssd.conf file, SSSD can discover the server dynamically using DNS service discovery.

For example, if sssd.conf includes the id_provider = ldap setting, but the ldap_uri option does not specify any host name or IP address, SSSD uses DNS service discovery to discover the server dynamically.

Note

SSSD cannot dynamically discover backup servers, only the primary server.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.

  2. Set the primary server value to _srv_.

    For an LDAP provider, the primary server is set using the ldap_uri option: 

    [domain/<ldap_domain_name>]
id_provider = ldap
ldap_uri = _srv_
    Copy to Clipboard Toggle word wrap

  3. Enable service discovery in the password change provider by setting a service type: 

    [domain/<ldap_domain_name>]
id_provider = ldap
ldap_uri = _srv_

chpass_provider = ldap
ldap_chpass_dns_service_name = ldap
    Copy to Clipboard Toggle word wrap
  4. Optional: By default, the service discovery uses the domain portion of the system host name as the domain name. To use a different DNS domain, specify the domain name by using the dns_discovery_domain option.
  5. Optional: By default, the service discovery scans for the LDAP service type. To use a different service type, specify the type by using the ldap_dns_service_name option.
  6. Optional: By default, SSSD attempts to look up an IPv4 address. If the attempt fails, SSSD attempts to look up an IPv6 address. To customize this behavior, use the lookup_family_order option.

  7. For every service with which you want to use service discovery, add a DNS record to the DNS server: 

    _<service_name>.<protocol>.<domain_name> <TTL> <priority> <weight> <port_number> <hostname>_
    Copy to Clipboard Toggle word wrap

5.5. Configuring simple Access Provider Rules
Copia collegamento

The simple access provider allows or denies access based on a list of user names or groups. It enables you to restrict access to specific machines.

For example, you can use the simple access provider to restrict access to a specific user or group. Other users or groups will not be allowed to log in even if they authenticate successfully against the configured authentication provider.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.

  2. Set the access_provider option to simple: 

    [domain/<domain_name>]
access_provider = simple
    Copy to Clipboard Toggle word wrap

  3. Define the access control rules for users.

    1. To allow access to users, use the simple_allow_users option.

    2. To deny access to users, use the simple_deny_users option.

      Important

      If you deny access to specific users, you automatically allow access to everyone else. Allowing access to specific users is considered safer than denying.

  4. Define the access control rules for groups. Choose one of the following:

    1. To allow access to groups, use the simple_allow_groups option.

    2. To deny access to groups, use the simple_deny_groups option.

      Important

      If you deny access to specific groups, you automatically allow access to everyone else. Allowing access to specific groups is considered safer than denying.

      Example 5.3. Allowing access to specific users and groups

      The following example allows access to alice, bob, and members of engineers group, while denying access to all other users: 

      [domain/<domain_name>]
access_provider = simple
simple_allow_users = alice, bob
simple_allow_groups = engineers
      Copy to Clipboard Toggle word wrap
Important

Keeping the deny list empty can lead to allowing access to everyone.

Note

If you are adding a trusted AD user to the simple_allow_users list, ensure that you use the fully qualified domain name (FQDN) format, for example, aduser@ad.example.com. As short names in different domains can be the same, this prevents issues with the access control configuration.

5.6. Configuring SSSD to apply an LDAP access filter
Copia collegamento

When the access_provider option is set in /etc/sssd/sssd.conf, SSSD uses the specified access provider to evaluate which users are granted access to the system. If the access provider you are using is an extension of the LDAP provider type, you can also specify an LDAP access control filter that a user must match to be allowed access to the system.

For example, when using the Active Directory (AD) server as the access provider, you can restrict access to the Linux system only to specified AD users. All other users that do not match the specified filter have access denied.

Note

The access filter is applied on the LDAP user entry only. Therefore, using this type of access control on nested groups might not work. To apply access control on nested groups, see Configuring simple access provider rules.

Important

When using offline caching, SSSD checks if the user’s most recent online login attempt was successful. Users who logged in successfully during the most recent online login will still be able to log in offline, even if they do not match the access filter.

Prerequisites

  • root access

Procedure

  1. Open the /etc/sssd/sssd.conf file.

  2. In the [domain] section, specify the access control filter.

    • For an LDAP, use the ldap_access_filter option.

    • For an AD, use the ad_access_filter option. Additionally, you must disable the GPO-based access control by setting the ad_gpo_access_control option to disabled.

      Example 5.4. Allowing access to specific AD users

      For example, to allow access only to AD users who belong to the admins user group and have a unixHomeDirectory attribute set, use: 

      [domain/<ad_domain_name>]
access provider = ad
[... file truncated ...]
ad_access_filter = (&(memberOf=cn=admins,ou=groups,dc=example,dc=com)(unixHomeDirectory=*))
ad_gpo_access_control = disabled
      Copy to Clipboard Toggle word wrap

SSSD can also check results by the authorizedService or host attribute in an entry. In fact, all options MDASH LDAP filter, authorizedService, and host MDASH can be evaluated, depending on the user entry and the configuration. The ldap_access_order parameter lists all access control methods to use, ordered as how they should be evaluated. 

[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com
ldap_access_order = filter, host, authorized_service
Copy to Clipboard Toggle word wrap
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat