Language and Page Formatting Options
30.3. Configuring SSSD to Work with System Services
SSSD worked with specialized services that run in tandem with the SSSD process itself. SSSD and its associated services are configured in the
sssd.conffile. on sections. The
[sssd]section also lists the services that are active and should be started when
sssdstarts within the
SSSD currently provides several services:
- A Name Service Switch (NSS) provider service that answers name service requests from the
sssd_nssmodule. This is configured in the
[nss]section of the SSSD configuration.
- A PAM provider service that manages a PAM conversation through the
sssd_pammodule. This is configured in the
[pam]section of the configuration.
monitor, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the
[sssd]section of the
If a DNS lookup fails to return an IPv4 address for a hostname, SSSD attempts to look up an IPv6 address before returning a failure. This only ensures that the asynchronous resolver identifies the correct address.
The hostname resolution behavior is configured in the
lookup family orderoption in the
30.3.1. Configuring NSS Services
SSSD provides an NSS module,
sssd_nss, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
220.127.116.11. About NSS Service Maps and SSSD
The Name Service Switch (NSS) provides a central configuration for services to look up a number of configuration and name resolution services. NSS provides one method of mapping system identities and services with configuration sources.
SSSD works with NSS as a provider services for several types of NSS maps:
- Passwords (
- User groups (
- Groups (
- Netgroups (
18.104.22.168. Configuring NSS Services to Use SSSD
NSS can use multiple identity and configuration providers for any and all of its service maps. The default is to use system files for services; for SSSD to be included, the
nss_sssmodule has to be included for the desired service type.
Use the Authentication Configuration tool to enable SSSD. This automatically configured the
nsswitch.conffile to use SSSD as a provider.
[root@server ~]# authconfig --enablesssd --update
This automatically configures the password, shadow, group, and netgroups services maps to use the SSSD module:
passwd: files sss shadow: files sss group: files sss netgroup: files sss
22.214.171.124. Configuring SSSD to Work with NSS
The options and configuration that SSSD uses to service NSS requests are configured in the SSSD configuration file, in the
- Open the
[root@server ~]# vim /etc/sssd/sssd.conf
- Make sure that NSS is listed as one of the services that works with SSSD.
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services =
- In the
[nss]section, change any of the NSS parameters. These are listed in Table 30.1, “SSSD [nss] Configuration Parameters”.
[nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
- Restart SSSD.
[root@server ~]# service sssd restart
Table 30.1. SSSD [nss] Configuration Parameters
|Parameter||Value Format||[root@server ~] Description|
|enum_cache_timeout||integer|| Specifies how long, in seconds, |
|entry_cache_nowait_percentage||integer|| Specifies how long |
This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval.
The allowed values for this option are 0 to 99, which sets the percentage based on the
|entry_negative_timeout||integer|| Specifies how long, in seconds, |
|filter_users, filter_groups||string|| Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as |
|filter_users_in_groups||Boolean|| Sets whether users listed in the |