SSSD recognizes domains, which are entries within the SSSD configuration file associated with different, external data sources. A domain is a combination of an identity provider (for user information) and, optionally, other providers, such as an authentication provider (for authentication requests) and providers for other operations, such as password changes. (The identity provider can also be used for all operations, if all operations are performed within a single domain or server.)
SSSD works with different LDAP identity providers (including OpenLDAP, Red Hat Directory Server, and Microsoft Active Directory) and can use native LDAP authentication, Kerberos authentication, or provider-specific authentication protocols (such as Active Directory).
A domain configuration defines the identity provider, the authentication provider, and any specific configuration to access the information in those providers. There are several types of identity and authentication providers:
- LDAP, for general LDAP servers
- Active Directory (an extension of the LDAP provider type)
- Identity Management (an extension of the LDAP provider type)
- Local, for the local SSSD database
- Kerberos (authentication provider only)
Table 13.6. Identity Store and Authentication Type Combinations

| Identification Provider | Authentication Provider |
|---|---|
| Identity Management (LDAP) | Identity Management (LDAP) |
| Active Directory (LDAP) | Active Directory (LDAP) |
| Active Directory (LDAP) | Kerberos |
| LDAP | LDAP |
| LDAP | Kerberos |
| proxy | LDAP |
| proxy | Kerberos |
| proxy | proxy |
Along with the domain entry itself, the domain name must be added to the list of domains that SSSD will query. For example:
```
domains = LOCAL,Name

id_provider = type
auth_provider = type
provider_specific = value
global = value
```

Global attributes are available to any type of domain, such as cache and timeout settings. Each identity and authentication provider has its own set of required and optional configuration parameters.
Table 13.7. General [domain] Configuration Parameters

| Parameter | Value Format | Description |
|---|---|---|
| id_provider | string | Specifies the data back end to use for this domain. The supported identity back ends are: ipa (Identity Management in Red Hat Enterprise Linux); ad (Microsoft Active Directory); proxy, for a legacy NSS provider, such as nss_nis (using a proxy ID provider also requires specifying the legacy NSS library to load to start successfully, set in the ); local, the SSSD internal local provider. |
| auth_provider | string | Sets the authentication provider used for the domain. The default value for this option is the value of id_provider. The supported authentication providers are ldap, ipa, ad, krb5 (Kerberos), proxy, and none. |
| min_id, max_id | integer | Optional. Specifies the UID and GID range for the domain. If a domain contains entries that are outside that range, they are ignored. The default value for min_id is 1; the default value for max_id is 0, which is unlimited. The default min_id value is the same for all types of identity provider. If LDAP directories are using UID numbers that start at one, it could cause conflicts with users in the local /etc/passwd file. To avoid these conflicts, set min_id to 1000 or higher. |
| cache_credentials | Boolean | Optional. Specifies whether to store user credentials in the local SSSD domain database cache. The default value for this parameter is false. Set this value to true for domains other than the LOCAL domain to enable offline authentication. |
| entry_cache_timeout | integer | Optional. Specifies how long, in seconds, SSSD should cache positive cache hits. A positive cache hit is a successful query. |
| use_fully_qualified_names | Boolean | Optional. Specifies whether requests to this domain require fully qualified domain names. If set to true, all requests to this domain must use fully qualified domain names. It also means that the output from the request displays the fully qualified name. Restricting requests to fully qualified user names allows SSSD to differentiate between domains with users with conflicting user names. If use_fully_qualified_names is set to false, it is possible to use the fully qualified name in the requests, but only the simplified version is displayed in the output. SSSD can only parse names based on the domain name, not the realm name. The same name can be used for both domains and realms, however. |
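As an added example (not from the Red Hat documentation or the SSSD project), the following Python script reads an sssd.conf and checks a domain section against the rules in Tables 13.6 and 13.7: the domain is listed in the domains option, the id_provider/auth_provider pair is a supported combination, min_id is high enough to avoid /etc/passwd conflicts, and non-LOCAL domains have cache_credentials enabled for offline authentication. It assumes the standard sssd.conf layout, a [sssd] section holding domains and one [domain/NAME] section per domain, and the configuration text itself is constructed for the example.

```python
import configparser
# Provider names from Table 13.7 and the id/auth pairings from Table 13.6.
ID_PROVIDERS = {"ldap", "ipa", "ad", "proxy", "local"}
AUTH_PROVIDERS = {"ldap", "ipa", "ad", "krb5", "proxy", "none"}
ALLOWED_PAIRS = {("ipa", "ipa"), ("ad", "ad"), ("ad", "krb5"), ("ldap", "ldap"),
                 ("ldap", "krb5"), ("proxy", "ldap"), ("proxy", "krb5"), ("proxy", "proxy")}
# Constructed sssd.conf for this example; the "corp" domain is deliberately wrong.
SAMPLE_CONF = """\
[sssd]
domains = LOCAL, example.com
[domain/LOCAL]
id_provider = local
[domain/example.com]
id_provider = ldap
auth_provider = krb5
min_id = 1
[domain/corp]
id_provider = ad
auth_provider = proxy
cache_credentials = true
"""

def check_sssd_conf(text):
    """Return a list of findings (strings) for an sssd.conf given as text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    listed = set()
    if cfg.has_option("sssd", "domains"):
        listed = {d.strip() for d in cfg.get("sssd", "domains").split(",") if d.strip()}
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        name, dom = section[len("domain/"):], cfg[section]
        if name not in listed:
            findings.append(f"{name}: not listed in [sssd] domains, so SSSD never queries it")
        id_p = dom.get("id_provider")
        if id_p not in ID_PROVIDERS:
            findings.append(f"{name}: unsupported or missing id_provider {id_p!r}")
            continue
        auth_p = dom.get("auth_provider", id_p)  # default is the id_provider value
        if id_p != "local" and auth_p not in AUTH_PROVIDERS:
            findings.append(f"{name}: unsupported auth_provider {auth_p!r}")
        elif id_p != "local" and auth_p != "none" and (id_p, auth_p) not in ALLOWED_PAIRS:
            findings.append(f"{name}: {id_p}/{auth_p} is not a combination from Table 13.6")
        if id_p != "local" and dom.getint("min_id", 1) < 1000:  # default min_id is 1
            findings.append(f"{name}: min_id below 1000 can collide with local /etc/passwd UIDs")
        if name != "LOCAL" and not dom.getboolean("cache_credentials", False):
            findings.append(f"{name}: cache_credentials is false, so offline authentication is unavailable")
    return findings
```

Running check_sssd_conf(SAMPLE_CONF) reports two findings for example.com (min_id and cache_credentials) and three for corp (not listed, unsupported ad/proxy pairing, and min_id).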