English
# apply filter on domain called dom1 only:
dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)

# apply filter on domain called dom2 only:
DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)

# apply filter on forest called EXAMPLE.COM only:
FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

# apply filter for a member of a nested group in dom1:
DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
...
auth sufficient pam_sss_gss.so
...
auth sufficient pam_sss.so allow_missing_name
auto_private_groups
batch
Built-in
By default, SSSD will attempt to use inotify to monitor configuration file changes and will fall back to polling every five seconds if inotify cannot be used.
cache_credentials (bool)
cache_first
case_sensitive
{cert[!(bin|base64)]}
certificate_verification
[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (userCertificate;binary={cert!bin})
domains = my.domain, your.domain
priority = 10

[certmap/files/myname]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$<SUBJECT>^CN=User.Name,DC=MY,DC=DOMAIN$
<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</command> for host key authentication by using the following directives for <citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></citerefentry> configuration: <placeholder type="programlisting" id="0"/>
<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-files</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase condition="with_sudo"> <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="with_ssh"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, </phrase> <phrase condition="with_ifp"> <citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> 
<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> <refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <phrase condition="with_stap"> <citerefentry> <refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> </phrase>
ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:
ckent:superman::::::
clientAuth
client_idle_timeout