SSSD Configuration - files /etc/sssd/sssd.conf and /etc/sssd.conf.d/*

SSSD configuration files are in INI format.

Example

[sssd] services = nss, sudo domains = test

[sudo] debug_level = 0xfff0

[domain/test] id_provider = ldap ldap_uri = ldap://ldap.test

SSSDConf - file /etc/sssd/sssd.conf

SSSDConfd - files under /etc/sssd/conf.d/*.conf

class insights.parsers.sssd_conf.SSSDConf(context)[source]

Bases: IniConfigFile

Parse the content of the /etc/sssd/sssd.conf.

The file format is standard ini file.

getboolean(section, option)[source]
Returns:

Returns boolean form based on the data from get.

Return type:

bool

class insights.parsers.sssd_conf.SSSDConfd(context)[source]

Bases: SSSDConf

Parse the content of configuration snippet under /etc/sssd/conf.d/*.conf.

The file format is standard ini file.

class insights.parsers.sssd_conf.SSSD_Config(context)[source]

Bases: IniConfigFile

Parse the content of the /etc/sssd/sssd.config file.

The ‘sssd’ section must always exist. Within that, the ‘domains’ parameter is usually defined to give a comma-separated list of the domains that sssd is to manage.

The ‘sssd’ section will define one or more active domains, which are then configured in the ‘domain/{domain}’ section of the configuration. These domains are then available via the ‘domains’ method, and the configuration of a domain can be fetched as a dictionary using the ‘domain_config’ method.

Sample configuration:

[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LOCAL,LDAP
domains = example.com
debug_level = 9

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/example.com]
id_provider = ldap
lookup_family_order = ipv4_only
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
enumerate = False
hbase_directory= /home
create_homedir = True
override_homedir = /home/%u
auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM

Example

>>> type(conf)
<class 'insights.parsers.sssd_conf.SSSD_Config'>
>>> conf.get('nss', 'filter_users')
'root'
>>> conf.getint('pam', 'reconnection_retries')
3
>>> conf.domains
['example.com']
>>> domain = conf.domain_config('example.com')
>>> 'ldap_uri' in domain
True
domain_config(domain)[source]

Return the configuration dictionary for a specific domain, given as the raw name as listed in the ‘domains’ property of the sssd section. This then looks for the equivalent ‘domain/{domain}’ section of the config file.

property domains

Returns the list of domains defined in the ‘sssd’ section. This is used to refer to the domain-specific sections of the configuration.