sssd-simple - the configuration file for SSSD's 'simple' access-control provider
This manual page describes the configuration of the simple access-control
provider for sssd(8). For a detailed syntax reference, refer to the
“FILE FORMAT” section of the sssd.conf(5) manual page.
The simple access provider grants or denies access based on an
access or deny list of user or group names. The following rules apply:
•If all lists are empty, access is granted
•If any list is provided, the order of evaluation
is allow,deny. This means that any matching deny rule will supersede any
matched allow rule.
•If either or both "allow" lists are
provided, all users are denied unless they appear in the list.
•If only "deny" lists are provided, all
users are granted access unless they appear in the list.
Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5)
manual page for details on the configuration of an SSSD domain.
Comma separated list of users who are allowed to log
Comma separated list of users who are explicitly denied
Comma separated list of groups that are allowed to log
in. This applies only to groups within this SSSD domain. Local groups are not
Comma separated list of groups that are explicitly denied
access. This applies only to groups within this SSSD domain. Local groups are
Specifying no values for any of the lists is equivalent to
skipping it entirely. Beware of this while generating parameters for the
simple provider using automated scripts.
Please note that it is an configuration error if both,
simple_allow_users and simple_deny_users, are defined.
The following example assumes that SSSD is correctly configured and example.com
is one of the domains in the [sssd] section. This examples shows only
the simple access provider-specific options.
The complete group membership hierarchy is resolved before the access check,
thus even nested groups can be included in the access lists. Please be aware
that the “ldap_group_nesting_level” option may impact the
results and should be set to a sufficient value. (sssd-ldap(5)) option.
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5),
sssd-simple(5), sssd-ipa(5), sssd-ad(5),
sssd-files(5), sssd-sudo(5), sssd-session-recording(5),
sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
access_provider = simple
simple_allow_users = user1, user2