'\" t .\" Title: sssd-simple .\" Author: The SSSD upstream - https://github.com/SSSD/sssd/ .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 04/10/2024 .\" Manual: File Formats and Conventions .\" Source: SSSD .\" Language: English .\" .TH "SSSD\-SIMPLE" "5" "04/10/2024" "SSSD" "File Formats and Conventions" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" sssd-simple \- the configuration file for SSSD\*(Aqs \*(Aqsimple\*(Aq access\-control provider .SH "DESCRIPTION" .PP This manual page describes the configuration of the simple access\-control provider for \fBsssd\fR(8)\&. For a detailed syntax reference, refer to the \(lqFILE FORMAT\(rq section of the \fBsssd.conf\fR(5) manual page\&. .PP The simple access provider grants or denies access based on an access or deny list of user or group names\&. The following rules apply: .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If all lists are empty, access is granted .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If any list is provided, the order of evaluation is allow,deny\&. This means that any matching deny rule will supersede any matched allow rule\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If either or both "allow" lists are provided, all users are denied unless they appear in the list\&. .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} If only "deny" lists are provided, all users are granted access unless they appear in the list\&. .RE .sp .SH "CONFIGURATION OPTIONS" .PP Refer to the section \(lqDOMAIN SECTIONS\(rq of the \fBsssd.conf\fR(5) manual page for details on the configuration of an SSSD domain\&. .PP simple_allow_users (string) .RS 4 Comma separated list of users who are allowed to log in\&. .RE .PP simple_deny_users (string) .RS 4 Comma separated list of users who are explicitly denied access\&. .RE .PP simple_allow_groups (string) .RS 4 Comma separated list of groups that are allowed to log in\&. This applies only to groups within this SSSD domain\&. Local groups are not evaluated\&. .RE .PP simple_deny_groups (string) .RS 4 Comma separated list of groups that are explicitly denied access\&. This applies only to groups within this SSSD domain\&. Local groups are not evaluated\&. .RE .PP Specifying no values for any of the lists is equivalent to skipping it entirely\&. Beware of this while generating parameters for the simple provider using automated scripts\&. .PP Please note that it is an configuration error if both, simple_allow_users and simple_deny_users, are defined\&. .SH "EXAMPLE" .PP The following example assumes that SSSD is correctly configured and example\&.com is one of the domains in the \fI[sssd]\fR section\&. This examples shows only the simple access provider\-specific options\&. .PP .if n \{\ .RS 4 .\} .nf [domain/example\&.com] access_provider = simple simple_allow_users = user1, user2 .fi .if n \{\ .RE .\} .sp .SH "NOTES" .PP The complete group membership hierarchy is resolved before the access check, thus even nested groups can be included in the access lists\&. Please be aware that the \(lqldap_group_nesting_level\(rq option may impact the results and should be set to a sufficient value\&. (\fBsssd-ldap\fR(5)) option\&. .SH "SEE ALSO" .PP \fBsssd\fR(8), \fBsssd.conf\fR(5), \fBsssd-ldap\fR(5), \fBsssd-ldap-attributes\fR(5), \fBsssd-krb5\fR(5), \fBsssd-simple\fR(5), \fBsssd-ipa\fR(5), \fBsssd-ad\fR(5), \fBsssd-files\fR(5), \fBsssd-sudo\fR(5), \fBsssd-session-recording\fR(5), \fBsss_cache\fR(8), \fBsss_debuglevel\fR(8), \fBsss_obfuscate\fR(8), \fBsss_seed\fR(8), \fBsssd_krb5_locator_plugin\fR(8), \fBsss_ssh_authorizedkeys\fR(8), \fBsss_ssh_knownhostsproxy\fR(8), \fBsssd-ifp\fR(5), \fBpam_sss\fR(8)\&. \fBsss_rpcidmapd\fR(5) \fBsssd-systemtap\fR(5) .SH "AUTHORS" .PP \fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR