From 821006747931165b5f8295b6026dfba4c92c76ac Mon Sep 17 00:00:00 2001 From: Dewi Roberts Date: Wed, 25 Jun 2025 17:01:23 +0100 Subject: [PATCH] website/integrations: add ssh active user filter to sssd integration doc (#15203) * Update sssd integration doc * Improve language * Update website/integrations/services/sssd/index.md Co-authored-by: Tana M Berry Signed-off-by: Dewi Roberts * Update website/integrations/services/sssd/index.md Co-authored-by: Tana M Berry Signed-off-by: Dewi Roberts * Update website/integrations/services/sssd/index.md Co-authored-by: Tana M Berry Signed-off-by: Dewi Roberts * Update website/integrations/services/sssd/index.md Co-authored-by: Dominic R Signed-off-by: Dewi Roberts * Update website/integrations/services/sssd/index.md Co-authored-by: Dominic R Signed-off-by: Dewi Roberts * Minor changes --------- Signed-off-by: Dewi Roberts Co-authored-by: Tana M Berry Co-authored-by: Dominic R --- website/integrations/services/sssd/index.md | 61 ++++++++------------- 1 file changed, 24 insertions(+), 37 deletions(-) diff --git a/website/integrations/services/sssd/index.md b/website/integrations/services/sssd/index.md index 75de2b58dd..509045aeb9 100644 --- a/website/integrations/services/sssd/index.md +++ b/website/integrations/services/sssd/index.md @@ -10,10 +10,7 @@ support_level: community > > -- https://sssd.io/ -Note that authentik supports _only_ user and group objects. As -a consequence, it cannot be used to provide automount or sudo -configuration nor can it provide netgroups or services to `nss`. -Kerberos is also not supported. +Note that authentik supports _only_ user and group objects. As a consequence, it cannot be used to provide automount or sudo configuration, nor can it provide netgroups or services to `nss`. Kerberos is also not supported. ## Preparation 
@@ -21,15 +18,10 @@ The following placeholders are used in this guide: - `authentik.company` is the FQDN of the authentik LDAP outpost installation. - `ldap.baseDN` is the Base DN you configure in the LDAP provider. -- `ldap.domain` is (typically) an FQDN for your domain. Usually - it is just the components of your base DN. For example, if - `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain - might be `ldap.goauthentik.io`. -- `ldap.searchGroup` is the "Search Group" that can can see all - users and groups in authentik. +- `ldap.domain` is typically a fully qualified domain name (FQDN) representing your domain. It’s often derived from the components of your base DN. For example, if `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io`, then the domain would be `ldap.goauthentik.io`. +- `ldap.searchGroup` refers to the "Search Group" that has permission to view all users and groups within authentik. - `sssd.serviceAccount` is a service account created in authentik -- `sssd.serviceAccountToken` is the service account token generated - by authentik. +- `sssd.serviceAccountToken` is the service account token generated by authentik. :::note This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. 
@@ -45,19 +37,13 @@ Follow [official documentation](/docs/add-secure-apps/outposts/#create-and-confi ## sssd configuration -First, install the necessary sssd packages on your host. Very likely -the package is just `sssd`. +First, install the necessary sssd packages on your host. Very likely the package is just `sssd`. :::note -This guide well help you configure the `sssd.conf` for LDAP only. You -will likely need to perform other tasks for a usable setup -like setting up automounted or autocreated home directories that -are beyond the scope of this guide. See the "additional resources" -section for some help. +This guide will help you configure the `sssd.conf` file for LDAP only. You will likely need to perform other tasks for a usable setup like setting up auto-mounted or auto-created home directories that are beyond the scope of this guide. See the "additional resources" section for some help. ::: -Create a file at `/etc/sssd/sssd.conf` with contents similar to -the following: +Create a file at `/etc/sssd/sssd.conf` with contents similar to the following: ```ini [nss] 
@@ -100,29 +86,30 @@ ldap_default_bind_dn = cn=${sssd.serviceAccount},ou=users,${ldap.baseDN} ldap_default_authtok = ${sssd.serviceAccountToken} ``` -You should now be able to start sssd; however, the system may not -yet be setup to use it. Depending on your platform, you may need to -use `authconfig` or `pam-auth-update` to configure your system. See -the additional resources section for details. +You should now be able to start sssd; however, the system may not yet be set up to use it. Depending on your platform, you might need to use `authconfig` or `pam-auth-update` to configure your system. See the additional resources section for details. :::note -You can store SSH authorized keys in LDAP by adding the -`sshPublicKey` attribute to any user with their public key as -the value. +You can store SSH authorized keys in LDAP by adding the `sshPublicKey` attribute to any user with their public key as the value. + +Please note that by default, sssd returns all user accounts; active and disabled. This means that disabled user accounts can still authenticate via `sshPublicKey`. To prevent this, you can filter out disabled user accounts by adding the following lines to the LDAP section of your `sssd.conf` file: + +```ini +#ldap_access_order = filter +#ldap_access_filter = ak-active=true +``` + ::: ## Additional Resources -The setup of sssd may vary based on Linux distribution and version, -here are some resources that can help you get this setup: +The setup of sssd might vary based on Linux distribution and version; here are some resources that can help you get this set up: :::note -authentik is providing a simple LDAP server, not an Active Directory -domain. Be sure you're looking at the correct sections in these guides. +authentik is providing a simple LDAP server, not an Active Directory domain. Be sure you're looking at the correct sections in these guides. 
::: -- https://sssd.io/docs/quick-start.html#quick-start-ldap -- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services -- https://ubuntu.com/server/docs/service-sssd -- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html -- https://wiki.archlinux.org/title/LDAP_authentication +- [SSSD Docs - Quick Start LDAP](https://sssd.io/docs/quick-start.html#quick-start-ldap) +- [RedHat Docs - Configuring System Services for SSSD](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services) +- [Ubuntu Docs - Introduction to network user authentication with SSSD](https://ubuntu.com/server/docs/service-sssd) +- [Debian Manpages - SSSD LDAP provider](https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html) +- [Arch Linux Wiki - LDAP authentication](https://wiki.archlinux.org/title/LDAP_authentication)
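Review bot: In the `@@ -21,15 +18,10 @@` hunk, the rewritten `ldap.domain` bullet uses a typographic apostrophe in "It’s" while the rest of the file uses ASCII apostrophes (for example "you're" in the note under "Additional Resources"); use `It's` so the source stays consistent. In the same list, the bullets that were rewritten now end with a period but the untouched `sssd.serviceAccount` bullet still does not, so the list reads unevenly after this change; adding the period there while the list is being touched would keep the punctuation consistent.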
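Review bot: In the `@@ -100,29 +86,30 @@` hunk, the two added `ldap_access_*` lines are commented out with a leading `#`, so a reader who follows the instruction to "add the following lines" and pastes them as written gets no filtering at all, and disabled accounts keep authenticating exactly as the preceding sentence warns. Since the text presents these as the lines to add, drop the `#` prefixes so the snippet is `ldap_access_order = filter` and `ldap_access_filter = ak-active=true`. It is also worth stating in the note that the filter is only enforced when the domain section selects the LDAP access provider (`access_provider = ldap`); the hunk's context starts at `ldap_default_bind_dn`, so it is not visible whether the example config already sets that, and without it the filter is silently ignored. Two smaller points: the filter is evaluated for every login that goes through sssd, not only `sshPublicKey`-based SSH logins, so the sentence "disabled user accounts can still authenticate via `sshPublicKey`" undersells what the setting does; and "all user accounts; active and disabled" should use a comma or colon rather than a semicolon.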