Files
authentik/docs/integrations/infrastructure/sssd/index.md
Teffen Ellis 582812b3ec website: Flesh out docs split.
2025-07-01 21:53:19 +02:00
---
title: Integrate with sssd
sidebar_label: sssd
support_level: community
---
## What is sssd

> **SSSD** is an acronym for System Security Services Daemon. It is the client component of centralized identity management solutions such as FreeIPA, 389 Directory Server, Microsoft Active Directory, OpenLDAP and other directory servers. The client serves and caches the information stored in the remote directory server and provides identity, authentication and authorization services to the host machine.
>
> -- https://sssd.io/

Note that authentik supports _only_ user and group objects. As a consequence, it cannot be used to provide automount or sudo configuration, nor can it provide netgroups or services to `nss`. Kerberos is also not supported.
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik LDAP outpost installation.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is typically a fully qualified domain name (FQDN) representing your domain. It is often derived from the components of your base DN. For example, if `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io`, then the domain would be `ldap.goauthentik.io`.
- `ldap.searchGroup` refers to the "Search Group" that has permission to view all users and groups within authentik.
- `sssd.serviceAccount` is a service account created in authentik. sssd binds as this account to resolve every user and group, so it must be a member of `ldap.searchGroup`.
- `sssd.serviceAccountToken` is the service account token generated by authentik; it is used as the bind password.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::warning
The provider configuration assumes that connections to the outpost use LDAPS, with properly configured certificates on both authentik and the host running sssd. LDAPS is the recommended protocol for secure communication. For details on setting up SSL and StartTLS on the outpost, refer to [authentik's LDAP provider documentation](/docs/add-secure-apps/providers/ldap#ssl--starttls).
:::
## authentik configuration
Follow [official documentation](/docs/add-secure-apps/outposts/#create-and-configure-an-outpost) to create an **LDAP outpost**. If you already have an LDAP outpost configured, you can use it without additional setup. Apart from the service account and token listed under Preparation, no further configuration in authentik is needed.
## sssd configuration
First, install the necessary sssd packages on your host. Very likely the package is just `sssd`.
:::note
This guide will help you configure the `sssd.conf` file for LDAP only. You will likely need to perform other tasks for a usable setup like setting up auto-mounted or auto-created home directories that are beyond the scope of this guide. See the "additional resources" section for some help.
:::
Create a file at `/etc/sssd/sssd.conf` with contents similar to the following:
```ini
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[sssd]
config_file_version = 2
reconnection_retries = 3
domains = ${ldap.domain}
# "ssh" is only needed if you serve sshPublicKey through sss_ssh_authorizedkeys
services = nss, pam, ssh

[pam]
reconnection_retries = 3

[domain/${ldap.domain}]
cache_credentials = True
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
access_provider = ldap
# LDAPS with certificate verification (ldap_tls_reqcert defaults to hard).
# If the outpost certificate is not issued by a CA in the system trust store,
# add: ldap_tls_cacert = <path to the CA certificate>
ldap_uri = ldaps://${authentik.company}:636
ldap_schema = rfc2307bis
ldap_search_base = ${ldap.baseDN}
ldap_user_search_base = ou=users,${ldap.baseDN}
ldap_group_search_base = ${ldap.baseDN}
ldap_user_object_class = user
ldap_user_name = cn
ldap_group_object_class = group
ldap_group_name = cn
# Optionally, filter logins to only a specific group
#ldap_access_order = filter
#ldap_access_filter = memberOf=cn=authentik Admins,ou=groups,${ldap.baseDN}
# Bind credentials: the token is stored in clear text, so keep sssd.conf
# owned by root with mode 0600.
ldap_default_bind_dn = cn=${sssd.serviceAccount},ou=users,${ldap.baseDN}
ldap_default_authtok = ${sssd.serviceAccountToken}
```
You should now be able to start sssd; however, the system may not yet be set up to use it. Depending on your platform, you might need to use `authconfig` (or `authselect` on newer Fedora and RHEL releases) or `pam-auth-update` to configure your system. See the additional resources section for details. Once sssd is running, confirm that lookups work with `getent passwd <username>`; with `ssh` in `services`, `sss_ssh_authorizedkeys <username>` should print any `sshPublicKey` stored for that user.
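As an added check (example code written for this guide, not authentik's or SSSD's own tooling), the following Python script parses an `sssd.conf` and flags the settings that matter most here: a non-LDAPS `ldap_uri` without StartTLS, a weakened `ldap_tls_reqcert`, a missing or non-`ldap` `access_provider`, and an `ldap_access_filter` that is absent or does not require `ak-active=true`. The two embedded configs are constructed, with the guide's placeholders filled with assumed values; the option names and their defaults (`ldap_tls_reqcert = hard`, `ldap_id_use_start_tls = false`, `access_provider = permit`) are those documented in sssd-ldap(5) and sssd.conf(5).

```python
"""Audit the LDAP domain sections of an sssd.conf for weak settings.

Added example for this guide, not authentik's or SSSD's tooling. Option
names and defaults are those of sssd-ldap(5)/sssd.conf(5); the sample
configs are constructed with assumed values for the guide's placeholders.
"""
import configparser
from urllib.parse import urlsplit

# Constructed: the guide's config with plain LDAP, relaxed certificate
# checking and the access filter still commented out.
WEAK_CONF = """\
[sssd]
config_file_version = 2
domains = ldap.goauthentik.io
services = nss, pam, ssh

[domain/ldap.goauthentik.io]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://authentik.company:389
ldap_tls_reqcert = allow
ldap_schema = rfc2307bis
ldap_search_base = dc=ldap,dc=goauthentik,dc=io
#ldap_access_order = filter
#ldap_access_filter = ak-active=true
ldap_default_bind_dn = cn=sssd,ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_default_authtok = assumed-service-account-token
"""

# Constructed: the same domain over LDAPS with the access filter enabled.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
domains = ldap.goauthentik.io
services = nss, pam, ssh

[domain/ldap.goauthentik.io]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://authentik.company:636
ldap_schema = rfc2307bis
ldap_search_base = dc=ldap,dc=goauthentik,dc=io
ldap_access_order = filter
ldap_access_filter = (&(memberOf=cn=authentik Admins,ou=groups,dc=ldap,dc=goauthentik,dc=io)(ak-active=true))
ldap_default_bind_dn = cn=sssd,ou=users,dc=ldap,dc=goauthentik,dc=io
ldap_default_authtok = assumed-service-account-token
"""

WEAK_REQCERT = {"never", "allow", "try"}  # values that do not enforce the server certificate


def parse_sssd_conf(text):
    # sssd.conf is INI-style; interpolation is off so '%' in values stays literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_domain(dom):
    """Return (level, message) findings for one [domain/...] section."""
    findings = []
    uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
    start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldaps" or (scheme == "ldap" and start_tls):
            continue
        findings.append(("warn", f"{uri}: not LDAPS and ldap_id_use_start_tls is off; "
                                 "bind credentials and passwords cross the network unencrypted"))
    reqcert = dom.get("ldap_tls_reqcert", "hard").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(("warn", f"ldap_tls_reqcert = {reqcert}: the outpost certificate is not "
                                 "verified, so TLS does not stop an active attacker"))
    access = dom.get("access_provider", "permit").lower()
    if access != "ldap":
        findings.append(("warn", f"access_provider = {access}: ldap_access_filter is ignored; "
                                 "every account sssd can resolve may log in"))
    elif "ldap_access_filter" not in dom:
        findings.append(("warn", "ldap_access_filter is not set: nothing restricts logins "
                                 "to active accounts (ak-active=true)"))
    elif "ak-active=true" not in dom["ldap_access_filter"]:
        findings.append(("warn", "ldap_access_filter does not require ak-active=true: "
                                 "disabled authentik accounts can still log in"))
    if "ldap_default_authtok" in dom:
        findings.append(("info", "ldap_default_authtok is stored in clear text: keep sssd.conf "
                                 "owned by root with mode 0600"))
    return findings


def audit(text):
    """Audit every domain listed in [sssd]; returns a list of (level, message)."""
    cp = parse_sssd_conf(text)
    if "sssd" not in cp:
        return [("warn", "[sssd] section missing")]
    findings = []
    for name in [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]:
        section = f"domain/{name}"
        if section not in cp:
            findings.append(("warn", f"domain {name} listed in [sssd] but [{section}] is missing"))
            continue
        findings.extend((lvl, f"[{section}] {msg}") for lvl, msg in audit_domain(cp[section]))
    return findings


def warnings(text):
    """Only the findings that need fixing before the host goes into service."""
    return [msg for lvl, msg in audit(text) if lvl == "warn"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for lvl, msg in audit(conf):
            print(f"{lvl}: {msg}")
```

Run it against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; a clean result has no `warn` entries. The `info` entry about `ldap_default_authtok` appears whenever a bind token is configured, as a reminder to check the file's ownership and mode.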
:::note
You can store SSH authorized keys in LDAP by adding the `sshPublicKey` attribute to any user with their public key as the value. With `ssh` listed in `services`, sssd serves these keys through `sss_ssh_authorizedkeys`; point sshd's `AuthorizedKeysCommand` (together with an `AuthorizedKeysCommandUser`) at that command.
Please note that by default, sssd returns all user accounts, active and disabled. This means that disabled user accounts can still authenticate via `sshPublicKey`. To prevent this, filter out disabled user accounts by adding the following lines to the `[domain/${ldap.domain}]` section of your `sssd.conf` file:
```ini
ldap_access_order = filter
ldap_access_filter = ak-active=true
```
sssd reads a single `ldap_access_filter` per domain, so if you also restrict logins to a group, combine both conditions in one filter, for example `(&(memberOf=cn=authentik Admins,ou=groups,${ldap.baseDN})(ak-active=true))`.
:::
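As an added example (not code from the guide, authentik or SSSD), the following builds one `ldap_access_filter` from a list of group DNs plus the `ak-active=true` condition, with RFC 4515 escaping so a group name containing `(`, `)`, `*` or `\` cannot change the filter's meaning. The group DN and base DN used in it are assumed values.

```python
"""Build a single ldap_access_filter combining group membership and ak-active.

Added example, not part of the guide or authentik. The base DN and group
names are assumed values standing in for the guide's placeholders.
"""

# RFC 4515 section 3: these characters must be escaped as \XX inside an
# assertion value; left unescaped they alter the structure of the filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_access_filter(group_dns=(), require_active=True):
    """Return a filter matching active members of any of the given groups.

    memberOf values are the group DNs the authentik LDAP outpost returns
    (cn=<group>,ou=groups,<baseDN>); they are escaped as filter values.
    """
    terms = []
    group_terms = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if len(group_terms) == 1:
        terms.append(group_terms[0])
    elif group_terms:
        terms.append("(|" + "".join(group_terms) + ")")  # member of any listed group
    if require_active:
        terms.append("(ak-active=true)")  # authentik's "is active" attribute
    if not terms:
        raise ValueError("at least one group or require_active=True is needed")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def sssd_access_lines(group_dns=(), require_active=True):
    """Render the two lines to place in the [domain/...] section of sssd.conf."""
    return [
        "ldap_access_order = filter",
        f"ldap_access_filter = {build_access_filter(group_dns, require_active)}",
    ]


if __name__ == "__main__":
    base_dn = "dc=ldap,dc=goauthentik,dc=io"  # assumed value for ${ldap.baseDN}
    admins = f"cn=authentik Admins,ou=groups,{base_dn}"
    print("\n".join(sssd_access_lines([admins])))
```

Passing several group DNs ORs them inside the AND, so the result still requires `ak-active=true` for every group; passing none yields the plain `(ak-active=true)` filter from the note above.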
## Additional Resources
The setup of sssd might vary based on Linux distribution and version; here are some resources that can help you get this set up:
:::note
authentik provides a plain LDAP server, not an Active Directory domain. Be sure you are looking at the LDAP sections of these guides rather than the Active Directory or FreeIPA ones.
:::
- [SSSD Docs - Quick Start LDAP](https://sssd.io/docs/quick-start.html#quick-start-ldap)
- [RedHat Docs - Configuring System Services for SSSD](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services)
- [Ubuntu Docs - Introduction to network user authentication with SSSD](https://ubuntu.com/server/docs/service-sssd)
- [Debian Manpages - SSSD LDAP provider](https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html)
- [Arch Linux Wiki - LDAP authentication](https://wiki.archlinux.org/title/LDAP_authentication)