4.8.3. Managing local users and groups with SSSD
Though the SIMP team highly recommends using LDAP to centrally manage your users, you may also wish to manage users via the local system.
Note
Prior to SSSD 1.16 (EL 7+), there was a LOCAL provider. This has been fully deprecated as of EL 8 and should no longer be used.
If you still need to use this capability, please see the documentation for
sssd::provider::local directly.
This section walks you through setting up local user and group support using the
SIMP sssd module.
The following examples assume that you are using the site module to set up
your users. The examples are easily extrapolated into defined types but are
presented as classes for simplicity.
4.8.3.1. The Simple Method
If you only want SSSD to pull from /etc/passwd and /etc/group, set the
following in Hiera:
---
sssd::enable_files_domain: true
4.8.3.2. Using Alternate Files
If you want to use your own files, as documented in the sssd-files(5) man page, then you will need to set up an explicit domain with the correct settings.
To do this, use the following Puppet code:
Important
The module will not manage the target files for you. You must ensure that the files have the correct content and exist prior to restarting SSSD.
class site::sssd_local {
  sssd::provider::files { 'local':
    passwd_files => ['/usr/local/etc/passwd'],
    group_files  => ['/usr/local/etc/group']
  }
  sssd::domain { 'local':
    description => 'Default Local Domain',
    id_provider => 'files',
  }
}
In default.yaml:
simp::classes:
- 'site::sssd_local'
In Hiera, you will need to add the local sssd domain to
sssd::domains if it does not already exist.
If you wish to include the domain in all of $simp_options::trusted_nets, add
the sssd::domains variable to default.yaml, copy the existing domains from
simp_config_settings.yaml, and add local to the list of domain id_providers.
In default.yaml:
sssd::domains:
- 'local'
- <existing domains, ex. LDAP>
Run puppet.
A local domain should be created and referenced in /etc/sssd/sssd.conf and the
sssd service should be running.
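Because the module does not manage the files named in passwd_files and group_files, it is worth checking them before running Puppet and restarting SSSD. The following is an added example, not part of the SIMP documentation or the sssd module: a Python pre-flight check for missing files, loose permissions, malformed entries, extra UID 0 accounts and primary GIDs absent from the group file. The names read_entries, check_files and demo are hypothetical, and the sample entries are constructed.

```python
import os
import tempfile
from pathlib import Path

def read_entries(path, nfields, problems):
    """Parse a colon-delimited passwd(5)/group(5) style file into field lists."""
    if not os.path.isfile(path):
        problems.append(f"{path}: missing or not a regular file")
        return []
    if os.stat(path).st_mode & 0o022:
        problems.append(f"{path}: writable by group or others")
    entries = []
    with open(path, encoding="utf-8") as fh:
        for n, line in enumerate(fh, 1):
            fields = line.rstrip("\n").split(":")
            if fields == [""]:
                continue  # blank line
            if len(fields) != nfields or not fields[0] or not fields[2].isdecimal():
                problems.append(f"{path}:{n}: malformed entry")
                continue
            entries.append(fields)
    return entries

def check_files(passwd_path, group_path):
    """Return a list of problems found in the alternate passwd/group files."""
    problems = []
    users = read_entries(passwd_path, 7, problems)
    gids = {int(g[2]) for g in read_entries(group_path, 4, problems)}
    for name, _pw, uid, gid, *_rest in users:
        if int(uid) == 0 and name != "root":
            problems.append(f"{passwd_path}: {name} has UID 0")
        if not gid.isdecimal() or int(gid) not in gids:
            problems.append(f"{passwd_path}: {name} primary GID {gid!r} not in {group_path}")
    return problems

def demo():
    """Run the checks on constructed sample files (not real account data)."""
    d = Path(tempfile.mkdtemp())
    pw, gr = d / "passwd", d / "group"
    pw.write_text("alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
                  "svc:x:0:1000::/:/bin/sh\n"
                  "bob:x:1001:2000:Bob:/home/bob\n")
    gr.write_text("staff:x:1000:alice\n")
    pw.chmod(0o666)  # deliberately weak mode for the demonstration
    gr.chmod(0o644)
    return check_files(pw, gr)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real host, call check_files('/usr/local/etc/passwd', '/usr/local/etc/group') with the paths from the class above and treat a non-empty result as a reason not to restart SSSD yet.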
4.8.4. Additional Resources
If you have any issues logging in, you may want to see the Troubleshooting Common Issues section of the documentation.