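# sssd.conf - SSSD configuration for an LDAP identity/auth domain with
# smartcard (PKCS#11) certificate authentication through PAM.
# Comments are kept on their own lines: text after a value is not
# guaranteed to be treated as a comment.

[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
# no_ocsp turns off OCSP revocation checks for smartcard certificates.
# A revoked certificate is then rejected only if another revocation
# source (for example a CRL) is configured. The value must be spelled
# exactly as in sssd.conf(5).
certificate_verification = no_ocsp
# no_verification would disable certificate validation entirely; keep it
# commented out outside of isolated test setups.
#certificate_verification = no_verification
# Verbose logging for troubleshooting; lower it once the setup works.
debug_level = 6

[nss]
#filter_users = root,admin,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]
# Enable certificate (smartcard) authentication in the PAM responder.
pam_cert_auth = True
# A leading "+" adds the service to the default set of PAM services that
# may use smartcard authentication. sshd is included here, so the remote
# login path is covered by certificate authentication as well.
pam_p11_allowed_services = +sddm, +sddm-helper, +kde, +sshd
# seconds
p11_wait_for_card_timeout = 10
# seconds
p11_child_timeout = 10
#debug_level = 6

# NOTE(review): "files" is not listed in "domains" in [sssd]; confirm
# whether this domain is meant to be active.
[domain/files]
id_provider = files

# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
ldap_schema = rfc2307
# ldap:// is a plaintext channel unless StartTLS is negotiated. With
# auth_provider = ldap, credentials travel over this connection, so use an
# ldaps:// URI or ldap_id_use_start_tls (see sssd-ldap(5)) in real
# deployments.
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com
# "never" skips validation of the LDAP server certificate; leave this
# commented out so the server identity is still checked.
#ldap_tls_reqcert = never
# NOTE(review): "filter" does not look like a documented sssd-ldap option;
# confirm it is recognised by the SSSD version in use.
filter = "(&(objectClass=posixAccount)(uid=%s))"
# LDAP attribute that holds the user's certificate.
ldap_user_certificate = userCertificate;binary
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
# Allow offline logins by locally storing password hashes (default: false).
# The hashes live in the local SSSD cache, so protect that cache like any
# other credential store.
cache_credentials = true

# Certificate mapping rule "bar" for the LDAP domain.
[certmap/LDAP/bar]
#matchrule = ^C = FR, ST = France, O = Example, CN = Example Intermediate CA$
# NOTE(review): sss-certmap(5) match rules are normally introduced by a tag
# such as <SUBJECT> or <ISSUER>; confirm this bare regular expression is
# evaluated against the intended certificate field.
matchrule = ^CN=bar,O=Example,ST=France,C=FR$
# Map to the LDAP entry whose userCertificate;binary value equals the
# presented certificate.
maprule = (userCertificate;binary={cert!bin})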