[sssd] config_file_version = 2 # Number of times services should attempt to reconnect in the # event of a crash or restart before they give up reconnection_retries = 3 # If a back end is particularly slow you can raise this timeout here sbus_timeout = 30 services = nss, pam # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. ; domains = LOCAL,LDAP domains = default [nss] # The following prevents SSSD from searching for the root user/group in # all domains (you can add here a comma-separated list of system accounts that # are always going to be /etc/passwd users, or that you want to filter out). filter_groups = root filter_users = root reconnection_retries = 3 # The entry_cache_timeout indicates the number of seconds to retain an # entry in cache before it is considered stale and must block to refresh. # The entry_cache_nowait_timeout indicates the number of seconds to # wait before updating the cache out-of-band. (NSS requests will still # be returned from cache until the full entry_cache_timeout). Setting this # value to 0 turns this feature off (default). ; entry_cache_timeout = 600 ; entry_cache_nowait_timeout = 300 [pam] reconnection_retries = 3 # Example domain configurations # Note that enabling enumeration in the following configurations will have a # moderate performance impact while enumerations are actually running, and # may increase the time necessary to detect network disconnection. # Consequently, the default value for enumeration is FALSE. # Refer to the sssd.conf man page for full details. # Example LOCAL domain that stores all users natively in the SSSD internal # directory. These local users and groups are not visible in /etc/passwd; it # now contains only root and system accounts. ; [domain/LOCAL] ; description = LOCAL Users domain ; id_provider = local ; enumerate = true ; min_id = 500 ; max_id = 999 # Example native LDAP domain # ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute # for group membership, or to "rfc2307bis", which uses the "member" attribute # to denote group membership. Changes to this setting affect only how we # determine the groups a user belongs to and will have no negative effect on # data about the user itself. If you do not know this value, ask an # administrator. ; [domain/LDAP] ; id_provider = ldap ; auth_provider = ldap ; ldap_schema = rfc2307 ; ldap_uri = ldap://ldap.mydomain.org ; ldap_search_base = dc=mydomain,dc=org ; ldap_tls_reqcert = demand ; cache_credentials = true ; enumerate = False # Example LDAP domain where the LDAP server is an Active Directory server. ; [domain/AD] ; description = LDAP domain with AD server ; enumerate = false ; min_id = 1000 ; debug_level = 0x0770 ; ; id_provider = ldap ; auth_provider = ldap ; ldap_uri = ldaps://example.com:636 ; ldap_tls_reqcert = allow ; ldap_schema = rfc2307bis ; ldap_search_base = dc=example,dc=com ; ldap_default_bind_dn = cn=mcronenworth,cn=Users,dc=example,dc=com ; ldap_default_authtok_type = password ; ldap_default_authtok = MY_PASSWORD ; ldap_user_object_class = person ; ldap_user_name = msSFU30Name ; ldap_user_uid_number = msSFU30UidNumber ; ldap_user_gid_number = msSFU30GidNumber ; ldap_user_home_directory = msSFU30HomeDirectory ; ldap_user_shell = msSFU30LoginShell ; ldap_user_principal = userPrincipalName ; ldap_group_object_class = group ; ldap_group_name = msSFU30Name ; ldap_group_gid_number = msSFU30GidNumber ; ldap_force_upper_case_realm = True [domain/default] # debug_level = 9 ldap_id_use_start_tls = False ldap_group_uuid = objectGUID ldap_user_uuid = objectGUID ldap_group_member = member ldap_user_member_of = memberOf ldap_user_krb_last_pwd_change = pwdLastSet ldap_user_uid_number = uidNumber chpass_provider = krb5 ldap_group_nesting_level = 1 krb5_auth_timeout = 5 krb5_renew_interval = 15 enumerate = True cache_credentials = True ldap_force_upper_case_realm = True ldap_user_principal = userPrincipalName ldap_user_object_class = user ldap_user_gid_number = gidNumber ldap_group_modify_timestamp = whenChanged ldap_group_object_class = group ldap_group_name = cn ldap_user_name = sAMAccountName ldap_ns_account_lock = userAccountControl auth_provider = krb5 ldap_search_timeout = 2 krb5_realm = FOOBAR.COM ldap_sasl_mech = gssapi ldap_krb5_ticket_lifetime = 86400 id_provider = ldap ldap_user_ad_account_expires = userAccountControl ldap_user_shell = loginShell ldap_schema = rfc2307bis ldap_network_timeout = 2 ldap_krb5_init_creds = True ldap_search_base = dc=foobar,dc=com ldap_user_home_directory = unixHomeDirectory ldap_user_modify_timestamp = whenChanged ldap_group_gid_number = gidNumber ldap_referrals = false ldap_group_nesting_level = 0