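# sssd 1.9.4 configuration
#
# This file holds the LDAP bind password in clear text (ldap_default_authtok).
# sssd requires it to be a regular file owned by root that only root can read
# or write (mode 0600).

[sssd]
config_file_version = 2
services = nss, pam, sudo
reconnection_retries = 3
try_inotify = true
domains = MY-LDAP, LOCAL
# Very verbose troubleshooting output; lower this once the setup works, since
# verbose logs can expose directory and account details to anyone who can
# read them.
debug_level = 10

[nss]
# root is never resolved through sssd, so a directory entry cannot shadow it.
filter_users = root
filter_groups = root
filter_users_in_groups = false
entry_cache_timeout = 600
entry_cache_nowait_timeout = 300

[pam]
# 0 = cached logins stay valid indefinitely while the provider is offline.
offline_credentials_expiration = 0
# 0 = no limit on failed offline logins, so guesses against the cached
# credentials are not throttled. Set a limit if the host can be taken offline
# by an untrusted party.
offline_failed_login_attempts = 0

[sudo]
sudo_timed = false

[domain/LOCAL]
id_provider = local
auth_provider = local
sudo_provider = local

[domain/MY-LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
# Directory accounts with a UID/GID below this are ignored.
min_id = 1000
enumerate = true
# Stores credential hashes in the local cache so users can log in offline.
# Combined with the [pam] settings above, these never expire.
cache_credentials = true
# 0 = cached account entries are kept forever.
account_cache_expiration = 0
ldap_group_search_base = ou=groups,o=Example
ldap_sudo_search_base = ou=sudo,o=Example
ldap_search_base = o=Example
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_group_uuid = entryUUID
ldap_user_member_of = memberOf
ldap_group_member = member
ldap_group_nesting_level = 0
# LDAP URL for contacting load-balancer address
ldap_uri = ldaps://ldap.example.com
# Use a dedicated bind account with read-only access to the search bases.
ldap_default_bind_dn = cn=server1,ou=hosts,o=Example
# "*password*" is a placeholder for the real bind password.
ldap_default_authtok = *password*
# none = password expiry is not evaluated on the client; the server-side
# policy still applies.
ldap_pwd_policy = none
ldap_referrals = false
# false = sudo rules are fetched regardless of their sudoHost attribute.
ldap_sudo_use_host_filter = false
# Server certificate validation is enforced. 'allow' would ignore a bad
# certificate and continue, which lets anyone on the network path impersonate
# the LDAP server and capture the bind password and user credentials.
# A self-signed or private-CA certificate does not need 'allow': put the
# signing certificate in the ldap_tls_cacert file below, and make sure the
# server certificate names the host used in ldap_uri.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/my_cacerts.crt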