summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/examples/sssd-example.conf100
1 files changed, 28 insertions, 72 deletions
diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf
index e0b25637..b18c4049 100644
--- a/src/examples/sssd-example.conf
+++ b/src/examples/sssd-example.conf
@@ -1,95 +1,51 @@
[sssd]
config_file_version = 2
-
-# Number of times services should attempt to reconnect in the
-# event of a crash or restart before they give up
-reconnection_retries = 3
-
-# If a back end is particularly slow you can raise this timeout here
-sbus_timeout = 30
services = nss, pam
-
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
-; domains = LOCAL,LDAP
+; domains = LDAP
[nss]
-# The following prevents SSSD from searching for the root user/group in
-# all domains (you can add here a comma-separated list of system accounts that
-# are always going to be /etc/passwd users, or that you want to filter out).
-filter_groups = root
-filter_users = root
-reconnection_retries = 3
-
-# The entry_cache_nowait_percentage indicates the percentage of the
-# entry_cache_timeout to wait before updating the cache out-of-band.
-# (NSS requests will still be returned from cache until the full
-# entry_cache_timeout). Setting this value to 0 turns this feature
-# off (default).
-; entry_cache_nowait_percentage = 50
[pam]
-reconnection_retries = 3
-# Example domain configurations
-# Note that enabling enumeration in the following configurations will have a
-# moderate performance impact while enumerations are actually running, and
-# may increase the time necessary to detect network disconnection.
-# Consequently, the default value for enumeration is FALSE.
-# Refer to the sssd.conf man page for full details.
-
-# Example LOCAL domain that stores all users natively in the SSSD internal
-# directory. These local users and groups are not visible in /etc/passwd; it
-# now contains only root and system accounts.
-; [domain/LOCAL]
-; description = LOCAL Users domain
-; id_provider = local
-; enumerate = true
-; min_id = 500
-; max_id = 999
-
-# Example native LDAP domain
-# ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute
-# for group membership, or to "rfc2307bis", which uses the "member" attribute
-# to denote group membership. Changes to this setting affect only how we
-# determine the groups a user belongs to and will have no negative effect on
-# data about the user itself. If you do not know this value, ask an
-# administrator.
+# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
+# ldap_schema can be set to "rfc2307", which stores group member names in the
+# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
+# the "member" attribute. If you do not know this value, ask your LDAP
+# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
-; ldap_tls_reqcert = demand
-; cache_credentials = true
-; enumerate = False
-; entry_cache_timeout = 5400
-
-# Example LDAP domain where the LDAP server is an Active Directory server.
+# Note that enabling enumeration will have a moderate performance impact.
+# Consequently, the default value for enumeration is FALSE.
+# Refer to the sssd.conf man page for full details.
+; enumerate = false
+# An example Active Directory domain. Please note that this configuration
+# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
+# compliant attribute names. To support UNIX clients with AD 2003 or older,
+# you must install Microsoft Services For Unix and map LDAP attributes onto
+# msSFU30* attribute names.
; [domain/AD]
-; description = LDAP domain with AD server
-; enumerate = false
-; min_id = 1000
-;
; id_provider = ldap
-; auth_provider = ldap
-; ldap_uri = ldap://your.ad.server.com
-; ldap_schema = rfc2307bis
-; ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
-; ldap_default_authtok_type = password
-; ldap_default_authtok = YOUR_PASSWORD
-; ldap_user_object_class = person
-; ldap_user_name = msSFU30Name
-; ldap_user_uid_number = msSFU30UidNumber
-; ldap_user_gid_number = msSFU30GidNumber
-; ldap_user_home_directory = msSFU30HomeDirectory
-; ldap_user_shell = msSFU30LoginShell
-; ldap_user_principal = userPrincipalName
+; auth_provider = krb5
+; chpass_provider = krb5
+;
+; ldap_uri = ldap://your.ad.example.com
+; ldap_search_base = dc=example,dc=com
+; ldap_sasl_mech = GSSAPI
+; ldap_sasl_authid = hostname$@EXAMPLE.COM
+; ldap_user_object_class = user
; ldap_group_object_class = group
-; ldap_group_name = msSFU30Name
-; ldap_group_gid_number = msSFU30GidNumber
+; ldap_user_home_directory = unixHomeDirectory
+; ldap_schema = rfc2307bis
; ldap_force_upper_case_realm = True
+;
+; krb5_server = your.ad.example.com
+; krb5_realm = EXAMPLE.COM