-rw-r--r--server/examples/sssd.conf103
1 files changed, 71 insertions, 32 deletions
diff --git a/server/examples/sssd.conf b/server/examples/sssd.conf
index c5fd7e65..b9a421ea 100644
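--- a/server/examples/sssd.conf
+++ b/server/examples/sssd.conf
@@ -1,50 +1,89 @@
 [services]
 description = Local Service Configuration
-activeServices = nss, dp, pam, info
+activeServices = nss, dp, pam
 [services/nss]
 description = NSS Responder Configuration
-timeout = 10
-filterGroups = root, foo@TEST
-filterUsers = root, bar@TEST
+# the following prevents sssd for searching for the root user/group in
+# all domains (you can add here a comma separated list of system accounts are
+# always going to be /etc/passwd users, or that you want to filter out)
+filterGroups = root
+filterUsers = root
 [services/dp]
 description = Data Provider Configuration
-timeout = 10
 [services/pam]
 description = PAM Responder Configuration
-timeout = 10
-
-[services/info]
-description = InfoPipe Configuration
-timeout = 10
 [services/monitor]
 description = Service Monitor Configuration
-sbusTimeout = 10
+#if a backend is particularly slow you can raise this timeout here
+sbusTimeout = 30
 [domains]
 description = Domains served by SSSD
-domains = LOCAL
-
-[domains/LOCAL]
-description = Reserved domain for local configurations
-enumerate = 3
-minId = 500
-maxId = 999
-legacy = TRUE
-libName = files
-libPath = /lib64/libnss_files.so.2
-magicPrivateGroups = FALSE
-provider = proxy
-auth-module = proxy
-pam-target = sssdproxylocal
-
-[domains/EXAMPLE.COM]
-description = Example LDAP domain
-basedn = dc=example,dc=com
-command = /usr/libexec/sssd/sssd_be --provider ldap --domain EXAMPLE.COM
-provider = ldap
-userSearchBase = ou=user,dc=example,dc=com
+; domains = LOCAL,LDAP
+
+# SSSD will not start if you don't configure any domain.
+# Add new domains condifgurations as [domains/<NAME>] sections.
+# Then add the list of domains (in the order you want them to be
+# queried in the 'domains" attribute above and uncomment it
+
+# Example LOCAL domain that proxies to /etc/passwd and /etc/group files
+# This configuration is meant mostly as a migration path to be able to store
+# additional information about users while still keeping /etc/passwd
+# authoritative.
+
+; [domains/LOCAL]
+; description = LOCAL migration domain
+; enumerate = 3
+; minId = 500
+; magicPrivateGroups = FALSE
+; legacy = TRUE
+;
+; provider = proxy
+; libName = files
+; libPath = libnss_files.so.2
+
+# optionally a file named sssdproxylocal can be place in pam.d configured to
+# check pam_unix only and pam_sss can be used in the normal pam stack
+; auth-module = proxy
+; pam-target = sssdproxylocal
+
+# Example LOCAL domain that stores all users natively in the SSSD internal
+# directory. These local users and groups are not visibile in /etc/passwd, it
+# now contains only root and system accounts.
+
+; [domains/LOCAL]
+; description = LOCAL Users domain
+; enumerate = 3
+; minId = 500
+; maxId = 999
+; legacy = FALSE
+; magicPrivateGroups = TRUE
+
+# Example LDAP domain that uses the proxy backend and the standard nss_ldap
+# and pam_ldap modules (Useful until we have good working native ldap backends).
+# For this to work the /etc/ldap.conf file needs to be correctly configured just
+# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
+# passwd: files ldap, set passwd: files, sss instead there.
+# Also consider using the following setting in /etc/ldap.conf to avoid needless
+# delays if the ldap server is offline:
+# timelimit 10
+# bind_timelimit 5
+# nss_reconnect_maxsleeptime 2
+# nss_reconnect_sleeptime 1
+; [domains/LDAP]
+; description = Proxy request to our LDAP server
+; enumerate = 0
+; minId = 1000
+; legacy = TRUE
+;
+; provider = proxy
+; libName = ldap
+; libPath = libnss_ldap.so.2
+;
+#if a backend is particularly slow you can raise this timeout here
+; timeout = 60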
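Review bot: The two disabled examples in this hunk both use the section name `[domains/LOCAL]` (the migration-proxy variant and the native-storage variant), and nothing tells the reader they are mutually exclusive; an administrator who uncomments both ends up with a duplicate section whose merge/override behaviour depends on the parser, which is a poor failure mode for the file that decides who can log in. A one-line comment above the first example would close that gap: `# Enable only ONE of the two [domains/LOCAL] examples below; a duplicate section is ambiguous to the parser`. The prose comments also carry typos worth fixing in the same pass: "prevents sssd for searching" → "from searching", "condifgurations" → "configurations", the mismatched quotes in `'domains"`, "can be place" → "can be placed", and "visibile" → "visible". Since the file uses `#` for prose and `;` for disabled directives, stating that convention once at the top of `[domains]` would make the intent of every `;` line unambiguous.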