diff options
-rw-r--r-- | server/examples/sssd.conf | 103 |
1 files changed, 71 insertions, 32 deletions
diff --git a/server/examples/sssd.conf b/server/examples/sssd.conf index c5fd7e65..b9a421ea 100644 --- a/server/examples/sssd.conf +++ b/server/examples/sssd.conf @@ -1,50 +1,89 @@ [services] description = Local Service Configuration -activeServices = nss, dp, pam, info +activeServices = nss, dp, pam [services/nss] description = NSS Responder Configuration -timeout = 10 -filterGroups = root, foo@TEST -filterUsers = root, bar@TEST +# the following prevents sssd for searching for the root user/group in +# all domains (you can add here a comma separated list of system accounts are +# always going to be /etc/passwd users, or that you want to filter out) +filterGroups = root +filterUsers = root [services/dp] description = Data Provider Configuration -timeout = 10 [services/pam] description = PAM Responder Configuration -timeout = 10 - -[services/info] -description = InfoPipe Configuration -timeout = 10 [services/monitor] description = Service Monitor Configuration -sbusTimeout = 10 +#if a backend is particularly slow you can raise this timeout here +sbusTimeout = 30 [domains] description = Domains served by SSSD -domains = LOCAL - -[domains/LOCAL] -description = Reserved domain for local configurations -enumerate = 3 -minId = 500 -maxId = 999 -legacy = TRUE -libName = files -libPath = /lib64/libnss_files.so.2 -magicPrivateGroups = FALSE -provider = proxy -auth-module = proxy -pam-target = sssdproxylocal - -[domains/EXAMPLE.COM] -description = Example LDAP domain -basedn = dc=example,dc=com -command = /usr/libexec/sssd/sssd_be --provider ldap --domain EXAMPLE.COM -provider = ldap -userSearchBase = ou=user,dc=example,dc=com +; domains = LOCAL,LDAP + +# SSSD will not start if you don't configure any domain. +# Add new domains condifgurations as [domains/<NAME>] sections. +# Then add the list of domains (in the order you want them to be +# queried in the 'domains" attribute above and uncomment it + +# Example LOCAL domain that proxies to /etc/passwd and /etc/group files +# This configuration is meant mostly as a migration path to be able to store +# additional information about users while still keeping /etc/passwd +# authoritative. + +; [domains/LOCAL] +; description = LOCAL migration domain +; enumerate = 3 +; minId = 500 +; magicPrivateGroups = FALSE +; legacy = TRUE +; +; provider = proxy +; libName = files +; libPath = libnss_files.so.2 + +# optionally a file named sssdproxylocal can be place in pam.d configured to +# check pam_unix only and pam_sss can be used in the normal pam stack +; auth-module = proxy +; pam-target = sssdproxylocal + +# Example LOCAL domain that stores all users natively in the SSSD internal +# directory. These local users and groups are not visibile in /etc/passwd, it +# now contains only root and system accounts. + +; [domains/LOCAL] +; description = LOCAL Users domain +; enumerate = 3 +; minId = 500 +; maxId = 999 +; legacy = FALSE +; magicPrivateGroups = TRUE + +# Example LDAP domain that uses the proxy backend and the standard nss_ldap +# and pam_ldap modules (Useful until we have good working native ldap backends). +# For this to work the /etc/ldap.conf file needs to be correctly configured just +# like you would do when using nss_ldap in nsswitch.conf, but instead of setting +# passwd: files ldap, set passwd: files, sss instead there. +# Also consider using the following setting in /etc/ldap.conf to avoid needless +# delays if the ldap server is offline: +# timelimit 10 +# bind_timelimit 5 +# nss_reconnect_maxsleeptime 2 +# nss_reconnect_sleeptime 1 +; [domains/LDAP] +; description = Proxy request to our LDAP server +; enumerate = 0 +; minId = 1000 +; legacy = TRUE +; +; provider = proxy +; libName = ldap +; libPath = libnss_ldap.so.2 +; +#if a backend is particularly slow you can raise this timeout here +; timeout = 60 |