diff options
-rw-r--r-- | src/examples/sssd-example.conf | 100 |
1 files changed, 28 insertions, 72 deletions
diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf index e0b25637..b18c4049 100644 --- a/src/examples/sssd-example.conf +++ b/src/examples/sssd-example.conf @@ -1,95 +1,51 @@ [sssd] config_file_version = 2 - -# Number of times services should attempt to reconnect in the -# event of a crash or restart before they give up -reconnection_retries = 3 - -# If a back end is particularly slow you can raise this timeout here -sbus_timeout = 30 services = nss, pam - # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/<NAME>] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. -; domains = LOCAL,LDAP +; domains = LDAP [nss] -# The following prevents SSSD from searching for the root user/group in -# all domains (you can add here a comma-separated list of system accounts that -# are always going to be /etc/passwd users, or that you want to filter out). -filter_groups = root -filter_users = root -reconnection_retries = 3 - -# The entry_cache_nowait_percentage indicates the percentage of the -# entry_cache_timeout to wait before updating the cache out-of-band. -# (NSS requests will still be returned from cache until the full -# entry_cache_timeout). Setting this value to 0 turns this feature -# off (default). -; entry_cache_nowait_percentage = 50 [pam] -reconnection_retries = 3 -# Example domain configurations -# Note that enabling enumeration in the following configurations will have a -# moderate performance impact while enumerations are actually running, and -# may increase the time necessary to detect network disconnection. -# Consequently, the default value for enumeration is FALSE. -# Refer to the sssd.conf man page for full details. - -# Example LOCAL domain that stores all users natively in the SSSD internal -# directory. These local users and groups are not visible in /etc/passwd; it -# now contains only root and system accounts. -; [domain/LOCAL] -; description = LOCAL Users domain -; id_provider = local -; enumerate = true -; min_id = 500 -; max_id = 999 - -# Example native LDAP domain -# ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute -# for group membership, or to "rfc2307bis", which uses the "member" attribute -# to denote group membership. Changes to this setting affect only how we -# determine the groups a user belongs to and will have no negative effect on -# data about the user itself. If you do not know this value, ask an -# administrator. +# Example LDAP domain ; [domain/LDAP] ; id_provider = ldap ; auth_provider = ldap +# ldap_schema can be set to "rfc2307", which stores group member names in the +# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in +# the "member" attribute. If you do not know this value, ask your LDAP +# administrator. ; ldap_schema = rfc2307 ; ldap_uri = ldap://ldap.mydomain.org ; ldap_search_base = dc=mydomain,dc=org -; ldap_tls_reqcert = demand -; cache_credentials = true -; enumerate = False -; entry_cache_timeout = 5400 - -# Example LDAP domain where the LDAP server is an Active Directory server. +# Note that enabling enumeration will have a moderate performance impact. +# Consequently, the default value for enumeration is FALSE. +# Refer to the sssd.conf man page for full details. +; enumerate = false +# An example Active Directory domain. Please note that this configuration +# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis +# compliant attribute names. To support UNIX clients with AD 2003 or older, +# you must install Microsoft Services For Unix and map LDAP attributes onto +# msSFU30* attribute names. ; [domain/AD] -; description = LDAP domain with AD server -; enumerate = false -; min_id = 1000 -; ; id_provider = ldap -; auth_provider = ldap -; ldap_uri = ldap://your.ad.server.com -; ldap_schema = rfc2307bis -; ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com -; ldap_default_authtok_type = password -; ldap_default_authtok = YOUR_PASSWORD -; ldap_user_object_class = person -; ldap_user_name = msSFU30Name -; ldap_user_uid_number = msSFU30UidNumber -; ldap_user_gid_number = msSFU30GidNumber -; ldap_user_home_directory = msSFU30HomeDirectory -; ldap_user_shell = msSFU30LoginShell -; ldap_user_principal = userPrincipalName +; auth_provider = krb5 +; chpass_provider = krb5 +; +; ldap_uri = ldap://your.ad.example.com +; ldap_search_base = dc=example,dc=com +; ldap_sasl_mech = GSSAPI +; ldap_sasl_authid = hostname$@EXAMPLE.COM +; ldap_user_object_class = user ; ldap_group_object_class = group -; ldap_group_name = msSFU30Name -; ldap_group_gid_number = msSFU30GidNumber +; ldap_user_home_directory = unixHomeDirectory +; ldap_schema = rfc2307bis ; ldap_force_upper_case_realm = True +; +; krb5_server = your.ad.example.com +; krb5_realm = EXAMPLE.COM |