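# sssd.conf example - read by the SSSD daemon (see sssd.conf(5)).
# Conventions in this file: '#' introduces explanatory comments,
# ';' marks configuration lines that are present but disabled.
# Once an LDAP bind password is set below, this file holds a credential:
# keep it owned by root with mode 0600 (SSSD refuses to start otherwise).

[sssd]
config_file_version = 2

# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3

# if a backend is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, dp, pam
; domains = LOCAL,LDAP
# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domain/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried) in the 'domains' attribute above and uncomment it

[nss]
# the following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts
# that are always going to be /etc/passwd users, or that you want to
# filter out)
filter_groups = root
filter_users = root
reconnection_retries = 3

# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

[dp]
reconnection_retries = 3

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd, it
# now contains only root and system accounts.
# min_id/max_id bound the UID/GID range this domain may hand out; keep the
# range disjoint from the UIDs in /etc/passwd so a directory account can
# never shadow a local one.
; [domain/LOCAL]
; description = LOCAL Users domain
; id_provider = local
; enumerate = true
; min_id = 500
; max_id = 999

# Example native LDAP domain
# ldap_tls_reqcert = demand makes SSSD refuse the connection when the server
# certificate cannot be validated against a trusted CA; do not lower it in
# production. enumerate = true downloads the whole user/group set and is
# expensive on large directories; leave it false unless you need it.
# cache_credentials = true stores password hashes in the SSSD cache so
# cached users can log in while the server is unreachable.
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
; ldap_uri = ldap://ldap.mydomain.org
; ldap_user_search_base = dc=mydomain,dc=org
; ldap_tls_reqcert = demand
; cache_credentials = true
; enumerate = true

# Example LDAP domain where the LDAP server is an Active Directory server.
# ldap_default_bind_dn / ldap_default_authtok are a plaintext bind credential
# stored in this file; use a dedicated read-only account with only the rights
# SSSD needs rather than a domain administrator, and keep this file 0600.
# Keep certificate validation on here as well (see the LDAP example above).
; [domain/AD]
; description = LDAP domain with AD server
; enumerate = false
; min_id = 1000
;
; id_provider = ldap
; auth_provider = ldap
; ldap_uri = ldap://your.ad.server.com
; ldap_tls_reqcert = demand
; ldap_schema = rfc2307bis
; ldap_user_search_base = cn=users,dc=example,dc=com
; ldap_group_search_base = cn=users,dc=example,dc=com
; ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
; ldap_default_authtok_type = password
; ldap_default_authtok = YOUR_PASSWORD
; ldap_user_object_class = person
; ldap_user_name = msSFU30Name
; ldap_user_uid_number = msSFU30UidNumber
; ldap_user_gid_number = msSFU30GidNumber
; ldap_user_home_directory = msSFU30HomeDirectory
; ldap_user_shell = msSFU30LoginShell
; ldap_user_principal = userPrincipalName
; ldap_group_object_class = group
; ldap_group_name = msSFU30Name
; ldap_group_gid_number = msSFU30GidNumber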