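; sssd.conf example: read by the SSSD monitor and its responders.
; Convention in this file: lines starting with '#' are explanations,
; lines starting with ';' are example settings that are disabled.
; Only one [domains/LOCAL] example block may be enabled at a time; the
; two below are alternatives and a repeated section header is not valid.

[services]
description = Local Service Configuration
activeServices = nss, dp, pam

# Number of times services should attempt to reconnect in the
# event of a Data Provider crash or restart before they give up
reconnection_retries = 3

[services/nss]
description = NSS Responder Configuration
# The following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out)
filterGroups = root
filterUsers = root

[services/dp]
description = Data Provider Configuration

[services/pam]
description = PAM Responder Configuration

[services/monitor]
description = Service Monitor Configuration
# If a backend is particularly slow you can raise this timeout here
sbusTimeout = 30

[domains]
description = Domains served by SSSD
; domains = LOCAL,LDAP

# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domains/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried) in the 'domains' attribute above and uncomment it.

# Example LOCAL domain that proxies to /etc/passwd and /etc/group files.
# This configuration is meant mostly as a migration path to be able to store
# additional information about users while still keeping /etc/passwd
# authoritative.
; [domains/LOCAL]
; description = LOCAL migration domain
; enumerate = 3
; minId = 500
; magicPrivateGroups = FALSE
; legacy = TRUE
;
; provider = files
# Optionally a file named sssdproxylocal can be placed in pam.d configured to
# check pam_unix only, and pam_sss can be used in the normal pam stack.
; auth-module = proxy
; pam-target = sssdproxylocal

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd, it
# now contains only root and system accounts.
; [domains/LOCAL]
; description = LOCAL Users domain
; provider = local
; enumerate = 3
; minId = 500
; maxId = 999
; legacy = FALSE
; magicPrivateGroups = TRUE

# Example LDAP domain that uses the proxy backend and the standard nss_ldap
# and pam_ldap modules (useful until we have good working native ldap backends).
# For this to work the /etc/ldap.conf file needs to be correctly configured just
# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
# passwd: files ldap, set passwd: files, sss instead there.
# Also consider using the following settings in /etc/ldap.conf to avoid needless
# delays if the ldap server is offline:
# timelimit 10
# bind_timelimit 5
# nss_reconnect_maxsleeptime 2
# nss_reconnect_sleeptime 1
; [domains/LDAP]
; description = Proxy request to our LDAP server
; enumerate = 0
; minId = 1000
; legacy = TRUE
;
; provider = proxy
; libName = ldap
; #if a backend is particularly slow you can raise this timeout here
; timeout = 60

# Example LDAP domain where the LDAP server is an Active Directory server.
# Note on credentials: the bind password is stored in clear text in this file,
# so keep the file readable only by root, and prefer a least-privilege
# read-only bind account over the Administrator account shown here.
# A plain ldap:// URI with a simple bind sends that password unencrypted unless
# TLS is negotiated on the connection; confirm the transport is protected before
# enabling this block.
; [domains/AD]
; description = LDAP domain with AD server
; enumerate = 0
; minId = 1000
;
; provider = ldap
; auth-module = ldap
; ldapUri = ldap://your.ad.server.com
; userSearchBase = cn=users,dc=example,dc=com
; groupSearchBase = cn=users,dc=example,dc=com
; defaultBindDn = cn=Administrator,cn=Users,dc=example,dc=com
; defaultAuthtokType = password
; defaultAuthtok = YOUR_PASSWORD
; userObjectClass = person
; userName = msSFU30Name
; userUidNumber = msSFU30UidNumber
; userGidNumber = msSFU30GidNumber
; userHomeDirectory = msSFU30HomeDirectory
; userShell = msSFU30LoginShell
; userPrincipal = userPrincipalName
; groupObjectClass = group
; groupName = msSFU30Name
; groupGidNumber = msSFU30GidNumber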