SSSD Manual pages
sssd-ldap(5)                              File Formats and Conventions
NAME
sssd-ldap - the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of LDAP
domains for sssd(8).
For a detailed syntax reference, please refer to the
sssd.conf(5) manual page, section FILE FORMAT.
There can be more than one LDAP domain configured with SSSD.
CONFIGURATION OPTIONS
All the common configuration options for SSSD domains apply
to LDAP domains, too. See the sssd.conf(5) manual page,
section DOMAIN SECTIONS.
ldapUri (string)
Specifies the URI of the LDAP server to which
SSSD should connect.
Default: ldap://localhost
ldapSchema (string)
Specifies the Schema Type in use on the target LDAP
server.
Depending on the selected schema the default
attribute names retrieved from the servers may vary.
Also the way some attributes are handled may differ.
There are currently 2 schema types supported:
rfc2307
rfc2307bis
The main difference between these 2 schema types is
how group memberships are recorded in the server.
With rfc2307 group members are listed by login name in an
attribute called memberUid.
With rfc2307bis group members are listed by DN and
stored in an attribute called member.
Default: rfc2307
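The membership lookup the two schema types imply, as an added example (not code from SSSD): a small in-memory directory is constructed inline with one rfc2307-style group (memberUid holds login names) and one rfc2307bis-style group (member holds DNs, one of them dangling and one pointing at another group). Resolving members under the wrong schema yields an empty group, which is the symptom an operator sees when ldapSchema does not match the server.

```python
"""Resolve POSIX group membership from LDAP entries under the two
schema types sssd-ldap supports.  Added example; the directory entries
below are constructed inline and are not taken from any real server."""

# Constructed sample directory: DN -> attribute dict (values are lists of
# strings, the shape an LDAP search returns them in).
DIRECTORY = {
    "uid=alice,ou=People,dc=mydomain,dc=org": {
        "objectClass": ["posixAccount"],
        "uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["1001"],
    },
    "uid=bob,ou=People,dc=mydomain,dc=org": {
        "objectClass": ["posixAccount"],
        "uid": ["bob"], "uidNumber": ["1002"], "gidNumber": ["1002"],
    },
    # rfc2307 style: members listed by login name in memberUid.
    "cn=admins,ou=Groups,dc=mydomain,dc=org": {
        "objectClass": ["posixGroup"],
        "cn": ["admins"], "gidNumber": ["2001"],
        "memberUid": ["alice", "bob", "ghost"],      # "ghost" has no user entry
    },
    # rfc2307bis style: members listed by DN in member.
    "cn=wheel,ou=Groups,dc=mydomain,dc=org": {
        "objectClass": ["posixGroup", "groupOfNames"],
        "cn": ["wheel"], "gidNumber": ["2002"],
        "member": [
            "uid=alice,ou=People,dc=mydomain,dc=org",
            "uid=nobody,ou=People,dc=mydomain,dc=org",   # dangling DN
            "cn=admins,ou=Groups,dc=mydomain,dc=org",    # nested group
        ],
    },
}

# Default groupMember attribute per schema, as documented for this option.
SCHEMA_MEMBER_ATTR = {"rfc2307": "memberUid", "rfc2307bis": "member"}


def _find_user_by_login(directory, login, user_name_attr="uid"):
    """Return the posixAccount entry whose userName attribute equals login."""
    for entry in directory.values():
        if ("posixAccount" in entry.get("objectClass", [])
                and login in entry.get(user_name_attr, [])):
            return entry
    return None


def group_members(directory, group_dn, schema, _seen=None):
    """Return the set of login names that are resolvable members of group_dn.

    rfc2307:    memberUid values are login names, looked up by uid.
    rfc2307bis: member values are DNs, looked up directly; a member DN that
                is itself a posixGroup is expanded recursively.
    Unknown logins and dangling DNs are skipped rather than raising.
    """
    if schema not in SCHEMA_MEMBER_ATTR:
        raise ValueError(f"unsupported ldapSchema: {schema!r}")
    if _seen is None:
        _seen = set()               # guards against membership cycles
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)

    logins = set()
    for value in directory[group_dn].get(SCHEMA_MEMBER_ATTR[schema], []):
        if schema == "rfc2307":
            if _find_user_by_login(directory, value) is not None:
                logins.add(value)
        else:
            entry = directory.get(value)
            if entry is None:
                continue            # dangling member DN
            if "posixGroup" in entry.get("objectClass", []):
                logins |= group_members(directory, value, schema, _seen)
            elif "posixAccount" in entry.get("objectClass", []):
                logins.add(entry["uid"][0])
    return logins


def groups_for_user(directory, login, schema):
    """Names of every posixGroup that lists login as a member (initgroups)."""
    return {
        entry["cn"][0]
        for dn, entry in directory.items()
        if "posixGroup" in entry.get("objectClass", [])
        and login in group_members(directory, dn, schema)
    }
```

Run against the constructed directory, admins resolves to alice and bob only under rfc2307, and wheel resolves to alice only under rfc2307bis; querying admins with rfc2307bis returns nothing because the group has no member attribute, exactly the "user is in no groups" failure that a schema mismatch produces.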
defaultBindDn (string)
The default bind DN to use for
performing LDAP operations.
defaultAuthtokType (string)
The type of the authentication token of the
default bind DN. So far "password" is the only
supported value.
defaultAuthtok (string)
The authentication token of the default bind DN.
So far only a clear text password is supported, so the
configuration file holding it must not be readable by
users other than root.
userSearchBase (string)
The default base DN to use for
performing LDAP user operations.
userObjectClass (string)
The object class of a user entry in LDAP.
Default: posixAccount
userName (string)
The LDAP attribute that corresponds to the
user's login name.
Default: uid
userUidNumber (string)
The LDAP attribute that corresponds to the
user's numeric id (UID).
Default: uidNumber
userGidNumber (string)
The LDAP attribute that corresponds to the
user's primary group id (GID).
Default: gidNumber
userGecos (string)
The LDAP attribute that corresponds to the
user's GECOS field.
Default: gecos
userHomeDirectory (string)
The LDAP attribute that contains the name of the
home directory of a user.
Default: homeDirectory
userShell (string)
The LDAP attribute that contains the path of the
user's default shell.
Default: loginShell
userUUID (string)
The LDAP attribute that contains the UUID/GUID of
an LDAP user object.
Default: nsUniqueId
userPrincipal (string)
The LDAP attribute that contains the Kerberos
User Principal Name (UPN) of the user.
Default: krbPrincipalName
force_upper_case_realm (boolean)
Some directory servers, for example Active Directory,
might deliver the realm part of the UPN in lower case,
which may cause the authentication to fail. Set this
option to true if you want the realm to be used in
upper case.
Default: false
userFullname (string)
The LDAP attribute that corresponds to the
full name of the user.
Default: cn
userMemberOf (string)
The LDAP attribute that lists the user's
group memberships.
Default: memberOf
groupSearchBase (string)
The default base DN to use for
performing LDAP group operations.
groupObjectClass (string)
The object class of a group entry in LDAP.
Default: posixGroup
groupName (string)
The LDAP attribute that corresponds to
the group name.
Default: cn
groupGidNumber (string)
The LDAP attribute that corresponds to the
group's numeric id (GID).
Default: gidNumber
groupMember (string)
The LDAP attribute that lists the members of the
group: by login name with rfc2307, by DN with rfc2307bis.
Default: memberUid (rfc2307) / member (rfc2307bis)
groupUUID (string)
The LDAP attribute that contains the UUID/GUID of
an LDAP group object.
Default: nsUniqueId
network_timeout (integer)
Specifies the timeout (in seconds) after which
the poll(2)/select(2) following a connect(2)
returns in case of no activity.
Default: 5
opt_timeout (integer)
Specifies a timeout (in seconds) after which
calls to synchronous LDAP APIs will abort if no
response is received.
Default: 5
tls_reqcert (string)
Specifies what checks to perform on server
certificates in a TLS session, if any. It
can be specified as one of the following
values:
never = The client will not request or check
any server certificate.
allow = The server certificate is requested. If
no certificate is provided, the session proceeds
normally. If a bad certificate is provided, it
will be ignored and the session proceeds normally.
try = The server certificate is requested. If no
certificate is provided, the session proceeds
normally. If a bad certificate is provided, the
session is immediately terminated.
demand = The server certificate is requested. If
no certificate is provided, or a bad certificate
is provided, the session is immediately terminated.
hard = Same as demand.
With never or allow the client does not verify the
identity of the server it talks to, so a host that
impersonates the LDAP server can obtain the bind
credentials and return arbitrary identity data; use
demand unless there is a specific reason not to.
EXAMPLE
The following example assumes that SSSD is correctly
configured and LDAP is set up as one of the domains in the
[domains] section.
[domains/LDAP]
auth-module = ldap
ldapUri = ldap://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
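A check a practitioner would run over an sssd.conf before deploying it, covering the tls_reqcert values and the bind credential options described above. This is an added example, not part of SSSD; it uses only option names from this manual page, the two configuration texts (a weak domain and the same domain with certificate checking enforced) are constructed inline, and the severity labels are this example's own policy rather than anything SSSD defines.

```python
"""Lint the [domains/...] sections of an sssd.conf-style text for LDAP
settings that weaken transport or credential security.  Added example;
the configurations below are constructed, not taken from a real host."""
import configparser

# Constructed: a domain that trusts any server certificate and keeps a
# clear-text bind password in the file.
WEAK_CONF = """\
[domains/LDAP]
auth-module = ldap
ldapUri = ldap://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
defaultBindDn = cn=sssd,ou=Services,dc=mydomain,dc=org
defaultAuthtokType = password
defaultAuthtok = s3cret
tls_reqcert = never
"""

# Constructed: the same domain with the server certificate enforced.
HARDENED_CONF = """\
[domains/LDAP]
auth-module = ldap
ldapUri = ldap://ldap.mydomain.org
userSearchBase = dc=mydomain,dc=org
defaultBindDn = cn=sssd,ou=Services,dc=mydomain,dc=org
defaultAuthtokType = password
defaultAuthtok = s3cret
tls_reqcert = demand
"""

# Severity policy of this example (not an SSSD concept).
ACCEPT_CERT_VALUES = ("demand", "hard")


def lint_ldap_domains(conf_text):
    """Return a list of (section, severity, option, message) findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep camelCase option names as written
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domains/"):
            continue
        opts = parser[section]

        if "ldapUri" not in opts:
            findings.append((section, "info", "ldapUri",
                             "not set; the documented default is ldap://localhost"))

        reqcert = opts.get("tls_reqcert")
        if reqcert is None:
            findings.append((section, "medium", "tls_reqcert",
                             "not set explicitly; set it to demand"))
        elif reqcert in ("never", "allow"):
            findings.append((section, "high", "tls_reqcert",
                             f"{reqcert}: the server certificate is not verified, an "
                             "impersonating server can capture the bind password "
                             "and return forged identity data"))
        elif reqcert == "try":
            findings.append((section, "medium", "tls_reqcert",
                             "try: a server that presents no certificate is accepted"))
        elif reqcert not in ACCEPT_CERT_VALUES:
            findings.append((section, "high", "tls_reqcert",
                             f"unknown value {reqcert!r}"))

        if "defaultAuthtok" in opts:
            findings.append((section, "medium", "defaultAuthtok",
                             "clear-text bind password in the configuration; the file "
                             "must not be readable by users other than root"))
            if opts.get("defaultAuthtokType", "password") != "password":
                findings.append((section, "high", "defaultAuthtokType",
                                 "only \"password\" is supported"))
        elif "defaultBindDn" in opts:
            findings.append((section, "info", "defaultBindDn",
                             "bind DN set without a defaultAuthtok"))
    return findings


def is_deployable(conf_text):
    """True when no finding of this example's policy is rated high."""
    return not any(sev == "high" for _, sev, _, _ in lint_ldap_domains(conf_text))
```

On the constructed inputs the weak domain is rejected because of tls_reqcert = never, while the hardened one passes with only the medium note that a clear-text bind password lives in the file, which is the reminder to check the file's permissions.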
NOTES
The description of some of the configuration options in this
manual page is based on the ldap.conf(5) manual page from the
OpenLDAP 2.4 distribution.
SEE ALSO
sssd.conf(5), sssd(8)