1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# If a back end is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LOCAL,LDAP
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
# The entry_cache_timeout indicates the number of seconds to retain an
# entry in cache before it is considered stale and must block to refresh.
# The entry_cache_nowait_timeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full entry_cache_timeout). Setting this
# value to 0 turns this feature off (default).
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
# Example domain configurations
# Note that enabling enumeration in the following configurations will have a
# moderate performance impact while enumerations are actually running, and
# may increase the time necessary to detect network disconnection.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd; it
# now contains only root and system accounts.
; [domain/LOCAL]
; description = LOCAL Users domain
; id_provider = local
; enumerate = true
; min_id = 500
; max_id = 999
# Example native LDAP domain
# ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute
# for group membership, or to "rfc2307bis", which uses the "member" attribute
# to denote group membership. Changes to this setting affect only how we
# determine the groups a user belongs to and will have no negative effect on
# data about the user itself. If you do not know this value, ask an
# administrator.
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
; ldap_tls_reqcert = demand
; cache_credentials = true
; enumerate = False
# Example LDAP domain where the LDAP server is an Active Directory server.
; [domain/AD]
; description = LDAP domain with AD server
; enumerate = false
; min_id = 1000
;
; id_provider = ldap
; auth_provider = ldap
; ldap_uri = ldap://your.ad.server.com
; ldap_schema = rfc2307bis
; ldap_user_search_base = cn=users,dc=example,dc=com
; ldap_group_search_base = cn=users,dc=example,dc=com
; ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
; ldap_default_authtok_type = password
; ldap_default_authtok = YOUR_PASSWORD
; ldap_user_object_class = person
; ldap_user_name = msSFU30Name
; ldap_user_uid_number = msSFU30UidNumber
; ldap_user_gid_number = msSFU30GidNumber
; ldap_user_home_directory = msSFU30HomeDirectory
; ldap_user_shell = msSFU30LoginShell
; ldap_user_principal = userPrincipalName
; ldap_group_object_class = group
; ldap_group_name = msSFU30Name
; ldap_group_gid_number = msSFU30GidNumber
|