system/sssd/client_sssd.generated.conf

WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration

#
# sssd.conf
# Generated by 389 Directory Server - dsidm
#
# For more details see man sssd.conf and man sssd-ldap
# Be sure to review the content of this file to ensure it is secure and correct
# in your environment.

[domain/ldap]
# Uncomment this for more verbose logging.
# debug_level=3

# Cache hashes of user authentication for offline auth.
cache_credentials = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=syscid,dc=com
ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
# If you have DNS SRV records, you can use the following instead. This derives
# from your ldap_search_base.
# ldap_uri = _srv_

ldap_tls_reqcert = demand
# To use cacert dir, place *.crt files in this path then run:
# /usr/bin/openssl rehash /etc/openldap/certs
# or (for older versions of openssl)
# /usr/bin/c_rehash /etc/openldap/certs
ldap_tls_cacertdir = /etc/openldap/certs

# Path to the cacert
# ldap_tls_cacert = /etc/openldap/certs/ca.crt

# Only users who match this filter can login and authorise to this machine. Note
# that users who do NOT match, will still have their uid/gid resolve, but they
# can't login.
# ldap_access_filter = (memberOf=<dn>)

enumerate = false
access_provider = ldap
ldap_user_member_of = memberof
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
# This is really important as it allows SSSD to respect nsAccountLock
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire
# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#   AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <username>
ldap_user_ssh_public_key = nsSshPublicKey

# This prevents an issue where the Directory is recursively walked on group
# and user look ups. It makes the client faster and more responsive in almost
# every scenario.
ignore_group_members = False

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2

domains = ldap
[nss]
homedir_substring = /home
Init directory client configurations Signed-off-by: Georg <georg@lysergic.dev> 2021-08-30 21:57:59 +02:00			`WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration`

			`#`
			`# sssd.conf`
			`# Generated by 389 Directory Server - dsidm`
			`#`
			`# For more details see man sssd.conf and man sssd-ldap`
			`# Be sure to review the content of this file to ensure it is secure and correct`
			`# in your environment.`

			`[domain/ldap]`
			`# Uncomment this for more verbose logging.`
			`# debug_level=3`

			`# Cache hashes of user authentication for offline auth.`
			`cache_credentials = True`
			`id_provider = ldap`
			`auth_provider = ldap`
			`access_provider = ldap`
			`chpass_provider = ldap`
			`ldap_schema = rfc2307bis`
			`ldap_search_base = dc=syscid,dc=com`
			`ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket`
			`# If you have DNS SRV records, you can use the following instead. This derives`
			`# from your ldap_search_base.`
			`# ldap_uri = _srv_`

			`ldap_tls_reqcert = demand`
			`# To use cacert dir, place *.crt files in this path then run:`
			`# /usr/bin/openssl rehash /etc/openldap/certs`
			`# or (for older versions of openssl)`
			`# /usr/bin/c_rehash /etc/openldap/certs`
			`ldap_tls_cacertdir = /etc/openldap/certs`

			`# Path to the cacert`
			`# ldap_tls_cacert = /etc/openldap/certs/ca.crt`

			`# Only users who match this filter can login and authorise to this machine. Note`
			`# that users who do NOT match, will still have their uid/gid resolve, but they`
			`# can't login.`
			`# ldap_access_filter = (memberOf=<dn>)`

			`enumerate = false`
			`access_provider = ldap`
			`ldap_user_member_of = memberof`
			`ldap_user_gecos = cn`
			`ldap_user_uuid = nsUniqueId`
			`ldap_group_uuid = nsUniqueId`
			`# This is really important as it allows SSSD to respect nsAccountLock`
			`ldap_account_expire_policy = rhds`
			`ldap_access_order = filter, expire`
			`# Setup for ssh keys`
			`# Inside /etc/ssh/sshd_config add the lines:`
			`# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys`
			`# AuthorizedKeysCommandUser nobody`
			`# You can test with the command: sss_ssh_authorizedkeys <username>`
			`ldap_user_ssh_public_key = nsSshPublicKey`

			`# This prevents an issue where the Directory is recursively walked on group`
			`# and user look ups. It makes the client faster and more responsive in almost`
			`# every scenario.`
			`ignore_group_members = False`

			`[sssd]`
			`services = nss, pam, ssh, sudo`
			`config_file_version = 2`

			`domains = ldap`
			`[nss]`
			`homedir_substring = /home`