73 lines
2.2 KiB
Plaintext
73 lines
2.2 KiB
Plaintext
WARNING: ldap_uri starts with ldapi:// - you should review this parameter in the sssd configuration
|
|
|
|
#
|
|
# sssd.conf
|
|
# Generated by 389 Directory Server - dsidm
|
|
#
|
|
# For more details see man sssd.conf and man sssd-ldap
|
|
# Be sure to review the content of this file to ensure it is secure and correct
|
|
# in your environment.
|
|
|
|
[domain/ldap]
|
|
# Uncomment this for more verbose logging.
|
|
# debug_level=3
|
|
|
|
# Cache hashes of user authentication for offline auth.
|
|
cache_credentials = True
|
|
id_provider = ldap
|
|
auth_provider = ldap
|
|
access_provider = ldap
|
|
chpass_provider = ldap
|
|
ldap_schema = rfc2307bis
|
|
ldap_search_base = dc=syscid,dc=com
|
|
ldap_uri = ldapi://%2fvar%2frun%2fslapd-syscid.socket
|
|
# If you have DNS SRV records, you can use the following instead. This derives
|
|
# from your ldap_search_base.
|
|
# ldap_uri = _srv_
|
|
|
|
ldap_tls_reqcert = demand
|
|
# To use cacert dir, place *.crt files in this path then run:
|
|
# /usr/bin/openssl rehash /etc/openldap/certs
|
|
# or (for older versions of openssl)
|
|
# /usr/bin/c_rehash /etc/openldap/certs
|
|
ldap_tls_cacertdir = /etc/openldap/certs
|
|
|
|
# Path to the cacert
|
|
# ldap_tls_cacert = /etc/openldap/certs/ca.crt
|
|
|
|
# Only users who match this filter can login and authorise to this machine. Note
|
|
# that users who do NOT match, will still have their uid/gid resolve, but they
|
|
# can't login.
|
|
# ldap_access_filter = (memberOf=<dn>)
|
|
|
|
enumerate = false
|
|
access_provider = ldap
|
|
ldap_user_member_of = memberof
|
|
ldap_user_gecos = cn
|
|
ldap_user_uuid = nsUniqueId
|
|
ldap_group_uuid = nsUniqueId
|
|
# This is really important as it allows SSSD to respect nsAccountLock
|
|
ldap_account_expire_policy = rhds
|
|
ldap_access_order = filter, expire
|
|
# Setup for ssh keys
|
|
# Inside /etc/ssh/sshd_config add the lines:
|
|
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
|
|
# AuthorizedKeysCommandUser nobody
|
|
# You can test with the command: sss_ssh_authorizedkeys <username>
|
|
ldap_user_ssh_public_key = nsSshPublicKey
|
|
|
|
# This prevents an issue where the Directory is recursively walked on group
|
|
# and user look ups. It makes the client faster and more responsive in almost
|
|
# every scenario.
|
|
ignore_group_members = False
|
|
|
|
[sssd]
|
|
services = nss, pam, ssh, sudo
|
|
config_file_version = 2
|
|
|
|
domains = ldap
|
|
[nss]
|
|
homedir_substring = /home
|
|
|
|
|