-rw-r--r--contrib/sssd.spec.in6
-rw-r--r--server/examples/sssd.conf132
2 files changed, 60 insertions, 78 deletions
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 771f1900a..5dc45d28d 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -154,8 +154,10 @@ rm -rf $RPM_BUILD_ROOT
%post
/sbin/ldconfig
/sbin/chkconfig --add %{servicename}
-# a one-time upgrade from confdb v1 to v2
-python %{_libexecdir}/%{servicename}/upgrade_config.py
+if [ $1 -ge 2 ] ; then
+# a one-time upgrade from confdb v1 to v2, only if upgrading
+ python %{_libexecdir}/%{servicename}/upgrade_config.py
+fi
%preun
if [ $1 = 0 ]; then
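Review bot: The exit status of `upgrade_config.py` inside the new `if [ $1 -ge 2 ]` guard is still ignored, so a failed confdb migration leaves the v1 database in place while `chkconfig --add` has already enabled the service, and rpm only reports a failing `%post` as a warning rather than aborting the upgrade. At minimum surface it to the administrator: `python %{_libexecdir}/%{servicename}/upgrade_config.py || echo "sssd: confdb upgrade failed, check the sssd log" >&2`. As a point of style, the comment line inside the `if` body sits at column 0 while the command below it is indented; indenting both the same makes the guarded block easier to read.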
diff --git a/server/examples/sssd.conf b/server/examples/sssd.conf
index 894dc753e..ad2213339 100644
--- a/server/examples/sssd.conf
+++ b/server/examples/sssd.conf
@@ -1,17 +1,25 @@
-[services]
-description = Local Service Configuration
-activeServices = nss, dp, pam
+[sssd]
+config_file_version = 2
# Number of times services should attempt to reconnect in the
-# event of a Data Provider crash or restart before they give up
+# event of a crash or restart before they give up
reconnection_retries = 3
+# if a backend is particularly slow you can raise this timeout here
+sbus_timeout = 30
+services = nss, dp, pam
+; domains = LOCAL,LDAP
+# SSSD will not start if you don't configure any domain.
+# Add new domains condifgurations as [domain/<NAME>] sections.
+# Then add the list of domains (in the order you want them to be
+# queried in the 'domains" attribute above and uncomment it
+
-[services/nss]
-description = NSS Responder Configuration
+[nss]
# the following prevents sssd for searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts are
# always going to be /etc/passwd users, or that you want to filter out)
-filterGroups = root
-filterUsers = root
+filter_groups = root
+filter_users = root
+reconnection_retries = 3
# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
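Review bot: The new comment block under `; domains = LOCAL,LDAP` carries a typo and an unbalanced parenthesis and quote pair: `condifgurations` and `'domains"`. Suggested wording: `# Add new domain configurations as [domain/<NAME>] sections.` and `# queried) in the 'domains' attribute above, then uncomment it.`. Separately, `reconnection_retries = 3` now appears in `[sssd]` and again in `[nss]` (and in `[pam]` and `[dp]` in the next hunk); if the per-service value overrides the global one, a one-line comment stating that would save readers from wondering which value is effective, and if it does not, the per-service copies are dead weight.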
@@ -19,86 +27,58 @@ filterUsers = root
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
-; EntryCacheTimeout = 600
-; EntryCacheNoWaitRefreshTimeout = 300
+; entry_cache_timeout = 600
+; entry_cache_nowait_timeout = 300
-[services/dp]
-description = Data Provider Configuration
-
-[services/pam]
-description = PAM Responder Configuration
-
-[services/monitor]
-description = Service Monitor Configuration
-#if a backend is particularly slow you can raise this timeout here
-sbusTimeout = 30
-
-[domains]
-description = Domains served by SSSD
-; domains = LOCAL,LDAP
+[pam]
+reconnection_retries = 3
-# SSSD will not start if you don't configure any domain.
-# Add new domains condifgurations as [domains/<NAME>] sections.
-# Then add the list of domains (in the order you want them to be
-# queried in the 'domains" attribute above and uncomment it
+[dp]
+reconnection_retries = 3
# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visibile in /etc/passwd, it
# now contains only root and system accounts.
-
-; [domains/LOCAL]
+; [domain/LOCAL]
; description = LOCAL Users domain
-; provider = local
+; id_provider = local
; enumerate = true
-; minId = 500
-; maxId = 999
+; min_id = 500
+; max_id = 999
-# Example LDAP domain that uses the proxy backend and the standard nss_ldap
-# and pam_ldap modules (Useful until we have good working native ldap backends).
-# For this to work the /etc/ldap.conf file needs to be correctly configured just
-# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
-# passwd: files ldap, set passwd: files, sss instead there.
-# Also consider using the following setting in /etc/ldap.conf to avoid needless
-# delays if the ldap server is offline:
-# timelimit 10
-# bind_timelimit 5
-# nss_reconnect_maxsleeptime 2
-# nss_reconnect_sleeptime 1
-
-; [domains/LDAP]
-; description = Proxy request to our LDAP server
-; enumerate = false
-; minId = 1000
-;
-; provider = proxy
-; libName = ldap
-;
-#if a backend is particularly slow you can raise this timeout here
-; timeout = 60
+# Example native LDAP domain
+; [domain/LDAP]
+; id_provider = ldap
+; auth_provider = ldap
+; ldap_uri = ldap://ldap.mydomain.org
+; ldap_user_search_base = dc=mydomain,dc=org
+; ldap_tls_reqcert = demand
+; cache_credentials = true
+; enumerate = true
# Example LDAP domain where the LDAP server is an Active Directory server.
-; [domains/AD]
+; [domain/AD]
; description = LDAP domain with AD server
; enumerate = false
-; minId = 1000
+; min_id = 1000
;
-; provider = ldap
-; auth-module = ldap
-; ldapUri = ldap://your.ad.server.com
-; ldapSchema = rfc2307bis
-; userSearchBase = cn=users,dc=example,dc=com
-; groupSearchBase = cn=users,dc=example,dc=com
-; defaultBindDn = cn=Administrator,cn=Users,dc=example,dc=com
-; defaultAuthtokType = password
-; defaultAuthtok = YOUR_PASSWORD
-; userObjectClass = person
-; userName = msSFU30Name
-; userUidNumber = msSFU30UidNumber
-; userGidNumber = msSFU30GidNumber
-; userHomeDirectory = msSFU30HomeDirectory
-; userShell = msSFU30LoginShell
-; userPrincipal = userPrincipalName
-; groupObjectClass = group
-; groupName = msSFU30Name
-; groupGidNumber = msSFU30GidNumber
+; id_provider = ldap
+; auth_provider = ldap
+; ldap_uri = ldap://your.ad.server.com
+; ldap_schema = rfc2307bis
+; ldap_user_search_base = cn=users,dc=example,dc=com
+; ldap_group_search_base = cn=users,dc=example,dc=com
+; ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
+; ldap_default_authtok_type = password
+; ldap_default_authtok = YOUR_PASSWORD
+; ldap_user_object_class = person
+; ldap_user_name = msSFU30Name
+; ldap_user_uid_number = msSFU30UidNumber
+; ldap_user_gid_number = msSFU30GidNumber
+; ldap_user_home_directory = msSFU30HomeDirectory
+; ldap_user_shell = msSFU30LoginShell
+; ldap_user_principal = userPrincipalName
+; ldap_group_object_class = group
+; ldap_group_name = msSFU30Name
+; ldap_group_gid_number = msSFU30GidNumber
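Review bot: The AD example at `; ldap_default_bind_dn = cn=Administrator,...` and `; ldap_default_authtok = YOUR_PASSWORD` demonstrates a cleartext password for a domain-admin account over a plain `ldap://` URI, and unlike the native LDAP example above it sets no `ldap_tls_reqcert`. Since this is the file users copy from, add a comment above the AD block such as `# Bind with a dedicated read-only account, not Administrator; the password is stored in cleartext, so keep this file readable by root only (mode 0600) and use an ldaps:// URI or TLS.`. The native LDAP example also pairs `ldap_tls_reqcert = demand` with `ldap_uri = ldap://ldap.mydomain.org`; presumably that setting only matters once TLS is actually negotiated, so a short note saying so would avoid a false sense of safety. Whether this hunk reaches the end of the file is not visible here.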