# Example SSSD configuration: the service monitor, the NSS/PAM responders,
# the Data Provider, and the list of domains they serve.
# Comment convention in this file: '#' introduces explanatory text,
# ';' introduces a commented-out example setting (uncomment to enable).
# NOTE(review): the domain examples further down can hold a directory bind
# password in clear text (defaultAuthtok), so this file should be readable
# by root only — confirm the permission requirement of the SSSD version in use.

[services]
description = Local Service Configuration
activeServices = nss, dp, pam
# Number of times services should attempt to reconnect in the
# event of a Data Provider crash or restart before they give up
reconnection_retries = 3

[services/nss]
description = NSS Responder Configuration
# The following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts
# that are always going to be /etc/passwd users, or that you want to
# filter out)
filterGroups = root
filterUsers = root
# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
; EntryCacheTimeout = 600
; EntryCacheNoWaitRefreshTimeout = 300

[services/dp]
description = Data Provider Configuration

[services/pam]
description = PAM Responder Configuration

[services/monitor]
description = Service Monitor Configuration
# If a backend is particularly slow you can raise this timeout here
sbusTimeout = 30

[domains]
description = Domains served by SSSD
; domains = LOCAL,LDAP
# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domains/<name>] sections.
# Then add the list of domains (in the order you want them to be
# queried) to the 'domains' attribute above and uncomment it.

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd, it
# now contains only root and system accounts.
; [domains/LOCAL]
; description = LOCAL Users domain
; provider = local
; enumerate = true
; minId = 500
; maxId = 999

# Example LDAP domain that uses the proxy backend and the standard nss_ldap
# and pam_ldap modules (useful until we have good working native ldap backends).
# For this to work the /etc/ldap.conf file needs to be correctly configured just
# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
# "passwd: files ldap" there, set "passwd: files, sss" instead.
# Also consider using the following settings in /etc/ldap.conf to avoid needless
# delays if the ldap server is offline:
# timelimit 10
# bind_timelimit 5
# nss_reconnect_maxsleeptime 2
# nss_reconnect_sleeptime 1
; [domains/LDAP]
; description = Proxy request to our LDAP server
; enumerate = false
; minId = 1000
;
; provider = proxy
; libName = ldap
; #if a backend is particularly slow you can raise this timeout here
; timeout = 60

# Example LDAP domain where the LDAP server is an Active Directory server.
# NOTE(review): defaultBindDn/defaultAuthtok below are a directory credential
# stored in clear text in this file; keep the file readable by root only.
# Prefer a dedicated read-only lookup account over cn=Administrator (the bind
# identity only needs to read user/group attributes), and prefer ldaps:// in
# ldapUri — a simple bind over plain ldap:// sends the password in clear text
# unless TLS is negotiated (confirm which TLS options this version provides).
; [domains/AD]
; description = LDAP domain with AD server
; enumerate = false
; minId = 1000
;
; provider = ldap
; auth-module = ldap
; ldapUri = ldap://your.ad.server.com
; ldapSchema = rfc2307bis
; userSearchBase = cn=users,dc=example,dc=com
; groupSearchBase = cn=users,dc=example,dc=com
; defaultBindDn = cn=Administrator,cn=Users,dc=example,dc=com
; defaultAuthtokType = password
; defaultAuthtok = YOUR_PASSWORD
; userObjectClass = person
; userName = msSFU30Name
; userUidNumber = msSFU30UidNumber
; userGidNumber = msSFU30GidNumber
; userHomeDirectory = msSFU30HomeDirectory
; userShell = msSFU30LoginShell
; userPrincipal = userPrincipalName
; groupObjectClass = group
; groupName = msSFU30Name
; groupGidNumber = msSFU30GidNumber