1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
[services]
description = Local Service Configuration
activeServices = nss, dp, pam
# Number of times services should attempt to reconnect in the
# event of a Data Provider crash or restart before they give up
reconnection_retries = 3
[services/nss]
description = NSS Responder Configuration
# the following prevents sssd for searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts are
# always going to be /etc/passwd users, or that you want to filter out)
filterGroups = root
filterUsers = root
# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
; EntryCacheTimeout = 600
; EntryCacheNoWaitRefreshTimeout = 300
[services/dp]
description = Data Provider Configuration
[services/pam]
description = PAM Responder Configuration
[services/monitor]
description = Service Monitor Configuration
#if a backend is particularly slow you can raise this timeout here
sbusTimeout = 30
[domains]
description = Domains served by SSSD
; domains = LOCAL,LDAP
# SSSD will not start if you don't configure any domain.
# Add new domains condifgurations as [domains/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried in the 'domains" attribute above and uncomment it
# Example LOCAL domain that proxies to /etc/passwd and /etc/group files
# This configuration is meant mostly as a migration path to be able to store
# additional information about users while still keeping /etc/passwd
# authoritative.
; [domains/LOCAL]
; description = LOCAL migration domain
; enumerate = true
; minId = 500
;
; provider = files
# optionally a file named sssdproxylocal can be place in pam.d configured to
# check pam_unix only and pam_sss can be used in the normal pam stack
; auth-module = proxy
; pam-target = sssdproxylocal
# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visibile in /etc/passwd, it
# now contains only root and system accounts.
; [domains/LOCAL]
; description = LOCAL Users domain
; provider = local
; enumerate = true
; minId = 500
; maxId = 999
# Example LDAP domain that uses the proxy backend and the standard nss_ldap
# and pam_ldap modules (Useful until we have good working native ldap backends).
# For this to work the /etc/ldap.conf file needs to be correctly configured just
# like you would do when using nss_ldap in nsswitch.conf, but instead of setting
# passwd: files ldap, set passwd: files, sss instead there.
# Also consider using the following setting in /etc/ldap.conf to avoid needless
# delays if the ldap server is offline:
# timelimit 10
# bind_timelimit 5
# nss_reconnect_maxsleeptime 2
# nss_reconnect_sleeptime 1
; [domains/LDAP]
; description = Proxy request to our LDAP server
; enumerate = false
; minId = 1000
;
; provider = proxy
; libName = ldap
;
#if a backend is particularly slow you can raise this timeout here
; timeout = 60
# Example LDAP domain where the LDAP server is an Active Directory server.
; [domains/AD]
; description = LDAP domain with AD server
; enumerate = false
; minId = 1000
;
; provider = ldap
; auth-module = ldap
; ldapUri = ldap://your.ad.server.com
; ldapSchema = rfc2307bis
; userSearchBase = cn=users,dc=example,dc=com
; groupSearchBase = cn=users,dc=example,dc=com
; defaultBindDn = cn=Administrator,cn=Users,dc=example,dc=com
; defaultAuthtokType = password
; defaultAuthtok = YOUR_PASSWORD
; userObjectClass = person
; userName = msSFU30Name
; userUidNumber = msSFU30UidNumber
; userGidNumber = msSFU30GidNumber
; userHomeDirectory = msSFU30HomeDirectory
; userShell = msSFU30LoginShell
; userPrincipal = userPrincipalName
; groupObjectClass = group
; groupName = msSFU30Name
; groupGidNumber = msSFU30GidNumber
|