From 19ce0003e32cde587e2e2115f431e86e0c9adf76 Mon Sep 17 00:00:00 2001 From: David O'Brien Date: Wed, 19 May 2010 17:17:51 +1000 Subject: Copy-edit and format review sssd.conf Updated EntryCache*Timeout to the correct values. Fixed one missed EntryCacheTimeout Added notes about perf hit of using enumeration.
---
src/examples/sssd.conf | 45 +++++++++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 18 deletions(-) (limited to 'src/examples')
diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf
index e93cf51b..f7b847d3 100644
--- a/src/examples/sssd.conf
+++ b/src/examples/sssd.conf
@@ -1,40 +1,49 @@ [sssd] config_file_version = 2 + # Number of times services should attempt to reconnect in the # event of a crash or restart before they give up reconnection_retries = 3 -# if a backend is particularly slow you can raise this timeout here + +# If a back end is particularly slow you can raise this timeout here sbus_timeout = 30 services = nss, pam -; domains = LOCAL,LDAP -# SSSD will not start if you don't configure any domain. -# Add new domains condifgurations as [domain/] sections. -# Then add the list of domains (in the order you want them to be -# queried in the 'domains" attribute above and uncomment it +# SSSD will not start if you do not configure any domains. +# Add new domain configurations as [domain/] sections, and +# then add the list of domains (in the order you want them to be +# queried) to the "domains" attribute below and uncomment it. +; domains = LOCAL,LDAP [nss] -# the following prevents sssd for searching for the root user/group in -# all domains (you can add here a comma separated list of system accounts are -# always going to be /etc/passwd users, or that you want to filter out) +# The following prevents SSSD from searching for the root user/group in +# all domains (you can add here a comma-separated list of system accounts that +# are always going to be /etc/passwd users, or that you want to filter out). filter_groups = root filter_users = root reconnection_retries = 3 -# The EntryCacheTimeout indicates the number of seconds to retain before -# an entry in cache is considered stale and must block to refresh. -# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to +# The entry_cache_timeout indicates the number of seconds to retain an +# entry in cache before it is considered stale and must block to refresh. +# The entry_cache_nowait_timeout indicates the number of seconds to # wait before updating the cache out-of-band. (NSS requests will still -# be returned from cache until the full EntryCacheTimeout). 
Setting this -# value to 0 turns this feature off (default) +# be returned from cache until the full entry_cache_timeout). Setting this +# value to 0 turns this feature off (default). ; entry_cache_timeout = 600 ; entry_cache_nowait_timeout = 300 [pam] reconnection_retries = 3 +# Example domain configurations +# Note that enabling enumeration in the following configurations will have a +# moderate performance impact while enumerations are actually running, and +# may increase the time necessary to detect network disconnection. +# Consequently, the default value for enumeration is FALSE. +# Refer to the sssd.conf man page for full details. + # Example LOCAL domain that stores all users natively in the SSSD internal -# directory. These local users and groups are not visibile in /etc/passwd, it +# directory. These local users and groups are not visible in /etc/passwd; it # now contains only root and system accounts. ; [domain/LOCAL] ; description = LOCAL Users domain @@ -44,9 +53,9 @@ reconnection_retries = 3 ; max_id = 999 # Example native LDAP domain -# ldap_schema can be set to 'rfc2307', which uses the 'memberuid' attribute -# for group membership, or to 'rfc2307bis', which uses the 'member' attribute -# to denote group membership. Changes to this setting affects only how we +# ldap_schema can be set to "rfc2307", which uses the "memberuid" attribute +# for group membership, or to "rfc2307bis", which uses the "member" attribute +# to denote group membership. Changes to this setting affect only how we # determine the groups a user belongs to and will have no negative effect on # data about the user itself. If you do not know this value, ask an # administrator. -- cgit
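Review bot: The "Example domain configurations" note added after `[pam]` in the first hunk never names the key it describes and gives performance as the only cost of enumeration. As far as I know the per-domain option is `enumerate`, and turning it on also lets any local account list every user and group of the domain through NSS, so the comment should say so next to the performance caveat. I would write the setting as `enumerate` and add a line such as `# Enabling it also makes the domain's full user and group list visible to every local user.` The example domain sections the note points at lie mostly outside this hunk, so whether they set `enumerate` cannot be confirmed from here.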