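#
# sssd.conf
# Generated by 389 Directory Server - dsidm
#
# For more details see man sssd.conf and man sssd-ldap
# Be sure to review the content of this file to ensure it is secure and correct
# in your environment.
#
# This file carries a directory bind credential. sssd refuses to start unless
# the file is owned by root and not readable by other users
# (chown root:root /etc/sssd/sssd.conf; chmod 0600 /etc/sssd/sssd.conf).

[sssd]
services = pam, ssh, sudo, nss
config_file_version = 2
domains = jcolebrand.info
# default_domain_suffix = jcolebrand.info
debug_level = 3

[domain/jcolebrand.info]
# Raise this for more verbose logging (see man sssd.conf for the levels).
debug_level = 3
timeout = 30
# ldap_library_debug_level = -1

# Identity used by SSSD to bind to the directory for lookups.
# NOTE(review): cn=Directory Manager is the 389 DS root DN. Any host holding
# this file -- or anyone who copies it -- can administer the entire directory.
# Prefer a dedicated read-only service account (or anonymous bind / SASL
# GSSAPI where the directory allows it) and rotate this credential.
# obfuscated_password is obfuscation only (reversible, see man sss_obfuscate);
# it is NOT encryption and does not protect the secret from anyone who can
# read this file.
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAJeeqE270viqyDUDJXubnTdVXTEZfgWJBRBzF8Lwu5lq1h7xynnmwt9tNi2ZdQ5NDkF744QD6Vh0C4f+ypf3h2IAAQID

# Cache hashes of user authentication for offline auth.
cache_credentials = True

# Providers -- all backed by the same LDAP server.
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
autofs_provider = ldap
resolver_provider = ldap

# Access control. "permit" would let every account that resolves through LDAP
# log in, including accounts the directory has disabled (nsAccountLock).
# With access_provider = ldap, "expire" in ldap_access_order and the 389ds
# expire policy, SSSD evaluates nsAccountLock client-side and denies locked
# accounts (see man sssd-ldap, ldap_account_expire_policy).
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = 389ds
# Only users who match this filter can login and authorise to this machine.
# Note that users who do NOT match will still have their uid/gid resolve, but
# they can't login. To enable it, fill in the group DN and add "filter" to
# ldap_access_order (for example: ldap_access_order = filter, expire).
# ldap_access_filter = (memberOf=)

ldap_schema = rfc2307
ldap_search_base = dc=jcolebrand,dc=info
ldap_uri = ldaps://jcolebrand.info
# If you have DNS SRV records, you can use the following instead. This derives
# from your ldap_search_base.
# ldap_uri = _srv_

# TLS: require a server certificate that chains to the configured CA. Do not
# relax ldap_tls_reqcert to "allow" or "never"; that would let a
# man-in-the-middle capture the bind credential and every user password.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ISRG_Root_X1.1.pem
# To use a cacert dir instead, place *.crt files in that path then run:
# /usr/bin/openssl rehash /etc/openldap/certs
# or (for older versions of openssl)
# /usr/bin/c_rehash /etc/openldap/certs
# ldap_tls_cacertdir = /etc/letsencrypt/live/medusa.jcolebrand.info/
# ldap_tls_cacertdir = /etc/dirsrv/slapd-medusa/
# ldap_tls_cacert = /etc/openldap/certs/cert.pem

enumerate = False
ldap_user_member_of = memberof
#ldap_user_gecos = cn
#ldap_user_uuid = nsUniqueId
#ldap_group_uuid = nsUniqueId

# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <user>
ldap_user_ssh_public_key = nsSshPublicKey

# Setting this to True stops SSSD from recursively walking the Directory on
# group and user look ups, which makes the client faster and more responsive
# in almost every scenario. It is left False here so that group memberships
# are fully resolved.
ignore_group_members = False

#ldap_user_search_base = ou=people,dc=jcolebrand,dc=info
ldap_service_search_base = ou=services,dc=jcolebrand,dc=info
ldap_sudo_search_base = ou=SUDOers,dc=jcolebrand,dc=info
# NOTE(review): with the host filter disabled every sudoRole under the search
# base applies on every host, regardless of its sudoHost attribute. Leave the
# default (True) unless the rules are intentionally global.
ldap_sudo_use_host_filter = False
ldap_id_mapping = false

# Only bare, unqualified user names are accepted; the capture group must be
# named "name". (An earlier copy read "(?P[^@]+$)", which is not a valid
# regular expression -- the group name had been lost.)
re_expression = (?P<name>[^@]+$)
case_sensitive = false
auto_private_groups = hybrid
use_fully_qualified_names = False
domain_type = posix
lookup_family_order = ipv4_only

[nss]
debug_level = 3
homedir_substring = /home
override_homedir = /home/%u
fallback_homedir = /home/%u
override_shell = /opt/microsoft/powershell/7/pwsh
shell_fallback = /opt/microsoft/powershell/7/pwsh
default_shell = /opt/microsoft/powershell/7/pwsh

[pam]
debug_level = 3
# 0: do not show any message
# 1: show only important messages
# 2: show informational messages
# 3: show all messages and debug information
# NOTE(review): 3 surfaces debug detail at the login prompt; prefer 1 on hosts
# where the prompt is reachable by untrusted users.
pam_verbosity = 3
pam_account_expired_message = Account expired in PAM
pam_account_locked_message = Account locked in PAM
# (path to a file with trusted CA certificates in PEM format)
# pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
# Default: no_session
pam_initgroups_scheme = never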