#
# sssd.conf
# Generated by 389 Directory Server - dsidm
#
# For more details see man sssd.conf and man sssd-ldap
# Be sure to review the content of this file to ensure it is secure and correct
# in your environment.

[sssd]
# Responders started by the monitor. pam and ssh put SSSD on this host's
# login and authorized-keys path; sudo serves sudo rules; nss serves user,
# group and service lookups.
services = pam, ssh, sudo, nss
config_file_version = 2

# Single domain; its backend settings live in [domain/jcolebrand.info].
domains = jcolebrand.info
# default_domain_suffix = jcolebrand.info

# Log verbosity of the monitor process only; each service and domain section
# sets its own debug_level.
debug_level = 3

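[domain/jcolebrand.info]
# Uncomment this for more verbose logging.
debug_level = 3
# seconds (see `timeout` in man sssd.conf)
timeout = 30

# ldap_library_debug_level = -1

# Identity SSSD binds with for every directory lookup.
# cn=Directory Manager is the 389 DS root account: anyone who can read this
# file holds full write access to the whole directory. Prefer a dedicated
# read-limited service account for the bind DN, and keep this file root-owned
# with mode 0600 (SSSD checks the permissions at start-up).
# NOTE(review): obfuscated_password is reversible obfuscation, not encryption;
# it does not protect the token from anyone who can read the file.
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAJeeqE270viqyDUDJXubnTdVXTEZfgWJBRBzF8Lwu5lq1h7xynnmwt9tNi2ZdQ5NDkF744QD6Vh0C4f+ypf3h2IAAQID

# Cache hashes of user authentication for offline auth.
# Set once here; the same key was previously repeated at the end of the
# section, which made the effective value parser-dependent.
cache_credentials = True
id_provider = ldap
# auth_provider = ldap
# access_provider = ldap
# chpass_provider = ldap
ldap_schema = rfc2307
ldap_search_base = dc=jcolebrand,dc=info
# LDAPS plus ldap_tls_reqcert = demand below: the server certificate is
# verified against ldap_tls_cacert, so the simple binds performed by
# auth_provider = ldap are not exposed to interception.
ldap_uri = ldaps://jcolebrand.info
# If you have DNS SRV records, you can use the following instead. This derives
# from your ldap_search_base.
# ldap_uri = _srv_

# ldap_tls_reqcert = demand
# To use cacert dir, place *.crt files in this path then run:
# /usr/bin/openssl rehash /etc/openldap/certs
# or (for older versions of openssl)
# /usr/bin/c_rehash /etc/openldap/certs
# ldap_tls_cacertdir = /etc/letsencrypt/live/medusa.jcolebrand.info/

# ldap_tls_cacertdir = /etc/dirsrv/slapd-medusa/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ISRG_Root_X1.1.pem

# Path to the cacert
# ldap_tls_cacert = /etc/openldap/certs/cert.pem
# (A former commented line assigned a certificate path to ldap_tls_reqcert;
# that key takes never/allow/try/demand/hard, and the active setting is the
# `demand` line above.)
# Only users who match this filter can login and authorise to this machine. Note
# that users who do NOT match, will still have their uid/gid resolve, but they
# can't login.
# ldap_access_filter = (memberOf=<dn>)
enumerate = False
ldap_user_member_of = memberof
#ldap_user_gecos = cn
#ldap_user_uuid = nsUniqueId
#ldap_group_uuid = nsUniqueId
# This is really important as it allows SSSD to respect nsAccountLock
# NOTE(review): ldap_access_order and ldap_access_filter are only evaluated
# with access_provider = ldap; this section sets access_provider = permit
# (below), so neither is in effect as written.
#ldap_access_order = filter, expire
# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <username>
ldap_user_ssh_public_key = nsSshPublicKey

# This prevents an issue where the Directory is recursively walked on group
# and user look ups. It makes the client faster and more responsive in almost
# every scenario.
# NOTE(review): the comment above describes ignore_group_members = True, but
# the value here is False, so member lists are still resolved; confirm which
# behaviour is intended.
ignore_group_members = False

#ldap_user_search_base = ou=people,dc=jcolebrand,dc=info
ldap_service_search_base = ou=services,dc=jcolebrand,dc=info
ldap_sudo_search_base = ou=SUDOers,dc=jcolebrand,dc=info
# False: every rule under ldap_sudo_search_base is downloaded and cached on
# this host, not only rules whose sudoHost matches it. sudo still evaluates
# sudoHost per rule, but the whole rule set becomes readable locally.
ldap_sudo_use_host_filter = False
ldap_id_mapping = false
# Captures the bare user name. The pattern is not anchored at the start, so an
# input such as user@jcolebrand.info presumably yields "jcolebrand.info" as the
# name and the lookup fails; bare names are expected here
# (use_fully_qualified_names = False below).
re_expression = (?P<name>[^@]+$)

# permit: every account the directory resolves may log in to this host. SSSD
# applies no access filter, expiry or nsAccountLock check in this mode; use
# access_provider = ldap with ldap_access_order / ldap_access_filter to
# restrict logins.
access_provider = permit
sudo_provider = ldap
auth_provider = ldap
autofs_provider = ldap
resolver_provider = ldap

# User and group names are matched case-insensitively.
case_sensitive = false

auto_private_groups = hybrid
use_fully_qualified_names = False
domain_type = posix
lookup_family_order = ipv4_only

chpass_provider = ldap
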
[nss]
debug_level = 3

# Only expanded through %H in the home directory templates; the templates
# below use %u, so this value is presumably unused here - verify.
homedir_substring = /home
# override_homedir applies to every user regardless of the directory entry
# (per man sssd.conf); fallback_homedir is only consulted when no home
# directory is known and override_homedir is unset.
override_homedir = /home/%u
fallback_homedir = /home/%u
# Every user is given pwsh as login shell even if the directory's loginShell
# says otherwise; shell_fallback and default_shell are only reached if
# override_shell is removed.
override_shell = /opt/microsoft/powershell/7/pwsh
shell_fallback = /opt/microsoft/powershell/7/pwsh
default_shell = /opt/microsoft/powershell/7/pwsh

[pam]

debug_level = 3

# 0: do not show any message
# 1: show only important messages
# 2: show informational messages
# 3: show all messages and debug information
# Level 3 prints debug detail to the user at the login prompt; consider 1
# outside troubleshooting.
pam_verbosity = 3

# Messages shown to the user on the corresponding account state.
pam_account_expired_message = Account expired in PAM
pam_account_locked_message = Account locked in PAM
# (path to a file with trusted CA certificates in PEM format)
# pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem

# Default: no_session
# never: group membership is not refreshed at login, so a removal from a
# group in the directory takes effect only after the cached entry expires.
pam_initgroups_scheme = never
