
#
# sssd.conf
# Generated by 389 Directory Server - dsidm
#
# For more details see man sssd.conf and man sssd-ldap
# Be sure to review the content of this file to ensure it is secure and correct
# in your environment.
[sssd]
# Monitor section: which responders run and which domain backs them.
config_file_version = 2
# Responders started by the monitor. Only these are served; a domain
# setting for another responder (e.g. autofs_provider) is inert unless
# that responder is also started here or socket-activated.
services = pam, ssh, sudo, nss
domains = jcolebrand.info
# default_domain_suffix = jcolebrand.info
# 3 = errors and operational failures; raise for troubleshooting only.
debug_level = 3
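[domain/jcolebrand.info]
# Domain section: identity, auth, access, sudo and autofs all come from the
# 389-DS LDAP server. Fixed in this revision: cache_credentials was listed
# twice (both "True"; one copy kept), a stray "ldap_tls_reqcert = <path>"
# line (reqcert takes a policy keyword, not a file) was dropped, boolean
# values are now spelled consistently, and comments that described the
# opposite of the configured value were corrected.

# 3 = errors and operational failures; raise (e.g. 6 or 9) only while
# troubleshooting and lower it again afterwards.
debug_level = 3
# Seconds before the backend's own watchdog restarts a stuck provider.
timeout = 30
# ldap_library_debug_level = -1

# --- Bind identity ---------------------------------------------------------
# NOTE(review): cn=Directory Manager is the 389-DS root DN with unrestricted
# write access to the whole directory. SSSD only needs read access to the
# user, group, sudo and automount subtrees; a dedicated, read-only bind
# account (or SASL/GSSAPI) limits the damage if this file is disclosed.
ldap_default_bind_dn = cn=Directory Manager
# "obfuscated_password" is the output of sss_obfuscate. It is reversible
# obfuscation, not encryption: anyone who can read this file (root) can
# recover the clear-text password. Treat the value as a secret, keep the
# file mode 0600 root:root, and rotate the password if this file has been
# copied into a repository or backup that others can read.
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAJeeqE270viqyDUDJXubnTdVXTEZfgWJBRBzF8Lwu5lq1h7xynnmwt9tNi2ZdQ5NDkF744QD6Vh0C4f+ypf3h2IAAQID

# --- Providers --------------------------------------------------------------
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
# autofs is not in [sssd] services; this only takes effect if the autofs
# responder is started (or socket-activated) separately.
autofs_provider = ldap
resolver_provider = ldap
# "permit" grants login to every user the id provider can resolve. Host
# access control is therefore NOT enforced by SSSD on this machine: neither
# ldap_access_filter nor nsAccountLock (ldap_access_order = expire) is
# consulted. Switch to "access_provider = ldap" and uncomment the two
# ldap_access_* keys below to enforce them.
access_provider = permit
# Only users who match this filter can login and authorise to this machine. Note
# that users who do NOT match, will still have their uid/gid resolve, but they
# can't login. Takes effect only with access_provider = ldap.
# ldap_access_filter = (memberOf=<dn>)
# "expire" makes SSSD respect nsAccountLock. Takes effect only with
# access_provider = ldap.
# ldap_access_order = filter, expire

# --- Directory layout -------------------------------------------------------
ldap_schema = rfc2307
ldap_search_base = dc=jcolebrand,dc=info
# ldap_user_search_base = ou=people,dc=jcolebrand,dc=info
ldap_service_search_base = ou=services,dc=jcolebrand,dc=info
ldap_sudo_search_base = ou=SUDOers,dc=jcolebrand,dc=info
# With the host filter off, every sudoRole under ldap_sudo_search_base is
# downloaded and applied on this host regardless of its sudoHost attribute.
# Set to true (and keep sudoHost accurate) if rules are meant per host.
ldap_sudo_use_host_filter = false
ldap_user_member_of = memberof
# ldap_user_gecos = cn
# ldap_user_uuid = nsUniqueId
# ldap_group_uuid = nsUniqueId
# Setup for ssh keys
# Inside /etc/ssh/sshd_config add the lines:
# AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
# AuthorizedKeysCommandUser nobody
# You can test with the command: sss_ssh_authorizedkeys <username>
ldap_user_ssh_public_key = nsSshPublicKey
# Setting this to true stops SSSD from resolving every member of a group
# during group look-ups, which avoids walking large parts of the directory
# and makes the client more responsive. It is left at false here, so
# members ARE resolved (getgrnam etc. return full member lists).
ignore_group_members = false
# Do not enumerate the whole directory through getpwent/getgrent.
enumerate = false
ldap_id_mapping = false

# --- Connection / TLS -------------------------------------------------------
ldap_uri = ldaps://jcolebrand.info
# If you have DNS SRV records, you can use the following instead. This derives
# from your ldap_search_base.
# ldap_uri = _srv_
# "demand": the server certificate must be presented and must verify against
# ldap_tls_cacert; otherwise the connection is refused.
ldap_tls_reqcert = demand
# Path to the cacert (single PEM file). Only certificates chaining to this
# root are accepted, so it must be kept current if the server's issuer changes.
ldap_tls_cacert = /etc/ssl/certs/ISRG_Root_X1.1.pem
# ldap_tls_cacert = /etc/openldap/certs/cert.pem
# To use cacert dir, place *.crt files in this path then run:
# /usr/bin/openssl rehash /etc/openldap/certs
# or (for older versions of openssl)
# /usr/bin/c_rehash /etc/openldap/certs
# ldap_tls_cacertdir = /etc/letsencrypt/live/medusa.jcolebrand.info/
# ldap_tls_cacertdir = /etc/dirsrv/slapd-medusa/
lookup_family_order = ipv4_only

# --- Name handling ----------------------------------------------------------
# Custom name regex: only the name group is captured, no domain part.
# NOTE(review): the pattern is not anchored at the start; if SSSD does not
# anchor it internally, an input such as "user@host" could match "host" as
# the name — confirm against the SSSD version in use before relying on it.
re_expression = (?P<name>[^@]+$)
use_fully_qualified_names = false
case_sensitive = false
auto_private_groups = hybrid
domain_type = posix

# --- Offline behaviour ------------------------------------------------------
# Cache hashes of user authentication for offline auth.
cache_credentials = true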
[nss]
# NSS responder: home directory and shell presented for LDAP users.
debug_level = 3
# Both override_* keys apply to every user, so the fallback_homedir and
# default_shell/shell_fallback values below are only reached if the
# override keys are later removed (the override takes precedence).
override_homedir = /home/%u
override_shell = /opt/microsoft/powershell/7/pwsh
# %u is expanded by SSSD to the login name.
homedir_substring = /home
fallback_homedir = /home/%u
default_shell = /opt/microsoft/powershell/7/pwsh
shell_fallback = /opt/microsoft/powershell/7/pwsh
[pam]
debug_level = 3
pam_verbosity = 3
# 0: do not show any message
# 1: show only important messages
# 2: show informational messages
# 3: show all messages and debug information
pam_account_expired_message = Account expired in PAM
pam_account_locked_message = Account locked in PAM
# (path to a file with trusted CA certificates in PEM format)
# pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
# Default: no_session
pam_initgroups_scheme = never