Work in progress.

Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition. This will help you debug by ruling out any certificate issues. DO NOT use that line in production!

The only real deviations from a standard config are the addition of "min_id = 1", as OIT has group IDs in the 10s-20s, and "enumerate = true", which creates a local precache and allows tools such as finger to operate normally.

{{{
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = oit

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/oit]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = o=Princeton University,c=US
id_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs
min_id = 1
enumerate = true
}}}
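Because the debug-only "ldap_tls_reqcert = allow" line is easy to leave behind, here is an added example (not part of this page's config or of SSSD itself) that lints an sssd.conf for the TLS settings discussed above: a plain ldap:// URI without START_TLS, a reqcert value that disables certificate validation, and a missing CA path. The sample configuration embedded below is constructed from the domain block above with the forbidden line added.

```python
"""Lint sssd.conf LDAP domains for weak TLS settings (added example)."""
import configparser

# Constructed sample: the [domain/oit] block above plus the debug-only
# ldap_tls_reqcert = allow line that must never reach production.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = oit

[domain/oit]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_tls_reqcert = allow
min_id = 1
enumerate = true
"""


def _truthy(value):
    # sssd accepts True/true/yes/1 for boolean options
    return value.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text):
    """Return (section, finding) tuples for every LDAP-backed domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if "ldap" not in (dom.get("id_provider"), dom.get("auth_provider")):
            continue
        uri = dom.get("ldap_uri", "")
        # ldap:// is only acceptable when START_TLS is forced on the connection
        if uri.startswith("ldap://") and not _truthy(dom.get("ldap_id_use_start_tls", "false")):
            findings.append((section, "plaintext ldap:// without ldap_id_use_start_tls"))
        # sssd's default for ldap_tls_reqcert is "hard"; allow/never skip validation
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("allow", "never"):
            findings.append((section, f"ldap_tls_reqcert = {reqcert} disables certificate validation"))
        if not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append((section, "no ldap_tls_cacert or ldap_tls_cacertdir configured"))
    return findings
```

Run it against /etc/sssd/sssd.conf before promoting a host to production; an empty list means none of the three weak settings is present.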

Someone else once wrote this: