Version 4 (modified by brose, 10 years ago)


Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition. This will help you debug by ruling out any certificate issues. DO NOT use that line in production!

The only real deviations from a standard config are the addition of "min_id = 1", as OIT has group IDs in the 10s-20s, and "enumerate = true", which creates a local precache and allows tools such as finger to operate normally.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = oit

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/oit]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = o=Princeton University,c=US
id_provider = ldap
ldap_uri = ldap://
krb5_kdcip =
ldap_tls_cacertdir = /etc/pki/tls/certs
min_id = 1
enumerate = true
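A small audit script (added here, not part of the original wiki page or of SSSD itself) that parses an sssd.conf and flags the debugging-only "ldap_tls_reqcert = allow" line and related TLS gaps before a config goes to production; the sample config and the ldap.example.com host are constructed placeholders.

```python
import configparser

# Constructed sample modelled on the config above, with the debugging line
# (ldap_tls_reqcert = allow) left in, as a tester might forget to remove it.
# ldap.example.com stands in for the real server, which the page does not name.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = oit

[domain/oit]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_tls_reqcert = allow
min_id = 1
enumerate = true
"""

def audit_sssd_conf(text):
    """Return a list of (section, message) findings for weak LDAP TLS settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        d = cfg[section]
        uri = d.get("ldap_uri", "")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        # Plain ldap:// without StartTLS sends the bind password in clear text.
        if not uri.startswith("ldaps://") and not starttls:
            findings.append((section, "ldap:// without ldap_id_use_start_tls"))
        # 'allow' and 'never' accept any server certificate (SSSD's default is
        # 'hard'): useful while debugging, but a TLS session whose peer is not
        # verified gives no protection against a spoofed directory server.
        if d.get("ldap_tls_reqcert", "hard").lower() in ("allow", "never"):
            findings.append((section, "ldap_tls_reqcert permits unverified certificates"))
        # Certificate verification needs a trust anchor to check against.
        if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            findings.append((section, "no ldap_tls_cacert/ldap_tls_cacertdir configured"))
    return findings

if __name__ == "__main__":
    for section, msg in audit_sssd_conf(SAMPLE_CONF):
        print(f"{section}: {msg}")
```

Run it against /etc/sssd/sssd.conf by reading the file into a string and passing it to audit_sssd_conf; an empty result means none of the three checks fired.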

Someone else once wrote this:

For authentication only (no user database), make sure you have the nss-pam-ldapd rpm installed and then run:

authconfig --enableldapauth --ldapserver=ldaps:// --ldapbasedn="o=Princeton University,c=US" --ldaploadcacert=file:///etc/pki/tls/certs/ca-bundle.crt --disablesssdauth --disablesssd --updateall --enableforcelegacy