
Untitled

a guest
Nov 26th, 2013
  [sssd]
  # Syntax version of this configuration file.
  config_file_version = 2

  # Responders to start, and the domains to query, listed in lookup order.
  # Every name in "domains" needs a matching [domain/<NAME>] section;
  # SSSD will not start when no domain is configured.
  services = nss, pam
  domains = REALM

  # How many times a service tries to reconnect after a crash or restart
  # before it gives up.
  reconnection_retries = 3

  # Raise this timeout when a back end is particularly slow.
  sbus_timeout = 30
  17.  
  [nss]
  reconnection_retries = 3

  # Comma-separated names that SSSD never searches for in any domain: root plus
  # the system accounts that must always come from the local files
  # (/etc/passwd users), or that should simply be filtered out.
  # NOTE(review): "nobody" is in the group list and "nogroup" in the user list;
  # on systems where nobody is the user and nogroup is the group these look
  # swapped - confirm against the local account names.
  filter_users = root,sshd,zabbix,www-data,puppet,snmp,nogroup
  filter_groups = root,sshd,zabbix,www-data,puppet,snmp,nobody,adm

  # entry_cache_timeout: seconds an entry stays in the cache before it counts
  # as stale and a lookup has to block while it is refreshed.
  # entry_cache_nowait_timeout: seconds to wait before the cache is updated
  # out-of-band; NSS requests are still answered from the cache until the full
  # entry_cache_timeout has passed. 0 turns the feature off (the default).
  # NOTE(review): later SSSD releases document entry_cache_timeout in the domain
  # section and entry_cache_nowait_percentage in [nss] - verify both key names
  # against sssd.conf(5) for the installed version.
  entry_cache_timeout = 43200
  entry_cache_nowait_timeout = 300
  34.  
  [pam]
  # Reconnect attempts for this responder after a crash or restart, the same
  # value the [sssd] and [nss] sections use.
  # NOTE(review): the domain section sets cache_credentials = true, so logins
  # can succeed from cached credentials while the back end is unreachable.
  # offline_credentials_expiration (days, set in this section) bounds how long
  # after the last online login that stays possible; it is not set here, so the
  # default applies - confirm that is intended.
  reconnection_retries = 3
  37.  
  38.  
  39.  
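  [domain/REALM]
  description = LDAP domain with AD server

  # Identity data comes from LDAP; authentication and password changes go
  # through Kerberos.
  id_provider = ldap
  auth_provider = krb5
  chpass_provider = krb5
  # ldap_access_filter (below) is only evaluated by the LDAP access provider.
  # Without this line the section configures no access provider and the filter
  # does not restrict who may log in.
  access_provider = ldap

  # Enumeration caches every user and group of the domain locally; against a
  # large directory this is expensive - keep it only if tools need full listings.
  enumerate = true
  min_id = 1000
  # Keeps a hash of each user's credentials in the local cache so that logins
  # work while the servers are unreachable.
  cache_credentials = true

  krb5_realm = REALM
  # krb5_kdcip is the legacy name of krb5_server (see sssd-krb5(5)).
  krb5_kdcip = IP
  ldap_force_upper_case_realm = true
  ldap_pwd_policy = none

  # Transport security. The bind account below authenticates with a password in
  # a simple bind, and the uid/gid data that decides local identities travels
  # over the same connection, so the channel is encrypted and the server
  # certificate is verified. ldap_tls_reqcert = never would accept any
  # certificate and leave the connection open to interception.
  # If LDAPURI is already an ldaps:// URI, StartTLS is not needed on top of it.
  ldap_uri = LDAPURI
  ldap_id_use_start_tls = true
  ldap_tls_reqcert = demand
  # LDAPCACERT is a placeholder: path to the CA certificate that issued the
  # directory server's certificate.
  ldap_tls_cacert = LDAPCACERT

  ldap_schema = rfc2307bis

  # Service account used for directory searches. The password is stored here in
  # clear text: keep this file owned by root with mode 0600 and use a dedicated
  # read-only account. A keytab-based bind (ldap_sasl_mech = GSSAPI) avoids
  # storing a password in this file at all.
  ldap_default_bind_dn = LDAPBINDDN
  ldap_default_authtok_type = password
  ldap_default_authtok = LDAPBINDPW

  # User entries: search base, object class and attribute mapping.
  ldap_user_search_base = LDAPSEARCHBASE
  ldap_user_object_class = user
  ldap_user_name = sAMAccountName
  ldap_user_uid_number = uidNumber
  ldap_user_gid_number = GIDNumber
  ldap_user_gecos = displayName
  ldap_user_home_directory = unixHomeDirectory
  ldap_user_shell = loginShell
  ldap_user_principal = userPrincipalName
  ldap_user_uuid = objectGUID
  # Only users whose entry matches this LDAP filter are allowed to log in
  # (enforced through access_provider = ldap above).
  ldap_access_filter = LDAPFILTER

  # Group entries: search base, object class and attribute mapping.
  ldap_group_search_base = LDAPSEARCHBASEGROUP
  ldap_group_object_class = group
  ldap_group_name = Name
  ldap_group_gid_number = GidNumber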