From 311fe79b6e6aa0aba0c0cce09c5fd8328f88e2b6 Mon Sep 17 00:00:00 2001
From: Alex Iribarren <alex.iribarren@cern.ch>
Date: Tue, 21 Jan 2025 16:37:49 +0100
Subject: [PATCH] Fix sssd config

---
 docs/docs/account-mgmt.md   | 67 ++++---------------------------------
 docs/docs/sssd.conf.example |  1 +
 2 files changed, 7 insertions(+), 61 deletions(-)

diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
index 639832be0..3b29087a5 100644
--- a/docs/docs/account-mgmt.md
+++ b/docs/docs/account-mgmt.md
@@ -36,74 +36,19 @@ to connect to multiple different account sources as well as D-Bus interface.
 The <tt>/etc/sssd/sssd.conf</tt> configuration describes the CERN configuration.
 <p>
 Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed.
-This package provides a base minimum for kerberos configuration, but the example below is more feature complete
-<p>
-If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package.
-
-<pre>
-[sssd]
-services = nss, pam
-domains = LOCAL_CERN.CH, CERN.CH
-
-[domain/LOCAL_CERN.CH]
-id_provider = files
-auth_provider = krb5
-krb5_realm = CERN.CH
-krb5_server = cerndc.cern.ch
-
-[domain/CERN.CH]
-id_provider = ldap
-ignore_group_members = True
-access_provider = ldap
-ldap_schema = AD
-
-ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389
-
-ldap_referrals = False
-ldap_id_use_start_tls = False
-ldap_search_base = DC=cern,DC=ch
-ldap_user_search_base = OU=Users,OU=Organic Units,DC=cern,DC=ch
-ldap_user_search_scope = one
-ldap_user_object_class = person
-ldap_user_name = sAMAccountName
-ldap_user_home_directory = unixHomeDirectory
-
-ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch
-ldap_group_search_scope = one
-ldap_group_object_class = group
-
-&#35; Allowing users * : (&(objectClass=user) (cn=*))
-ldap_access_filter = (&(objectClass=user) (cn=*))
-
-&#35; GID
-&#35; ldap_access_filter = (&(objectClass=user) (gidNumber=1160))
-&#35; Egroup
-&#35; ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
-&#35; Filter disabled AD accounts:
-&#35; ldap_access_filter = (&;(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
-
-ldap_force_upper_case_realm = True
-
-krb5_realm = CERN.CH
-krb5_server = cerndc.cern.ch
-
-auth_provider = krb5
-chpass_provider = krb5
-cache_credentials = True
-ldap_tls_cacertdir = /etc/openldap/cacerts
-</pre>
+This package provides a base minimum for kerberos configuration, but <a href="/docs/sssd.conf.example">this example</a> is more feature complete.
 
 You can install it by following this recipe as root :
 <pre>
-&#35; curl -o /etc/sssd/sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
-&#35; chown root:root /etc/sssd/sssd.conf
-&#35; chmod 0600 /etc/sssd/sssd.conf
-&#35; restorecon /etc/sssd/sssd.conf
+&#35; curl -o /etc/sssd/conf.d/10_sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
+&#35; chown root:root /etc/sssd/conf.d/10_sssd.conf
+&#35; chmod 0600 /etc/sssd/conf.d/10_sssd.conf
+&#35; restorecon /etc/sssd/conf.d/10_sssd.conf
 </pre>
 In the following section we will explain how it can be tweaked.
 
 <h3>General options</h3>
-This section describes the main options to be configured in <tt>/etc/sssd/sssd.conf</tt>.
+This section describes the main options to be configured in <tt>/etc/sssd/conf.d/10_sssd.conf</tt>.
 <ul>
     <li><tt>services</tt> is a comma separated list of services that are started when sssd itself starts. Supported services: nss, pam , sudo, autofs, ssh, pac, ifp</li>
     <li><tt>domain</tt> is a database containing user information.SSSD can use more domains at the same time.</li>
diff --git a/docs/docs/sssd.conf.example b/docs/docs/sssd.conf.example
index 713272d29..21cced072 100644
--- a/docs/docs/sssd.conf.example
+++ b/docs/docs/sssd.conf.example
@@ -30,6 +30,7 @@ ldap_user_search_scope = one
 ldap_user_object_class = person
 ldap_user_name = sAMAccountName
 ldap_user_home_directory = unixHomeDirectory
+ldap_user_principal = nosuchattr
 
 ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch
 ldap_group_search_scope = one
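Review bot: The new `ldap_user_principal = nosuchattr` line names an attribute that does not exist in the directory and carries no comment, so a reader of an example config will take it for a typo and "fix" it back to a real attribute. If the intent is the usual workaround of keeping SSSD from reading the AD UPN so that the Kerberos principal is derived as login@krb5_realm instead, that reasoning belongs in the file; I would add above the line `# Intentionally a non-existent attribute: SSSD then builds the Kerberos principal from the login name and krb5_realm instead of the AD userPrincipalName.` The enclosing `[domain/...]` section header starts outside the hunk, so this should also be confirmed against the krb5_realm set there.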
-- 
GitLab