
Fix sssd config

Merged Alex Iribarren requested to merge sssd into master
2 files changed: +7 / -61
@@ -36,74 +36,19 @@ to connect to multiple different account sources as well as D-Bus interface.
The <tt>/etc/sssd/sssd.conf</tt> configuration describes the CERN configuration.
<p>
Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed.
This package provides a base minimum for kerberos configuration, but the example below is more feature complete
<p>
If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package.
<pre>
[sssd]
services = nss, pam
domains = LOCAL_CERN.CH, CERN.CH
[domain/LOCAL_CERN.CH]
id_provider = files
auth_provider = krb5
krb5_realm = CERN.CH
krb5_server = cerndc.cern.ch
[domain/CERN.CH]
id_provider = ldap
ignore_group_members = True
access_provider = ldap
ldap_schema = AD
ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389
ldap_referrals = False
ldap_id_use_start_tls = False
ldap_search_base = DC=cern,DC=ch
ldap_user_search_base = OU=Users,OU=Organic Units,DC=cern,DC=ch
ldap_user_search_scope = one
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch
ldap_group_search_scope = one
ldap_group_object_class = group
&#35; Allowing users * : (&(objectClass=user) (cn=*))
ldap_access_filter = (&(objectClass=user) (cn=*))
&#35; GID
&#35; ldap_access_filter = (&(objectClass=user) (gidNumber=1160))
&#35; Egroup
&#35; ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
&#35; Filter disabled AD accounts:
&#35; ldap_access_filter = (&;(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
ldap_force_upper_case_realm = True
krb5_realm = CERN.CH
krb5_server = cerndc.cern.ch
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
</pre>
This package provides a base minimum for kerberos configuration, but <a href="/docs/sssd.conf.example">this example</a> is more feature complete.
You can install it by following this recipe as root :
<pre>
&#35; curl -o /etc/sssd/sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
&#35; chown root:root /etc/sssd/sssd.conf
&#35; chmod 0600 /etc/sssd/sssd.conf
&#35; restorecon /etc/sssd/sssd.conf
&#35; curl -o /etc/sssd/conf.d/10_sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
&#35; chown root:root /etc/sssd/conf.d/10_sssd.conf
&#35; chmod 0600 /etc/sssd/conf.d/10_sssd.conf
&#35; restorecon /etc/sssd/conf.d/10_sssd.conf
</pre>
In the following section we will explain how it can be tweaked.
<h3>General options</h3>
This section describes the main options to be configured in <tt>/etc/sssd/sssd.conf</tt>.
This section describes the main options to be configured in <tt>/etc/sssd/conf.d/10_sssd.conf</tt>.
<ul>
<li><tt>services</tt> is a comma separated list of services that are started when sssd itself starts. Supported services: nss, pam , sudo, autofs, ssh, pac, ifp</li>
<li><tt>domain</tt> is a database containing user information.SSSD can use more domains at the same time.</li>
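Review bot: in the new install recipe (the four lines that write <tt>/etc/sssd/conf.d/10_sssd.conf</tt>), <tt>curl -o</tt> creates the file under the caller's default umask before the <tt>chmod 0600</tt> runs, so the credentials-bearing config is briefly world-readable, and without <tt>-f</tt> a 404 or proxy error page is written into the config and then loaded by sssd. Suggest fetching to a temporary file with <tt>curl -fsS -o /tmp/10_sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example</tt> and installing it in one step with the right owner and mode, <tt>install -m 0600 -o root -g root /tmp/10_sssd.conf /etc/sssd/conf.d/10_sssd.conf</tt> (or at least prefixing the recipe with <tt>umask 077</tt>); the same applies to the <tt>/etc/sssd/sssd.conf</tt> variant if it is retained. Dropping the inline <tt>&lt;pre&gt;</tt> block also removes the security-relevant settings readers could previously inspect: the old block used <tt>ldap://xldap.cern.ch:389</tt> with <tt>ldap_id_use_start_tls = False</tt>, listed the same host three times in <tt>ldap_uri</tt>, and set <tt>cache_credentials = True</tt>. Since the page now only links to <tt>sssd.conf.example</tt>, a sentence saying what the example does about LDAP transport security (and whether the duplicated <tt>ldap_uri</tt> entries were fixed there) would help readers judge what they are installing. Finally, the recipe ends without restarting sssd, so the new snippet does not take effect until the reader guesses that step; a closing <tt>systemctl restart sssd</tt> line would complete it.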