From 63739aaa1f9e12c65fd47dd8690cbe227ec1a660 Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 14:16:21 +0200 Subject: [PATCH 01/10] Update sssd doc to ensure local users can continue to auth --- docs/docs/account-mgmt.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md index d2dddfd3..1b63885c 100644 --- a/docs/docs/account-mgmt.md +++ b/docs/docs/account-mgmt.md @@ -38,18 +38,16 @@ The /etc/sssd/sssd.conf configuration describes the CERN configuration:
 [sssd]
-config_file_version = 2
-services = nss, pam
-domains = CERN
+    services = nss, pam
+    domains = LOCAL_CERN.CH, CERN.CH
 
-[nss]
-filter_groups = sshd,apache,root
-filter_users = sshd,apache,root
-
-[pam]
-pam_id_timeout = 600
+[domain/LOCAL_CERN.CH]
+id_provider = files
+auth_provider = krb5
+krb5_realm = CERN.CH
+krb5_server = cerndc.cern.ch
 
-[domain/CERN]
+[domain/CERN.CH]
 id_provider = ldap
 ignore_group_members = True
 access_provider = ldap
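Review bot: `config_file_version = 2` is dropped from `[sssd]`, but the page still documents CC7 (`authconfig --enablesssd --enablesssdauth`), and the sssd 1.x series shipped there, unlike 2.x, refuses to start without that key as far as I know; keep the line (2.x accepts and ignores it) or verify the file still loads on CC7. The new `+    services = nss, pam` and `+    domains = LOCAL_CERN.CH, CERN.CH` lines are indented four spaces while every other key in the file is flush left; dedent them. The `[nss]` `filter_users`/`filter_groups` lines and `[pam] pam_id_timeout` are removed without a word in the subject, so the commit message should say that the filters revert to sssd's default (`root` only). Finally, `[domain/LOCAL_CERN.CH]` pairs `id_provider = files` with `auth_provider = krb5`, so a local account that has no matching CERN.CH principal can only authenticate through `pam_unix`, not through sssd; one sentence in the doc saying that is intended would spare readers a debugging session.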
-- 
GitLab


From 4b4ccb5df0a5cf155b55b9c8273262c5663fb915 Mon Sep 17 00:00:00 2001
From: Ben Morrice 
Date: Wed, 6 Jul 2022 14:29:10 +0200
Subject: [PATCH 02/10] remove redundant information

---
 docs/docs/account-mgmt.md | 379 +-------------------------------------
 1 file changed, 6 insertions(+), 373 deletions(-)

diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
index 1b63885c..bad42be0 100644
--- a/docs/docs/account-mgmt.md
+++ b/docs/docs/account-mgmt.md
@@ -27,7 +27,6 @@ account information for all AFS users, and the membership of the CERN E-groups.
 

The xldap.cern.ch LDAP service is described here -

CERN CentOS 7

What is sssd ?

SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system @@ -152,15 +151,18 @@ All available settings can be found in the manual
  • If you have to deal with old user ID < 1000 you can use "min_id/max_id" in the [domain/CERN] section
  • Enable sssd

    +

    CERN CentOS 7

     # authconfig --enablesssd --enablesssdauth --update
     
    +

    CS8 onwards

    +
    +# authselect select sssd with-silent-lastlog --force
    +
    The /etc/nsswitch.conf configuration file describes the order in -which password-file lookups are performed. It should have these entries -configured by the previous command : +which password-file lookups are performed. This file should not need to be ever changed, and should always contain content such as:
     passwd:     files sss
    -shadow:     files sss
     group:      files sss
     
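Review bot: the new wording says /etc/nsswitch.conf "should always contain content such as" `passwd: files sss`, but the `authselect select sssd with-silent-lastlog --force` command added just above manages that file itself, and the order it writes depends on the authselect release (the stock CS8 sssd profile puts `sss` before `files`, as `passwd: sss files systemd`), so the shown content will not match what readers see; either show the generated order per release or say only that both `files` and `sss` must be present. The hunk also removes `-shadow:     files sss` from the example without explanation. `--force` silently overwrites any existing authconfig or authselect customisation, which deserves a sentence (or an `authselect current` check before it). "should not need to be ever changed" reads better as "should never need to be changed".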
    @@ -187,370 +189,6 @@ authorized CERN user :
     # getent passwd login
     
    -

    Scientific Linux CERN

    - -

    Configuring /etc/nsswitch.conf

    - -The /etc/nsswitch.conf configuration file describes the order in -which password-file lookups are performed. To make sure that local accounts -take precedence over LDAP accounts, it should have these entries: -
    -passwd:     files ldap
    -shadow:     files
    -group:      files ldap
    -
    -

    -Run man nsswitch.conf for more information. - -

    [SLC5] Configuring /etc/ldap.conf

    - -The /etc/ldap.conf configuration file is used to set system-wide -defaults to be applied when running ldap clients. This mechanism is available -on SLC5 and SLC4, the SLC6-specific mechanism is described below. -

    -This section describes the options that are relevant to configure account -lookups in the xldap.cern.ch LDAP service. An example configure -file containing the options described below is can be found -here. Please edit it to suit your needs - in -particular the nss_base_passwd option! -

    -Please make sure that the nss_ldap RPM is installed on your client -machine. Run yum install nss_ldap if this RPM is not installed. -

    -For more information, run man ldap.conf and/or man nss_ldap. -

    -Please note the recipes below have not been extensively tested on SLC4. - -

    General options

    - -This section describes the main options to be configured in /etc/ldap.conf. - -
      -
    • Set the distinguished name of the search base: -
      -# The distinguished name of the search base.
      -base dc=cern,dc=ch
      -
      -
    • Use the uri directive to specify the LDAP service. Note that -we specify the server multiple times, to allow failover between different -servers behind the DNS alias xldap.cern.ch: -
      -# Another way to specify your LDAP server is to provide an
      -# uri with the server name. This allows to use
      -# Unix Domain Sockets to connect to a local LDAP Server.
      -uri ldap://xldap.cern.ch/ ldap://xldap.cern.ch/ ldap://xldap.cern.ch/
      -
      -
    • The xldap.cern.ch LDAP service is a frontend to Active Directory, -and we need to map the services accordingly: -
      -# Services for UNIX 3.5 mappings
      -nss_map_objectclass posixAccount User
      -nss_map_objectclass shadowAccount User
      -nss_map_attribute uid sAMAccountName
      -nss_map_attribute uniqueMember Member
      -#nss_map_attribute userPassword msSFU30Password
      -nss_map_attribute homeDirectory unixHomeDirectory
      -nss_map_objectclass posixGroup Group
      -pam_login_attribute sAMAccountName
      -#pam_filter objectclass=User
      -#pam_password ad
      -
      -
    • Configure basic result filtering: -
      -# RFC2307bis naming contexts
      -# Syntax:
      -# nss_base_XXX          base?scope?filter
      -# where scope is {base,one,sub}
      -# and filter is a filter to be &'d with the
      -# default filter.
      -# You can omit the suffix eg:
      -# nss_base_passwd       ou=People,
      -# to append the default base DN but this
      -# may incur a small performance impact.
      -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one
      -nss_base_group OU=Workgroups,DC=cern,DC=ch?sub?gidNumber=*
      -
      -This limits the search results to all Unix accounts in Active Directory. -

      -More sophisticated filters are described in the next section. -

    • By default, the server will return only the first 1000 results. If you -expect more results, you should enable support for paged results: -
      -# Enable support for paged results
      -nss_paged_results yes
      -
      -
    • Using SSL to verify the identity of the xldap.cern.ch -

      - Work in progress - to be released and documented in the near future - -

    • Should you need to debug your configuation, you can set the following -options: -
      -# Enable debugging
      -logdir /var/log
      -debug 255
      -
      -
    - -

    Filtering the results

    - -With the general options above, your machine now has allows access from -all accounts in the LDAP service. That is probable not what you want... -This section gives some examples of filters that you can set to restrict -the results to some useful sets of accounts. - -
      -
    • How to give access to all users of some Unix groups? -
        -
      • Only allow the users of Unix group xx (gid 1160): -
        nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1160
        -
      • Allow users from Unix groups t3 and zp (gid's 1081 and 1307): -
        nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?|(gidNumber=1081)(gidNumber=1307)
        - Alternatively, using the fact that these filters are added to the default search filter, we can - specify two separate lines: -
        -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1081
        -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?gidNumber=1307
        -
      -
    • How to give access to all members of an e-group? -
        -
      • Allows members of lxsoft-admins (non-recursive) e-group: -
        nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch
        -
      • Note: the above does not work for "recursive e-groups", where some - members are e-groups themselves. To support such e-groups, you can modify the filter: -
        nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch
        - But beware: full password file lookups (getent passwd) take a performance hit. This - seems to be a limitation of the Active Directory LDAP server, we are contacting - Microsoft about this. -
      -
    • How to deny access to users with disabled accounts? -
        -
      • Accounts that are disabled in Active Directory can be filtered out like this: -
        nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?!(userAccountControl:1.2.840.113556.1.4.803:=2)
        - For an explanation, please go the Microsoft Knowledge Base -
      -
    -

    -Note that filters can be combined! For example: to allow all CMS users with enabled accounts: -

    -nss_base_passwd OU=Users,OU=Organic Units,DC=cern,DC=ch?one?&(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
    -
    - -

    Overriding attribute values

    - -nss_ldap allows to override certain attribute values, like the login shell or the -use home directory. This may be useful on certain server machines. Examples: - -
    -# Set the user homedirectory to /dev/null
    -nss_override_attribute_value unixHomeDirectory /dev/null
    -# Set the login shell to /sbin/nologin
    -nss_override_attribute_value loginShell /sbin/nologin
    -
    - -Note that these values are applied on all results of the LDAP filtering. - - - -

    [SLC6] Configuring /etc/nslcd.conf

    - -The /etc/nslcd.conf configuration file is used to set system-wide -defaults to be applied when running ldap clients. This mechanism is available -on SLC6, the SLC5- and SLC4-specific mechanism is described above. -

    -This section describes the options that are relevant to configure account -lookups in the xldap.cern.ch LDAP service. An example configure -file containing the options described below is can be found -here. Please edit it to suit your needs - in -particular the filter passwd entry! -

    -Please make sure that the nss-pam-ldapd RPM is installed on your client -machine. Run yum install nss-pam-ldapd if this RPM is not installed. -

    -Then, make sure that the nslcd runs, and gets started at boot time: -

    -/sbin/service nslcd restart
    -/sbin/chkconfig --level 345 nslcd on
    -
    -Note: the nslcd service must be restarted after changes to the /etc/nslcd.conf -have been made! -

    -For more information, run man nslcd.conf and/or man nslcd. -

    -

    NOTE: Due to a bug, please add a line to /etc/sysconfig/network

    -
    -NETWORKWAIT=1
    -
    -

    General options

    -This section describes the main options to be configured in /etc/nslcd.conf. - -
      -
    • Set the distinguished name of the search base: -
      -# The distinguished name of the search base.
      -base dc=cern,dc=ch
      -
      -
    • Use the uri directive to specify the LDAP service. Note that -we specify the server multiple times, to allow failover between different -servers behind the DNS alias xldap.cern.ch: -
      -# The uri pointing to the LDAP server to use for name lookups.
      -# Multiple entries may be specified. The address that is used
      -# here should be resolvable without using LDAP (obviously).
      -uri ldap://xldap.cern.ch ldap://xldap.cern.ch ldap://xldap.cern.ch
      -
      - -
    • Configure search bases: -
      -# The distinguished name of the search base.
      -base   dc=cern,dc=ch
      -
      -and -
      -# Customize certain database lookups.
      -base   group  ou=Workgroups,dc=cern,dc=ch
      -base   passwd ou=Users,ou=Organic Units,dc=cern,dc=ch
      -
      - -
    • The xldap.cern.ch LDAP service is a frontend to Active Directory, -and we need to map the services accordingly. The snippet below defines the -mappings, and sets the filters to return all user accounts found in Active -Directory. In addition, it sets the number of paged result to limit the number -of results per query. -
      -# Mappings for Active Directory
      -pagesize 1000
      -referrals off
      -filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
      -map    passwd uid              sAMAccountName
      -map    passwd homeDirectory    unixHomeDirectory
      -map    passwd gecos            displayName
      -
      -filter shadow (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*))
      -map    shadow uid              sAMAccountName
      -map    shadow shadowLastChange pwdLastSet
      -
      -filter group  (objectClass=group)
      -map    group  uniqueMember     member
      -
      -More sophisticated filters are described in the next section. - - -
    • Set the search timelimit to allow recursive queries to finish -
      -# Search timelimit.
      -timelimit 30
      -
      - -
    • To verify the identity of the xldap.cern.ch server: -
        -
      • Make sure the CERN Certificate Authority certificates are installed: -
        -yum install CERN-CA-certs
        -
        -
      • Enable start_tls in /etc/nslcd.conf: -
        -# Use StartTLS without verifying the server certificate.
        -#ssl no
        -ssl start_tls
        -#tls_reqcert never
        -
        -# CA certificates for server certificate verification
        -#tls_cacertdir /etc/ssl/certs
        -tls_cacertdir /etc/pki/tls/certs/
        -
        -
      - -
    - -

    Filtering the results

    - -With the general options above, your machine now has allows access from -all accounts in the LDAP service. That is probable not what you want... -This section gives some examples of filters that you can set to restrict -the results to some useful sets of accounts. - -
      -
    • How to give access to all users of some Unix groups? -
        -
      • Only allow the users of Unix group xx (gid 1160): -
        filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(gidNumber=1160))
        -
      • Allow users from Unix groups t3 and zp (gid's 1081 and 1307): -
        filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(|(gidNumber=1081)(gidNumber=1307)))
        -
      -
    • How to give access to all members of an e-group? -
        -
      • Allows members of lxsoft-admins (non-recursive) e-group: -
        filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
        -
      • Note: the above does not work for "recursive e-groups", where some - members are e-groups themselves. To support such e-groups, you can modify the filter: -
        filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(memberOf:1.2.840.113556.1.4.1941:=CN=info-experiments,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))
        - But beware: full password file lookups (getent passwd) take a performance hit. This - seems to be a limitation of the Active Directory LDAP server, we are contacting - Microsoft about this. -
      -
    • How to deny access to users with disabled accounts? -
        -
      • Accounts that are disabled in Active Directory can be filtered out like this: -
        filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
        - For an explanation, please go the Microsoft Knowledge Base -
      -
    -

    -Note that filters can be combined! For example: to allow all CMS users with enabled accounts: -

    -filter passwd (&(objectClass=user)(uidNumber=*)(unixHomeDirectory=*)(&(gidNumber=1399)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
    -
    - -

    Overriding attribute values

    - -nslcd.conf allows to override certain attribute values, like the login shell or the -use home directory. This may be useful on certain server machines. Examples: - -
    -# Set the user homedirectory to /home/$USER
    -map    passwd homeDirectory    "/home/$sAMAccountName"
    -# Set the login shell to /sbin/nologin
    -map    passwd loginShell       "/sbin/nologin"
    -
    - -Note that these values are applied on all results of the LDAP filtering. - -

    References

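Review bot: the removed nss_ldap/nslcd material was the only place on the page documenting two AD-specific filter idioms that are still needed with sssd's `ldap_access_filter`: excluding disabled accounts with `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` and matching nested ("recursive") e-groups with `memberOf:1.2.840.113556.1.4.1941:=`, together with the warning that the latter makes full `getent passwd` lookups slow. PATCH 07 later re-adds the disabled-account and plain e-group forms as comments but not the recursive one, so carry it over with its performance caveat before deleting this section, otherwise the recursive e-group case is no longer documented anywhere. Dropping the `ssl start_tls` / `CERN-CA-certs` verification steps is fine only if the sssd example still enforces server certificate verification (it keeps `ldap_tls_cacertdir`); worth confirming rather than assuming.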
    @@ -563,8 +201,3 @@ NSCD Please send feedback and comments on this document to Linux support. - - - - - -- GitLab From f7dcdc5503e86017f3f4422df0b71a68b7b68d55 Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 14:32:59 +0200 Subject: [PATCH 03/10] Add reference to cern-krb5-conf on CS8+ --- docs/docs/account-mgmt.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md index bad42be0..e0e48b97 100644 --- a/docs/docs/account-mgmt.md +++ b/docs/docs/account-mgmt.md @@ -33,7 +33,11 @@ mechanisms. It provides an NSS and PAM interface toward the system and a pluggab to connect to multiple different account sources as well as D-Bus interface.

    Configuring sssd

    -The /etc/sssd/sssd.conf configuration describes the CERN configuration: +The /etc/sssd/sssd.conf configuration describes the CERN configuration. + +Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed. +This package provides a base minimum for kerberos configuration, but the example below is more feature complete +If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package.
     [sssd]
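Review bot: the added paragraph needs a grammar and punctuation pass: "Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed" reads better as "Note that on CS8 and newer the package 'cern-krb5-conf' may be installed", "kerberos" should be "Kerberos", and "more feature complete" lacks a full stop before "If you are using". On the substance, recommending a file under /etc/sssd/conf.d/ should also say that sssd only reads files there whose name ends in `.conf`, that they need the same `root:root` / 0600 ownership and mode the page's install recipe applies to sssd.conf, and that the snippets are merged in lexical filename order with later files overriding earlier keys, which is exactly how a conflict with whatever `cern-krb5-conf` ships would (or would not) be resolved; suggesting a concrete filename would make that actionable.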
    -- 
    GitLab
    
    
    From 05f6b49a20085ceb527b9f4177febe6ac0e2f563 Mon Sep 17 00:00:00 2001
    From: Ben Morrice 
    Date: Wed, 6 Jul 2022 14:45:53 +0200
    Subject: [PATCH 04/10] Tweak html
    
    ---
     docs/docs/account-mgmt.md | 8 +++-----
     1 file changed, 3 insertions(+), 5 deletions(-)
    
    diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
    index e0e48b97..c574bf2d 100644
    --- a/docs/docs/account-mgmt.md
    +++ b/docs/docs/account-mgmt.md
    @@ -34,7 +34,7 @@ to connect to multiple different account sources as well as D-Bus interface.
     

    Configuring sssd

    The /etc/sssd/sssd.conf configuration describes the CERN configuration. - +

    Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed. This package provides a base minimum for kerberos configuration, but the example below is more feature complete If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package. @@ -155,12 +155,10 @@ All available settings can be found in the manual

  • If you have to deal with old user ID < 1000 you can use "min_id/max_id" in the [domain/CERN] section
  • Enable sssd

    -

    CERN CentOS 7

    +# ## FOR CC7 ONLY ##
     # authconfig --enablesssd --enablesssdauth --update
    -
    -

    CS8 onwards

    -
    +# ## FOR CS8 AND NEWER ##
     # authselect select sssd with-silent-lastlog --force
     
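Review bot: the new marker lines `+# ## FOR CC7 ONLY ##` and `+# ## FOR CS8 AND NEWER ##` reuse the leading `# ` that every other line in these blocks uses as the root prompt, so in the rendered page they look like a prompt followed by a shell comment and are easy to mistake for something to type; a plain comment line without the prompt, or simply relying on the "CERN CentOS 7" / "CS8 onwards" headings the hunk already sits under, would be clearer.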
    The /etc/nsswitch.conf configuration file describes the order in -- GitLab From ed95a532fd14b80ba384adaf8719d5669c9f623f Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 14:47:50 +0200 Subject: [PATCH 05/10] remove final SL references on account-mgmt page --- docs/docs/account-mgmt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md index c574bf2d..b72ce84e 100644 --- a/docs/docs/account-mgmt.md +++ b/docs/docs/account-mgmt.md @@ -2,14 +2,14 @@ # Advanced user account management using LDAP

    How to configure LDAP to access user account information

    -There are different ways to configure user accounts on SLC and CC machines at CERN. +There are different ways to configure user accounts at CERN. If you only need to create a few AFS accounts, you should simply use the useraddcern command.

    If you need to give access to larger groups of accounts, that are centrally managed in FIM / Active Directory, read on...

    -This document describes how to configure a client CC or SLC machine to use +This document describes how to configure a client machine to use the central LDAP service xldap.cern.ch to give access to AFS user groups. Examples:

      -- GitLab From e97980686faf1fbd9645f82e1dd3665f6c278ab4 Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 14:56:03 +0200 Subject: [PATCH 06/10] Clean up docs/index.md --- docs/docs/index.md | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/docs/docs/index.md b/docs/docs/index.md index f39a854e..6520749d 100644 --- a/docs/docs/index.md +++ b/docs/docs/index.md @@ -36,21 +36,16 @@
    • Printing from Linux clients at CERN
    • -
    • - Advanced user account management using LDAP
    • - +Advanced user account management using LDAP
    • -Red Hat support - site +Red Hat support site
    • -
    • Red Hat Linux Support Knowledgebase
    • -

      Deprecated / historical documentation

        -- GitLab From 1d1b3a5ec1eca5fb37761ebbd977395d23e99d87 Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 15:00:40 +0200 Subject: [PATCH 07/10] Tweak sssd config further --- docs/docs/account-mgmt.md | 9 ++++++++- docs/docs/sssd.conf.example | 26 +++++++++----------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md index b72ce84e..91a9c5da 100644 --- a/docs/docs/account-mgmt.md +++ b/docs/docs/account-mgmt.md @@ -72,9 +72,16 @@ ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch ldap_group_search_scope = one ldap_group_object_class = group -# allow users +# Allowing users * : (&(objectClass=user) (cn=*)) ldap_access_filter = (&(objectClass=user) (cn=*)) +# GID +# ldap_access_filter = (&(objectClass=user) (gidNumber=1160)) +# Egroup +# ldap_access_filter = (&(objectClass=user) (memberOf=CN=lxsoft-admins,OU=e-groups,OU=Workgroups,DC=cern,DC=ch)) +# Filter disabled AD accounts: +# ldap_access_filter = (&;(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2))) + ldap_force_upper_case_realm = True krb5_realm = CERN.CH diff --git a/docs/docs/sssd.conf.example b/docs/docs/sssd.conf.example index a9147c08..f8d2e24f 100644 --- a/docs/docs/sssd.conf.example +++ b/docs/docs/sssd.conf.example 
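Review bot: the "Filter disabled AD accounts" example `(&;(|(|(&(objectClass=user) (cn=*))))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))` is not a valid LDAP filter: the `&;` looks like an HTML-escaping remnant of `&amp;`, and the nested `(|(|(...)))` adds nothing, so an administrator who uncomments it gets a filter that cannot be parsed and CERN.CH logins fail outright instead of only disabled accounts being excluded. The working form, consistent with the other examples in the hunk, is `ldap_access_filter = (&(objectClass=user)(cn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`. The GID and e-group lines are commented alternatives to the live `(&(objectClass=user) (cn=*))` filter, which admits every user object; a sentence saying that only one `ldap_access_filter` should be uncommented, and that the live one is the permissive default, would prevent readers from leaving two active. The space inside `(&(objectClass=user) (gidNumber=1160))` is also not part of RFC 4515 filter syntax; dropping it avoids relying on parser leniency.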
@@ -4,26 +4,22 @@ # man sssd.conf [sssd] -config_file_version = 2 -services = nss, pam -domains = CERN + services = nss, pam + domains = LOCAL_CERN.CH, CERN.CH -[nss] -filter_groups = sshd,apache,root -filter_users = sshd,apache,root - -[pam] -pam_id_timeout = 600 +[domain/LOCAL_CERN.CH] +id_provider = files +auth_provider = krb5 +krb5_realm = CERN.CH +krb5_server = cerndc.cern.ch -[domain/CERN] -# Support for old user id < 1000 ; WARN may conflict with system users. -# min_id = 101 -# max_id = 4294967294 +[domain/CERN.CH] id_provider = ldap ignore_group_members = True access_provider = ldap ldap_schema = AD ldap_initgroups_use_matching_rule_in_chain = True + ldap_uri = ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389, ldap://xldap.cern.ch:389 ldap_referrals = False @@ -35,14 +31,10 @@ ldap_user_object_class = person ldap_user_name = sAMAccountName ldap_user_home_directory = unixHomeDirectory -ldap_user_principal = extensionAttribute4 - ldap_group_search_base = OU=Unix,OU=Workgroups,DC=cern,DC=ch ldap_group_search_scope = one ldap_group_object_class = group -# allow users - # Allowing users * : (&(objectClass=user) (cn=*)) ldap_access_filter = (&(objectClass=user) (cn=*)) -- GitLab From 7d6db0e8e3b5f58f43d7f43cd319b7fd6b85f2d0 Mon Sep 17 00:00:00 2001 From: Ben Morrice Date: Wed, 6 Jul 2022 15:12:36 +0200 Subject: [PATCH 08/10] s/wget/curl/ in account-mgmt doc --- docs/docs/account-mgmt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md index 91a9c5da..9995a752 100644 --- a/docs/docs/account-mgmt.md +++ b/docs/docs/account-mgmt.md @@ -95,7 +95,7 @@ ldap_tls_cacertdir = /etc/openldap/cacerts You can install it by following this recipe as root :
        -# wget http://linux.web.cern.ch/docs/sssd.conf.example -O /etc/sssd/sssd.conf
        +# curl -o /etc/sssd/sssd.conf https://linux.web.cern.ch/docs/sssd.conf.example
         # chown root:root /etc/sssd/sssd.conf
         # chmod 0600 /etc/sssd/sssd.conf
         # restorecon /etc/sssd/sssd.conf
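Review bot: the move to HTTPS is right, but `curl -o /etc/sssd/sssd.conf URL` writes whatever the server returns, including a 404 or redirect page, straight into the live config; add `--fail` (and `-sS` so real errors stay visible) so a failed download does not replace sssd.conf with HTML that sssd then refuses to parse. The recipe also still hard-codes /etc/sssd/sssd.conf although PATCH 03 now recommends /etc/sssd/conf.d/ on CS8 and newer; either mention the conf.d variant here or say this recipe is for the main file. Minor: the file is created with the default umask before the `chmod 0600`, so a `umask 077` in front of the curl (or `install -m 0600`) closes the short world-readable window; the example holds no secrets, but the recipe is copied verbatim.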
        -- 
        GitLab
        
        
        From 41c32d1eeb668af20495411e423957c72083a8e8 Mon Sep 17 00:00:00 2001
        From: Ben Morrice 
        Date: Wed, 6 Jul 2022 15:17:04 +0200
        Subject: [PATCH 09/10] HTML formatting
        
        ---
         docs/docs/account-mgmt.md | 1 +
         1 file changed, 1 insertion(+)
        
        diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
        index 9995a752..8484a1c6 100644
        --- a/docs/docs/account-mgmt.md
        +++ b/docs/docs/account-mgmt.md
        @@ -37,6 +37,7 @@ The /etc/sssd/sssd.conf configuration describes the CERN configuration.
         

        Note on CS8 and newer, it's possible that the package 'cern-krb5-conf' is installed. This package provides a base minimum for kerberos configuration, but the example below is more feature complete +

        If you are using CS8 or newer, you may want to consider deploying configuration into a separate file in /etc/sssd/conf.d/ rather than using /etc/sssd/sssd.conf to avoid conflicts with the 'cern-krb5-conf' package.

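Review bot: the inserted line break separates the two sentences, but the first still ends without a full stop ("... more feature complete" followed directly by "If you are using"), and "Note on CS8 and newer, it's possible that" still reads awkwardly; since this commit is titled "HTML formatting", finishing the punctuation here ("... is more feature complete." and "Note that on CS8 and newer the package ... may be installed.") and capitalising "Kerberos" would close the issue rather than leave it for another tweak.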
        -- 
        GitLab
        
        
        From 5b4adcbbe4cd7a851476ba67096f555367850868 Mon Sep 17 00:00:00 2001
        From: Ben Morrice 
        Date: Wed, 6 Jul 2022 15:21:02 +0200
        Subject: [PATCH 10/10] Final config formatting tweak
        
        ---
         docs/docs/account-mgmt.md   | 4 ++--
         docs/docs/sssd.conf.example | 4 ++--
         2 files changed, 4 insertions(+), 4 deletions(-)
        
        diff --git a/docs/docs/account-mgmt.md b/docs/docs/account-mgmt.md
        index 8484a1c6..4b8c6378 100644
        --- a/docs/docs/account-mgmt.md
        +++ b/docs/docs/account-mgmt.md
        @@ -42,8 +42,8 @@ If you are using CS8 or newer, you may want to consider deploying configuration
         
         
         [sssd]
        -    services = nss, pam
        -    domains = LOCAL_CERN.CH, CERN.CH
        +services = nss, pam
        +domains = LOCAL_CERN.CH, CERN.CH
         
         [domain/LOCAL_CERN.CH]
         id_provider = files
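Review bot: the dedent is correct and matches the rest of the `[sssd]` block, but this is the third commit in the series touching these two lines (PATCH 01 introduced the indentation, PATCH 07 copied it into sssd.conf.example), and the doc page and the example file now carry the same configuration maintained by hand; consider having the page include or link sssd.conf.example instead of duplicating its content, so the two cannot drift apart again. Squashing this fix into PATCH 01 would also keep `git blame` on these lines meaningful.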
        diff --git a/docs/docs/sssd.conf.example b/docs/docs/sssd.conf.example
        index f8d2e24f..713272d2 100644
        --- a/docs/docs/sssd.conf.example
        +++ b/docs/docs/sssd.conf.example
        @@ -4,8 +4,8 @@
         # man sssd.conf
         
         [sssd]
        -    services = nss, pam
        -    domains = LOCAL_CERN.CH, CERN.CH
        +services = nss, pam
        +domains = LOCAL_CERN.CH, CERN.CH
         
         [domain/LOCAL_CERN.CH]
         id_provider = files
        -- 
        GitLab