
System Security Services Daemon (SSSD)

Note

To clear the SSSD cache:
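# Stop sssd before wiping its on-disk caches, and chain with && so a failed
# stop does not delete the db/mc files out from under a running daemon.
# rm -f keeps an empty directory (unexpanded glob) from aborting the chain.
# /var/lib/sss/db also holds cached (hashed) credentials, so this is where
# stale offline logins are discarded as well.
systemctl stop sssd && rm -f /var/lib/sss/db/* /var/lib/sss/mc/* && systemctl start sssd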

(root) /etc/sssd # cat sssd.conf
[sssd]
# Monitor section: which responders run and which domain section they serve.
# debug_level is sssd's numeric verbosity (see sssd.conf(5)); 3 is used in
# every section of this file.
debug_level = 3
config_file_version = 2
reconnection_retries = 3
# Only the NSS and PAM responders are started (no sudo/ssh/autofs responders).
services = nss, pam
# Refers to the [domain/Pandora] section below.
domains = Pandora


[nss]
debug_level = 3
reconnection_retries = 3
# Comma-separated local accounts that are never looked up in the directory,
# so they resolve from /etc/passwd and /etc/group only. Keeping root (and the
# other system accounts) here means the directory cannot supply an entry
# that shadows a local one.
filter_users = backup,bastiontest,bastionprod,bastionmgmt,bin,colord,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,news,nobody,ntp,pcp,pollinate,postfix,postgres,proxy,redis,root,snmp,ssh_authkey,sshd,statd,sync,sys,syslog,uucp,www-data
# Same idea for groups; note that privilege-bearing groups (sudo, shadow,
# disk, adm, staff) are in the list.
filter_groups = adm,admin,audio,backup,bin,cdrom,colord,crontab,daemon,dialout,dip,disk,fax,floppy,fuse,games,gnats,incron,irc,kmem,libuuid,list,lp,mail,man,messagebus,mlocate,nac,netdev,news,nobody,nogroup,ntp,operator,pcp,plugdev,postdrop,postfix,postgres,proxy,redis,root,sasl,scanner,shadow,snmp,src,ssh,ssh_authkey,ssl-cert,staff,stapdev,stapsys,stapusr,sudo,sys,syslog,tape,tty,users,utempter,utmp,uucp,video,voice,www-data


[pam]
# PAM responder: nothing beyond logging and retry count is tuned here.
debug_level = 3
reconnection_retries = 3


[domain/Pandora]
# Identity and authentication both come from the AD-schema LDAP directory
# configured below.
debug_level = 3
id_provider = ldap
auth_provider = ldap
# Hashed credentials are kept in the local cache (/var/lib/sss/db, the
# directory the cache-clearing command at the top of this page wipes) so
# logins keep working while the directory is unreachable; that directory is
# therefore sensitive data.
cache_credentials = true

# Providers this domain does not use are disabled explicitly rather than
# left to inherit from id_provider.
autofs_provider = none
chpass_provider = none
hostid_provider = none
selinux_provider = none
subdomains_provider = none
sudo_provider = none
lookup_family_order = ipv4_only

# NOTE(review): plain ldap:// and no ldap_id_use_start_tls / ldap_tls_cacert
# keys appear in this file, so identity lookups bound as svc-ldapauth may
# travel without transport encryption - confirm whether StartTLS or ldaps://
# is expected for this directory. ldap_tls_reqcert is not set either, so the
# documented default (hard) applies.
ldap_uri = ldap://directory.pandora.test.netflix.net
# Default base; the per-object bases below override it for users and groups.
ldap_search_base = OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
# Earlier bases pointing at the "unstable" OU, kept for reference.
#ldap_user_search_base = OU=netflix.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=netflixcontractors.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
#ldap_group_search_base = OU=Groups,OU=netflix.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
# Two bases each (the netflix.com and netflixcontractors.com OUs) in sssd's
# base?scope?filter?base?scope?filter form; the runs of "?" are empty scope
# and filter fields, not garbling.
ldap_user_search_base = OU=Users,OU=netflix.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=Users,OU=netflixcontractors.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
ldap_group_search_base = OU=Groups,OU=netflix.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=Groups,OU=netflixcontractors.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
# Service account used for lookups. The token below is obfuscated
# (sss_obfuscate output), which is reversible rather than encrypted, so this
# file must remain readable by root only.
ldap_default_bind_dn = CN=svc-ldapauth,OU=Users,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAgAK1zbJf87C5QHLbpqh1FJ6QkNeyDXXZdXX6j7j4Hfn+xub+qmePGV4jQenFfXiUBeB99x9vsbQMnSvHRiu8NR4knBC7ijA/XCIXVgaBgYwucAAECAw==

# Attribute mapping: user and group names are taken from adminDisplayName
# rather than sAMAccountName - presumably deliberate for this directory;
# verify, since the login name is what PAM matches on.
ldap_user_name = adminDisplayName
ldap_user_home_directory = unixHomeDirectory
ldap_group_name = adminDisplayName
# AD attribute names, but POSIX uid/gid are read from the directory instead
# of being derived from SIDs (ID mapping off).
ldap_schema = ad
ldap_id_mapping = false
# 0 disables the periodic cache purge.
ldap_purge_cache_timeout = 0
ldap_referrals = false
ldap_use_tokengroups = false
ldap_group_nesting_level = 0
# Access control is limited to the account-expiry check, evaluated with AD
# semantics (disabled/expired accounts are refused).
ldap_access_order = expire
ldap_account_expire_policy = ad
# Group member lists are not populated on group lookups (a performance
# setting); a user's own memberships are still resolved.
ignore_group_members = true

ldap_schema can be set to "rfc2307", which stores group member names in the "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in the "member" attribute. If you do not know this value, ask your LDAP administrator.

ldap_schema = rfc2307

ldap_tls_reqcert = never

never = The client will not request or check any server certificate

allow = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.

try = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.

demand = The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.

hard = Same as "demand"

Default: hard

ldap_tls_cacert (string): Specifies the file that contains certificates for all of the Certificate Authorities that sssd will recognize. Default: use OpenLDAP defaults, typically in /etc/openldap/ldap.conf

# Reference attribute mapping for an AD-schema directory, collected from a
# separate example (it uses sAMAccountName as the login name, unlike the
# [domain/Pandora] section above, which uses adminDisplayName).
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
# Enumeration lets clients list every user and group; costly on large trees.
enumerate = True
# Example values only: a plaintext authtok of type "password". A deployed
# file should carry an obfuscated token (as in the live section above) and
# stay readable by root only.
ldap_default_authtok_type = password
ldap_default_authtok = secret
# "(a)" looks like a mangled "@" from the copy source - confirm before use.
ldap_default_bind_dn = LDAP(a)wdm.local

https://linux.die.net/man/5/sssd-ldap