System Security Services Daemon (SSSD)
Note
To clear the cache
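# Wipe SSSD's on-disk cache (db) and fast memory cache (mc), then bring it back.
# Each step is chained with && so the cache is never deleted under a running
# daemon and SSSD is not restarted after a failed removal; `rm -f` keeps an
# empty cache directory from aborting the chain. With cache_credentials = true
# this also discards cached credentials, so offline logins need a fresh online
# authentication afterwards.
systemctl stop sssd && rm -f /var/lib/sss/db/* /var/lib/sss/mc/* && systemctl start sssd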
(root) /etc/sssd # cat sssd.conf
# /etc/sssd/sssd.conf as captured on the test host; read by sssd(8).
# Comments in this file are full-line `#` only (sssd does not parse inline comments).
# The file carries a bind credential, so SSSD expects it to be root-owned and
# unreadable by others (0600) — check this whenever it is copied around.
[sssd]
# monitor-process log verbosity; see debug_level in sssd.conf(5)
debug_level = 3
config_file_version = 2
reconnection_retries = 3
# responders to start: name-service and PAM only
services = nss, pam
# must match the [domain/...] header further down
domains = Pandora
# NSS responder: serves passwd/group lookups from the cache and the domain.
[nss]
debug_level = 3
reconnection_retries = 3
# Accounts and groups that are never looked up through SSSD; they resolve from
# local files only. Keeping root (and the other system accounts) here means a
# directory outage or a directory-side entry named "root" cannot affect them.
filter_users = backup,bastiontest,bastionprod,bastionmgmt,bin,colord,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,news,nobody,ntp,pcp,pollinate,postfix,postgres,proxy,redis,root,snmp,ssh_authkey,sshd,statd,sync,sys,syslog,uucp,www-data
filter_groups = adm,admin,audio,backup,bin,cdrom,colord,crontab,daemon,dialout,dip,disk,fax,floppy,fuse,games,gnats,incron,irc,kmem,libuuid,list,lp,mail,man,messagebus,mlocate,nac,netdev,news,nobody,nogroup,ntp,operator,pcp,plugdev,postdrop,postfix,postgres,proxy,redis,root,sasl,scanner,shadow,snmp,src,ssh,ssh_authkey,ssl-cert,staff,stapdev,stapsys,stapusr,sudo,sys,syslog,tape,tty,users,utempter,utmp,uucp,video,voice,www-data
# PAM responder: only logging and reconnection are overridden here; offline
# login and credential-cache behaviour stay at the sssd.conf(5) defaults.
[pam]
debug_level = 3
reconnection_retries = 3
# The single identity/authentication domain, backed by an Active Directory
# forest queried through the generic LDAP provider (ldap_schema = ad below).
[domain/Pandora]
debug_level = 3
# identity and authentication both come from the directory
id_provider = ldap
auth_provider = ldap
# keep a local copy of credentials so users can log in while the directory is
# unreachable; the copy lives in the cache wiped by the command at the top of
# this page
cache_credentials = true
# subsystems this host does not use are switched off explicitly
autofs_provider = none
chpass_provider = none
hostid_provider = none
selinux_provider = none
subdomains_provider = none
sudo_provider = none
# resolve the directory host over IPv4 only
lookup_family_order = ipv4_only
# Plain ldap:// (port 389). NOTE(review): ldap_id_use_start_tls is not set in
# this capture (it defaults to false), so identity lookups — and the bind
# credential below — are presumably sent without TLS; SSSD enforces TLS only
# for authentication binds. Confirm how the channel is protected before this
# leaves the test environment.
ldap_uri = ldap://directory.pandora.test.netflix.net
ldap_search_base = OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
# Earlier search bases pointing at the "unstable" OU, kept for reference only.
#ldap_user_search_base = OU=netflix.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=netflixcontractors.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
#ldap_group_search_base = OU=Groups,OU=netflix.com,OU=unstable,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
# Two bases each (employees and contractors). Per sssd.conf(5) a multi-base
# value is written base?scope?filter?base?scope?filter; the empty scope and
# filter fields are what produce the "???" and trailing "??" runs — they are
# not a paste error.
ldap_user_search_base = OU=Users,OU=netflix.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=Users,OU=netflixcontractors.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
ldap_group_search_base = OU=Groups,OU=netflix.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net???OU=Groups,OU=netflixcontractors.com,OU=test,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net??
# Service account used for the identity lookups. The authtok is the output of
# sss_obfuscate(8): a reversible obfuscation, not encryption, so it only stops
# casual reading — the file permissions are the real protection.
ldap_default_bind_dn = CN=svc-ldapauth,OU=Users,OU=Pandora,DC=directory,DC=pandora,DC=test,DC=netflix,DC=net
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAgAK1zbJf87C5QHLbpqh1FJ6QkNeyDXXZdXX6j7j4Hfn+xub+qmePGV4jQenFfXiUBeB99x9vsbQMnSvHRiu8NR4knBC7ijA/XCIXVgaBgYwucAAECAw==
# attribute map: login names (users and groups) come from adminDisplayName
# rather than the usual sAMAccountName; home directories from unixHomeDirectory
ldap_user_name = adminDisplayName
ldap_user_home_directory = unixHomeDirectory
ldap_group_name = adminDisplayName
# AD schema, but with POSIX uidNumber/gidNumber taken from the directory
# instead of IDs derived from SIDs (ldap_id_mapping = false)
ldap_schema = ad
ldap_id_mapping = false
# 0 disables the periodic purge of expired cache entries
ldap_purge_cache_timeout = 0
# do not chase AD referrals
ldap_referrals = false
# group membership is read from the group objects only: no tokenGroups
# lookups and no nested-group expansion
ldap_use_tokengroups = false
ldap_group_nesting_level = 0
# NOTE(review): no access_provider appears in this capture, and sssd's default
# is "permit"; under that default the two ldap_access_* settings below have no
# effect, so expired/disabled AD accounts would still be allowed in. Confirm
# against the live file whether access_provider = ldap is set.
ldap_access_order = expire
ldap_account_expire_policy = ad
# skip fetching member lists when a group is resolved (lookups stay cheap)
ignore_group_members = true
ldap_schema can be set to "rfc2307", which stores group member names in the "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in the "member" attribute. If you do not know this value, ask your LDAP administrator. (The Pandora capture above uses ldap_schema = ad, the Active Directory variant.)
ldap_schema = rfc2307
ldap_tls_reqcert = never
never = The client will not request or check any server certificate.
allow = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
try = The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
demand = The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
hard = Same as "demand"
Default: hard
ldap_tls_cacert (string) Specifies the file that contains certificates for all of the Certificate Authorities that sssd will recognize. Default: use OpenLDAP defaults, typically in /etc/openldap/ldap.conf
# Separate example for another domain (wdm.local), not part of the Pandora
# capture above; the source had it collapsed onto a single line.
# Attribute map for a stock AD schema keyed on sAMAccountName.
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_gid_number = gidNumber
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
# Asks SSSD to download the whole user and group set; sssd.conf(5) advises
# against this on larger directories.
enumerate = True
# Plaintext bind credential in the file ("secret" is a placeholder here);
# the Pandora capture uses obfuscated_password instead, and either way the
# file must stay root-only.
ldap_default_authtok_type = password
ldap_default_authtok = secret
# Looks like a UPN-style bind name whose "@" was mangled to "(a)" — verify
# before reusing.
ldap_default_bind_dn = LDAP(a)wdm.local