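# sssd.conf template — LDAP identity, authentication, sudo and host access
# control. {{var}} placeholders are filled by the deployment templating step;
# the rendered file contains a bind password and must be installed root:root
# with mode 0600 (sssd refuses to start when sssd.conf is world-readable).

[sssd]
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# Connection
# ldaps:// gives TLS from the first byte. ldap_id_use_start_tls only matters
# for ldap:// URIs; it is kept so the channel stays encrypted if the URI is
# ever changed to plain ldap://.
ldap_uri = ldaps://{{ldap_host}}
ldap_search_base = {{ldap_base_dn}}
ldap_id_use_start_tls = true
# Server certificate is validated against this bundle (sssd default
# ldap_tls_reqcert = hard). The system-wide bundle trusts every public CA;
# pointing this at the organisation's own CA certificate narrows who can
# impersonate the directory server.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Bind account used for lookups. Give it read-only rights on the people,
# groups and sudoers subtrees; the password is stored in clear text here,
# so the file permissions above are the only thing protecting it.
ldap_bind_dn = {{ldap_bind_dn}}
ldap_bind_pw = {{ldap_bind_password}}

# Sudo settings
sudo_provider = ldap
ldap_sudo_search_base = {{ldap_base_dn}}
# Filter for sudo access: global host_admin OR host-specific admin.
# Uses the same {{current_host}} / {{ldap_base_dn}} placeholders as the
# access filter below so both are rendered from one source of truth
# (a single-brace {hostname} and a hard-coded base DN would not be templated).
# NOTE(review): this filter is applied to the sudoRole entries sssd downloads;
# confirm those entries actually carry memberOf, otherwise no rules match.
ldap_sudo_search_filter = (|(memberOf=cn=host_admin,ou=groups,{{ldap_base_dn}})(memberOf=cn=host_{{current_host}}_admin,ou=groups,{{ldap_base_dn}}))
# seconds between full / incremental sudo rule downloads
ldap_sudo_full_refresh_interval = 900
ldap_sudo_smart_refresh_interval = 300

# Access control: only allow users in host_access or host-specific access group.
# Only the filter is evaluated; consider adding "expire" to ldap_access_order
# if the directory sets account expiry, so expired accounts are also denied.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberof=cn=host_access,ou=groups,{{ldap_base_dn}})(memberof=cn=host_{{current_host}}_access,ou=groups,{{ldap_base_dn}}))

# Mapping
ldap_user_search_base = ou=people,{{ldap_base_dn}}
ldap_group_search_base = ou=groups,{{ldap_base_dn}}
ldap_user_member_of = memberOf

# Cache settings
# Booleans are case-insensitive in sssd; lowercase is used throughout.
# cache_credentials keeps a hash of the last successful password in sssd's
# local cache so users can log in while the directory is unreachable; this
# also means the host's disk holds credential material worth protecting.
cache_credentials = true
# Full user/group enumeration is expensive on large directories; leave off.
enumerate = false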