Commit 4369fbd6 authored by John Harris's avatar John Harris

change sssd to add filtering by group

parent cc439615
## /etc/sssd/sssd.conf 21jun2018 0820
## comments for info and potential use
[sssd]
config_file_version = 2
services = nss, pam
......@@ -9,48 +11,51 @@ id_provider = ldap
auth_provider = ldap
access_provider = ldap
# access permit settings
## access permit settings
ldap_access_order = filter
ldap_access_filter = (uid=*)
ldap_access_filter = (memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com)
##ldap_access_filter = (|(memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com) (memberOf=CN=LinuxUser,OU=Security,OU=Groups,DC=cablelabs,DC=com))
# uri
## uri
ldap_uri = ldaps://cablelabs.com:636
# general search base
## general search base
##ldap_search_base = OU=IT,OU=Employees,OU=Internal,OU=community,dc=cablelabs,dc=com
ldap_search_base = dc=cablelabs,dc=com
##ldap_search_base = dc=cablelabs,dc=com?sub?|(&(objectclass=person) (memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com))
# bind details
## bind details
ldap_default_bind_dn = CN=zz_LDAP,CN=users,dc=cablelabs,dc=REDACTED
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_default_authtok = REDACTED
# tls disable
#ldap_id_use_start_tls = false
#ldap_tls_reqcert = never
## tls disable
##ldap_id_use_start_tls = false
##ldap_tls_reqcert = never
# use tls for ldaps
## use tls for ldaps
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/sssd/ad.cert
ldap_tls_cacertdir = /etc/sssd
# ldap general items
## ldap general items
ldap_id_mapping = false
ldap_schema = rfc2307bis
ldap_referrals = false
# cache and enumeraion
## cache and enumeraion
##cache_credentials = true
cache_credentials = false
enumerate = true
debug_level = 5
# user details
## user details
##ldap_user_search_base = OU=IT,OU=Employees,OU=Internal,OU=community,dc=cablelabs,dc=com
ldap_user_search_base = dc=cablelabs,dc=com
##ldap_user_search_base = dc=cablelabs,dc=com
ldap_user_search_base = dc=cablelabs,dc=com?sub?|(memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com)
##ldap_user_search_base = dc=cablelabs,dc=com?sub?|(|(memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com) (memberOf=CN=LinuxUser,OU=Security,OU=Groups,DC=cablelabs,DC=com))
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
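Review bot: The new `ldap_user_search_base` line `dc=cablelabs,dc=com?sub?|(memberOf=...)` carries a bare `|` in front of the filter; sssd's search-base form is `base?scope?filter` with a fully parenthesised LDAP filter, and as far as I can tell sssd combines it with its own object-class filter as `(&...filter)`, so the stray `|` produces a malformed filter and the user lookup fails rather than narrowing to the group — it should read `ldap_user_search_base = dc=cablelabs,dc=com?subtree?(memberOf=CN=LinuxAccess,OU=Security,OU=Groups,DC=cablelabs,DC=com)`. The commented two-group variant on the following line and the commented `ldap_access_filter` alternative earlier in the hunk have the same leading `|` plus a space between the two terms; the OR form is `(|(memberOf=...)(memberOf=...))` with no whitespace, and note that AD `memberOf` only reflects direct membership, so nested groups would not match. Separately, `ldap_tls_reqcert = allow` (unchanged here) lets the session continue when the server presents no or an unverifiable certificate, which exposes the `ldap_default_bind_dn` credential and every user authentication to an impersonating server; since `ldap_tls_cacert` is already configured, `ldap_tls_reqcert = demand` is the setting that actually enforces it. The bind password stays in clear text in this file, so the file must remain root-owned 0600 and should not be committed unredacted; `ldap_default_authtok_type = obfuscated_password` with `sss_obfuscate` hides it from casual reading but is not encryption.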
......@@ -58,7 +63,7 @@ ldap_group_gid_number=gidNumber
ldap_user_uid_number=uid
ldap_user_principal = userPrincipalName
# group details
## group details
ldap_group_search_base = OU=Security,OU=Groups,dc=cablelabs,dc=com
ldap_group_object_class = group
ldap_group_name=cn