Sssd


Clear the SSSD cache

# Invalidate every cached entry (-E = everything) so the next lookup goes back to LDAP.
sss_cache -E

Accept any LDAP server certificate (this turns off TLS certificate verification)

# Accept the LDAP server's TLS certificate without verifying it: a forged or
# substituted server is accepted too, so keep this to troubleshooting sessions.
# Put it back to "demand" once the issuing CA is available in ldap_tls_cacertdir.
ldap_tls_reqcert = never

Enable libldap debug output

# Debug level passed to the libldap library; -1 switches on every debug
# category and is very verbose. The output may contain directory data, so
# remove this setting again when the investigation is finished.
ldap_library_debug_level = -1
1. SSSD status:
# Service-level checks. $SSSD_DOMAIN and $SSSD_USER stand for the domain name
# from sssd.conf (here: LDAP) and the user being investigated.
sssctl domain-list                # List available domains
sssctl domain-status $SSSD_DOMAIN # Print information about domain (online/offline, active servers)
sssctl user-checks $SSSD_USER     # Print information about a user and check authentication
2. Information about cached content:
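# Inspect what SSSD currently has cached for a user or a group.
sssctl user-show $SSSD_USER       # Information about cached user
sssctl group-show $SSSD_GROUP     # Information about cached group (takes a group name, not a user)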
3. Local data tools:
# Invalidate cached objects; select what to expire with -E (everything),
# -u USER or -g GROUP (see sssctl cache-expire --help).
sssctl cache-expire       # Invalidate cached objects
4. Log file tools:
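# Log handling. The archive can contain user, host and directory details, so
# treat the tarball as sensitive when sharing it.
sssctl logs-remove                # Remove existing SSSD log files
sssctl logs-fetch sssd-logs.tar   # Archive SSSD log files in tarball (destination file is required)
sssctl debug-level                # Change SSSD debug level; pass the new level (0-9) as argument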
5. Configuration file tools:
# Run after every edit of sssd.conf: reports unknown options and
# wrong file ownership/permissions before the service is restarted.
sssctl config-check       # Perform static analysis of SSSD configuration
6. Certificate-related tools:
# Both commands take the base64-encoded certificate as their argument.
sssctl cert-show          # Print information about the certificate
sssctl cert-map           # Show users mapped to the certificate

Install SSSD

# SSSD with the LDAP backend and the sssctl tooling used above, plus
# oddjob-mkhomedir so home directories are created at first login.
dnf install \
    sssd-common \
    sssd-ldap \
    sssd-tools \
    oddjob-mkhomedir
# oddjobd has to be running for the mkhomedir PAM module to do its work.
systemctl enable --now oddjobd.service

Enable SSSD as the identity and authentication source for logins, with automatic home-directory creation.

# --force overwrites the current nsswitch.conf/PAM configuration without
# asking; check the result with `authselect current` before logging out.
authselect select sssd with-mkhomedir --force

sssd.conf

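# /etc/sssd/sssd.conf -- read by SSSD. The file must be owned by root with
# mode 0600, otherwise sssd refuses to start (sssctl config-check reports this).
[sssd]
config_file_version = 2
# Responders to start: nss for identity lookups, pam for authentication.
services = nss, pam
reconnection_retries = 3
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
# Raise only while troubleshooting; level 9 is very verbose.
#debug_level = 9

[nss]
# Never answer for root from the directory, so local root keeps working
# even when LDAP is unreachable or compromised.
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldaps:// is TLS from the first byte; ldap_id_use_start_tls only comes into
# play if this is ever changed to a plain ldap:// URI.
ldap_uri = ldaps://www.halfface.se
ldap_id_use_start_tls = True
ldap_search_base = dc=halfface,dc=se
# Verify the server certificate against the CA(s) in ldap_tls_cacertdir.
# "never" (the debugging value used elsewhere on this page) disables
# verification and leaves the TLS channel open to a man-in-the-middle;
# the issuing CA must be present in ldap_tls_cacertdir for "demand" to work.
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
# Allow logins from the local cache when the directory is unreachable
# (credentials are cached hashed).
cache_credentials = True
# krb5_* settings are consumed by the krb5 providers; with the ldap providers
# configured above they appear unused -- confirm before relying on them.
krb5_realm = HALFFACE.SE
krb5_server = www.halfface.se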