Sssd: Difference between revisions
(2 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=debug ldap= | =debug ldap= | ||
ldap_library_debug_level = -1 | ldap_library_debug_level = -1 | ||
# SSSD Status: | |||
sssctl domain-list # List available domains | |||
sssctl domain-status $SSSD_DOMAIN # Print information about domain | |||
sssctl user-checks $SSSD_USER # Print information about a user and check authentication | |||
# Information about cached content: | |||
sssctl user-show $SSSD_USER # Information about cached user | |||
sssctl group-show $SSSD_USER # Information about cached group | |||
# Local data tools: | |||
sssctl cache-expire # Invalidate cached objects | |||
# Log files tools: | |||
sssctl logs-remove # Remove existing SSSD log files | |||
sssctl logs-fetch # Archive SSSD log files in tarball | |||
sssctl debug-level # Change SSSD debug level | |||
# Configuration files tools: | |||
sssctl config-check # Perform static analysis of SSSD configuration | |||
# Certificate related tools: | |||
sssctl cert-show # Print information about the certificate | |||
sssctl cert-map # Show users mapped to the certificate | |||
=Install sssd= | |||
dnf install sssd-common oddjob-mkhomedir sssd-ldap sssd-tools | |||
systemctl enable --now oddjobd.service | |||
Enable sssd as source for login. | |||
authselect select sssd with-mkhomedir --force | |||
==sssd.conf== | |||
[sssd] | |||
config_file_version = 2 | |||
services = nss, pam | |||
reconnection_retries = 3 | |||
# SSSD will not start if you do not configure any domains. | |||
# Add new domain configurations as [domain/<NAME>] sections, and | |||
# then add the list of domains (in the order you want them to be | |||
# queried) to the "domains" attribute below and uncomment it. | |||
domains = LDAP | |||
#debug_level = 9 | |||
[nss] | |||
filter_groups = root | |||
filter_users = root | |||
reconnection_retries = 3 | |||
[pam] | |||
reconnection_retries = 3 | |||
[domain/LDAP] | |||
auth_provider = ldap | |||
ldap_id_use_start_tls = True | |||
chpass_provider = ldap | |||
cache_credentials = True | |||
krb5_realm = HALFFACE.SE | |||
ldap_search_base = dc=halfface,dc=se | |||
id_provider = ldap | |||
ldap_uri = ldaps://www.halfface.se | |||
krb5_server = www.halfface.se | |||
ldap_tls_cacertdir = /etc/openldap/cacerts | |||
ldap_tls_reqcert = never |
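Review bot: `ldap_tls_reqcert = never` at the end of the [domain/LDAP] section switches off verification of the LDAP server's certificate, so the ldaps://www.halfface.se session that carries login credentials is not authenticated and `ldap_tls_cacertdir = /etc/openldap/cacerts` on the line above has no effect. The page lists the same value under "allow cert", so it looks deliberate, but it removes exactly the protection the ldaps scheme is meant to provide and is better kept as a temporary troubleshooting step. Once the issuing CA is placed in the cacertdir, change the line to `ldap_tls_reqcert = demand`, with a comment above it such as `# server certificate must verify against ldap_tls_cacertdir`. Separately, `ldap_id_use_start_tls = True` sits next to an ldaps:// URI; StartTLS applies to plain ldap:// connections, so that line presumably does nothing here — worth confirming against the sssd-ldap(5) man page.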
Latest revision as of 21:49, 26 November 2022
clear cache
sss_cache -E
allow cert
ldap_tls_reqcert = never
debug ldap
ldap_library_debug_level = -1
- SSSD Status:
# SSSD status checks; $SSSD_DOMAIN and $SSSD_USER stand for a domain name and a user name
sssctl domain-list # List available domains
sssctl domain-status $SSSD_DOMAIN # Print information about domain
sssctl user-checks $SSSD_USER # Print information about a user and check authentication
- Information about cached content:
# Inspect what SSSD currently holds in its cache
sssctl user-show $SSSD_USER # Information about cached user
# NOTE(review): group-show takes a group name; $SSSD_USER here presumably stands for a group — confirm
sssctl group-show $SSSD_USER # Information about cached group
- Local data tools:
sssctl cache-expire # Invalidate cached objects
- Log files tools:
# Log file handling; logs-remove deletes the existing logs, so run logs-fetch first if they are still needed
sssctl logs-remove # Remove existing SSSD log files
sssctl logs-fetch # Archive SSSD log files in tarball
sssctl debug-level # Change SSSD debug level
- Configuration files tools:
sssctl config-check # Perform static analysis of SSSD configuration
- Certificate related tools:
# Certificate-to-user mapping checks
sssctl cert-show # Print information about the certificate
sssctl cert-map # Show users mapped to the certificate
Install sssd
# SSSD core, LDAP provider and tools; oddjob-mkhomedir presumably supplies the home-directory helper used by the authselect with-mkhomedir feature below — confirm
dnf install sssd-common oddjob-mkhomedir sssd-ldap sssd-tools
# start oddjobd now and at every boot
systemctl enable --now oddjobd.service
Enable sssd as source for login.
authselect select sssd with-mkhomedir --force
sssd.conf
# sssd.conf — read by SSSD; '#' full-line comments only
[sssd]
config_file_version = 2
services = nss, pam
reconnection_retries = 3
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below (already set to LDAP here).
domains = LDAP
#debug_level = 9
[nss]
# keep the local root user and group out of SSSD lookups
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/LDAP]
auth_provider = ldap
# NOTE(review): ldap_uri below is ldaps://, so this StartTLS setting presumably has no effect here — confirm
ldap_id_use_start_tls = True
chpass_provider = ldap
# allow offline logins from cached credentials
cache_credentials = True
# NOTE(review): no provider in this section is set to krb5, so krb5_realm and krb5_server look unused — confirm
krb5_realm = HALFFACE.SE
ldap_search_base = dc=halfface,dc=se
id_provider = ldap
ldap_uri = ldaps://www.halfface.se
krb5_server = www.halfface.se
ldap_tls_cacertdir = /etc/openldap/cacerts
# WARNING: 'never' disables verification of the LDAP server certificate, so the
# ldaps:// session (and the credentials it carries) is not protected against a
# spoofed server and the cacertdir above is not used; once the issuing CA is in
# ldap_tls_cacertdir, set this to 'demand' and keep 'never' only for troubleshooting.
ldap_tls_reqcert = never