Sssd
clear cache
# Invalidate all cached entries so the next lookup is fetched from the backend again.
sss_cache -E
Skip LDAP server certificate validation (troubleshooting only)
# "never" turns off verification of the LDAP server's TLS certificate, so the
# client cannot tell the real server from an impostor on the network path.
# Use it only briefly to confirm that a failure is certificate-related, then
# restore validation (e.g. demand) with ldap_tls_cacert or ldap_tls_cacertdir
# pointing at the issuing CA.
ldap_tls_reqcert = never
debug ldap
# -1 switches on all libldap debug output (default 0 = off), independent of
# debug_level. The output is very verbose and may include directory data, so
# set it back to 0 once the problem is found and protect the resulting logs.
ldap_library_debug_level = -1
- SSSD Status:
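# One command per line: collapsed onto a single line, everything after the
# first "#" is a comment and only the first command would run.
sssctl domain-list # List available domains
sssctl domain-status "$SSSD_DOMAIN" # Print information about domain
sssctl user-checks "$SSSD_USER" # Print information about a user and check authentication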
- Information about cached content:
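# One command per line: collapsed onto a single line, the second command was
# swallowed by the first command's trailing comment.
sssctl user-show "$SSSD_USER" # Information about cached user
sssctl group-show "$SSSD_USER" # Information about cached group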
- Local data tools:
# NOTE(review): presumably needs an object selector as sss_cache does
# (e.g. -E for everything) - confirm with sssctl cache-expire --help.
sssctl cache-expire # Invalidate cached objects
- Log files tools:
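# One command per line: collapsed onto a single line, only logs-remove would run.
# Removed logs are not recoverable; archive them with logs-fetch first if they
# may still be needed for troubleshooting or an investigation.
sssctl logs-remove # Remove existing SSSD log files
sssctl logs-fetch # Archive SSSD log files in tarball
sssctl debug-level # Change SSSD debug level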
- Configuration files tools:
# Run after every edit of sssd.conf and before restarting sssd.
sssctl config-check # Perform static analysis of SSSD configuration
- Certificate related tools:
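# One command per line: collapsed onto a single line, cert-map was swallowed
# by the trailing comment of cert-show.
sssctl cert-show # Print information about the certificate
sssctl cert-map # Show users mapped to the certificate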
Install sssd
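# Install the SSSD LDAP backend, its tools and the home-directory helper.
# Kept as two commands: collapsed onto one line, dnf would treat "systemctl",
# "enable" and "oddjobd.service" as package names.
dnf install sssd-common oddjob-mkhomedir sssd-ldap sssd-tools
# oddjobd must be running for home directories to be created at login.
systemctl enable --now oddjobd.service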
Enable sssd as source for login.
# Selects the sssd profile with the with-mkhomedir feature (home directory
# created at first login). --force writes the profile even when the existing
# PAM/nsswitch files were edited by hand, replacing those edits; review them
# before running this.
authselect select sssd with-mkhomedir --force
sssd.conf
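# sssd.conf - SSSD with one LDAP domain used for identity lookups,
# authentication and password changes.
# SSSD expects this file to be readable only by its owner
# (traditionally root, mode 0600).
# Comments must sit on their own line; text after a value is read as part
# of the value.

[sssd]
config_file_version = 2
services = nss, pam
reconnection_retries = 3
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
# Uncomment for very verbose logging while troubleshooting; comment it out
# again afterwards.
#debug_level = 9

[nss]
# root is never resolved through SSSD, so it stays a purely local account.
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://www.halfface.se
ldap_search_base = dc=halfface,dc=se
# NOTE(review): the ldaps:// URI is already TLS from connect, so StartTLS is
# presumably redundant here - confirm before removing.
ldap_id_use_start_tls = True
# Stores password hashes in the local SSSD cache so users can log in while
# the LDAP server is unreachable; keep the cache directory root-only.
cache_credentials = True
# NOTE(review): the krb5_* settings look unused while auth_provider = ldap and
# no SASL/GSSAPI mechanism is configured - confirm.
krb5_realm = HALFFACE.SE
krb5_server = www.halfface.se
ldap_tls_cacertdir = /etc/openldap/cacerts
# Validate the server certificate against the CA certificates in
# ldap_tls_cacertdir. With auth_provider = ldap the user's password is sent
# to the server in an LDAP bind, so setting this to "never" would let an
# impostor on the network path receive it. If the server uses a private CA,
# install that CA certificate in the directory above instead of disabling
# the check.
ldap_tls_reqcert = demand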