[Freeipa-users] sssd.conf - the server and host-client relationship

Lachlan Musicman datakid at gmail.com
Wed Sep 21 22:53:12 UTC 2016


My translations of your comments are inline; if you could correct them, I'd
appreciate that.

On 20 September 2016 at 17:11, Lukas Slebodnik <lslebodn at redhat.com> wrote:

> >----------------------
> >[domain/unixdev.etc]
> >ignore_group_members = True
> It was probably set as a result of performance tuning.
>
> >ldap_purge_cache_timeout = 0
> That's default since 1.13.0
>
> >subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> that's a specific option for sssd on an IPA server
>


I presume your comment suggests ignore_group_members is no longer needed,
and since the lpct=0 is now default, then subdomain_inherit is also
superfluous?



> >selinux_provider = none
> It was probably set as a workaround for a bug which has already been
> fixed.
>

We set this because of an error in libsemanage, but I think that was an
upstream (selinux) issue?
https://www.redhat.com/archives/freeipa-users/2016-July/msg00244.html

Not sure if I should disable just yet - was this fixed?


>
> >ipa_server_mode = True
> that's a specific option for sssd on an IPA server
>
>
I take it that this means it's still used.



> >sudo_provider = ldap
> >ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> >ldap_sasl_mech = GSSAPI
> >ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> >krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
> The previous 7 options are not required since sssd-1.10
>

Yep, I added those because the disconnect between the different info sources
made it hard to tell what was canonical, so I followed the Red Hat guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

mostly because I didn't quite understand the sssd-sudo man page (because
sometimes I find man pages obtuse), but also there was an inconsistency
between the local man page and the die.net mirror
https://linux.die.net/man/5/sssd-sudo and this howto
https://blog-rcritten.rhcloud.com/?p=52


> >
> >[sssd]
> >config_file_version = 2
> >domains = unixdev.etc
> >
> >[nss]
> >memcache_timeout = 600
> This option is set by ipa-*-install in ipa server mode.
>

These I will leave.

Cheers
L.
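As an added example that is not part of the thread: a small Python audit of an sssd.conf fragment mirroring the one quoted above, applying the version claims from Lukas's reply (the seven sudo/LDAP options not needed since sssd 1.10, ldap_purge_cache_timeout = 0 the default since 1.13.0) and flagging the two settings he describes as deliberate tuning or workarounds. Hostnames, DNs and the installed sssd version are constructed placeholders.

```python
import configparser

# Constructed sssd.conf mirroring the fragment quoted in the thread; hostnames
# and DNs are placeholders, not the poster's real values.
SAMPLE_CONF = """\
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://ipa.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/ipa.example.test
ldap_sasl_realm = EXAMPLE.TEST
krb5_server = ipa.example.test
"""

# option -> (value that makes it redundant, or None for any value; sssd version
# from which the thread says it is unneeded): the seven sudo/LDAP options since
# 1.10, ldap_purge_cache_timeout = 0 as the default since 1.13.0.
SUDO_OPTS = ("sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
             "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server")
REDUNDANT_SINCE = {o: (None, (1, 10)) for o in SUDO_OPTS}
REDUNDANT_SINCE["ldap_purge_cache_timeout"] = ("0", (1, 13))
# Settings the thread describes as deliberate, not defaults: keep, but note why.
REVIEW = {"ignore_group_members": "performance tuning, not a default",
          "selinux_provider": "workaround for a libsemanage bug; verify it is still needed"}


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def audit(conf_text, sssd_version):
    # Returns (removable, review) for options under [domain/*] sections only.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ver = parse_version(sssd_version)
    removable, review = [], []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for opt, val in cp.items(section):
            if opt in REDUNDANT_SINCE:
                want, since = REDUNDANT_SINCE[opt]
                if ver >= since and (want is None or val.strip() == want):
                    removable.append(opt)
            elif opt in REVIEW:
                review.append((opt, REVIEW[opt]))
    return removable, review
```

Run `audit(SAMPLE_CONF, "1.14.0")` to list the options the installed version no longer needs; ipa_server_mode and subdomain_inherit are left untouched because the thread describes them as server-specific, not redundant.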