30.4.2.2. LDAP Domain Example
The LDAP configuration is very flexible, depending on your specific environment and the SSSD behavior. These are some common examples of an LDAP domain, but the SSSD configuration is not limited to these examples.
Note
Along with creating the domain entry, add the new domain to the list of domains for SSSD to query in the sssd.conf file. For example:
domains = LOCAL,LDAP1,AD,PROXYNIS
Example 30.1. A Basic LDAP Domain Configuration
An LDAP domain requires three things:
- An LDAP server
- The search base
- A way to establish a secure connection
The last item depends on the LDAP environment. SSSD requires a secure connection since it handles sensitive information. This connection can be a dedicated TLS/SSL connection or it can use Start TLS.
Using a dedicated TLS/SSL connection simply uses an LDAPS connection to connect to the server and is therefore set as part of the ldap_uri option:
# An LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
Using Start TLS requires a way to input the certificate information to establish a secure connection dynamically over an insecure port. This is done by setting the ldap_id_use_start_tls option to enable Start TLS and then the ldap_tls_cacert option to identify the CA certificate which issued the SSL server certificates.
# An LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
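The LDAPS and Start TLS requirements above can be checked mechanically. The following is an added example, not part of the original guide or of SSSD: it audits every LDAP domain in an sssd.conf for the three required items and for membership in the domains list. The function name audit_ldap_domains and the sample configuration are constructed for illustration; the ldap_tls_reqcert check goes beyond the text and assumes the values never and allow, which do not enforce server certificate validation.

```python
import configparser

# Constructed sample: LDAP1 uses LDAPS, LDAP2 Start TLS, LDAP3 is plaintext and unlisted.
SAMPLE = """
[sssd]
domains = LDAP1,LDAP2
[domain/LDAP1]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
[domain/LDAP2]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
[domain/LDAP3]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
"""

def audit_ldap_domains(text):
    """Return {domain: [findings]} for each id_provider = ldap domain."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    listed = {d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")}
    report = {}
    for section in cfg.sections():
        dom = cfg[section]
        if not section.startswith("domain/") or dom.get("id_provider", "").lower() != "ldap":
            continue
        name, findings = section[len("domain/"):], []
        if name not in listed:
            findings.append("not listed in [sssd] domains")
        if not dom.get("ldap_search_base"):
            findings.append("ldap_search_base missing")
        uris = [u.strip().lower() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        # Any URI that is not ldaps:// needs Start TLS plus a CA certificate to verify against.
        if not uris or not all(u.startswith("ldaps://") for u in uris):
            if dom.get("ldap_id_use_start_tls", "false").lower() != "true":
                findings.append("ldap:// without ldap_id_use_start_tls = true")
            elif not dom.get("ldap_tls_cacert"):
                findings.append("Start TLS without ldap_tls_cacert")
        if dom.get("ldap_tls_reqcert", "").lower() in ("never", "allow"):
            findings.append("ldap_tls_reqcert never/allow: bad server certificate is accepted")
        report[name] = findings
    return report
```

Calling audit_ldap_domains(SAMPLE) returns empty finding lists for LDAP1 and LDAP2 and four findings for LDAP3; pass it the text of the real sssd.conf to audit a host.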