wilpig/sssd.conf

## sssd.conf
# managed by CFEngine 3

[sssd]
config_file_version = 2
services = nss, pam
reconnection_retries = 3
domains = {{ansible_local.ad.domain|default('VANDERBILT')}}
sbus_timeout = 30
debug_level = 1

[nss]
reconnection_retries = 3
filter_groups = root
filter_users = apache,avahi,daemon,dbus,gdm,haldaemon,hpsmh,ldap,mysql,named,nobody,nrpe,ntp,oracle,rpc,rpcuser,root,smmsp
override_homedir = {{ansible_local.auth.method.homedir|default(homedir)}}/%u

[pam]
offline_credentials_expiration = 1

[domain/VANDERBILT]
entry_cache_timeout = 3600
cache_credentials = True
account_cache_expiration = 2

id_provider = ldap
access_provider = ldap

ldap_uri = ldap://ds.vanderbilt.edu
ldap_search_base = dc=ds,dc=vanderbilt,dc=edu
ldap_schema = rfc2307bis

ldap_default_bind_dn = cn={{ svc_username }},cn=users,dc=ds,dc=vanderbilt,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = {{ svc_password }}

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_force_upper_case_realm = True
ldap_group_object_class = group

ldap_tls_cacert = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ldap_id_use_start_tls = True

ldap_referrals = False
ldap_account_expire_policy = ad
ldap_access_order = expire

ldap_user_search_base = cn=users,dc=ds,dc=vanderbilt,dc=edu
ldap_group_search_base = ou=AI Unix,ou=Information Management,ou=Organizational Units,dc=ds,dc=vanderbilt,dc=edu

[domain/VUMC]
case_sensitive = false
entry_cache_timeout = 3600
cache_credentials = True
account_cache_expiration = 2

id_provider = ldap
access_provider = ldap

ldap_uri = ldap://ds.vumc.io
ldap_search_base = dc=ds,dc=vumc,dc=io
ldap_schema = rfc2307bis

ldap_default_bind_dn = cn={{ svc_username }},cn=users,dc=ds,dc=vumc,dc=io
ldap_default_authtok_type = password
ldap_default_authtok = {{ svc_password }}

ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_force_upper_case_realm = True
ldap_group_object_class = group

ldap_tls_cacert = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ldap_id_use_start_tls = True

ldap_referrals = False
ldap_account_expire_policy = ad
ldap_access_order = expire

ldap_user_search_base = cn=users,dc=ds,dc=vumc,dc=io
ldap_group_search_base = OU=Linux GID,OU=Managed Groups,OU=Org Units,DC=ds,DC=vumc,DC=io
	# managed by CFEngine 3

	[sssd]
	config_file_version = 2
	services = nss, pam
	reconnection_retries = 3
	domains = {{ansible_local.ad.domain\|default('VANDERBILT')}}
	sbus_timeout = 30
	debug_level = 1

	[nss]
	reconnection_retries = 3
	filter_groups = root
	filter_users = apache,avahi,daemon,dbus,gdm,haldaemon,hpsmh,ldap,mysql,named,nobody,nrpe,ntp,oracle,rpc,rpcuser,root,smmsp
	override_homedir = {{ansible_local.auth.method.homedir\|default(homedir)}}/%u

	[pam]
	offline_credentials_expiration = 1

	[domain/VANDERBILT]
	entry_cache_timeout = 3600
	cache_credentials = True
	account_cache_expiration = 2

	id_provider = ldap
	access_provider = ldap

	ldap_uri = ldap://ds.vanderbilt.edu
	ldap_search_base = dc=ds,dc=vanderbilt,dc=edu
	ldap_schema = rfc2307bis

	ldap_default_bind_dn = cn={{ svc_username }},cn=users,dc=ds,dc=vanderbilt,dc=edu
	ldap_default_authtok_type = password
	ldap_default_authtok = {{ svc_password }}

	ldap_user_object_class = user
	ldap_user_name = sAMAccountName
	ldap_force_upper_case_realm = True
	ldap_group_object_class = group

	ldap_tls_cacert = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
	ldap_id_use_start_tls = True

	ldap_referrals = False
	ldap_account_expire_policy = ad
	ldap_access_order = expire

	ldap_user_search_base = cn=users,dc=ds,dc=vanderbilt,dc=edu
	ldap_group_search_base = ou=AI Unix,ou=Information Management,ou=Organizational Units,dc=ds,dc=vanderbilt,dc=edu

	[domain/VUMC]
	case_sensitive = false
	entry_cache_timeout = 3600
	cache_credentials = True
	account_cache_expiration = 2

	id_provider = ldap
	access_provider = ldap

	ldap_uri = ldap://ds.vumc.io
	ldap_search_base = dc=ds,dc=vumc,dc=io
	ldap_schema = rfc2307bis

	ldap_default_bind_dn = cn={{ svc_username }},cn=users,dc=ds,dc=vumc,dc=io
	ldap_default_authtok_type = password
	ldap_default_authtok = {{ svc_password }}

	ldap_user_object_class = user
	ldap_user_name = sAMAccountName
	ldap_force_upper_case_realm = True
	ldap_group_object_class = group

	ldap_tls_cacert = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
	ldap_id_use_start_tls = True

	ldap_referrals = False
	ldap_account_expire_policy = ad
	ldap_access_order = expire

	ldap_user_search_base = cn=users,dc=ds,dc=vumc,dc=io
	ldap_group_search_base = OU=Linux GID,OU=Managed Groups,OU=Org Units,DC=ds,DC=vumc,DC=io