Our LDAP does not include the POSIX schema, so we made a couple of entries in sssd.conf to
attempt to work around that.
Here is our complete (slightly redacted) sssd.conf:
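# sssd.conf — posted (redacted) configuration, read by sssd's own INI parser.
# Full-line '#' comments only, matching the one comment line already present.

# Identity, authentication and access control for the LDAP-backed domain.
[domain/mydomain]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# One URI on one line. In the post the value was split across two lines,
# which leaves ldap_uri empty and a bare URI line that is not key = value.
ldap_uri = ldaps://mydomain.my.edu
ldap_search_base = ou=people,ou=primary,ou=eid,dc=my,dc=edu
# The proxy bind password sits here in clear text; keep this file owned by
# root with mode 0600 (sssd checks the file permissions at startup).
ldap_default_bind_dn = cn=my-proxy,ou=proxies,dc=my,dc=edu
ldap_default_authtok = REDACTED
# Admits every entry under the search base that has a uid attribute, i.e.
# every user the directory returns; tighten if only a subset should log in.
ldap_access_filter = uid=*
ldap_schema = rfc2307
cache_credentials = false
ldap_user_object_class = inetorgperson
ldap_id_mapping = false
# uidNumber must resolve to an integer. In inetOrgPerson, uid normally holds
# the login name, so this mapping presumably fails to parse as a number —
# confirm what the directory actually stores in uid (this is the POSIX
# workaround mentioned above).
ldap_user_uid_number = uid
#proxy_pam_target = sssd-shadowutils
# ldaps:// negotiates TLS from the first byte, so STARTTLS is not needed.
ldap_id_use_start_tls = false
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/mydomain_my_edu_interm.cer
# A client certificate is named but no ldap_tls_key is set; presumably a
# partial client-cert setup — verify whether the server requires it at all.
ldap_tls_cert = /etc/openldap/certs/mydomain_my_edu_cert.cer
# Was 'never', which accepts any server certificate: the proxy bind password
# and every user password checked over this channel would be exposed to
# anyone able to sit between the host and the directory. 'demand' requires
# the server certificate to chain to ldap_tls_cacert / ldap_tls_cacertdir;
# the configured file looks like an intermediate only, so add the root CA
# to the cacerts directory if the chain does not validate.
ldap_tls_reqcert = demand
# seconds
entry_cache_timeout = 5
# Maximum verbosity. Logs at this level can contain directory data and
# should be lowered once the problem is diagnosed.
debug_level = 9

# Monitor process: which responders run and which domains they serve.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = mydomain
debug_level = 9
# Applies to certificates presented for certificate/smartcard authentication,
# not to the LDAP server certificate; it disables those checks entirely.
# Unless PAM certificate authentication is in use, this line is likely inert.
certificate_verification = no_verification

# PAM responder: offline-login behaviour and verbosity.
[pam]
reconnection_retries = 3
# days
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
# minutes
offline_failed_login_delay = 5
pam_verbosity = 3
debug_level = 9

# NSS responder: local accounts that must never be looked up in LDAP.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9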
Thanks for looking,
Jane