On (22/09/16 08:53), Lachlan Musicman wrote:
>My translations of your comments are in line, if you could correct, I'd
>appreciate that.
>
>On 20 September 2016 at 17:11, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>
>> >----------------------
>> >[domain/unixdev.etc]
>> >ignore_group_members = True
>> It was probably set as a result of performance tuning.
>>
>> >ldap_purge_cache_timeout = 0
>> That's default since 1.13.0
>>
>> >subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
>> that's specific option for sssd on IPA server
>>
>
>
>I presume your comment suggests ignore_group_members is no longer needed,
>and since the lpct=0 is now default, then subdomain_inherit is also
>superfluous?
>
I have no idea why the option ignore_group_members was set.
My assumption is that you wanted to reduce loading data from IPA/AD
because there were many members in groups and it was slow.

>
>
>> >selinux_provider = none
>> It was probably set as a workaround of a bug which has been already
>> fixed.
>>
>
>We set this because of an error in libsemanage, but I think that was an
>upstream (selinux) issue?
>https://www.redhat.com/archives/freeipa-users/2016-July/msg00244.html
>
>Not sure if I should disable just yet - was this fixed?
It should be fixed; if not, file a bug.

>>
>> >ipa_server_mode = True
>> that's specific option for sssd on IPA server
>>
>>
>I take it that this means it's still used.
>
Yes, but it is used only in sssd which is on IPA server.

>
>> >sudo_provider = ldap
>> >ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
>> >ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
>> >ldap_sasl_mech = GSSAPI
>> >ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
>> >ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
>> >krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
>> Previous 7 options are not required since sssd-1.10
>>
>
>Yep, I added those because a disconnect between the different info sources
>made it hard to tell what was canonical, so I followed the Red Hat guide:
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>
>mostly because I didn't quite understand the sssd-sudo man page (because
>sometimes I find man pages obtuse), but also there was an inconsistency
>with the local man page and the die.net mirror
>https://linux.die.net/man/5/sssd-sudo and this howto
>https://blog-rcritten.rhcloud.com/?p=52
>
The best is to check the version of the man page sssd-sudo on the machine.
But as I wrote, "sudo_provider = ldap" is not required for an IPA client
since sssd-1.10, and most current distributions have a newer version of sssd.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
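As an added illustration (not code from the thread or from the sssd project), the following Python check reads an sssd.conf and flags the options the reply above calls redundant on an IPA client: the seven LDAP sudo options for sssd >= 1.10 and `ldap_purge_cache_timeout = 0` for sssd >= 1.13.0. It assumes IPA domains are declared with `id_provider = ipa`; the sample config and its hostnames are constructed placeholders.

```python
# Added check: flag sssd.conf domain options the thread calls redundant on an
# IPA client. Version thresholds (sssd-1.10, 1.13.0) are taken from the thread.
import configparser

# The seven LDAP sudo options listed as not required since sssd-1.10
LDAP_SUDO_OPTIONS = (
    "sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server",
)

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def redundant_options(conf_text, sssd_version):
    """Return {section: [(option, reason), ...]} for each [domain/...] section
    using id_provider = ipa (assumption: that is how IPA domains are declared)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    ver = parse_version(sssd_version)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/") or cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        hits = []
        if ver >= (1, 10):
            hits += [(o, "not required for an IPA client since sssd-1.10")
                     for o in LDAP_SUDO_OPTIONS if cp.has_option(section, o)]
        if ver >= (1, 13) and cp.get(section, "ldap_purge_cache_timeout", fallback="") == "0":
            hits.append(("ldap_purge_cache_timeout", "0 is the default since 1.13.0"))
        if hits:
            findings[section] = hits
    return findings

# Constructed sssd.conf modelled on the one in the thread; hostnames are placeholders
SAMPLE_CONF = """
[domain/example.test]
id_provider = ipa
ipa_server_mode = True
ldap_purge_cache_timeout = 0
sudo_provider = ldap
ldap_uri = ldap://ipa1.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test
ldap_sasl_mech = GSSAPI
krb5_server = ipa1.example.test
"""

if __name__ == "__main__":
    for section, hits in redundant_options(SAMPLE_CONF, "1.14.0").items():
        for option, reason in hits:
            print(f"{section}: {option}: {reason}")
```

Run against the real file with `redundant_options(open("/etc/sssd/sssd.conf").read(), "<installed version>")`; options left over from an older sssd are reported per domain section.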