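# sssd.conf: SSSD client configuration for the "jumpcloud" LDAP domain.
# This file holds the LDAP bind credential (ldap_default_authtok), so it must
# stay owned by root with mode 0600. Any job that rewrites it at boot has to
# preserve that ownership and mode.

[sssd]
# NOTE(review): the sssd.conf man page documents debug levels 0-9; 10 is above
# that range. Confirm how the installed SSSD version interprets it. The same
# value is repeated in the [nss], [pam] and [domain/jumpcloud] sections.
debug_level = 10
config_file_version = 2
services = nss,pam,ssh
domains = jumpcloud

[nss]
debug_level = 10
# Exclude the root user/group from being fetched from the sss NSS DB
filter_groups = root
filter_users = root,nobody
# Set a default template for a user's home directory, ignoring what is in LDAP
override_homedir = /home/%u

[pam]
debug_level = 10
# NOTE(review): cache_credentials is enabled for the domain below and no
# offline_credentials_expiration is set in this section. Confirm that cached
# logins with no expiry are intended.

[domain/jumpcloud]
# Debug log level explanation:
# http://manpages.ubuntu.com/manpages/wily/man5/sssd.conf.5.html
# Original note: "log all minor (and more severe) errors".
# NOTE(review): that note describes a much lower level than the value set
# here. At this verbosity the domain log may include directory data, so
# lower it outside of troubleshooting and restrict access to the SSSD logs.
debug_level = 10
id_provider = ldap
# Enumeration downloads every user and group in the search base and lets any
# local account list them (e.g. via getent). Keep it only if it is needed.
enumerate = true
auth_provider = ldap
# Stores a hash of each user's password in the local SSSD cache so logins
# still work when the LDAP server is unreachable.
cache_credentials = true
# LDAP attribute that holds the user's SSH public key(s). It is served through
# the "ssh" responder listed in [sssd] services.
ldap_user_ssh_public_key = sshKey

# If this is a base, bastion, salt or jenkins server we will enforce LDAP + DUO.
# Otherwise the user will only get prompted for their password.
# NOTE: This file is created during base install and modified on boot, so we
# default to the most secure method.
# NOTE(review): no key in this file selects LDAP + DUO versus password-only;
# presumably that is enforced elsewhere (e.g. the PAM stack). Confirm.
# ldaps:// gives TLS from connection start. The server certificate is checked
# against ldap_tls_cacert. Do not relax ldap_tls_reqcert for this domain.
ldap_uri = ldaps://ldap.jumpcloud.com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_search_base = ou=Users,o=redacted,dc=jumpcloud,dc=com
# Bind account used for lookups. It should be a dedicated read-only account
# with the least privilege the directory allows.
ldap_default_bind_dn = uid=redacted,ou=Users,o=redacted,dc=jumpcloud,dc=com
# Plaintext bind password. ldap_default_authtok_type = obfuscated_password
# (generated with sss_obfuscate) hides it from casual reading, but that is
# obfuscation, not encryption: file permissions remain the real control.
# Keep this value out of version control and base images.
ldap_default_authtok = redacted
ldap_group_search_base = ou=Users,o=redacted,dc=jumpcloud,dc=com
sudo_provider = none

# Specifies a timeout (in seconds) after which calls to synchronous
# LDAP APIs will abort if no response is received (default: 6 sec).
# We allow 60 sec to complete DUO auth.
ldap_opt_timeout = 60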