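# sssd.conf — System Security Services Daemon configuration, read by sssd's own
# INI parser (not Python configparser): '#' full-line comments, '=' delimiter,
# booleans are case-insensitive, and '%u' in override_homedir is expanded by sssd.
# Keep this file owned by root with mode 0600: it carries the LDAP bind secret
# (ldap_default_authtok) and sssd refuses to start with looser permissions.
#
# KEY STEP after editing (clears the on-disk identity cache so old mappings
# do not survive a schema/ID-mapping change):
#   service sssd stop ; rm -f /var/lib/sss/db/* ; service sssd start
#
# Review notes on this revision:
#   - Every key now appears once per section. The original had contradictory
#     duplicates (ldap_use_tokengroups True/false, ldap_group_object_class
#     group/posixGroup, chpass_provider ldap/none in BRCD); they were collapsed
#     to the LAST occurrence, which is the effective value under a last-wins
#     parser — TODO confirm that is the value that was actually intended.
#   - '****' and '*******' are redactions, not literal values.

[sssd]
config_file_version = 2
reconnection_retries = 3
# seconds
sbus_timeout = 30
services = nss, pam
domains = BRCD,BSNSERVICE

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# seconds
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
# seconds
pam_id_timeout = 600

# Interactive users: OU=Users, restricted by ldap_access_filter to division=BSN.
[domain/BRCD]
# NOTE(review): subdomain_inherit only affects trusted subdomains; with
# id_provider = ldap it is presumed to have no effect — verify before relying on it.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = true
ldap_purge_cache_timeout = 0
# Collapsed from True/false duplicates; effective value was false (last wins).
ldap_use_tokengroups = false
ldap_group_nesting_level = 1
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
# 0-9, 9 is maximum verbosity: large logs and directory data in /var/log/sssd.
# Lower this once the domain is stable.
debug_level = 9
# true = offline logins allowed from cached credentials; set to false to require
# a live directory bind for every login.
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = ldap
# Collapsed from ldap/none duplicates; effective value was none (password
# changes disabled) — TODO confirm, the earlier duplicate said ldap.
chpass_provider = none
access_provider = ldap
ldap_pwd_policy = none
ldap_schema = ad
ldap_user_name = sAMAccountName
ldap_user_object_class = person
# Collapsed from group/posixGroup duplicates; effective value was posixGroup.
ldap_group_object_class = posixGroup
ldap_group_name = cn
# NOTE(review): with ldap_id_mapping = true sssd derives UIDs/GIDs from
# objectSid and does not use the uidNumber/gidNumber attribute mappings below
# — confirm which ID scheme is intended before the cache is rebuilt.
ldap_id_mapping = true
ldap_user_uid_number = uidNumber
ldap_group_gid_number = gidNumber
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember
case_sensitive = false
auto_private_groups = true
# override_shell = /bin/bash
# %u is expanded by sssd to the login name.
override_homedir = /home/%u
# Connection properties
ldap_uri = ldaps://domain.net
# SECURITY: 'never' disables server certificate validation, so LDAPS gives no
# protection against a spoofed directory and the bind password can be captured.
# Was marked "temporary until a proper certificate is available"; set to
# 'demand' once the CA is in ldap_tls_cacertdir and remove this note.
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = OU=Users,****,DC=domain,DC=net
ldap_group_search_base = OU=groups,****,DC=domain,DC=net
# Bind account: keep least-privilege (read-only) in the directory.
ldap_default_bind_dn = CN=LDAP,****,DC=domain,DC=net
ldap_default_authtok_type = password
# Plaintext bind secret — see the 0600 note at the top of the file.
ldap_default_authtok = *******
ldap_access_filter = (&(objectClass=person)(division=BSN))

# Service accounts: search base is narrowed with the base?scope?filter syntax
# to the two named sAMAccountNames.
[domain/BSNSERVICE]
# Rejoined onto one line; the original was split after '=' and an
# unkeyed continuation is not portable across INI parsers.
# NOTE(review): presumed ineffective with id_provider = ldap (see BRCD) — verify.
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = true
ldap_purge_cache_timeout = 0
# Collapsed from True/false duplicates; effective value was false (last wins).
ldap_use_tokengroups = false
ldap_group_nesting_level = 1
ldap_groups_use_matching_rule_in_chain = true
ldap_initgroups_use_matching_rule_in_chain = true
# 0-9, 9 is maximum verbosity. Moved the range note off the value line:
# trailing comments are not reliably stripped and may become part of the value.
debug_level = 9
# Next line is required if you get the error: Could not convert objectSID
# ldap_idmap_range_size = 2000000
enumerate = false
# false = service accounts never log in from cache; every login needs the directory.
cache_credentials = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# NOTE(review): the simple provider with no simple_allow_users /
# simple_allow_groups permits every account the id provider returns, and
# ldap_access_filter below is then NOT evaluated. The only scope limit is the
# filter in ldap_search_base. Either add simple_allow_users = fvt-user, service-bsn
# or switch back to access_provider = ldap so the filter applies.
access_provider = simple
# access_provider = ldap
ldap_pwd_policy = none
ldap_schema = ad
ldap_user_name = sAMAccountName
ldap_user_object_class = person
# Collapsed from group/posixGroup duplicates; effective value was posixGroup.
ldap_group_object_class = posixGroup
ldap_group_name = cn
# NOTE(review): same ID-mapping caveat as BRCD — uidNumber/gidNumber are not
# used while ldap_id_mapping = true.
ldap_id_mapping = true
ldap_user_uid_number = uidNumber
ldap_group_gid_number = gidNumber
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember
case_sensitive = false
auto_private_groups = true
# override_shell = /bin/bash
override_homedir = /home/%u
# Connection properties
ldap_uri = ldaps://domain.net
# SECURITY: same as BRCD — certificate validation disabled; change to 'demand'
# once the CA is present in ldap_tls_cacertdir.
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = OU=ServiceAccounts,****,DC=domain,DC=net?sub?(|(sAMAccountName=fvt-user)(sAMAccountName=service-bsn))
ldap_group_search_base = OU=groups,****,DC=domain,DC=net
ldap_default_bind_dn = CN=LDAP,****,DC=domain,DC=net
ldap_default_authtok_type = password
# Plaintext bind secret — see the 0600 note at the top of the file.
ldap_default_authtok = *******
# Only evaluated when access_provider = ldap (see note above).
ldap_access_filter = (objectClass=person)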