foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sssd: Disable unused services and enumeration

Browse source 
We are not using autofs or sudo via LDAP so disable them. Enumeration
doesn't seem to help getting all users via getent so disable it.
This commit is contained in:
Timo Makinen 2020-11-17 18:15:23 +00:00
parent f035101cce
commit 0ba135be52
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
roles/sssd/templates/sssd.conf.j2
View file

@ -11,6 +11,8 @@ domains = {{ kerberos_realm }}
id_provider = ldap id_provider = ldap
auth_provider = krb5 auth_provider = krb5
chpass_provider = ldap chpass_provider = ldap
autofs_provider = none
sudo_provider = none
ldap_uri = ldaps://{{ ldap_server[0] }} ldap_uri = ldaps://{{ ldap_server[0] }}
ldap_search_base = {{ ldap_basedn }} ldap_search_base = {{ ldap_basedn }}
ldap_schema = rfc2307bis ldap_schema = rfc2307bis
@ -23,5 +25,4 @@ ldap_sasl_mech = EXTERNAL
ldap_tls_cacert = {{ tls_bundle }} ldap_tls_cacert = {{ tls_bundle }}
ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key
enumerate = true
krb5_realm = {{ kerberos_realm }} krb5_realm = {{ kerberos_realm }}