# sssd.conf template (Jinja2; the inventory_hostname variable suggests Ansible renders it).
# Identity lookups and password changes go to LDAP over TLS with a per-host client
# certificate; authentication goes to Kerberos.
# NOTE(review): SSSD checks the ownership and mode of sssd.conf at start-up
# (traditionally root-owned, mode 0600) - confirm the deploying task sets both.

[sssd]
config_file_version = 2
services = nss, pam
# The single domain is named after the Kerberos realm and must match the
# [domain/...] section header below.
domains = {{ kerberos_realm }}

# Both responder sections are empty, so NSS and PAM run with SSSD defaults.
[nss]

[pam]

[domain/{{ kerberos_realm }}]
# Providers: LDAP for identities and password changes, Kerberos for authentication;
# autofs and sudo integration are switched off.
# NOTE(review): password changes are written to LDAP while logins are checked by the
# KDC - confirm the two password stores are kept in sync.
id_provider = ldap
auth_provider = krb5
chpass_provider = ldap
autofs_provider = none
sudo_provider = none

# Directory connection. Only the first entry of ldap_server is used, so SSSD has no
# second LDAP server to fail over to.
ldap_uri = ldaps://{{ ldap_server[0] }}
ldap_search_base = {{ ldap_basedn }}

# Schema mapping: rfc2307bis groups whose members are listed in uniqueMember,
# with entryUUID as the stable object identifier for users and groups.
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_user_uuid = entryUUID
ldap_group_uuid = entryUUID

# Transport security. The ldaps:// URI already starts TLS at connect time, so
# StartTLS stays off. reqcert = demand makes SSSD drop the connection when the
# server certificate does not validate against ldap_tls_cacert.
ldap_id_use_start_tls = False
ldap_tls_reqcert = demand
ldap_tls_cacert = {{ tls_bundle }}

# Client authentication: SASL EXTERNAL binds with the host certificate and key below.
# The key file must be readable only by the account SSSD runs as.
# NOTE(review): sssd-ldap(5) lists only GSSAPI and GSS-SPNEGO as tested SASL
# mechanisms - confirm EXTERNAL binds work on the deployed SSSD version.
ldap_sasl_mech = EXTERNAL
ldap_tls_cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
ldap_tls_key = {{ tls_private }}/{{ inventory_hostname }}.key

# Kerberos. No krb5_server is set, so SSSD locates the KDC through DNS service
# discovery. krb5_validate is not set either (default: off), so the TGT is not
# checked against a host keytab.
# NOTE(review): consider enabling krb5_validate where a host keytab is available.
krb5_realm = {{ kerberos_realm }}

# Login restriction is emitted only when sssd_allow_groups is defined. Without it no
# access_provider is set and the SSSD default (permit) lets every account in this
# domain that can authenticate log in.
# sssd_allow_groups must be a non-empty list: the simple provider grants access to
# everyone when all of its lists are empty, and join on a plain string would
# comma-separate its characters.
{% if sssd_allow_groups is defined %}
access_provider = simple
simple_allow_groups = {{ sssd_allow_groups | join(',') }}
{% endif %}