Even if LDAP is not used directly through `pam_ldap` and `nss_ldap`, it is still useful to configure ldap.conf, because it sets the defaults for openldap-libs and therefore, indirectly, for LDAP tools such as `ldapsearch`.
{sysconfdir}/openldap/ldap.conf
# Set the default base dn
BASE dc=example,dc=com
# Set the default LDAP server
URI ldap://ldap.example.com ldap://ldap-master.example.com:666
KERBEROS
If you use Kerberos, the default Kerberos realm should be configured so that krb5-libs, and therefore tools such as `kinit`, work out of the box.
{sysconfdir}/krb5.conf
[libdefaults]
default_realm = MYREALM
[realms]
MYREALM = {
    kdc = kdc.myrealm.org
}
[domain_realm]
myrealm.org = MYREALM
.myrealm.org = MYREALM
SSSD
Authselect encourages users to use SSSD wherever possible. There are many configuration options; see sssd.conf(5). The following is a minimal configuration that creates one LDAP domain called `default`. The LDAP server is auto-discovered through DNS lookups.
{sysconfdir}/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
ldap_uri = _srv_
dns_discovery_domain = myrealm
Here is a configuration snippet for the same domain, but with authentication done over Kerberos. The KDC server is auto-discovered through DNS lookups.
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealm
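To review such a file before deploying it, the following added example (not part of authselect or SSSD) parses an sssd.conf and reports, per enabled domain, which provider ends up handling authentication and which DNS SRV names the `_srv_` settings depend on. The names `review`, `SAMPLE` and `SRV_LABELS` are hypothetical, and the SRV labels are an assumption based on the service discovery behaviour described in sssd-ldap(5) and sssd-krb5(5).

```python
import configparser

# Constructed sample: the page's [sssd] section plus its Kerberos-auth domain.
SAMPLE = """\
[sssd]
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
krb5_server = _srv_
krb5_realm = MYREALM
dns_discovery_domain = myrealm
"""

# SRV labels queried for an option set to _srv_ (assumed from sssd-ldap(5) and
# sssd-krb5(5): LDAP uses _tcp, the KDC lookup tries _udp and then _tcp).
SRV_LABELS = {"ldap_uri": ["_ldap._tcp"],
              "krb5_server": ["_kerberos._udp", "_kerberos._tcp"]}

def review(text):
    """Return (auth provider per domain, SRV names to resolve, notes)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    auth, srv, notes = {}, [], []
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    for name in filter(None, enabled):
        section = f"domain/{name}"
        if not cp.has_section(section):
            notes.append(f"[sssd] enables '{name}' but [{section}] is missing")
            continue
        dom = cp[section]
        # auth_provider falls back to id_provider when it is not set.
        auth[name] = dom.get("auth_provider", dom.get("id_provider"))
        if auth[name] == "krb5" and not dom.get("krb5_realm"):
            notes.append(f"[{section}] auth_provider = krb5 needs krb5_realm")
        zone = dom.get("dns_discovery_domain")
        for option, labels in SRV_LABELS.items():
            if "_srv_" not in dom.get(option, ""):
                continue
            if zone is None:  # SSSD then searches the host's own DNS domain
                notes.append(f"[{section}] {option} = _srv_ without dns_discovery_domain")
            else:
                srv += [f"{label}.{zone}" for label in labels]
    return auth, srv, notes

if __name__ == "__main__":
    print(review(SAMPLE))
```

Run against the first snippet (no `auth_provider`), it reports `ldap` as the authentication provider: passwords are then checked by an LDAP bind, which SSSD performs only over an encrypted connection.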
If you want to configure SSSD for an IPA or Active Directory domain, use the `realm` tool. This will perform an initial setup which involves creating a Kerberos keytab and generating a basic SSSD configuration. You can then tune it by modifying {sysconfdir}/sssd/sssd.conf.
WINBIND
If you want to configure the machine to use Winbind, use `realm`. This will perform an initial setup which involves creating a Kerberos keytab and running `adcli` to join the domain. It also makes changes to `smb.conf`. You can then tune it by modifying {sysconfdir}/samba/smb.conf.