ansible/roles/ipsilon/templates/sssd.conf

[domain/{{ env_prefix }}fedoraproject.org]
id_provider = ipa
dns_discovery_domain = {{ env_prefix }}fedoraproject.org
ipa_server = _srv_, {{ ipa_server }}
ipa_domain = {{ env_prefix }}fedoraproject.org
ipa_hostname = {{ ansible_fqdn }}
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
ldap_deref_threshold = 0
sudo_provider = ipa
autofs_provider = ipa
subdomains_provider = ipa
session_provider = ipa
hostid_provider = ipa
# Ipsilon needs these attributes to forward them to applications
ldap_user_extra_attrs = mail, street, locality, st, postalCode, telephoneNumber, givenname, sn, fasTimeZone, fasLocale, fasIRCNick, fasGPGKeyId, fasCreationTime, fasStatusNote, fasRHBZEmail, fasGitHubUsername, fasGitLabUsername, fasWebsiteURL, fasIsPrivate, fasPronoun, ipaSshPubKey

[sssd]
services = nss, pam, ssh, sudo, ifp
domains = {{ env_prefix }}fedoraproject.org

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
# Allow ipsilon to request user attributes
allowed_uids = ipsilon, root
# Ipsilon needs these attributes to forward them to applications
user_attributes = +mail, +street, +locality, +st, +postalCode, +telephoneNumber, +givenname, +sn, +fasTimeZone, +fasLocale, +fasIRCNick, +fasGPGKeyId, +fasCreationTime, +fasStatusNote, +fasRHBZEmail, +fasGitHubUsername, +fasGitLabUsername, +fasWebsiteURL, +fasIsPrivate, +fasPronoun, +ipaSshPubKey

[secrets]

[session_recording]