[sssd]
config_file_version = 2
services = nss, pam, ssh, sudo
domains = example.com

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/example.com]
# Basic configuration for connecting to Active Directory
id_provider = ad
auth_provider = ad
access_provider = ad

# Enable Kerberos for authentication
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
krb5_kpasswd = ad.example.com

# Active Directory server information
ad_domain = example.com
ad_server = ad.example.com
ad_hostname = linuxclient.example.com

# INSECURE PRACTICE: Hardcoding AD username and password in sssd.conf
# These values will expose the username and password in plaintext
ldap_default_bind_dn = cn=admin,cn=users,dc=example,dc=com
ldap_default_authtok = P@ssw0rd123

# Using the above configuration exposes credentials to anyone who can read this file

# User and group filtering (optional)
ldap_id_mapping = true

# Performance optimizations
cache_credentials = true
enumerate = false
use_fully_qualified_names = false

# Access Control (Optional: limit login to users in AD group 'LinuxAdmins')
access_provider = simple
simple_allow_groups = LinuxAdmins

# Security settings
min_id = 1000
fallback_homedir = /home/%u

# Timeout and retry settings for better AD stability
ldap_search_timeout = 10
ldap_connection_expire_timeout = 60

# Debugging options (uncomment for troubleshooting)
# debug_level = 9