~ubuntu-branches/ubuntu/precise/nss-pam-ldapd/precise-security

« back to all changes in this revision

Viewing changes to man/nslcd.conf.5.xml

Committer: Package Import Robot
Author(s): Arthur de Jong
Date: 2011-09-04 21:00:00 UTC
mfrom: (14.1.4 experimental)
Revision ID: package-import@ubuntu.com-20110904210000-pe3u91iga88vtr16

Tags: 0.8.4

http://bugs.debian.org/638872

http://bugs.debian.org/637132

http://bugs.debian.org/637863

http://bugs.debian.org/640185

http://bugs.debian.org/637751

http://bugs.debian.org/637756

http://bugs.debian.org/637759

http://bugs.debian.org/638195

http://bugs.debian.org/639026

http://bugs.debian.org/639107

http://bugs.debian.org/639236

* Upload to unstable
* switch to using the member attribute by default instead of
  uniqueMember (backwards incompatible change)
* only return "x" as a password hash when the object has the shadowAccount
  objectClass and nsswitch.conf is configured to do shadow lookups using
  LDAP (this avoids some problems with pam_unix)
* fix problem with partial attribute name matches in DN (thanks Timothy
  White)
* fix a problem with objectSid mappings with recent versions of OpenLDAP
  (patch by Wesley Mason)
* set the socket timeout in a connection callback to avoid timeout
  issues during the SSL handshake (patch by Stefan Völkel)
* check for unknown variables in pam_authz_search
* only check password expiration when authenticating, only check account
  expiration when doing authorisation
* make buffer sizes consistent and grow all buffers holding string
  representations of numbers to be able to hold 64-bit numbers
* update AX_PTHREAD from autoconf-archive
* support querying DNS SRV records from a different domain than the current
  one (based on a patch by James M. Leddy)
* fix a problem with uninitialised memory while parsing the tls_ciphers
  option (closes: #638872) (but doesn't work yet due to #640384)
* implement bounds checking of numeric values read from LDAP (patch by
  Jakub Hrozek)
* correctly support large uid and gid values from LDAP (patch by Jakub
  Hrozek)
* improvements to the configure script (patch by Jakub Hrozek)
* switch to dh for debian/rules and bump debhelper compatibility to 8
* build Debian packages with multiarch support
* ship shlibs (but still no symbol files) for libnss-ldapd since that was
  the easiest way to support multiarch
* fix output in init script when restarting nslcd (closes: #637132)
* correctly handle leading and trailing spaces in preseeded debconf uri
  option (patch by Andreas B. Mundt) (closes: #637863)
* support spaces around database names in /etc/nsswitch.conf while
  configuring package (closes: #640185)
* updated Russian debconf translation by Yuri Kozlov (closes: #637751)
* updated French debconf translation by Christian Perrier (closes: #637756)
* added Slovak debconf translation by Slavko (closes: #637759)
* updated Danish debconf translation by Joe Hansen (closes :#637763)
* updated Brazilian Portuguese debconf translation by Denis Doria
* updated Portuguese debconf translation by Américo Monteiro
* updated Japanese debconf translation by Kenshi Muto (closes: #638195)
* updated Czech debconf translation by Miroslav Kure (closes: #639026)
* updated German debconf translation by Chris Leick (closes: #639107)
* updated Spanish debconf translation by Francisco Javier Cuadrado
  (closes: #639236)
* updated Dutch debconf translation by Arthur de Jong with help from Paul
  Gevers and Jeroen Schot

files added:
ChangeLog-2009

ChangeLog-2010

compat/strndup.c

compat/strndup.h

debian/pam-configs

debian/pam-configs/ldap

debian/po/sk.po

debian/source/lintian-overrides

nslcd/nsswitch.c

nss/bsdnss.c

nss/exports.freebsd

nss/exports.glibc

nss/exports.solaris

nss/solnss.c

py-compile

pynslcd

pynslcd/Makefile.am

pynslcd/Makefile.in

pynslcd/alias.py

pynslcd/cfg.py

pynslcd/common.py

pynslcd/config.py.in

pynslcd/ether.py

pynslcd/group.py

pynslcd/host.py

pynslcd/mypidfile.py

pynslcd/netgroup.py

pynslcd/network.py

pynslcd/pam.py

pynslcd/passwd.py

pynslcd/pynslcd.py

pynslcd/shadow.py

pynslcd/tio.py

tests/common.h

tests/in_testenv.sh

tests/test_pamcmds.expect

tests/test_pamcmds.sh

files removed:
debian/libpam-ldapd.pam-auth-update

nss/nss_ldap.map

tests/test_aliases.c

tests/test_ethers.c

tests/test_group.c

tests/test_hosts.c

tests/test_netgroup.c

tests/test_networks.c

tests/test_nslcd_group.c

tests/test_passwd.c

tests/test_protocols.c

tests/test_rpc.c

tests/test_services.c

tests/test_shadow.c

files modified:
AUTHORS

ChangeLog

HACKING

Makefile.am

Makefile.in

NEWS

README

TODO

aclocal.m4

common/Makefile.in

common/dict.c

common/dict.h

common/expr.c

common/expr.h

common/nslcd-prot.c

common/set.c

common/set.h

common/tio.c

compat/Makefile.am

compat/Makefile.in

compat/daemon.h

compat/ether.c

compat/ether.h

compat/getpeercred.c

compat/ldap_compat.h

compat/ldap_passwd_s.c

compat/nss_compat.h

compat/pam_compat.h

compat/pam_get_authtok.c

config.guess

config.h.in

config.sub

configure

configure.ac

debian/changelog

debian/compat

debian/control

debian/copyright

debian/libnss-ldapd.config

debian/libnss-ldapd.install

debian/libnss-ldapd.lintian-overrides

debian/libnss-ldapd.postinst

debian/libnss-ldapd.postrm

debian/libpam-ldapd.install

debian/libpam-ldapd.postinst

debian/nslcd.config

debian/nslcd.init

debian/nslcd.install

debian/nslcd.postinst

debian/nslcd.templates

debian/po/ca.po

debian/po/cs.po

debian/po/da.po

debian/po/de.po

debian/po/es.po

debian/po/fi.po

debian/po/fr.po

debian/po/gl.po

debian/po/it.po

debian/po/ja.po

debian/po/nb.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/ru.po

debian/po/sv.po

debian/po/templates.pot

debian/po/vi.po

debian/po/zh_CN.po

debian/rules

m4/ax_pthread.m4

man/Makefile.am

man/Makefile.in

man/nslcd.8

man/nslcd.8.xml

man/nslcd.conf.5

man/nslcd.conf.5.xml

man/pam_ldap.8

man/pam_ldap.8.xml

nslcd.conf

nslcd.h

nslcd/Makefile.am

nslcd/Makefile.in

nslcd/alias.c

nslcd/attmap.c

nslcd/attmap.h

nslcd/cfg.c

nslcd/cfg.h

nslcd/common.c

nslcd/common.h

nslcd/ether.c

nslcd/group.c

nslcd/host.c

nslcd/log.c

nslcd/log.h

nslcd/myldap.c

nslcd/myldap.h

nslcd/netgroup.c

nslcd/network.c

nslcd/nslcd.c

nslcd/pam.c

nslcd/passwd.c

nslcd/protocol.c

nslcd/rpc.c

nslcd/service.c

nslcd/shadow.c

nss/Makefile.am

nss/Makefile.in

nss/aliases.c

nss/common.h

nss/ethers.c

nss/group.c

nss/hosts.c

nss/netgroup.c

nss/networks.c

nss/passwd.c

nss/protocols.c

nss/prototypes.h

nss/rpc.c

nss/services.c

nss/shadow.c

pam/Makefile.am

pam/Makefile.in

pam/common.h

pam/pam.c

tests/Makefile.am

tests/Makefile.in

tests/README

tests/nslcd-test.conf

tests/test_cfg.c

tests/test_common.c

tests/test_dict.c

tests/test_expr.c

tests/test_getpeercred.c

tests/test_myldap.c

tests/test_nsscmds.sh

tests/test_set.c

tests/test_tio.c

Show diffs side-by-side

added added

removed removed

man/nslcd.conf.5.xml

nslcd.conf.5.xml - docbook manual page for nslcd.conf

This library is free software; you can redistribute it and/or

modify it under the terms of the GNU Lesser General Public

<refentrytitle>nslcd.conf</refentrytitle>

<refmiscinfo class="version">Version 0.7.13</refmiscinfo>

<refmiscinfo class="version">Version 0.8.4</refmiscinfo>

<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>

</refmeta>

<title>Runtime options</title>

<term><option>threads</option> <replaceable>NUM</replaceable></term>

<para>

</listitem>

</varlistentry>

<para>

</listitem>

</varlistentry>

100

101

102

<para>

116

<title>General connection options</title>

117

118

119

119

120

121

122

<para>

127

<acronym>LDAP</acronym> over <acronym>TCP</acronym>,

128

<acronym>ICP</acronym> or <acronym>SSL</acronym> respectively (if

129

supported by the <acronym>LDAP</acronym> library).

130

</para>

131

<para>

130

132

Alternatively, the value <literal>DNS</literal> may be

131

133

used to try to lookup the server using <acronym>DNS</acronym>

132

134

<acronym>SRV</acronym> records.

135

By default the current domain is used but another domain can

136

be queried by using the

137

<literal>DNS:</literal><replaceable>DOMAIN</replaceable> syntax.

133

138

</para>

134

139

<para>

135

140

When using the ldapi scheme, %2f should be used to escape slashes

149

154

</listitem>

150

155

</varlistentry>

151

156

152

157

153

158

<term><option>ldap_version</option> <replaceable>VERSION</replaceable></term>

154

159

155

160

<para>

159

164

</listitem>

160

165

</varlistentry>

161

166

162

167

163

168

<term><option>binddn</option> <replaceable>DN</replaceable></term>

164

169

165

170

<para>

170

175

</listitem>

171

176

</varlistentry>

172

177

173

178

174

179

<term><option>bindpw</option> <replaceable>PASSWORD</replaceable></term>

175

180

176

181

<para>

177

Specifies the clear text credentials with which to bind.

182

Specifies the credentials with which to bind.

178

183

This option is only applicable when used with <option>binddn</option> above.

179

184

If you set this option you should consider changing the permissions

180

185

of the <filename>nslcd.conf</filename> file to only grant access to

187

192

</listitem>

188

193

</varlistentry>

189

194

190

195

191

196

<term><option>rootpwmoddn</option> <replaceable>DN</replaceable></term>

192

197

193

198

<para>

194

199

Specifies the distinguished name to use when the root user tries to

195

modify a user's password using the PAM module. The PAM module prompts

196

the user for the admin password instead of the user's password.

200

modify a user's password using the PAM module.

201

</para>

202

</listitem>

203

</varlistentry>

204

205

206

<term><option>rootpwmodpw</option> <replaceable>PASSWORD</replaceable></term>

207

208

<para>

209

Specifies the credentials with which to bind if the root

210

user tries to change a user's password.

211

This option is only applicable when used with

212

<option>rootpwmoddn</option> above.

213

If this option is not specified the PAM module prompts the user for

214

this password.

215

If you set this option you should consider changing the permissions

216

of the <filename>nslcd.conf</filename> file to only grant access to

217

the root user.

197

218

</para>

198

219

</listitem>

199

220

</varlistentry>

205

226

<title><acronym>SASL</acronym> authentication options</title>

206

227

207

228

208

229

209

230

<term><option>sasl_mech</option> <replaceable>MECHANISM</replaceable></term>

210

231

211

232

<para>

215

236

</listitem>

216

237

</varlistentry>

217

238

218

239

219

240

<term><option>sasl_realm</option> <replaceable>REALM</replaceable></term>

220

241

221

242

<para>

225

246

</listitem>

226

247

</varlistentry>

227

248

228

249

229

250

<term><option>sasl_authcid</option> <replaceable>AUTHCID</replaceable></term>

230

251

231

252

<para>

235

256

</listitem>

236

257

</varlistentry>

237

258

238

259

239

260

<term><option>sasl_authzid</option> <replaceable>AUTHZID</replaceable></term>

240

261

241

262

<para>

247

268

</listitem>

248

269

</varlistentry>

249

270

250

271

251

272

<term><option>sasl_secprops</option> <replaceable>PROPERTIES</replaceable></term>

252

273

253

274

<para>

266

287

<title>Kerberos authentication options</title>

267

288

268

289

269

290

270

291

<term><option>krb5_ccname</option> <replaceable>NAME</replaceable></term>

271

292

272

293

<para>

282

303

<title>Search/mapping options</title>

283

304

284

305

285

306

286

307

287

308

288

309

311

332

</listitem>

312

333

</varlistentry>

313

334

314

335

315

336

<term><option>scope</option>

316

337

317

338

sub<optional>tree</optional>|one<optional>level</optional>|base</term>

324

345

</listitem>

325

346

</varlistentry>

326

347

327

348

328

349

<term><option>deref</option> never|searching|finding|always</term>

329

350

330

351

<para>

334

355

</listitem>

335

356

</varlistentry>

336

357

337

358

338

359

<term><option>referrals</option> yes|no</term>

339

360

340

361

<para>

344

365

</listitem>

345

366

</varlistentry>

346

367

347

368

348

369

<term><option>filter</option>

349

370

350

371

<replaceable>FILTER</replaceable></term>

359

380

</listitem>

360

381

</varlistentry>

361

382

362

383

363

384

364

385

365

386

<replaceable>ATTRIBUTE</replaceable>

372

393

the supported maps below.

373

394

The <replaceable>ATTRIBUTE</replaceable> is the one as

374

395

used in <acronym>RFC</acronym> 2307 (e.g. <literal>userPassword</literal>,

375

<literal>ipProtocolNumber</literal> or <literal>macAddress</literal>).

396

<literal>ipProtocolNumber</literal>, <literal>macAddress</literal>, etc.).

376

397

The <replaceable>NEWATTRIBUTE</replaceable> may be any attribute

377

398

as it is available in the directory.

378

399

</para>

383

404

See the section on attribute mapping expressions below for more details.

384

405

</para>

385

406

<para>

386

Only some attributes for passwd and shadow entries may be mapped with

387

an expression (because other attributes may be used in search

407

Only some attributes for group, passwd and shadow entries may be mapped

408

with an expression (because other attributes may be used in search

388

409

filters).

410

For group entries only the <literal>userPassword</literal> attribute

411

may be mapped with an expression.

389

412

For passwd entries the following attributes may be mapped with an

390

expression: <literal>gidNumber</literal>, <literal>gecos</literal>,

391

<literal>homeDirectory</literal> and <literal>loginShell</literal>.

413

expression: <literal>userPassword</literal>, <literal>gidNumber</literal>,

414

<literal>gecos</literal>, <literal>homeDirectory</literal> and

415

<literal>loginShell</literal>.

392

416

For shadow entries the following attributes may be mapped with an

393

expression: <literal>shadowLastChange</literal>, <literal>shadowMin</literal>,

394

<literal>shadowMax</literal>, <literal>shadowWarning</literal>,

395

<literal>shadowInactive</literal>, <literal>shadowExpire</literal> and

396

<literal>shadowFlag</literal>.

417

expression: <literal>userPassword</literal>, <literal>shadowLastChange</literal>,

418

<literal>shadowMin</literal>, <literal>shadowMax</literal>,

419

<literal>shadowWarning</literal>, <literal>shadowInactive</literal>,

420

<literal>shadowExpire</literal> and <literal>shadowFlag</literal>.

421

</para>

422

<para>

423

The <literal>uidNumber</literal> and <literal>gidNumber</literal>

424

attributes in the <literal>passwd</literal> and <literal>group</literal>

425

maps may be mapped to the <literal>objectSid</literal> followed by

426

the domain SID to derive numeric user and group ids from the SID

427

(e.g. <literal>objectSid:S-1-5-21-3623811015-3361044348-30300820</literal>).

428

</para>

429

<para>

430

By default all <literal>userPassword</literal> attributes are mapped

431

to the unmatchable password ("*") to avoid accidentally leaking

432

password information.

397

433

</para>

398

434

</listitem>

399

435

</varlistentry>

405

441

<title>Timing/reconnect options</title>

406

442

407

443

408

444

409

445

<term><option>bind_timelimit</option> <replaceable>SECONDS</replaceable></term>

410

446

411

447

<para>

420

456

</listitem>

421

457

</varlistentry>

422

458

423

459

424

460

<term><option>timelimit</option> <replaceable>SECONDS</replaceable></term>

425

461

426

462

<para>

432

468

</listitem>

433

469

</varlistentry>

434

470

435

471

436

472

<term><option>idle_timelimit</option> <replaceable>SECONDS</replaceable></term>

437

473

438

474

<para>

443

479

</listitem>

444

480

</varlistentry>

445

481

446

482

447

483

<term><option>reconnect_sleeptime</option> <replaceable>SECONDS</replaceable></term>

448

484

449

485

<para>

455

491

</listitem>

456

492

</varlistentry>

457

493

458

494

459

495

<term><option>reconnect_retrytime</option> <replaceable>SECONDS</replaceable></term>

460

496

461

497

<para>

487

523

<title><acronym>SSL</acronym>/<acronym>TLS</acronym> options</title>

488

524

489

525

490

526

491

527

<term><option>ssl</option> on|off|start_tls</term>

492

528

493

529

<para>

500

536

</listitem>

501

537

</varlistentry>

502

538

503

539

504

540

<term><option>tls_reqcert</option> never|allow|try|demand|hard</term>

505

541

506

542

<para>

515

551

</listitem>

516

552

</varlistentry>

517

553

518

554

519

555

<term><option>tls_cacertdir</option> <replaceable>PATH</replaceable></term>

520

556

521

557

<para>

522

558

Specifies the directory containing X.509 certificates for peer

523

559

authentication.

560

This parameter is ignored when using GnuTLS.

561

On Debian OpenLDAP is linked against GnuTLS.

524

562

</para>

525

563

</listitem>

526

564

</varlistentry>

527

565

528

566

529

567

<term><option>tls_cacertfile</option> <replaceable>PATH</replaceable></term>

530

568

531

569

<para>

534

572

</listitem>

535

573

</varlistentry>

536

574

537

575

538

576

<term><option>tls_randfile</option> <replaceable>PATH</replaceable></term>

539

577

540

578

<para>

541

579

Specifies the path to an entropy source.

580

This parameter is ignored when using GnuTLS.

581

On Debian OpenLDAP is linked against GnuTLS.

542

582

</para>

543

583

</listitem>

544

584

</varlistentry>

545

585

546

586

547

587

<term><option>tls_ciphers</option> <replaceable>CIPHERS</replaceable></term>

548

588

549

589

<para>

554

594

</listitem>

555

595

</varlistentry>

556

596

557

597

558

598

559

599

560

600

<para>

564

604

</listitem>

565

605

</varlistentry>

566

606

567

607

568

608

569

609

570

610

<para>

582

622

583

623

584

624

<!-- do not document this option for now as support it is not finalized

585

625

586

626

<term><option>restart</option> yes|no</term>

587

627

588

628

<para>

596

636

</varlistentry>

597

637

-->

598

638

599

639

600

640

<term><option>pagesize</option> <replaceable>NUMBER</replaceable></term>

601

641

602

642

<para>

615

655

</listitem>

616

656

</varlistentry>

617

657

618

658

619

659

<term><option>nss_initgroups_ignoreusers</option> user1,user2,...</term>

620

660

621

661

<para>

632

672

</listitem>

633

673

</varlistentry>

634

674

635

675

676

677

678

<para>

679

This option ensures that <acronym>LDAP</acronym> users with a numeric

680

user id lower than the specified value are ignored. Also requests for

681

users with a lower user id are ignored.

682

</para>

683

</listitem>

684

</varlistentry>

685

686

687

<term><option>validnames</option> <replaceable>REGEX</replaceable></term>

688

689

<para>

690

This option can be used to specify how user and group names are

691

verified within the system. This pattern is used to check all user and

692

group names that are requested and returned from <acronym>LDAP</acronym>.

693

</para>

694

<para>

695

The regular expression should be specified as a POSIX extended regular

696

expression. The expression itself needs to be separated by slash (/)

697

characters and the 'i' flag may be appended at the end to indicate

698

that the match should be case-insensetive.

699

The default value is

700

701

</para>

702

</listitem>

703

</varlistentry>

704

705

636

706

<term><option>pam_authz_search</option>

637

707

<replaceable>FILTER</replaceable></term>

638

708

646

716

<literal>$username</literal>, <literal>$service</literal>,

647

717

<literal>$ruser</literal>, <literal>$rhost</literal>,

648

718

<literal>$tty</literal>, <literal>$hostname</literal>,

719

<literal>$fqdn</literal>,

649

720

<literal>$dn</literal>, and <literal>$uid</literal>.

650

721

These references are substituted in the search filter using the

651

722

same syntax as described in the section on attribute mapping

652

723

expressions below.

653

724

</para>

654

725

<para>

655

For example, to check that the user has a proper authorizedService

656

value if the attribute is present:

657

<literal>(&(objectClass=posixAccount)(uid=$username)

658

(|(authorizedService=$service)(!(authorizedService=*))))</literal>

726

For example, to check that the user has a proper <literal>authorizedService</literal>

727

value if the attribute is present (this almost emulates the

728

<option>pam_check_service_attr</option> option in PADL's pam_ldap):

729

<literallayout><literal>(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))</literal></literallayout>

730

</para>

731

<para>

732

The <option>pam_check_host_attr</option> option can be emulated with:

733

<literallayout><literal>(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))</literal></literallayout>

659

734

</para>

660

735

<para>

661

736

The default behaviour is not to do this extra search and always

732

807

<title>Attribute mapping expressions</title>

733

808

<para>

734

809

For some attributes a mapping expression may be used to construct the

735

resulting value. This is currently only possible for attributes that do

810

resulting value.

811

This is currently only possible for attributes that do

736

812

not need to be used in search filters.

737

</para>

738

<para>

739

813

The expressions are a subset of the double quoted string expressions in the

740

814

Bourne (POSIX) shell.

741

815

Instead of variable substitution, attribute lookups are done on the current

765

839

</varlistentry>

766

840

</variablelist>

767

841

<para>

842

Quote (<literal>"</literal>), dollar (<literal>$</literal>) or

843

backslash (<literal>\</literal>) characters should be escaped with a

844

backslash (<literal>\</literal>).

845

</para>

846

<para>

768

847

The <command>nslcd</command> daemon checks the expressions to figure

769

848

out which attributes to fetch from <acronym>LDAP</acronym>.

770

849

Some examples to demonstrate how these expressions may be used in

Older »