6
6
nslcd.conf.5.xml - docbook manual page for nslcd.conf
8
8
Copyright (C) 1997-2005 Luke Howard
9
Copyright (C) 2007, 2008, 2009, 2010 Arthur de Jong
9
Copyright (C) 2007, 2008, 2009, 2010, 2011 Arthur de Jong
11
11
This library is free software; you can redistribute it and/or
12
12
modify it under the terms of the GNU Lesser General Public
37
37
<refentrytitle>nslcd.conf</refentrytitle>
38
38
<manvolnum>5</manvolnum>
39
<refmiscinfo class="version">Version 0.7.13</refmiscinfo>
39
<refmiscinfo class="version">Version 0.8.4</refmiscinfo>
40
40
<refmiscinfo class="manual">System Manager's Manual</refmiscinfo>
41
<refmiscinfo class="date">Dec 2010</refmiscinfo>
41
<refmiscinfo class="date">Sep 2011</refmiscinfo>
44
44
<refnamediv id="name">
127
127
<acronym>LDAP</acronym> over <acronym>TCP</acronym>,
128
128
<acronym>ICP</acronym> or <acronym>SSL</acronym> respectively (if
129
129
supported by the <acronym>LDAP</acronym> library).
130
132
Alternatively, the value <literal>DNS</literal> may be
131
133
used to try to lookup the server using <acronym>DNS</acronym>
132
134
<acronym>SRV</acronym> records.
135
By default the current domain is used but another domain can
136
be queried by using the
137
<literal>DNS:</literal><replaceable>DOMAIN</replaceable> syntax.
135
140
When using the ldapi scheme, %2f should be used to escape slashes
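Review bot: "ICP" in the "TCP, ICP or SSL" list reads as a typo for IPC, the Unix-domain transport that the ldapi scheme stands for; please correct it while this paragraph is being touched. On the new DNS:DOMAIN lines, it would help to say that SRV discovery only decides which host to contact and does not by itself establish trust in it, since the DNS answer is unauthenticated; the server is still trusted only through the TLS settings (tls_cacertfile and related options) when ldaps or StartTLS is in use.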
178
<varlistentry id="bindpw">
174
179
<term><option>bindpw</option> <replaceable>PASSWORD</replaceable></term>
177
Specifies the clear text credentials with which to bind.
182
Specifies the credentials with which to bind.
178
183
This option is only applicable when used with <option>binddn</option> above.
179
184
If you set this option you should consider changing the permissions
180
185
of the <filename>nslcd.conf</filename> file to only grant access to
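Review bot: dropping "clear text" from the bindpw description removes the reason the permissions advice that follows exists; the value is still written unencrypted in nslcd.conf. Suggest keeping the fact in the sentence, for example "Specifies the credentials (stored in clear text) with which to bind", so a reader understands why access to the file must be restricted and is not tempted to treat the option as a hashed or otherwise protected value.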
195
<varlistentry id="rootpwmoddn">
191
196
<term><option>rootpwmoddn</option> <replaceable>DN</replaceable></term>
194
199
Specifies the distinguished name to use when the root user tries to
195
modify a user's password using the PAM module. The PAM module prompts
196
the user for the admin password instead of the user's password.
200
modify a user's password using the PAM module.
205
<varlistentry id="rootpwmodpw">
206
<term><option>rootpwmodpw</option> <replaceable>PASSWORD</replaceable></term>
209
Specifies the credentials with which to bind if the root
210
user tries to change a user's password.
211
This option is only applicable when used with
212
<option>rootpwmoddn</option> above.
213
If this option is not specified the PAM module prompts the user for
215
If you set this option you should consider changing the permissions
216
of the <filename>nslcd.conf</filename> file to only grant access to
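Review bot: rootpwmodpw stores a credential that can change other users' passwords, which is more sensitive than the bindpw credential, and the description does not say so; the permissions sentence is copied verbatim from bindpw. Suggest stating that leaving rootpwmodpw unset (so the PAM module prompts for the admin password) is the safer configuration and that setting it puts an administrative password on disk, and then referencing the bindpw permission advice rather than duplicating it.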
372
393
the supported maps below.
373
394
The <replaceable>ATTRIBUTE</replaceable> is the one as
374
395
used in <acronym>RFC</acronym> 2307 (e.g. <literal>userPassword</literal>,
375
<literal>ipProtocolNumber</literal> or <literal>macAddress</literal>).
396
<literal>ipProtocolNumber</literal>, <literal>macAddress</literal>, etc.).
376
397
The <replaceable>NEWATTRIBUTE</replaceable> may be any attribute
377
398
as it is available in the directory.
383
404
See the section on attribute mapping expressions below for more details.
386
Only some attributes for passwd and shadow entries may be mapped with
387
an expression (because other attributes may be used in search
407
Only some attributes for group, passwd and shadow entries may be mapped
408
with an expression (because other attributes may be used in search
410
For group entries only the <literal>userPassword</literal> attribute
411
may be mapped with an expression.
389
412
For passwd entries the following attributes may be mapped with an
390
expression: <literal>gidNumber</literal>, <literal>gecos</literal>,
391
<literal>homeDirectory</literal> and <literal>loginShell</literal>.
413
expression: <literal>userPassword</literal>, <literal>gidNumber</literal>,
414
<literal>gecos</literal>, <literal>homeDirectory</literal> and
415
<literal>loginShell</literal>.
392
416
For shadow entries the following attributes may be mapped with an
393
expression: <literal>shadowLastChange</literal>, <literal>shadowMin</literal>,
394
<literal>shadowMax</literal>, <literal>shadowWarning</literal>,
395
<literal>shadowInactive</literal>, <literal>shadowExpire</literal> and
396
<literal>shadowFlag</literal>.
417
expression: <literal>userPassword</literal>, <literal>shadowLastChange</literal>,
418
<literal>shadowMin</literal>, <literal>shadowMax</literal>,
419
<literal>shadowWarning</literal>, <literal>shadowInactive</literal>,
420
<literal>shadowExpire</literal> and <literal>shadowFlag</literal>.
423
The <literal>uidNumber</literal> and <literal>gidNumber</literal>
424
attributes in the <literal>passwd</literal> and <literal>group</literal>
425
maps may be mapped to the <literal>objectSid</literal> followed by
426
the domain SID to derive numeric user and group ids from the SID
427
(e.g. <literal>objectSid:S-1-5-21-3623811015-3361044348-30300820</literal>).
430
By default all <literal>userPassword</literal> attributes are mapped
431
to the unmatchable password ("*") to avoid accidentally leaking
432
password information.
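Review bot: the new text allows userPassword to be mapped with an expression for group, passwd and shadow entries but only says the "*" default avoids accidental leaks; it should also state the consequence of overriding it: values returned through the passwd and group maps are readable by every local user, so a real hash mapped there becomes visible system-wide, and the shadow map is the only place such a mapping belongs. The objectSid example would also read more clearly if it said that the value given is the domain SID prefix and that the numeric id is derived from the entry's own SID relative to it.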
554
<varlistentry id="tls_cacertdir">
519
555
<term><option>tls_cacertdir</option> <replaceable>PATH</replaceable></term>
522
558
Specifies the directory containing X.509 certificates for peer
560
This parameter is ignored when using GnuTLS.
561
On Debian OpenLDAP is linked against GnuTLS.
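Review bot: saying tls_cacertdir is ignored under GnuTLS without naming the alternative leaves Debian users with a setting that silently does nothing, which is exactly how peer certificate verification ends up not happening in practice. Suggest adding "use tls_cacertfile instead" directly after "This parameter is ignored when using GnuTLS." so the reader is pointed at the option that does take effect.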
566
<varlistentry id="tls_cacertfile">
529
567
<term><option>tls_cacertfile</option> <replaceable>PATH</replaceable></term>
575
<varlistentry id="tls_randfile">
538
576
<term><option>tls_randfile</option> <replaceable>PATH</replaceable></term>
541
579
Specifies the path to an entropy source.
580
This parameter is ignored when using GnuTLS.
581
On Debian OpenLDAP is linked against GnuTLS.
586
<varlistentry id="tls_ciphers">
547
587
<term><option>tls_ciphers</option> <replaceable>CIPHERS</replaceable></term>
675
<varlistentry id="nss_min_uid">
676
<term><option>nss_min_uid</option> <replaceable>UID</replaceable></term>
679
This option ensures that <acronym>LDAP</acronym> users with a numeric
680
user id lower than the specified value are ignored. Also requests for
681
users with a lower user id are ignored.
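Review bot: the description says what nss_min_uid does but not why an administrator would set it; suggest stating that it keeps LDAP entries from overriding or shadowing low-numbered local system accounts such as root and service users. The second sentence, "Also requests for users with a lower user id are ignored", should say that it refers to lookups by numeric id (getpwuid-style requests) so it is not read as a repeat of the first sentence.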
686
<varlistentry id="validnames">
687
<term><option>validnames</option> <replaceable>REGEX</replaceable></term>
690
This option can be used to specify how user and group names are
691
verified within the system. This pattern is used to check all user and
692
group names that are requested and returned from <acronym>LDAP</acronym>.
695
The regular expression should be specified as a POSIX extended regular
696
expression. The expression itself needs to be separated by slash (/)
697
characters and the 'i' flag may be appended at the end to indicate
698
that the match should be case-insensetive.
700
<literal>/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i</literal>
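Review bot: "case-insensetive" in the flag description should be "case-insensitive". For the default pattern, the middle character class contains a literal space, so names with embedded spaces are accepted; since validnames is the check that keeps unexpected names away from the rest of the system, the text should say this is deliberate and that administrators who do not need such names can tighten the pattern.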
705
<varlistentry id="pam_authz_search">
636
706
<term><option>pam_authz_search</option>
637
707
<replaceable>FILTER</replaceable></term>
646
716
<literal>$username</literal>, <literal>$service</literal>,
647
717
<literal>$ruser</literal>, <literal>$rhost</literal>,
648
718
<literal>$tty</literal>, <literal>$hostname</literal>,
719
<literal>$fqdn</literal>,
649
720
<literal>$dn</literal>, and <literal>$uid</literal>.
650
721
These references are substituted in the search filter using the
651
722
same syntax as described in the section on attribute mapping
652
723
expressions below.
655
For example, to check that the user has a proper authorizedService
656
value if the attribute is present:
657
<literal>(&(objectClass=posixAccount)(uid=$username)
658
(|(authorizedService=$service)(!(authorizedService=*))))</literal>
726
For example, to check that the user has a proper <literal>authorizedService</literal>
727
value if the attribute is present (this almost emulates the
728
<option>pam_check_service_attr</option> option in PADL's pam_ldap):
729
<literallayout><literal>(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))</literal></literallayout>
732
The <option>pam_check_host_attr</option> option can be emulated with:
733
<literallayout><literal>(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))</literal></literallayout>
661
736
The default behaviour is not to do this extra search and always
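Review bot: the substitution rules say which variables are expanded but not whether their values are escaped for LDAP filter syntax; $ruser, $rhost, $service and $tty arrive from the PAM client, so a reader writing a filter needs to know whether parentheses, asterisks and backslashes in those values are escaped per RFC 4515 before substitution. Suggest stating this explicitly next to "These references are substituted in the search filter". The pam_check_host_attr example also deserves a sentence on why host=\\* carries a doubled backslash: under the expression escaping rules one backslash is consumed, so the filter receives a single backslash and matches a literal "*" value rather than any host.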
732
807
<title>Attribute mapping expressions</title>
734
809
For some attributes a mapping expression may be used to construct the
735
resulting value. This is currently only possible for attributes that do
811
This is currently only possible for attributes that do
736
812
not need to be used in search filters.
739
813
The expressions are a subset of the double quoted string expressions in the
740
814
Bourne (POSIX) shell.
741
815
Instead of variable substitution, attribute lookups are done on the current
842
Quote (<literal>"</literal>), dollar (<literal>$</literal>) or
843
backslash (<literal>\</literal>) characters should be escaped with a
844
backslash (<literal>\</literal>).
768
847
The <command>nslcd</command> daemon checks the expressions to figure
769
848
out which attributes to fetch from <acronym>LDAP</acronym>.
770
849
Some examples to demonstrate how these expressions may be used in