@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# The distinguished name of the search base.
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows the use of
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
#binddn cn=proxyuser,dc=padl,dc=com
# The credentials to bind with.
# Optional: default is no credential.
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/ldap.secret' instead
# of an editor to create the file.
#rootbinddn cn=manager,dc=padl,dc=com
# Optional: default is 389.
# Bind/connect timelimit
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
# persist: DSA connections are kept open (default)
# oneshot: DSA connections destroyed after request
#nss_connect_policy persist
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#nss_paged_results yes
# Pagesize: when paged results are enabled, used to set the
# pagesize to a custom value
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minimum or maximum UID number allowed
# Template login attribute, default template user
# (can be overridden by the value of the former attribute
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
# RACF is an alias for the above. For use with
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
# Use the OpenLDAP password change
# extended operation to update the password.
# Redirect users to a URL or somesuch on password
#pam_password_prohibit_message Please visit http://internal to change your password.
# Use backlinks for answering initgroups()
#nss_initgroups backlink
# Enable support for RFC2307bis (distinguished names in group
#nss_schema rfc2307bis
# RFC2307bis naming contexts
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
# attribute/objectclass mapping
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# the start_tls mechanism uses the normal LDAP port; LDAPS typically uses 636
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# See man ciphers for syntax
# Client certificate and key
# Use these, if your server requires client authentication.
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache