
  1: # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
  2: #
  3: # This is the configuration file for the LDAP nameservice
  4: # switch library and the LDAP PAM module.
  5: #
  6: # The man pages for this file are nss_ldap(5) and pam_ldap(5)
  7: #
  8: # PADL Software
  9: # http://www.padl.com
 10: #
 11: 
 12: # Your LDAP server. Must be resolvable without using LDAP.
 13: # Multiple hosts may be specified, each separated by a
 14: # space. How long nss_ldap takes to failover depends on
 15: # whether your LDAP client library supports configurable
 16: # network or connect timeouts (see bind_timelimit).
 17: #host 127.0.0.1
 18: 
 19: # The distinguished name of the search base.
 20: base dc=example,dc=com
 21: 
 22: # Another way to specify your LDAP server is to provide a
 23: # URI with the server name. This allows the use of
 24: # Unix domain sockets to connect to a local LDAP server.
 25: #uri ldap://127.0.0.1/
 26: #uri ldaps://127.0.0.1/
 27: #uri ldapi://%2fvar%2frun%2fldapi_sock/
 28: # Note: %2f encodes the '/' used as directory separator
 29: 
 30: # The LDAP version to use (defaults to 3
 31: # if supported by client library)
 32: #ldap_version 3
 33: 
 34: # The distinguished name to bind to the server with.
 35: # Optional: default is to bind anonymously.
 36: #binddn cn=proxyuser,dc=example,dc=com
 37: 
 38: # The credentials to bind with.
 39: # Optional: default is no credential. Note that a password stored here is readable by anyone who can read this file; see rootbinddn below for the /etc/ldap.secret alternative.
 40: #bindpw secret
 41: 
 42: # The distinguished name to bind to the server with
 43: # if the effective user ID is root. Password is
 44: # stored in /etc/ldap.secret (mode 600)
 45: #rootbinddn cn=manager,dc=example,dc=com
 46: 
 47: # The port.
 48: # Optional: default is 389.
 49: #port 389
 50: 
 51: # The search scope.
 52: #scope sub
 53: #scope one
 54: #scope base
 55: 
 56: # Search timelimit
 57: #timelimit 30
 58: timelimit 120
 59: 
 60: # Bind/connect timelimit
 61: #bind_timelimit 30
 62: bind_timelimit 120
 63: 
 64: # Reconnect policy: hard (default) will retry connecting to
 65: # the server with exponential backoff; soft will fail
 66: # immediately.
 67: #bind_policy hard
 68: 
 69: # Idle timelimit; client will close connections
 70: # (nss_ldap only) if the server has not been contacted
 71: # for the number of seconds specified below.
 72: #idle_timelimit 3600
 73: idle_timelimit 3600
 74: 
 75: # Filter to AND with uid=%s
 76: #pam_filter objectclass=account
 77: 
 78: # The user ID attribute (defaults to uid)
 79: #pam_login_attribute uid
 80: 
 81: # Search the root DSE for the password policy (works
 82: # with Netscape Directory Server)
 83: #pam_lookup_policy yes
 84: 
 85: # Check the 'host' attribute for access control
 86: # Default is no; if set to yes, and user has no
 87: # value for the host attribute, and pam_ldap is
 88: # configured for account management (authorization)
 89: # then the user will not be allowed to login.
 90: #pam_check_host_attr yes
 91: 
 92: # Check the 'authorizedService' attribute for access
 93: # control
 94: # Default is no; if set to yes, and the user has no
 95: # value for the authorizedService attribute, and
 96: # pam_ldap is configured for account management
 97: # (authorization) then the user will not be allowed
 98: # to login.
 99: #pam_check_service_attr yes
100: 
101: # Group to enforce membership of
102: #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
103: 
104: # Group member attribute
105: #pam_member_attribute uniquemember
106: 
107: # Specify a minimum or maximum UID number allowed
108: #pam_min_uid 0
109: #pam_max_uid 0
110: 
111: # Template login attribute, default template user
112: # (can be overridden by value of former attribute
113: # in user's entry)
114: #pam_login_attribute userPrincipalName
115: #pam_template_login_attribute uid
116: #pam_template_login nobody
117: 
118: # HEADS UP: the pam_crypt, pam_nds_passwd,
119: # and pam_ad_passwd options are no
120: # longer supported.
121: #
122: # Do not hash the password at all; presume
123: # the directory server will do it, if
124: # necessary. This is the default.
125: #pam_password clear
126: 
127: # Hash password locally; required for University of
128: # Michigan LDAP server, and works with Netscape
129: # Directory Server if you're using the UNIX-Crypt
130: # hash mechanism and not using the NT Synchronization
131: # service.
132: #pam_password crypt
133: 
134: # Remove old password first, then update in
135: # cleartext. Necessary for use with Novell
136: # Directory Services (NDS)
137: #pam_password clear_remove_old
138: #pam_password nds
139: 
140: # RACF is an alias for the above. For use with
141: # IBM RACF
142: #pam_password racf
143: 
144: # Update Active Directory password, by
145: # creating Unicode password and updating
146: # unicodePwd attribute.
147: #pam_password ad
148: 
149: # Use the OpenLDAP password change
150: # extended operation to update the password.
151: #pam_password exop
152: 
153: # Redirect users to a URL or similar on password
154: # changes.
155: #pam_password_prohibit_message Please visit http://internal to change your password.
156: 
157: # RFC2307bis naming contexts
158: # Syntax:
159: # nss_base_XXX		base?scope?filter
160: # where scope is {base,one,sub}
161: # and filter is a filter to be &'d with the
162: # default filter.
163: # You can omit the suffix eg:
164: # nss_base_passwd	ou=People,
165: # to append the default base DN but this
166: # may incur a small performance impact.
167: #nss_base_passwd	ou=People,dc=example,dc=com?one
168: #nss_base_shadow	ou=People,dc=example,dc=com?one
169: #nss_base_group		ou=Group,dc=example,dc=com?one
170: #nss_base_hosts		ou=Hosts,dc=example,dc=com?one
171: #nss_base_services	ou=Services,dc=example,dc=com?one
172: #nss_base_networks	ou=Networks,dc=example,dc=com?one
173: #nss_base_protocols	ou=Protocols,dc=example,dc=com?one
174: #nss_base_rpc		ou=Rpc,dc=example,dc=com?one
175: #nss_base_ethers	ou=Ethers,dc=example,dc=com?one
176: #nss_base_netmasks	ou=Networks,dc=example,dc=com?one
177: #nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
178: #nss_base_aliases	ou=Aliases,dc=example,dc=com?one
179: #nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one
180: 
181: # Just assume that there are no supplemental groups for these named users
182: nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
183: 
184: # attribute/objectclass mapping
185: # Syntax:
186: #nss_map_attribute	rfc2307attribute	mapped_attribute
187: #nss_map_objectclass	rfc2307objectclass	mapped_objectclass
188: 
189: # configure --enable-nds is no longer supported.
190: # NDS mappings
191: #nss_map_attribute uniqueMember member
192: 
193: # Services for UNIX 3.5 mappings
194: #nss_map_objectclass posixAccount User
195: #nss_map_objectclass shadowAccount User
196: #nss_map_attribute uid msSFU30Name
197: #nss_map_attribute uniqueMember msSFU30PosixMember
198: #nss_map_attribute userPassword msSFU30Password
199: #nss_map_attribute homeDirectory msSFU30HomeDirectory
200: #nss_map_attribute homeDirectory msSFUHomeDirectory
201: #nss_map_objectclass posixGroup Group
202: #pam_login_attribute msSFU30Name
203: #pam_filter objectclass=User
204: #pam_password ad
205: 
206: # configure --enable-mssfu-schema is no longer supported.
207: # Services for UNIX 2.0 mappings
208: #nss_map_objectclass posixAccount User
209: #nss_map_objectclass shadowAccount user
210: #nss_map_attribute uid msSFUName
211: #nss_map_attribute uniqueMember posixMember
212: #nss_map_attribute userPassword msSFUPassword
213: #nss_map_attribute homeDirectory msSFUHomeDirectory
214: #nss_map_attribute shadowLastChange pwdLastSet
215: #nss_map_objectclass posixGroup Group
216: #nss_map_attribute cn msSFUName
217: #pam_login_attribute msSFUName
218: #pam_filter objectclass=User
219: #pam_password ad
220: 
221: # RFC 2307 (AD) mappings
222: #nss_map_objectclass posixAccount user
223: #nss_map_objectclass shadowAccount user
224: #nss_map_attribute uid sAMAccountName
225: #nss_map_attribute homeDirectory unixHomeDirectory
226: #nss_map_attribute shadowLastChange pwdLastSet
227: #nss_map_objectclass posixGroup group
228: #nss_map_attribute uniqueMember member
229: #pam_login_attribute sAMAccountName
230: #pam_filter objectclass=User
231: #pam_password ad
232: 
233: # configure --enable-authpassword is no longer supported
234: # AuthPassword mappings
235: #nss_map_attribute userPassword authPassword
236: 
237: # AIX SecureWay mappings
238: #nss_map_objectclass posixAccount aixAccount
239: #nss_base_passwd ou=aixaccount,?one
240: #nss_map_attribute uid userName
241: #nss_map_attribute gidNumber gid
242: #nss_map_attribute uidNumber uid
243: #nss_map_attribute userPassword passwordChar
244: #nss_map_objectclass posixGroup aixAccessGroup
245: #nss_base_group ou=aixgroup,?one
246: #nss_map_attribute cn groupName
247: #nss_map_attribute uniqueMember member
248: #pam_login_attribute userName
249: #pam_filter objectclass=aixAccount
250: #pam_password clear
251: 
252: # Netscape SDK LDAPS
253: #ssl on
254: 
255: # Netscape SDK SSL options
256: #sslpath /etc/ssl/certs
257: 
258: # OpenLDAP SSL mechanism
259: # The start_tls mechanism upgrades a connection on the normal LDAP port (389); LDAPS typically uses port 636. With "ssl no" the connection is never encrypted, so that setting is only reasonable for a loopback or ldapi:// socket.
260: #ssl start_tls
261: #ssl on
262: 
263: # OpenLDAP SSL options
264: # Require and verify the server certificate (yes/no). Without verification the session is still encrypted but the server's identity is not checked.
265: # Default is to use libldap's default behavior, which can be configured in
266: # /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
267: # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
268: #tls_checkpeer yes
269: 
270: # CA certificates for server certificate verification
271: # At least one of these is required if tls_checkpeer is "yes"
272: #tls_cacertfile /etc/ssl/ca.cert
273: #tls_cacertdir /etc/ssl/certs
274: 
275: # Seed the PRNG if /dev/urandom is not provided
276: #tls_randfile /var/run/egd-pool
277: 
278: # SSL cipher suite
279: # See man ciphers for syntax
280: #tls_ciphers TLSv1
281: 
282: # Client certificate and key
283: # Use these, if your server requires client authentication.
284: #tls_cert
285: #tls_key
286: 
287: # Disable SASL security layers. This is needed for AD.
288: #sasl_secprops maxssf=0
289: 
290: # Override the default Kerberos ticket cache location.
291: #krb5_ccname FILE:/etc/.ldapcache
292: 
293: # SASL mechanism for PAM authentication - use is experimental
294: # at present and does not support password policy control
295: #pam_sasl_mech DIGEST-MD5
296: uri ldap://127.0.0.1/
297: ssl no
298: tls_cacertdir /etc/openldap/cacerts
299: pam_password md5