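# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man pages for this file are nss_ldap(5) and pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30
timelimit 120

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
# (scope was misspelt "?ne" in the original; "one" is the valid scope)
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

# Active site-local settings.
# NOTE(review): "ssl no" turns TLS off, so binds and any pam_password
# update cross the wire in cleartext; that is only defensible while the
# uri stays on the loopback address. If the uri is ever pointed at a
# remote server, enable "ssl start_tls" (or an ldaps:// uri) together
# with "tls_checkpeer yes". The tls_cacertdir below has no effect while
# ssl is "no".
uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
# NOTE(review): "md5" hashes the new password on the client before it is
# stored, as an unsalted {MD5} value (see pam_ldap(5)); where the
# directory supports the password-modify extended operation, "exop"
# (server-side hashing, see above) is the stronger choice.
pam_password md5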