etc-ldap.conf
1: # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
2: #
3: # This is the configuration file for the LDAP nameservice
4: # switch library and the LDAP PAM module.
5: #
6: # The man pages for this file are nss_ldap(5) and pam_ldap(5)
7: #
8: # PADL Software
9: # http://www.padl.com
10: #
11:
12: # Your LDAP server. Must be resolvable without using LDAP.
13: # Multiple hosts may be specified, each separated by a
14: # space. How long nss_ldap takes to failover depends on
15: # whether your LDAP client library supports configurable
16: # network or connect timeouts (see bind_timelimit).
17: #host 127.0.0.1
18:
19: # The distinguished name of the search base.
20: base dc=gcaw,dc=org
21:
22: # Another way to specify your LDAP server is to provide a
23: # URI containing the server name. This also allows the use of
24: # Unix domain sockets to connect to a local LDAP server.
25: #uri ldap://127.0.0.1/
26: #uri ldaps://127.0.0.1/
27: #uri ldapi://%2fvar%2frun%2fldapi_sock/
28: # Note: %2f encodes the '/' used as directory separator
29:
30: # The LDAP version to use (defaults to 3
31: # if supported by client library)
32: #ldap_version 3
33:
34: # The distinguished name to bind to the server with.
35: # Optional: default is to bind anonymously.
36: #binddn cn=proxyuser,dc=example,dc=com
37:
38: # The credentials to bind with.
39: # Optional: default is no credential.
40: #bindpw secret
41:
42: # The distinguished name to bind to the server with
43: # if the effective user ID is root. Password is
44: # stored in /etc/ldap.secret (mode 600)
45: #rootbinddn cn=manager,dc=example,dc=com
46:
47: # The port.
48: # Optional: default is 389.
49: #port 389
50:
51: # The search scope.
52: #scope sub
53: #scope one
54: #scope base
55:
56: # Search timelimit
57: #timelimit 30
58: timelimit 120
59:
60: # Bind/connect timelimit
61: #bind_timelimit 30
62: bind_timelimit 120
63:
64: # Reconnect policy: hard (default) will retry connecting to
65: # the server with exponential backoff; soft will fail
66: # immediately.
67: #bind_policy hard
68:
69: # Idle timelimit; client will close connections
70: # (nss_ldap only) if the server has not been contacted
71: # for the number of seconds specified below.
72: #idle_timelimit 3600
73: idle_timelimit 3600
74:
75: # Filter to AND with uid=%s
76: #pam_filter objectclass=account
77:
78: # The user ID attribute (defaults to uid)
79: #pam_login_attribute uid
80:
81: # Search the root DSE for the password policy (works
82: # with Netscape Directory Server)
83: #pam_lookup_policy yes
84:
85: # Check the 'host' attribute for access control
86: # Default is no; if set to yes, and user has no
87: # value for the host attribute, and pam_ldap is
88: # configured for account management (authorization)
89: # then the user will not be allowed to login.
90: #pam_check_host_attr yes
91:
92: # Check the 'authorizedService' attribute for access
93: # control
94: # Default is no; if set to yes, and the user has no
95: # value for the authorizedService attribute, and
96: # pam_ldap is configured for account management
97: # (authorization) then the user will not be allowed
98: # to login.
99: #pam_check_service_attr yes
100:
101: # Group to enforce membership of
102: #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
103:
104: # Group member attribute
105: #pam_member_attribute uniquemember
106:
107: # Specify a minimum or maximum UID number allowed
108: #pam_min_uid 0
109: #pam_max_uid 0
110:
111: # Template login attribute and default template user
112: # (can be overridden by the value of the former attribute
113: # in the user's entry)
114: #pam_login_attribute userPrincipalName
115: #pam_template_login_attribute uid
116: #pam_template_login nobody
117:
118: # HEADS UP: the pam_crypt, pam_nds_passwd,
119: # and pam_ad_passwd options are no
120: # longer supported.
121: #
122: # Do not hash the password at all; presume
123: # the directory server will do it, if
124: # necessary. This is the default.
125: #pam_password clear
126:
127: # Hash password locally; required for University of
128: # Michigan LDAP server, and works with Netscape
129: # Directory Server if you're using the UNIX-Crypt
130: # hash mechanism and not using the NT Synchronization
131: # service.
132: #pam_password crypt
133:
134: # Remove old password first, then update in
135: # cleartext. Necessary for use with Novell
136: # Directory Services (NDS)
137: #pam_password clear_remove_old
138: #pam_password nds
139:
140: # RACF is an alias for the above. For use with
141: # IBM RACF
142: #pam_password racf
143:
144: # Update Active Directory password, by
145: # creating Unicode password and updating
146: # unicodePwd attribute.
147: #pam_password ad
148:
149: # Use the OpenLDAP password change
150: # extended operation to update the password.
151: #pam_password exop
152:
153: # Redirect users to a URL (or similar) on password
154: # changes.
155: #pam_password_prohibit_message Please visit http://internal to change your password.
156:
157: # RFC2307bis naming contexts
158: # Syntax:
159: # nss_base_XXX base?scope?filter
160: # where scope is {base,one,sub}
161: # and filter is a filter to be &'d with the
162: # default filter.
163: # You can omit the suffix eg:
164: # nss_base_passwd ou=People,
165: # to append the default base DN but this
166: # may incur a small performance impact.
167: #nss_base_passwd ou=People,dc=example,dc=com?one
168: #nss_base_shadow ou=People,dc=example,dc=com?one
169: #nss_base_group ou=Group,dc=example,dc=com?one
170: #nss_base_hosts ou=Hosts,dc=example,dc=com?one
171: #nss_base_services ou=Services,dc=example,dc=com?one
172: #nss_base_networks ou=Networks,dc=example,dc=com?one
173: #nss_base_protocols ou=Protocols,dc=example,dc=com?one
174: #nss_base_rpc ou=Rpc,dc=example,dc=com?one
175: #nss_base_ethers ou=Ethers,dc=example,dc=com?one
176: #nss_base_netmasks ou=Networks,dc=example,dc=com?one
177: #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
178: #nss_base_aliases ou=Aliases,dc=example,dc=com?one
179: #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
180:
181: # Just assume that there are no supplemental groups for these named users
182: nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
183:
184: # attribute/objectclass mapping
185: # Syntax:
186: #nss_map_attribute rfc2307attribute mapped_attribute
187: #nss_map_objectclass rfc2307objectclass mapped_objectclass
188:
189: # configure --enable-nds is no longer supported.
190: # NDS mappings
191: #nss_map_attribute uniqueMember member
192:
193: # Services for UNIX 3.5 mappings
194: #nss_map_objectclass posixAccount User
195: #nss_map_objectclass shadowAccount User
196: #nss_map_attribute uid msSFU30Name
197: #nss_map_attribute uniqueMember msSFU30PosixMember
198: #nss_map_attribute userPassword msSFU30Password
199: #nss_map_attribute homeDirectory msSFU30HomeDirectory
200: #nss_map_attribute homeDirectory msSFUHomeDirectory
201: #nss_map_objectclass posixGroup Group
202: #pam_login_attribute msSFU30Name
203: #pam_filter objectclass=User
204: #pam_password ad
205:
206: # configure --enable-mssfu-schema is no longer supported.
207: # Services for UNIX 2.0 mappings
208: #nss_map_objectclass posixAccount User
209: #nss_map_objectclass shadowAccount user
210: #nss_map_attribute uid msSFUName
211: #nss_map_attribute uniqueMember posixMember
212: #nss_map_attribute userPassword msSFUPassword
213: #nss_map_attribute homeDirectory msSFUHomeDirectory
214: #nss_map_attribute shadowLastChange pwdLastSet
215: #nss_map_objectclass posixGroup Group
216: #nss_map_attribute cn msSFUName
217: #pam_login_attribute msSFUName
218: #pam_filter objectclass=User
219: #pam_password ad
220:
221: # RFC 2307 (AD) mappings
222: #nss_map_objectclass posixAccount user
223: #nss_map_objectclass shadowAccount user
224: #nss_map_attribute uid sAMAccountName
225: #nss_map_attribute homeDirectory unixHomeDirectory
226: #nss_map_attribute shadowLastChange pwdLastSet
227: #nss_map_objectclass posixGroup group
228: #nss_map_attribute uniqueMember member
229: #pam_login_attribute sAMAccountName
230: #pam_filter objectclass=User
231: #pam_password ad
232:
233: # configure --enable-authpassword is no longer supported
234: # AuthPassword mappings
235: #nss_map_attribute userPassword authPassword
236:
237: # AIX SecureWay mappings
238: #nss_map_objectclass posixAccount aixAccount
239: #nss_base_passwd ou=aixaccount,?one
240: #nss_map_attribute uid userName
241: #nss_map_attribute gidNumber gid
242: #nss_map_attribute uidNumber uid
243: #nss_map_attribute userPassword passwordChar
244: #nss_map_objectclass posixGroup aixAccessGroup
245: #nss_base_group ou=aixgroup,?one
246: #nss_map_attribute cn groupName
247: #nss_map_attribute uniqueMember member
248: #pam_login_attribute userName
249: #pam_filter objectclass=aixAccount
250: #pam_password clear
251:
252: # Netscape SDK LDAPS
253: #ssl on
254:
255: # Netscape SDK SSL options
256: #sslpath /etc/ssl/certs
257:
258: # OpenLDAP SSL mechanism
259: # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
260: #ssl start_tls
261: #ssl on
262:
263: # OpenLDAP SSL options
264: # Require and verify server certificate (yes/no)
265: # Default is to use libldap's default behavior, which can be configured in
266: # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
267: # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
268: # With "no", the connection is still encrypted but the server's identity
268: # is not verified.
268: #tls_checkpeer yes
269:
270: # CA certificates for server certificate verification
271: # At least one of these is required if tls_checkpeer is "yes"
272: #tls_cacertfile /etc/ssl/ca.cert
273: #tls_cacertdir /etc/ssl/certs
274:
275: # Seed the PRNG if /dev/urandom is not available
276: #tls_randfile /var/run/egd-pool
277:
278: # SSL cipher suite
279: # See man ciphers for syntax
280: #tls_ciphers TLSv1
281:
282: # Client certificate and key
283: # Use these, if your server requires client authentication.
284: #tls_cert
285: #tls_key
286:
287: # Disable SASL security layers. This is needed for AD.
288: #sasl_secprops maxssf=0
289:
290: # Override the default Kerberos ticket cache location.
291: #krb5_ccname FILE:/etc/.ldapcache
292:
293: # SASL mechanism for PAM authentication - use is experimental
294: # at present and does not support password policy control
295: #pam_sasl_mech DIGEST-MD5
296: uri ldap://127.0.0.1/
297: ssl no
298: tls_cacertdir /etc/openldap/cacerts
299: pam_password md5