[packages/openldap.git] / ldap.conf

# @(#)$Id$
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a 
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base dc=my-domain,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
#bindpw secret

# BEGIN PLD Linux specific options

# Enabling userconnect check feature allows you
# to make a connection to LDAP server using
# user DN and password given by application,
# but without fetching any data from LDAP server!
# If connect succeeds then we're authenticated.

# Enable support.
#userconnect_check yes

# The distinguished name to bind to the server with
# A_USER macro will be expanded into username.
#userdn cn=A_USER,dc=padl,dc=com

# END PLD Linux specific options

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
#bind_policy hard

# Connection policy:
#  persist:   DSA connections are kept open (default)
#  oneshot:   DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged rseults
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=padl,dc=com?one
#nss_base_shadow	ou=People,dc=padl,dc=com?one
#nss_base_group		ou=Group,dc=padl,dc=com?one
#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
#nss_base_services	ou=Services,dc=padl,dc=com?one
#nss_base_networks	ou=Networks,dc=padl,dc=com?one
#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/certs/ca-certificates.crt
#tls_cacertdir /etc/openssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
Commit	Line	Data
22a1867c	1	# @(#)$Id$
9d6f98cd JK	2	#
	3	# This is the configuration file for the LDAP nameservice
	4	# switch library and the LDAP PAM module.
	5	#
22a1867c JR	6	# PADL Software
22a1867c JR	7	# http://www.padl.com
9d6f98cd JK	8	#
9d6f98cd JK	9
22a1867c JR	10	# Your LDAP server. Must be resolvable without using LDAP.
	11	# Multiple hosts may be specified, each separated by a
	12	# space. How long nss_ldap takes to failover depends on
	13	# whether your LDAP client library supports configurable
	14	# network or connect timeouts (see bind_timelimit).
9d6f98cd JK	15	host 127.0.0.1
	16
	17	# The distinguished name of the search base.
34cb727f	18	base dc=my-domain,dc=com
9d6f98cd	19
22a1867c JR	20	# Another way to specify your LDAP server is to provide an
	21	# uri with the server name. This allows to use
	22	# Unix Domain Sockets to connect to a local LDAP Server.
	23	#uri ldap://127.0.0.1/
	24	#uri ldaps://127.0.0.1/
	25	#uri ldapi://%2fvar%2frun%2fldapi_sock/
	26	# Note: %2f encodes the '/' used as directory separator
	27
	28	# The LDAP version to use (defaults to 3
	29	# if supported by client library)
c50090b6	30	ldap_version 3
9d6f98cd	31
22a1867c JR	32	# The distinguished name to bind to the server with.
	33	# Optional: default is to bind anonymously.
	34	#binddn cn=proxyuser,dc=padl,dc=com
	35
	36	# The credentials to bind with.
	37	# Optional: default is no credential.
	38	#bindpw secret
	39
	40	# BEGIN PLD Linux specific options
	41
	42	# Enabling userconnect check feature allows you
	43	# to make a connection to LDAP server using
	44	# user DN and password given by application,
	45	# but without fetching any data from LDAP server!
	46	# If connect succeeds then we're authenticated.
	47
	48	# Enable support.
	49	#userconnect_check yes
	50
	51	# The distinguished name to bind to the server with
	52	# A_USER macro will be expanded into username.
	53	#userdn cn=A_USER,dc=padl,dc=com
	54
	55	# END PLD Linux specific options
	56
	57	# The distinguished name to bind to the server with
	58	# if the effective user ID is root. Password is
	59	# stored in /etc/ldap.secret (mode 600)
	60	#rootbinddn cn=manager,dc=padl,dc=com
	61
	62	# The port.
	63	# Optional: default is 389.
	64	#port 389
	65
	66	# The search scope.
	67	#scope sub
	68	#scope one
	69	#scope base
	70
	71	# Search timelimit
	72	#timelimit 30
	73
	74	# Bind/connect timelimit
	75	#bind_timelimit 30
	76
2fbbad31 JR	77	# Reconnect policy:
	78	# hard_open: reconnect to DSA with exponential backoff if
	79	# opening connection failed
	80	# hard_init: reconnect to DSA with exponential backoff if
	81	# initializing connection failed
	82	# hard: alias for hard_open
	83	# soft: return immediately on server failure
22a1867c JR	84	#bind_policy hard
22a1867c JR	85
2fbbad31 JR	86	# Connection policy:
	87	# persist: DSA connections are kept open (default)
	88	# oneshot: DSA connections destroyed after request
	89	#nss_connect_policy persist
	90
22a1867c JR	91	# Idle timelimit; client will close connections
	92	# (nss_ldap only) if the server has not been contacted
	93	# for the number of seconds specified below.
	94	#idle_timelimit 3600
	95
2fbbad31 JR	96	# Use paged rseults
	97	#nss_paged_results yes
	98
	99	# Pagesize: when paged results enable, used to set the
	100	# pagesize to a custom value
	101	#pagesize 1000
	102
9d6f98cd	103	# Filter to AND with uid=%s
22a1867c	104	#pam_filter objectclass=account
9d6f98cd JK	105
	106	# The user ID attribute (defaults to uid)
	107	pam_login_attribute uid
	108
	109	# Search the root DSE for the password policy (works
	110	# with Netscape Directory Server)
	111	#pam_lookup_policy yes
	112
22a1867c JR	113	# Check the 'host' attribute for access control
	114	# Default is no; if set to yes, and user has no
	115	# value for the host attribute, and pam_ldap is
	116	# configured for account management (authorization)
	117	# then the user will not be allowed to login.
	118	#pam_check_host_attr yes
	119
	120	# Check the 'authorizedService' attribute for access
	121	# control
	122	# Default is no; if set to yes, and the user has no
	123	# value for the authorizedService attribute, and
	124	# pam_ldap is configured for account management
	125	# (authorization) then the user will not be allowed
	126	# to login.
	127	#pam_check_service_attr yes
	128
9d6f98cd JK	129	# Group to enforce membership of
	130	#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
	131
	132	# Group member attribute
	133	#pam_member_attribute uniquemember
	134
22a1867c JR	135	# Specify a minium or maximum UID number allowed
	136	#pam_min_uid 0
	137	#pam_max_uid 0
	138
	139	# Template login attribute, default template user
	140	# (can be overriden by value of former attribute
	141	# in user's entry)
	142	#pam_login_attribute userPrincipalName
	143	#pam_template_login_attribute uid
	144	#pam_template_login nobody
	145
	146	# HEADS UP: the pam_crypt, pam_nds_passwd,
	147	# and pam_ad_passwd options are no
	148	# longer supported.
	149	#
22a1867c JR	150	# Do not hash the password at all; presume
	151	# the directory server will do it, if
	152	# necessary. This is the default.
	153	#pam_password clear
	154
9d6f98cd JK	155	# Hash password locally; required for University of
	156	# Michigan LDAP server, and works with Netscape
	157	# Directory Server if you're using the UNIX-Crypt
	158	# hash mechanism and not using the NT Synchronization
22a1867c JR	159	# service.
	160	pam_password crypt
	161
	162	# Remove old password first, then update in
	163	# cleartext. Necessary for use with Novell
	164	# Directory Services (NDS)
	165	#pam_password clear_remove_old
	166	#pam_password nds
	167
	168	# RACF is an alias for the above. For use with
	169	# IBM RACF
	170	#pam_password racf
	171
	172	# Update Active Directory password, by
	173	# creating Unicode password and updating
	174	# unicodePwd attribute.
	175	#pam_password ad
	176
	177	# Use the OpenLDAP password change
	178	# extended operation to update the password.
	179	#pam_password exop
	180
	181	# Redirect users to a URL or somesuch on password
	182	# changes.
	183	#pam_password_prohibit_message Please visit http://internal to change your password.
	184
2fbbad31 JR	185	# Use backlinks for answering initgroups()
	186	#nss_initgroups backlink
	187
	188	# Enable support for RFC2307bis (distinguished names in group
	189	# members)
	190	#nss_schema rfc2307bis
	191
22a1867c JR	192	# RFC2307bis naming contexts
	193	# Syntax:
	194	# nss_base_XXX base?scope?filter
	195	# where scope is {base,one,sub}
	196	# and filter is a filter to be &'d with the
	197	# default filter.
	198	# You can omit the suffix eg:
	199	# nss_base_passwd ou=People,
	200	# to append the default base DN but this
	201	# may incur a small performance impact.
	202	#nss_base_passwd ou=People,dc=padl,dc=com?one
	203	#nss_base_shadow ou=People,dc=padl,dc=com?one
	204	#nss_base_group ou=Group,dc=padl,dc=com?one
	205	#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
	206	#nss_base_services ou=Services,dc=padl,dc=com?one
	207	#nss_base_networks ou=Networks,dc=padl,dc=com?one
	208	#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
	209	#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
	210	#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
	211	#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
	212	#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
	213	#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
	214	#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
	215
	216	# attribute/objectclass mapping
	217	# Syntax:
	218	#nss_map_attribute rfc2307attribute mapped_attribute
	219	#nss_map_objectclass rfc2307objectclass mapped_objectclass
	220
	221	# configure --enable-nds is no longer supported.
	222	# NDS mappings
	223	#nss_map_attribute uniqueMember member
	224
	225	# Services for UNIX 3.5 mappings
	226	#nss_map_objectclass posixAccount User
	227	#nss_map_objectclass shadowAccount User
	228	#nss_map_attribute uid msSFU30Name
	229	#nss_map_attribute uniqueMember msSFU30PosixMember
	230	#nss_map_attribute userPassword msSFU30Password
	231	#nss_map_attribute homeDirectory msSFU30HomeDirectory
	232	#nss_map_attribute homeDirectory msSFUHomeDirectory
	233	#nss_map_objectclass posixGroup Group
	234	#pam_login_attribute msSFU30Name
	235	#pam_filter objectclass=User
	236	#pam_password ad
	237
	238	# configure --enable-mssfu-schema is no longer supported.
	239	# Services for UNIX 2.0 mappings
	240	#nss_map_objectclass posixAccount User
	241	#nss_map_objectclass shadowAccount user
	242	#nss_map_attribute uid msSFUName
	243	#nss_map_attribute uniqueMember posixMember
	244	#nss_map_attribute userPassword msSFUPassword
	245	#nss_map_attribute homeDirectory msSFUHomeDirectory
	246	#nss_map_attribute shadowLastChange pwdLastSet
	247	#nss_map_objectclass posixGroup Group
	248	#nss_map_attribute cn msSFUName
	249	#pam_login_attribute msSFUName
	250	#pam_filter objectclass=User
	251	#pam_password ad
	252
	253	# RFC 2307 (AD) mappings
	254	#nss_map_objectclass posixAccount user
	255	#nss_map_objectclass shadowAccount user
256	#nss_map_attribute uid sAMAccountName
257	#nss_map_attribute homeDirectory unixHomeDirectory
258	#nss_map_attribute shadowLastChange pwdLastSet
259	#nss_map_objectclass posixGroup group
260	#nss_map_attribute uniqueMember member
261	#pam_login_attribute sAMAccountName
262	#pam_filter objectclass=User
263	#pam_password ad
264
265	# configure --enable-authpassword is no longer supported
266	# AuthPassword mappings
267	#nss_map_attribute userPassword authPassword
268
269	# AIX SecureWay mappings
270	#nss_map_objectclass posixAccount aixAccount
271	#nss_base_passwd ou=aixaccount,?one
272	#nss_map_attribute uid userName
273	#nss_map_attribute gidNumber gid
274	#nss_map_attribute uidNumber uid
275	#nss_map_attribute userPassword passwordChar
276	#nss_map_objectclass posixGroup aixAccessGroup
277	#nss_base_group ou=aixgroup,?one
278	#nss_map_attribute cn groupName
279	#nss_map_attribute uniqueMember member
280	#pam_login_attribute userName
281	#pam_filter objectclass=aixAccount
282	#pam_password clear
283
2fbbad31 JR	284	# For pre-RFC2307bis automount schema
	285	#nss_map_objectclass automountMap nisMap
	286	#nss_map_attribute automountMapName nisMapName
	287	#nss_map_objectclass automount nisObject
	288	#nss_map_attribute automountKey cn
	289	#nss_map_attribute automountInformation nisMapEntry
	290
22a1867c JR	291	# Netscape SDK LDAPS
	292	#ssl on
	293
	294	# Netscape SDK SSL options
	295	#sslpath /etc/ssl/certs/cert7.db
	296
	297	# OpenLDAP SSL mechanism
	298	# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
	299	#ssl start_tls
	300	#ssl on
	301
	302	# OpenLDAP SSL options
	303	# Require and verify server certificate (yes/no)
	304	# Default is to use libldap's default behavior, which can be configured in
	305	# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
	306	# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
	307	#tls_checkpeer yes
	308
	309	# CA certificates for server certificate verification
	310	# At least one of these are required if tls_checkpeer is "yes"
9be9eb20 ER	311	#tls_cacertfile /etc/certs/ca-certificates.crt
9be9eb20 ER	312	#tls_cacertdir /etc/openssl/certs
22a1867c JR	313
	314	# Seed the PRNG if /dev/urandom is not provided
	315	#tls_randfile /var/run/egd-pool
	316
	317	# SSL cipher suite
	318	# See man ciphers for syntax
	319	#tls_ciphers TLSv1
	320
	321	# Client certificate and key
	322	# Use these, if your server requires client authentication.
	323	#tls_cert
	324	#tls_key
	325
	326	# Disable SASL security layers. This is needed for AD.
	327	#sasl_secprops maxssf=0
	328
	329	# Override the default Kerberos ticket cache location.
	330	#krb5_ccname FILE:/etc/.ldapcache
9d6f98cd	331
22a1867c JR	332	# SASL mechanism for PAM authentication - use is experimental
	333	# at present and does not support password policy control
	334	#pam_sasl_mech DIGEST-MD5