22a1867c | 1 | # @(#)$Id$ |
2 | # |
3 | # This is the configuration file for the LDAP nameservice | |
4 | # switch library and the LDAP PAM module. | |
5 | # | |
6 | # PADL Software |
7 | # http://www.padl.com | |
8 | # |
9 | ||
10 | # Your LDAP server. Must be resolvable without using LDAP. |
11 | # Multiple hosts may be specified, each separated by a | |
12 | # space. How long nss_ldap takes to fail over depends on | |
13 | # whether your LDAP client library supports configurable | |
14 | # network or connect timeouts (see bind_timelimit). | |
 | # Note: with the host/port form the connection is plain LDAP | |
 | # unless "ssl start_tls" or "ssl on" is set further below; simple | |
 | # binds then send the bind password (and, via pam_ldap, users' | |
 | # passwords) over the network in the clear. | |
15 | host 127.0.0.1 |
16 | ||
17 | # The distinguished name of the search base. | |
34cb727f | 18 | base dc=my-domain,dc=com |
9d6f98cd | 19 | |
20 | # Another way to specify your LDAP server is to provide a |
21 | # URI with the server name. This also allows the use of | |
22 | # Unix domain sockets (ldapi://) to connect to a local LDAP server. | |
 | # Prefer ldaps:// or ldapi:// (or ldap:// combined with | |
 | # "ssl start_tls" below) over plain ldap://, so that bind | |
 | # credentials are not sent unencrypted over the network. | |
23 | #uri ldap://127.0.0.1/ | |
24 | #uri ldaps://127.0.0.1/ | |
25 | #uri ldapi://%2fvar%2frun%2fldapi_sock/ | |
26 | # Note: %2f encodes the '/' used as directory separator | |
27 | ||
28 | # The LDAP version to use (defaults to 3 | |
29 | # if supported by client library) | |
c50090b6 | 30 | ldap_version 3 |
9d6f98cd | 31 | |
32 | # The distinguished name to bind to the server with. |
33 | # Optional: default is to bind anonymously. | |
34 | #binddn cn=proxyuser,dc=padl,dc=com | |
35 | ||
36 | # The credentials to bind with. | |
37 | # Optional: default is no credential. | |
 | # Caution: this file is normally world-readable (nss_ldap is | |
 | # loaded into ordinary user processes), so a bindpw placed here | |
 | # is exposed to every local user. Give the proxy user read-only, | |
 | # minimal rights, or use rootbinddn with /etc/ldap.secret (below) | |
 | # for any privileged bind. | |
38 | #bindpw secret | |
39 | ||
40 | # BEGIN PLD Linux specific options | |
41 | ||
42 | # Enabling the userconnect check feature makes the module | |
43 | # authenticate by binding to the LDAP server with the | |
44 | # user's DN (see userdn) and the password supplied by the | |
45 | # application, without fetching any data from the server. | |
46 | # If the bind succeeds, the user is considered authenticated. | |
 | # Caution: many servers treat a bind with a DN and an empty | |
 | # password as an anonymous/unauthenticated bind that "succeeds" | |
 | # (RFC 4513, section 5.1.2). Make sure the server rejects | |
 | # unauthenticated binds, or that empty passwords are refused | |
 | # before the bind is attempted, or this check can be bypassed. | |
47 | ||
48 | # Enable support. | |
49 | #userconnect_check yes | |
50 | ||
51 | # The distinguished name to bind to the server with. | |
52 | # The A_USER macro is expanded to the login name supplied | |
 | # by the application. Whether DN-special characters in the | |
 | # name (",", "+", "=", "\") are escaped before substitution is | |
 | # not shown here -- confirm it, since an unescaped name could | |
 | # change the DN that is bound to. | |
53 | #userdn cn=A_USER,dc=padl,dc=com | |
54 | ||
55 | # END PLD Linux specific options | |
56 | ||
57 | # The distinguished name to bind to the server with | |
58 | # if the effective user ID is root. The password is | |
59 | # read from /etc/ldap.secret, which must be owned by | |
 | # root with mode 600; this lets a privileged bind DN be | |
 | # used without putting its password in this file. | |
60 | #rootbinddn cn=manager,dc=padl,dc=com | |
61 | ||
62 | # The port. | |
63 | # Optional: default is 389. | |
64 | #port 389 | |
65 | ||
66 | # The search scope. | |
67 | #scope sub | |
68 | #scope one | |
69 | #scope base | |
70 | ||
71 | # Search timelimit | |
72 | #timelimit 30 | |
73 | ||
74 | # Bind/connect timelimit | |
75 | #bind_timelimit 30 | |
76 | ||
77 | # Reconnect policy: |
78 | # hard_open: reconnect to DSA with exponential backoff if | |
79 | # opening connection failed | |
80 | # hard_init: reconnect to DSA with exponential backoff if | |
81 | # initializing connection failed | |
82 | # hard: alias for hard_open | |
83 | # soft: return immediately on server failure | |
84 | #bind_policy hard |
85 | ||
86 | # Connection policy: |
87 | # persist: DSA connections are kept open (default) | |
88 | # oneshot: DSA connections destroyed after request | |
89 | #nss_connect_policy persist | |
90 | ||
91 | # Idle timelimit; client will close connections |
92 | # (nss_ldap only) if the server has not been contacted | |
93 | # for the number of seconds specified below. | |
94 | #idle_timelimit 3600 | |
95 | ||
96 | # Use paged results |
97 | #nss_paged_results yes | |
98 | ||
99 | # Pagesize: when paged results enable, used to set the | |
100 | # pagesize to a custom value | |
101 | #pagesize 1000 | |
102 | ||
9d6f98cd | 103 | # Filter to AND with uid=%s |
22a1867c | 104 | #pam_filter objectclass=account |
105 | |
106 | # The user ID attribute (defaults to uid) | |
107 | pam_login_attribute uid | |
108 | ||
109 | # Search the root DSE for the password policy (works | |
110 | # with Netscape Directory Server) | |
111 | #pam_lookup_policy yes | |
112 | ||
113 | # Check the 'host' attribute for access control |
114 | # Default is no; if set to yes, and user has no | |
115 | # value for the host attribute, and pam_ldap is | |
116 | # configured for account management (authorization) | |
117 | # then the user will not be allowed to login. | |
118 | #pam_check_host_attr yes | |
119 | ||
120 | # Check the 'authorizedService' attribute for access | |
121 | # control | |
122 | # Default is no; if set to yes, and the user has no | |
123 | # value for the authorizedService attribute, and | |
124 | # pam_ldap is configured for account management | |
125 | # (authorization) then the user will not be allowed | |
126 | # to login. | |
127 | #pam_check_service_attr yes | |
128 | ||
129 | # Group to enforce membership of |
130 | #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com | |
131 | ||
132 | # Group member attribute | |
133 | #pam_member_attribute uniquemember | |
134 | ||
135 | # Specify a minimum or maximum UID number allowed |
 | # (0 means no limit). Setting pam_min_uid above the local | |
 | # system-account range keeps a directory entry with a low | |
 | # uidNumber from authenticating as a local system user. | |
136 | #pam_min_uid 0 | |
137 | #pam_max_uid 0 | |
138 | ||
139 | # Template login attribute, default template user | |
140 | # (can be overridden by value of former attribute | |
141 | # in user's entry) | |
142 | #pam_login_attribute userPrincipalName | |
143 | #pam_template_login_attribute uid | |
144 | #pam_template_login nobody | |
145 | ||
146 | # HEADS UP: the pam_crypt, pam_nds_passwd, | |
147 | # and pam_ad_passwd options are no | |
148 | # longer supported. | |
149 | # | |
150 | # Do not hash the password at all; presume |
151 | # the directory server will do it, if | |
152 | # necessary. This is the default. | |
153 | #pam_password clear | |
154 | ||
155 | # Hash password locally; required for University of |
156 | # Michigan LDAP server, and works with Netscape | |
157 | # Directory Server if you're using the UNIX-Crypt | |
158 | # hash mechanism and not using the NT Synchronization | |
159 | # service. |
 | # Note: the hash is produced by the local crypt(3); depending | |
 | # on the C library this may be the weak traditional DES scheme, | |
 | # so verify the stored hash format before relying on it. | |
160 | pam_password crypt | |
161 | ||
162 | # Remove old password first, then update in | |
163 | # cleartext. Necessary for use with Novell | |
164 | # Directory Services (NDS) | |
165 | #pam_password clear_remove_old | |
166 | #pam_password nds | |
167 | ||
168 | # RACF is an alias for the above. For use with | |
169 | # IBM RACF | |
170 | #pam_password racf | |
171 | ||
172 | # Update Active Directory password, by | |
173 | # creating Unicode password and updating | |
174 | # unicodePwd attribute. | |
175 | #pam_password ad | |
176 | ||
177 | # Use the OpenLDAP password change | |
178 | # extended operation to update the password. | |
179 | #pam_password exop | |
180 | ||
181 | # Redirect users to a URL or somesuch on password | |
182 | # changes. | |
183 | #pam_password_prohibit_message Please visit http://internal to change your password. | |
184 | ||
185 | # Use backlinks for answering initgroups() |
186 | #nss_initgroups backlink | |
187 | ||
188 | # Enable support for RFC2307bis (distinguished names in group | |
189 | # members) | |
190 | #nss_schema rfc2307bis | |
191 | ||
192 | # RFC2307bis naming contexts |
193 | # Syntax: | |
194 | # nss_base_XXX base?scope?filter | |
195 | # where scope is {base,one,sub} | |
196 | # and filter is a filter to be &'d with the | |
197 | # default filter. | |
198 | # You can omit the suffix eg: | |
199 | # nss_base_passwd ou=People, | |
200 | # to append the default base DN but this | |
201 | # may incur a small performance impact. | |
202 | #nss_base_passwd ou=People,dc=padl,dc=com?one | |
203 | #nss_base_shadow ou=People,dc=padl,dc=com?one | |
204 | #nss_base_group ou=Group,dc=padl,dc=com?one | |
205 | #nss_base_hosts ou=Hosts,dc=padl,dc=com?one | |
206 | #nss_base_services ou=Services,dc=padl,dc=com?one | |
207 | #nss_base_networks ou=Networks,dc=padl,dc=com?one | |
208 | #nss_base_protocols ou=Protocols,dc=padl,dc=com?one | |
209 | #nss_base_rpc ou=Rpc,dc=padl,dc=com?one | |
210 | #nss_base_ethers ou=Ethers,dc=padl,dc=com?one | |
211 | #nss_base_netmasks ou=Networks,dc=padl,dc=com?one | |
212 | #nss_base_bootparams ou=Ethers,dc=padl,dc=com?one | |
213 | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one | |
214 | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one | |
215 | ||
216 | # attribute/objectclass mapping | |
217 | # Syntax: | |
218 | #nss_map_attribute rfc2307attribute mapped_attribute | |
219 | #nss_map_objectclass rfc2307objectclass mapped_objectclass | |
220 | ||
221 | # configure --enable-nds is no longer supported. | |
222 | # NDS mappings | |
223 | #nss_map_attribute uniqueMember member | |
224 | ||
225 | # Services for UNIX 3.5 mappings | |
226 | #nss_map_objectclass posixAccount User | |
227 | #nss_map_objectclass shadowAccount User | |
228 | #nss_map_attribute uid msSFU30Name | |
229 | #nss_map_attribute uniqueMember msSFU30PosixMember | |
230 | #nss_map_attribute userPassword msSFU30Password | |
231 | #nss_map_attribute homeDirectory msSFU30HomeDirectory | |
232 | #nss_map_attribute homeDirectory msSFUHomeDirectory | |
233 | #nss_map_objectclass posixGroup Group | |
234 | #pam_login_attribute msSFU30Name | |
235 | #pam_filter objectclass=User | |
236 | #pam_password ad | |
237 | ||
238 | # configure --enable-mssfu-schema is no longer supported. | |
239 | # Services for UNIX 2.0 mappings | |
240 | #nss_map_objectclass posixAccount User | |
241 | #nss_map_objectclass shadowAccount user | |
242 | #nss_map_attribute uid msSFUName | |
243 | #nss_map_attribute uniqueMember posixMember | |
244 | #nss_map_attribute userPassword msSFUPassword | |
245 | #nss_map_attribute homeDirectory msSFUHomeDirectory | |
246 | #nss_map_attribute shadowLastChange pwdLastSet | |
247 | #nss_map_objectclass posixGroup Group | |
248 | #nss_map_attribute cn msSFUName | |
249 | #pam_login_attribute msSFUName | |
250 | #pam_filter objectclass=User | |
251 | #pam_password ad | |
252 | ||
253 | # RFC 2307 (AD) mappings | |
254 | #nss_map_objectclass posixAccount user | |
255 | #nss_map_objectclass shadowAccount user | |
256 | #nss_map_attribute uid sAMAccountName | |
257 | #nss_map_attribute homeDirectory unixHomeDirectory | |
258 | #nss_map_attribute shadowLastChange pwdLastSet | |
259 | #nss_map_objectclass posixGroup group | |
260 | #nss_map_attribute uniqueMember member | |
261 | #pam_login_attribute sAMAccountName | |
262 | #pam_filter objectclass=User | |
263 | #pam_password ad | |
264 | ||
265 | # configure --enable-authpassword is no longer supported | |
266 | # AuthPassword mappings | |
267 | #nss_map_attribute userPassword authPassword | |
268 | ||
269 | # AIX SecureWay mappings | |
270 | #nss_map_objectclass posixAccount aixAccount | |
271 | #nss_base_passwd ou=aixaccount,?one | |
272 | #nss_map_attribute uid userName | |
273 | #nss_map_attribute gidNumber gid | |
274 | #nss_map_attribute uidNumber uid | |
275 | #nss_map_attribute userPassword passwordChar | |
276 | #nss_map_objectclass posixGroup aixAccessGroup | |
277 | #nss_base_group ou=aixgroup,?one | |
278 | #nss_map_attribute cn groupName | |
279 | #nss_map_attribute uniqueMember member | |
280 | #pam_login_attribute userName | |
281 | #pam_filter objectclass=aixAccount | |
282 | #pam_password clear | |
283 | ||
284 | # For pre-RFC2307bis automount schema |
285 | #nss_map_objectclass automountMap nisMap | |
286 | #nss_map_attribute automountMapName nisMapName | |
287 | #nss_map_objectclass automount nisObject | |
288 | #nss_map_attribute automountKey cn | |
289 | #nss_map_attribute automountInformation nisMapEntry | |
290 | ||
291 | # Netscape SDK LDAPS |
292 | #ssl on | |
293 | ||
294 | # Netscape SDK SSL options | |
295 | #sslpath /etc/ssl/certs/cert7.db | |
296 | ||
297 | # OpenLDAP SSL mechanism | |
298 | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 | |
299 | #ssl start_tls | |
300 | #ssl on | |
301 | ||
302 | # OpenLDAP SSL options | |
303 | # Require and verify server certificate (yes/no) | |
304 | # Default is to use libldap's default behavior, which can be configured in | |
305 | # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for | |
306 | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". | |
 | # Set this to "yes" explicitly rather than relying on the library | |
 | # default: without peer verification TLS does not authenticate the | |
 | # server, so an on-path attacker can present any certificate and | |
 | # capture the bind credentials. | |
307 | #tls_checkpeer yes | |
308 | ||
309 | # CA certificates for server certificate verification | |
310 | # At least one of these is required if tls_checkpeer is "yes" | |
311 | #tls_cacertfile /etc/certs/ca-certificates.crt |
312 | #tls_cacertdir /etc/openssl/certs | |
313 | |
314 | # Seed the PRNG if /dev/urandom is not provided | |
315 | #tls_randfile /var/run/egd-pool | |
316 | ||
317 | # SSL cipher suite (OpenSSL cipher-list string) | |
318 | # See ciphers(1) for the syntax. The "TLSv1" example below selects | |
 | # every suite of that protocol version; prefer an explicit list of | |
 | # current suites (and a current protocol minimum) in production. | |
319 | #tls_ciphers TLSv1 | |
320 | ||
321 | # Client certificate and key | |
322 | # Use these, if your server requires client authentication. | |
323 | #tls_cert | |
324 | #tls_key | |
325 | ||
326 | # Disable SASL security layers. This is needed for AD. | |
 | # With maxssf=0 SASL provides no integrity or confidentiality | |
 | # protection, so use ldaps:// or "ssl start_tls" to protect the | |
 | # connection instead. | |
327 | #sasl_secprops maxssf=0 | |
328 | ||
329 | # Override the default Kerberos ticket cache location. | |
330 | #krb5_ccname FILE:/etc/.ldapcache | |
9d6f98cd | 331 | |
332 | # SASL mechanism for PAM authentication - use is experimental |
333 | # at present and does not support password policy control. | |
 | # Note: DIGEST-MD5 has been deprecated (RFC 6331); if SASL is | |
 | # used for PAM, prefer GSSAPI (see krb5_ccname above) where the | |
 | # server supports it. | |
334 | #pam_sasl_mech DIGEST-MD5 |