[484] | 1 | # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ |
---|
| 2 | # |
---|
| 3 | # This is the configuration file for the LDAP nameservice |
---|
| 4 | # switch library and the LDAP PAM module. |
---|
| 5 | # |
---|
| 6 | # The man pages for this file are nss_ldap(5) and pam_ldap(5) |
---|
| 7 | # |
---|
| 8 | # PADL Software |
---|
| 9 | # http://www.padl.com |
---|
| 10 | # |
---|
| 11 | |
---|
| 12 | # Your LDAP server. Must be resolvable without using LDAP. |
---|
| 13 | # Multiple hosts may be specified, each separated by a |
---|
| 14 | # space. How long nss_ldap takes to failover depends on |
---|
| 15 | # whether your LDAP client library supports configurable |
---|
| 16 | # network or connect timeouts (see bind_timelimit). |
---|
[512] | 17 | #host 127.0.0.1 |
---|
[484] | 18 | |
---|
| 19 | # The distinguished name of the search base. |
---|
| 20 | base dc=scripts,dc=mit,dc=edu |
---|
| 21 | |
---|
| 22 | # Another way to specify your LDAP server is to provide an |
---|
| 23 | # uri with the server name. This allows to use |
---|
| 24 | # Unix Domain Sockets to connect to a local LDAP Server. |
---|
| 25 | #uri ldap://127.0.0.1/ |
---|
| 26 | #uri ldaps://127.0.0.1/ |
---|
| 27 | #uri ldapi://%2fvar%2frun%2fldapi_sock/ |
---|
| 28 | # Note: %2f encodes the '/' used as directory separator |
---|
[512] | 29 | uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/ |
---|
[484] | 30 | |
---|
| 31 | # The LDAP version to use (defaults to 3 |
---|
| 32 | # if supported by client library) |
---|
| 33 | #ldap_version 3 |
---|
| 34 | |
---|
| 35 | # The distinguished name to bind to the server with. |
---|
| 36 | # Optional: default is to bind anonymously. |
---|
| 37 | #binddn cn=proxyuser,dc=example,dc=com |
---|
| 38 | |
---|
| 39 | # The credentials to bind with. |
---|
| 40 | # Optional: default is no credential. |
---|
| 41 | #bindpw secret |
---|
| 42 | |
---|
| 43 | # The distinguished name to bind to the server with |
---|
| 44 | # if the effective user ID is root. Password is |
---|
| 45 | # stored in /etc/ldap.secret (mode 600) |
---|
| 46 | #rootbinddn cn=manager,dc=example,dc=com |
---|
| 47 | |
---|
| 48 | # The port. |
---|
| 49 | # Optional: default is 389. |
---|
| 50 | #port 389 |
---|
| 51 | |
---|
| 52 | # The search scope. |
---|
| 53 | #scope sub |
---|
| 54 | #scope one |
---|
| 55 | #scope base |
---|
| 56 | |
---|
| 57 | # Search timelimit |
---|
| 58 | #timelimit 30 |
---|
| 59 | timelimit 120 |
---|
| 60 | |
---|
| 61 | # Bind/connect timelimit |
---|
| 62 | #bind_timelimit 30 |
---|
| 63 | bind_timelimit 120 |
---|
| 64 | |
---|
| 65 | # Reconnect policy: hard (default) will retry connecting to |
---|
| 66 | # the software with exponential backoff, soft will fail |
---|
| 67 | # immediately. |
---|
| 68 | #bind_policy hard |
---|
| 69 | |
---|
| 70 | # Idle timelimit; client will close connections |
---|
| 71 | # (nss_ldap only) if the server has not been contacted |
---|
| 72 | # for the number of seconds specified below. |
---|
| 73 | #idle_timelimit 3600 |
---|
| 74 | idle_timelimit 3600 |
---|
| 75 | |
---|
| 76 | # Filter to AND with uid=%s |
---|
| 77 | #pam_filter objectclass=account |
---|
| 78 | |
---|
| 79 | # The user ID attribute (defaults to uid) |
---|
| 80 | #pam_login_attribute uid |
---|
| 81 | |
---|
| 82 | # Search the root DSE for the password policy (works |
---|
| 83 | # with Netscape Directory Server) |
---|
| 84 | #pam_lookup_policy yes |
---|
| 85 | |
---|
| 86 | # Check the 'host' attribute for access control |
---|
| 87 | # Default is no; if set to yes, and user has no |
---|
| 88 | # value for the host attribute, and pam_ldap is |
---|
| 89 | # configured for account management (authorization) |
---|
| 90 | # then the user will not be allowed to login. |
---|
| 91 | #pam_check_host_attr yes |
---|
| 92 | |
---|
| 93 | # Check the 'authorizedService' attribute for access |
---|
| 94 | # control |
---|
| 95 | # Default is no; if set to yes, and the user has no |
---|
| 96 | # value for the authorizedService attribute, and |
---|
| 97 | # pam_ldap is configured for account management |
---|
| 98 | # (authorization) then the user will not be allowed |
---|
| 99 | # to login. |
---|
| 100 | #pam_check_service_attr yes |
---|
| 101 | |
---|
| 102 | # Group to enforce membership of |
---|
| 103 | #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com |
---|
| 104 | |
---|
| 105 | # Group member attribute |
---|
| 106 | #pam_member_attribute uniquemember |
---|
| 107 | |
---|
| 108 | # Specify a minium or maximum UID number allowed |
---|
| 109 | #pam_min_uid 0 |
---|
| 110 | #pam_max_uid 0 |
---|
| 111 | |
---|
| 112 | # Template login attribute, default template user |
---|
| 113 | # (can be overriden by value of former attribute |
---|
| 114 | # in user's entry) |
---|
| 115 | #pam_login_attribute userPrincipalName |
---|
| 116 | #pam_template_login_attribute uid |
---|
| 117 | #pam_template_login nobody |
---|
| 118 | |
---|
| 119 | # HEADS UP: the pam_crypt, pam_nds_passwd, |
---|
| 120 | # and pam_ad_passwd options are no |
---|
| 121 | # longer supported. |
---|
| 122 | # |
---|
| 123 | # Do not hash the password at all; presume |
---|
| 124 | # the directory server will do it, if |
---|
| 125 | # necessary. This is the default. |
---|
| 126 | #pam_password clear |
---|
| 127 | |
---|
| 128 | # Hash password locally; required for University of |
---|
| 129 | # Michigan LDAP server, and works with Netscape |
---|
| 130 | # Directory Server if you're using the UNIX-Crypt |
---|
| 131 | # hash mechanism and not using the NT Synchronization |
---|
| 132 | # service. |
---|
| 133 | #pam_password crypt |
---|
| 134 | |
---|
| 135 | # Remove old password first, then update in |
---|
| 136 | # cleartext. Necessary for use with Novell |
---|
| 137 | # Directory Services (NDS) |
---|
| 138 | #pam_password clear_remove_old |
---|
| 139 | #pam_password nds |
---|
| 140 | |
---|
| 141 | # RACF is an alias for the above. For use with |
---|
| 142 | # IBM RACF |
---|
| 143 | #pam_password racf |
---|
| 144 | |
---|
| 145 | # Update Active Directory password, by |
---|
| 146 | # creating Unicode password and updating |
---|
| 147 | # unicodePwd attribute. |
---|
| 148 | #pam_password ad |
---|
| 149 | |
---|
| 150 | # Use the OpenLDAP password change |
---|
| 151 | # extended operation to update the password. |
---|
| 152 | #pam_password exop |
---|
| 153 | |
---|
| 154 | # Redirect users to a URL or somesuch on password |
---|
| 155 | # changes. |
---|
| 156 | #pam_password_prohibit_message Please visit http://internal to change your password. |
---|
| 157 | |
---|
| 158 | # RFC2307bis naming contexts |
---|
| 159 | # Syntax: |
---|
| 160 | # nss_base_XXX base?scope?filter |
---|
| 161 | # where scope is {base,one,sub} |
---|
| 162 | # and filter is a filter to be &'d with the |
---|
| 163 | # default filter. |
---|
| 164 | # You can omit the suffix eg: |
---|
| 165 | # nss_base_passwd ou=People, |
---|
| 166 | # to append the default base DN but this |
---|
| 167 | # may incur a small performance impact. |
---|
| 168 | nss_base_passwd ou=People,dc=scripts,dc=mit,dc=edu?one |
---|
| 169 | #nss_base_shadow ou=People,dc=example,dc=com?one |
---|
| 170 | nss_base_group ou=Groups,dc=scripts,dc=mit,dc=edu?one |
---|
| 171 | #nss_base_hosts ou=Hosts,dc=example,dc=com?one |
---|
| 172 | #nss_base_services ou=Services,dc=example,dc=com?one |
---|
| 173 | #nss_base_networks ou=Networks,dc=example,dc=com?one |
---|
| 174 | #nss_base_protocols ou=Protocols,dc=example,dc=com?one |
---|
| 175 | #nss_base_rpc ou=Rpc,dc=example,dc=com?one |
---|
| 176 | #nss_base_ethers ou=Ethers,dc=example,dc=com?one |
---|
| 177 | #nss_base_netmasks ou=Networks,dc=example,dc=com?ne |
---|
| 178 | #nss_base_bootparams ou=Ethers,dc=example,dc=com?one |
---|
| 179 | #nss_base_aliases ou=Aliases,dc=example,dc=com?one |
---|
| 180 | #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one |
---|
| 181 | |
---|
| 182 | # Just assume that there are no supplemental groups for these named users |
---|
| 183 | nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd |
---|
| 184 | |
---|
| 185 | # attribute/objectclass mapping |
---|
| 186 | # Syntax: |
---|
| 187 | #nss_map_attribute rfc2307attribute mapped_attribute |
---|
| 188 | #nss_map_objectclass rfc2307objectclass mapped_objectclass |
---|
| 189 | |
---|
| 190 | # configure --enable-nds is no longer supported. |
---|
| 191 | # NDS mappings |
---|
| 192 | #nss_map_attribute uniqueMember member |
---|
| 193 | |
---|
| 194 | # Services for UNIX 3.5 mappings |
---|
| 195 | #nss_map_objectclass posixAccount User |
---|
| 196 | #nss_map_objectclass shadowAccount User |
---|
| 197 | #nss_map_attribute uid msSFU30Name |
---|
| 198 | #nss_map_attribute uniqueMember msSFU30PosixMember |
---|
| 199 | #nss_map_attribute userPassword msSFU30Password |
---|
| 200 | #nss_map_attribute homeDirectory msSFU30HomeDirectory |
---|
| 201 | #nss_map_attribute homeDirectory msSFUHomeDirectory |
---|
| 202 | #nss_map_objectclass posixGroup Group |
---|
| 203 | #pam_login_attribute msSFU30Name |
---|
| 204 | #pam_filter objectclass=User |
---|
| 205 | #pam_password ad |
---|
| 206 | |
---|
| 207 | # configure --enable-mssfu-schema is no longer supported. |
---|
| 208 | # Services for UNIX 2.0 mappings |
---|
| 209 | #nss_map_objectclass posixAccount User |
---|
| 210 | #nss_map_objectclass shadowAccount user |
---|
| 211 | #nss_map_attribute uid msSFUName |
---|
| 212 | #nss_map_attribute uniqueMember posixMember |
---|
| 213 | #nss_map_attribute userPassword msSFUPassword |
---|
| 214 | #nss_map_attribute homeDirectory msSFUHomeDirectory |
---|
| 215 | #nss_map_attribute shadowLastChange pwdLastSet |
---|
| 216 | #nss_map_objectclass posixGroup Group |
---|
| 217 | #nss_map_attribute cn msSFUName |
---|
| 218 | #pam_login_attribute msSFUName |
---|
| 219 | #pam_filter objectclass=User |
---|
| 220 | #pam_password ad |
---|
| 221 | |
---|
| 222 | # RFC 2307 (AD) mappings |
---|
| 223 | #nss_map_objectclass posixAccount user |
---|
| 224 | #nss_map_objectclass shadowAccount user |
---|
| 225 | #nss_map_attribute uid sAMAccountName |
---|
| 226 | #nss_map_attribute homeDirectory unixHomeDirectory |
---|
| 227 | #nss_map_attribute shadowLastChange pwdLastSet |
---|
| 228 | #nss_map_objectclass posixGroup group |
---|
| 229 | #nss_map_attribute uniqueMember member |
---|
| 230 | #pam_login_attribute sAMAccountName |
---|
| 231 | #pam_filter objectclass=User |
---|
| 232 | #pam_password ad |
---|
| 233 | |
---|
| 234 | # configure --enable-authpassword is no longer supported |
---|
| 235 | # AuthPassword mappings |
---|
| 236 | #nss_map_attribute userPassword authPassword |
---|
| 237 | |
---|
| 238 | # AIX SecureWay mappings |
---|
| 239 | #nss_map_objectclass posixAccount aixAccount |
---|
| 240 | #nss_base_passwd ou=aixaccount,?one |
---|
| 241 | #nss_map_attribute uid userName |
---|
| 242 | #nss_map_attribute gidNumber gid |
---|
| 243 | #nss_map_attribute uidNumber uid |
---|
| 244 | #nss_map_attribute userPassword passwordChar |
---|
| 245 | #nss_map_objectclass posixGroup aixAccessGroup |
---|
| 246 | #nss_base_group ou=aixgroup,?one |
---|
| 247 | #nss_map_attribute cn groupName |
---|
| 248 | #nss_map_attribute uniqueMember member |
---|
| 249 | #pam_login_attribute userName |
---|
| 250 | #pam_filter objectclass=aixAccount |
---|
| 251 | #pam_password clear |
---|
| 252 | |
---|
| 253 | # Netscape SDK LDAPS |
---|
| 254 | #ssl on |
---|
| 255 | |
---|
| 256 | # Netscape SDK SSL options |
---|
| 257 | #sslpath /etc/ssl/certs |
---|
| 258 | |
---|
| 259 | # OpenLDAP SSL mechanism |
---|
| 260 | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 |
---|
| 261 | #ssl start_tls |
---|
| 262 | #ssl on |
---|
| 263 | |
---|
| 264 | # OpenLDAP SSL options |
---|
| 265 | # Require and verify server certificate (yes/no) |
---|
| 266 | # Default is to use libldap's default behavior, which can be configured in |
---|
| 267 | # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for |
---|
| 268 | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". |
---|
| 269 | #tls_checkpeer yes |
---|
| 270 | |
---|
| 271 | # CA certificates for server certificate verification |
---|
| 272 | # At least one of these are required if tls_checkpeer is "yes" |
---|
| 273 | #tls_cacertfile /etc/ssl/ca.cert |
---|
| 274 | #tls_cacertdir /etc/ssl/certs |
---|
| 275 | |
---|
| 276 | # Seed the PRNG if /dev/urandom is not provided |
---|
| 277 | #tls_randfile /var/run/egd-pool |
---|
| 278 | |
---|
| 279 | # SSL cipher suite |
---|
| 280 | # See man ciphers for syntax |
---|
| 281 | #tls_ciphers TLSv1 |
---|
| 282 | |
---|
| 283 | # Client certificate and key |
---|
| 284 | # Use these, if your server requires client authentication. |
---|
| 285 | #tls_cert |
---|
| 286 | #tls_key |
---|
| 287 | |
---|
| 288 | # Disable SASL security layers. This is needed for AD. |
---|
| 289 | #sasl_secprops maxssf=0 |
---|
| 290 | |
---|
| 291 | # Override the default Kerberos ticket cache location. |
---|
| 292 | #krb5_ccname FILE:/etc/.ldapcache |
---|
| 293 | |
---|
| 294 | # SASL mechanism for PAM authentication - use is experimental |
---|
| 295 | # at present and does not support password policy control |
---|
| 296 | #pam_sasl_mech DIGEST-MD5 |
---|