source: trunk/server/fedora/config/etc/ldap.conf @ 1331

Last change on this file since 1331 was 512, checked in by andersk, 17 years ago
Use ldapi:// url.
File size: 8.9 KB
Line 
1# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
2#
3# This is the configuration file for the LDAP nameservice
4# switch library and the LDAP PAM module.
5#
6# The man pages for this file are nss_ldap(5) and pam_ldap(5)
7#
8# PADL Software
9# http://www.padl.com
10#
11
12# Your LDAP server. Must be resolvable without using LDAP.
13# Multiple hosts may be specified, each separated by a
14# space. How long nss_ldap takes to failover depends on
15# whether your LDAP client library supports configurable
16# network or connect timeouts (see bind_timelimit).
17#host 127.0.0.1
18
19# The distinguished name of the search base.
20base dc=scripts,dc=mit,dc=edu
21
22# Another way to specify your LDAP server is to provide an
23# uri with the server name. This allows to use
24# Unix Domain Sockets to connect to a local LDAP Server.
25#uri ldap://127.0.0.1/
26#uri ldaps://127.0.0.1/   
27#uri ldapi://%2fvar%2frun%2fldapi_sock/
28# Note: %2f encodes the '/' used as directory separator
29uri ldapi://%2fvar%2frun%2fdirsrv%2fslapd-scripts.socket/
30
31# The LDAP version to use (defaults to 3
32# if supported by client library)
33#ldap_version 3
34
35# The distinguished name to bind to the server with.
36# Optional: default is to bind anonymously.
37#binddn cn=proxyuser,dc=example,dc=com
38
39# The credentials to bind with.
40# Optional: default is no credential.
41#bindpw secret
42
43# The distinguished name to bind to the server with
44# if the effective user ID is root. Password is
45# stored in /etc/ldap.secret (mode 600)
46#rootbinddn cn=manager,dc=example,dc=com
47
48# The port.
49# Optional: default is 389.
50#port 389
51
52# The search scope.
53#scope sub
54#scope one
55#scope base
56
57# Search timelimit
58#timelimit 30
59timelimit 120
60
61# Bind/connect timelimit
62#bind_timelimit 30
63bind_timelimit 120
64
65# Reconnect policy: hard (default) will retry connecting to
66# the software with exponential backoff, soft will fail
67# immediately.
68#bind_policy hard
69
70# Idle timelimit; client will close connections
71# (nss_ldap only) if the server has not been contacted
72# for the number of seconds specified below.
73#idle_timelimit 3600
74idle_timelimit 3600
75
76# Filter to AND with uid=%s
77#pam_filter objectclass=account
78
79# The user ID attribute (defaults to uid)
80#pam_login_attribute uid
81
82# Search the root DSE for the password policy (works
83# with Netscape Directory Server)
84#pam_lookup_policy yes
85
86# Check the 'host' attribute for access control
87# Default is no; if set to yes, and user has no
88# value for the host attribute, and pam_ldap is
89# configured for account management (authorization)
90# then the user will not be allowed to login.
91#pam_check_host_attr yes
92
93# Check the 'authorizedService' attribute for access
94# control
95# Default is no; if set to yes, and the user has no
96# value for the authorizedService attribute, and
97# pam_ldap is configured for account management
98# (authorization) then the user will not be allowed
99# to login.
100#pam_check_service_attr yes
101
102# Group to enforce membership of
103#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
104
105# Group member attribute
106#pam_member_attribute uniquemember
107
108# Specify a minium or maximum UID number allowed
109#pam_min_uid 0
110#pam_max_uid 0
111
112# Template login attribute, default template user
113# (can be overriden by value of former attribute
114# in user's entry)
115#pam_login_attribute userPrincipalName
116#pam_template_login_attribute uid
117#pam_template_login nobody
118
119# HEADS UP: the pam_crypt, pam_nds_passwd,
120# and pam_ad_passwd options are no
121# longer supported.
122#
123# Do not hash the password at all; presume
124# the directory server will do it, if
125# necessary. This is the default.
126#pam_password clear
127
128# Hash password locally; required for University of
129# Michigan LDAP server, and works with Netscape
130# Directory Server if you're using the UNIX-Crypt
131# hash mechanism and not using the NT Synchronization
132# service.
133#pam_password crypt
134
135# Remove old password first, then update in
136# cleartext. Necessary for use with Novell
137# Directory Services (NDS)
138#pam_password clear_remove_old
139#pam_password nds
140
141# RACF is an alias for the above. For use with
142# IBM RACF
143#pam_password racf
144
145# Update Active Directory password, by
146# creating Unicode password and updating
147# unicodePwd attribute.
148#pam_password ad
149
150# Use the OpenLDAP password change
151# extended operation to update the password.
152#pam_password exop
153
154# Redirect users to a URL or somesuch on password
155# changes.
156#pam_password_prohibit_message Please visit http://internal to change your password.
157
158# RFC2307bis naming contexts
159# Syntax:
160# nss_base_XXX          base?scope?filter
161# where scope is {base,one,sub}
162# and filter is a filter to be &'d with the
163# default filter.
164# You can omit the suffix eg:
165# nss_base_passwd       ou=People,
166# to append the default base DN but this
167# may incur a small performance impact.
168nss_base_passwd         ou=People,dc=scripts,dc=mit,dc=edu?one
169#nss_base_shadow        ou=People,dc=example,dc=com?one
170nss_base_group          ou=Groups,dc=scripts,dc=mit,dc=edu?one
171#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
172#nss_base_services      ou=Services,dc=example,dc=com?one
173#nss_base_networks      ou=Networks,dc=example,dc=com?one
174#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
175#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
176#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
177#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
178#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
179#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
180#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
181
182# Just assume that there are no supplemental groups for these named users
183nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
184
185# attribute/objectclass mapping
186# Syntax:
187#nss_map_attribute      rfc2307attribute        mapped_attribute
188#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
189
190# configure --enable-nds is no longer supported.
191# NDS mappings
192#nss_map_attribute uniqueMember member
193
194# Services for UNIX 3.5 mappings
195#nss_map_objectclass posixAccount User
196#nss_map_objectclass shadowAccount User
197#nss_map_attribute uid msSFU30Name
198#nss_map_attribute uniqueMember msSFU30PosixMember
199#nss_map_attribute userPassword msSFU30Password
200#nss_map_attribute homeDirectory msSFU30HomeDirectory
201#nss_map_attribute homeDirectory msSFUHomeDirectory
202#nss_map_objectclass posixGroup Group
203#pam_login_attribute msSFU30Name
204#pam_filter objectclass=User
205#pam_password ad
206
207# configure --enable-mssfu-schema is no longer supported.
208# Services for UNIX 2.0 mappings
209#nss_map_objectclass posixAccount User
210#nss_map_objectclass shadowAccount user
211#nss_map_attribute uid msSFUName
212#nss_map_attribute uniqueMember posixMember
213#nss_map_attribute userPassword msSFUPassword
214#nss_map_attribute homeDirectory msSFUHomeDirectory
215#nss_map_attribute shadowLastChange pwdLastSet
216#nss_map_objectclass posixGroup Group
217#nss_map_attribute cn msSFUName
218#pam_login_attribute msSFUName
219#pam_filter objectclass=User
220#pam_password ad
221
222# RFC 2307 (AD) mappings
223#nss_map_objectclass posixAccount user
224#nss_map_objectclass shadowAccount user
225#nss_map_attribute uid sAMAccountName
226#nss_map_attribute homeDirectory unixHomeDirectory
227#nss_map_attribute shadowLastChange pwdLastSet
228#nss_map_objectclass posixGroup group
229#nss_map_attribute uniqueMember member
230#pam_login_attribute sAMAccountName
231#pam_filter objectclass=User
232#pam_password ad
233
234# configure --enable-authpassword is no longer supported
235# AuthPassword mappings
236#nss_map_attribute userPassword authPassword
237
238# AIX SecureWay mappings
239#nss_map_objectclass posixAccount aixAccount
240#nss_base_passwd ou=aixaccount,?one
241#nss_map_attribute uid userName
242#nss_map_attribute gidNumber gid
243#nss_map_attribute uidNumber uid
244#nss_map_attribute userPassword passwordChar
245#nss_map_objectclass posixGroup aixAccessGroup
246#nss_base_group ou=aixgroup,?one
247#nss_map_attribute cn groupName
248#nss_map_attribute uniqueMember member
249#pam_login_attribute userName
250#pam_filter objectclass=aixAccount
251#pam_password clear
252
253# Netscape SDK LDAPS
254#ssl on
255
256# Netscape SDK SSL options
257#sslpath /etc/ssl/certs
258
259# OpenLDAP SSL mechanism
260# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
261#ssl start_tls
262#ssl on
263
264# OpenLDAP SSL options
265# Require and verify server certificate (yes/no)
266# Default is to use libldap's default behavior, which can be configured in
267# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
268# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
269#tls_checkpeer yes
270
271# CA certificates for server certificate verification
272# At least one of these are required if tls_checkpeer is "yes"
273#tls_cacertfile /etc/ssl/ca.cert
274#tls_cacertdir /etc/ssl/certs
275
276# Seed the PRNG if /dev/urandom is not provided
277#tls_randfile /var/run/egd-pool
278
279# SSL cipher suite
280# See man ciphers for syntax
281#tls_ciphers TLSv1
282
283# Client certificate and key
284# Use these, if your server requires client authentication.
285#tls_cert
286#tls_key
287
288# Disable SASL security layers. This is needed for AD.
289#sasl_secprops maxssf=0
290
291# Override the default Kerberos ticket cache location.
292#krb5_ccname FILE:/etc/.ldapcache
293
294# SASL mechanism for PAM authentication - use is experimental
295# at present and does not support password policy control
296#pam_sasl_mech DIGEST-MD5
Note: See TracBrowser for help on using the repository browser.