source: trunk/server/fedora/config/etc/ldap.conf @ 1818

Last change on this file since 1818 was 1818, checked in by mitchb, 12 years ago
Move 389-ds's slapd-scripts.socket to /var/run It turns out that mode 777 directories containing files that daemons use is... not the most brilliant thing we've done. 389-ds has finally decided to insist on clobbering the permissions of /var/run/dirsrv to be less foolish, but several of our daemons and client programs need to be able to access the LDAP daemon's socket. Come visit it in its new home, conveniently located just two directories below the root.
File size: 8.9 KB
Line 
1# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
2#
3# This is the configuration file for the LDAP nameservice
4# switch library and the LDAP PAM module.
5#
6# The man pages for this file are nss_ldap(5) and pam_ldap(5)
7#
8# PADL Software
9# http://www.padl.com
10#
11
12# Your LDAP server. Must be resolvable without using LDAP.
13# Multiple hosts may be specified, each separated by a
14# space. How long nss_ldap takes to failover depends on
15# whether your LDAP client library supports configurable
16# network or connect timeouts (see bind_timelimit).
17#host 127.0.0.1
18
19# The distinguished name of the search base.
20base dc=scripts,dc=mit,dc=edu
21
22# Another way to specify your LDAP server is to provide an
23# uri with the server name. This allows to use
24# Unix Domain Sockets to connect to a local LDAP Server.
25#uri ldap://127.0.0.1/
26#uri ldaps://127.0.0.1/   
27#uri ldapi://%2fvar%2frun%2fldapi_sock/
28# Note: %2f encodes the '/' used as directory separator
29uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/
30
31# The LDAP version to use (defaults to 3
32# if supported by client library)
33#ldap_version 3
34
35# The distinguished name to bind to the server with.
36# Optional: default is to bind anonymously.
37#binddn cn=proxyuser,dc=example,dc=com
38
39# The credentials to bind with.
40# Optional: default is no credential.
41#bindpw secret
42
43# The distinguished name to bind to the server with
44# if the effective user ID is root. Password is
45# stored in /etc/ldap.secret (mode 600)
46#rootbinddn cn=manager,dc=example,dc=com
47
48# The port.
49# Optional: default is 389.
50#port 389
51
52# The search scope.
53#scope sub
54#scope one
55#scope base
56
57# Search timelimit
58#timelimit 30
59timelimit 120
60
61# Bind/connect timelimit
62#bind_timelimit 30
63bind_timelimit 120
64
65# Reconnect policy: hard (default) will retry connecting to
66# the software with exponential backoff, soft will fail
67# immediately.
68#bind_policy hard
69
70# Idle timelimit; client will close connections
71# (nss_ldap only) if the server has not been contacted
72# for the number of seconds specified below.
73#idle_timelimit 3600
74idle_timelimit 3600
75
76# Filter to AND with uid=%s
77#pam_filter objectclass=account
78
79# The user ID attribute (defaults to uid)
80#pam_login_attribute uid
81
82# Search the root DSE for the password policy (works
83# with Netscape Directory Server)
84#pam_lookup_policy yes
85
86# Check the 'host' attribute for access control
87# Default is no; if set to yes, and user has no
88# value for the host attribute, and pam_ldap is
89# configured for account management (authorization)
90# then the user will not be allowed to login.
91#pam_check_host_attr yes
92
93# Check the 'authorizedService' attribute for access
94# control
95# Default is no; if set to yes, and the user has no
96# value for the authorizedService attribute, and
97# pam_ldap is configured for account management
98# (authorization) then the user will not be allowed
99# to login.
100#pam_check_service_attr yes
101
102# Group to enforce membership of
103#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
104
105# Group member attribute
106#pam_member_attribute uniquemember
107
108# Specify a minium or maximum UID number allowed
109#pam_min_uid 0
110#pam_max_uid 0
111
112# Template login attribute, default template user
113# (can be overriden by value of former attribute
114# in user's entry)
115#pam_login_attribute userPrincipalName
116#pam_template_login_attribute uid
117#pam_template_login nobody
118
119# HEADS UP: the pam_crypt, pam_nds_passwd,
120# and pam_ad_passwd options are no
121# longer supported.
122#
123# Do not hash the password at all; presume
124# the directory server will do it, if
125# necessary. This is the default.
126#pam_password clear
127
128# Hash password locally; required for University of
129# Michigan LDAP server, and works with Netscape
130# Directory Server if you're using the UNIX-Crypt
131# hash mechanism and not using the NT Synchronization
132# service.
133#pam_password crypt
134
135# Remove old password first, then update in
136# cleartext. Necessary for use with Novell
137# Directory Services (NDS)
138#pam_password clear_remove_old
139#pam_password nds
140
141# RACF is an alias for the above. For use with
142# IBM RACF
143#pam_password racf
144
145# Update Active Directory password, by
146# creating Unicode password and updating
147# unicodePwd attribute.
148#pam_password ad
149
150# Use the OpenLDAP password change
151# extended operation to update the password.
152#pam_password exop
153
154# Redirect users to a URL or somesuch on password
155# changes.
156#pam_password_prohibit_message Please visit http://internal to change your password.
157
158# RFC2307bis naming contexts
159# Syntax:
160# nss_base_XXX          base?scope?filter
161# where scope is {base,one,sub}
162# and filter is a filter to be &'d with the
163# default filter.
164# You can omit the suffix eg:
165# nss_base_passwd       ou=People,
166# to append the default base DN but this
167# may incur a small performance impact.
168nss_base_passwd         ou=People,dc=scripts,dc=mit,dc=edu?one
169#nss_base_shadow        ou=People,dc=example,dc=com?one
170nss_base_group          ou=Groups,dc=scripts,dc=mit,dc=edu?one
171#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
172#nss_base_services      ou=Services,dc=example,dc=com?one
173#nss_base_networks      ou=Networks,dc=example,dc=com?one
174#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
175#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
176#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
177#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
178#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
179#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
180#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
181
182# Just assume that there are no supplemental groups for these named users
183nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
184
185# attribute/objectclass mapping
186# Syntax:
187#nss_map_attribute      rfc2307attribute        mapped_attribute
188#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
189
190# configure --enable-nds is no longer supported.
191# NDS mappings
192#nss_map_attribute uniqueMember member
193
194# Services for UNIX 3.5 mappings
195#nss_map_objectclass posixAccount User
196#nss_map_objectclass shadowAccount User
197#nss_map_attribute uid msSFU30Name
198#nss_map_attribute uniqueMember msSFU30PosixMember
199#nss_map_attribute userPassword msSFU30Password
200#nss_map_attribute homeDirectory msSFU30HomeDirectory
201#nss_map_attribute homeDirectory msSFUHomeDirectory
202#nss_map_objectclass posixGroup Group
203#pam_login_attribute msSFU30Name
204#pam_filter objectclass=User
205#pam_password ad
206
207# configure --enable-mssfu-schema is no longer supported.
208# Services for UNIX 2.0 mappings
209#nss_map_objectclass posixAccount User
210#nss_map_objectclass shadowAccount user
211#nss_map_attribute uid msSFUName
212#nss_map_attribute uniqueMember posixMember
213#nss_map_attribute userPassword msSFUPassword
214#nss_map_attribute homeDirectory msSFUHomeDirectory
215#nss_map_attribute shadowLastChange pwdLastSet
216#nss_map_objectclass posixGroup Group
217#nss_map_attribute cn msSFUName
218#pam_login_attribute msSFUName
219#pam_filter objectclass=User
220#pam_password ad
221
222# RFC 2307 (AD) mappings
223#nss_map_objectclass posixAccount user
224#nss_map_objectclass shadowAccount user
225#nss_map_attribute uid sAMAccountName
226#nss_map_attribute homeDirectory unixHomeDirectory
227#nss_map_attribute shadowLastChange pwdLastSet
228#nss_map_objectclass posixGroup group
229#nss_map_attribute uniqueMember member
230#pam_login_attribute sAMAccountName
231#pam_filter objectclass=User
232#pam_password ad
233
234# configure --enable-authpassword is no longer supported
235# AuthPassword mappings
236#nss_map_attribute userPassword authPassword
237
238# AIX SecureWay mappings
239#nss_map_objectclass posixAccount aixAccount
240#nss_base_passwd ou=aixaccount,?one
241#nss_map_attribute uid userName
242#nss_map_attribute gidNumber gid
243#nss_map_attribute uidNumber uid
244#nss_map_attribute userPassword passwordChar
245#nss_map_objectclass posixGroup aixAccessGroup
246#nss_base_group ou=aixgroup,?one
247#nss_map_attribute cn groupName
248#nss_map_attribute uniqueMember member
249#pam_login_attribute userName
250#pam_filter objectclass=aixAccount
251#pam_password clear
252
253# Netscape SDK LDAPS
254#ssl on
255
256# Netscape SDK SSL options
257#sslpath /etc/ssl/certs
258
259# OpenLDAP SSL mechanism
260# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
261#ssl start_tls
262#ssl on
263
264# OpenLDAP SSL options
265# Require and verify server certificate (yes/no)
266# Default is to use libldap's default behavior, which can be configured in
267# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
268# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
269#tls_checkpeer yes
270
271# CA certificates for server certificate verification
272# At least one of these are required if tls_checkpeer is "yes"
273#tls_cacertfile /etc/ssl/ca.cert
274#tls_cacertdir /etc/ssl/certs
275
276# Seed the PRNG if /dev/urandom is not provided
277#tls_randfile /var/run/egd-pool
278
279# SSL cipher suite
280# See man ciphers for syntax
281#tls_ciphers TLSv1
282
283# Client certificate and key
284# Use these, if your server requires client authentication.
285#tls_cert
286#tls_key
287
288# Disable SASL security layers. This is needed for AD.
289#sasl_secprops maxssf=0
290
291# Override the default Kerberos ticket cache location.
292#krb5_ccname FILE:/etc/.ldapcache
293
294# SASL mechanism for PAM authentication - use is experimental
295# at present and does not support password policy control
296#pam_sasl_mech DIGEST-MD5
Note: See TracBrowser for help on using the repository browser.