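# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5) for details.
#
# This file holds bind credentials (bindpw, rootpwmodpw). Keep it readable
# by root only (e.g. root-owned, mode 0600/0640); nslcd reads it before
# dropping to the uid/gid below.

# Number of worker threads that accept requests and run LDAP queries.
threads 5

# Unprivileged user and group nslcd switches to after startup.
uid nslcd
gid nslcd

# Logging destination and level.
log syslog info

# LDAP server(s). ldaps:// wraps the whole session in TLS from the first byte.
uri ldaps://XXX.XXX.XXX

# Default search base for queries that have no per-map base below.
base dc=XXX,dc=XXX

# LDAP protocol version (3 is required for TLS and SASL).
ldap_version 3

# DN and password used for ordinary lookups.
# NOTE(review): the bind password is stored in clear text here; prefer an
# account with read-only rights limited to the attributes nslcd needs, and
# rely on the file permissions noted in the header.
binddn cn=annonymous,dc=example,dc=net
bindpw secret


# DN used by root for password modifications.
# NOTE(review): this suffix (dc=example,dc=com) differs from binddn's
# (dc=example,dc=net); confirm both are intended.
rootpwmoddn cn=admin,dc=example,dc=com

# Password for rootpwmoddn. Same clear-text caveat as bindpw.
rootpwmodpw XXXXXX


# SASL authentication options
sasl_mech OTP
sasl_realm realm
sasl_authcid authcid
sasl_authzid dn:cn=annonymous,dc=example,dc=net
# NOTE(review): minssf=0/maxssf=2 means no SASL security layer is required
# and none stronger than a trivial one is permitted. That is only acceptable
# because the transport is already protected by TLS above; if TLS is ever
# relaxed, raise minssf accordingly.
sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535
sasl_canonicalize yes

# Kerberos authentication options
krb5_ccname ccname

# Search/mapping options

# Search bases. nslcd accepts several base lines for the same map; each one
# is searched in turn. Map-specific bases override the default base above.
base dc=people,dc=example,dc=com
base dc=morepeople,dc=example,dc=com
base alias dc=aliases,dc=example,dc=com
base alias dc=morealiases,dc=example,dc=com
base group dc=group,dc=example,dc=com
base group dc=moregroup,dc=example,dc=com
base passwd dc=users,dc=example,dc=com

# Search scope (subtree, onelevel, base or children), globally and per map.
scope sub
scope passwd sub
scope aliases sub

# Policy for dereferencing aliases.
deref never

# Automatic referral chasing. Referrals can redirect lookups to other
# servers; with tls_reqcert demand (below) those connections are still
# certificate-checked, but review which hosts the directory may refer to.
referrals yes

# LDAP search filter used for a specific map.
filter passwd (objectClass=posixAccount)

# Custom attribute mappings instead of the default RFC 2307 attributes.
# Expressions are quoted so the shell-style ${attr:-default} form is kept
# as one token.
map passwd homeDirectory "${homeDirectory:-/home/$uid}"
map passwd loginShell "${loginShell:-/bin/bash}"
map shadow userPassword myPassword

# Timing/reconnect options

# Time limit (in seconds) for connecting to the directory server.
bind_timelimit 30

# Time limit (in seconds) to wait for a response from the LDAP server.
timelimit 5

# Period of inactivity (in seconds) after which the connection to the LDAP
# server is closed.
idle_timelimit 10

# Seconds to sleep when connecting to all LDAP servers fails.
reconnect_sleeptime 10

# Time after which the LDAP server is considered permanently unavailable.
reconnect_retrytime 10

# SSL/TLS options

# How TLS is established. The uri above is ldaps://, so the session is
# already TLS; "on" matches that. "start_tls" would attempt STARTTLS on an
# already-encrypted connection, which libldap rejects as TLS already in place.
ssl on
# Checks performed on the server-supplied certificate. "demand" verifies the
# certificate against the CA material below and aborts on failure; "never"
# would let any host answering on the port read the bind credentials above.
tls_reqcert demand
# Directory containing X.509 CA certificates for peer authentication.
tls_cacertdir /etc/ssl/ca
# File containing X.509 CA certificates for peer authentication.
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# Entropy source. /dev/urandom does not block at boot the way /dev/random can.
tls_randfile /dev/urandom
# Cipher selection. The syntax depends on the TLS library libldap is built
# against (see nslcd.conf(5)).
# NOTE(review): the OpenSSL keyword "TLSv1" selects the TLS 1.0-era suite
# list, which excludes AEAD suites and still includes 3DES; replace it with
# a modern list in your library's syntax (OpenSSL e.g. HIGH:!aNULL:!MD5:!RC4)
# once the server's supported suites are confirmed.
tls_ciphers TLSv1
# Local certificate for client TLS authentication.
tls_cert /etc/ssl/certs/cert.pem
# Private key for client TLS authentication. Must be readable by root only.
tls_key /etc/ssl/private/cert.pem

# Other options
pagesize 100
nss_initgroups_ignoreusers user1,user2,user3
# Ignore LDAP entries with a uid below this, so directory data cannot shadow
# local system accounts.
nss_min_uid 1000
nss_nested_groups yes
nss_getgrent_skipmembers yes
nss_disable_enumeration yes
# Regular expression that user and group names must match (case-insensitive).
validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
ignorecase yes
pam_authc_ppolicy yes
# Authorization search run at PAM account time; $username and $service are
# substituted by nslcd.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
pam_password_prohibit_message "MESSAGE LONG AND WITH SPACES"
reconnect_invalidate nfsidmap,db2,db3
cache dn2uid 1s 2h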