xref: /dports/textproc/augeas/augeas-1.12.0/tests/root/etc/nslcd.conf

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# Specifies the number of threads to start that can handle requests and perform LDAP queries.
threads 5

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# This option controls the way logging is done.
log syslog info

# The location at which the LDAP server(s) should be reachable.
uri ldaps://XXX.XXX.XXX

# The search base that will be used for all queries.
base dc=XXX,dc=XXX

# The LDAP protocol version to use.
ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=annonymous,dc=example,dc=net
bindpw secret


# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=example,dc=com

# The password used for password modifications by root.
rootpwmodpw XXXXXX


# SASL authentication options
sasl_mech OTP
sasl_realm realm
sasl_authcid authcid
sasl_authzid dn:cn=annonymous,dc=example,dc=net
sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535
sasl_canonicalize yes

# Kerberos authentication options
krb5_ccname ccname

# Search/mapping options

# Specifies the base distinguished name (DN) to use as search base.
base dc=people,dc=example,dc=com
base dc=morepeople,dc=example,dc=com
base alias dc=aliases,dc=example,dc=com
base alias dc=morealiases,dc=example,dc=com
base group dc=group,dc=example,dc=com
base group dc=moregroup,dc=example,dc=com
base passwd dc=users,dc=example,dc=com

# Specifies the search scope (subtree, onelevel, base or children).
scope sub
scope passwd sub
scope aliases sub

# Specifies the policy for dereferencing aliases.
deref never

# Specifies whether automatic referral chasing should be enabled.
referrals yes

# The FILTER is an LDAP search filter to use for a specific map.
filter passwd (objectClass=posixAccount)

# This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes.
map passwd homeDirectory \"${homeDirectory:-/home/$uid}\"
map passwd loginShell \"${loginShell:-/bin/bash}\"
map shadow userPassword myPassword

# Timing/reconnect options

# Specifies the time limit (in seconds) to use when connecting to the directory server.
bind_timelimit 30

# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
timelimit 5

# Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed.
idle_timelimit 10

# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
reconnect_sleeptime 10

# Specifies the time after which the LDAP server is considered to be permanently unavailable.
reconnect_retrytime 10

# SSL/TLS options

# Specifies whether to use SSL/TLS or not (the default is not to).
ssl start_tls
# Specifies what checks to perform on a server-supplied certificate.
tls_reqcert never
# Specifies the directory containing X.509 certificates for peer authentication.
tls_cacertdir /etc/ssl/ca
# Specifies the path to the X.509 certificate for peer authentication.
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# Specifies the path to an entropy source.
tls_randfile /dev/random
# Specifies the ciphers to use for TLS.
tls_ciphers TLSv1
# Specifies the path to the file containing the local certificate for client TLS authentication.
tls_cert /etc/ssl/certs/cert.pem
# Specifies the path to the file containing the private key for client TLS authentication.
tls_key /etc/ssl/private/cert.pem

# Other options
pagesize 100
nss_initgroups_ignoreusers user1,user2,user3
nss_min_uid 1000
nss_nested_groups yes
nss_getgrent_skipmembers yes
nss_disable_enumeration yes
validnames /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i
ignorecase yes
pam_authc_ppolicy yes
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
pam_password_prohibit_message "MESSAGE LONG AND WITH SPACES"
reconnect_invalidate nfsidmap,db2,db3
cache dn2uid 1s 2h