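# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man pages for this file are nss_ldap(5) and pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
# Format: one "keyword value" directive per line; only
# full-line '#' comments are recognised. A directive left
# commented out below falls back to the default documented
# next to it. nss_ldap reads this file on behalf of every
# local user, so it has to stay readable by all of them;
# keep credentials out of it (see rootbinddn below).

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# A plain "host" entry talks unencrypted LDAP unless
# "ssl start_tls" is set further down; keep it for a
# loopback server only, and use an ldaps:// uri or
# start_tls for anything remote.
host 127.0.0.1

# The distinguished name of the search base.
base dc=example,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows the use of
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# If a proxy account is needed, give it read-only access
# limited to the attributes nss_ldap/pam_ldap actually query.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# Anything placed here is readable by every local user
# (see the file header). For the root-only bind use
# rootbinddn and /etc/ldap.secret instead.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit (seconds)
#timelimit 30
timelimit 120

# Bind/connect timelimit (seconds)
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the server with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# With this setting the new password crosses the wire
# as typed, so it relies on the transport (ldaps/start_tls)
# for confidentiality.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
# Note: two homeDirectory mappings are listed; enable only
# the one matching your schema.
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# Because that default depends on the installed libldap, set this
# explicitly to "yes" (together with tls_cacertfile/tls_cacertdir)
# whenever the server is not on the local host; an unverified
# certificate leaves the TLS session open to interception.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
# The example below names a whole protocol family; choose a
# current, restrictive cipher list from your TLS library's
# documentation rather than copying it as-is.
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
# maxssf=0 removes SASL integrity and confidentiality protection,
# so combine it with ldaps:// or start_tls for a remote server.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5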