# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Format: one "option value" per line, '#' starts a comment.
# Only 'host' and 'base' are active below; every other line is a
# commented-out example. Uncomment the whole line to enable it.
#
# NOTE(review): this file is read by the NSS library, i.e. by
# unprivileged processes, so it normally has to be readable by every
# local user — confirm the mode on your system. Do not place bind
# secrets in it (see bindpw / rootbinddn below).

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# NOTE(review): no 'ssl' directive is active in this file, so the
# connection is plain LDAP. That is reasonable for the loopback
# address; if this is changed to a remote server, also enable
# 'ssl start_tls' and 'tls_checkpeer yes' (OpenLDAP SSL section below).
host 127.0.0.1

# The distinguished name of the search base.
base dc=padl,dc=com

# Another way to specify your LDAP server is to provide a
# uri with the server name. This allows using
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# The value is stored in cleartext in this file; because this file
# must be readable by local users (see header), prefer rootbinddn
# with /etc/ldap.secret for any privileged bind.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit (seconds)
#timelimit 30

# Bind/connect timelimit (seconds)
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# Because the password leaves the client unhashed in this mode,
# transport protection (ssl / start_tls below) is what keeps it
# confidential on the wire.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# NOTE(review): if the effective setting is "no", the server certificate
# is not verified, so TLS protects against eavesdropping but not against
# a server impersonating yours. Set this explicitly to "yes" rather than
# relying on the library default, and point tls_cacertfile/tls_cacertdir
# at your CA.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
# The value below is only the example shipped with this file; review it
# against your current TLS policy before enabling it.
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
# With maxssf=0 SASL provides authentication only, no integrity or
# confidentiality layer; transport protection must then come from
# ssl / start_tls above.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5