# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library (nss_ldap) and the LDAP PAM module (pam_ldap).
#
# PADL Software
# http://www.padl.com
#
9
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to fail over depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# Note: the connection is unencrypted unless one of the
# ssl/tls options below is also set.
host 127.0.0.1
16
17# The distinguished name of the search base.
18base dc=padl,dc=com
19
# Another way to specify your LDAP server is to provide a
# uri with the server name. This allows the use of
# Unix domain sockets to connect to a local LDAP server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
27
# The LDAP version to use (defaults to 3
# if supported by the client library)
#ldap_version 3
31
32# The distinguished name to bind to the server with.
33# Optional: default is to bind anonymously.
34#binddn cn=proxyuser,dc=padl,dc=com
35
# The credentials to bind with.
# Optional: default is no credential.
# Note: a password set here is stored in cleartext in this
# file, which the nss_ldap library must be able to read; for
# a privileged bind prefer rootbinddn with /etc/ldap.secret
# (see below).
#bindpw secret
39
# The distinguished name to bind to the server with
# if the effective user ID is root. The password is
# stored in /etc/ldap.secret (mode 600), not in this file.
#rootbinddn cn=manager,dc=padl,dc=com
44
45# The port.
46# Optional: default is 389.
47#port 389
48
49# The search scope.
50#scope sub
51#scope one
52#scope base
53
54# Search timelimit
55#timelimit 30
56
57# Bind/connect timelimit
58#bind_timelimit 30
59
# Reconnect policy: hard (default) will retry connecting to
# the server with exponential backoff; soft will fail
# immediately.
#bind_policy hard
64
65# Idle timelimit; client will close connections
66# (nss_ldap only) if the server has not been contacted
67# for the number of seconds specified below.
68#idle_timelimit 3600
69
70# Filter to AND with uid=%s
71#pam_filter objectclass=account
72
73# The user ID attribute (defaults to uid)
74#pam_login_attribute uid
75
76# Search the root DSE for the password policy (works
77# with Netscape Directory Server)
78#pam_lookup_policy yes
79
# Check the 'host' attribute for access control.
# Default is no; if set to yes, and the user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization),
# then the user will not be allowed to log in.
#pam_check_host_attr yes
86
# Check the 'authorizedService' attribute for access
# control.
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization), then the user will not be allowed
# to log in.
#pam_check_service_attr yes
95
96# Group to enforce membership of
97#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
98
99# Group member attribute
100#pam_member_attribute uniquemember
101
# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
105
# Template login attribute, default template user
# (can be overridden by the value of the former attribute
# in the user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
112
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# Because the new password is sent to the server as entered,
# use this only over a connection protected by the ssl/tls
# options below.
#pam_password clear
121
122# Hash password locally; required for University of
123# Michigan LDAP server, and works with Netscape
124# Directory Server if you're using the UNIX-Crypt
125# hash mechanism and not using the NT Synchronization
126# service.
127#pam_password crypt
128
129# Remove old password first, then update in
130# cleartext. Necessary for use with Novell
131# Directory Services (NDS)
132#pam_password clear_remove_old
133#pam_password nds
134
135# RACF is an alias for the above. For use with
136# IBM RACF
137#pam_password racf
138
139# Update Active Directory password, by
140# creating Unicode password and updating
141# unicodePwd attribute.
142#pam_password ad
143
144# Use the OpenLDAP password change
145# extended operation to update the password.
146#pam_password exop
147
148# Redirect users to a URL or somesuch on password
149# changes.
150#pam_password_prohibit_message Please visit http://internal to change your password.
151
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix, e.g.:
# nss_base_passwd	ou=People,
# to append the default base DN, but this
# may incur a small performance impact.
162#nss_base_passwd	ou=People,dc=padl,dc=com?one
163#nss_base_shadow	ou=People,dc=padl,dc=com?one
164#nss_base_group		ou=Group,dc=padl,dc=com?one
165#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
166#nss_base_services	ou=Services,dc=padl,dc=com?one
167#nss_base_networks	ou=Networks,dc=padl,dc=com?one
168#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
169#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
170#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks	ou=Networks,dc=padl,dc=com?one
172#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
173#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
174#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
175
176# attribute/objectclass mapping
177# Syntax:
178#nss_map_attribute	rfc2307attribute	mapped_attribute
179#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
180
181# configure --enable-nds is no longer supported.
182# NDS mappings
183#nss_map_attribute uniqueMember member
184
185# Services for UNIX 3.5 mappings
186#nss_map_objectclass posixAccount User
187#nss_map_objectclass shadowAccount User
188#nss_map_attribute uid msSFU30Name
189#nss_map_attribute uniqueMember msSFU30PosixMember
190#nss_map_attribute userPassword msSFU30Password
191#nss_map_attribute homeDirectory msSFU30HomeDirectory
192#nss_map_attribute homeDirectory msSFUHomeDirectory
193#nss_map_objectclass posixGroup Group
194#pam_login_attribute msSFU30Name
195#pam_filter objectclass=User
196#pam_password ad
197
198# configure --enable-mssfu-schema is no longer supported.
199# Services for UNIX 2.0 mappings
200#nss_map_objectclass posixAccount User
201#nss_map_objectclass shadowAccount user
202#nss_map_attribute uid msSFUName
203#nss_map_attribute uniqueMember posixMember
204#nss_map_attribute userPassword msSFUPassword
205#nss_map_attribute homeDirectory msSFUHomeDirectory
206#nss_map_attribute shadowLastChange pwdLastSet
207#nss_map_objectclass posixGroup Group
208#nss_map_attribute cn msSFUName
209#pam_login_attribute msSFUName
210#pam_filter objectclass=User
211#pam_password ad
212
213# RFC 2307 (AD) mappings
214#nss_map_objectclass posixAccount user
215#nss_map_objectclass shadowAccount user
216#nss_map_attribute uid sAMAccountName
217#nss_map_attribute homeDirectory unixHomeDirectory
218#nss_map_attribute shadowLastChange pwdLastSet
219#nss_map_objectclass posixGroup group
220#nss_map_attribute uniqueMember member
221#pam_login_attribute sAMAccountName
222#pam_filter objectclass=User
223#pam_password ad
224
225# configure --enable-authpassword is no longer supported
226# AuthPassword mappings
227#nss_map_attribute userPassword authPassword
228
229# AIX SecureWay mappings
230#nss_map_objectclass posixAccount aixAccount
231#nss_base_passwd ou=aixaccount,?one
232#nss_map_attribute uid userName
233#nss_map_attribute gidNumber gid
234#nss_map_attribute uidNumber uid
235#nss_map_attribute userPassword passwordChar
236#nss_map_objectclass posixGroup aixAccessGroup
237#nss_base_group ou=aixgroup,?one
238#nss_map_attribute cn groupName
239#nss_map_attribute uniqueMember member
240#pam_login_attribute userName
241#pam_filter objectclass=aixAccount
242#pam_password clear
243
244# Netscape SDK LDAPS
245#ssl on
246
247# Netscape SDK SSL options
248#sslpath /etc/ssl/certs
249
# OpenLDAP SSL mechanism
# The start_tls mechanism uses the normal LDAP port; LDAPS typically uses 636.
#ssl start_tls
#ssl on
254
# OpenLDAP SSL options
# Require and verify the server certificate (yes/no).
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# If this is "no" the client accepts whatever certificate the server
# presents, so set it to "yes" and configure one of the tls_cacert*
# options below wherever possible.
#tls_checkpeer yes
261
# CA certificates for server certificate verification.
# At least one of these is required if tls_checkpeer is "yes".
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
266
# Seed the PRNG from this file if /dev/urandom is not available
#tls_randfile /var/run/egd-pool
269
# SSL cipher suite
# See ciphers(1) for the syntax
#tls_ciphers TLSv1
273
# Client certificate and key.
# Use these if your server requires client authentication.
#tls_cert
#tls_key
278
# Disable SASL security layers. This is needed for AD.
# Note: with maxssf=0 SASL provides no integrity or confidentiality
# protection, so rely on the ssl/tls options above for that.
#sasl_secprops maxssf=0
281
282# Override the default Kerberos ticket cache location.
283#krb5_ccname FILE:/etc/.ldapcache
284
# SASL mechanism for PAM authentication - its use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
288