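# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man pages for this file are nss_ldap(5) and pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
# Format: one "keyword value" directive per line, keyword and value
# separated by whitespace; '#' starts a full-line comment. A directive
# line that begins with '#' is an example only and is not in effect.

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=scripts,dc=mit,dc=edu

# Another way to specify your LDAP server is to provide a
# URI with the server name. This allows you to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The active ldapi:// uri below reaches a local slapd over a Unix domain
# socket; the ssl/tls_* settings further down are not what protects this
# connection. They matter if a network ldap:// or ldaps:// uri is enabled.
uri ldapi://%2fvar%2frun%2fslapd-scripts.socket/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# NOTE(review): a value here is a plaintext credential kept in this file,
# which nss_ldap presumably needs readable by unprivileged processes --
# confirm the file mode before setting it. For a privileged bind prefer
# rootbinddn with the password in /etc/ldap.secret (mode 600), see below.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit (seconds)
#timelimit 30
timelimit 120

# Bind/connect timelimit (seconds)
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
# With a network uri this sends the new password to the server as-is,
# so it should only be combined with a connection protected by TLS
# (see the ssl/tls_* settings below).
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd         ou=People,dc=scripts,dc=mit,dc=edu?one
#nss_base_shadow        ou=People,dc=example,dc=com?one
nss_base_group          ou=Groups,dc=scripts,dc=mit,dc=edu?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one

# Just assume that there are no supplemental groups for these named users
# (comma-separated list; lookups for them never touch the directory)
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# If a network uri is enabled, set this to yes explicitly together with
# tls_cacertfile/tls_cacertdir below rather than relying on the library
# default, which varies by OpenLDAP version.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5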