ldap.conf

  1. # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
  2. #
  3. # This is the configuration file for the LDAP nameservice
  4. # switch library and the LDAP PAM module.
  5. #
  6. # The man pages for this file are nss_ldap(5) and pam_ldap(5)
  7. #
  8. # PADL Software
  9. # http://www.padl.com
  10. #
  11.  
  12. #debug 1
  13.  
  14. # Your LDAP server. Must be resolvable without using LDAP.
  15. # Multiple hosts may be specified, each separated by a
  16. # space. How long nss_ldap takes to failover depends on
  17. # whether your LDAP client library supports configurable
  18. # network or connect timeouts (see bind_timelimit).
  19. host 192.168.1.37
  20.  
  21. # The distinguished name of the search base.
  22. base dc=dresults,dc=com
  23.  
  24. # Another way to specify your LDAP server is to provide an
  25. # uri with the server name. This allows to use
  26. # Unix Domain Sockets to connect to a local LDAP Server.
  27. uri ldap://192.168.1.37
  28. #uri ldaps://127.0.0.1/
  29. #uri ldapi://127.0.0.1/
  30. # Note: %2f encodes the '/' used as directory separator
  31.  
  32. # The LDAP version to use (defaults to 3
  33. # if supported by client library)
  34. ldap_version 3
  35.  
  36. # The distinguished name to bind to the server with.
  37. # Optional: default is to bind anonymously.
  38. #binddn cn=proxyuser,dc=example,dc=com
  39.  
  40. # The credentials to bind with.
  41. # Optional: default is no credential.
  42. #bindpw secret
  43.  
  44. # The distinguished name to bind to the server with
  45. # if the effective user ID is root. Password is
  46. # stored in /etc/ldap.secret (mode 600)
  47. rootbinddn cn=directory manager
  48. #,dc=example,dc=com
  49.  
  50. # The port.
  51. # Optional: default is 389.
  52. port 389
  53.  
# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit (seconds a single search may run server-side)
#timelimit 30
timelimit 120

# Bind/connect timelimit (seconds)
# NOTE(review): together with the default `bind_policy hard` below, an
# unreachable server makes every name lookup on this host (sshd, sudo,
# cron, login) block for up to this long before nss_ldap fails over or
# gives up. 120s is a long client-side outage when the directory is
# down - confirm it is intentional rather than a copy of timelimit.
#bind_timelimit 30
bind_timelimit 120

# Reconnect policy: hard (default) will retry connecting to
# the server with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
  77.  
# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
# NOTE(review): with no floor, pam_ldap will accept directory
# credentials for any login name the directory answers for, including
# names of local system accounts such as root if such an entry exists
# (verify against pam_ldap(5) for the installed version). A pam_min_uid
# at the first non-system UID stops LDAP-sourced passwords being
# honoured for local privileged accounts; it gates pam_ldap only,
# nss_ldap will still resolve such entries.
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
  120.  
  121. # HEADS UP: the pam_crypt, pam_nds_passwd,
  122. # and pam_ad_passwd options are no
  123. # longer supported.
  124. #
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default. The new password is therefore
# written to the server as-is, so this mode belongs behind TLS.
  128. #pam_password clear
  129.  
  130. # Hash password locally; required for University of
  131. # Michigan LDAP server, and works with Netscape
  132. # Directory Server if you're using the UNIX-Crypt
  133. # hash mechanism and not using the NT Synchronization
  134. # service.
  135. #pam_password crypt
  136.  
  137. # Remove old password first, then update in
  138. # cleartext. Necessary for use with Novell
  139. # Directory Services (NDS)
  140. #pam_password clear_remove_old
  141. #pam_password nds
  142.  
  143. # RACF is an alias for the above. For use with
  144. # IBM RACF
  145. #pam_password racf
  146.  
  147. # Update Active Directory password, by
  148. # creating Unicode password and updating
  149. # unicodePwd attribute.
  150. #pam_password ad
  151.  
  152. # Use the OpenLDAP password change
  153. # extended operation to update the password.
  154. #pam_password exop
  155.  
  156. # Redirect users to a URL or somesuch on password
  157. # changes.
  158. #pam_password_prohibit_message Please visit http://internal to change your password.
  159.  
  160. # RFC2307bis naming contexts
  161. # Syntax:
  162. # nss_base_XXX base?scope?filter
  163. # where scope is {base,one,sub}
  164. # and filter is a filter to be &'d with the
  165. # default filter.
  166. # You can omit the suffix eg:
  167. # nss_base_passwd ou=People,
  168. # to append the default base DN but this
  169. # may incur a small performance impact.
  170. #nss_base_passwd ou=People,dc=example,dc=com?one
  171. #nss_base_shadow ou=People,dc=example,dc=com?one
  172. #nss_base_group ou=Group,dc=example,dc=com?one
  173. #nss_base_hosts ou=Hosts,dc=example,dc=com?one
  174. #nss_base_services ou=Services,dc=example,dc=com?one
  175. #nss_base_networks ou=Networks,dc=example,dc=com?one
  176. #nss_base_protocols ou=Protocols,dc=example,dc=com?one
  177. #nss_base_rpc ou=Rpc,dc=example,dc=com?one
  178. #nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?one
  180. #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
  181. #nss_base_aliases ou=Aliases,dc=example,dc=com?one
  182. #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
  183.  
  184. # Just assume that there are no supplemental groups for these named users
  185. nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
  186.  
  187. # attribute/objectclass mapping
  188. # Syntax:
  189. #nss_map_attribute rfc2307attribute mapped_attribute
  190. #nss_map_objectclass rfc2307objectclass mapped_objectclass
  191.  
  192. # configure --enable-nds is no longer supported.
  193. # NDS mappings
  194. #nss_map_attribute uniqueMember member
  195.  
  196. # Services for UNIX 3.5 mappings
  197. #nss_map_objectclass posixAccount User
  198. #nss_map_objectclass shadowAccount User
  199. #nss_map_attribute uid msSFU30Name
  200. #nss_map_attribute uniqueMember msSFU30PosixMember
  201. #nss_map_attribute userPassword msSFU30Password
  202. #nss_map_attribute homeDirectory msSFU30HomeDirectory
  203. #nss_map_attribute homeDirectory msSFUHomeDirectory
  204. #nss_map_objectclass posixGroup Group
  205. #pam_login_attribute msSFU30Name
  206. #pam_filter objectclass=User
  207. #pam_password ad
  208.  
  209. # configure --enable-mssfu-schema is no longer supported.
  210. # Services for UNIX 2.0 mappings
  211. #nss_map_objectclass posixAccount User
  212. #nss_map_objectclass shadowAccount user
  213. #nss_map_attribute uid msSFUName
  214. #nss_map_attribute uniqueMember posixMember
  215. #nss_map_attribute userPassword msSFUPassword
  216. #nss_map_attribute homeDirectory msSFUHomeDirectory
  217. #nss_map_attribute shadowLastChange pwdLastSet
  218. #nss_map_objectclass posixGroup Group
  219. #nss_map_attribute cn msSFUName
  220. #pam_login_attribute msSFUName
  221. #pam_filter objectclass=User
  222. #pam_password ad
  223.  
  224. # RFC 2307 (AD) mappings
  225. #nss_map_objectclass posixAccount user
  226. #nss_map_objectclass shadowAccount user
  227. #nss_map_attribute uid sAMAccountName
  228. #nss_map_attribute homeDirectory unixHomeDirectory
  229. #nss_map_attribute shadowLastChange pwdLastSet
  230. #nss_map_objectclass posixGroup group
  231. #nss_map_attribute uniqueMember member
  232. #pam_login_attribute sAMAccountName
  233. #pam_filter objectclass=User
  234. #pam_password ad
  235.  
  236. # configure --enable-authpassword is no longer supported
  237. # AuthPassword mappings
  238. #nss_map_attribute userPassword authPassword
  239.  
  240. # AIX SecureWay mappings
  241. #nss_map_objectclass posixAccount aixAccount
  242. #nss_base_passwd ou=aixaccount,?one
  243. #nss_map_attribute uid userName
  244. #nss_map_attribute gidNumber gid
  245. #nss_map_attribute uidNumber uid
  246. #nss_map_attribute userPassword passwordChar
  247. #nss_map_objectclass posixGroup aixAccessGroup
  248. #nss_base_group ou=aixgroup,?one
  249. #nss_map_attribute cn groupName
  250. #nss_map_attribute uniqueMember member
  251. #pam_login_attribute userName
  252. #pam_filter objectclass=aixAccount
  253. #pam_password clear
  254.  
  255. # Netscape SDK LDAPS
  256. #ssl on
  257.  
  258. # Netscape SDK SSL options
  259. #sslpath /etc/ssl/certs
  260.  
  261. # OpenLDAP SSL mechanism
  262. # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
  263. #ssl start_tls
  264. #ssl on
  265.  
  266. # OpenLDAP SSL options
  267. # Require and verify server certificate (yes/no)
  268. # Default is to use libldap's default behavior, which can be configured in
  269. # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
  270. # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
  271. #tls_checkpeer yes
  272.  
  273. # CA certificates for server certificate verification
  274. # At least one of these are required if tls_checkpeer is "yes"
  275. #tls_cacertfile /etc/ssl/ca.cert
  276. #tls_cacertdir /etc/ssl/certs
  277.  
  278. # Seed the PRNG if /dev/urandom is not provided
  279. #tls_randfile /var/run/egd-pool
  280.  
# SSL cipher suite
# See man ciphers for syntax. In OpenSSL cipher-list syntax "TLSv1"
# admits every suite usable with TLS 1.0, weak ones included; prefer an
# explicit allow-list (for example HIGH:!aNULL:!MD5) and confirm it
# against what the server actually negotiates.
  283. #tls_ciphers TLSv1
  284.  
  285. # Client certificate and key
  286. # Use these, if your server requires client authentication.
  287. #tls_cert
  288. #tls_key
  289.  
# Disable SASL security layers. This is needed for AD.
# With maxssf=0 the SASL bind provides no integrity or privacy of its
# own, so the session is only as protected as the TLS layer beneath it;
# do not combine this with `ssl no` across the network.
  291. #sasl_secprops maxssf=0
  292.  
  293. # Override the default Kerberos ticket cache location.
  294. #krb5_ccname FILE:/etc/.ldapcache
  295.  
  296. # SASL mechanism for PAM authentication - use is experimental
  297. # at present and does not support password policy control
  298. #pam_sasl_mech DIGEST-MD5
  299. uri ldap://127.0.0.1/
  300. ssl no
  301. tls_cacertdir /etc/openldap/cacerts
  302. pam_password md5