Internal/SandboxConsoleSetup: ldap.conf


/etc/ldap.conf

###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
## NOTE(review): while that marker line is present, hand edits made below
## may be overwritten the next time dpkg-reconfigure runs; make lasting
## changes through debconf, or remove the marker deliberately.

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Format: one "keyword value" pair per line, whitespace-separated,
# '#' introduces a full-line comment. Only the uncommented keywords
# (base, uri, ldap_version, binddn, rootbinddn, pam_password,
# nss_initgroups_ignoreusers) are active; everything else is upstream
# documentation of the available options.
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=orbit-lab,dc=org

# Another way to specify your LDAP server is to provide an
# URI. This host uses a single plain ldap:// URI (TCP 389).
# NOTE(review): with "ssl start_tls" and tls_checkpeer left commented out
# further down, nothing in this file turns on TLS, so every bind -- the
# rootbinddn credential read from /etc/ldap.secret and the user passwords
# pam_ldap checks -- crosses the network unencrypted unless TLS is forced
# elsewhere. Acceptable only if the path to ldap1.orbit-lab.org is a
# trusted network; otherwise enable "ssl start_tls" together with
# "tls_checkpeer yes" and a tls_cacertfile/tls_cacertdir.
uri ldap://ldap1.orbit-lab.org/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): the keyword is present with an empty value; presumably this
# behaves like the anonymous default, which means the directory must permit
# anonymous read of the passwd/group subtrees -- confirm against the server
# ACLs rather than assuming it.
binddn

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# NOTE(review): cn=admin looks like the directory's administrative identity;
# root on this console can read /etc/ldap.secret and therefore act as that
# DN against the whole directory. Prefer a dedicated DN with read-only
# access to the shadow attributes if the directory supports it, and keep
# /etc/ldap.secret root-owned and 0600.
rootbinddn cn=admin,dc=orbit-lab,dc=org

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
#
# NOTE(review): the paragraph above describes "clear"; the active setting
# here is "md5", under which pam_ldap is understood to hash password
# changes locally (an unsalted {MD5} value) before writing userPassword --
# confirm on the server which hash form actually ends up stored. On
# OpenLDAP the "exop" mechanism listed below lets the server apply its own
# (salted) hashing policy and is usually the better choice.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
# NOTE(review): both forms are commented out, so this host talks plain
# LDAP; see the note above the active "uri" line.
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# NOTE(review): left unset here, so whether the server certificate is
# checked depends on the library default; if start_tls is ever enabled,
# set this to "yes" explicitly so peer verification does not silently
# depend on an external file.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

# Local system accounts for which nss_ldap skips the LDAP group-membership
# (initgroups) lookup, per the nss_ldap manual; this keeps daemons and
# early-boot logins from waiting on the directory. The commented copy of
# the line directly below is identical to the active one and can be
# dropped.
#nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data