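###DEBCONF###
##
## Configuration of this file will be managed by debconf as long as the
## first line of the file says '###DEBCONF###'
##
## You should use dpkg-reconfigure to configure this file via debconf
##
## NOTE(review): while the marker above is present, hand edits to the
## debconf-managed keys (uri, base, ldap_version, rootbinddn, ...) may be
## overwritten on the next dpkg-reconfigure; persist them there instead.

#
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=orbit-lab,dc=org

# Another way to specify your LDAP server is to provide an
# URI; this also allows using
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# NOTE(review): the active URI below is plain ldap:// and the TLS settings
# further down (ssl start_tls, tls_checkpeer, tls_cacertfile) are all
# commented out, so simple binds -- user passwords during PAM authentication
# and the rootbinddn credential read from /etc/ldap.secret -- leave this host
# unencrypted. Enabling start_tls with peer verification is the usual fix;
# confirm the server offers it before changing this.
uri ldap://ldap1.orbit-lab.org/

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): the line below carries no value. Whether nss_ldap/pam_ldap
# reads that as an anonymous bind or as a malformed directive is not shown
# here -- confirm, and comment the line out if an anonymous bind is intended.
binddn

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# NOTE(review): /etc/ldap.secret holds the clear-text password for the DN
# below; keep it root-owned and mode 0600, and prefer a least-privilege
# service DN over the directory administrator where the directory allows it.
rootbinddn cn=admin,dc=orbit-lab,dc=org

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# NOTE(review): the active value below had been placed under the description
# of "clear" above, which does not describe it. Per the pam_ldap
# documentation md5 hashes the new password on the client before it is
# written (verify against the installed version); MD5 is no longer an
# adequate password hash, so confirm the directory really requires it. For
# OpenLDAP the exop method further down lets the server apply its own
# password-hashing policy instead.
pam_password md5

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
# NOTE(review): both mechanisms are disabled, so the ldap:// URI above is
# used without transport encryption.
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
# NOTE(review): without peer verification a negotiated TLS session does not
# authenticate the server; enable this together with start_tls above and one
# of tls_cacertfile/tls_cacertdir below.
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
# NOTE(review): maxssf=0 turns off SASL integrity and confidentiality
# protection; only combine it with a TLS-protected connection.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

# Local system accounts for which initgroups() skips the LDAP group lookup,
# so that local daemons do not stall on the directory when it is unreachable.
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,libvirt-qemu,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data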