source: server/fedora/config/etc/ldap.conf @ 509

Last change on this file since 509 was 484, checked in by andersk, 17 years ago
/etc/ldap.conf.
File size: 8.8 KB
Line 
1# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
2#
3# This is the configuration file for the LDAP nameservice
4# switch library and the LDAP PAM module.
5#
6# The man pages for this file are nss_ldap(5) and pam_ldap(5)
7#
8# PADL Software
9# http://www.padl.com
10#
11
12# Your LDAP server. Must be resolvable without using LDAP.
13# Multiple hosts may be specified, each separated by a
14# space. How long nss_ldap takes to failover depends on
15# whether your LDAP client library supports configurable
16# network or connect timeouts (see bind_timelimit).
17host 127.0.0.1
18
19# The distinguished name of the search base.
20base dc=scripts,dc=mit,dc=edu
21
22# Another way to specify your LDAP server is to provide an
23# uri with the server name. This allows to use
24# Unix Domain Sockets to connect to a local LDAP Server.
25#uri ldap://127.0.0.1/
26#uri ldaps://127.0.0.1/   
27#uri ldapi://%2fvar%2frun%2fldapi_sock/
28# Note: %2f encodes the '/' used as directory separator
29
30# The LDAP version to use (defaults to 3
31# if supported by client library)
32#ldap_version 3
33
34# The distinguished name to bind to the server with.
35# Optional: default is to bind anonymously.
36#binddn cn=proxyuser,dc=example,dc=com
37
38# The credentials to bind with.
39# Optional: default is no credential.
40#bindpw secret
41
42# The distinguished name to bind to the server with
43# if the effective user ID is root. Password is
44# stored in /etc/ldap.secret (mode 600)
45#rootbinddn cn=manager,dc=example,dc=com
46
47# The port.
48# Optional: default is 389.
49#port 389
50
51# The search scope.
52#scope sub
53#scope one
54#scope base
55
56# Search timelimit
57#timelimit 30
58timelimit 120
59
60# Bind/connect timelimit
61#bind_timelimit 30
62bind_timelimit 120
63
64# Reconnect policy: hard (default) will retry connecting to
65# the software with exponential backoff, soft will fail
66# immediately.
67#bind_policy hard
68
69# Idle timelimit; client will close connections
70# (nss_ldap only) if the server has not been contacted
71# for the number of seconds specified below.
72#idle_timelimit 3600
73idle_timelimit 3600
74
75# Filter to AND with uid=%s
76#pam_filter objectclass=account
77
78# The user ID attribute (defaults to uid)
79#pam_login_attribute uid
80
81# Search the root DSE for the password policy (works
82# with Netscape Directory Server)
83#pam_lookup_policy yes
84
85# Check the 'host' attribute for access control
86# Default is no; if set to yes, and user has no
87# value for the host attribute, and pam_ldap is
88# configured for account management (authorization)
89# then the user will not be allowed to login.
90#pam_check_host_attr yes
91
92# Check the 'authorizedService' attribute for access
93# control
94# Default is no; if set to yes, and the user has no
95# value for the authorizedService attribute, and
96# pam_ldap is configured for account management
97# (authorization) then the user will not be allowed
98# to login.
99#pam_check_service_attr yes
100
101# Group to enforce membership of
102#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
103
104# Group member attribute
105#pam_member_attribute uniquemember
106
107# Specify a minium or maximum UID number allowed
108#pam_min_uid 0
109#pam_max_uid 0
110
111# Template login attribute, default template user
112# (can be overriden by value of former attribute
113# in user's entry)
114#pam_login_attribute userPrincipalName
115#pam_template_login_attribute uid
116#pam_template_login nobody
117
118# HEADS UP: the pam_crypt, pam_nds_passwd,
119# and pam_ad_passwd options are no
120# longer supported.
121#
122# Do not hash the password at all; presume
123# the directory server will do it, if
124# necessary. This is the default.
125#pam_password clear
126
127# Hash password locally; required for University of
128# Michigan LDAP server, and works with Netscape
129# Directory Server if you're using the UNIX-Crypt
130# hash mechanism and not using the NT Synchronization
131# service.
132#pam_password crypt
133
134# Remove old password first, then update in
135# cleartext. Necessary for use with Novell
136# Directory Services (NDS)
137#pam_password clear_remove_old
138#pam_password nds
139
140# RACF is an alias for the above. For use with
141# IBM RACF
142#pam_password racf
143
144# Update Active Directory password, by
145# creating Unicode password and updating
146# unicodePwd attribute.
147#pam_password ad
148
149# Use the OpenLDAP password change
150# extended operation to update the password.
151#pam_password exop
152
153# Redirect users to a URL or somesuch on password
154# changes.
155#pam_password_prohibit_message Please visit http://internal to change your password.
156
157# RFC2307bis naming contexts
158# Syntax:
159# nss_base_XXX          base?scope?filter
160# where scope is {base,one,sub}
161# and filter is a filter to be &'d with the
162# default filter.
163# You can omit the suffix eg:
164# nss_base_passwd       ou=People,
165# to append the default base DN but this
166# may incur a small performance impact.
167nss_base_passwd         ou=People,dc=scripts,dc=mit,dc=edu?one
168#nss_base_shadow        ou=People,dc=example,dc=com?one
169nss_base_group          ou=Groups,dc=scripts,dc=mit,dc=edu?one
170#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
171#nss_base_services      ou=Services,dc=example,dc=com?one
172#nss_base_networks      ou=Networks,dc=example,dc=com?one
173#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
174#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
175#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
176#nss_base_netmasks      ou=Networks,dc=example,dc=com?ne
177#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
178#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
179#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one
180
181# Just assume that there are no supplemental groups for these named users
182nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
183
184# attribute/objectclass mapping
185# Syntax:
186#nss_map_attribute      rfc2307attribute        mapped_attribute
187#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
188
189# configure --enable-nds is no longer supported.
190# NDS mappings
191#nss_map_attribute uniqueMember member
192
193# Services for UNIX 3.5 mappings
194#nss_map_objectclass posixAccount User
195#nss_map_objectclass shadowAccount User
196#nss_map_attribute uid msSFU30Name
197#nss_map_attribute uniqueMember msSFU30PosixMember
198#nss_map_attribute userPassword msSFU30Password
199#nss_map_attribute homeDirectory msSFU30HomeDirectory
200#nss_map_attribute homeDirectory msSFUHomeDirectory
201#nss_map_objectclass posixGroup Group
202#pam_login_attribute msSFU30Name
203#pam_filter objectclass=User
204#pam_password ad
205
206# configure --enable-mssfu-schema is no longer supported.
207# Services for UNIX 2.0 mappings
208#nss_map_objectclass posixAccount User
209#nss_map_objectclass shadowAccount user
210#nss_map_attribute uid msSFUName
211#nss_map_attribute uniqueMember posixMember
212#nss_map_attribute userPassword msSFUPassword
213#nss_map_attribute homeDirectory msSFUHomeDirectory
214#nss_map_attribute shadowLastChange pwdLastSet
215#nss_map_objectclass posixGroup Group
216#nss_map_attribute cn msSFUName
217#pam_login_attribute msSFUName
218#pam_filter objectclass=User
219#pam_password ad
220
221# RFC 2307 (AD) mappings
222#nss_map_objectclass posixAccount user
223#nss_map_objectclass shadowAccount user
224#nss_map_attribute uid sAMAccountName
225#nss_map_attribute homeDirectory unixHomeDirectory
226#nss_map_attribute shadowLastChange pwdLastSet
227#nss_map_objectclass posixGroup group
228#nss_map_attribute uniqueMember member
229#pam_login_attribute sAMAccountName
230#pam_filter objectclass=User
231#pam_password ad
232
233# configure --enable-authpassword is no longer supported
234# AuthPassword mappings
235#nss_map_attribute userPassword authPassword
236
237# AIX SecureWay mappings
238#nss_map_objectclass posixAccount aixAccount
239#nss_base_passwd ou=aixaccount,?one
240#nss_map_attribute uid userName
241#nss_map_attribute gidNumber gid
242#nss_map_attribute uidNumber uid
243#nss_map_attribute userPassword passwordChar
244#nss_map_objectclass posixGroup aixAccessGroup
245#nss_base_group ou=aixgroup,?one
246#nss_map_attribute cn groupName
247#nss_map_attribute uniqueMember member
248#pam_login_attribute userName
249#pam_filter objectclass=aixAccount
250#pam_password clear
251
252# Netscape SDK LDAPS
253#ssl on
254
255# Netscape SDK SSL options
256#sslpath /etc/ssl/certs
257
258# OpenLDAP SSL mechanism
259# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
260#ssl start_tls
261#ssl on
262
263# OpenLDAP SSL options
264# Require and verify server certificate (yes/no)
265# Default is to use libldap's default behavior, which can be configured in
266# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
267# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
268#tls_checkpeer yes
269
270# CA certificates for server certificate verification
271# At least one of these are required if tls_checkpeer is "yes"
272#tls_cacertfile /etc/ssl/ca.cert
273#tls_cacertdir /etc/ssl/certs
274
275# Seed the PRNG if /dev/urandom is not provided
276#tls_randfile /var/run/egd-pool
277
278# SSL cipher suite
279# See man ciphers for syntax
280#tls_ciphers TLSv1
281
282# Client certificate and key
283# Use these, if your server requires client authentication.
284#tls_cert
285#tls_key
286
287# Disable SASL security layers. This is needed for AD.
288#sasl_secprops maxssf=0
289
290# Override the default Kerberos ticket cache location.
291#krb5_ccname FILE:/etc/.ldapcache
292
293# SASL mechanism for PAM authentication - use is experimental
294# at present and does not support password policy control
295#pam_sasl_mech DIGEST-MD5
Note: See TracBrowser for help on using the repository browser.