Entwicklungsumgebung/Dateiliste/pam ldap.conf

/etc/pam_ldap.conf

Achtung: Bitte achten Sie unbedingt darauf, beim Kopieren und Einfügen einen Editor mit UNIX-Zeilenumbrüchen zu verwenden!

Hinweis: Die im delixs-Schulserver geänderten Zeilen sind gelb unterlegt.

---

<source highlight="24,29,36,49,56,69,152" lang="text">

1. 1. 1. DEBCONF###
2. the configuration of this file will be done by debconf as long as the
3. first line of the file says '###DEBCONF###'
5. you should use dpkg-reconfigure to configure this file
7. @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
9. This is the configuration file for the LDAP nameservice
10. switch library and the LDAP PAM module.
12. PADL Software
13. http://www.padl.com

1. Your LDAP server. Must be resolvable without using LDAP.
2. Multiple hosts may be specified, each separated by a
3. space. How long nss_ldap takes to failover depends on
4. whether your LDAP client library supports configurable
5. network or connect timeouts (see bind_timelimit).
6. host 127.0.0.1

1. The distinguished name of the search base.

base dc=delixs-schule,dc=de

1. Another way to specify your LDAP server is to provide an
2. uri ldap://10.100.0.1/
3. Unix Domain Sockets to connect to a local LDAP Server.

uri ldap://127.0.0.1/

1. uri ldaps://127.0.0.1/
2. uri ldapi://%2fvar%2frun%2fldapi_sock/
3. Note: %2f encodes the '/' used as directory separator

1. The LDAP version to use (defaults to 3
2. if supported by client library)

ldap_version 3

1. The distinguished name to bind to the server with.
2. Optional: default is to bind anonymously.
3. binddn cn=proxyuser,dc=padl,dc=com

1. The credentials to bind with.
2. Optional: default is no credential.
3. bindpw secret

1. The distinguished name to bind to the server with
2. if the effective user ID is root. Password is
3. stored in /etc/pam_ldap.secret (mode 600)

rootbinddn cn=admin,dc=delixs-schule,dc=de

1. The port.
2. Optional: default is 389.
3. port 389

1. The search scope.

scope sub

1. scope one
2. scope base

1. Search timelimit
2. timelimit 30

1. Bind/connect timelimit
2. bind_timelimit 30

1. Reconnect policy: hard (default) will retry connecting to
2. the software with exponential backoff, soft will fail
3. immediately.

bind_policy soft

1. Idle timelimit; client will close connections
2. (nss_ldap only) if the server has not been contacted
3. for the number of seconds specified below.
4. idle_timelimit 3600

1. Filter to AND with uid=%s
2. pam_filter objectclass=account

1. The user ID attribute (defaults to uid)
2. pam_login_attribute uid

1. Search the root DSE for the password policy (works
2. with Netscape Directory Server)
3. pam_lookup_policy yes

1. Check the 'host' attribute for access control
2. Default is no; if set to yes, and user has no
3. value for the host attribute, and pam_ldap is
4. configured for account management (authorization)
5. then the user will not be allowed to login.
6. pam_check_host_attr yes

1. Check the 'authorizedService' attribute for access
2. control
3. Default is no; if set to yes, and the user has no
4. value for the authorizedService attribute, and
5. pam_ldap is configured for account management
6. (authorization) then the user will not be allowed
7. to login.
8. pam_check_service_attr yes

1. Group to enforce membership of
2. pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

1. Group member attribute
2. pam_member_attribute uniquemember

1. Specify a minium or maximum UID number allowed
2. pam_min_uid 0
3. pam_max_uid 0

1. Template login attribute, default template user
2. (can be overriden by value of former attribute
3. in user's entry)
4. pam_login_attribute userPrincipalName
5. pam_template_login_attribute uid
6. pam_template_login nobody

1. HEADS UP: the pam_crypt, pam_nds_passwd,
2. and pam_ad_passwd options are no
3. longer supported.
5. Do not hash the password at all; presume
6. the directory server will do it, if
7. necessary. This is the default.
8. pam_password crypt

1. Hash password locally; required for University of
2. Michigan LDAP server, and works with Netscape
3. Directory Server if you're using the UNIX-Crypt
4. hash mechanism and not using the NT Synchronization
5. service.
6. pam_password crypt

1. Remove old password first, then update in
2. cleartext. Necessary for use with Novell
3. Directory Services (NDS)
4. pam_password clear_remove_old
5. pam_password nds

1. RACF is an alias for the above. For use with
2. IBM RACF
3. pam_password racf

1. Update Active Directory password, by
2. creating Unicode password and updating
3. unicodePwd attribute.
4. pam_password ad

1. Use the OpenLDAP password change
2. extended operation to update the password.

pam_password exop

1. Redirect users to a URL or somesuch on password
2. changes.
3. pam_password_prohibit_message Please visit http://internal to change your password.

1. RFC2307bis naming contexts
2. Syntax:
3. nss_base_XXX base?scope?filter
4. where scope is {base,one,sub}
5. and filter is a filter to be &'d with the
6. default filter.
7. You can omit the suffix eg:
8. nss_base_passwd ou=People,
9. to append the default base DN but this
10. may incur a small performance impact.
11. nss_base_passwd ou=People,dc=padl,dc=com?one
12. nss_base_shadow ou=People,dc=padl,dc=com?one
13. nss_base_group ou=Group,dc=padl,dc=com?one
14. nss_base_hosts ou=Hosts,dc=padl,dc=com?one
15. nss_base_services ou=Services,dc=padl,dc=com?one
16. nss_base_networks ou=Networks,dc=padl,dc=com?one
17. nss_base_protocols ou=Protocols,dc=padl,dc=com?one
18. nss_base_rpc ou=Rpc,dc=padl,dc=com?one
19. nss_base_ethers ou=Ethers,dc=padl,dc=com?one
20. nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
21. nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
22. nss_base_aliases ou=Aliases,dc=padl,dc=com?one
23. nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

1. attribute/objectclass mapping
2. Syntax:
3. nss_map_attribute rfc2307attribute mapped_attribute
4. nss_map_objectclass rfc2307objectclass mapped_objectclass

1. configure --enable-nds is no longer supported.
2. NDS mappings
3. nss_map_attribute uniqueMember member

1. Services for UNIX 3.5 mappings
2. nss_map_objectclass posixAccount User
3. nss_map_objectclass shadowAccount User
4. nss_map_attribute uid msSFU30Name
5. nss_map_attribute uniqueMember msSFU30PosixMember
6. nss_map_attribute userPassword msSFU30Password
7. nss_map_attribute homeDirectory msSFU30HomeDirectory
8. nss_map_attribute homeDirectory msSFUHomeDirectory
9. nss_map_objectclass posixGroup Group
10. pam_login_attribute msSFU30Name
11. pam_filter objectclass=User
12. pam_password ad

1. configure --enable-mssfu-schema is no longer supported.
2. Services for UNIX 2.0 mappings
3. nss_map_objectclass posixAccount User
4. nss_map_objectclass shadowAccount user
5. nss_map_attribute uid msSFUName
6. nss_map_attribute uniqueMember posixMember
7. nss_map_attribute userPassword msSFUPassword
8. nss_map_attribute homeDirectory msSFUHomeDirectory
9. nss_map_attribute shadowLastChange pwdLastSet
10. nss_map_objectclass posixGroup Group
11. nss_map_attribute cn msSFUName
12. pam_login_attribute msSFUName
13. pam_filter objectclass=User
14. pam_password ad

1. RFC 2307 (AD) mappings
2. nss_map_objectclass posixAccount user
3. nss_map_objectclass shadowAccount user
4. nss_map_attribute uid sAMAccountName
5. nss_map_attribute homeDirectory unixHomeDirectory
6. nss_map_attribute shadowLastChange pwdLastSet
7. nss_map_objectclass posixGroup group
8. nss_map_attribute uniqueMember member
9. pam_login_attribute sAMAccountName
10. pam_filter objectclass=User
11. pam_password ad

1. configure --enable-authpassword is no longer supported
2. AuthPassword mappings
3. nss_map_attribute userPassword authPassword

1. AIX SecureWay mappings
2. nss_map_objectclass posixAccount aixAccount
3. nss_base_passwd ou=aixaccount,?one
4. nss_map_attribute uid userName
5. nss_map_attribute gidNumber gid
6. nss_map_attribute uidNumber uid
7. nss_map_attribute userPassword passwordChar
8. nss_map_objectclass posixGroup aixAccessGroup
9. nss_base_group ou=aixgroup,?one
10. nss_map_attribute cn groupName
11. nss_map_attribute uniqueMember member
12. pam_login_attribute userName
13. pam_filter objectclass=aixAccount
14. pam_password clear

1. Netscape SDK LDAPS
2. ssl on

1. Netscape SDK SSL options
2. sslpath /etc/ssl/certs

1. OpenLDAP SSL mechanism
2. start_tls mechanism uses the normal LDAP port, LDAPS typically 636
3. ssl start_tls
4. ssl on

1. OpenLDAP SSL options
2. Require and verify server certificate (yes/no)
3. Default is to use libldap's default behavior, which can be configured in
4. /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting. The default for
5. OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
6. tls_checkpeer yes

1. CA certificates for server certificate verification
2. At least one of these are required if tls_checkpeer is "yes"
3. tls_cacertfile /etc/ssl/ca.cert
4. tls_cacertdir /etc/ssl/certs

1. Seed the PRNG if /dev/urandom is not provided
2. tls_randfile /var/run/egd-pool

1. SSL cipher suite
2. See man ciphers for syntax
3. tls_ciphers TLSv1

1. Client certificate and key
2. Use these, if your server requires client authentication.
3. tls_cert
4. tls_key

1. Disable SASL security layers. This is needed for AD.
2. sasl_secprops maxssf=0

1. Override the default Kerberos ticket cache location.
2. krb5_ccname FILE:/etc/.ldapcache

1. SASL mechanism for PAM authentication - use is experimental
2. at present and does not support password policy control
3. pam_sasl_mech DIGEST-MD5

</source>

---