Entwicklungsumgebung/Dateiliste/libnss-ldap.conf: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(libnss-ldap.conf) |
(libnss-ldap.conf) |
||
Zeile 14: | Zeile 14: | ||
---- | ---- | ||
<source highlight=" | <source highlight="21,24,25,30,37,54,61,69,78,83" lang="text"> | ||
###DEBCONF### | |||
# the configuration of this file will be done by debconf as long as the | |||
# first line of the file says '###DEBCONF###' | |||
# | |||
# you should use dpkg-reconfigure libnss-ldap to configure this file. | |||
# | |||
# @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $ | |||
# | |||
# This is the configuration file for the LDAP nameservice | |||
# switch library and the LDAP PAM module. | |||
# | |||
# PADL Software | |||
# http://www.padl.com | |||
# | |||
# Your LDAP server. Must be resolvable without using LDAP. | |||
# Multiple hosts may be specified, each separated by a | |||
# space. How long nss_ldap takes to failover depends on | |||
# whether your LDAP client library supports configurable | |||
# network or connect timeouts (see bind_timelimit). | |||
host 127.0.0.1 | |||
# The distinguished name of the search base. | |||
base dc=delixs-schule,dc=de | |||
deref always | |||
# Another way to specify your LDAP server is to provide an | |||
#uri ldap://10.100.0.1/ | |||
# Unix Domain Sockets to connect to a local LDAP Server. | |||
uri ldap://127.0.0.1/ | |||
#uri ldaps://127.0.0.1/ | |||
#uri ldapi://%2fvar%2frun%2fldapi_sock/ | |||
# Note: %2f encodes the '/' used as directory separator | |||
# The LDAP version to use (defaults to 3 | |||
# if supported by client library) | |||
ldap_version 3 | |||
# The distinguished name to bind to the server with. | |||
# Optional: default is to bind anonymously. | |||
# Please do not put double quotes around it as they | |||
# would be included literally. | |||
#binddn cn=proxyuser,dc=padl,dc=com | |||
# The credentials to bind with. | |||
# Optional: default is no credential. | |||
#bindpw secret | |||
# The distinguished name to bind to the server with | |||
# if the effective user ID is root. Password is | |||
# stored in /etc/libnss-ldap.secret (mode 600) | |||
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead | |||
# of an editor to create the file. | |||
rootbinddn cn=admin,dc=delixs-schule,dc=de | |||
# The port. | |||
# Optional: default is 389. | |||
#port 389 | |||
# The search scope. | |||
scope sub | |||
#scope one | |||
#scope base | |||
# Search timelimit | |||
#timelimit 30 | |||
# Bind/connect timelimit | |||
bind_timelimit 30 | |||
# Reconnect policy: | |||
# hard_open: reconnect to DSA with exponential backoff if | |||
# opening connection failed | |||
# hard_init: reconnect to DSA with exponential backoff if | |||
# initializing connection failed | |||
# hard: alias for hard_open | |||
# soft: return immediately on server failure | |||
bind_policy soft | |||
# Connection policy: | |||
# persist: DSA connections are kept open (default) | |||
# oneshot: DSA connections destroyed after request | |||
nss_connect_policy persist | |||
# Idle timelimit; client will close connections | |||
# (nss_ldap only) if the server has not been contacted | |||
# for the number of seconds specified below. | |||
#idle_timelimit 3600 | |||
# Use paged rseults | |||
#nss_paged_results yes | |||
# Pagesize: when paged results enable, used to set the | |||
# pagesize to a custom value | |||
#pagesize 1000 | |||
# Filter to AND with uid=%s | |||
#pam_filter objectclass=account | |||
# The user ID attribute (defaults to uid) | |||
#pam_login_attribute uid | |||
# Search the root DSE for the password policy (works | |||
# with Netscape Directory Server) | |||
#pam_lookup_policy yes | |||
# Check the 'host' attribute for access control | |||
# Default is no; if set to yes, and user has no | |||
# value for the host attribute, and pam_ldap is | |||
# configured for account management (authorization) | |||
# then the user will not be allowed to login. | |||
#pam_check_host_attr yes | |||
# Check the 'authorizedService' attribute for access | |||
# control | |||
# Default is no; if set to yes, and the user has no | |||
# value for the authorizedService attribute, and | |||
# pam_ldap is configured for account management | |||
# (authorization) then the user will not be allowed | |||
# to login. | |||
#pam_check_service_attr yes | |||
# Group to enforce membership of | |||
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com | |||
# Group member attribute | |||
#pam_member_attribute uniquemember | |||
# Specify a minium or maximum UID number allowed | |||
#pam_min_uid 0 | |||
#pam_max_uid 0 | |||
# Template login attribute, default template user | |||
# (can be overriden by value of former attribute | |||
# in user's entry) | |||
#pam_login_attribute userPrincipalName | |||
#pam_template_login_attribute uid | |||
#pam_template_login nobody | |||
# HEADS UP: the pam_crypt, pam_nds_passwd, | |||
# and pam_ad_passwd options are no | |||
# longer supported. | |||
# | |||
# Do not hash the password at all; presume | |||
# the directory server will do it, if | |||
# necessary. This is the default. | |||
#pam_password clear | |||
# Hash password locally; required for University of | |||
# Michigan LDAP server, and works with Netscape | |||
# Directory Server if you're using the UNIX-Crypt | |||
# hash mechanism and not using the NT Synchronization | |||
# service. | |||
#pam_password crypt | |||
# Remove old password first, then update in | |||
# cleartext. Necessary for use with Novell | |||
# Directory Services (NDS) | |||
#pam_password nds | |||
# RACF is an alias for the above. For use with | |||
# IBM RACF | |||
#pam_password racf | |||
# Update Active Directory password, by | |||
# creating Unicode password and updating | |||
# unicodePwd attribute. | |||
#pam_password ad | |||
# Use the OpenLDAP password change | |||
# extended operation to update the password. | |||
#pam_password exop | |||
# Redirect users to a URL or somesuch on password | |||
# changes. | |||
#pam_password_prohibit_message Please visit http://internal to change your password. | |||
# Use backlinks for answering initgroups() | |||
#nss_initgroups backlink | |||
# Enable support for RFC2307bis (distinguished names in group | |||
# members) | |||
#nss_schema rfc2307bis | |||
# RFC2307bis naming contexts | |||
# Syntax: | |||
# nss_base_XXX base?scope?filter | |||
# where scope is {base,one,sub} | |||
# and filter is a filter to be &'d with the | |||
# default filter. | |||
# You can omit the suffix eg: | |||
# nss_base_passwd ou=People, | |||
# to append the default base DN but this | |||
# may incur a small performance impact. | |||
#nss_base_passwd ou=People,dc=padl,dc=com?one | |||
#nss_base_shadow ou=People,dc=padl,dc=com?one | |||
#nss_base_group ou=Group,dc=padl,dc=com?one | |||
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one | |||
#nss_base_services ou=Services,dc=padl,dc=com?one | |||
#nss_base_networks ou=Networks,dc=padl,dc=com?one | |||
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one | |||
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one | |||
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one | |||
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne | |||
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one | |||
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one | |||
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one | |||
# attribute/objectclass mapping | |||
# Syntax: | |||
#nss_map_attribute rfc2307attribute mapped_attribute | |||
#nss_map_objectclass rfc2307objectclass mapped_objectclass | |||
# configure --enable-nds is no longer supported. | |||
# NDS mappings | |||
#nss_map_attribute uniqueMember member | |||
# Services for UNIX 3.5 mappings | |||
#nss_map_objectclass posixAccount User | |||
#nss_map_objectclass shadowAccount User | |||
#nss_map_attribute uid msSFU30Name | |||
#nss_map_attribute uniqueMember msSFU30PosixMember | |||
#nss_map_attribute userPassword msSFU30Password | |||
#nss_map_attribute homeDirectory msSFU30HomeDirectory | |||
#nss_map_attribute homeDirectory msSFUHomeDirectory | |||
#nss_map_objectclass posixGroup Group | |||
#pam_login_attribute msSFU30Name | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# configure --enable-mssfu-schema is no longer supported. | |||
# Services for UNIX 2.0 mappings | |||
#nss_map_objectclass posixAccount User | |||
#nss_map_objectclass shadowAccount user | |||
#nss_map_attribute uid msSFUName | |||
#nss_map_attribute uniqueMember posixMember | |||
#nss_map_attribute userPassword msSFUPassword | |||
#nss_map_attribute homeDirectory msSFUHomeDirectory | |||
#nss_map_attribute shadowLastChange pwdLastSet | |||
#nss_map_objectclass posixGroup Group | |||
#nss_map_attribute cn msSFUName | |||
#pam_login_attribute msSFUName | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# RFC 2307 (AD) mappings | |||
#nss_map_objectclass posixAccount user | |||
#nss_map_objectclass shadowAccount user | |||
#nss_map_attribute uid sAMAccountName | |||
#nss_map_attribute homeDirectory unixHomeDirectory | |||
#nss_map_attribute shadowLastChange pwdLastSet | |||
#nss_map_objectclass posixGroup group | |||
#nss_map_attribute uniqueMember member | |||
#pam_login_attribute sAMAccountName | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# configure --enable-authpassword is no longer supported | |||
# AuthPassword mappings | |||
#nss_map_attribute userPassword authPassword | |||
# AIX SecureWay mappings | |||
#nss_map_objectclass posixAccount aixAccount | |||
#nss_base_passwd ou=aixaccount,?one | |||
#nss_map_attribute uid userName | |||
#nss_map_attribute gidNumber gid | |||
#nss_map_attribute uidNumber uid | |||
#nss_map_attribute userPassword passwordChar | |||
#nss_map_objectclass posixGroup aixAccessGroup | |||
#nss_base_group ou=aixgroup,?one | |||
#nss_map_attribute cn groupName | |||
#nss_map_attribute uniqueMember member | |||
#pam_login_attribute userName | |||
#pam_filter objectclass=aixAccount | |||
#pam_password clear | |||
# For pre-RFC2307bis automount schema | |||
#nss_map_objectclass automountMap nisMap | |||
#nss_map_attribute automountMapName nisMapName | |||
#nss_map_objectclass automount nisObject | |||
#nss_map_attribute automountKey cn | |||
#nss_map_attribute automountInformation nisMapEntry | |||
# Netscape SDK LDAPS | |||
#ssl on | |||
# Netscape SDK SSL options | |||
#sslpath /etc/ssl/certs | |||
# OpenLDAP SSL mechanism | |||
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 | |||
#ssl start_tls | |||
#ssl on | |||
# OpenLDAP SSL options | |||
# Require and verify server certificate (yes/no) | |||
# Default is to use libldap's default behavior, which can be configured in | |||
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for | |||
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". | |||
#tls_checkpeer yes | |||
# CA certificates for server certificate verification | |||
# At least one of these are required if tls_checkpeer is "yes" | |||
#tls_cacertfile /etc/ssl/ca.cert | |||
#tls_cacertdir /etc/ssl/certs | |||
# Seed the PRNG if /dev/urandom is not provided | |||
#tls_randfile /var/run/egd-pool | |||
# SSL cipher suite | |||
# See man ciphers for syntax | |||
#tls_ciphers TLSv1 | |||
# Client certificate and key | |||
# Use these, if your server requires client authentication. | |||
#tls_cert | |||
#tls_key | |||
# Disable SASL security layers. This is needed for AD. | |||
#sasl_secprops maxssf=0 | |||
# Override the default Kerberos ticket cache location. | |||
#krb5_ccname FILE:/etc/.ldapcache | |||
</source> | </source> | ||
Version vom 9. Juli 2009, 18:44 Uhr
Diese Seite sollte nochmals überarbeitet werden. Eine Begründung befindet sich in der Regel unter Diskussion (oben). |
/etc/libnss-ldap.conf
Achtung: Bitte achten Sie unbedingt darauf, beim Kopieren und Einfügen einen Editor mit UNIX-Zeilenumbrüchen zu verwenden!
Hinweis: Die im delixs-Schulserver geänderten Zeilen sind gelb unterlegt.
<source highlight="21,24,25,30,37,54,61,69,78,83" lang="text">
- DEBCONF###
- the configuration of this file will be done by debconf as long as the
- first line of the file says '###DEBCONF###'
- you should use dpkg-reconfigure libnss-ldap to configure this file.
- @(#)$Id: ldap.conf,v 2.48 2008/07/03 02:30:29 lukeh Exp $
- This is the configuration file for the LDAP nameservice
- switch library and the LDAP PAM module.
- PADL Software
- http://www.padl.com
- Your LDAP server. Must be resolvable without using LDAP.
- Multiple hosts may be specified, each separated by a
- space. How long nss_ldap takes to failover depends on
- whether your LDAP client library supports configurable
- network or connect timeouts (see bind_timelimit).
host 127.0.0.1
- The distinguished name of the search base.
base dc=delixs-schule,dc=de deref always
- Another way to specify your LDAP server is to provide an
- uri ldap://10.100.0.1/
- Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/
- uri ldaps://127.0.0.1/
- uri ldapi://%2fvar%2frun%2fldapi_sock/
- Note: %2f encodes the '/' used as directory separator
- The LDAP version to use (defaults to 3
- if supported by client library)
ldap_version 3
- The distinguished name to bind to the server with.
- Optional: default is to bind anonymously.
- Please do not put double quotes around it as they
- would be included literally.
- binddn cn=proxyuser,dc=padl,dc=com
- The credentials to bind with.
- Optional: default is no credential.
- bindpw secret
- The distinguished name to bind to the server with
- if the effective user ID is root. Password is
- stored in /etc/libnss-ldap.secret (mode 600)
- Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
- of an editor to create the file.
rootbinddn cn=admin,dc=delixs-schule,dc=de
- The port.
- Optional: default is 389.
- port 389
- The search scope.
scope sub
- scope one
- scope base
- Search timelimit
- timelimit 30
- Bind/connect timelimit
bind_timelimit 30
- Reconnect policy:
- hard_open: reconnect to DSA with exponential backoff if
- opening connection failed
- hard_init: reconnect to DSA with exponential backoff if
- initializing connection failed
- hard: alias for hard_open
- soft: return immediately on server failure
bind_policy soft
- Connection policy:
- persist: DSA connections are kept open (default)
- oneshot: DSA connections destroyed after request
nss_connect_policy persist
- Idle timelimit; client will close connections
- (nss_ldap only) if the server has not been contacted
- for the number of seconds specified below.
- idle_timelimit 3600
- Use paged rseults
- nss_paged_results yes
- Pagesize: when paged results enable, used to set the
- pagesize to a custom value
- pagesize 1000
- Filter to AND with uid=%s
- pam_filter objectclass=account
- The user ID attribute (defaults to uid)
- pam_login_attribute uid
- Search the root DSE for the password policy (works
- with Netscape Directory Server)
- pam_lookup_policy yes
- Check the 'host' attribute for access control
- Default is no; if set to yes, and user has no
- value for the host attribute, and pam_ldap is
- configured for account management (authorization)
- then the user will not be allowed to login.
- pam_check_host_attr yes
- Check the 'authorizedService' attribute for access
- control
- Default is no; if set to yes, and the user has no
- value for the authorizedService attribute, and
- pam_ldap is configured for account management
- (authorization) then the user will not be allowed
- to login.
- pam_check_service_attr yes
- Group to enforce membership of
- pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
- Group member attribute
- pam_member_attribute uniquemember
- Specify a minium or maximum UID number allowed
- pam_min_uid 0
- pam_max_uid 0
- Template login attribute, default template user
- (can be overriden by value of former attribute
- in user's entry)
- pam_login_attribute userPrincipalName
- pam_template_login_attribute uid
- pam_template_login nobody
- HEADS UP: the pam_crypt, pam_nds_passwd,
- and pam_ad_passwd options are no
- longer supported.
- Do not hash the password at all; presume
- the directory server will do it, if
- necessary. This is the default.
- pam_password clear
- Hash password locally; required for University of
- Michigan LDAP server, and works with Netscape
- Directory Server if you're using the UNIX-Crypt
- hash mechanism and not using the NT Synchronization
- service.
- pam_password crypt
- Remove old password first, then update in
- cleartext. Necessary for use with Novell
- Directory Services (NDS)
- pam_password nds
- RACF is an alias for the above. For use with
- IBM RACF
- pam_password racf
- Update Active Directory password, by
- creating Unicode password and updating
- unicodePwd attribute.
- pam_password ad
- Use the OpenLDAP password change
- extended operation to update the password.
- pam_password exop
- Redirect users to a URL or somesuch on password
- changes.
- pam_password_prohibit_message Please visit http://internal to change your password.
- Use backlinks for answering initgroups()
- nss_initgroups backlink
- Enable support for RFC2307bis (distinguished names in group
- members)
- nss_schema rfc2307bis
- RFC2307bis naming contexts
- Syntax:
- nss_base_XXX base?scope?filter
- where scope is {base,one,sub}
- and filter is a filter to be &'d with the
- default filter.
- You can omit the suffix eg:
- nss_base_passwd ou=People,
- to append the default base DN but this
- may incur a small performance impact.
- nss_base_passwd ou=People,dc=padl,dc=com?one
- nss_base_shadow ou=People,dc=padl,dc=com?one
- nss_base_group ou=Group,dc=padl,dc=com?one
- nss_base_hosts ou=Hosts,dc=padl,dc=com?one
- nss_base_services ou=Services,dc=padl,dc=com?one
- nss_base_networks ou=Networks,dc=padl,dc=com?one
- nss_base_protocols ou=Protocols,dc=padl,dc=com?one
- nss_base_rpc ou=Rpc,dc=padl,dc=com?one
- nss_base_ethers ou=Ethers,dc=padl,dc=com?one
- nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
- nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
- nss_base_aliases ou=Aliases,dc=padl,dc=com?one
- nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
- attribute/objectclass mapping
- Syntax:
- nss_map_attribute rfc2307attribute mapped_attribute
- nss_map_objectclass rfc2307objectclass mapped_objectclass
- configure --enable-nds is no longer supported.
- NDS mappings
- nss_map_attribute uniqueMember member
- Services for UNIX 3.5 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount User
- nss_map_attribute uid msSFU30Name
- nss_map_attribute uniqueMember msSFU30PosixMember
- nss_map_attribute userPassword msSFU30Password
- nss_map_attribute homeDirectory msSFU30HomeDirectory
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_objectclass posixGroup Group
- pam_login_attribute msSFU30Name
- pam_filter objectclass=User
- pam_password ad
- configure --enable-mssfu-schema is no longer supported.
- Services for UNIX 2.0 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid msSFUName
- nss_map_attribute uniqueMember posixMember
- nss_map_attribute userPassword msSFUPassword
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup Group
- nss_map_attribute cn msSFUName
- pam_login_attribute msSFUName
- pam_filter objectclass=User
- pam_password ad
- RFC 2307 (AD) mappings
- nss_map_objectclass posixAccount user
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid sAMAccountName
- nss_map_attribute homeDirectory unixHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup group
- nss_map_attribute uniqueMember member
- pam_login_attribute sAMAccountName
- pam_filter objectclass=User
- pam_password ad
- configure --enable-authpassword is no longer supported
- AuthPassword mappings
- nss_map_attribute userPassword authPassword
- AIX SecureWay mappings
- nss_map_objectclass posixAccount aixAccount
- nss_base_passwd ou=aixaccount,?one
- nss_map_attribute uid userName
- nss_map_attribute gidNumber gid
- nss_map_attribute uidNumber uid
- nss_map_attribute userPassword passwordChar
- nss_map_objectclass posixGroup aixAccessGroup
- nss_base_group ou=aixgroup,?one
- nss_map_attribute cn groupName
- nss_map_attribute uniqueMember member
- pam_login_attribute userName
- pam_filter objectclass=aixAccount
- pam_password clear
- For pre-RFC2307bis automount schema
- nss_map_objectclass automountMap nisMap
- nss_map_attribute automountMapName nisMapName
- nss_map_objectclass automount nisObject
- nss_map_attribute automountKey cn
- nss_map_attribute automountInformation nisMapEntry
- Netscape SDK LDAPS
- ssl on
- Netscape SDK SSL options
- sslpath /etc/ssl/certs
- OpenLDAP SSL mechanism
- start_tls mechanism uses the normal LDAP port, LDAPS typically 636
- ssl start_tls
- ssl on
- OpenLDAP SSL options
- Require and verify server certificate (yes/no)
- Default is to use libldap's default behavior, which can be configured in
- /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
- OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
- tls_checkpeer yes
- CA certificates for server certificate verification
- At least one of these are required if tls_checkpeer is "yes"
- tls_cacertfile /etc/ssl/ca.cert
- tls_cacertdir /etc/ssl/certs
- Seed the PRNG if /dev/urandom is not provided
- tls_randfile /var/run/egd-pool
- SSL cipher suite
- See man ciphers for syntax
- tls_ciphers TLSv1
- Client certificate and key
- Use these, if your server requires client authentication.
- tls_cert
- tls_key
- Disable SASL security layers. This is needed for AD.
- sasl_secprops maxssf=0
- Override the default Kerberos ticket cache location.
- krb5_ccname FILE:/etc/.ldapcache
</source>