Entwicklungsumgebung/Dateiliste/pam ldap.conf: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(/etc/pam_ldap.conf) |
(komplett) |
||
Zeile 11: | Zeile 11: | ||
---- | |||
<source highlight="24,29,36,49,56,69,152" lang="text"> | |||
###DEBCONF### | |||
# the configuration of this file will be done by debconf as long as the | |||
# first line of the file says '###DEBCONF###' | |||
# | |||
# you should use dpkg-reconfigure to configure this file | |||
# | |||
# @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ | |||
# | |||
# This is the configuration file for the LDAP nameservice | |||
# switch library and the LDAP PAM module. | |||
# | |||
# PADL Software | |||
# http://www.padl.com | |||
# | |||
# Your LDAP server. Must be resolvable without using LDAP. | |||
# Multiple hosts may be specified, each separated by a | |||
# space. How long nss_ldap takes to failover depends on | |||
# whether your LDAP client library supports configurable | |||
# network or connect timeouts (see bind_timelimit). | |||
#host 127.0.0.1 | |||
---- | # The distinguished name of the search base. | ||
base dc=delixs-schule,dc=de | |||
# Another way to specify your LDAP server is to provide an | |||
#uri ldap://10.100.0.1/ | |||
# Unix Domain Sockets to connect to a local LDAP Server. | |||
uri ldap://127.0.0.1/ | |||
#uri ldaps://127.0.0.1/ | |||
#uri ldapi://%2fvar%2frun%2fldapi_sock/ | |||
# Note: %2f encodes the '/' used as directory separator | |||
# The LDAP version to use (defaults to 3 | |||
# if supported by client library) | |||
ldap_version 3 | |||
# The distinguished name to bind to the server with. | |||
# Optional: default is to bind anonymously. | |||
#binddn cn=proxyuser,dc=padl,dc=com | |||
# The credentials to bind with. | |||
# Optional: default is no credential. | |||
#bindpw secret | |||
# The distinguished name to bind to the server with | |||
# if the effective user ID is root. Password is | |||
# stored in /etc/pam_ldap.secret (mode 600) | |||
rootbinddn cn=admin,dc=delixs-schule,dc=de | |||
# The port. | |||
# Optional: default is 389. | |||
#port 389 | |||
# The search scope. | |||
scope sub | |||
#scope one | |||
#scope base | |||
# Search timelimit | |||
#timelimit 30 | |||
# Bind/connect timelimit | |||
#bind_timelimit 30 | |||
# Reconnect policy: hard (default) will retry connecting to | |||
# the software with exponential backoff, soft will fail | |||
# immediately. | |||
bind_policy soft | |||
# Idle timelimit; client will close connections | |||
# (nss_ldap only) if the server has not been contacted | |||
# for the number of seconds specified below. | |||
#idle_timelimit 3600 | |||
# Filter to AND with uid=%s | |||
#pam_filter objectclass=account | |||
# The user ID attribute (defaults to uid) | |||
#pam_login_attribute uid | |||
# Search the root DSE for the password policy (works | |||
# with Netscape Directory Server) | |||
#pam_lookup_policy yes | |||
# Check the 'host' attribute for access control | |||
# Default is no; if set to yes, and user has no | |||
# value for the host attribute, and pam_ldap is | |||
# configured for account management (authorization) | |||
# then the user will not be allowed to login. | |||
#pam_check_host_attr yes | |||
# Check the 'authorizedService' attribute for access | |||
# control | |||
# Default is no; if set to yes, and the user has no | |||
# value for the authorizedService attribute, and | |||
# pam_ldap is configured for account management | |||
# (authorization) then the user will not be allowed | |||
# to login. | |||
#pam_check_service_attr yes | |||
# Group to enforce membership of | |||
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com | |||
# Group member attribute | |||
#pam_member_attribute uniquemember | |||
# Specify a minium or maximum UID number allowed | |||
#pam_min_uid 0 | |||
#pam_max_uid 0 | |||
# Template login attribute, default template user | |||
# (can be overriden by value of former attribute | |||
# in user's entry) | |||
#pam_login_attribute userPrincipalName | |||
#pam_template_login_attribute uid | |||
#pam_template_login nobody | |||
# HEADS UP: the pam_crypt, pam_nds_passwd, | |||
# and pam_ad_passwd options are no | |||
# longer supported. | |||
# | |||
# Do not hash the password at all; presume | |||
# the directory server will do it, if | |||
# necessary. This is the default. | |||
#pam_password crypt | |||
# Hash password locally; required for University of | |||
# Michigan LDAP server, and works with Netscape | |||
# Directory Server if you're using the UNIX-Crypt | |||
# hash mechanism and not using the NT Synchronization | |||
# service. | |||
#pam_password crypt | |||
# Remove old password first, then update in | |||
# cleartext. Necessary for use with Novell | |||
# Directory Services (NDS) | |||
#pam_password clear_remove_old | |||
#pam_password nds | |||
# RACF is an alias for the above. For use with | |||
# IBM RACF | |||
#pam_password racf | |||
# Update Active Directory password, by | |||
# creating Unicode password and updating | |||
# unicodePwd attribute. | |||
#pam_password ad | |||
# Use the OpenLDAP password change | |||
# extended operation to update the password. | |||
pam_password exop | |||
# Redirect users to a URL or somesuch on password | |||
# changes. | |||
#pam_password_prohibit_message Please visit http://internal to change your password. | |||
# RFC2307bis naming contexts | |||
# Syntax: | |||
# nss_base_XXX base?scope?filter | |||
# where scope is {base,one,sub} | |||
# and filter is a filter to be &'d with the | |||
# default filter. | |||
# You can omit the suffix eg: | |||
# nss_base_passwd ou=People, | |||
# to append the default base DN but this | |||
# may incur a small performance impact. | |||
#nss_base_passwd ou=People,dc=padl,dc=com?one | |||
#nss_base_shadow ou=People,dc=padl,dc=com?one | |||
#nss_base_group ou=Group,dc=padl,dc=com?one | |||
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one | |||
#nss_base_services ou=Services,dc=padl,dc=com?one | |||
#nss_base_networks ou=Networks,dc=padl,dc=com?one | |||
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one | |||
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one | |||
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one | |||
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne | |||
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one | |||
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one | |||
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one | |||
# attribute/objectclass mapping | |||
# Syntax: | |||
#nss_map_attribute rfc2307attribute mapped_attribute | |||
#nss_map_objectclass rfc2307objectclass mapped_objectclass | |||
# configure --enable-nds is no longer supported. | |||
# NDS mappings | |||
#nss_map_attribute uniqueMember member | |||
# Services for UNIX 3.5 mappings | |||
#nss_map_objectclass posixAccount User | |||
#nss_map_objectclass shadowAccount User | |||
#nss_map_attribute uid msSFU30Name | |||
#nss_map_attribute uniqueMember msSFU30PosixMember | |||
#nss_map_attribute userPassword msSFU30Password | |||
#nss_map_attribute homeDirectory msSFU30HomeDirectory | |||
#nss_map_attribute homeDirectory msSFUHomeDirectory | |||
#nss_map_objectclass posixGroup Group | |||
#pam_login_attribute msSFU30Name | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# configure --enable-mssfu-schema is no longer supported. | |||
# Services for UNIX 2.0 mappings | |||
#nss_map_objectclass posixAccount User | |||
#nss_map_objectclass shadowAccount user | |||
#nss_map_attribute uid msSFUName | |||
#nss_map_attribute uniqueMember posixMember | |||
#nss_map_attribute userPassword msSFUPassword | |||
#nss_map_attribute homeDirectory msSFUHomeDirectory | |||
#nss_map_attribute shadowLastChange pwdLastSet | |||
#nss_map_objectclass posixGroup Group | |||
#nss_map_attribute cn msSFUName | |||
#pam_login_attribute msSFUName | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# RFC 2307 (AD) mappings | |||
#nss_map_objectclass posixAccount user | |||
#nss_map_objectclass shadowAccount user | |||
#nss_map_attribute uid sAMAccountName | |||
#nss_map_attribute homeDirectory unixHomeDirectory | |||
#nss_map_attribute shadowLastChange pwdLastSet | |||
#nss_map_objectclass posixGroup group | |||
#nss_map_attribute uniqueMember member | |||
#pam_login_attribute sAMAccountName | |||
#pam_filter objectclass=User | |||
#pam_password ad | |||
# configure --enable-authpassword is no longer supported | |||
# AuthPassword mappings | |||
#nss_map_attribute userPassword authPassword | |||
# AIX SecureWay mappings | |||
#nss_map_objectclass posixAccount aixAccount | |||
#nss_base_passwd ou=aixaccount,?one | |||
#nss_map_attribute uid userName | |||
#nss_map_attribute gidNumber gid | |||
#nss_map_attribute uidNumber uid | |||
#nss_map_attribute userPassword passwordChar | |||
#nss_map_objectclass posixGroup aixAccessGroup | |||
#nss_base_group ou=aixgroup,?one | |||
#nss_map_attribute cn groupName | |||
#nss_map_attribute uniqueMember member | |||
#pam_login_attribute userName | |||
#pam_filter objectclass=aixAccount | |||
#pam_password clear | |||
# Netscape SDK LDAPS | |||
#ssl on | |||
# Netscape SDK SSL options | |||
#sslpath /etc/ssl/certs | |||
# OpenLDAP SSL mechanism | |||
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 | |||
#ssl start_tls | |||
#ssl on | |||
# OpenLDAP SSL options | |||
# Require and verify server certificate (yes/no) | |||
# Default is to use libldap's default behavior, which can be configured in | |||
# /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting. The default for | |||
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". | |||
#tls_checkpeer yes | |||
# CA certificates for server certificate verification | |||
# At least one of these are required if tls_checkpeer is "yes" | |||
#tls_cacertfile /etc/ssl/ca.cert | |||
#tls_cacertdir /etc/ssl/certs | |||
# Seed the PRNG if /dev/urandom is not provided | |||
#tls_randfile /var/run/egd-pool | |||
# SSL cipher suite | |||
# See man ciphers for syntax | |||
#tls_ciphers TLSv1 | |||
# Client certificate and key | |||
# Use these, if your server requires client authentication. | |||
#tls_cert | |||
#tls_key | |||
# Disable SASL security layers. This is needed for AD. | |||
#sasl_secprops maxssf=0 | |||
# Override the default Kerberos ticket cache location. | |||
#krb5_ccname FILE:/etc/.ldapcache | |||
# SASL mechanism for PAM authentication - use is experimental | |||
# at present and does not support password policy control | |||
#pam_sasl_mech DIGEST-MD5 | |||
</source> | </source> | ||
Version vom 9. Juli 2009, 19:17 Uhr
![]() |
Diese Seite sollte nochmals überarbeitet werden. Eine Begründung befindet sich in der Regel unter Diskussion (oben). |
/etc/pam_ldap.conf
Achtung: Bitte achten Sie unbedingt darauf, beim Kopieren und Einfügen einen Editor mit UNIX-Zeilenumbrüchen zu verwenden!
Hinweis: Die im delixs-Schulserver geänderten Zeilen sind gelb unterlegt.
<source highlight="24,29,36,49,56,69,152" lang="text">
- DEBCONF###
- the configuration of this file will be done by debconf as long as the
- first line of the file says '###DEBCONF###'
- you should use dpkg-reconfigure to configure this file
- @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
- This is the configuration file for the LDAP nameservice
- switch library and the LDAP PAM module.
- PADL Software
- http://www.padl.com
- Your LDAP server. Must be resolvable without using LDAP.
- Multiple hosts may be specified, each separated by a
- space. How long nss_ldap takes to failover depends on
- whether your LDAP client library supports configurable
- network or connect timeouts (see bind_timelimit).
- host 127.0.0.1
- The distinguished name of the search base.
base dc=delixs-schule,dc=de
- Another way to specify your LDAP server is to provide an
- uri ldap://10.100.0.1/
- Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/
- uri ldaps://127.0.0.1/
- uri ldapi://%2fvar%2frun%2fldapi_sock/
- Note: %2f encodes the '/' used as directory separator
- The LDAP version to use (defaults to 3
- if supported by client library)
ldap_version 3
- The distinguished name to bind to the server with.
- Optional: default is to bind anonymously.
- binddn cn=proxyuser,dc=padl,dc=com
- The credentials to bind with.
- Optional: default is no credential.
- bindpw secret
- The distinguished name to bind to the server with
- if the effective user ID is root. Password is
- stored in /etc/pam_ldap.secret (mode 600)
rootbinddn cn=admin,dc=delixs-schule,dc=de
- The port.
- Optional: default is 389.
- port 389
- The search scope.
scope sub
- scope one
- scope base
- Search timelimit
- timelimit 30
- Bind/connect timelimit
- bind_timelimit 30
- Reconnect policy: hard (default) will retry connecting to
- the software with exponential backoff, soft will fail
- immediately.
bind_policy soft
- Idle timelimit; client will close connections
- (nss_ldap only) if the server has not been contacted
- for the number of seconds specified below.
- idle_timelimit 3600
- Filter to AND with uid=%s
- pam_filter objectclass=account
- The user ID attribute (defaults to uid)
- pam_login_attribute uid
- Search the root DSE for the password policy (works
- with Netscape Directory Server)
- pam_lookup_policy yes
- Check the 'host' attribute for access control
- Default is no; if set to yes, and user has no
- value for the host attribute, and pam_ldap is
- configured for account management (authorization)
- then the user will not be allowed to login.
- pam_check_host_attr yes
- Check the 'authorizedService' attribute for access
- control
- Default is no; if set to yes, and the user has no
- value for the authorizedService attribute, and
- pam_ldap is configured for account management
- (authorization) then the user will not be allowed
- to login.
- pam_check_service_attr yes
- Group to enforce membership of
- pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
- Group member attribute
- pam_member_attribute uniquemember
- Specify a minium or maximum UID number allowed
- pam_min_uid 0
- pam_max_uid 0
- Template login attribute, default template user
- (can be overriden by value of former attribute
- in user's entry)
- pam_login_attribute userPrincipalName
- pam_template_login_attribute uid
- pam_template_login nobody
- HEADS UP: the pam_crypt, pam_nds_passwd,
- and pam_ad_passwd options are no
- longer supported.
- Do not hash the password at all; presume
- the directory server will do it, if
- necessary. This is the default.
- pam_password crypt
- Hash password locally; required for University of
- Michigan LDAP server, and works with Netscape
- Directory Server if you're using the UNIX-Crypt
- hash mechanism and not using the NT Synchronization
- service.
- pam_password crypt
- Remove old password first, then update in
- cleartext. Necessary for use with Novell
- Directory Services (NDS)
- pam_password clear_remove_old
- pam_password nds
- RACF is an alias for the above. For use with
- IBM RACF
- pam_password racf
- Update Active Directory password, by
- creating Unicode password and updating
- unicodePwd attribute.
- pam_password ad
- Use the OpenLDAP password change
- extended operation to update the password.
pam_password exop
- Redirect users to a URL or somesuch on password
- changes.
- pam_password_prohibit_message Please visit http://internal to change your password.
- RFC2307bis naming contexts
- Syntax:
- nss_base_XXX base?scope?filter
- where scope is {base,one,sub}
- and filter is a filter to be &'d with the
- default filter.
- You can omit the suffix eg:
- nss_base_passwd ou=People,
- to append the default base DN but this
- may incur a small performance impact.
- nss_base_passwd ou=People,dc=padl,dc=com?one
- nss_base_shadow ou=People,dc=padl,dc=com?one
- nss_base_group ou=Group,dc=padl,dc=com?one
- nss_base_hosts ou=Hosts,dc=padl,dc=com?one
- nss_base_services ou=Services,dc=padl,dc=com?one
- nss_base_networks ou=Networks,dc=padl,dc=com?one
- nss_base_protocols ou=Protocols,dc=padl,dc=com?one
- nss_base_rpc ou=Rpc,dc=padl,dc=com?one
- nss_base_ethers ou=Ethers,dc=padl,dc=com?one
- nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
- nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
- nss_base_aliases ou=Aliases,dc=padl,dc=com?one
- nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
- attribute/objectclass mapping
- Syntax:
- nss_map_attribute rfc2307attribute mapped_attribute
- nss_map_objectclass rfc2307objectclass mapped_objectclass
- configure --enable-nds is no longer supported.
- NDS mappings
- nss_map_attribute uniqueMember member
- Services for UNIX 3.5 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount User
- nss_map_attribute uid msSFU30Name
- nss_map_attribute uniqueMember msSFU30PosixMember
- nss_map_attribute userPassword msSFU30Password
- nss_map_attribute homeDirectory msSFU30HomeDirectory
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_objectclass posixGroup Group
- pam_login_attribute msSFU30Name
- pam_filter objectclass=User
- pam_password ad
- configure --enable-mssfu-schema is no longer supported.
- Services for UNIX 2.0 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid msSFUName
- nss_map_attribute uniqueMember posixMember
- nss_map_attribute userPassword msSFUPassword
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup Group
- nss_map_attribute cn msSFUName
- pam_login_attribute msSFUName
- pam_filter objectclass=User
- pam_password ad
- RFC 2307 (AD) mappings
- nss_map_objectclass posixAccount user
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid sAMAccountName
- nss_map_attribute homeDirectory unixHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup group
- nss_map_attribute uniqueMember member
- pam_login_attribute sAMAccountName
- pam_filter objectclass=User
- pam_password ad
- configure --enable-authpassword is no longer supported
- AuthPassword mappings
- nss_map_attribute userPassword authPassword
- AIX SecureWay mappings
- nss_map_objectclass posixAccount aixAccount
- nss_base_passwd ou=aixaccount,?one
- nss_map_attribute uid userName
- nss_map_attribute gidNumber gid
- nss_map_attribute uidNumber uid
- nss_map_attribute userPassword passwordChar
- nss_map_objectclass posixGroup aixAccessGroup
- nss_base_group ou=aixgroup,?one
- nss_map_attribute cn groupName
- nss_map_attribute uniqueMember member
- pam_login_attribute userName
- pam_filter objectclass=aixAccount
- pam_password clear
- Netscape SDK LDAPS
- ssl on
- Netscape SDK SSL options
- sslpath /etc/ssl/certs
- OpenLDAP SSL mechanism
- start_tls mechanism uses the normal LDAP port, LDAPS typically 636
- ssl start_tls
- ssl on
- OpenLDAP SSL options
- Require and verify server certificate (yes/no)
- Default is to use libldap's default behavior, which can be configured in
- /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting. The default for
- OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
- tls_checkpeer yes
- CA certificates for server certificate verification
- At least one of these are required if tls_checkpeer is "yes"
- tls_cacertfile /etc/ssl/ca.cert
- tls_cacertdir /etc/ssl/certs
- Seed the PRNG if /dev/urandom is not provided
- tls_randfile /var/run/egd-pool
- SSL cipher suite
- See man ciphers for syntax
- tls_ciphers TLSv1
- Client certificate and key
- Use these, if your server requires client authentication.
- tls_cert
- tls_key
- Disable SASL security layers. This is needed for AD.
- sasl_secprops maxssf=0
- Override the default Kerberos ticket cache location.
- krb5_ccname FILE:/etc/.ldapcache
- SASL mechanism for PAM authentication - use is experimental
- at present and does not support password policy control
- pam_sasl_mech DIGEST-MD5
</source>