Entwicklungsumgebung/Dateiliste/pam ldap.conf
Diese Seite sollte nochmals überarbeitet werden. Eine Begründung befindet sich in der Regel unter Diskussion (oben). |
/etc/pam_ldap.conf
Achtung: Bitte achten Sie unbedingt darauf, beim Kopieren und Einfügen einen Editor mit UNIX-Zeilenumbrüchen zu verwenden!
Hinweis: Die im delixs-Schulserver geänderten Zeilen sind gelb unterlegt.
<source highlight="24,29,36,49,56,69,152" lang="text">
- DEBCONF###
- the configuration of this file will be done by debconf as long as the
- first line of the file says '###DEBCONF###'
- you should use dpkg-reconfigure to configure this file
- @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
- This is the configuration file for the LDAP nameservice
- switch library and the LDAP PAM module.
- PADL Software
- http://www.padl.com
- Your LDAP server. Must be resolvable without using LDAP.
- Multiple hosts may be specified, each separated by a
- space. How long nss_ldap takes to failover depends on
- whether your LDAP client library supports configurable
- network or connect timeouts (see bind_timelimit).
- host 127.0.0.1
- The distinguished name of the search base.
base dc=delixs-schule,dc=de
- Another way to specify your LDAP server is to provide an
- uri ldap://10.100.0.1/
- Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/
- uri ldaps://127.0.0.1/
- uri ldapi://%2fvar%2frun%2fldapi_sock/
- Note: %2f encodes the '/' used as directory separator
- The LDAP version to use (defaults to 3
- if supported by client library)
ldap_version 3
- The distinguished name to bind to the server with.
- Optional: default is to bind anonymously.
- binddn cn=proxyuser,dc=padl,dc=com
- The credentials to bind with.
- Optional: default is no credential.
- bindpw secret
- The distinguished name to bind to the server with
- if the effective user ID is root. Password is
- stored in /etc/pam_ldap.secret (mode 600)
rootbinddn cn=admin,dc=delixs-schule,dc=de
- The port.
- Optional: default is 389.
- port 389
- The search scope.
scope sub
- scope one
- scope base
- Search timelimit
- timelimit 30
- Bind/connect timelimit
- bind_timelimit 30
- Reconnect policy: hard (default) will retry connecting to
- the software with exponential backoff, soft will fail
- immediately.
bind_policy soft
- Idle timelimit; client will close connections
- (nss_ldap only) if the server has not been contacted
- for the number of seconds specified below.
- idle_timelimit 3600
- Filter to AND with uid=%s
- pam_filter objectclass=account
- The user ID attribute (defaults to uid)
- pam_login_attribute uid
- Search the root DSE for the password policy (works
- with Netscape Directory Server)
- pam_lookup_policy yes
- Check the 'host' attribute for access control
- Default is no; if set to yes, and user has no
- value for the host attribute, and pam_ldap is
- configured for account management (authorization)
- then the user will not be allowed to login.
- pam_check_host_attr yes
- Check the 'authorizedService' attribute for access
- control
- Default is no; if set to yes, and the user has no
- value for the authorizedService attribute, and
- pam_ldap is configured for account management
- (authorization) then the user will not be allowed
- to login.
- pam_check_service_attr yes
- Group to enforce membership of
- pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
- Group member attribute
- pam_member_attribute uniquemember
- Specify a minium or maximum UID number allowed
- pam_min_uid 0
- pam_max_uid 0
- Template login attribute, default template user
- (can be overriden by value of former attribute
- in user's entry)
- pam_login_attribute userPrincipalName
- pam_template_login_attribute uid
- pam_template_login nobody
- HEADS UP: the pam_crypt, pam_nds_passwd,
- and pam_ad_passwd options are no
- longer supported.
- Do not hash the password at all; presume
- the directory server will do it, if
- necessary. This is the default.
- pam_password crypt
- Hash password locally; required for University of
- Michigan LDAP server, and works with Netscape
- Directory Server if you're using the UNIX-Crypt
- hash mechanism and not using the NT Synchronization
- service.
- pam_password crypt
- Remove old password first, then update in
- cleartext. Necessary for use with Novell
- Directory Services (NDS)
- pam_password clear_remove_old
- pam_password nds
- RACF is an alias for the above. For use with
- IBM RACF
- pam_password racf
- Update Active Directory password, by
- creating Unicode password and updating
- unicodePwd attribute.
- pam_password ad
- Use the OpenLDAP password change
- extended operation to update the password.
pam_password exop
- Redirect users to a URL or somesuch on password
- changes.
- pam_password_prohibit_message Please visit http://internal to change your password.
- RFC2307bis naming contexts
- Syntax:
- nss_base_XXX base?scope?filter
- where scope is {base,one,sub}
- and filter is a filter to be &'d with the
- default filter.
- You can omit the suffix eg:
- nss_base_passwd ou=People,
- to append the default base DN but this
- may incur a small performance impact.
- nss_base_passwd ou=People,dc=padl,dc=com?one
- nss_base_shadow ou=People,dc=padl,dc=com?one
- nss_base_group ou=Group,dc=padl,dc=com?one
- nss_base_hosts ou=Hosts,dc=padl,dc=com?one
- nss_base_services ou=Services,dc=padl,dc=com?one
- nss_base_networks ou=Networks,dc=padl,dc=com?one
- nss_base_protocols ou=Protocols,dc=padl,dc=com?one
- nss_base_rpc ou=Rpc,dc=padl,dc=com?one
- nss_base_ethers ou=Ethers,dc=padl,dc=com?one
- nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
- nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
- nss_base_aliases ou=Aliases,dc=padl,dc=com?one
- nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
- attribute/objectclass mapping
- Syntax:
- nss_map_attribute rfc2307attribute mapped_attribute
- nss_map_objectclass rfc2307objectclass mapped_objectclass
- configure --enable-nds is no longer supported.
- NDS mappings
- nss_map_attribute uniqueMember member
- Services for UNIX 3.5 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount User
- nss_map_attribute uid msSFU30Name
- nss_map_attribute uniqueMember msSFU30PosixMember
- nss_map_attribute userPassword msSFU30Password
- nss_map_attribute homeDirectory msSFU30HomeDirectory
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_objectclass posixGroup Group
- pam_login_attribute msSFU30Name
- pam_filter objectclass=User
- pam_password ad
- configure --enable-mssfu-schema is no longer supported.
- Services for UNIX 2.0 mappings
- nss_map_objectclass posixAccount User
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid msSFUName
- nss_map_attribute uniqueMember posixMember
- nss_map_attribute userPassword msSFUPassword
- nss_map_attribute homeDirectory msSFUHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup Group
- nss_map_attribute cn msSFUName
- pam_login_attribute msSFUName
- pam_filter objectclass=User
- pam_password ad
- RFC 2307 (AD) mappings
- nss_map_objectclass posixAccount user
- nss_map_objectclass shadowAccount user
- nss_map_attribute uid sAMAccountName
- nss_map_attribute homeDirectory unixHomeDirectory
- nss_map_attribute shadowLastChange pwdLastSet
- nss_map_objectclass posixGroup group
- nss_map_attribute uniqueMember member
- pam_login_attribute sAMAccountName
- pam_filter objectclass=User
- pam_password ad
- configure --enable-authpassword is no longer supported
- AuthPassword mappings
- nss_map_attribute userPassword authPassword
- AIX SecureWay mappings
- nss_map_objectclass posixAccount aixAccount
- nss_base_passwd ou=aixaccount,?one
- nss_map_attribute uid userName
- nss_map_attribute gidNumber gid
- nss_map_attribute uidNumber uid
- nss_map_attribute userPassword passwordChar
- nss_map_objectclass posixGroup aixAccessGroup
- nss_base_group ou=aixgroup,?one
- nss_map_attribute cn groupName
- nss_map_attribute uniqueMember member
- pam_login_attribute userName
- pam_filter objectclass=aixAccount
- pam_password clear
- Netscape SDK LDAPS
- ssl on
- Netscape SDK SSL options
- sslpath /etc/ssl/certs
- OpenLDAP SSL mechanism
- start_tls mechanism uses the normal LDAP port, LDAPS typically 636
- ssl start_tls
- ssl on
- OpenLDAP SSL options
- Require and verify server certificate (yes/no)
- Default is to use libldap's default behavior, which can be configured in
- /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting. The default for
- OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
- tls_checkpeer yes
- CA certificates for server certificate verification
- At least one of these are required if tls_checkpeer is "yes"
- tls_cacertfile /etc/ssl/ca.cert
- tls_cacertdir /etc/ssl/certs
- Seed the PRNG if /dev/urandom is not provided
- tls_randfile /var/run/egd-pool
- SSL cipher suite
- See man ciphers for syntax
- tls_ciphers TLSv1
- Client certificate and key
- Use these, if your server requires client authentication.
- tls_cert
- tls_key
- Disable SASL security layers. This is needed for AD.
- sasl_secprops maxssf=0
- Override the default Kerberos ticket cache location.
- krb5_ccname FILE:/etc/.ldapcache
- SASL mechanism for PAM authentication - use is experimental
- at present and does not support password policy control
- pam_sasl_mech DIGEST-MD5
</source>