Lenny/Dateiliste/pam ldap.conf

Aus Delixs
Version vom 28. März 2011, 18:46 Uhr von Schoffer (Diskussion | Beiträge) (Lenny)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen


Baustelle Archiv: Dieser Artikel beschreibt nicht die Funktionalität des derzeit aktuellen delixs-Servers. Er beschreibt ältere Schulserver-Funktionen und dient dem Zweck der Archivierung.


/etc/pam_ldap.conf

Achtung: Bitte achten Sie unbedingt darauf, beim Kopieren und Einfügen einen Editor mit UNIX-Zeilenumbrüchen zu verwenden!

Hinweis: Die im delixs-Schulserver geänderten Zeilen sind gelb unterlegt.



<source highlight="24,29,36,49,56,69,152" lang="text">

      1. DEBCONF###
  1. the configuration of this file will be done by debconf as long as the
  2. first line of the file says '###DEBCONF###'
  3. you should use dpkg-reconfigure to configure this file
  4. @(#)$Id: pam_ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
  5. This is the configuration file for the LDAP nameservice
  6. switch library and the LDAP PAM module.
  7. PADL Software
  8. http://www.padl.com
  1. Your LDAP server. Must be resolvable without using LDAP.
  2. Multiple hosts may be specified, each separated by a
  3. space. How long nss_ldap takes to failover depends on
  4. whether your LDAP client library supports configurable
  5. network or connect timeouts (see bind_timelimit).
  6. host 127.0.0.1
  1. The distinguished name of the search base.

base dc=delixs-schule,dc=de

  1. Another way to specify your LDAP server is to provide an
  2. uri ldap://10.100.0.1/
  3. Unix Domain Sockets to connect to a local LDAP Server.

uri ldap://127.0.0.1/

  1. uri ldaps://127.0.0.1/
  2. uri ldapi://%2fvar%2frun%2fldapi_sock/
  3. Note: %2f encodes the '/' used as directory separator
  1. The LDAP version to use (defaults to 3
  2. if supported by client library)

ldap_version 3

  1. The distinguished name to bind to the server with.
  2. Optional: default is to bind anonymously.
  3. binddn cn=proxyuser,dc=padl,dc=com
  1. The credentials to bind with.
  2. Optional: default is no credential.
  3. bindpw secret
  1. The distinguished name to bind to the server with
  2. if the effective user ID is root. Password is
  3. stored in /etc/pam_ldap.secret (mode 600)

rootbinddn cn=admin,dc=delixs-schule,dc=de

  1. The port.
  2. Optional: default is 389.
  3. port 389
  1. The search scope.

scope sub

  1. scope one
  2. scope base
  1. Search timelimit
  2. timelimit 30
  1. Bind/connect timelimit
  2. bind_timelimit 30
  1. Reconnect policy: hard (default) will retry connecting to
  2. the software with exponential backoff, soft will fail
  3. immediately.

bind_policy soft

  1. Idle timelimit; client will close connections
  2. (nss_ldap only) if the server has not been contacted
  3. for the number of seconds specified below.
  4. idle_timelimit 3600
  1. Filter to AND with uid=%s
  2. pam_filter objectclass=account
  1. The user ID attribute (defaults to uid)
  2. pam_login_attribute uid
  1. Search the root DSE for the password policy (works
  2. with Netscape Directory Server)
  3. pam_lookup_policy yes
  1. Check the 'host' attribute for access control
  2. Default is no; if set to yes, and user has no
  3. value for the host attribute, and pam_ldap is
  4. configured for account management (authorization)
  5. then the user will not be allowed to login.
  6. pam_check_host_attr yes
  1. Check the 'authorizedService' attribute for access
  2. control
  3. Default is no; if set to yes, and the user has no
  4. value for the authorizedService attribute, and
  5. pam_ldap is configured for account management
  6. (authorization) then the user will not be allowed
  7. to login.
  8. pam_check_service_attr yes
  1. Group to enforce membership of
  2. pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
  1. Group member attribute
  2. pam_member_attribute uniquemember
  1. Specify a minium or maximum UID number allowed
  2. pam_min_uid 0
  3. pam_max_uid 0
  1. Template login attribute, default template user
  2. (can be overriden by value of former attribute
  3. in user's entry)
  4. pam_login_attribute userPrincipalName
  5. pam_template_login_attribute uid
  6. pam_template_login nobody
  1. HEADS UP: the pam_crypt, pam_nds_passwd,
  2. and pam_ad_passwd options are no
  3. longer supported.
  4. Do not hash the password at all; presume
  5. the directory server will do it, if
  6. necessary. This is the default.
  7. pam_password crypt
  1. Hash password locally; required for University of
  2. Michigan LDAP server, and works with Netscape
  3. Directory Server if you're using the UNIX-Crypt
  4. hash mechanism and not using the NT Synchronization
  5. service.
  6. pam_password crypt
  1. Remove old password first, then update in
  2. cleartext. Necessary for use with Novell
  3. Directory Services (NDS)
  4. pam_password clear_remove_old
  5. pam_password nds
  1. RACF is an alias for the above. For use with
  2. IBM RACF
  3. pam_password racf
  1. Update Active Directory password, by
  2. creating Unicode password and updating
  3. unicodePwd attribute.
  4. pam_password ad
  1. Use the OpenLDAP password change
  2. extended operation to update the password.

pam_password exop

  1. Redirect users to a URL or somesuch on password
  2. changes.
  3. pam_password_prohibit_message Please visit http://internal to change your password.
  1. RFC2307bis naming contexts
  2. Syntax:
  3. nss_base_XXX base?scope?filter
  4. where scope is {base,one,sub}
  5. and filter is a filter to be &'d with the
  6. default filter.
  7. You can omit the suffix eg:
  8. nss_base_passwd ou=People,
  9. to append the default base DN but this
  10. may incur a small performance impact.
  11. nss_base_passwd ou=People,dc=padl,dc=com?one
  12. nss_base_shadow ou=People,dc=padl,dc=com?one
  13. nss_base_group ou=Group,dc=padl,dc=com?one
  14. nss_base_hosts ou=Hosts,dc=padl,dc=com?one
  15. nss_base_services ou=Services,dc=padl,dc=com?one
  16. nss_base_networks ou=Networks,dc=padl,dc=com?one
  17. nss_base_protocols ou=Protocols,dc=padl,dc=com?one
  18. nss_base_rpc ou=Rpc,dc=padl,dc=com?one
  19. nss_base_ethers ou=Ethers,dc=padl,dc=com?one
  20. nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
  21. nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
  22. nss_base_aliases ou=Aliases,dc=padl,dc=com?one
  23. nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one
  1. attribute/objectclass mapping
  2. Syntax:
  3. nss_map_attribute rfc2307attribute mapped_attribute
  4. nss_map_objectclass rfc2307objectclass mapped_objectclass
  1. configure --enable-nds is no longer supported.
  2. NDS mappings
  3. nss_map_attribute uniqueMember member
  1. Services for UNIX 3.5 mappings
  2. nss_map_objectclass posixAccount User
  3. nss_map_objectclass shadowAccount User
  4. nss_map_attribute uid msSFU30Name
  5. nss_map_attribute uniqueMember msSFU30PosixMember
  6. nss_map_attribute userPassword msSFU30Password
  7. nss_map_attribute homeDirectory msSFU30HomeDirectory
  8. nss_map_attribute homeDirectory msSFUHomeDirectory
  9. nss_map_objectclass posixGroup Group
  10. pam_login_attribute msSFU30Name
  11. pam_filter objectclass=User
  12. pam_password ad
  1. configure --enable-mssfu-schema is no longer supported.
  2. Services for UNIX 2.0 mappings
  3. nss_map_objectclass posixAccount User
  4. nss_map_objectclass shadowAccount user
  5. nss_map_attribute uid msSFUName
  6. nss_map_attribute uniqueMember posixMember
  7. nss_map_attribute userPassword msSFUPassword
  8. nss_map_attribute homeDirectory msSFUHomeDirectory
  9. nss_map_attribute shadowLastChange pwdLastSet
  10. nss_map_objectclass posixGroup Group
  11. nss_map_attribute cn msSFUName
  12. pam_login_attribute msSFUName
  13. pam_filter objectclass=User
  14. pam_password ad
  1. RFC 2307 (AD) mappings
  2. nss_map_objectclass posixAccount user
  3. nss_map_objectclass shadowAccount user
  4. nss_map_attribute uid sAMAccountName
  5. nss_map_attribute homeDirectory unixHomeDirectory
  6. nss_map_attribute shadowLastChange pwdLastSet
  7. nss_map_objectclass posixGroup group
  8. nss_map_attribute uniqueMember member
  9. pam_login_attribute sAMAccountName
  10. pam_filter objectclass=User
  11. pam_password ad
  1. configure --enable-authpassword is no longer supported
  2. AuthPassword mappings
  3. nss_map_attribute userPassword authPassword
  1. AIX SecureWay mappings
  2. nss_map_objectclass posixAccount aixAccount
  3. nss_base_passwd ou=aixaccount,?one
  4. nss_map_attribute uid userName
  5. nss_map_attribute gidNumber gid
  6. nss_map_attribute uidNumber uid
  7. nss_map_attribute userPassword passwordChar
  8. nss_map_objectclass posixGroup aixAccessGroup
  9. nss_base_group ou=aixgroup,?one
  10. nss_map_attribute cn groupName
  11. nss_map_attribute uniqueMember member
  12. pam_login_attribute userName
  13. pam_filter objectclass=aixAccount
  14. pam_password clear
  1. Netscape SDK LDAPS
  2. ssl on
  1. Netscape SDK SSL options
  2. sslpath /etc/ssl/certs
  1. OpenLDAP SSL mechanism
  2. start_tls mechanism uses the normal LDAP port, LDAPS typically 636
  3. ssl start_tls
  4. ssl on
  1. OpenLDAP SSL options
  2. Require and verify server certificate (yes/no)
  3. Default is to use libldap's default behavior, which can be configured in
  4. /etc/openldap/pam_ldap.conf using the TLS_REQCERT setting. The default for
  5. OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
  6. tls_checkpeer yes
  1. CA certificates for server certificate verification
  2. At least one of these are required if tls_checkpeer is "yes"
  3. tls_cacertfile /etc/ssl/ca.cert
  4. tls_cacertdir /etc/ssl/certs
  1. Seed the PRNG if /dev/urandom is not provided
  2. tls_randfile /var/run/egd-pool
  1. SSL cipher suite
  2. See man ciphers for syntax
  3. tls_ciphers TLSv1
  1. Client certificate and key
  2. Use these, if your server requires client authentication.
  3. tls_cert
  4. tls_key
  1. Disable SASL security layers. This is needed for AD.
  2. sasl_secprops maxssf=0
  1. Override the default Kerberos ticket cache location.
  2. krb5_ccname FILE:/etc/.ldapcache
  1. SASL mechanism for PAM authentication - use is experimental
  2. at present and does not support password policy control
  3. pam_sasl_mech DIGEST-MD5

</source>




zurück | Hauptseite