SOURCES: ldap.conf - update ldap.conf for current pam_ldap and co.

baggins baggins at pld-linux.org
Mon Jan 16 18:22:43 CET 2006


Author: baggins                      Date: Mon Jan 16 17:22:43 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- update ldap.conf for current pam_ldap and co.

---- Files affected:
SOURCES:
   ldap.conf (1.3 -> 1.4) 

---- Diffs:

================================================================
Index: SOURCES/ldap.conf
diff -u SOURCES/ldap.conf:1.3 SOURCES/ldap.conf:1.4
--- SOURCES/ldap.conf:1.3	Wed Aug  4 14:05:06 2004
+++ SOURCES/ldap.conf	Mon Jan 16 18:22:38 2006
@@ -1,23 +1,91 @@
-#
-# $Id$
+# @(#)$Id$
 #
 # This is the configuration file for the LDAP nameservice
 # switch library and the LDAP PAM module.
 #
-# To contact the author, mail lukeh at padl.com.
+# PADL Software
+# http://www.padl.com
 #
 
-# Your LDAP server.
+# Your LDAP server. Must be resolvable without using LDAP.
+# Multiple hosts may be specified, each separated by a 
+# space. How long nss_ldap takes to failover depends on
+# whether your LDAP client library supports configurable
+# network or connect timeouts (see bind_timelimit).
 host 127.0.0.1
 
 # The distinguished name of the search base.
 base dc=my-domain,dc=com
 
-# Use the V3 protocol to optimize searches
+# Another way to specify your LDAP server is to provide an
+# uri with the server name. This allows to use
+# Unix Domain Sockets to connect to a local LDAP Server.
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/   
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
 ldap_version 3
 
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+#binddn cn=proxyuser,dc=padl,dc=com
+
+# The credentials to bind with. 
+# Optional: default is no credential.
+#bindpw secret
+
+# BEGIN PLD Linux specific options
+
+# Enabling userconnect check feature allows you
+# to make a connection to LDAP server using
+# user DN and password given by application,
+# but without fetching any data from LDAP server!
+# If connect succeeds then we're authenticated.
+
+# Enable support.
+#userconnect_check yes
+
+# The distinguished name to bind to the server with
+# A_USER macro will be expanded into username.
+#userdn cn=A_USER,dc=padl,dc=com
+
+# END PLD Linux specific options
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/ldap.secret (mode 600)
+#rootbinddn cn=manager,dc=padl,dc=com
+
+# The port.
+# Optional: default is 389.
+#port 389
+
+# The search scope.
+#scope sub
+#scope one
+#scope base
+
+# Search timelimit
+#timelimit 30
+
+# Bind/connect timelimit
+#bind_timelimit 30
+
+# Reconnect policy: hard (default) will retry connecting to
+# the software with exponential backoff, soft will fail
+# immediately.
+#bind_policy hard
+
+# Idle timelimit; client will close connections
+# (nss_ldap only) if the server has not been contacted
+# for the number of seconds specified below.
+#idle_timelimit 3600
+
 # Filter to AND with uid=%s
-#pam_filter objectclass=posixaccount
+#pam_filter objectclass=account
 
 # The user ID attribute (defaults to uid)
 pam_login_attribute uid
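Review bot: The PLD-specific block after `# BEGIN PLD Linux specific options` documents authentication as "If connect succeeds then we're authenticated", but an LDAP simple bind with a DN and an empty password is an unauthenticated bind that a number of servers accept (RFC 4513 §5.1.2 only recommends refusing it; OpenLDAP refuses it unless `allow bind_anon_cred` is set), so the claim holds only if the patched pam_ldap rejects empty passwords before binding — that check is not visible here. I would add above `#userconnect_check yes`: `# The module must refuse an empty password before binding: a simple bind with a DN and no password is anonymous/unauthenticated and is accepted by some servers.` Likewise `#userdn cn=A_USER,dc=padl,dc=com` substitutes the login name straight into a DN, so the module should escape RFC 4514 special characters (`,`, `+`, `=`, `\`) or reject names containing them; the comment should say which it does. Separately, `/etc/ldap.conf` has to stay world-readable for nss_ldap, so any `bindpw` put on the line after `# The credentials to bind with.` is visible to every local user; a comment there pointing to `rootbinddn` with `/etc/ldap.secret` (mode 600) for any privileged credential would help.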
@@ -26,16 +94,215 @@
 # with Netscape Directory Server)
 #pam_lookup_policy yes
 
+# Check the 'host' attribute for access control
+# Default is no; if set to yes, and user has no
+# value for the host attribute, and pam_ldap is
+# configured for account management (authorization)
+# then the user will not be allowed to login.
+#pam_check_host_attr yes
+
+# Check the 'authorizedService' attribute for access
+# control
+# Default is no; if set to yes, and the user has no
+# value for the authorizedService attribute, and
+# pam_ldap is configured for account management
+# (authorization) then the user will not be allowed
+# to login.
+#pam_check_service_attr yes
+
 # Group to enforce membership of
 #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
 
 # Group member attribute
 #pam_member_attribute uniquemember
 
+# Specify a minium or maximum UID number allowed
+#pam_min_uid 0
+#pam_max_uid 0
+
+# Template login attribute, default template user
+# (can be overriden by value of former attribute
+# in user's entry)
+#pam_login_attribute userPrincipalName
+#pam_template_login_attribute uid
+#pam_template_login nobody
+
+# HEADS UP: the pam_crypt, pam_nds_passwd,
+# and pam_ad_passwd options are no
+# longer supported.
+#
+# If you are using XAD, you can set pam_password
+# to racf, ad, or exop. Make sure that you have
+# SSL enabled.
+
+# Do not hash the password at all; presume
+# the directory server will do it, if
+# necessary. This is the default.
+#pam_password clear
+
 # Hash password locally; required for University of
 # Michigan LDAP server, and works with Netscape
 # Directory Server if you're using the UNIX-Crypt
 # hash mechanism and not using the NT Synchronization
-# service.
-pam_crypt local
+# service. 
+pam_password crypt
+
+# Remove old password first, then update in
+# cleartext. Necessary for use with Novell
+# Directory Services (NDS)
+#pam_password clear_remove_old
+#pam_password nds
+
+# RACF is an alias for the above. For use with
+# IBM RACF
+#pam_password racf
+
+# Update Active Directory password, by
+# creating Unicode password and updating
+# unicodePwd attribute.
+#pam_password ad
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+#pam_password exop
+
+# Redirect users to a URL or somesuch on password
+# changes.
+#pam_password_prohibit_message Please visit http://internal to change your password.
+
+# RFC2307bis naming contexts
+# Syntax:
+# nss_base_XXX		base?scope?filter
+# where scope is {base,one,sub}
+# and filter is a filter to be &'d with the
+# default filter.
+# You can omit the suffix eg:
+# nss_base_passwd	ou=People,
+# to append the default base DN but this
+# may incur a small performance impact.
+#nss_base_passwd	ou=People,dc=padl,dc=com?one
+#nss_base_shadow	ou=People,dc=padl,dc=com?one
+#nss_base_group		ou=Group,dc=padl,dc=com?one
+#nss_base_hosts		ou=Hosts,dc=padl,dc=com?one
+#nss_base_services	ou=Services,dc=padl,dc=com?one
+#nss_base_networks	ou=Networks,dc=padl,dc=com?one
+#nss_base_protocols	ou=Protocols,dc=padl,dc=com?one
+#nss_base_rpc		ou=Rpc,dc=padl,dc=com?one
+#nss_base_ethers	ou=Ethers,dc=padl,dc=com?one
+#nss_base_netmasks	ou=Networks,dc=padl,dc=com?ne
+#nss_base_bootparams	ou=Ethers,dc=padl,dc=com?one
+#nss_base_aliases	ou=Aliases,dc=padl,dc=com?one
+#nss_base_netgroup	ou=Netgroup,dc=padl,dc=com?one
+
+# attribute/objectclass mapping
+# Syntax:
+#nss_map_attribute	rfc2307attribute	mapped_attribute
+#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
+
+# configure --enable-nds is no longer supported.
+# NDS mappings
+#nss_map_attribute uniqueMember member
+
+# Services for UNIX 3.5 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount User
+#nss_map_attribute uid msSFU30Name
+#nss_map_attribute uniqueMember msSFU30PosixMember
+#nss_map_attribute userPassword msSFU30Password
+#nss_map_attribute homeDirectory msSFU30HomeDirectory
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_objectclass posixGroup Group
+#pam_login_attribute msSFU30Name
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-mssfu-schema is no longer supported.
+# Services for UNIX 2.0 mappings
+#nss_map_objectclass posixAccount User
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid msSFUName
+#nss_map_attribute uniqueMember posixMember
+#nss_map_attribute userPassword msSFUPassword
+#nss_map_attribute homeDirectory msSFUHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup Group
+#nss_map_attribute cn msSFUName
+#pam_login_attribute msSFUName
+#pam_filter objectclass=User
+#pam_password ad
+
+# RFC 2307 (AD) mappings
+#nss_map_objectclass posixAccount user
+#nss_map_objectclass shadowAccount user
+#nss_map_attribute uid sAMAccountName
+#nss_map_attribute homeDirectory unixHomeDirectory
+#nss_map_attribute shadowLastChange pwdLastSet
+#nss_map_objectclass posixGroup group
+#nss_map_attribute uniqueMember member
+#pam_login_attribute sAMAccountName
+#pam_filter objectclass=User
+#pam_password ad
+
+# configure --enable-authpassword is no longer supported
+# AuthPassword mappings
+#nss_map_attribute userPassword authPassword
+
+# AIX SecureWay mappings
+#nss_map_objectclass posixAccount aixAccount
+#nss_base_passwd ou=aixaccount,?one
+#nss_map_attribute uid userName
+#nss_map_attribute gidNumber gid
+#nss_map_attribute uidNumber uid
+#nss_map_attribute userPassword passwordChar
+#nss_map_objectclass posixGroup aixAccessGroup
+#nss_base_group ou=aixgroup,?one
+#nss_map_attribute cn groupName
+#nss_map_attribute uniqueMember member
+#pam_login_attribute userName
+#pam_filter objectclass=aixAccount
+#pam_password clear
+
+# Netscape SDK LDAPS
+#ssl on
+
+# Netscape SDK SSL options
+#sslpath /etc/ssl/certs/cert7.db
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+#ssl start_tls
+#ssl on
+
+# OpenLDAP SSL options
+# Require and verify server certificate (yes/no)
+# Default is to use libldap's default behavior, which can be configured in
+# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
+#tls_checkpeer yes
+
+# CA certificates for server certificate verification
+# At least one of these are required if tls_checkpeer is "yes"
+#tls_cacertfile /etc/ssl/ca.cert
+#tls_cacertdir /etc/ssl/certs
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key
+
+# Disable SASL security layers. This is needed for AD.
+#sasl_secprops maxssf=0
+
+# Override the default Kerberos ticket cache location.
+#krb5_ccname FILE:/etc/.ldapcache
 
+# SASL mechanism for PAM authentication - use is experimental
+# at present and does not support password policy control
+#pam_sasl_mech DIGEST-MD5
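Review bot: `pam_password crypt` is the only active password-change method in the new file, which makes pam_ldap hash new passwords client-side with crypt(3) and write the result into userPassword, bypassing whatever hashing scheme and password policy the directory enforces; in the pam_ldap builds I know, crypt mode uses a two-character salt, i.e. traditional DES crypt with 8-character truncation — confirm against the shipped pam_ldap, and note that the text above `#pam_password clear` already calls clear the default. For a distribution default I would comment it out and point to `#pam_password exop` (server-side hashing via the OpenLDAP password-modify extended operation) or `clear` over TLS, with the trade-off stated in the comment above it: `# crypt hashes locally with crypt(3) and bypasses server-side password policy; prefer exop, or clear over TLS.` Related: `ssl` and `tls_checkpeer` are both commented, so a simple bind to any server other than the default 127.0.0.1 sends the password in cleartext with no certificate check beyond libldap's TLS_REQCERT default; the comment above `#ssl start_tls` should say that `ssl start_tls` together with `tls_checkpeer yes` and a `tls_cacertfile`/`tls_cacertdir` is needed as soon as `host` points off-box. Minor: `#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne` has a truncated scope and should read `?one` like the surrounding entries.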
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/ldap.conf?r1=1.3&r2=1.4&f=u


