is a Name Service Switch (NSS) module and Pluggable Authentication Module (PAM) that allows your LDAP server to provide user account, group, host name, alias, netgroup, and basically any other information that you would normally get from /etc flat files or NIS. It also allows you to do authentication to an LDAP server.
| nslcd.conf.5 (nss-pam-ldapd-0.9.11) | : | nslcd.conf.5 (nss-pam-ldapd-0.9.12) |
|---|
| | |
| skipping to change at line 45 | | skipping to change at line 45 |
|---|
| messages with the specified loglevel or higher are logged. This
option can be supplied multiple | | messages with the specified loglevel or higher are logged. This
option can be supplied multiple |
| times. If this option is omitted syslog info is assumed. | | times. If this option is omitted syslog info is assumed. |
| | |
| GENERAL CONNECTION OPTIONS | | GENERAL CONNECTION OPTIONS |
| uri URI ... | | uri URI ... |
| Specifies the LDAP URI of the server to connect to. The URI schem
e may be ldap, ldapi or ldaps, | | Specifies the LDAP URI of the server to connect to. The URI schem
e may be ldap, ldapi or ldaps, |
| specifying LDAP over TCP, ICP or SSL respectively (if supported by
the LDAP library). | | specifying LDAP over TCP, ICP or SSL respectively (if supported by
the LDAP library). |
| | |
| Alternatively, the value DNS may be used to try to lookup the s
erver using DNS SRV records. By | | Alternatively, the value DNS may be used to try to lookup the s
erver using DNS SRV records. By |
| default the current domain is used but another domain can be queri
ed by using the DNS:DOMAIN syn- | | default the current domain is used but another domain can be queri
ed by using the DNS:DOMAIN syn- |
|
| tax. | | tax. To convert SRV records for port 389 into an ldaps:// URI, DN
SLDAPS can be used. |
| | |
| When using the ldapi scheme, %2f should be used
to escape slashes (e.g. | | When using the ldapi scheme, %2f should be used
to escape slashes (e.g. |
| ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the time
this should not be needed. | | ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the time
this should not be needed. |
| | |
|
| This option may be specified multiple times and/or with more URIs | | This option may be specified multiple times and/or with more URIs |
| on the line, separated by space. | | on the line, separated by spa- |
| Normally, only the first server will be used with the fol | | ces. Normally, only the first server will be used with the fol |
| lowing servers as fall-back (see | | lowing servers as fall-back (see |
| bind_timelimit below). | | bind_timelimit below). |
| | |
| If LDAP lookups are used for host name resolution, any host names
should be specified as an IP | | If LDAP lookups are used for host name resolution, any host names
should be specified as an IP |
| address or name that can be resolved without using LDAP. | | address or name that can be resolved without using LDAP. |
| | |
| ldap_version VERSION | | ldap_version VERSION |
| Specifies the version of the LDAP protocol to use. The default is
to use the maximum version sup- | | Specifies the version of the LDAP protocol to use. The default is
to use the maximum version sup- |
| ported by the LDAP library. | | ported by the LDAP library. |
| | |
| binddn DN | | binddn DN |
| | |
| skipping to change at line 111 | | skipping to change at line 111 |
|---|
| Determines whether the LDAP server host name should be canonica
lised. If this is set to yes the | | Determines whether the LDAP server host name should be canonica
lised. If this is set to yes the |
| LDAP library will do a reverse host name lookup. By default, it i
s left up to the LDAP library | | LDAP library will do a reverse host name lookup. By default, it i
s left up to the LDAP library |
| whether this check is performed or not. | | whether this check is performed or not. |
| | |
| KERBEROS AUTHENTICATION OPTIONS | | KERBEROS AUTHENTICATION OPTIONS |
| krb5_ccname NAME | | krb5_ccname NAME |
| Set the name for the GSS-API Kerberos credentials cache. | | Set the name for the GSS-API Kerberos credentials cache. |
| | |
| SEARCH/MAPPING OPTIONS | | SEARCH/MAPPING OPTIONS |
| base [MAP] DN | | base [MAP] DN |
|
| Specifies the base distinguished name (DN) to use as search ba | | Specifies the distinguished name (DN) to use as search base. This |
| se. This option may be supplied | | option may be supplied multiple |
| multiple times and all specified bases will be searched. | | times and all specified bases will be searched. |
| | |
| A global search base may be specified or a MAP-specific one. If n
o MAP-specific search bases are | | A global search base may be specified or a MAP-specific one. If n
o MAP-specific search bases are |
| defined the global ones are used. | | defined the global ones are used. |
| | |
| If, instead of a DN, the value DOMAIN is specified, the host's D
NS domain is used to construct a | | If, instead of a DN, the value DOMAIN is specified, the host's D
NS domain is used to construct a |
|
| search base. | | search base. A value of "" can be used to indicate an empty searc |
| | h base (quotes are not otherwise |
| | supported for base values and not all LDAP server configurations s |
| | upport this). |
| | |
|
| If this value is not defined an attempt is made to look it up in t | | If this value is not defined an attempt is made to look it up i |
| he configured LDAP server. Note | | n the configured LDAP server. If |
| that if the LDAP server is unavailable during start-up nslcd will | | the LDAP server is unavailable during start-up nslcd will not star |
| not start. | | t. |
| | |
| scope [MAP] sub[tree]|one[level]|base|children | | scope [MAP] sub[tree]|one[level]|base|children |
|
| Specifies the search scope (subtree, onelevel, base or children)
. The default scope is subtree; | | Specifies the search scope (subtree, onelevel, base or children).
The default scope is subtree; |
| base scope is almost never useful for name service lookups; childr
en scope is not supported on all | | base scope is almost never useful for name service lookups; childr
en scope is not supported on all |
| servers. | | servers. |
| | |
| deref never|searching|finding|always | | deref never|searching|finding|always |
|
| Specifies the policy for dereferencing aliases. The defaul
t policy is to never dereference | | Specifies the policy for dereferencing aliases. The default po
licy is to never dereference |
| aliases. | | aliases. |
| | |
| referrals yes|no | | referrals yes|no |
| Specifies whether automatic referral chasing should be enabled. T
he default behaviour is to chase | | Specifies whether automatic referral chasing should be enabled. T
he default behaviour is to chase |
| referrals. | | referrals. |
| | |
| filter MAP FILTER | | filter MAP FILTER |
|
| The FILTER is an LDAP search filter to use for a specific map
. The default filter is a basic | | The FILTER is an LDAP search filter to use for a specific map. Th
e default filter is a basic |
| search on the objectClass for the map (e.g. (objectClass=posixAcco
unt)). | | search on the objectClass for the map (e.g. (objectClass=posixAcco
unt)). |
| | |
| map MAP ATTRIBUTE NEWATTRIBUTE | | map MAP ATTRIBUTE NEWATTRIBUTE |
|
| This option allows for custom attributes to be looked up inst | | This option allows for custom attributes to be looked up |
| ead of the default RFC 2307 | | instead of the default RFC 2307 |
| attributes. The MAP may be one of the supported maps below. The | | attributes. The MAP may be one of the supported maps below. The |
| ATTRIBUTE is the one as used in | | ATTRIBUTE is the one as used in |
| RFC 2307 (e.g. userPassword, ipProtocolNumber, macAddress, etc.). | | RFC 2307 (e.g. userPassword, ipProtocolNumber, macAddress, etc |
| The NEWATTRIBUTE may be any | | .). The NEWATTRIBUTE may be any |
| attribute as it is available in the directory. | | attribute as it is available in the directory. |
| | |
| If the NEWATTRIBUTE is presented in quotes (") it is treated as an
expression which will be evalu- | | If the NEWATTRIBUTE is presented in quotes (") it is treated as an
expression which will be evalu- |
|
| ated to build up the actual value used. See the section on attrib
ute mapping expressions below | | ated to build up the actual value used. See the section on att
ribute mapping expressions below |
| for more details. | | for more details. |
| | |
|
| Only some attributes for group, passwd and shadow entries
may be mapped with an expression | | Only some attributes for group, passwd and shadow entries may
be mapped with an expression |
| (because other attributes may be used in search filters). For gro
up entries only the userPassword | | (because other attributes may be used in search filters). For gro
up entries only the userPassword |
|
| attribute may be mapped with an expression. For passwd entries | | attribute may be mapped with an expression. For passwd entries th |
| the following attributes may be | | e following attributes may be |
| mapped with an expression: userPassword, gidNumber, gecos, homeD | | mapped with an expression: userPassword, gidNumber, gecos, ho |
| irectory and loginShell. For | | meDirectory and loginShell. For |
| shadow entries the following attributes may be mapped with an | | shadow entries the following attributes may be mapped with an e |
| expression: userPassword, shad- | | xpression: userPassword, shad- |
| owLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive,
shadowExpire and shadowFlag. | | owLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive,
shadowExpire and shadowFlag. |
| | |
| The uidNumber and gidNumber attributes in the passwd and group map
s may be mapped to the objectSid | | The uidNumber and gidNumber attributes in the passwd and group map
s may be mapped to the objectSid |
|
| followed by the domain SID to derive numeric user and grou
p ids from the SID (e.g. object- | | followed by the domain SID to derive numeric user and group ids
from the SID (e.g. object- |
| Sid:S-1-5-21-3623811015-3361044348-30300820). | | Sid:S-1-5-21-3623811015-3361044348-30300820). |
| | |
| By default all userPassword attributes are mapped to the unmatchab
le password ("*") to avoid acci- | | By default all userPassword attributes are mapped to the unmatchab
le password ("*") to avoid acci- |
| dentally leaking password information. | | dentally leaking password information. |
| | |
| TIMING/RECONNECT OPTIONS | | TIMING/RECONNECT OPTIONS |
| bind_timelimit SECONDS | | bind_timelimit SECONDS |
|
| Specifies the time limit (in seconds) to use when connecting t
o the directory server. This is | | Specifies the time limit (in seconds) to use when connecting to th
e directory server. This is |
| distinct from the time limit specified in timelimit and affects th
e set-up of the connection only. | | distinct from the time limit specified in timelimit and affects th
e set-up of the connection only. |
|
| Note that not all LDAP client libraries have support for setti
ng the connection time out. The | | Note that not all LDAP client libraries have support for setting t
he connection time out. The |
| default bind_timelimit is 10 seconds. | | default bind_timelimit is 10 seconds. |
| | |
| timelimit SECONDS | | timelimit SECONDS |
|
| Specifies the time limit (in seconds) to wait for a response from
the LDAP server. A value of | | Specifies the time limit (in seconds) to wait for a response f
rom the LDAP server. A value of |
| zero (0), which is the default, is to wait indefinitely for search
es to be completed. | | zero (0), which is the default, is to wait indefinitely for search
es to be completed. |
| | |
| idle_timelimit SECONDS | | idle_timelimit SECONDS |
|
| Specifies the period if inactivity (in seconds) after which the co
nnection to the LDAP server will | | Specifies the period of inactivity (in seconds) after which the co
nnection to the LDAP server will |
| be closed. The default is not to time out connections. | | be closed. The default is not to time out connections. |
| | |
| reconnect_sleeptime SECONDS | | reconnect_sleeptime SECONDS |
|
| Specifies the number of seconds to sleep when connecting to all LD
AP servers fails. By default 1 | | Specifies the number of seconds to sleep when connecting to all L
DAP servers fails. By default 1 |
| second is waited between the first failure and the first retry. | | second is waited between the first failure and the first retry. |
| | |
| reconnect_retrytime SECONDS | | reconnect_retrytime SECONDS |
|
| Specifies the time after which the LDAP server is considered to b
e permanently unavailable. Once | | Specifies the time after which the LDAP server is considered to be
permanently unavailable. Once |
| this time is reached retries will be done only once per this time
period. The default value is 10 | | this time is reached retries will be done only once per this time
period. The default value is 10 |
| seconds. | | seconds. |
| | |
| Note that the reconnect logic as described above is the mechanism that is
used between nslcd and the LDAP | | Note that the reconnect logic as described above is the mechanism that is
used between nslcd and the LDAP |
|
| server. The mechanism between the NSS and PAM client libraries on one end | | server. The mechanism between the NSS and PAM client libraries on one en |
| and nslcd on the other is sim- | | d and nslcd on the other is sim- |
| pler with a fixed compiled-in time out of a 10 seconds for writing to ns | | pler with a fixed compiled-in time out of a 10 seconds for writing to nsl |
| lcd and a time out of 60 seconds | | cd and a time out of 60 seconds |
| for reading answers. nslcd itself has a read time out of 0.5 seconds and
a write time out of 60 seconds. | | for reading answers. nslcd itself has a read time out of 0.5 seconds and
a write time out of 60 seconds. |
| | |
| SSL/TLS OPTIONS | | SSL/TLS OPTIONS |
| ssl on|off|start_tls | | ssl on|off|start_tls |
|
| Specifies whether to use SSL/TLS or not (the default is not to). I | | Specifies whether to use SSL/TLS or not (the default is not to) |
| f start_tls is specified then | | . If start_tls is specified then |
| StartTLS is used rather than raw LDAP over SSL. Not all LDAP cl | | StartTLS is used rather than raw LDAP over SSL. Not all LDAP clie |
| ient libraries support both SSL, | | nt libraries support both SSL, |
| StartTLS and all related configuration options. | | StartTLS and all related configuration options. |
| | |
| tls_reqcert never|allow|try|demand|hard | | tls_reqcert never|allow|try|demand|hard |
|
| Specifies what checks to perform on a server-supplied certificate. | | Specifies what checks to perform on a server-supplied certificat |
| The meaning of the values is | | e. The meaning of the values is |
| described in the ldap.conf(5) manual page. At least one of tls | | described in the ldap.conf(5) manual page. At least one of tls_ca |
| _cacertdir and tls_cacertfile is | | certdir and tls_cacertfile is |
| required if peer verification is enabled. | | required if peer verification is enabled. |
| | |
| tls_cacertdir PATH | | tls_cacertdir PATH |
|
| Specifies the directory containing X.509 certificates for peer aut
hentication. This parameter is | | Specifies the directory containing X.509 certificates for peer au
thentication. This parameter is |
| ignored when using GnuTLS. On Debian OpenLDAP is linked against G
nuTLS. | | ignored when using GnuTLS. On Debian OpenLDAP is linked against G
nuTLS. |
| | |
| tls_cacertfile PATH | | tls_cacertfile PATH |
| Specifies the path to the X.509 certificate for peer authenticatio
n. | | Specifies the path to the X.509 certificate for peer authenticatio
n. |
| | |
| tls_randfile PATH | | tls_randfile PATH |
|
| Specifies the path to an entropy source. This parameter is ignor
ed when using GnuTLS. On Debian | | Specifies the path to an entropy source. This parameter is ignore
d when using GnuTLS. On Debian |
| OpenLDAP is linked against GnuTLS. | | OpenLDAP is linked against GnuTLS. |
| | |
| tls_ciphers CIPHERS | | tls_ciphers CIPHERS |
|
| Specifies the ciphers to use for TLS. See your TLS implementatio
n's documentation for further | | Specifies the ciphers to use for TLS. See your TLS implementa
tion's documentation for further |
| information. | | information. |
| | |
| tls_cert PATH | | tls_cert PATH |
| Specifies the path to the file containing the local certificate fo
r client TLS authentication. | | Specifies the path to the file containing the local certificate fo
r client TLS authentication. |
| | |
| tls_key PATH | | tls_key PATH |
| Specifies the path to the file containing the private key for clie
nt TLS authentication. | | Specifies the path to the file containing the private key for clie
nt TLS authentication. |
| | |
|
| | tls_reqsan never|allow|try|demand|hard |
| | Specifies the way server Subject Alternative Name (SAN) is checked |
| | in the server-supplied certifi- |
| | cate. The meaning of the values is described in the ldap.conf(5) |
| | manual page. |
| | |
| | tls_crlcheck none|peer|all |
| | Specifies if the Certificate Revocation List (CRL) of the CA |
| | should be used to verify if the |
| | server certificates have not been revoked. The meaning of the |
| | values is described in the |
| | ldap.conf(5) manual page. |
| | |
| | tls_crlfile PATH |
| | Specifies the path to the file containing a Certificate Revocat |
| | ion List to be used to verify if |
| | the server certificates. The meaning of the values is described i |
| | n the ldap.conf(5) manual page. |
| | |
| OTHER OPTIONS | | OTHER OPTIONS |
| pagesize NUMBER | | pagesize NUMBER |
|
| Set this to a number greater than 0 to request paged results fr
om the LDAP server in accordance | | Set this to a number greater than 0 to request paged results from
the LDAP server in accordance |
| with RFC2696. The default (0) is to not request paged results. | | with RFC2696. The default (0) is to not request paged results. |
| | |
|
| This is useful for LDAP servers that contain a lot of entries (e.g | | This is useful for LDAP servers that contain a lot of entries (e |
| . more than 500) and limit the | | .g. more than 500) and limit the |
| number of entries that are returned with one request. For Open | | number of entries that are returned with one request. For OpenLDA |
| LDAP servers you may need to set | | P servers you may need to set |
| sizelimit size.prtotal=unlimited for allowing more entries to be r
eturned over multiple pages. | | sizelimit size.prtotal=unlimited for allowing more entries to be r
eturned over multiple pages. |
| | |
| nss_initgroups_ignoreusers user1,user2,... | | nss_initgroups_ignoreusers user1,user2,... |
|
| This option prevents group membership lookups through LDAP for the
specified users. This can be | | This option prevents group membership lookups through LDAP for
the specified users. This can be |
| useful in case of unavailability of the LDAP server. This option
may be specified multiple times. | | useful in case of unavailability of the LDAP server. This option
may be specified multiple times. |
| | |
|
| Alternatively, the value ALLLOCAL may be used. With that value
nslcd builds a full list of non- | | Alternatively, the value ALLLOCAL may be used. With that value nsl
cd builds a full list of non- |
| LDAP users on startup. | | LDAP users on startup. |
| | |
| nss_min_uid UID | | nss_min_uid UID |
|
| This option ensures that LDAP users with a numeric user id lower
than the specified value are | | This option ensures that LDAP users with a numeric user id lo
wer than the specified value are |
| ignored. Also requests for users with a lower user id are ignored. | | ignored. Also requests for users with a lower user id are ignored. |
| | |
| nss_uid_offset NUMBER | | nss_uid_offset NUMBER |
|
| This option specifies an offset that is added to all LDAP numeri | | This option specifies an offset that is added to all LDAP numeric |
| c user ids. This can be used to | | user ids. This can be used to |
| avoid user id collisions with local users or, when using objectSid | | avoid user id collisions with local users or, when using objectS |
| attributes, for compatibility | | id attributes, for compatibility |
| reasons. | | reasons. |
| | |
| The value from the nss_min_uid option is evaluated after applying
the offset. | | The value from the nss_min_uid option is evaluated after applying
the offset. |
| | |
| nss_gid_offset NUMBER | | nss_gid_offset NUMBER |
|
| This option specifies an offset that is added to all LDAP numeric | | This option specifies an offset that is added to all LDAP numeric |
| group ids. This can be used to | | group ids. This can be used to |
| avoid user id collisions with local groups or, when using objectSi | | avoid user id collisions with local groups or, when using objectS |
| d attributes, for compatibility | | id attributes, for compatibility |
| reasons. | | reasons. |
| | |
| nss_nested_groups yes|no | | nss_nested_groups yes|no |
|
| If this option is set, the member attribute of a group may poi | | If this option is set, the member attribute of a group may point t |
| nt to another group. Members of | | o another group. Members of |
| nested groups are also returned in the higher level group and par | | nested groups are also returned in the higher level group and |
| ent groups are returned when | | parent groups are returned when |
| finding groups for a specific user. The default is not to p | | finding groups for a specific user. The default is not to perfo |
| erform extra searches for nested | | rm extra searches for nested |
| groups. | | groups. |
| | |
| nss_getgrent_skipmembers yes|no | | nss_getgrent_skipmembers yes|no |
| If this option is set, the group member list is not retrieved when
looking up groups. Lookups for | | If this option is set, the group member list is not retrieved when
looking up groups. Lookups for |
|
| finding which groups a user belongs to will remain functional s
o the user will likely still get | | finding which groups a user belongs to will remain functional so t
he user will likely still get |
| the correct groups assigned on login. | | the correct groups assigned on login. |
| | |
|
| This can offer a speed-up on systems that have very large groups. | | This can offer a speed-up on systems that have very large groups. |
| It has the downside of return- | | It has the downside of return- |
| ing inconsistent information about group membership which may | | ing inconsistent information about group membership which may con |
| confuse some applications. This | | fuse some applications. This |
| option is not recommended for most configurations. | | option is not recommended for most configurations. |
| | |
| nss_disable_enumeration yes|no | | nss_disable_enumeration yes|no |
| If this option is set, functions which cause all user/group entrie
s to be loaded (getpwent(), get- | | If this option is set, functions which cause all user/group entrie
s to be loaded (getpwent(), get- |
| grent(), setspent()) from the directory will not succeed in doing
so. Applications that depend on | | grent(), setspent()) from the directory will not succeed in doing
so. Applications that depend on |
| being able to sequentially read all users and/or groups may fail t
o operate correctly. | | being able to sequentially read all users and/or groups may fail t
o operate correctly. |
| | |
|
| This can dramatically reduce LDAP server load in situations where | | This can dramatically reduce LDAP server load in situations w |
| there are a great number of | | here there are a great number of |
| users and/or groups. This is typically used in situations where | | users and/or groups. This is typically used in situations where u |
| user/program access to enumerate | | ser/program access to enumerate |
| the entire directory is undesirable, and changing the behavior of | | the entire directory is undesirable, and changing the behavior o |
| the user/program is not possi- | | f the user/program is not possi- |
| ble. This option is not recommended for most configurations. | | ble. This option is not recommended for most configurations. |
| | |
| validnames REGEX | | validnames REGEX |
|
| This option can be used to specify how user and group names are
verified within the system. This | | This option can be used to specify how user and group names are ve
rified within the system. This |
| pattern is used to check all user and group names that are request
ed and returned from LDAP. | | pattern is used to check all user and group names that are request
ed and returned from LDAP. |
| | |
|
| The regular expression should be specified as a POSIX extended reg | | The regular expression should be specified as a POSIX extended re |
| ular expression. The expression | | gular expression. The expression |
| itself needs to be separated by slash (/) characters and the 'i' | | itself needs to be separated by slash (/) characters and the 'i' f |
| flag may be appended at the end | | lag may be appended at the end |
| to indicate that the match should be case-insensitiv
e. The default value is | | to indicate that the match should be case-insensitiv
e. The default value is |
| /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i | | /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i |
| | |
| ignorecase yes|no | | ignorecase yes|no |
|
| This specifies whether or not to perform searches for group, n | | This specifies whether or not to perform searches for group, netg |
| etgroup, passwd, protocols, rpc, | | roup, passwd, protocols, rpc, |
| services and shadow maps using case-insensitive matching. Setting | | services and shadow maps using case-insensitive matching. Setti |
| this to yes could open up the | | ng this to yes could open up the |
| system to authorisation bypass vulnerabilities and introduce nscd | | system to authorisation bypass vulnerabilities and introduce nscd |
| cache poisoning vulnerabilities | | cache poisoning vulnerabilities |
| which allow denial of service. The default is to perform case-sen | | which allow denial of service. The default is to perform case-se |
| sitive filtering of LDAP search | | nsitive filtering of LDAP search |
| results for the above maps. | | results for the above maps. |
| | |
| pam_authc_ppolicy yes|no | | pam_authc_ppolicy yes|no |
|
| This option specifies whether password policy controls are req | | This option specifies whether password policy controls are request |
| uested and handled from the LDAP | | ed and handled from the LDAP |
| server when performing user authentication. By default the contro | | server when performing user authentication. By default the contr |
| ls are requested and handled if | | ols are requested and handled if |
| available. | | available. |
| | |
| pam_authc_search FILTER | | pam_authc_search FILTER |
|
| By default nslcd performs an LDAP search with the user's credent | | By default nslcd performs an LDAP search with the user's credentia |
| ials after BIND (authentication) | | ls after BIND (authentication) |
| to ensure that the BIND operation was successful. The default sea | | to ensure that the BIND operation was successful. The default se |
| rch is a simple check to see if | | arch is a simple check to see if |
| the user's DN exists. | | the user's DN exists. |
| | |
|
| A search filter can be specified that will be used instead. Th
e same substitutions as with the | | A search filter can be specified that will be used instead. The s
ame substitutions as with the |
| pam_authz_search option will be performed and the search should at
least return one entry. | | pam_authz_search option will be performed and the search should at
least return one entry. |
| | |
| The value BASE may be used to force the default search for the use
r DN. | | The value BASE may be used to force the default search for the use
r DN. |
| | |
|
| The value NONE may be used to indicate that no search should be pe
rformed after BIND. Note that | | The value NONE may be used to indicate that no search should be
performed after BIND. Note that |
| some LDAP servers do not always return a correct error code as a r
esult of a failed BIND operation | | some LDAP servers do not always return a correct error code as a r
esult of a failed BIND operation |
| (e.g. when an empty password is supplied). | | (e.g. when an empty password is supplied). |
| | |
| pam_authz_search FILTER | | pam_authz_search FILTER |
|
| This option allows flexible fine tuning of the authorisation check | | This option allows flexible fine tuning of the authorisation che |
| that should be performed. The | | ck that should be performed. The |
| search filter specified is executed and if any entries match, acc | | search filter specified is executed and if any entries match, acce |
| ess is granted, otherwise access | | ss is granted, otherwise access |
| is denied. | | is denied. |
| | |
|
| The search filter can contain the following variable references: | | The search filter can contain the following variable referenc |
| $username, $service, $ruser, | | es: $username, $service, $ruser, |
| $rhost, $tty, $hostname, $fqdn, $domain, $dn, and $uid. These r | | $rhost, $tty, $hostname, $fqdn, $domain, $dn, and $uid. These ref |
| eferences are substituted in the | | erences are substituted in the |
| search filter using the same syntax as described in the section on | | search filter using the same syntax as described in the section |
| attribute mapping expressions | | on attribute mapping expressions |
| below. | | below. |
| | |
|
| For example, to check that the user has a proper authorizedS
ervice value if the attribute is | | For example, to check that the user has a proper authorizedServic
e value if the attribute is |
| present (this almost emulates the pam_check_service_attr option in
PADL's pam_ldap): | | present (this almost emulates the pam_check_service_attr option in
PADL's pam_ldap): |
| | |
| (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$s
ervice)(!(authorizedService=*)))) | | (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$s
ervice)(!(authorizedService=*)))) |
| | |
| The pam_check_host_attr option can be emulated with: | | The pam_check_host_attr option can be emulated with: |
| | |
| (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host
=$fqdn)(host=\\*))) | | (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host
=$fqdn)(host=\\*))) |
| | |
|
| This option may be specified multiple times and all specified sear
ches should at least return one | | This option may be specified multiple times and all specified sea
rches should at least return one |
| entry for access to be granted. | | entry for access to be granted. |
| | |
| pam_password_prohibit_message "MESSAGE" | | pam_password_prohibit_message "MESSAGE" |
|
| If this option is set password modification using pam_ldap will | | If this option is set password modification using pam_ldap will be |
| be denied and the specified mes- | | denied and the specified mes- |
| sage will be presented to the user instead. The message can be us | | sage will be presented to the user instead. The message can |
| ed to direct the user to an | | be used to direct the user to an |
| alternative means of changing their password. | | alternative means of changing their password. |
| | |
| reconnect_invalidate DB,DB,... | | reconnect_invalidate DB,DB,... |
| If this option is set, nslcd will try to flush the specified exter
nal caches on start-up and when- | | If this option is set, nslcd will try to flush the specified exter
nal caches on start-up and when- |
| ever a connection to the LDAP server is re-established after an er
ror. | | ever a connection to the LDAP server is re-established after an er
ror. |
| | |
|
| DB can refer to one of the nsswitch maps, in which case nscd is co
ntacted to flush its cache for | | DB can refer to one of the nsswitch maps, in which case nscd is
contacted to flush its cache for |
| the specified database. If DB is nfsidmap, nfsidmap is contacted
to clear its cache. | | the specified database. If DB is nfsidmap, nfsidmap is contacted
to clear its cache. |
| | |
| Using this option ensures that external caches are cleared of inco
rrect information (typically the | | Using this option ensures that external caches are cleared of inco
rrect information (typically the |
| absence of users) that may be present due to unavailability of the
LDAP server. | | absence of users) that may be present due to unavailability of the
LDAP server. |
| | |
| cache CACHE TIME [TIME] | | cache CACHE TIME [TIME] |
| Configure the time entries are kept in the specified internal cach
e. | | Configure the time entries are kept in the specified internal cach
e. |
| | |
| The first TIME value specifies the time to keep found entries in t
he cache. The second TIME value | | The first TIME value specifies the time to keep found entries in t
he cache. The second TIME value |
|
| specifies to the time to remember that a particular entry was not
found. If the second parameter | | specifies to the time to remember that a particular entry was not
found. If the second parameter |
| is absent, it is assumed to be the same as the first. | | is absent, it is assumed to be the same as the first. |
| | |
|
| Time values are specified as a number followed by an s for seconds
, m for minutes, h for hours or | | Time values are specified as a number followed by an s for second
s, m for minutes, h for hours or |
| d for days. Use 0 or off to disable the cache. | | d for days. Use 0 or off to disable the cache. |
| | |
| Currently, only the dn2uid cache is supported that is used to reme
mber DN to username lookups that | | Currently, only the dn2uid cache is supported that is used to reme
mber DN to username lookups that |
| are used when the member attribute is used. The default time valu
e for this cache is 15m. | | are used when the member attribute is used. The default time valu
e for this cache is 15m. |
| | |
| SUPPORTED MAPS | | SUPPORTED MAPS |
| The following maps are supported. They are referenced as MAP in the optio
ns above. | | The following maps are supported. They are referenced as MAP in the optio
ns above. |
| | |
| alias[es] | | alias[es] |
|
| Mail aliases. Note that most mail servers do not use the NSS
interface for requesting mail | | Mail aliases. Note that most mail servers do not use the N
SS interface for requesting mail |
| aliases and parse /etc/aliases on their own. | | aliases and parse /etc/aliases on their own. |
| | |
| ether[s] | | ether[s] |
| Ethernet numbers (mac addresses). | | Ethernet numbers (mac addresses). |
| | |
| group Posix groups. | | group Posix groups. |
| | |
| host[s] | | host[s] |
| Host names. | | Host names. |
| | |
| | |
| skipping to change at line 403 | | skipping to change at line 417 |
|---|
| rpc Remote procedure call names and numbers. | | rpc Remote procedure call names and numbers. |
| | |
| service[s] | | service[s] |
| Network service names and numbers. | | Network service names and numbers. |
| | |
| shadow Shadow user password information. | | shadow Shadow user password information. |
| | |
| ATTRIBUTE MAPPING EXPRESSIONS | | ATTRIBUTE MAPPING EXPRESSIONS |
| For some attributes a mapping expression may be used to construct the res
ulting value. This is currently | | For some attributes a mapping expression may be used to construct the res
ulting value. This is currently |
| only possible for attributes that do not need to be used in search filter
s. The expressions are a subset | | only possible for attributes that do not need to be used in search filter
s. The expressions are a subset |
|
| of the double quoted string expressions in the Bourne (POSIX) shell. I | | of the double quoted string expressions in the Bourne (POSIX) shell. Ins |
| nstead of variable substitution, | | tead of variable substitution, |
| attribute lookups are done on the current entry and the attribute value i | | attribute lookups are done on the current entry and the attribute valu |
| s substituted. The following | | e is substituted. The following |
| expressions are supported: | | expressions are supported: |
| | |
| ${attr} (or $attr for short) | | ${attr} (or $attr for short) |
| will substitute the value of the attribute | | will substitute the value of the attribute |
| | |
| ${attr:-word} | | ${attr:-word} |
|
| (use default) will substitute the value of the attribute or, if t
he attribute is not set or empty | | (use default) will substitute the value of the attribute or, if th
e attribute is not set or empty |
| substitute the word | | substitute the word |
| | |
| ${attr:+word} | | ${attr:+word} |
| (use alternative) will substitute word if attribute is set, otherw
ise substitute the empty string | | (use alternative) will substitute word if attribute is set, otherw
ise substitute the empty string |
| | |
| ${attr:offset:length} | | ${attr:offset:length} |
| will substitute length characters (actually bytes) starting from p
osition offset (which is counted | | will substitute length characters (actually bytes) starting from p
osition offset (which is counted |
| starting at zero); the substituted string is truncated if it is to
o long; in particular, it can be | | starting at zero); the substituted string is truncated if it is to
o long; in particular, it can be |
| of length zero (if length is zero or offset falls out of the origi
nal string) | | of length zero (if length is zero or offset falls out of the origi
nal string) |
| | |
| | |
| skipping to change at line 434 | | skipping to change at line 448 |
|---|
| | |
| ${attr##word} | | ${attr##word} |
| remove the longest possible match of word from the left of the att
ribute value (pynslcd only) | | remove the longest possible match of word from the left of the att
ribute value (pynslcd only) |
| | |
| ${attr%word} | | ${attr%word} |
| remove the shortest possible match of word from the right of the a
ttribute value (pynslcd only) | | remove the shortest possible match of word from the right of the a
ttribute value (pynslcd only) |
| | |
| ${attr%%word} | | ${attr%%word} |
| remove the longest possible match of word from the right of the at
tribute value (pynslcd only) | | remove the longest possible match of word from the right of the at
tribute value (pynslcd only) |
| | |
|
| Only the # matching expression is supported in nslcd and only with the ?
wildcard symbol. The pynslcd | | Only the # matching expression is supported in nslcd and only with th
e ? wildcard symbol. The pynslcd |
| implementation supports full matching. | | implementation supports full matching. |
| | |
| Quote ("), dollar ($) and backslash (\) characters should be escaped with
a backslash (\). | | Quote ("), dollar ($) and backslash (\) characters should be escaped with
a backslash (\). |
| | |
| The expressions are inspected to automatically fetch the appropriate attr
ibutes from LDAP. Some examples | | The expressions are inspected to automatically fetch the appropriate attr
ibutes from LDAP. Some examples |
| to demonstrate how these expressions may be used in attribute mapping: | | to demonstrate how these expressions may be used in attribute mapping: |
| | |
| "${shadowFlag:-0}" | | "${shadowFlag:-0}" |
| use the shadowFlag attribute, using the value 0 as default | | use the shadowFlag attribute, using the value 0 as default |
| | |
| | |
| skipping to change at line 465 | | skipping to change at line 479 |
|---|
| /etc/nslcd.conf | | /etc/nslcd.conf |
| the main configuration file | | the main configuration file |
| | |
| /etc/nsswitch.conf | | /etc/nsswitch.conf |
| Name Service Switch configuration file | | Name Service Switch configuration file |
| | |
| SEE ALSO | | SEE ALSO |
| nslcd(8), nsswitch.conf(5) | | nslcd(8), nsswitch.conf(5) |
| | |
| AUTHOR | | AUTHOR |
|
| This manual was written by Arthur de Jong <arthur@arthurdejong.org> and i
s based on the nss_ldap(5) man- | | This manual was written by Arthur de Jong <arthur@arthurdejong.org> and
is based on the nss_ldap(5) man- |
| ual developed by PADL Software Pty Ltd. | | ual developed by PADL Software Pty Ltd. |
| | |
|
| Version 0.9.11 Oct 2018
nslcd.conf(5) | | Version 0.9.12 Nov 2021
nslcd.conf(5) |
| | | |
| End of changes. 58 change blocks. |
|---|
| 135 lines changed or deleted | | 157 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 