"Fossies" - the Fresh Open Source Software Archive

Member "nss-pam-ldapd-0.9.12/man/nslcd.conf.5" (20 Nov 2021, 25738 Bytes) of package /linux/privat/nss-pam-ldapd-0.9.12.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 '\" -*- coding: utf-8 -*-
    2 .if \n(.g .ds T< \\FC
    3 .if \n(.g .ds T> \\F[\n[.fam]]
    4 .de URL
    5 \\$2 \(la\\$1\(ra\\$3
    6 ..
    7 .if \n(.g .mso www.tmac
    8 .TH nslcd.conf 5 "Nov 2021" "Version 0.9.12" "System Manager's Manual"
    9 .SH NAME
   10 nslcd.conf \- configuration file for LDAP nameservice daemon
   12 The \fInss-pam-ldapd\fR package allows LDAP
   13 directory servers to be used as a primary source of name service
   14 information. (Name service information typically includes users, hosts,
   15 groups, and other such data historically stored in flat files or
   16 NIS.)
   17 .PP
   18 The file \*(T<\fInslcd.conf\fR\*(T> contains the
   19 configuration information for running \fBnslcd\fR (see
   20 \fBnslcd\fR(8)).
   21 The file contains options, one on each line, defining the way
   22 NSS lookups and PAM actions
   23 are mapped to LDAP lookups.
   26 .TP 
   27 \*(T<\fBthreads\fR\*(T> \fINUM\fR
   28 Specifies the number of threads to start that can handle requests
   29 and perform LDAP queries.
   30 Each thread opens a separate connection to the LDAP
   31 server.
   32 The default is to start 5 threads.
   33 .TP 
   34 \*(T<\fBuid\fR\*(T> \fIUID\fR
   35 This specifies the user id with which the daemon should be run.
   36 This can be a numerical id or a symbolic value.
   37 If no uid is specified no attempt to change the user will be made.
   38 Note that you should use values that don't need LDAP
   39 to resolve.
   40 .TP 
   41 \*(T<\fBgid\fR\*(T> \fIGID\fR
   42 This specifies the group id with which the daemon should be run.
   43 This can be a numerical id or a symbolic value.
   44 If no gid is specified no attempt to change the group will be made.
   45 Note that you should use values that don't need LDAP
   46 to resolve.
   47 .TP 
   48 \*(T<\fBlog\fR\*(T> \fISCHEME\fR [\fILEVEL\fR]
   49 This option controls the way logging is done.
   50 The \fISCHEME\fR argument may either be
   51 \*(T<none\*(T>, \*(T<syslog\*(T> or an absolute
   52 file name.
   53 The \fILEVEL\fR argument is optional and specifies
   54 the log level.
   55 The log level may be one of: \*(T<crit\*(T>,
   56 \*(T<error\*(T>, \*(T<warning\*(T>,
   57 \*(T<notice\*(T>, \*(T<info\*(T> or
   58 \*(T<debug\*(T>. The default log level is \*(T<info\*(T>.
   59 All messages with the specified loglevel or higher are logged.
   60 This option can be supplied multiple times.
   61 If this option is omitted \*(T<syslog info\*(T> is assumed.
   63 .TP 
   64 \*(T<\fBuri\fR\*(T> \fIURI\fR ...
   65 Specifies the LDAP URI of the
   66 server to connect to.
   67 The URI scheme may be \*(T<ldap\*(T>,
   68 \*(T<ldapi\*(T> or \*(T<ldaps\*(T>, specifying
   69 LDAP over TCP,
   70 ICP or SSL respectively (if
   71 supported by the LDAP library).
   73 Alternatively, the value \*(T<DNS\*(T> may be
   74 used to try to lookup the server using DNS
   75 SRV records. 
   76 By default the current domain is used but another domain can
   77 be queried by using the
   78 \*(T<DNS:DOMAIN\*(T> syntax.
   79 To convert SRV records for port 389 into an
   80 \*(T<ldaps://\*(T> URI, \*(T<DNSLDAPS\*(T>
   81 can be used. 
   83 When using the \*(T<ldapi\*(T> scheme, \*(T<%2f\*(T> should be used to escape slashes
   84 (e.g. \*(T<ldapi://%2fvar%2frun%2fslapd%2fldapi/\*(T>), although most of the
   85 time this should not be needed.
   87 This option may be specified multiple times and/or with more
   88 URIs on the line, separated by spaces. Normally, only the first
   89 server will be used with the following servers as fall-back (see
   90 \*(T<\fBbind_timelimit\fR\*(T> below).
   92 If LDAP lookups are used for host name resolution,
   93 any host names should be specified as an IP address or name that can be
   94 resolved without using LDAP.
   95 .TP 
   96 \*(T<\fBldap_version\fR\*(T> \fIVERSION\fR
   97 Specifies the version of the LDAP protocol to use.
   98 The default is to use the maximum version supported by the
   99 LDAP library.
  100 .TP 
  101 \*(T<\fBbinddn\fR\*(T> \fIDN\fR
  102 Specifies the distinguished name with which to bind to the directory
  103 server for lookups.
  104 The default is to bind anonymously.
  105 .TP 
  106 \*(T<\fBbindpw\fR\*(T> \fIPASSWORD\fR
  107 Specifies the credentials with which to bind.
  108 This option is only applicable when used with \*(T<\fBbinddn\fR\*(T> above.
  109 If you set this option you should consider changing the permissions
  110 of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
  111 the root user.
  112 .TP 
  113 \*(T<\fBrootpwmoddn\fR\*(T> \fIDN\fR
  114 Specifies the distinguished name to use when the root user tries to
  115 modify a user's password using the PAM module.
  117 Note that currently this DN needs to exist as a real entry in the
  118 LDAP directory.
  119 .TP 
  120 \*(T<\fBrootpwmodpw\fR\*(T> \fIPASSWORD\fR
  121 Specifies the credentials with which to bind if the root
  122 user tries to change a user's password.
  123 This option is only applicable when used with
  124 \*(T<\fBrootpwmoddn\fR\*(T> above.
  125 If this option is not specified the PAM module prompts the user for
  126 this password.
  127 If you set this option you should consider changing the permissions
  128 of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
  129 the root user.
  131 .TP 
  132 \*(T<\fBsasl_mech\fR\*(T> \fIMECHANISM\fR
  133 Specifies the SASL mechanism to be used when
  134 performing SASL authentication.
  135 .TP 
  136 \*(T<\fBsasl_realm\fR\*(T> \fIREALM\fR
  137 Specifies the SASL realm to be used when performing
  138 SASL authentication.
  139 .TP 
  140 \*(T<\fBsasl_authcid\fR\*(T> \fIAUTHCID\fR
  141 Specifies the authentication identity to be used when performing
  142 SASL authentication.
  143 .TP 
  144 \*(T<\fBsasl_authzid\fR\*(T> \fIAUTHZID\fR
  145 Specifies the authorization identity to be used when performing
  146 SASL authentication.
  147 Must be specified in one of the formats: dn:<distinguished name>
  148 or u:<username>.
  149 .TP 
  150 \*(T<\fBsasl_secprops\fR\*(T> \fIPROPERTIES\fR
  151 Specifies Cyrus SASL security properties.
  152 Allowed values are described in the
  153 \fBldap.conf\fR(5)
  154 manual page.
  155 .TP 
  156 \*(T<\fBsasl_canonicalize\fR\*(T> yes|no
  157 Determines whether the LDAP server host name should
  158 be canonicalised. If this is set to yes the LDAP
  159 library will do a reverse host name lookup.
  160 By default, it is left up to the LDAP library
  161 whether this check is performed or not.
  163 .TP 
  164 \*(T<\fBkrb5_ccname\fR\*(T> \fINAME\fR
  165 Set the name for the GSS-API Kerberos credentials cache.
  167 .TP 
  168 \*(T<\fBbase\fR\*(T> [\fIMAP\fR] \fIDN\fR
  169 Specifies the distinguished name (DN)
  170 to use as search base.
  171 This option may be supplied multiple times and all specified bases
  172 will be searched.
  174 A global search base may be specified or a MAP-specific one.
  175 If no MAP-specific search bases are defined the global ones are used.
  177 If, instead of a DN, the value
  178 \fIDOMAIN\fR is specified, the host's
  179 DNS domain is used to construct a search base.
  180 A value of \fI""\fR can be used to indicate an
  181 empty search base (quotes are not otherwise supported for base
  182 values and not all LDAP server configurations support this). 
  184 If this value is not defined an attempt is made to look it up
  185 in the configured LDAP server. If the
  186 LDAP server is unavailable during start-up
  187 \fBnslcd\fR will not start.
  188 .TP 
  189 \*(T<\fBscope\fR\*(T> [\fIMAP\fR] sub[tree]|one[level]|base|children
  190 Specifies the search scope (subtree, onelevel, base or children).
  191 The default scope is subtree; base scope is almost never useful for
  192 name service lookups; children scope is not supported on all servers.
  193 .TP 
  194 \*(T<\fBderef\fR\*(T> never|searching|finding|always
  195 Specifies the policy for dereferencing aliases.
  196 The default policy is to never dereference aliases.
  197 .TP 
  198 \*(T<\fBreferrals\fR\*(T> yes|no
  199 Specifies whether automatic referral chasing should be enabled.
  200 The default behaviour is to chase referrals.
  201 .TP 
  202 \*(T<\fBfilter\fR\*(T> \fIMAP\fR \fIFILTER\fR
  203 The \fIFILTER\fR
  204 is an LDAP search filter to use for a
  205 specific map.
  206 The default filter is a basic search on the
  207 objectClass for the map (e.g. \*(T<(objectClass=posixAccount)\*(T>).
  208 .TP 
  209 \*(T<\fBmap\fR\*(T> \fIMAP\fR \fIATTRIBUTE\fR \fINEWATTRIBUTE\fR
  210 This option allows for custom attributes to be looked up instead of
  211 the default RFC 2307 attributes.
  212 The \fIMAP\fR may be one of
  213 the supported maps below.
  214 The \fIATTRIBUTE\fR is the one as
  215 used in RFC 2307 (e.g. \*(T<userPassword\*(T>,
  216 \*(T<ipProtocolNumber\*(T>, \*(T<macAddress\*(T>, etc.).
  217 The \fINEWATTRIBUTE\fR may be any attribute
  218 as it is available in the directory.
  220 If the \fINEWATTRIBUTE\fR is presented in
  221 quotes (") it is treated as an expression which will be evaluated
  222 to build up the actual value used.
  223 See the section on attribute mapping expressions below for more details.
  225 Only some attributes for group, passwd and shadow entries may be mapped
  226 with an expression (because other attributes may be used in search
  227 filters).
  228 For group entries only the \*(T<userPassword\*(T> attribute
  229 may be mapped with an expression.
  230 For passwd entries the following attributes may be mapped with an
  231 expression: \*(T<userPassword\*(T>, \*(T<gidNumber\*(T>,
  232 \*(T<gecos\*(T>, \*(T<homeDirectory\*(T> and
  233 \*(T<loginShell\*(T>.
  234 For shadow entries the following attributes may be mapped with an
  235 expression: \*(T<userPassword\*(T>, \*(T<shadowLastChange\*(T>,
  236 \*(T<shadowMin\*(T>, \*(T<shadowMax\*(T>,
  237 \*(T<shadowWarning\*(T>, \*(T<shadowInactive\*(T>,
  238 \*(T<shadowExpire\*(T> and \*(T<shadowFlag\*(T>.
  240 The \*(T<uidNumber\*(T> and \*(T<gidNumber\*(T>
  241 attributes in the \*(T<passwd\*(T> and \*(T<group\*(T>
  242 maps may be mapped to the \*(T<objectSid\*(T> followed by
  243 the domain SID to derive numeric user and group ids from the SID
  244 (e.g. \*(T<objectSid:S\-1\-5\-21\-3623811015\-3361044348\-30300820\*(T>).
  246 By default all \*(T<userPassword\*(T> attributes are mapped
  247 to the unmatchable password ("*") to avoid accidentally leaking
  248 password information.
  250 .TP 
  251 \*(T<\fBbind_timelimit\fR\*(T> \fISECONDS\fR
  252 Specifies the time limit (in seconds) to use when connecting to the
  253 directory server.
  254 This is distinct from the time limit specified in
  255 \*(T<\fBtimelimit\fR\*(T> and affects the set-up of the connection only.
  256 Note that not all LDAP client libraries have support
  257 for setting the connection time out.
  258 The default \*(T<\fBbind_timelimit\fR\*(T> is 10 seconds.
  259 .TP 
  260 \*(T<\fBtimelimit\fR\*(T> \fISECONDS\fR
  261 Specifies the time limit (in seconds) to wait for a response from the
  262 LDAP server.
  263 A value of zero (0), which is the default, is to wait indefinitely for
  264 searches to be completed.
  265 .TP 
  266 \*(T<\fBidle_timelimit\fR\*(T> \fISECONDS\fR
  267 Specifies the period of inactivity (in seconds) after which the
  268 connection to the LDAP server will be closed.
  269 The default is not to time out connections.
  270 .TP 
  271 \*(T<\fBreconnect_sleeptime\fR\*(T> \fISECONDS\fR
  272 Specifies the number of seconds to sleep when connecting to all
  273 LDAP servers fails.
  274 By default 1 second is waited between the first failure and the first
  275 retry.
  276 .TP 
  277 \*(T<\fBreconnect_retrytime\fR\*(T> \fISECONDS\fR
  278 Specifies the time after which the LDAP server is
  279 considered to be permanently unavailable.
  280 Once this time is reached retries will be done only once per this time period.
  281 The default value is 10 seconds.
  282 .PP
  283 Note that the reconnect logic as described above is the mechanism that
  284 is used between \fBnslcd\fR and the LDAP
  285 server. The mechanism between the NSS and
  286 PAM client libraries on one end and
  287 \fBnslcd\fR on the other is simpler with a fixed compiled-in
  288 time out of a 10 seconds for writing to \fBnslcd\fR and
  289 a time out of 60 seconds for reading answers.
  290 \fBnslcd\fR itself has a read time out of 0.5 seconds
  291 and a write time out of 60 seconds.
  293 .TP 
  294 \*(T<\fBssl\fR\*(T> on|off|start_tls
  295 Specifies whether to use SSL/TLS or not (the default is not to). If
  296 \fIstart_tls\fR
  297 is specified then StartTLS is used rather than raw LDAP over SSL.
  298 Not all LDAP client libraries support both SSL,
  299 StartTLS and all related configuration options.
  300 .TP 
  301 \*(T<\fBtls_reqcert\fR\*(T> never|allow|try|demand|hard
  302 Specifies what checks to perform on a server-supplied certificate.
  303 The meaning of the values is described in the
  304 \fBldap.conf\fR(5)
  305 manual page.
  306 At least one of \*(T<\fBtls_cacertdir\fR\*(T> and
  307 \*(T<\fBtls_cacertfile\fR\*(T> is required if peer verification is
  308 enabled.
  309 .TP 
  310 \*(T<\fBtls_cacertdir\fR\*(T> \fIPATH\fR
  311 Specifies the directory containing X.509 certificates for peer
  312 authentication.
  313 This parameter is ignored when using GnuTLS.
  314 On Debian OpenLDAP is linked against GnuTLS.
  315 .TP 
  316 \*(T<\fBtls_cacertfile\fR\*(T> \fIPATH\fR
  317 Specifies the path to the X.509 certificate for peer authentication.
  318 .TP 
  319 \*(T<\fBtls_randfile\fR\*(T> \fIPATH\fR
  320 Specifies the path to an entropy source.
  321 This parameter is ignored when using GnuTLS.
  322 On Debian OpenLDAP is linked against GnuTLS.
  323 .TP 
  324 \*(T<\fBtls_ciphers\fR\*(T> \fICIPHERS\fR
  325 Specifies the ciphers to use for TLS.
  326 See your TLS implementation's
  327 documentation for further information.
  328 .TP 
  329 \*(T<\fBtls_cert\fR\*(T> \fIPATH\fR
  330 Specifies the path to the file containing the local certificate for
  331 client TLS authentication.
  332 .TP 
  333 \*(T<\fBtls_key\fR\*(T> \fIPATH\fR
  334 Specifies the path to the file containing the private key for client
  335 TLS authentication.
  336 .TP 
  337 \*(T<\fBtls_reqsan\fR\*(T> never|allow|try|demand|hard
  338 Specifies the way server Subject Alternative Name (SAN) is checked in
  339 the server-supplied certificate.
  340 The meaning of the values is described in the
  341 \fBldap.conf\fR(5)
  342 manual page.
  343 .TP 
  344 \*(T<\fBtls_crlcheck\fR\*(T> none|peer|all
  345 Specifies if the Certificate Revocation List (CRL) of the CA should
  346 be used to verify if the server certificates have not been revoked.
  347 The meaning of the values is described in the
  348 \fBldap.conf\fR(5)
  349 manual page.
  350 .TP 
  351 \*(T<\fBtls_crlfile\fR\*(T> \fIPATH\fR
  352 Specifies the path to the file containing a Certificate Revocation List
  353 to be used to verify if the server certificates.
  354 The meaning of the values is described in the
  355 \fBldap.conf\fR(5)
  356 manual page.
  358 .TP 
  359 \*(T<\fBpagesize\fR\*(T> \fINUMBER\fR
  360 Set this to a number greater than 0 to request paged results from
  361 the LDAP server in accordance with RFC2696.
  362 The default (0) is to not request paged results.
  364 This is useful for LDAP servers that contain a
  365 lot of entries (e.g. more than 500) and limit the number of entries
  366 that are returned with one request.
  367 For OpenLDAP servers you may need to set
  368 \*(T<\fBsizelimit size.prtotal=unlimited\fR\*(T>
  369 for allowing more entries to be returned over multiple pages.
  370 .TP 
  371 \*(T<\fBnss_initgroups_ignoreusers\fR\*(T> user1,user2,...
  372 This option prevents group membership lookups through
  373 LDAP for the specified users. This can be useful
  374 in case of unavailability of the LDAP server.
  375 This option may be specified multiple times.
  377 Alternatively, the value \*(T<ALLLOCAL\*(T> may be
  378 used. With that value nslcd builds a full list of
  379 non-LDAP users on startup.
  380 .TP 
  381 \*(T<\fBnss_min_uid\fR\*(T> \fIUID\fR
  382 This option ensures that LDAP users with a numeric
  383 user id lower than the specified value are ignored. Also requests for
  384 users with a lower user id are ignored.
  385 .TP 
  386 \*(T<\fBnss_uid_offset\fR\*(T> \fINUMBER\fR
  387 This option specifies an offset that is added to all
  388 LDAP numeric user ids.
  389 This can be used to avoid user id collisions with local users or,
  390 when using \*(T<objectSid\*(T> attributes, for compatibility
  391 reasons.
  393 The value from the \*(T<\fBnss_min_uid\fR\*(T> option is evaluated
  394 after applying the offset.
  395 .TP 
  396 \*(T<\fBnss_gid_offset\fR\*(T> \fINUMBER\fR
  397 This option specifies an offset that is added to all
  398 LDAP numeric group ids.
  399 This can be used to avoid user id collisions with local groups or,
  400 when using \*(T<objectSid\*(T> attributes, for compatibility
  401 reasons.
  402 .TP 
  403 \*(T<\fBnss_nested_groups\fR\*(T> yes|no
  404 If this option is set, the \*(T<member\*(T> attribute of a
  405 group may point to another group.
  406 Members of nested groups are also returned in the higher level group
  407 and parent groups are returned when finding groups for a specific user.
  408 The default is not to perform extra searches for nested groups.
  409 .TP 
  410 \*(T<\fBnss_getgrent_skipmembers\fR\*(T> yes|no
  411 If this option is set, the group member list is not retrieved when
  412 looking up groups.
  413 Lookups for finding which groups a user belongs to will remain
  414 functional so the user will likely still get the correct groups
  415 assigned on login.
  417 This can offer a speed-up on systems that have very large groups.
  418 It has the downside of returning inconsistent information about
  419 group membership which may confuse some applications.
  420 This option is not recommended for most configurations.
  421 .TP 
  422 \*(T<\fBnss_disable_enumeration\fR\*(T> yes|no
  423 If this option is set, functions which cause all user/group entries to
  424 be loaded (getpwent(), getgrent(), setspent()) from the directory will
  425 not succeed in doing so.
  426 Applications that depend on being able to sequentially read all users
  427 and/or groups may fail to operate correctly.
  429 This can dramatically reduce LDAP server load in
  430 situations where there are a great number of users and/or groups.
  431 This is typically used in situations where user/program access to
  432 enumerate the entire directory is undesirable, and changing the
  433 behavior of the user/program is not possible.
  434 This option is not recommended for most configurations.
  435 .TP 
  436 \*(T<\fBvalidnames\fR\*(T> \fIREGEX\fR
  437 This option can be used to specify how user and group names are
  438 verified within the system. This pattern is used to check all user and
  439 group names that are requested and returned from LDAP.
  441 The regular expression should be specified as a POSIX extended regular
  442 expression. The expression itself needs to be separated by slash (/)
  443 characters and the 'i' flag may be appended at the end to indicate
  444 that the match should be case-insensitive.
  445 The default value is
  446 \*(T</^[a\-z0\-9._@$()]([a\-z0\-9._@$() \e\e~\-]*[a\-z0\-9._@$()~\-])?$/i\*(T>
  447 .TP 
  448 \*(T<\fBignorecase\fR\*(T> yes|no
  449 This specifies whether or not to perform searches for group,
  450 netgroup, passwd, protocols, rpc, services and shadow maps using
  451 case-insensitive matching.
  452 Setting this to \*(T<yes\*(T> could open up the system
  453 to authorisation bypass vulnerabilities and introduce nscd cache poisoning
  454 vulnerabilities which allow denial of service.
  455 The default is to perform case-sensitive filtering of LDAP search
  456 results for the above maps.
  457 .TP 
  458 \*(T<\fBpam_authc_ppolicy\fR\*(T> yes|no
  459 This option specifies whether password policy controls are requested
  460 and handled from the LDAP server when performing
  461 user authentication.
  462 By default the controls are requested and handled if available.
  463 .TP 
  464 \*(T<\fBpam_authc_search\fR\*(T> \fIFILTER\fR
  465 By default \fBnslcd\fR performs an
  466 LDAP search with the user's credentials after BIND
  467 (authentication) to ensure that the BIND operation was successful.
  468 The default search is a simple check to see if the user's DN exists.
  470 A search filter can be specified that will be used instead.
  471 The same substitutions as with the \*(T<\fBpam_authz_search\fR\*(T>
  472 option will be performed and the search should at least return one
  473 entry.
  475 The value \*(T<BASE\*(T> may be used to force the default
  476 search for the user DN.
  478 The value \*(T<NONE\*(T> may be used to indicate that no
  479 search should be performed after BIND.
  480 Note that some LDAP servers do not always return a
  481 correct error code as a result of a failed BIND operation (e.g. when
  482 an empty password is supplied).
  483 .TP 
  484 \*(T<\fBpam_authz_search\fR\*(T> \fIFILTER\fR
  485 This option allows flexible fine tuning of the authorisation check that
  486 should be performed. The search filter specified is executed and
  487 if any entries match, access is granted, otherwise access is denied.
  489 The search filter can contain the following variable references:
  490 \*(T<$username\*(T>, \*(T<$service\*(T>,
  491 \*(T<$ruser\*(T>, \*(T<$rhost\*(T>,
  492 \*(T<$tty\*(T>, \*(T<$hostname\*(T>,
  493 \*(T<$fqdn\*(T>, 
  494 \*(T<$domain\*(T>, 
  495 \*(T<$dn\*(T>, and \*(T<$uid\*(T>.
  496 These references are substituted in the search filter using the
  497 same syntax as described in the section on attribute mapping
  498 expressions below.
  500 For example, to check that the user has a proper \*(T<authorizedService\*(T>
  501 value if the attribute is present (this almost emulates the
  502 \*(T<\fBpam_check_service_attr\fR\*(T> option in PADL's pam_ldap):
  504 .nf
  505 \*(T<(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))\*(T>
  506 .fi
  508 The \*(T<\fBpam_check_host_attr\fR\*(T> option can be emulated with:
  510 .nf
  511 \*(T<(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\e\e*)))\*(T>
  512 .fi
  514 This option may be specified multiple times and all specified searches
  515 should at least return one entry for access to be granted.
  516 .TP 
  517 \*(T<\fBpam_password_prohibit_message\fR\*(T> "\fIMESSAGE\fR"
  518 If this option is set password modification using pam_ldap will be
  519 denied and the specified message will be presented to the user instead.
  520 The message can be used to direct the user to an alternative means
  521 of changing their password.
  522 .TP 
  523 \*(T<\fBreconnect_invalidate\fR\*(T> \fIDB\fR,\fIDB\fR,...
  524 If this option is set, \fBnslcd\fR will try to flush the
  525 specified external caches on start-up and whenever a connection to the
  526 LDAP server is re-established after an error.
  528 \fIDB\fR can refer to one of the nsswitch maps,
  529 in which case \fBnscd\fR is contacted to flush its cache
  530 for the specified database.
  531 If \fIDB\fR is \*(T<nfsidmap\*(T>,
  532 \fBnfsidmap\fR is contacted to clear its cache.
  534 Using this option ensures that external caches are cleared of
  535 incorrect information (typically the absence of users) that may
  536 be present due to unavailability of the LDAP server.
  537 .TP 
  538 \*(T<\fBcache\fR\*(T> \fICACHE\fR \fITIME\fR [\fITIME\fR]
  539 Configure the time entries are kept in the specified internal cache.
  541 The first \fITIME\fR value specifies the time
  542 to keep found entries in the cache.
  543 The second \fITIME\fR value specifies to the
  544 time to remember that a particular entry was not found.
  545 If the second parameter is absent, it is assumed to be the same as
  546 the first.
  548 Time values are specified as a number followed by an
  549 \*(T<s\*(T> for seconds, \*(T<m\*(T> for minutes,
  550 \*(T<h\*(T> for hours or \*(T<d\*(T> for days.
  551 Use \*(T<0\*(T> or \*(T<off\*(T> to disable the
  552 cache.
  554 Currently, only the \*(T<dn2uid\*(T> cache is supported
  555 that is used to remember DN to username lookups that are used when the
  556 \*(T<member\*(T> attribute is used.
  557 The default time value for this cache is \*(T<15m\*(T>.
  559 The following maps are supported. They are referenced as
  560 \fIMAP\fR in the options above.
  561 .TP 
  562 alias[es]
  563 Mail aliases.
  564 Note that most mail servers do not use the NSS
  565 interface for requesting mail aliases and parse
  566 \*(T<\fI/etc/aliases\fR\*(T> on their own.
  567 .TP 
  568 ether[s]
  569 Ethernet numbers (mac addresses).
  570 .TP 
  571 group
  572 Posix groups.
  573 .TP 
  574 host[s]
  575 Host names.
  576 .TP 
  577 netgroup
  578 Host and user groups used for access control.
  579 .TP 
  580 network[s]
  581 Network numbers.
  582 .TP 
  583 passwd
  584 Posix users.
  585 .TP 
  586 protocol[s]
  587 Protocol definitions (like in \*(T<\fI/etc/protocols\fR\*(T>).
  588 .TP 
  589 rpc
  590 Remote procedure call names and numbers.
  591 .TP 
  592 service[s]
  593 Network service names and numbers.
  594 .TP 
  595 shadow
  596 Shadow user password information.
  598 For some attributes a mapping expression may be used to construct the
  599 resulting value.
  600 This is currently only possible for attributes that do
  601 not need to be used in search filters.
  602 The expressions are a subset of the double quoted string expressions in the
  603 Bourne (POSIX) shell.
  604 Instead of variable substitution, attribute lookups are done on the current
  605 entry and the attribute value is substituted.
  606 The following expressions are supported:
  607 .TP 
  608 \*(T<${attr}\*(T> (or \*(T<$attr\*(T> for short)
  609 will substitute the value of the attribute
  610 .TP 
  611 \*(T<${attr:\-word}\*(T>
  612 (use default) will substitute the value of the attribute or, if the
  613 attribute is not set or empty substitute the word
  614 .TP 
  615 \*(T<${attr:+word}\*(T>
  616 (use alternative) will substitute \*(T<word\*(T> if attribute
  617 is set, otherwise substitute the empty string
  618 .TP 
  619 \*(T<${attr:offset:length}\*(T>
  620 will substitute \*(T<length\*(T> characters (actually
  621 bytes) starting from position \*(T<offset\*(T> (which
  622 is counted starting at zero); the substituted string is
  623 truncated if it is too long; in particular, it can be of length
  624 zero (if \*(T<length\*(T> is zero or
  625 \*(T<offset\*(T> falls out of the original string)
  626 .TP 
  627 \*(T<${attr#word}\*(T>
  628 remove the shortest possible match of \*(T<word\*(T> from the
  629 left of the attribute value
  630 .TP 
  631 \*(T<${attr##word}\*(T>
  632 remove the longest possible match of \*(T<word\*(T> from the
  633 left of the attribute value (\fBpynslcd\fR only)
  634 .TP 
  635 \*(T<${attr%word}\*(T>
  636 remove the shortest possible match of \*(T<word\*(T> from the
  637 right of the attribute value (\fBpynslcd\fR only)
  638 .TP 
  639 \*(T<${attr%%word}\*(T>
  640 remove the longest possible match of \*(T<word\*(T> from the
  641 right of the attribute value (\fBpynslcd\fR only)
  642 .PP
  643 Only the # matching expression is supported in \fBnslcd\fR
  644 and only with the ? wildcard symbol. The \fBpynslcd\fR
  645 implementation supports full matching.
  646 .PP
  647 Quote (\*(T<"\*(T>), dollar (\*(T<$\*(T>) and
  648 backslash (\*(T<\e\*(T>) characters should be escaped with a
  649 backslash (\*(T<\e\*(T>).
  650 .PP
  651 The expressions are inspected to automatically fetch the appropriate
  652 attributes from LDAP.
  653 Some examples to demonstrate how these expressions may be used in
  654 attribute mapping:
  655 .TP 
  656 \*(T<"${shadowFlag:\-0}"\*(T>
  657 use the \*(T<shadowFlag\*(T> attribute, using the
  658 value 0 as default
  659 .TP 
  660 \*(T<"${homeDirectory:\-/home/$uid}"\*(T>
  661 use the \*(T<uid\*(T> attribute to build a
  662 \*(T<homeDirectory\*(T> value if that attribute is missing
  663 .TP 
  664 \*(T<"${isDisabled:+100}"\*(T>
  665 if the \*(T<isDisabled\*(T> attribute is set, return 100,
  666 otherwise leave value empty
  667 .TP 
  668 \*(T<"${userPassword#{crypt\e}}"\*(T>
  669 strip the {crypt} prefix from the userPassword attribute, returning
  670 the raw hash value
  671 .SH FILES
  672 .TP 
  673 \*(T<\fI/etc/nslcd.conf\fR\*(T>
  674 the main configuration file
  675 .TP 
  676 \*(T<\fI/etc/nsswitch.conf\fR\*(T>
  677 Name Service Switch configuration file
  678 .SH "SEE ALSO"
  679 \fBnslcd\fR(8),
  680 \fBnsswitch.conf\fR(5)
  681 .SH AUTHOR
  682 This manual was written by Arthur de Jong <arthur@arthurdejong.org>
  683 and is based on the
  684 \fBnss_ldap\fR(5)
  685 manual developed by PADL Software Pty Ltd.