Member "nss-pam-ldapd-0.9.12/man/nslcd.conf.5" (20 Nov 2021, 25738 Bytes) of package /linux/privat/nss-pam-ldapd-0.9.12.tar.gz:

'\" -*- coding: utf-8 -*-
.if \n(.g .ds T< \\FC
.if \n(.g .ds T> \\F[\n[.fam]]
.de URL
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH nslcd.conf 5 "Nov 2021" "Version 0.9.12" "System Manager's Manual"
.SH NAME
nslcd.conf \- configuration file for LDAP nameservice daemon
.SH DESCRIPTION
The \fInss-pam-ldapd\fR package allows LDAP
directory servers to be used as a primary source of name service
information. (Name service information typically includes users, hosts,
groups, and other such data historically stored in flat files or
NIS.)
.PP
The file \*(T<\fInslcd.conf\fR\*(T> contains the
configuration information for running \fBnslcd\fR (see
\fBnslcd\fR(8)).
The file contains options, one on each line, defining the way
NSS lookups and PAM actions
are mapped to LDAP lookups.
.SH OPTIONS
.SS "RUNTIME OPTIONS"
.TP
\*(T<\fBthreads\fR\*(T> \fINUM\fR
Specifies the number of threads to start that can handle requests
and perform LDAP queries.
Each thread opens a separate connection to the LDAP
server.
The default is to start 5 threads.
.TP
\*(T<\fBuid\fR\*(T> \fIUID\fR
This specifies the user id with which the daemon should be run.
This can be a numerical id or a symbolic value.
If no uid is specified no attempt to change the user will be made.
Note that you should use values that don't need LDAP
to resolve.
.TP
\*(T<\fBgid\fR\*(T> \fIGID\fR
This specifies the group id with which the daemon should be run.
This can be a numerical id or a symbolic value.
If no gid is specified no attempt to change the group will be made.
Note that you should use values that don't need LDAP
to resolve.
.TP
\*(T<\fBlog\fR\*(T> \fISCHEME\fR [\fILEVEL\fR]
This option controls the way logging is done.
The \fISCHEME\fR argument may either be
\*(T<none\*(T>, \*(T<syslog\*(T> or an absolute
file name.
The \fILEVEL\fR argument is optional and specifies
the log level.
The log level may be one of: \*(T<crit\*(T>,
\*(T<error\*(T>, \*(T<warning\*(T>,
\*(T<notice\*(T>, \*(T<info\*(T> or
\*(T<debug\*(T>. The default log level is \*(T<info\*(T>.
All messages with the specified loglevel or higher are logged.
This option can be supplied multiple times.
If this option is omitted \*(T<syslog info\*(T> is assumed.
.SS "GENERAL CONNECTION OPTIONS"
.TP
\*(T<\fBuri\fR\*(T> \fIURI\fR ...
Specifies the LDAP URI of the
server to connect to.
The URI scheme may be \*(T<ldap\*(T>,
\*(T<ldapi\*(T> or \*(T<ldaps\*(T>, specifying
LDAP over TCP,
IPC or SSL respectively (if
supported by the LDAP library).

Alternatively, the value \*(T<DNS\*(T> may be
used to try to look up the server using DNS
SRV records.
By default the current domain is used but another domain can
be queried by using the
\*(T<DNS:DOMAIN\*(T> syntax.
To convert SRV records for port 389 into an
\*(T<ldaps://\*(T> URI, \*(T<DNSLDAPS\*(T>
can be used.

When using the \*(T<ldapi\*(T> scheme, \*(T<%2f\*(T> should be used to escape slashes
(e.g. \*(T<ldapi://%2fvar%2frun%2fslapd%2fldapi/\*(T>), although most of the
time this should not be needed.

This option may be specified multiple times and/or with more
URIs on the line, separated by spaces. Normally, only the first
server will be used with the following servers as fall-back (see
\*(T<\fBbind_timelimit\fR\*(T> below).

If LDAP lookups are used for host name resolution,
any host names should be specified as an IP address or name that can be
resolved without using LDAP.
.TP
\*(T<\fBldap_version\fR\*(T> \fIVERSION\fR
Specifies the version of the LDAP protocol to use.
The default is to use the maximum version supported by the
LDAP library.
.TP
\*(T<\fBbinddn\fR\*(T> \fIDN\fR
Specifies the distinguished name with which to bind to the directory
server for lookups.
The default is to bind anonymously.
.TP
\*(T<\fBbindpw\fR\*(T> \fIPASSWORD\fR
Specifies the credentials with which to bind.
This option is only applicable when used with \*(T<\fBbinddn\fR\*(T> above.
If you set this option you should consider changing the permissions
of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
the root user.
.TP
\*(T<\fBrootpwmoddn\fR\*(T> \fIDN\fR
Specifies the distinguished name to use when the root user tries to
modify a user's password using the PAM module.

Note that currently this DN needs to exist as a real entry in the
LDAP directory.
.TP
\*(T<\fBrootpwmodpw\fR\*(T> \fIPASSWORD\fR
Specifies the credentials with which to bind if the root
user tries to change a user's password.
This option is only applicable when used with
\*(T<\fBrootpwmoddn\fR\*(T> above.
If this option is not specified the PAM module prompts the user for
this password.
If you set this option you should consider changing the permissions
of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
the root user.
.SS "SASL AUTHENTICATION OPTIONS"
.TP
\*(T<\fBsasl_mech\fR\*(T> \fIMECHANISM\fR
Specifies the SASL mechanism to be used when
performing SASL authentication.
.TP
\*(T<\fBsasl_realm\fR\*(T> \fIREALM\fR
Specifies the SASL realm to be used when performing
SASL authentication.
.TP
\*(T<\fBsasl_authcid\fR\*(T> \fIAUTHCID\fR
Specifies the authentication identity to be used when performing
SASL authentication.
.TP
\*(T<\fBsasl_authzid\fR\*(T> \fIAUTHZID\fR
Specifies the authorization identity to be used when performing
SASL authentication.
Must be specified in one of the formats: dn:<distinguished name>
or u:<username>.
.TP
\*(T<\fBsasl_secprops\fR\*(T> \fIPROPERTIES\fR
Specifies Cyrus SASL security properties.
Allowed values are described in the
\fBldap.conf\fR(5)
manual page.
.TP
\*(T<\fBsasl_canonicalize\fR\*(T> yes|no
Determines whether the LDAP server host name should
be canonicalised. If this is set to yes the LDAP
library will do a reverse host name lookup.
By default, it is left up to the LDAP library
whether this check is performed or not.
.SS "KERBEROS AUTHENTICATION OPTIONS"
.TP
\*(T<\fBkrb5_ccname\fR\*(T> \fINAME\fR
Set the name for the GSS-API Kerberos credentials cache.
.SS "SEARCH/MAPPING OPTIONS"
.TP
\*(T<\fBbase\fR\*(T> [\fIMAP\fR] \fIDN\fR
Specifies the distinguished name (DN)
to use as search base.
This option may be supplied multiple times and all specified bases
will be searched.

A global search base may be specified or a MAP-specific one.
If no MAP-specific search bases are defined the global ones are used.

If, instead of a DN, the value
\fIDOMAIN\fR is specified, the host's
DNS domain is used to construct a search base.
A value of \fI""\fR can be used to indicate an
empty search base (quotes are not otherwise supported for base
values and not all LDAP server configurations support this).

If this value is not defined an attempt is made to look it up
in the configured LDAP server. If the
LDAP server is unavailable during start-up
\fBnslcd\fR will not start.
.TP
\*(T<\fBscope\fR\*(T> [\fIMAP\fR] sub[tree]|one[level]|base|children
Specifies the search scope (subtree, onelevel, base or children).
The default scope is subtree; base scope is almost never useful for
name service lookups; children scope is not supported on all servers.
.TP
\*(T<\fBderef\fR\*(T> never|searching|finding|always
Specifies the policy for dereferencing aliases.
The default policy is to never dereference aliases.
.TP
\*(T<\fBreferrals\fR\*(T> yes|no
Specifies whether automatic referral chasing should be enabled.
The default behaviour is to chase referrals.
.TP
\*(T<\fBfilter\fR\*(T> \fIMAP\fR \fIFILTER\fR
The \fIFILTER\fR
is an LDAP search filter to use for a
specific map.
The default filter is a basic search on the
objectClass for the map (e.g. \*(T<(objectClass=posixAccount)\*(T>).
.TP
\*(T<\fBmap\fR\*(T> \fIMAP\fR \fIATTRIBUTE\fR \fINEWATTRIBUTE\fR
This option allows for custom attributes to be looked up instead of
the default RFC 2307 attributes.
The \fIMAP\fR may be one of
the supported maps below.
The \fIATTRIBUTE\fR is the one as
used in RFC 2307 (e.g. \*(T<userPassword\*(T>,
\*(T<ipProtocolNumber\*(T>, \*(T<macAddress\*(T>, etc.).
The \fINEWATTRIBUTE\fR may be any attribute
as it is available in the directory.

If the \fINEWATTRIBUTE\fR is presented in
quotes (") it is treated as an expression which will be evaluated
to build up the actual value used.
See the section on attribute mapping expressions below for more details.

Only some attributes for group, passwd and shadow entries may be mapped
with an expression (because other attributes may be used in search
filters).
For group entries only the \*(T<userPassword\*(T> attribute
may be mapped with an expression.
For passwd entries the following attributes may be mapped with an
expression: \*(T<userPassword\*(T>, \*(T<gidNumber\*(T>,
\*(T<gecos\*(T>, \*(T<homeDirectory\*(T> and
\*(T<loginShell\*(T>.
For shadow entries the following attributes may be mapped with an
expression: \*(T<userPassword\*(T>, \*(T<shadowLastChange\*(T>,
\*(T<shadowMin\*(T>, \*(T<shadowMax\*(T>,
\*(T<shadowWarning\*(T>, \*(T<shadowInactive\*(T>,
\*(T<shadowExpire\*(T> and \*(T<shadowFlag\*(T>.

The \*(T<uidNumber\*(T> and \*(T<gidNumber\*(T>
attributes in the \*(T<passwd\*(T> and \*(T<group\*(T>
maps may be mapped to the \*(T<objectSid\*(T> followed by
the domain SID to derive numeric user and group ids from the SID
(e.g. \*(T<objectSid:S\-1\-5\-21\-3623811015\-3361044348\-30300820\*(T>).

By default all \*(T<userPassword\*(T> attributes are mapped
to the unmatchable password ("*") to avoid accidentally leaking
password information.
.SS "TIMING/RECONNECT OPTIONS"
.TP
\*(T<\fBbind_timelimit\fR\*(T> \fISECONDS\fR
Specifies the time limit (in seconds) to use when connecting to the
directory server.
This is distinct from the time limit specified in
\*(T<\fBtimelimit\fR\*(T> and affects the set-up of the connection only.
Note that not all LDAP client libraries have support
for setting the connection time out.
The default \*(T<\fBbind_timelimit\fR\*(T> is 10 seconds.
.TP
\*(T<\fBtimelimit\fR\*(T> \fISECONDS\fR
Specifies the time limit (in seconds) to wait for a response from the
LDAP server.
A value of zero (0), which is the default, is to wait indefinitely for
searches to be completed.
.TP
\*(T<\fBidle_timelimit\fR\*(T> \fISECONDS\fR
Specifies the period of inactivity (in seconds) after which the
connection to the LDAP server will be closed.
The default is not to time out connections.
.TP
\*(T<\fBreconnect_sleeptime\fR\*(T> \fISECONDS\fR
Specifies the number of seconds to sleep when connecting to all
LDAP servers fails.
By default 1 second is waited between the first failure and the first
retry.
.TP
\*(T<\fBreconnect_retrytime\fR\*(T> \fISECONDS\fR
Specifies the time after which the LDAP server is
considered to be permanently unavailable.
Once this time is reached retries will be done only once per this time period.
The default value is 10 seconds.
.PP
Note that the reconnect logic as described above is the mechanism that
is used between \fBnslcd\fR and the LDAP
server. The mechanism between the NSS and
PAM client libraries on one end and
\fBnslcd\fR on the other is simpler with a fixed compiled-in
time out of 10 seconds for writing to \fBnslcd\fR and
a time out of 60 seconds for reading answers.
\fBnslcd\fR itself has a read time out of 0.5 seconds
and a write time out of 60 seconds.
.SS "SSL/TLS OPTIONS"
.TP
\*(T<\fBssl\fR\*(T> on|off|start_tls
Specifies whether to use SSL/TLS or not (the default is not to). If
\fIstart_tls\fR
is specified then StartTLS is used rather than raw LDAP over SSL.
Not all LDAP client libraries support both SSL,
StartTLS and all related configuration options.
.TP
\*(T<\fBtls_reqcert\fR\*(T> never|allow|try|demand|hard
Specifies what checks to perform on a server-supplied certificate.
The meaning of the values is described in the
\fBldap.conf\fR(5)
manual page.
At least one of \*(T<\fBtls_cacertdir\fR\*(T> and
\*(T<\fBtls_cacertfile\fR\*(T> is required if peer verification is
enabled.
.TP
\*(T<\fBtls_cacertdir\fR\*(T> \fIPATH\fR
Specifies the directory containing X.509 certificates for peer
authentication.
This parameter is ignored when using GnuTLS.
On Debian, OpenLDAP is linked against GnuTLS.
.TP
\*(T<\fBtls_cacertfile\fR\*(T> \fIPATH\fR
Specifies the path to the X.509 certificate for peer authentication.
.TP
\*(T<\fBtls_randfile\fR\*(T> \fIPATH\fR
Specifies the path to an entropy source.
This parameter is ignored when using GnuTLS.
On Debian, OpenLDAP is linked against GnuTLS.
.TP
\*(T<\fBtls_ciphers\fR\*(T> \fICIPHERS\fR
Specifies the ciphers to use for TLS.
See your TLS implementation's
documentation for further information.
.TP
\*(T<\fBtls_cert\fR\*(T> \fIPATH\fR
Specifies the path to the file containing the local certificate for
client TLS authentication.
.TP
\*(T<\fBtls_key\fR\*(T> \fIPATH\fR
Specifies the path to the file containing the private key for client
TLS authentication.
.TP
\*(T<\fBtls_reqsan\fR\*(T> never|allow|try|demand|hard
Specifies the way server Subject Alternative Name (SAN) is checked in
the server-supplied certificate.
The meaning of the values is described in the
\fBldap.conf\fR(5)
manual page.
.TP
\*(T<\fBtls_crlcheck\fR\*(T> none|peer|all
Specifies if the Certificate Revocation List (CRL) of the CA should
be used to verify if the server certificates have not been revoked.
The meaning of the values is described in the
\fBldap.conf\fR(5)
manual page.
.TP
\*(T<\fBtls_crlfile\fR\*(T> \fIPATH\fR
Specifies the path to the file containing a Certificate Revocation List
to be used to verify that the server certificates have not been revoked.
The meaning of the values is described in the
\fBldap.conf\fR(5)
manual page.
.SS "OTHER OPTIONS"
.TP
\*(T<\fBpagesize\fR\*(T> \fINUMBER\fR
Set this to a number greater than 0 to request paged results from
the LDAP server in accordance with RFC 2696.
The default (0) is to not request paged results.

This is useful for LDAP servers that contain a
lot of entries (e.g. more than 500) and limit the number of entries
that are returned with one request.
For OpenLDAP servers you may need to set
\*(T<\fBsizelimit size.prtotal=unlimited\fR\*(T>
for allowing more entries to be returned over multiple pages.
.TP
\*(T<\fBnss_initgroups_ignoreusers\fR\*(T> user1,user2,...
This option prevents group membership lookups through
LDAP for the specified users. This can be useful
in case of unavailability of the LDAP server.
This option may be specified multiple times.

Alternatively, the value \*(T<ALLLOCAL\*(T> may be
used. With that value \fBnslcd\fR builds a full list of
non-LDAP users on startup.
.TP
\*(T<\fBnss_min_uid\fR\*(T> \fIUID\fR
This option ensures that LDAP users with a numeric
user id lower than the specified value are ignored. Also requests for
users with a lower user id are ignored.
.TP
\*(T<\fBnss_uid_offset\fR\*(T> \fINUMBER\fR
This option specifies an offset that is added to all
LDAP numeric user ids.
This can be used to avoid user id collisions with local users or,
when using \*(T<objectSid\*(T> attributes, for compatibility
reasons.

The value from the \*(T<\fBnss_min_uid\fR\*(T> option is evaluated
after applying the offset.
.TP
\*(T<\fBnss_gid_offset\fR\*(T> \fINUMBER\fR
This option specifies an offset that is added to all
LDAP numeric group ids.
This can be used to avoid group id collisions with local groups or,
when using \*(T<objectSid\*(T> attributes, for compatibility
reasons.
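The objectSid form of the map option, nss_uid_offset/nss_gid_offset and nss_min_uid chain three steps for every entry. The Python below is an added example, not nss-pam-ldapd code: it decodes the binary objectSid, accepts the entry only when its domain prefix equals the SID given in the mapping, takes the final sub-authority (the RID) as the numeric id, adds the offset, and only then applies nss_min_uid, which this page states is evaluated after the offset. That the RID is the value derived is an assumption of this example; the function names (parse_sid, encode_sid, rid_in_domain, map_numeric_id) are chosen here, and the sample SIDs are constructed around the domain SID quoted in the map option above.

```python
"""Deriving numeric ids from objectSid and applying nss_uid_offset / nss_min_uid.
Added example, not nss-pam-ldapd code; see the lead-in for what is assumed."""
import struct

# the domain SID quoted in the map option of this manual page
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"


def parse_sid(blob):
    """Decode a binary SID: revision byte, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % blob[1], blob, 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def encode_sid(text):
    """Inverse of parse_sid; used here only to build constructed sample values."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_in_domain(sid_text, domain_sid):
    """RID (last sub-authority) of sid_text if it sits directly under domain_sid, else None.
    Assumption: this is what the objectSid:DOMAIN-SID mapping derives the id from."""
    prefix = domain_sid + "-"
    if not sid_text.startswith(prefix):
        return None
    rid = sid_text[len(prefix):]
    return int(rid) if rid.isdigit() else None


def map_numeric_id(blob, domain_sid, offset=0, minimum=0):
    """objectSid mapping, then nss_uid_offset/nss_gid_offset, then the nss_min_uid
    check (the page states nss_min_uid is evaluated after the offset is applied).
    Returns None for entries that would be ignored (foreign domain or below minimum)."""
    rid = rid_in_domain(parse_sid(blob), domain_sid)
    if rid is None:
        return None
    numeric = rid + offset
    return numeric if numeric >= minimum else None


if __name__ == "__main__":
    user = encode_sid(DOMAIN_SID + "-1104")        # constructed sample objectSid
    print(parse_sid(user), "->", map_numeric_id(user, DOMAIN_SID, offset=10000, minimum=2000))
```

The same function serves gidNumber via nss_gid_offset; the page gives no minimum for groups, so `minimum` defaults to 0.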
.TP
\*(T<\fBnss_nested_groups\fR\*(T> yes|no
If this option is set, the \*(T<member\*(T> attribute of a
group may point to another group.
Members of nested groups are also returned in the higher level group
and parent groups are returned when finding groups for a specific user.
The default is not to perform extra searches for nested groups.
.TP
\*(T<\fBnss_getgrent_skipmembers\fR\*(T> yes|no
If this option is set, the group member list is not retrieved when
looking up groups.
Lookups for finding which groups a user belongs to will remain
functional so the user will likely still get the correct groups
assigned on login.

This can offer a speed-up on systems that have very large groups.
It has the downside of returning inconsistent information about
group membership which may confuse some applications.
This option is not recommended for most configurations.
.TP
\*(T<\fBnss_disable_enumeration\fR\*(T> yes|no
If this option is set, functions which cause all user/group entries to
be loaded (getpwent(), getgrent(), setspent()) from the directory will
not succeed in doing so.
Applications that depend on being able to sequentially read all users
and/or groups may fail to operate correctly.

This can dramatically reduce LDAP server load in
situations where there are a great number of users and/or groups.
This is typically used in situations where user/program access to
enumerate the entire directory is undesirable, and changing the
behavior of the user/program is not possible.
This option is not recommended for most configurations.
.TP
\*(T<\fBvalidnames\fR\*(T> \fIREGEX\fR
This option can be used to specify how user and group names are
verified within the system. This pattern is used to check all user and
group names that are requested and returned from LDAP.

The regular expression should be specified as a POSIX extended regular
expression. The expression itself needs to be delimited by slash (/)
characters and the 'i' flag may be appended at the end to indicate
that the match should be case-insensitive.
The default value is
\*(T</^[a\-z0\-9._@$()]([a\-z0\-9._@$() \e\e~\-]*[a\-z0\-9._@$()~\-])?$/i\*(T>
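The validnames check runs on both sides of a lookup: on the name a client asks for, before any LDAP search is built from it, and on the names the directory returns, before they reach NSS. The Python below is an added example, not nss-pam-ldapd code. It parses the /REGEX/[i] form, compiles the default pattern from this page (the doubled backslash in the rendered default is a literal backslash inside the bracket expression in both POSIX ERE and Python's re, so the pattern transfers unchanged), and applies it in a simulated getpwnam/getpwuid against constructed directory entries; compile_validnames, name_is_valid, getpwnam and getpwuid are names chosen here.

```python
"""Applying the validnames option: a POSIX ERE between slashes with an optional 'i'
flag, checked against requested names and against names returned from LDAP.
Added example, not nss-pam-ldapd code; the directory entries are constructed."""
import re

# default value from this manual page; '\\' inside the bracket is one literal backslash
DEFAULT_VALIDNAMES = r"/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i"


def compile_validnames(spec):
    """Parse the /REGEX/ or /REGEX/i form. The default pattern uses only constructs
    that POSIX ERE and Python's re share (bracket expressions, ?, *, anchors)."""
    end = spec.rfind("/")
    if not spec.startswith("/") or end == 0:
        raise ValueError("validnames must be written as /REGEX/ or /REGEX/i")
    body, flags = spec[1:end], spec[end + 1:]
    if flags not in ("", "i"):
        raise ValueError("unsupported flag(s) %r" % flags)
    return re.compile(body, re.IGNORECASE if flags else 0)


def name_is_valid(pattern, name):
    # fullmatch: with match() plus '$', a name carrying a trailing newline would pass
    return pattern.fullmatch(name) is not None


DIRECTORY = [  # constructed entries; the second carries a name the default pattern rejects
    {"uid": "carol", "uidNumber": 1000},
    {"uid": "bob*", "uidNumber": 1001},
]


def getpwnam(pattern, name, directory=DIRECTORY):
    """Lookup by name: the requested name is checked before any search is made."""
    if not name_is_valid(pattern, name):
        return "rejected-request", []
    hits = [e for e in directory if e["uid"] == name]
    return "ok", [e for e in hits if name_is_valid(pattern, e["uid"])]


def getpwuid(pattern, uidnumber, directory=DIRECTORY):
    """Lookup by number: nothing to check on the request, but a returned entry
    whose name fails the pattern is dropped instead of being handed to NSS."""
    hits = [e for e in directory if e["uidNumber"] == uidnumber]
    return "ok", [e for e in hits if name_is_valid(pattern, e["uid"])]


if __name__ == "__main__":
    p = compile_validnames(DEFAULT_VALIDNAMES)
    for candidate in ("alice", "DOMAIN\\jdoe", "svc-backup", "a*", "uid=0", "trailing "):
        print("%-12r %s" % (candidate, "ok" if name_is_valid(p, candidate) else "rejected"))
    print(getpwuid(p, 1001))
```

Note what the default admits and refuses: backslash, space, tilde and hyphen are allowed in the middle of a name (so `DOMAIN\jdoe` passes), a leading hyphen or trailing space is refused, and `*` and `=` are refused anywhere.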
.TP
\*(T<\fBignorecase\fR\*(T> yes|no
This specifies whether or not to perform searches for group,
netgroup, passwd, protocols, rpc, services and shadow maps using
case-insensitive matching.
Setting this to \*(T<yes\*(T> could open up the system
to authorisation bypass vulnerabilities and introduce nscd cache poisoning
vulnerabilities which allow denial of service.
The default is to perform case-sensitive filtering of LDAP search
results for the above maps.
.TP
\*(T<\fBpam_authc_ppolicy\fR\*(T> yes|no
This option specifies whether password policy controls are requested
and handled from the LDAP server when performing
user authentication.
By default the controls are requested and handled if available.
.TP
\*(T<\fBpam_authc_search\fR\*(T> \fIFILTER\fR
By default \fBnslcd\fR performs an
LDAP search with the user's credentials after BIND
(authentication) to ensure that the BIND operation was successful.
The default search is a simple check to see if the user's DN exists.

A search filter can be specified that will be used instead.
The same substitutions as with the \*(T<\fBpam_authz_search\fR\*(T>
option will be performed and the search should at least return one
entry.

The value \*(T<BASE\*(T> may be used to force the default
search for the user DN.

The value \*(T<NONE\*(T> may be used to indicate that no
search should be performed after BIND.
Note that some LDAP servers do not always return a
correct error code as a result of a failed BIND operation (e.g. when
an empty password is supplied).
.TP
\*(T<\fBpam_authz_search\fR\*(T> \fIFILTER\fR
This option allows flexible fine tuning of the authorisation check that
should be performed. The search filter specified is executed and
if any entries match, access is granted, otherwise access is denied.

The search filter can contain the following variable references:
\*(T<$username\*(T>, \*(T<$service\*(T>,
\*(T<$ruser\*(T>, \*(T<$rhost\*(T>,
\*(T<$tty\*(T>, \*(T<$hostname\*(T>,
\*(T<$fqdn\*(T>,
\*(T<$domain\*(T>,
\*(T<$dn\*(T>, and \*(T<$uid\*(T>.
These references are substituted in the search filter using the
same syntax as described in the section on attribute mapping
expressions below.

For example, to check that the user has a proper \*(T<authorizedService\*(T>
value if the attribute is present (this almost emulates the
\*(T<\fBpam_check_service_attr\fR\*(T> option in PADL's pam_ldap):

.nf
\*(T<(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))\*(T>
.fi

The \*(T<\fBpam_check_host_attr\fR\*(T> option can be emulated with:

.nf
\*(T<(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\e\e*)))\*(T>
.fi

This option may be specified multiple times and all specified searches
should at least return one entry for access to be granted.
.TP
\*(T<\fBpam_password_prohibit_message\fR\*(T> "\fIMESSAGE\fR"
If this option is set password modification using pam_ldap will be
denied and the specified message will be presented to the user instead.
The message can be used to direct the user to an alternative means
of changing their password.
.TP
\*(T<\fBreconnect_invalidate\fR\*(T> \fIDB\fR,\fIDB\fR,...
If this option is set, \fBnslcd\fR will try to flush the
specified external caches on start-up and whenever a connection to the
LDAP server is re-established after an error.

\fIDB\fR can refer to one of the nsswitch maps,
in which case \fBnscd\fR is contacted to flush its cache
for the specified database.
If \fIDB\fR is \*(T<nfsidmap\*(T>,
\fBnfsidmap\fR is contacted to clear its cache.

Using this option ensures that external caches are cleared of
incorrect information (typically the absence of users) that may
be present due to unavailability of the LDAP server.
.TP
\*(T<\fBcache\fR\*(T> \fICACHE\fR \fITIME\fR [\fITIME\fR]
Configure the time entries are kept in the specified internal cache.

The first \fITIME\fR value specifies the time
to keep found entries in the cache.
The second \fITIME\fR value specifies the
time to remember that a particular entry was not found.
If the second parameter is absent, it is assumed to be the same as
the first.

Time values are specified as a number followed by an
\*(T<s\*(T> for seconds, \*(T<m\*(T> for minutes,
\*(T<h\*(T> for hours or \*(T<d\*(T> for days.
Use \*(T<0\*(T> or \*(T<off\*(T> to disable the
cache.

Currently, only the \*(T<dn2uid\*(T> cache is supported;
it remembers DN to username lookups, which are needed when the
\*(T<member\*(T> attribute is used.
The default time value for this cache is \*(T<15m\*(T>.
.SH "SUPPORTED MAPS"
The following maps are supported. They are referenced as
\fIMAP\fR in the options above.
.TP
alias[es]
Mail aliases.
Note that most mail servers do not use the NSS
interface for requesting mail aliases and parse
\*(T<\fI/etc/aliases\fR\*(T> on their own.
.TP
ether[s]
Ethernet numbers (mac addresses).
.TP
group
POSIX groups.
.TP
host[s]
Host names.
.TP
netgroup
Host and user groups used for access control.
.TP
network[s]
Network numbers.
.TP
passwd
POSIX users.
.TP
protocol[s]
Protocol definitions (like in \*(T<\fI/etc/protocols\fR\*(T>).
.TP
rpc
Remote procedure call names and numbers.
.TP
service[s]
Network service names and numbers.
.TP
shadow
Shadow user password information.
.SH "ATTRIBUTE MAPPING EXPRESSIONS"
For some attributes a mapping expression may be used to construct the
resulting value.
This is currently only possible for attributes that do
not need to be used in search filters.
The expressions are a subset of the double quoted string expressions in the
Bourne (POSIX) shell.
Instead of variable substitution, attribute lookups are done on the current
entry and the attribute value is substituted.
The following expressions are supported:
.TP
\*(T<${attr}\*(T> (or \*(T<$attr\*(T> for short)
will substitute the value of the attribute
.TP
\*(T<${attr:\-word}\*(T>
(use default) will substitute the value of the attribute or, if the
attribute is not set or is empty, substitute the word
.TP
\*(T<${attr:+word}\*(T>
(use alternative) will substitute \*(T<word\*(T> if the attribute
is set, otherwise substitute the empty string
.TP
\*(T<${attr:offset:length}\*(T>
will substitute \*(T<length\*(T> characters (actually
bytes) starting from position \*(T<offset\*(T> (which
is counted starting at zero); the substituted string is
truncated if it is too long; in particular, it can be of length
zero (if \*(T<length\*(T> is zero or
\*(T<offset\*(T> falls outside the original string)
.TP
\*(T<${attr#word}\*(T>
remove the shortest possible match of \*(T<word\*(T> from the
left of the attribute value
.TP
\*(T<${attr##word}\*(T>
remove the longest possible match of \*(T<word\*(T> from the
left of the attribute value (\fBpynslcd\fR only)
.TP
\*(T<${attr%word}\*(T>
remove the shortest possible match of \*(T<word\*(T> from the
right of the attribute value (\fBpynslcd\fR only)
.TP
\*(T<${attr%%word}\*(T>
remove the longest possible match of \*(T<word\*(T> from the
right of the attribute value (\fBpynslcd\fR only)
.PP
Only the # matching expression is supported in \fBnslcd\fR
and only with the ? wildcard symbol. The \fBpynslcd\fR
implementation supports full matching.
.PP
Quote (\*(T<"\*(T>), dollar (\*(T<$\*(T>) and
backslash (\*(T<\e\*(T>) characters should be escaped with a
backslash (\*(T<\e\*(T>).
.PP
The expressions are inspected to automatically fetch the appropriate
attributes from LDAP.
Some examples to demonstrate how these expressions may be used in
attribute mapping:
.TP
\*(T<"${shadowFlag:\-0}"\*(T>
use the \*(T<shadowFlag\*(T> attribute, using the
value 0 as default
.TP
\*(T<"${homeDirectory:\-/home/$uid}"\*(T>
use the \*(T<uid\*(T> attribute to build a
\*(T<homeDirectory\*(T> value if that attribute is missing
.TP
\*(T<"${isDisabled:+100}"\*(T>
if the \*(T<isDisabled\*(T> attribute is set, return 100,
otherwise leave value empty
.TP
\*(T<"${userPassword#{crypt\e}}"\*(T>
strip the {crypt} prefix from the userPassword attribute, returning
the raw hash value
.SH FILES
.TP
\*(T<\fI/etc/nslcd.conf\fR\*(T>
the main configuration file
.TP
\*(T<\fI/etc/nsswitch.conf\fR\*(T>
Name Service Switch configuration file
.SH "SEE ALSO"
\fBnslcd\fR(8),
\fBnsswitch.conf\fR(5)
.SH AUTHOR
This manual was written by Arthur de Jong <arthur@arthurdejong.org>
and is based on the
\fBnss_ldap\fR(5)
manual developed by PADL Software Pty Ltd.