2 # nslcd configuration file. See nslcd.conf(5)
5 # Specifies the number of threads to start that can handle requests and perform LDAP queries.
8 # The user and group nslcd should run as.
12 # This option controls the way logging is done.
15 # The location at which the LDAP server(s) should be reachable.
16 uri ldaps://XXX.XXX.XXX
18 # The search base that will be used for all queries.
21 # The LDAP protocol version to use.
24 # The DN to bind with for normal lookups.
25 binddn cn=annonymous,dc=example,dc=net
29 # The DN used for password modifications by root.
30 rootpwmoddn cn=admin,dc=example,dc=com
32 # The password used for password modifications by root.
36 # SASL authentication options
40 sasl_authzid dn:cn=annonymous,dc=example,dc=net
41 sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535
44 # Kerberos authentication options
47 # Search/mapping options
49 # Specifies the base distinguished name (DN) to use as search base.
50 base dc=people,dc=example,dc=com
51 base dc=morepeople,dc=example,dc=com
52 base alias dc=aliases,dc=example,dc=com
53 base alias dc=morealiases,dc=example,dc=com
54 base group dc=group,dc=example,dc=com
55 base group dc=moregroup,dc=example,dc=com
56 base passwd dc=users,dc=example,dc=com
58 # Specifies the search scope (subtree, onelevel, base or children).
63 # Specifies the policy for dereferencing aliases.
66 # Specifies whether automatic referral chasing should be enabled.
69 # The FILTER is an LDAP search filter to use for a specific map.
70 filter passwd (objectClass=posixAccount)
72 # This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes.
73 map passwd homeDirectory \"${homeDirectory:-/home/$uid}\"
74 map passwd loginShell \"${loginShell:-/bin/bash}\"
75 map shadow userPassword myPassword
77 # Timing/reconnect options
79 # Specifies the time limit (in seconds) to use when connecting to the directory server.
82 # Specifies the time limit (in seconds) to wait for a response from the LDAP server.
85 # Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed.
88 # Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
89 reconnect_sleeptime 10
91 # Specifies the time after which the LDAP server is considered to be permanently unavailable.
92 reconnect_retrytime 10
96 # Specifies whether to use SSL/TLS or not (the default is not to).
98 # Specifies what checks to perform on a server-supplied certificate.
100 # Specifies the directory containing X.509 certificates for peer authentication.
101 tls_cacertdir /etc/ssl/ca
102 # Specifies the path to the X.509 certificate for peer authentication.
103 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
104 # Specifies the path to an entropy source.
105 tls_randfile /dev/random
106 # Specifies the ciphers to use for TLS.
108 # Specifies the path to the file containing the local certificate for client TLS authentication.
109 tls_cert /etc/ssl/certs/cert.pem
110 # Specifies the path to the file containing the private key for client TLS authentication.
111 tls_key /etc/ssl/private/cert.pem
115 nss_initgroups_ignoreusers user1,user2,user3
117 nss_nested_groups yes
118 nss_getgrent_skipmembers yes
119 nss_disable_enumeration yes
120 validnames /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i
122 pam_authc_ppolicy yes
123 pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
124 pam_password_prohibit_message "MESSAGE LONG AND WITH SPACES"
125 reconnect_invalidate nfsidmap,db2,db3