# /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # Specifies the number of threads to start that can handle requests and perform LDAP queries. threads 5 # The user and group nslcd should run as. uid nslcd gid nslcd # This option controls the way logging is done. log syslog info # The location at which the LDAP server(s) should be reachable. uri ldaps://XXX.XXX.XXX # The search base that will be used for all queries. base dc=XXX,dc=XXX # The LDAP protocol version to use. ldap_version 3 # The DN to bind with for normal lookups. binddn cn=annonymous,dc=example,dc=net bindpw secret # The DN used for password modifications by root. rootpwmoddn cn=admin,dc=example,dc=com # The password used for password modifications by root. rootpwmodpw XXXXXX # SASL authentication options sasl_mech OTP sasl_realm realm sasl_authcid authcid sasl_authzid dn:cn=annonymous,dc=example,dc=net sasl_secprops noanonymous,noplain,minssf=0,maxssf=2,maxbufsize=65535 sasl_canonicalize yes # Kerberos authentication options krb5_ccname ccname # Search/mapping options # Specifies the base distinguished name (DN) to use as search base. base dc=people,dc=example,dc=com base dc=morepeople,dc=example,dc=com base alias dc=aliases,dc=example,dc=com base alias dc=morealiases,dc=example,dc=com base group dc=group,dc=example,dc=com base group dc=moregroup,dc=example,dc=com base passwd dc=users,dc=example,dc=com # Specifies the search scope (subtree, onelevel, base or children). scope sub scope passwd sub scope aliases sub # Specifies the policy for dereferencing aliases. deref never # Specifies whether automatic referral chasing should be enabled. referrals yes # The FILTER is an LDAP search filter to use for a specific map. filter passwd (objectClass=posixAccount) # This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes. map passwd homeDirectory \"${homeDirectory:-/home/$uid}\" map passwd loginShell \"${loginShell:-/bin/bash}\" map shadow userPassword myPassword # Timing/reconnect options # Specifies the time limit (in seconds) to use when connecting to the directory server. bind_timelimit 30 # Specifies the time limit (in seconds) to wait for a response from the LDAP server. timelimit 5 # Specifies the period if inactivity (in seconds) after which the connection to the LDAP server will be closed. idle_timelimit 10 # Specifies the number of seconds to sleep when connecting to all LDAP servers fails. reconnect_sleeptime 10 # Specifies the time after which the LDAP server is considered to be permanently unavailable. reconnect_retrytime 10 # SSL/TLS options # Specifies whether to use SSL/TLS or not (the default is not to). ssl start_tls # Specifies what checks to perform on a server-supplied certificate. tls_reqcert never # Specifies the directory containing X.509 certificates for peer authentication. tls_cacertdir /etc/ssl/ca # Specifies the path to the X.509 certificate for peer authentication. tls_cacertfile /etc/ssl/certs/ca-certificates.crt # Specifies the path to an entropy source. tls_randfile /dev/random # Specifies the ciphers to use for TLS. tls_ciphers TLSv1 # Specifies the path to the file containing the local certificate for client TLS authentication. tls_cert /etc/ssl/certs/cert.pem # Specifies the path to the file containing the private key for client TLS authentication. tls_key /etc/ssl/private/cert.pem # Other options pagesize 100 nss_initgroups_ignoreusers user1,user2,user3 nss_min_uid 1000 nss_nested_groups yes nss_getgrent_skipmembers yes nss_disable_enumeration yes validnames /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i ignorecase yes pam_authc_ppolicy yes pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*)))) pam_password_prohibit_message "MESSAGE LONG AND WITH SPACES" reconnect_invalidate nfsidmap,db2,db3 cache dn2uid 1s 2h