pam_ldap.conf
NAME DESCRIPTION PARAMETERS PASSWORD HASHES OBSOLETE FILES AUTHOR
pam_ldap.conf - Configuration file for PAM LDAP Authentication library
This file provides configuration information for PAM LDAP Authenticationb library.
Each line in the file is either a comment (indicated with a hash '#') or a directive followed by a parameter. Directives which are not specified in the file are set to their default values.
The recognized directives are as follows: host The LDAP directory server to direct all queries to. Must be resolvable without using LDAP. Can be a hostname or an IP address. If not specified the libraries will attempt to use DNS 'Resource Records' (RR) to find the appropriate host.
base
The distinguished name of the search base. If this parameter is omitted it the defaultdomain is used in a fashion specified by RFC2247
Commonly the elements of the domain
name prefixed with 'dc='. Example: dc=rage,dc=net. This value is required.
uri
Another way to specify your LDAP server is to provide an uri with the server name. This allows to use Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://127.0.0.1/ uri ldaps://127.0.0.1/ uri ldapi://%2fvar%2frun%2fldapi_sock/ Note: %2f encodes the '/' used as directory separator
ldap_version
LDAP version to use. Valid values are 2 or 3.
binddn
The distinguished name to bind to the server with. If omitted the library will bind anonymously.
bindpw
The credentials to bind with. This should only be specified in conjunction with binddn.
rootbinddn
The distinguished name to bind to the server with if the effective user ID is root.
Password is stored in /etc/ldap.secret (mode 600)
port
The TCP port to bind to the server with. Defaults to 389
scope
The search scope. Should be one of 'one', 'base', or 'sub'.
timelimit
Timelimit for searches
bind_timelimit
Timelimit for binding to LDAP server. If using Netscape SDK 4.x, this is used to set the TCP connection timeout as well as the bind timelimit.
The following directives are pam-specific and should be left as defaults unless a given configuration specifies their change.
pam_filter
Filter to AND with uid searches
pam_login_attribute
The user ID attribute, defaults to 'uid' (as specified in RFC2307)
pam_lookup_policy
Search the root DSE for the password policy. This works with Netscape directory server. The value can be one of 'yes' or 'no'.
pam_groupdn
The group to enforce membership of.
pam_member_attribute
The group member attribute. Commonly 'uniquememeber'
pam_login_attribute
pam_template_login_attribute pam_template_login Template login attribute, default template user (can be overriden by value of former attribute in user's entry)
pam_password
Select the crypt to use when changing passwords. Possible choices are: clear, crypt, nds, ad and exop.
libpam_ldap supports many types of hashes for passwords, the possible choices for pam_password are explained here.
clear
Don't set any encryptions, this is useful with servers that automatically encrypt userPassword entry.
crypt
make userPassword use the same format as the flat filesystem. this will work for most configurations
nds
Use Novell Directory Services-style updating, first remove the old password and then update with cleartext password.
ad
Active Directory-style. Create Unicode password and update unicodePwd attribute
exop
Use the OpenLDAP password change extended operation to update the password.
The pam_crypt, pam_nds_passwd, and pam_ad_passwd options are no longer supported.
/etc/pam_ldap.conf
Software by Luke Howard
One page links to pam_ldap.conf(5):
