version 1, including all changes.
.
Rev |
Author |
# |
Line |
1 |
perry |
1 |
pam_ldap.conf |
|
|
2 |
!!!pam_ldap.conf |
|
|
3 |
NAME |
|
|
4 |
DESCRIPTION |
|
|
5 |
PARAMETERS |
|
|
6 |
PASSWORD HASHES |
|
|
7 |
OBSOLETE |
|
|
8 |
FILES |
|
|
9 |
AUTHOR |
|
|
10 |
---- |
|
|
11 |
!!NAME |
|
|
12 |
|
|
|
13 |
|
|
|
14 |
pam_ldap.conf - Configuration file for PAM LDAP Authentication library |
|
|
15 |
!!DESCRIPTION |
|
|
16 |
|
|
|
17 |
|
|
|
18 |
This file provides configuration information for PAM LDAP |
|
|
19 |
Authenticationb library. |
|
|
20 |
|
|
|
21 |
|
|
|
22 |
Each line in the file is either a comment (indicated with a |
|
|
23 |
hash '#') or a directive followed by a parameter. Directives |
|
|
24 |
which are not specified in the file are set to their default |
|
|
25 |
values. |
|
|
26 |
!!PARAMETERS |
|
|
27 |
|
|
|
28 |
|
|
|
29 |
The recognized directives are as follows: __host__ The |
|
|
30 |
LDAP directory server to direct all queries to. Must be |
|
|
31 |
resolvable without using LDAP. Can be a hostname or an IP |
|
|
32 |
address. If not specified the libraries will attempt to use |
|
|
33 |
DNS 'Resource Records' (RR) to find the appropriate |
|
|
34 |
host. |
|
|
35 |
|
|
|
36 |
|
|
|
37 |
__base__ |
|
|
38 |
|
|
|
39 |
|
|
|
40 |
The distinguished name of the search base. If this parameter |
|
|
41 |
is omitted it the defaultdomain is used in a fashion |
|
|
42 |
specified by RFC2247 |
|
|
43 |
|
|
|
44 |
|
|
|
45 |
Commonly the elements of the domain |
|
|
46 |
|
|
|
47 |
|
|
|
48 |
name prefixed with 'dc='. Example: dc=rage,dc=net. This |
|
|
49 |
value is required. |
|
|
50 |
|
|
|
51 |
|
|
|
52 |
__uri__ |
|
|
53 |
|
|
|
54 |
|
|
|
55 |
Another way to specify your LDAP server is to provide an uri |
|
|
56 |
with the server name. This allows to use Unix Domain Sockets |
|
|
57 |
to connect to a local LDAP Server. |
|
|
58 |
|
|
|
59 |
|
|
|
60 |
uri ldap://127.0.0.1/ |
|
|
61 |
uri ldaps://127.0.0.1/ |
|
|
62 |
uri ldapi://%2fvar%2frun%2fldapi_sock/ |
|
|
63 |
Note: %2f encodes the '/' used as directory |
|
|
64 |
separator |
|
|
65 |
|
|
|
66 |
|
|
|
67 |
__ldap_version__ |
|
|
68 |
|
|
|
69 |
|
|
|
70 |
LDAP version to use. Valid values are 2 or 3. |
|
|
71 |
|
|
|
72 |
|
|
|
73 |
__binddn__ |
|
|
74 |
|
|
|
75 |
|
|
|
76 |
The distinguished name to bind to the server with. If |
|
|
77 |
omitted the library will bind anonymously. |
|
|
78 |
|
|
|
79 |
|
|
|
80 |
__bindpw__ |
|
|
81 |
|
|
|
82 |
|
|
|
83 |
The credentials to bind with. This should only be specified |
|
|
84 |
in conjunction with binddn. |
|
|
85 |
|
|
|
86 |
|
|
|
87 |
__rootbinddn__ |
|
|
88 |
|
|
|
89 |
|
|
|
90 |
The distinguished name to bind to the server with if the |
|
|
91 |
effective user ID is root. |
|
|
92 |
|
|
|
93 |
|
|
|
94 |
Password is stored in /etc/ldap.secret (mode |
|
|
95 |
600) |
|
|
96 |
|
|
|
97 |
|
|
|
98 |
__port__ |
|
|
99 |
|
|
|
100 |
|
|
|
101 |
The TCP port to bind to the server with. Defaults to |
|
|
102 |
389 |
|
|
103 |
|
|
|
104 |
|
|
|
105 |
__scope__ |
|
|
106 |
|
|
|
107 |
|
|
|
108 |
The search scope. Should be one of 'one', 'base', or |
|
|
109 |
'sub'. |
|
|
110 |
|
|
|
111 |
|
|
|
112 |
__timelimit__ |
|
|
113 |
|
|
|
114 |
|
|
|
115 |
Timelimit for searches |
|
|
116 |
|
|
|
117 |
|
|
|
118 |
__bind_timelimit__ |
|
|
119 |
|
|
|
120 |
|
|
|
121 |
Timelimit for binding to LDAP server. |
|
|
122 |
If using Netscape SDK 4.x, this is used to set the TCP |
|
|
123 |
connection timeout as well as the bind |
|
|
124 |
timelimit. |
|
|
125 |
|
|
|
126 |
|
|
|
127 |
The following directives are pam-specific and should be left |
|
|
128 |
as defaults unless a given configuration specifies their |
|
|
129 |
change. |
|
|
130 |
|
|
|
131 |
|
|
|
132 |
__pam_filter__ |
|
|
133 |
|
|
|
134 |
|
|
|
135 |
Filter to AND with uid searches |
|
|
136 |
|
|
|
137 |
|
|
|
138 |
__pam_login_attribute__ |
|
|
139 |
|
|
|
140 |
|
|
|
141 |
The user ID attribute, defaults to 'uid' (as specified in |
|
|
142 |
RFC2307) |
|
|
143 |
|
|
|
144 |
|
|
|
145 |
__pam_lookup_policy__ |
|
|
146 |
|
|
|
147 |
|
|
|
148 |
Search the root DSE for the password policy. This works with |
|
|
149 |
Netscape directory server. The value can be one of 'yes' or |
|
|
150 |
'no'. |
|
|
151 |
|
|
|
152 |
|
|
|
153 |
__pam_groupdn__ |
|
|
154 |
|
|
|
155 |
|
|
|
156 |
The group to enforce membership of. |
|
|
157 |
|
|
|
158 |
|
|
|
159 |
__pam_member_attribute__ |
|
|
160 |
|
|
|
161 |
|
|
|
162 |
The group member attribute. Commonly |
|
|
163 |
'uniquememeber' |
|
|
164 |
|
|
|
165 |
|
|
|
166 |
__pam_login_attribute__ |
|
|
167 |
|
|
|
168 |
|
|
|
169 |
__pam_template_login_attribute pam_template_login__ |
|
|
170 |
Template login attribute, default template user (can be |
|
|
171 |
overriden by value of former attribute in user's |
|
|
172 |
entry) |
|
|
173 |
|
|
|
174 |
|
|
|
175 |
__pam_password__ |
|
|
176 |
|
|
|
177 |
|
|
|
178 |
Select the crypt to use when changing passwords. Possible |
|
|
179 |
choices are: clear, crypt, nds, ad and exop. |
|
|
180 |
!!PASSWORD HASHES |
|
|
181 |
|
|
|
182 |
|
|
|
183 |
libpam_ldap supports many types of hashes for passwords, the |
|
|
184 |
possible choices for pam_password are explained |
|
|
185 |
here. |
|
|
186 |
|
|
|
187 |
|
|
|
188 |
clear |
|
|
189 |
|
|
|
190 |
|
|
|
191 |
Don't set any encryptions, this is useful with servers that |
|
|
192 |
automatically encrypt userPassword entry. |
|
|
193 |
|
|
|
194 |
|
|
|
195 |
crypt |
|
|
196 |
|
|
|
197 |
|
|
|
198 |
make userPassword use the same format as the flat |
|
|
199 |
filesystem. this will work for most |
|
|
200 |
configurations |
|
|
201 |
|
|
|
202 |
|
|
|
203 |
nds |
|
|
204 |
|
|
|
205 |
|
|
|
206 |
Use Novell Directory Services-style updating, first remove |
|
|
207 |
the old password and then update with cleartext |
|
|
208 |
password. |
|
|
209 |
|
|
|
210 |
|
|
|
211 |
ad |
|
|
212 |
|
|
|
213 |
|
|
|
214 |
Active Directory-style. Create Unicode password and update |
|
|
215 |
unicodePwd attribute |
|
|
216 |
|
|
|
217 |
|
|
|
218 |
exop |
|
|
219 |
|
|
|
220 |
|
|
|
221 |
Use the OpenLDAP password change extended operation to |
|
|
222 |
update the password. |
|
|
223 |
!!OBSOLETE |
|
|
224 |
|
|
|
225 |
|
|
|
226 |
The pam_crypt, pam_nds_passwd, and pam_ad_passwd options are |
|
|
227 |
no longer supported. |
|
|
228 |
!!FILES |
|
|
229 |
|
|
|
230 |
|
|
|
231 |
/etc/pam_ldap.conf |
|
|
232 |
!!AUTHOR |
|
|
233 |
|
|
|
234 |
|
|
|
235 |
Software by Luke Howard |
|
|
236 |
---- |