nslcd.conf(5)               System Manager's Manual              nslcd.conf(5)

NAME
       nslcd.conf - configuration file for LDAP nameservice daemon

DESCRIPTION
       The nss-pam-ldapd package allows LDAP directory servers to be used as a
       primary source of name service information. (Name service information
       typically includes users, hosts, groups, and other such data
       historically stored in flat files or NIS.)

       The file nslcd.conf contains the configuration information for running
       nslcd (see nslcd(8)). The file contains options, one on each line,
       defining the way NSS lookups and PAM actions are mapped to LDAP
       lookups.

OPTIONS
   RUNTIME OPTIONS
       threads NUM
              Specifies the number of threads to start that can handle
              requests and perform LDAP queries. Each thread opens a separate
              connection to the LDAP server. The default is to start 5
              threads.

       uid UID
              This specifies the user id with which the daemon should be run.
              This can be a numerical id or a symbolic value. If no uid is
              specified no attempt to change the user will be made. Note that
              you should use values that don't need LDAP to resolve.

       gid GID
              This specifies the group id with which the daemon should be run.
              This can be a numerical id or a symbolic value. If no gid is
              specified no attempt to change the group will be made. Note
              that you should use values that don't need LDAP to resolve.

   GENERAL CONNECTION OPTIONS
       uri URI ...
              Specifies the LDAP URI of the server to connect to. The URI
              scheme may be ldap, ldapi or ldaps, specifying LDAP over TCP,
              IPC or SSL respectively (if supported by the LDAP library).

              Alternatively, the value DNS may be used to try to look up the
              server using DNS SRV records. By default the current domain is
              used but another domain can be queried by using the DNS:DOMAIN
              syntax.

              When using the ldapi scheme, %2f should be used to escape
              slashes (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although
              most of the time this should not be needed.

              This option may be specified multiple times and/or with more
              URIs on the line, separated by space. Normally, only the first
              server will be used with the following servers as fall-back (see
              bind_timelimit below).

              If LDAP lookups are used for host name resolution, any host
              names should be specified as an IP address or name that can be
              resolved without using LDAP.

       ldap_version VERSION
              Specifies the version of the LDAP protocol to use. The default
              is to use the maximum version supported by the LDAP library.

       binddn DN
              Specifies the distinguished name with which to bind to the
              directory server for lookups. The default is to bind
              anonymously.

       bindpw PASSWORD
              Specifies the credentials with which to bind. This option is
              only applicable when used with binddn above. If you set this
              option you should consider changing the permissions of the
              nslcd.conf file to only grant access to the root user.

       rootpwmoddn DN
              Specifies the distinguished name to use when the root user tries
              to modify a user's password using the PAM module.

       rootpwmodpw PASSWORD
              Specifies the credentials with which to bind if the root user
              tries to change a user's password. This option is only
              applicable when used with rootpwmoddn above. If this option is
              not specified the PAM module prompts the user for this password.
              If you set this option you should consider changing the
              permissions of the nslcd.conf file to only grant access to the
              root user.

   SASL AUTHENTICATION OPTIONS
       sasl_mech MECHANISM
              Specifies the SASL mechanism to be used when performing SASL
              authentication.

       sasl_realm REALM
              Specifies the SASL realm to be used when performing SASL
              authentication.

       sasl_authcid AUTHCID
              Specifies the authentication identity to be used when performing
              SASL authentication.

       sasl_authzid AUTHZID
              Specifies the authorization identity to be used when performing
              SASL authentication. Must be specified in one of the formats:
              dn:<distinguished name> or u:<username>.

       sasl_secprops PROPERTIES
              Specifies Cyrus SASL security properties. Allowed values are
              described in the ldap.conf(5) manual page.

       sasl_canonicalize yes|no
              Determines whether the LDAP server host name should be
              canonicalised. If this is set to yes the LDAP library will do a
              reverse host name lookup. By default, it is left up to the LDAP
              library whether this check is performed or not.

   KERBEROS AUTHENTICATION OPTIONS
       krb5_ccname NAME
              Set the name for the GSS-API Kerberos credentials cache.

   SEARCH/MAPPING OPTIONS
       base [MAP] DN
              Specifies the base distinguished name (DN) to use as search
              base. This option may be supplied multiple times and all
              specified bases will be searched.

              A global search base may be specified or a MAP-specific one. If
              no MAP-specific search bases are defined the global ones are
              used.

              If, instead of a DN, the value DOMAIN is specified, the host's
              DNS domain is used to construct a search base.

              If this value is not defined an attempt is made to look it up in
              the configured LDAP server. Note that if the LDAP server is
              unavailable during start-up nslcd will not start.

       scope [MAP] sub[tree]|one[level]|base
              Specifies the search scope (subtree, one level or base object).
              The default scope is subtree; base scope is almost never useful
              for name service lookups.

       deref never|searching|finding|always
              Specifies the policy for dereferencing aliases. The default
              policy is to never dereference aliases.

       referrals yes|no
              Specifies whether automatic referral chasing should be enabled.
              The default behaviour is to chase referrals.

       filter MAP FILTER
              The FILTER is an LDAP search filter to use for a specific map.
              The default filter is a basic search on the objectClass for the
              map (e.g. (objectClass=posixAccount)).

       map MAP ATTRIBUTE NEWATTRIBUTE
              This option allows for custom attributes to be looked up instead
              of the default RFC 2307 attributes. The MAP may be one of the
              supported maps below. The ATTRIBUTE is the one as used in RFC
              2307 (e.g. userPassword, ipProtocolNumber, macAddress, etc.).
              The NEWATTRIBUTE may be any attribute as it is available in the
              directory.

              If the NEWATTRIBUTE is presented in quotes (") it is treated as
              an expression which will be evaluated to build up the actual
              value used. See the section on attribute mapping expressions
              below for more details.

              Only some attributes for group, passwd and shadow entries may be
              mapped with an expression (because other attributes may be used
              in search filters). For group entries only the userPassword
              attribute may be mapped with an expression. For passwd entries
              the following attributes may be mapped with an expression:
              userPassword, gidNumber, gecos, homeDirectory and loginShell.
              For shadow entries the following attributes may be mapped with
              an expression: userPassword, shadowLastChange, shadowMin,
              shadowMax, shadowWarning, shadowInactive, shadowExpire and
              shadowFlag.

              The uidNumber and gidNumber attributes in the passwd and group
              maps may be mapped to the objectSid followed by the domain SID
              to derive numeric user and group ids from the SID (e.g.
              objectSid:S-1-5-21-3623811015-3361044348-30300820).

              By default all userPassword attributes are mapped to the
              unmatchable password ("*") to avoid accidentally leaking
              password information.

   TIMING/RECONNECT OPTIONS
       bind_timelimit SECONDS
              Specifies the time limit (in seconds) to use when connecting to
              the directory server. This is distinct from the time limit
              specified in timelimit and affects the set-up of the connection
              only. Note that not all LDAP client libraries have support for
              setting the connection time out. The default bind_timelimit is
              10 seconds.

       timelimit SECONDS
              Specifies the time limit (in seconds) to wait for a response
              from the LDAP server. A value of zero (0), which is the
              default, is to wait indefinitely for searches to be completed.

       idle_timelimit SECONDS
              Specifies the period of inactivity (in seconds) after which the
              connection to the LDAP server will be closed. The default is
              not to time out connections.

       reconnect_sleeptime SECONDS
              Specifies the number of seconds to sleep when connecting to all
              LDAP servers fails. By default 1 second is waited between the
              first failure and the first retry.

       reconnect_retrytime SECONDS
              Specifies the time after which the LDAP server is considered to
              be permanently unavailable. Once this time is reached retries
              will be done only once per this time period. The default value
              is 10 seconds.

       Note that the reconnect logic as described above is the mechanism that
       is used between nslcd and the LDAP server. The mechanism between the
       NSS and PAM client libraries on one end and nslcd on the other is
       simpler, with a fixed compiled-in time out of 10 seconds for writing to
       nslcd and a time out of 60 seconds for reading answers. nslcd itself
       has a read time out of 0.5 seconds and a write time out of 60 seconds.

   SSL/TLS OPTIONS
       ssl on|off|start_tls
              Specifies whether to use SSL/TLS or not (the default is not to).
              If start_tls is specified then StartTLS is used rather than raw
              LDAP over SSL. Not all LDAP client libraries support both SSL,
              StartTLS and all related configuration options.

       tls_reqcert never|allow|try|demand|hard
              Specifies what checks to perform on a server-supplied
              certificate. The meaning of the values is described in the
              ldap.conf(5) manual page. At least one of tls_cacertdir and
              tls_cacertfile is required if peer verification is enabled.

       tls_cacertdir PATH
              Specifies the directory containing X.509 certificates for peer
              authentication. This parameter is ignored when using GnuTLS.
              On Debian, OpenLDAP is linked against GnuTLS.

       tls_cacertfile PATH
              Specifies the path to the X.509 certificate for peer
              authentication.

       tls_randfile PATH
              Specifies the path to an entropy source. This parameter is
              ignored when using GnuTLS. On Debian, OpenLDAP is linked against
              GnuTLS.

       tls_ciphers CIPHERS
              Specifies the ciphers to use for TLS. See your TLS
              implementation's documentation for further information.

       tls_cert PATH
              Specifies the path to the file containing the local certificate
              for client TLS authentication.

       tls_key PATH
              Specifies the path to the file containing the private key for
              client TLS authentication.

   OTHER OPTIONS
       pagesize NUMBER
              Set this to a number greater than 0 to request paged results
              from the LDAP server in accordance with RFC2696. The default
              (0) is to not request paged results.

              This is useful for LDAP servers that contain a lot of entries
              (e.g. more than 500) and limit the number of entries that are
              returned with one request. For OpenLDAP servers you may need to
              set sizelimit size.prtotal=unlimited to allow more entries
              to be returned over multiple pages.

       nss_initgroups_ignoreusers user1,user2,...
              This option prevents group membership lookups through LDAP for
              the specified users. This can be useful in case of
              unavailability of the LDAP server. This option may be specified
              multiple times.

              Alternatively, the value ALLLOCAL may be used. With that value
              nslcd builds a full list of non-LDAP users on startup.

       nss_min_uid UID
              This option ensures that LDAP users with a numeric user id lower
              than the specified value are ignored. Also requests for users
              with a lower user id are ignored.

       validnames REGEX
              This option can be used to specify how user and group names are
              verified within the system. This pattern is used to check all
              user and group names that are requested and returned from LDAP.

              The regular expression should be specified as a POSIX extended
              regular expression. The expression itself needs to be separated
              by slash (/) characters and the 'i' flag may be appended at the
              end to indicate that the match should be case-insensitive. The
              default value is /^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i
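An added example, not nslcd's own code, of parsing a validnames setting in the /REGEX/ or /REGEX/i form and applying it to names coming from clients and from LDAP; Python's re stands in for the POSIX extended regex engine, which gives the same results for the default pattern quoted above.

```python
import re

# DEFAULT_VALIDNAMES is the default quoted in the manual; everything else here
# is illustrative code, not part of nslcd.
DEFAULT_VALIDNAMES = r"/^[a-z0-9._@$][a-z0-9._@$ \\~-]*[a-z0-9._@$~-]$/i"


def compile_validnames(setting):
    """Turn '/REGEX/' or '/REGEX/i' into a compiled pattern."""
    m = re.fullmatch(r"/(.*)/(i?)", setting, re.DOTALL)
    if not m:
        raise ValueError("validnames must be /REGEX/ or /REGEX/i, got %r" % setting)
    return re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)


def is_valid_name(name, pattern=compile_validnames(DEFAULT_VALIDNAMES)):
    """True if the name passes the check.  POSIX '$' matches only at the very
    end of the string while Python's also matches before a trailing newline,
    so a newline is rejected explicitly to keep both engines in step."""
    return "\n" not in name and pattern.search(name) is not None


def partition_names(names, setting=DEFAULT_VALIDNAMES):
    """Split names into (accepted, rejected) lists under the given setting;
    the rejected ones are those nslcd would refuse to request or hand back."""
    pattern = compile_validnames(setting)
    accepted = [n for n in names if is_valid_name(n, pattern)]
    rejected = [n for n in names if not is_valid_name(n, pattern)]
    return accepted, rejected


# Constructed sample: ordinary names plus strings shaped like passwd-format,
# path or shell-argument injection attempts.  Note that the default pattern
# needs at least two characters, so the single-letter name is rejected too.
SAMPLE_NAMES = ["alice", "Bob.Smith", "svc$", "john doe", "user~", "a",
                "root:0:0", "-flag", "../etc", "alice\n", "bob;id"]
```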

       ignorecase yes|no
              This specifies whether or not to perform searches for group,
              netgroup, passwd, protocols, rpc, services and shadow maps using
              case-insensitive matching. Setting this to yes could open up
              the system to authorisation vulnerabilities and introduce nscd
              cache poisoning vulnerabilities which allow denial of service.
              The default is to perform case-sensitive filtering of LDAP search
              results for the above maps.

       pam_authz_search FILTER
              This option allows flexible fine tuning of the authorisation
              check that should be performed. The search filter specified is
              executed and if any entries match, access is granted, otherwise
              access is denied.

              The search filter can contain the following variable references:
              $username, $service, $ruser, $rhost, $tty, $hostname, $fqdn,
              $dn, and $uid. These references are substituted in the search
              filter using the same syntax as described in the section on
              attribute mapping expressions below.

              For example, to check that the user has a proper
              authorizedService value if the attribute is present (this almost
              emulates the pam_check_service_attr option in PADL's pam_ldap):

              (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))

              The pam_check_host_attr option can be emulated with:

              (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

              This option may be specified multiple times and all specified
              searches should return at least one entry for access to be
              granted.

       pam_password_prohibit_message "MESSAGE"
              If this option is set password modification using pam_ldap will
              be denied and the specified message will be presented to the
              user instead. The message can be used to direct the user to an
              alternative means of changing their password.

SUPPORTED MAPS
       The following maps are supported. They are referenced as MAP in the
       options above.

       alias[es]
              Mail aliases. Note that most mail servers do not use the NSS
              interface for requesting mail aliases and parse /etc/aliases on
              their own.

       ether[s]
              Ethernet numbers (mac addresses).

       group  Posix groups.

       host[s]
              Host names.

       netgroup
              Host and user groups used for access control.

       network[s]
              Network numbers.

       passwd Posix users.

       protocol[s]
              Protocol definitions (like in /etc/protocols).

       rpc    Remote procedure call names and numbers.

       service[s]
              Network service names and numbers.

       shadow Shadow user password information.

ATTRIBUTE MAPPING EXPRESSIONS
       For some attributes a mapping expression may be used to construct the
       resulting value. This is currently only possible for attributes that
       do not need to be used in search filters. The expressions are a subset
       of the double quoted string expressions in the Bourne (POSIX) shell.
       Instead of variable substitution, attribute lookups are done on the
       current entry and the attribute value is substituted. The following
       expressions are supported:

       ${attr} (or $attr for short)
              will substitute the value of the attribute

       ${attr:-word}
              (use default) will substitute the value of the attribute or, if
              the attribute is not set or empty, substitute the word

       ${attr:+word}
              (use alternative) will substitute word if the attribute is set,
              otherwise substitute the empty string

       Quote ("), dollar ($) or backslash (\) characters should be escaped
       with a backslash (\).

       The nslcd daemon checks the expressions to figure out which attributes
       to fetch from LDAP. Some examples to demonstrate how these expressions
       may be used in attribute mapping:

       "${shadowFlag:-0}"
              use the shadowFlag attribute, using the value 0 as default

       "${homeDirectory:-/home/$uid}"
              use the uid attribute to build a homeDirectory value if that
              attribute is missing

       "${isDisabled:+100}"
              if the isDisabled attribute is set, return 100, otherwise leave
              value empty
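The expression syntax above and the pam_authz_search variable substitution described earlier share one evaluator; the following is an added example of both, not code from nslcd. It assumes attribute and variable names match [A-Za-z0-9_-]+, and it applies RFC 4515 filter escaping to substituted PAM values, a precaution this page does not say nslcd takes itself.

```python
import re

# Illustrative evaluator for ${attr}, ${attr:-word}, ${attr:+word} and the
# backslash escapes described above; not nslcd's implementation.
_NAME = re.compile(r"[A-Za-z0-9_-]+")  # assumed shape of attribute/variable names


def _expand(expr, lookup, i=0, stop=None):
    """Evaluate expr[i:] up to `stop` (or the end); return (value, index)."""
    out = []
    while i < len(expr) and expr[i] != stop:
        c = expr[i]
        if c == "\\":  # a backslash escapes the next character (", $ or \)
            if i + 1 >= len(expr):
                raise ValueError("dangling backslash in %r" % expr)
            out.append(expr[i + 1])
            i += 2
            continue
        if c != "$":
            out.append(c)
            i += 1
            continue
        braced = expr.startswith("${", i)
        m = _NAME.match(expr, i + (2 if braced else 1))
        if not m:
            raise ValueError("bad reference at offset %d in %r" % (i, expr))
        name, i, op, word = m.group(0), m.end(), None, ""
        if braced:
            if expr.startswith((":-", ":+"), i):
                op = expr[i + 1]
                # the word may itself hold references: ${homeDirectory:-/home/$uid}
                word, i = _expand(expr, lookup, i + 2, "}")
            if not expr.startswith("}", i):
                raise ValueError("missing } in %r" % expr)
            i += 1
        value = lookup(name) or ""  # an unset and an empty attribute behave alike
        if op == "-":
            out.append(value if value else word)
        elif op == "+":
            out.append(word if value else "")
        else:
            out.append(value)
    if stop is not None and i >= len(expr):
        raise ValueError("unterminated ${...} in %r" % expr)
    return "".join(out), i


def evaluate(expr, entry):
    """Build one attribute value from an LDAP entry (dict: attribute -> value)."""
    return _expand(expr, lambda n: entry.get(n, ""))[0]


def referenced_attributes(expr):
    """The attributes nslcd would have to fetch from LDAP to evaluate expr."""
    seen = set()
    _expand(expr, lambda n: seen.add(n) or "")
    return seen


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter; without it
    a PAM-supplied username such as '*)(uid=*' would rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def build_authz_filter(template, pam_vars):
    """Substitute $username, $service, $hostname, ... into a pam_authz_search filter."""
    return _expand(template, lambda n: ldap_filter_escape(pam_vars.get(n, "")))[0]
```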

FILES
       /etc/nslcd.conf
              the main configuration file

       /etc/nsswitch.conf
              Name Service Switch configuration file

SEE ALSO
       nslcd(8), nsswitch.conf(5)

AUTHOR
       This manual was written by Arthur de Jong <arthur@arthurdejong.org> and
       is based on the nss_ldap(5) manual developed by PADL Software Pty Ltd.

Version 0.8.13                     May 2013                      nslcd.conf(5)