nslcd.conf(5)                System Manager's Manual               nslcd.conf(5)

NAME
       nslcd.conf - configuration file for LDAP nameservice daemon

DESCRIPTION
       The nss-pam-ldapd package allows LDAP directory servers to be used as a
       primary source of name service information. (Name service information
       typically includes users, hosts, groups, and other such data
       historically stored in flat files or NIS.)

       The file nslcd.conf contains the configuration information for running
       nslcd (see nslcd(8)). The file contains options, one on each line,
       defining the way NSS lookups are mapped onto LDAP lookups.

OPTIONS
   RUNTIME OPTIONS
       threads NUM
              Specifies the number of threads to start that can handle
              requests and perform LDAP queries. The default is to start 5
              threads.

       uid UID
              Specifies the user id under which the daemon should run. This
              can be a numerical id or a symbolic value. If no uid is
              specified no attempt to change the user will be made, and the
              daemon keeps running as root for its whole lifetime; running it
              under a dedicated unprivileged account is recommended. Note that
              you should use values that don't need LDAP to resolve.

       gid GID
              Specifies the group id under which the daemon should run. This
              can be a numerical id or a symbolic value. If no gid is
              specified no attempt to change the group will be made. Note
              that you should use values that don't need LDAP to resolve.

   GENERAL CONNECTION OPTIONS
       uri URI ...
              Specifies the LDAP URI of the server to connect to. The URI
              scheme may be ldap, ldapi or ldaps, specifying LDAP over TCP,
              IPC (a Unix domain socket) or SSL respectively (if supported by
              the LDAP library). Alternatively, the value DNS may be used to
              look up the server using DNS SRV records. By default the
              current domain is used but another domain can be queried by
              using the DNS:DOMAIN syntax.

              When using the ldapi scheme, %2f should be used to escape
              slashes (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although
              most of the time this should not be needed.

              This option may be specified multiple times and/or with more
              URIs on the line, separated by space. Normally, only the first
              server will be used with the following servers as fall-back (see
              bind_timelimit below).

              If LDAP lookups are used for host name resolution, any host
              names should be specified as an IP address or name that can be
              resolved without using LDAP.

       ldap_version VERSION
              Specifies the version of the LDAP protocol to use. The default
              is to use the maximum version supported by the LDAP library.

       binddn DN
              Specifies the distinguished name with which to bind to the
              directory server for lookups. The default is to bind
              anonymously.

       bindpw PASSWORD
              Specifies the clear text credentials with which to bind. This
              option is only applicable when used with binddn above. If you
              set this option, restrict the permissions of the nslcd.conf
              file so that only the root user can read it. The file is read
              before the daemon switches to the uid and gid configured above,
              so it does not need to be readable by that account.

       rootpwmoddn DN
              Specifies the distinguished name to use when the root user tries
              to modify a user's password using the PAM module. The PAM module
              prompts the user for the admin password instead of the user's
              password.

   KERBEROS AUTHENTICATION OPTIONS
       krb5_ccname NAME
              Set the name for the GSS-API Kerberos credentials cache.

   SEARCH/MAPPING OPTIONS
       base [MAP] DN
              Specifies the base distinguished name (DN) to use as search
              base. This option may be supplied multiple times and all
              specified bases will be searched.

              A global search base may be specified or a MAP-specific one. If
              no MAP-specific search bases are defined the global ones are
              used.

              If, instead of a DN, the value DOMAIN is specified, the host's
              DNS domain is used to construct a search base.

              If this value is not defined an attempt is made to look it up in
              the configured LDAP server. Note that if the LDAP server is
              unavailable during start-up nslcd will not start.

       scope [MAP] sub[tree]|one[level]|base
              Specifies the search scope (subtree, one level or base object).
              The default scope is subtree; base scope is almost never useful
              for name service lookups.

       deref never|searching|finding|always
              Specifies the policy for dereferencing aliases. The default
              policy is to never dereference aliases.

       referrals yes|no
              Specifies whether automatic referral chasing should be enabled.
              The default behaviour is to chase referrals.

       filter MAP FILTER
              The FILTER is an LDAP search filter to use for a specific map.
              The default filter is a basic search on the objectClass for the
              map (e.g. (objectClass=posixAccount)).

       map MAP ATTRIBUTE NEWATTRIBUTE
              This option allows for custom attributes to be looked up instead
              of the default RFC 2307 attributes. The MAP may be one of the
              supported maps below. The ATTRIBUTE is the one as used in RFC
              2307 (e.g. userPassword, ipProtocolNumber or macAddress). The
              NEWATTRIBUTE may be any attribute as it is available in the
              directory.

              If the NEWATTRIBUTE is presented in quotes (") it is treated as
              an expression which will be evaluated to build up the actual
              value used. See the section on attribute mapping expressions
              below for more details.

              Only some attributes for passwd and shadow entries may be mapped
              with an expression (because other attributes may be used in
              search filters). For passwd entries the following attributes
              may be mapped with an expression: gidNumber, gecos,
              homeDirectory and loginShell. For shadow entries the following
              attributes may be mapped with an expression: shadowLastChange,
              shadowMin, shadowMax, shadowWarning, shadowInactive,
              shadowExpire and shadowFlag.

   TIMING/RECONNECT OPTIONS
       bind_timelimit SECONDS
              Specifies the time limit (in seconds) to use when connecting to
              the directory server. This is distinct from the time limit
              specified in timelimit and affects the setup of the connection
              only. Note that not all LDAP client libraries have support for
              setting the connection time out. The default bind_timelimit is
              10 seconds.

       timelimit SECONDS
              Specifies the time limit (in seconds) to wait for a response
              from the LDAP server. A value of zero (0), which is the
              default, is to wait indefinitely for searches to be completed.

       idle_timelimit SECONDS
              Specifies the period of inactivity (in seconds) after which the
              connection to the LDAP server will be closed. The default is
              not to time out connections.

       reconnect_sleeptime SECONDS
              Specifies the number of seconds to sleep when connecting to all
              LDAP servers fails. By default 1 second is waited between the
              first failure and the first retry.

       reconnect_retrytime SECONDS
              Specifies the time after which the LDAP server is considered to
              be permanently unavailable. Once this time is reached retries
              will be done only once per this time period. The default value
              is 10 seconds.

       Note that the reconnect logic as described above is the mechanism that
       is used between nslcd and the LDAP server. The mechanism between the
       NSS client library and nslcd is simpler with a fixed compiled-in time
       out of 10 seconds for writing to nslcd and a time out of 60 seconds
       for reading answers. nslcd itself has a read time out of 0.5 seconds
       and a write time out of 60 seconds.

   SSL/TLS OPTIONS
       ssl on|off|start_tls
              Specifies whether to use SSL/TLS or not (the default is not to).
              If start_tls is specified then StartTLS is used rather than raw
              LDAP over SSL. Not all LDAP client libraries support both SSL,
              StartTLS and all related configuration options.

       tls_reqcert never|allow|try|demand|hard
              Specifies what checks to perform on a server-supplied
              certificate. The meaning of the values is described in the
              ldap.conf(5) manual page. Only demand (and its synonym hard)
              rejects a server that presents no certificate or one that does
              not verify; with never or allow the connection is encrypted but
              the server is not authenticated, so anyone who can redirect the
              connection can impersonate it. At least one of tls_cacertdir
              and tls_cacertfile is required if peer verification is enabled.

       tls_cacertdir PATH
              Specifies the directory containing X.509 certificates for peer
              authentication.

       tls_cacertfile PATH
              Specifies the path to the file containing the X.509 CA
              certificate(s) used for peer authentication.

       tls_randfile PATH
              Specifies the path to an entropy source.

       tls_ciphers CIPHERS
              Specifies the ciphers to use for TLS. See your TLS
              implementation's documentation for further information.

       tls_cert PATH
              Specifies the path to the file containing the local certificate
              for client TLS authentication.

       tls_key PATH
              Specifies the path to the file containing the private key for
              client TLS authentication.

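       The connection, bind and TLS options above interact: a bind password
       is only as safe as the file permissions and the transport, and a
       tls_reqcert of never or allow undoes most of what ssl buys. The
       following script is an added example (not part of nslcd or this
       manual) that parses an nslcd.conf and flags those combinations. The
       two embedded configurations are constructed for the example; the host
       name, bind DN, password and CA path in them are placeholders, and the
       keyword parsing (whole-line '#' comments, case-insensitive keywords,
       repeatable options) is this script's own reading of the file format.

```python
import os
import stat
from collections import defaultdict

# Constructed examples, not real deployments: a weak nslcd.conf and a
# hardened rewrite of the same settings.
WEAK_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=services,dc=example,dc=com
bindpw s3cret
ssl off
tls_reqcert never
"""

HARDENED_CONF = """\
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=services,dc=example,dc=com
bindpw s3cret
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem
"""


def parse_conf(text):
    """Return {keyword: [value, ...]} for an nslcd.conf.  Keywords may repeat
    (uri, base, map, ...) and are matched case-insensitively.  Only whole-line
    comments are recognised, so a '#' inside a bindpw value survives."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else '')
    return opts


def audit(opts, file_mode=None):
    """Findings for a parsed configuration.  file_mode is the permission bits
    of nslcd.conf (e.g. 0o600) when known; None skips that check."""
    findings = []
    uris = ' '.join(opts.get('uri', [])).split()
    ssl = (opts.get('ssl') or ['off'])[-1].lower()          # last one wins
    reqcert = (opts.get('tls_reqcert') or [None])[-1]
    if ssl == 'off' and any(u.lower().startswith('ldap://') for u in uris):
        findings.append('cleartext: ssl is off and a plain ldap:// uri is configured')
    if reqcert is None:
        findings.append('tls_reqcert unset: verification follows the LDAP '
                        'library default, see ldap.conf(5)')
    elif reqcert.lower() in ('never', 'allow'):
        findings.append('tls_reqcert %s: server certificate is not verified' % reqcert)
    elif not (opts.get('tls_cacertdir') or opts.get('tls_cacertfile')):
        findings.append('tls_reqcert %s but no tls_cacertdir/tls_cacertfile' % reqcert)
    if 'bindpw' in opts and 'binddn' not in opts:
        findings.append('bindpw without binddn has no effect')
    if 'bindpw' in opts and file_mode is not None and file_mode & 0o077:
        findings.append('bindpw set but nslcd.conf mode %o is readable beyond root'
                        % file_mode)
    if 'uid' not in opts or 'gid' not in opts:
        findings.append('no uid/gid: the daemon keeps running as root')
    return findings


def audit_file(path='/etc/nslcd.conf'):
    """Audit an installed file, taking the mode bits from the filesystem."""
    with open(path) as f:
        text = f.read()
    return audit(parse_conf(text), stat.S_IMODE(os.stat(path).st_mode))
```

       Running audit(parse_conf(WEAK_CONF), file_mode=0o644) reports the
       cleartext transport, the unverified certificate, the world-readable
       password and the missing uid/gid; the hardened configuration with
       mode 0o600 produces no findings. audit_file() applies the same checks
       to a real file.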
   OTHER OPTIONS
       pagesize NUMBER
              Set this to a number greater than 0 to request paged results
              from the LDAP server in accordance with RFC 2696. The default
              (0) is to not request paged results.

              This is useful for LDAP servers that contain a lot of entries
              (e.g. more than 500) and limit the number of entries that are
              returned with one request. For OpenLDAP servers you may need to
              set sizelimit size.prtotal=unlimited for allowing more entries
              to be returned over multiple pages.

       nss_initgroups_ignoreusers user1,user2,...
              This option prevents group membership lookups through LDAP for
              the specified users. This can be useful in case of
              unavailability of the LDAP server. This option may be specified
              multiple times.

              Alternatively, the value ALLLOCAL may be used. With that value
              nslcd builds a full list of non-LDAP users on startup.

       validnames REGEX
              This option can be used to specify how user and group names are
              verified within the system. This pattern is used to check all
              user and group names that are requested and returned from LDAP.

              The regular expression should be specified as a POSIX extended
              regular expression. The expression itself needs to be separated
              by slash (/) characters and the 'i' flag may be appended at the
              end to indicate that the match should be case-insensitive.

              The default value is
              /^[a-z0-9._@$()][a-z0-9._@$() \~-]*[a-z0-9._@$()~-]?$/i

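       To see what the default pattern accepts and rejects (LDAP filter
       wildcards and '=' are out, a space is allowed after the first
       character), the following added example (not nslcd's code) parses a
       validnames value in the /REGEX/i form and applies it. One detail of
       the translation is this example's own: inside a POSIX bracket
       expression a backslash is a literal character, so the "\~" in the
       default admits both '\' and '~', and the converter doubles the
       backslash so that Python's re module reads it the same way. The sample
       names are constructed.

```python
import re

# The default validnames value exactly as printed in nslcd.conf(5) 0.7.5.
DEFAULT_VALIDNAMES = r'/^[a-z0-9._@$()][a-z0-9._@$() \~-]*[a-z0-9._@$()~-]?$/i'


def compile_validnames(spec):
    """Compile a validnames value of the form /REGEX/ or /REGEX/i.

    REGEX is a POSIX extended regular expression.  A backslash inside a
    bracket expression is literal in POSIX but an escape in Python's re,
    so it is doubled while copying the pattern (the only POSIX/re
    difference that the default pattern exercises)."""
    m = re.fullmatch(r'/(.*)/(i?)', spec, re.S)
    if not m:
        raise ValueError('validnames must look like /REGEX/ or /REGEX/i: %r' % spec)
    pattern, flag = m.group(1), m.group(2)
    out, in_bracket = [], False
    for c in pattern:
        if in_bracket:
            if c == '\\':
                out.append('\\\\')      # literal backslash inside [...]
                continue
            if c == ']':
                in_bracket = False
        elif c == '[':
            in_bracket = True
        out.append(c)
    return re.compile(''.join(out), re.IGNORECASE if flag else 0)


DEFAULT_REGEX = compile_validnames(DEFAULT_VALIDNAMES)


def is_valid_name(name, regex=DEFAULT_REGEX):
    """True if the name passes the validnames check.  fullmatch is used so
    that a trailing newline, which '$' alone would tolerate, is rejected."""
    return regex.fullmatch(name) is not None


# Constructed sample names: what a name service would be asked for, plus a
# few values an attacker might try to push through an LDAP filter.
SAMPLE_NAMES = ['alice', 'Alice.Smith@example.com', 'bob smith', 'a(b)',
                ' bob', 'bob\n', '*', 'alice*', 'uid=*', '']


def check_names(names=SAMPLE_NAMES, regex=DEFAULT_REGEX):
    """Map each name to whether the pattern accepts it."""
    return {name: is_valid_name(name, regex) for name in names}
```

       check_names() accepts the first four sample names and rejects the
       rest; a stricter site pattern such as /^[a-z_][a-z0-9_-]*$/ can be
       passed through compile_validnames() and compared the same way.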
       pam_authz_search FILTER
              This option allows flexible fine tuning of the authorisation
              check that should be performed. The search filter specified is
              executed and if any entries match, access is granted, otherwise
              access is denied.

              The search filter can contain the following variable references:
              $username, $service, $ruser, $rhost, $tty, $hostname, $dn, and
              $uid. These references are substituted in the search filter
              using the same syntax as described in the section on attribute
              mapping expressions below. Note that $ruser, $rhost, $tty and
              $service are whatever the calling application (or the remote
              client) reported, so a filter should not rely on them as
              verified facts about the login.

              For example, to check that the user has a proper
              authorizedService value if the attribute is present:
              (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))

              The default behaviour is not to do this extra search and always
              grant access.

SUPPORTED MAPS
       The following maps are supported. They are referenced as MAP in the
       options above.

       alias[es]
              Mail aliases. Note that most mail servers do not use the NSS
              interface for requesting mail aliases and parse /etc/aliases on
              their own.

       ether[s]
              Ethernet numbers (mac addresses).

       group  Posix groups.

       host[s]
              Host names.

       netgroup
              Host and user groups used for access control.

       network[s]
              Network numbers.

       passwd Posix users.

       protocol[s]
              Protocol definitions (like in /etc/protocols).

       rpc    Remote procedure call names and numbers.

       service[s]
              Network service names and numbers.

       shadow Shadow user password information.

ATTRIBUTE MAPPING EXPRESSIONS
       For some attributes a mapping expression may be used to construct the
       resulting value. This is currently only possible for attributes that do
       not need to be used in search filters.

       The expressions are a subset of the double quoted string expressions in
       the Bourne (POSIX) shell. Instead of variable substitution, attribute
       lookups are done on the current entry and the attribute value is
       substituted. The following expressions are supported:

       ${attr} (or $attr for short)
              will substitute the value of the attribute

       ${attr:-word}
              (use default) will substitute the value of the attribute or, if
              the attribute is not set or empty, substitute the word

       ${attr:+word}
              (use alternative) will substitute word if the attribute is set,
              otherwise substitute the empty string

       The nslcd daemon checks the expressions to figure out which attributes
       to fetch from LDAP. Some examples to demonstrate how these expressions
       may be used in attribute mapping:

       "${shadowFlag:-0}"
              use the shadowFlag attribute, using the value 0 as default

       "${homeDirectory:-/home/$uid}"
              use the uid attribute to build a homeDirectory value if that
              attribute is missing

       "${isDisabled:+100}"
              if the isDisabled attribute is set, return 100, otherwise leave
              value empty

FILES
       /etc/nslcd.conf
              the main configuration file

       /etc/nsswitch.conf
              Name Service Switch configuration file

SEE ALSO
       nslcd(8), nsswitch.conf(5)

AUTHOR
       This manual was written by Arthur de Jong <arthur@arthurdejong.org> and
       is based on the nss_ldap(5) manual developed by PADL Software Pty Ltd.



Version 0.7.5                       May 2010                       nslcd.conf(5)