|
Packit |
6bd9ab |
'\" -*- coding: utf-8 -*-
.if \n(.g .ds T< \\FC
.if \n(.g .ds T> \\F[\n[.fam]]
.de URL
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH nslcd.conf 5 "Feb 2018" "Version 0.9.9" "System Manager's Manual"
.SH NAME
nslcd.conf \- configuration file for LDAP nameservice daemon
.SH DESCRIPTION
The \fInss-pam-ldapd\fR package allows LDAP
directory servers to be used as a primary source of name service
information. (Name service information typically includes users, hosts,
groups, and other such data historically stored in flat files or
NIS.)
.PP
The file \*(T<\fInslcd.conf\fR\*(T> contains the
configuration information for running \fBnslcd\fR (see
\fBnslcd\fR(8)).
The file contains options, one on each line, defining the way
NSS lookups and PAM actions
are mapped to LDAP lookups.
.SH OPTIONS
.SS "RUNTIME OPTIONS"
.TP
\*(T<\fBthreads\fR\*(T> \fINUM\fR
Specifies the number of threads to start that can handle requests
and perform LDAP queries.
Each thread opens a separate connection to the LDAP
server.
The default is to start 5 threads.
.TP
\*(T<\fBuid\fR\*(T> \fIUID\fR
This specifies the user id with which the daemon should be run.
This can be a numerical id or a symbolic value.
If no uid is specified no attempt to change the user will be made,
so the daemon keeps running as the user that started it (normally root).
Note that you should use values that don't need LDAP
to resolve.
.TP
\*(T<\fBgid\fR\*(T> \fIGID\fR
This specifies the group id with which the daemon should be run.
This can be a numerical id or a symbolic value.
If no gid is specified no attempt to change the group will be made,
so the daemon keeps the group it was started with.
Note that you should use values that don't need LDAP
to resolve.
.TP
\*(T<\fBlog\fR\*(T> \fISCHEME\fR [\fILEVEL\fR]
This option controls the way logging is done.
The \fISCHEME\fR argument may either be
\*(T<none\*(T>, \*(T<syslog\*(T> or an absolute
file name.
The \fILEVEL\fR argument is optional and specifies
the log level.
The log level may be one of: \*(T<crit\*(T>,
\*(T<error\*(T>, \*(T<warning\*(T>,
\*(T<notice\*(T>, \*(T<info\*(T> or
\*(T<debug\*(T>. The default log level is \*(T<info\*(T>.
All messages with the specified loglevel or higher are logged.
This option can be supplied multiple times.
If this option is omitted \*(T<syslog info\*(T> is assumed.
.SS "GENERAL CONNECTION OPTIONS"
.TP
\*(T<\fBuri\fR\*(T> \fIURI\fR ...
Specifies the LDAP URI of the
server to connect to.
The URI scheme may be \*(T<ldap\*(T>,
\*(T<ldapi\*(T> or \*(T<ldaps\*(T>, specifying
LDAP over TCP,
IPC (a Unix domain socket) or SSL respectively (if
supported by the LDAP library).

Alternatively, the value \*(T<DNS\*(T> may be
used to try to look up the server using DNS
SRV records.
By default the current domain is used but another domain can
be queried by using the
\*(T<DNS:\*(T>\fIDOMAIN\fR syntax.

When using the ldapi scheme, %2f should be used to escape slashes
(e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the
time this should not be needed.

This option may be specified multiple times and/or with more
URIs on the line, separated by space. Normally, only the first
server will be used with the following servers as fall-back (see
\*(T<\fBbind_timelimit\fR\*(T> below).

If LDAP lookups are used for host name resolution,
any host names should be specified as an IP address or name that can be
resolved without using LDAP.
.TP
\*(T<\fBldap_version\fR\*(T> \fIVERSION\fR
Specifies the version of the LDAP protocol to use.
The default is to use the maximum version supported by the
LDAP library.
.TP
\*(T<\fBbinddn\fR\*(T> \fIDN\fR
Specifies the distinguished name with which to bind to the directory
server for lookups.
The default is to bind anonymously.
.TP
\*(T<\fBbindpw\fR\*(T> \fIPASSWORD\fR
Specifies the credentials with which to bind.
This option is only applicable when used with \*(T<\fBbinddn\fR\*(T> above.
If you set this option you should consider changing the permissions
of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
the root user.
.TP
\*(T<\fBrootpwmoddn\fR\*(T> \fIDN\fR
Specifies the distinguished name to use when the root user tries to
modify a user's password using the PAM module.

Note that currently this DN needs to exist as a real entry in the
LDAP directory.
.TP
\*(T<\fBrootpwmodpw\fR\*(T> \fIPASSWORD\fR
Specifies the credentials with which to bind if the root
user tries to change a user's password.
This option is only applicable when used with
\*(T<\fBrootpwmoddn\fR\*(T> above.
If this option is not specified the PAM module prompts the user for
this password.
If you set this option you should consider changing the permissions
of the \*(T<\fInslcd.conf\fR\*(T> file to only grant access to
the root user.
.SS "SASL AUTHENTICATION OPTIONS"
.TP
\*(T<\fBsasl_mech\fR\*(T> \fIMECHANISM\fR
Specifies the SASL mechanism to be used when
performing SASL authentication.
.TP
\*(T<\fBsasl_realm\fR\*(T> \fIREALM\fR
Specifies the SASL realm to be used when performing
SASL authentication.
.TP
\*(T<\fBsasl_authcid\fR\*(T> \fIAUTHCID\fR
Specifies the authentication identity to be used when performing
SASL authentication.
.TP
\*(T<\fBsasl_authzid\fR\*(T> \fIAUTHZID\fR
Specifies the authorization identity to be used when performing
SASL authentication.
Must be specified in one of the formats: dn:<distinguished name>
or u:<username>.
.TP
\*(T<\fBsasl_secprops\fR\*(T> \fIPROPERTIES\fR
Specifies Cyrus SASL security properties.
Allowed values are described in the
\fBldap.conf\fR(5)
manual page.
.TP
\*(T<\fBsasl_canonicalize\fR\*(T> yes|no
Determines whether the LDAP server host name should
be canonicalised. If this is set to yes the LDAP
library will do a reverse host name lookup.
By default, it is left up to the LDAP library
whether this check is performed or not.
.SS "KERBEROS AUTHENTICATION OPTIONS"
.TP
\*(T<\fBkrb5_ccname\fR\*(T> \fINAME\fR
Set the name for the GSS-API Kerberos credentials cache.
.SS "SEARCH/MAPPING OPTIONS"
.TP
\*(T<\fBbase\fR\*(T> [\fIMAP\fR] \fIDN\fR
Specifies the base distinguished name (DN)
to use as search base.
This option may be supplied multiple times and all specified bases
will be searched.

A global search base may be specified or a MAP-specific one.
If no MAP-specific search bases are defined the global ones are used.

If, instead of a DN, the value
\fIDOMAIN\fR is specified, the host's
DNS domain is used to construct a search base.

If this value is not defined an attempt is made to look it up
in the configured LDAP server. Note that if the
LDAP server is unavailable during start-up
\fBnslcd\fR will not start.
.TP
\*(T<\fBscope\fR\*(T> [\fIMAP\fR] sub[tree]|one[level]|base|children
Specifies the search scope (subtree, onelevel, base or children).
The default scope is subtree; base scope is almost never useful for
name service lookups; children scope is not supported on all servers.
.TP
\*(T<\fBderef\fR\*(T> never|searching|finding|always
Specifies the policy for dereferencing aliases.
The default policy is to never dereference aliases.
.TP
\*(T<\fBreferrals\fR\*(T> yes|no
Specifies whether automatic referral chasing should be enabled.
The default behaviour is to chase referrals.
.TP
\*(T<\fBfilter\fR\*(T> \fIMAP\fR \fIFILTER\fR
The \fIFILTER\fR
is an LDAP search filter to use for a
specific map.
The default filter is a basic search on the
objectClass for the map (e.g. \*(T<(objectClass=posixAccount)\*(T>).
.TP
\*(T<\fBmap\fR\*(T> \fIMAP\fR \fIATTRIBUTE\fR \fINEWATTRIBUTE\fR
This option allows for custom attributes to be looked up instead of
the default RFC 2307 attributes.
The \fIMAP\fR may be one of
the supported maps below.
The \fIATTRIBUTE\fR is the one as
used in RFC 2307 (e.g. \*(T<userPassword\*(T>,
\*(T<ipProtocolNumber\*(T>, \*(T<macAddress\*(T>, etc.).
The \fINEWATTRIBUTE\fR may be any attribute
as it is available in the directory.

If the \fINEWATTRIBUTE\fR is presented in
quotes (") it is treated as an expression which will be evaluated
to build up the actual value used.
See the section on attribute mapping expressions below for more details.

Only some attributes for group, passwd and shadow entries may be mapped
with an expression (because other attributes may be used in search
filters).
For group entries only the \*(T<userPassword\*(T> attribute
may be mapped with an expression.
For passwd entries the following attributes may be mapped with an
expression: \*(T<userPassword\*(T>, \*(T<gidNumber\*(T>,
\*(T<gecos\*(T>, \*(T<homeDirectory\*(T> and
\*(T<loginShell\*(T>.
For shadow entries the following attributes may be mapped with an
expression: \*(T<userPassword\*(T>, \*(T<shadowLastChange\*(T>,
\*(T<shadowMin\*(T>, \*(T<shadowMax\*(T>,
\*(T<shadowWarning\*(T>, \*(T<shadowInactive\*(T>,
\*(T<shadowExpire\*(T> and \*(T<shadowFlag\*(T>.

The \*(T<uidNumber\*(T> and \*(T<gidNumber\*(T>
attributes in the \*(T<passwd\*(T> and \*(T<group\*(T>
maps may be mapped to the \*(T<objectSid\*(T> followed by
the domain SID to derive numeric user and group ids from the SID
(e.g. \*(T<objectSid:S\-1\-5\-21\-3623811015\-3361044348\-30300820\*(T>).

By default all \*(T<userPassword\*(T> attributes are mapped
to the unmatchable password ("*") to avoid accidentally leaking
password information.
.SS "TIMING/RECONNECT OPTIONS"
.TP
\*(T<\fBbind_timelimit\fR\*(T> \fISECONDS\fR
Specifies the time limit (in seconds) to use when connecting to the
directory server.
This is distinct from the time limit specified in
\*(T<\fBtimelimit\fR\*(T> and affects the set-up of the connection only.
Note that not all LDAP client libraries have support
for setting the connection time out.
The default \*(T<\fBbind_timelimit\fR\*(T> is 10 seconds.
.TP
\*(T<\fBtimelimit\fR\*(T> \fISECONDS\fR
Specifies the time limit (in seconds) to wait for a response from the
LDAP server.
A value of zero (0), which is the default, is to wait indefinitely for
searches to be completed.
.TP
\*(T<\fBidle_timelimit\fR\*(T> \fISECONDS\fR
Specifies the period of inactivity (in seconds) after which the
connection to the LDAP server will be closed.
The default is not to time out connections.
.TP
\*(T<\fBreconnect_sleeptime\fR\*(T> \fISECONDS\fR
Specifies the number of seconds to sleep when connecting to all
LDAP servers fails.
By default 1 second is waited between the first failure and the first
retry.
.TP
\*(T<\fBreconnect_retrytime\fR\*(T> \fISECONDS\fR
Specifies the time after which the LDAP server is
considered to be permanently unavailable.
Once this time is reached, retries are attempted only once per period of this length.
The default value is 10 seconds.
.PP
Note that the reconnect logic as described above is the mechanism that
is used between \fBnslcd\fR and the LDAP
server. The mechanism between the NSS and
PAM client libraries on one end and
\fBnslcd\fR on the other is simpler with a fixed compiled-in
time out of 10 seconds for writing to \fBnslcd\fR and
a time out of 60 seconds for reading answers.
\fBnslcd\fR itself has a read time out of 0.5 seconds
and a write time out of 60 seconds.
.SS "SSL/TLS OPTIONS"
.TP
\*(T<\fBssl\fR\*(T> on|off|start_tls
Specifies whether to use SSL/TLS or not (the default is not to). If
\fIstart_tls\fR
is specified then StartTLS is used rather than raw LDAP over SSL.
Without SSL/TLS (and without an \*(T<ldaps\*(T> URI) the bind
credentials and all lookup traffic cross the network unprotected.
Not all LDAP client libraries support both SSL,
StartTLS and all related configuration options.
.TP
\*(T<\fBtls_reqcert\fR\*(T> never|allow|try|demand|hard
Specifies what checks to perform on a server-supplied certificate.
The meaning of the values is described in the
\fBldap.conf\fR(5)
manual page.
With \*(T<never\*(T> or \*(T<allow\*(T> the server certificate is not
verified, so a connection to an impersonated server is accepted;
\*(T<demand\*(T> is the safe choice.
At least one of \*(T<\fBtls_cacertdir\fR\*(T> and
\*(T<\fBtls_cacertfile\fR\*(T> is required if peer verification is
enabled.
.TP
\*(T<\fBtls_cacertdir\fR\*(T> \fIPATH\fR
Specifies the directory containing X.509 CA certificates for peer
authentication.
This parameter is ignored when using GnuTLS.
On Debian OpenLDAP is linked against GnuTLS.
.TP
\*(T<\fBtls_cacertfile\fR\*(T> \fIPATH\fR
Specifies the path to the file containing the X.509 CA certificate(s)
used to verify the server certificate for peer authentication.
.TP
\*(T<\fBtls_randfile\fR\*(T> \fIPATH\fR
Specifies the path to an entropy source.
This parameter is ignored when using GnuTLS.
On Debian OpenLDAP is linked against GnuTLS.
.TP
\*(T<\fBtls_ciphers\fR\*(T> \fICIPHERS\fR
Specifies the ciphers to use for TLS.
See your TLS implementation's
documentation for further information.
.TP
\*(T<\fBtls_cert\fR\*(T> \fIPATH\fR
Specifies the path to the file containing the local certificate for
client TLS authentication.
.TP
\*(T<\fBtls_key\fR\*(T> \fIPATH\fR
Specifies the path to the file containing the private key for client
TLS authentication.
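.PP
The following audit script is an added example; it is not part of
nss-pam-ldapd or of this manual page. It parses the one-option-per-line
format described above and flags the weak choices that the connection,
credential and SSL/TLS options warn about: a \fBbindpw\fR or
\fBrootpwmodpw\fR in a file readable by others, no \fBuid\fR/\fBgid\fR so
the daemon stays root, a plaintext \fBldap://\fR or \fBDNS\fR URI with
\fBssl\fR off, a \fBtls_reqcert\fR value that does not verify the server,
TLS without \fBtls_cacertfile\fR/\fBtls_cacertdir\fR, and a missing
\fBnss_min_uid\fR (described under OTHER OPTIONS). The two configurations
embedded in it are constructed, and the file mode is passed in as a number
rather than read from disk.

```python
"""Audit an nslcd.conf for the weak settings discussed in the options above.

Added example (not part of nss-pam-ldapd): it parses the file's
'option arguments...' lines and reports what a reviewer would flag.
The file mode is passed in explicitly so the check works on text alone.
"""
import stat
from typing import Dict, List, Tuple

Entry = Tuple[str, List[str]]          # (option name, arguments), file order

# Constructed sample: the same deployment, first weak, then hardened.
WEAK_CONF = """\
# nslcd.conf - constructed example, not a real site
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=svc,dc=example,dc=com
bindpw hunter2
tls_reqcert allow
"""

HARDENED_CONF = """\
uid nslcd
gid nslcd
uri ldaps://ldap.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=svc,dc=example,dc=com
bindpw hunter2
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ca.pem
nss_min_uid 1000
"""


def parse_nslcd_conf(text: str) -> List[Entry]:
    """One option per line; '#' starts a comment and blank lines are skipped.
    Values are split on whitespace, so a quoted message with spaces
    (pam_password_prohibit_message) arrives as several arguments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text: str, file_mode: int) -> List[str]:
    """Return the findings for a configuration; an empty list is a pass."""
    opts: Dict[str, List[List[str]]] = {}
    for name, args in parse_nslcd_conf(text):
        opts.setdefault(name, []).append(args)

    def last(name: str, default: str) -> str:
        """Last occurrence wins for the single-valued options checked here."""
        values = opts.get(name)
        return values[-1][0].lower() if values and values[-1] else default

    findings: List[str] = []

    # Secrets in the file require it to be readable by root only.
    secrets = [o for o in ("bindpw", "rootpwmodpw") if o in opts]
    if secrets and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s set but file mode %04o is accessible to group/other; "
                        "use mode 0600 owned by root" % (", ".join(secrets), file_mode))

    # Without uid/gid no privilege drop happens.
    for o in ("uid", "gid"):
        if o not in opts:
            findings.append("%s not set: nslcd keeps the %s it was started with, "
                            "normally root" % (o, "user" if o == "uid" else "group"))

    # Transport: ldap:// and DNS URIs are plaintext unless ssl is on/start_tls.
    uris = [u for args in opts.get("uri", []) for u in args]
    ssl_mode = last("ssl", "off")
    plaintext = [u for u in uris
                 if u.lower().startswith("ldap://") or u.upper().startswith("DNS")]
    if plaintext and ssl_mode == "off":
        findings.append("plaintext transport for %s with ssl off: bind credentials "
                        "and lookups are unprotected" % ", ".join(plaintext))

    # Certificate verification: never/allow accept a bad or absent certificate,
    # try still proceeds when none is presented.
    reqcert = last("tls_reqcert", "")
    if reqcert in ("never", "allow", "try"):
        findings.append("tls_reqcert %s does not reliably verify the server "
                        "certificate; use demand" % reqcert)

    # The page requires CA material whenever peer verification is enabled.
    tls_in_use = ssl_mode in ("on", "start_tls") or any(
        u.lower().startswith("ldaps://") for u in uris)
    if tls_in_use and reqcert not in ("never", "allow", "try") \
            and not ("tls_cacertfile" in opts or "tls_cacertdir" in opts):
        findings.append("TLS enabled but neither tls_cacertfile nor tls_cacertdir "
                        "is set; peer verification cannot succeed")

    if "nss_min_uid" not in opts:
        findings.append("nss_min_uid not set: directory entries may claim low "
                        "user ids that overlap local system accounts")
    return findings


if __name__ == "__main__":
    for label, conf, mode in (("weak", WEAK_CONF, 0o644),
                              ("hardened", HARDENED_CONF, 0o600)):
        print(label, audit(conf, mode) or ["no findings"])
```

Run against a real file with the mode taken from \fBstat\fR(1); the
hardened sample passes only with mode 0600, because the \fBbindpw\fR
check is about the file, not the option.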
.SS "OTHER OPTIONS"
.TP
\*(T<\fBpagesize\fR\*(T> \fINUMBER\fR
Set this to a number greater than 0 to request paged results from
the LDAP server in accordance with RFC2696.
The default (0) is to not request paged results.

This is useful for LDAP servers that contain a
lot of entries (e.g. more than 500) and limit the number of entries
that are returned with one request.
For OpenLDAP servers you may need to set
\*(T<\fBsizelimit size.prtotal=unlimited\fR\*(T>
for allowing more entries to be returned over multiple pages.
.TP
\*(T<\fBnss_initgroups_ignoreusers\fR\*(T> user1,user2,...
This option prevents group membership lookups through
LDAP for the specified users. This can be useful
in case of unavailability of the LDAP server.
This option may be specified multiple times.

Alternatively, the value \*(T<ALLLOCAL\*(T> may be
used. With that value nslcd builds a full list of
non-LDAP users on startup.
.TP
\*(T<\fBnss_min_uid\fR\*(T> \fIUID\fR
This option ensures that LDAP users with a numeric
user id lower than the specified value are ignored. Also requests for
users with a lower user id are ignored.
This keeps directory entries from supplying user ids that overlap the
local system accounts (such as uid 0).
.TP
\*(T<\fBnss_uid_offset\fR\*(T> \fINUMBER\fR
This option specifies an offset that is added to all
LDAP numeric user ids.
This can be used to avoid user id collisions with local users or,
when using \*(T<objectSid\*(T> attributes, for compatibility
reasons.

The value from the \*(T<\fBnss_min_uid\fR\*(T> option is evaluated
after applying the offset.
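.PP
An added example, not nslcd's own code, of the \*(T<objectSid\*(T> mapping
described under \fBmap\fR above combined with \fBnss_uid_offset\fR and
\fBnss_min_uid\fR: it decodes the binary objectSid, checks that its domain
part equals the configured SID, and takes the final sub-authority (the RID)
as the numeric id. That the RID is the value used is this example's
assumption, since the page does not spell out the arithmetic. The offset is
added before the minimum is checked, as stated above. The SIDs it builds
are constructed samples; the domain SID is the one from the \fBmap\fR
example.

```python
"""Derive numeric ids from Active Directory objectSid values.

Added example (not nslcd's code). Assumption: the id is the SID's last
sub-authority (the RID); nss_uid_offset is added first and nss_min_uid
is applied to the result, in the order the manual page gives.
"""
import struct
from typing import Optional

# Domain SID from the page's map example.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"


def parse_sid(raw: bytes) -> str:
    """Decode the binary objectSid layout: revision byte, sub-authority
    count byte, 48-bit big-endian identifier authority, then the
    sub-authorities as little-endian 32-bit integers."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def build_sid(text: str) -> bytes:
    """Inverse of parse_sid; used here only to construct sample values."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_id(raw: bytes, domain_sid: str,
              offset: int = 0, min_id: int = 0) -> Optional[int]:
    """Return the numeric id for an objectSid, or None when the entry is to be
    ignored: its domain part differs from the configured SID, or the id is
    below the minimum once the offset has been added."""
    sid = parse_sid(raw)
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None                    # another domain: not mapped
    numeric = int(rid) + offset        # nss_uid_offset / nss_gid_offset
    if numeric < min_id:
        return None                    # nss_min_uid, evaluated after the offset
    return numeric


if __name__ == "__main__":
    sample = build_sid(DOMAIN_SID + "-1104")
    print(parse_sid(sample), sid_to_id(sample, DOMAIN_SID, offset=100000, min_id=1000))
```

The last call shows why the ordering matters: the well-known RID 500
(the domain Administrator) would be dropped by \fBnss_min_uid 1000\fR on
its own, but with an offset of 100000 it becomes 100500 and is accepted.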
.TP
\*(T<\fBnss_gid_offset\fR\*(T> \fINUMBER\fR
This option specifies an offset that is added to all
LDAP numeric group ids.
This can be used to avoid group id collisions with local groups or,
when using \*(T<objectSid\*(T> attributes, for compatibility
reasons.
.TP
\*(T<\fBnss_nested_groups\fR\*(T> yes|no
If this option is set, the \*(T<member\*(T> attribute of a
group may point to another group.
Members of nested groups are also returned in the higher level group
and parent groups are returned when finding groups for a specific user.
The default is not to perform extra searches for nested groups.
.TP
\*(T<\fBnss_getgrent_skipmembers\fR\*(T> yes|no
If this option is set, the group member list is not retrieved when
looking up groups.
Lookups for finding which groups a user belongs to will remain
functional so the user will likely still get the correct groups
assigned on login.

This can offer a speed-up on systems that have very large groups.
It has the downside of returning inconsistent information about
group membership which may confuse some applications.
This option is not recommended for most configurations.
.TP
\*(T<\fBnss_disable_enumeration\fR\*(T> yes|no
If this option is set, functions which cause all user/group entries to
be loaded (getpwent(), getgrent(), setspent()) from the directory will
not succeed in doing so.
Applications that depend on being able to sequentially read all users
and/or groups may fail to operate correctly.

This can dramatically reduce LDAP server load in
situations where there are a great number of users and/or groups.
This is typically used in situations where user/program access to
enumerate the entire directory is undesirable, and changing the
behaviour of the user/program is not possible.
This option is not recommended for most configurations.
.TP
\*(T<\fBvalidnames\fR\*(T> \fIREGEX\fR
This option can be used to specify how user and group names are
verified within the system. This pattern is used to check all user and
group names that are requested and returned from LDAP.

The regular expression should be specified as a POSIX extended regular
expression. The expression itself needs to be enclosed in slash (/)
characters and the 'i' flag may be appended at the end to indicate
that the match should be case-insensitive.
The default value is
\*(T</^[a\-z0\-9._@$()]([a\-z0\-9._@$() \e\e~\-]*[a\-z0\-9._@$()~\-])?$/i\*(T>
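.PP
As an added example (not nslcd's implementation), the check below applies
a \fBvalidnames\fR setting written in the /REGEX/i form to candidate names.
The default pattern is copied from above; for this class-based pattern
POSIX extended syntax and Python syntax coincide, so Python's re module
stands in for the C library, with fullmatch so that $ means end of string
as it does in an ERE. The names it is tried on are constructed. Note what
the default admits: internal spaces and the characters $ ( ) pass, while a
leading dash, slashes, semicolons and newlines are rejected.

```python
"""Apply a validnames pattern ('/regex/' or '/regex/i') to names.

Added example, not nslcd's code. The default pattern is the one from
the manual page; within the bracket expression the doubled backslash is
a literal backslash character both in POSIX ERE and in Python.
"""
import re
from typing import Pattern

DEFAULT_VALIDNAMES = r"/^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i"


def compile_validnames(setting: str) -> Pattern[str]:
    """Split the /EXPR/ or /EXPR/i form and compile the expression."""
    m = re.fullmatch(r"/(.*)/(i?)", setting, re.DOTALL)
    if not m:
        raise ValueError("validnames must be /regex/ or /regex/i")
    flags = re.IGNORECASE if m.group(2) else 0
    return re.compile(m.group(1), flags)


def is_valid_name(name: str, setting: str = DEFAULT_VALIDNAMES) -> bool:
    """fullmatch, not match/search: an ERE '$' anchors at end of string, so a
    trailing newline (which Python's '$' would tolerate) must fail."""
    return compile_validnames(setting).fullmatch(name) is not None


if __name__ == "__main__":
    for candidate in ("bob", "Bob.Smith@corp", "bob smith", "$(id)", "-bob",
                      "bob;rm", "bob/", "bob\n"):
        print(repr(candidate), is_valid_name(candidate))
```

A site that wants the conventional "lowercase, no spaces, no shell
metacharacters" rule can set a stricter pattern such as
\*(T</^[a-z_][a-z0-9_-]*$/\*(T>; the last two assertions below exercise that
form, including the effect of omitting the i flag.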
.TP
\*(T<\fBignorecase\fR\*(T> yes|no
This specifies whether or not to perform searches for group,
netgroup, passwd, protocols, rpc, services and shadow maps using
case-insensitive matching.
Setting this to \*(T<yes\*(T> could open up the system
to authorisation bypass vulnerabilities and introduce nscd cache poisoning
vulnerabilities which allow denial of service.
The default is to perform case-sensitive filtering of LDAP search
results for the above maps.
.TP
\*(T<\fBpam_authc_ppolicy\fR\*(T> yes|no
This option specifies whether password policy controls are requested
and handled from the LDAP server when performing
user authentication.
By default the controls are requested and handled if available.
.TP
\*(T<\fBpam_authc_search\fR\*(T> \fIFILTER\fR
By default \fBnslcd\fR performs an
LDAP search with the user's credentials after BIND
(authentication) to ensure that the BIND operation was successful.
The default search is a simple check to see if the user's DN exists.

A search filter can be specified that will be used instead.
The same substitutions as with the \*(T<\fBpam_authz_search\fR\*(T>
option will be performed and the search should at least return one
entry.

The value \*(T<BASE\*(T> may be used to force the default
search for the user DN.

The value \*(T<NONE\*(T> may be used to indicate that no
search should be performed after BIND.
Note that some LDAP servers do not always return a
correct error code as a result of a failed BIND operation (e.g. when
an empty password is supplied); without the search such a failed BIND
could be taken for a successful authentication.
.TP
\*(T<\fBpam_authz_search\fR\*(T> \fIFILTER\fR
This option allows flexible fine tuning of the authorisation check that
should be performed. The search filter specified is executed and
if any entries match, access is granted, otherwise access is denied.

The search filter can contain the following variable references:
\*(T<$username\*(T>, \*(T<$service\*(T>,
\*(T<$ruser\*(T>, \*(T<$rhost\*(T>,
\*(T<$tty\*(T>, \*(T<$hostname\*(T>,
\*(T<$fqdn\*(T>,
\*(T<$dn\*(T>, and \*(T<$uid\*(T>.
These references are substituted in the search filter using the
same syntax as described in the section on attribute mapping
expressions below.

For example, to check that the user has a proper \*(T<authorizedService\*(T>
value if the attribute is present (this almost emulates the
\*(T<\fBpam_check_service_attr\fR\*(T> option in PADL's pam_ldap):

.nf
\*(T<(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))\*(T>
.fi

The \*(T<\fBpam_check_host_attr\fR\*(T> option can be emulated with:

.nf
\*(T<(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\e\e*)))\*(T>
.fi

This option may be specified multiple times and all specified searches
should at least return one entry for access to be granted.
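.PP
An added example, not nslcd's code, of the variable substitution used by
\fBpam_authz_search\fR (and, per the description above, by
\fBpam_authc_search\fR): the two filters shown above are expanded for a
constructed PAM request. Only the plain $name and ${name} forms are
handled here; every substituted value is escaped as an RFC 4515 assertion
value, so a client-supplied $service or $rhost cannot add clauses to the
filter. Whether nslcd escapes in exactly this way is not stated on this
page; the escaping is this example's choice. The final helper applies the
rule that every configured search must return at least one entry.

```python
"""Expand $variable references in a pam_authz_search filter for one request.

Added example, not nslcd's implementation: only $name and ${name} are
supported and every value is escaped per RFC 4515 before insertion.
"""
import re
from typing import Dict, Iterable

_VAR = re.compile(r"\$(?:(\w+)|\{(\w+)\})")

# The two example filters from the manual page, verbatim.
SERVICE_FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
                  "(|(authorizedService=$service)(!(authorizedService=*))))")
HOST_FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
               "(|(host=$hostname)(host=$fqdn)(host=\\*)))")

# Constructed PAM context for one login attempt (the page's variable names).
CONTEXT: Dict[str, str] = {
    "username": "alice", "service": "sshd", "ruser": "", "rhost": "10.0.0.7",
    "tty": "ssh", "hostname": "bastion", "fqdn": "bastion.example.com",
    "dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: backslash, the wildcard,
    parentheses and NUL become \\XX hex escapes; nothing else is touched."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def expand_filter(template: str, context: Dict[str, str]) -> str:
    """Replace each $name / ${name} with the escaped value; unknown names are
    an error rather than silently expanding to an empty (always-true) clause."""
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1) or m.group(2)
        if name not in context:
            raise KeyError("unknown variable $%s" % name)
        return escape_filter_value(context[name])
    return _VAR.sub(repl, template)


def access_granted(match_counts: Iterable[int]) -> bool:
    """Every configured pam_authz_search must match at least one entry; with
    no searches configured there is nothing to deny on."""
    return all(n >= 1 for n in match_counts)


if __name__ == "__main__":
    print(expand_filter(SERVICE_FILTER, CONTEXT))
    print(expand_filter(HOST_FILTER, CONTEXT))
    hostile = dict(CONTEXT, service="*)(uid=*")
    print(expand_filter(SERVICE_FILTER, hostile))
```

The third line of output shows the hostile service name arriving as
\*(T<\e2a\e29\e28uid=\e2a\*(T>, a literal string that matches nothing,
instead of a new \*(T<(uid=*)\*(T> clause that would match every account.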
|
|
Packit |
6bd9ab |
.TP
|
|
Packit |
6bd9ab |
\*(T<\fBpam_password_prohibit_message\fR\*(T> "\fIMESSAGE\fR"
|
|
Packit |
6bd9ab |
If this option is set password modification using pam_ldap will be
|
|
Packit |
6bd9ab |
denied and the specified message will be presented to the user instead.
|
|
Packit |
6bd9ab |
The message can be used to direct the user to an alternative means
|
|
Packit |
6bd9ab |
of changing their password.
|
|
Packit |
6bd9ab |
.TP
|
|
Packit |
6bd9ab |
\*(T<\fBreconnect_invalidate\fR\*(T> \fIDB\fR,\fIDB\fR,...
|
|
Packit |
6bd9ab |
If this option is set, \fBnslcd\fR will try to flush the
|
|
Packit |
6bd9ab |
specified external caches on start-up and whenever a connection to the
|
|
Packit |
6bd9ab |
LDAP server is re-established after an error.
|
|
Packit |
6bd9ab |
|
|
Packit |
6bd9ab |
\fIDB\fR can refer to one of the nsswitch maps,
|
|
Packit |
6bd9ab |
in which case \fBnscd\fR is contacted to flush its cache
|
|
Packit |
6bd9ab |
for the specified database.
|
|
Packit |
6bd9ab |
If \fIDB\fR is \*(T<nfsidmap\*(T>,
|
|
Packit |
6bd9ab |
\fBnfsidmap\fR is contacted to clear its cache.
|
|
Packit |
6bd9ab |
|
|
Packit |
6bd9ab |
Using this option ensures that external caches are cleared of
|
|
Packit |
6bd9ab |
incorrect information (typically the absence of users) that may
|
|
Packit |
6bd9ab |
be present due to unavailability of the LDAP server.
|
|
Packit |
6bd9ab |
.TP
|
|
Packit |
6bd9ab |
\*(T<\fBcache\fR\*(T> \fICACHE\fR \fITIME\fR [\fITIME\fR]
Configure how long entries are kept in the specified internal cache.

The first \fITIME\fR value specifies how long
found entries are kept in the cache.
The second \fITIME\fR value specifies how long
to remember that a particular entry was not found.
If the second parameter is absent, it is assumed to be the same as
the first.

Time values are specified as a number followed by an
\*(T<s\*(T> for seconds, \*(T<m\*(T> for minutes,
\*(T<h\*(T> for hours or \*(T<d\*(T> for days.
Use \*(T<0\*(T> or \*(T<off\*(T> to disable the
cache.

Currently, only the \*(T<dn2uid\*(T> cache is supported.
It remembers DN to username lookups, which are needed when the
\*(T<member\*(T> attribute is used.
A DN that could not be resolved is remembered as not found for the
second \fITIME\fR, so a newly added member may not show up in group
lookups until that period has elapsed.
The default time value for this cache is \*(T<15m\*(T>.
.SH "SUPPORTED MAPS"
The following maps are supported. They are referenced as
\fIMAP\fR in the options above.
.TP
alias[es]
Mail aliases.
Note that most mail servers do not use the NSS
interface for requesting mail aliases and parse
\*(T<\fI/etc/aliases\fR\*(T> on their own.
.TP
ether[s]
Ethernet numbers (MAC addresses).
.TP
group
POSIX groups.
.TP
host[s]
Host names.
.TP
netgroup
Host and user groups used for access control.
.TP
network[s]
Network numbers.
.TP
passwd
POSIX users.
.TP
protocol[s]
Protocol definitions (like in \*(T<\fI/etc/protocols\fR\*(T>).
.TP
rpc
Remote procedure call names and numbers.
.TP
service[s]
Network service names and numbers.
.TP
shadow
Shadow user password information.
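.PP
The checker below is an added example and is not part of nss-pam-ldapd.
It parses the reconnect_invalidate and cache lines of a configuration
file according to the rules above: TIME values as a number with an s, m,
h or d suffix, or 0/off; the single supported dn2uid cache with its 15m
default (applied to both values when no cache line is present); and DB
names taken from the supported maps, in either spelling, or nfsidmap.
The sample configuration is constructed; its uri and base lines stand in
for the rest of a real file and are ignored by the checker. Letting a
later valid directive replace an earlier one is this checker's
convention, not documented nslcd behaviour.

```python
"""Checker for the `cache` and `reconnect_invalidate` lines of nslcd.conf.
Added example, not code from nss-pam-ldapd; assumptions are marked."""
import re
from typing import Dict, List, Tuple

# Map names from the SUPPORTED MAPS section, in both spellings where the
# man page lists an optional suffix, mapped to the nsswitch.conf name.
SUPPORTED_MAPS = {
    "alias": "aliases", "aliases": "aliases",
    "ether": "ethers", "ethers": "ethers",
    "group": "group",
    "host": "hosts", "hosts": "hosts",
    "netgroup": "netgroup",
    "network": "networks", "networks": "networks",
    "passwd": "passwd",
    "protocol": "protocols", "protocols": "protocols",
    "rpc": "rpc",
    "service": "services", "services": "services",
    "shadow": "shadow",
}
SUPPORTED_CACHES = ("dn2uid",)
DEFAULT_CACHE_TIME = 900            # 15m, the documented default for dn2uid

_TIME = re.compile(r"^(\d+)([smhd])$")
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """TIME as documented: NUMBER plus s/m/h/d, or 0/off (disabled). Returns seconds."""
    v = value.strip().lower()
    if v in ("0", "off"):
        return 0
    m = _TIME.match(v)
    if not m:
        raise ValueError(f"bad time value {value!r}: expected e.g. 30s, 15m, 2h, 1d, 0 or off")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_cache(args: List[str]) -> Tuple[str, int, int]:
    """`cache CACHE TIME [TIME]` -> (cache, seconds to keep hits, seconds to keep misses)."""
    if len(args) not in (2, 3):
        raise ValueError("cache takes a cache name and one or two time values")
    if args[0] not in SUPPORTED_CACHES:
        raise ValueError(f"unknown cache {args[0]!r}; only dn2uid is supported")
    positive = parse_time(args[1])
    negative = parse_time(args[2]) if len(args) == 3 else positive  # absent -> same as first
    return args[0], positive, negative


def parse_reconnect_invalidate(args: List[str]) -> List[str]:
    """`reconnect_invalidate DB,DB,...` -> canonical names; DB is an nsswitch map or nfsidmap."""
    if len(args) != 1:
        raise ValueError("reconnect_invalidate takes one comma-separated list")
    names = []
    for db in args[0].split(","):
        db = db.strip().lower()
        if db == "nfsidmap":
            names.append(db)
        elif db in SUPPORTED_MAPS:
            names.append(SUPPORTED_MAPS[db])
        else:
            raise ValueError(f"unknown database {db!r}")
    return names


def check_config(text: str) -> Tuple[Dict[str, Tuple[int, int]], List[str], List[str]]:
    """Scan nslcd.conf text -> ({cache: (hits, misses)}, [invalidated dbs], [problems])."""
    caches: Dict[str, Tuple[int, int]] = {}
    invalidate: List[str] = []
    problems: List[str] = []
    for lnr, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Only whole-line comments are skipped: '#' is legitimate inside map expressions.
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        try:
            if keyword == "cache":
                name, pos, neg = parse_cache(args)
                caches[name] = (pos, neg)
            elif keyword == "reconnect_invalidate":
                invalidate = parse_reconnect_invalidate(args)  # later valid line wins (checker convention)
        except ValueError as err:        # other directives are not checked here
            problems.append(f"line {lnr}: {err}")
    # The documented default applies when no cache line is present (assumed for both values).
    caches.setdefault("dn2uid", (DEFAULT_CACHE_TIME, DEFAULT_CACHE_TIME))
    return caches, invalidate, problems


# Constructed sample configuration, not a real file.
SAMPLE_CONF = """\
# nslcd.conf excerpt used as test input
uri ldap://ldap.example.com/
base dc=example,dc=com
reconnect_invalidate passwd,group,nfsidmap
cache dn2uid 15m 5m
cache dn2uid 15x
reconnect_invalidate hosts,foo
"""

if __name__ == "__main__":
    caches, invalidate, problems = check_config(SAMPLE_CONF)
    print("caches:", caches)
    print("reconnect_invalidate:", invalidate)
    for problem in problems:
        print("problem:", problem)
```

Run on the sample, the checker keeps the valid lines (dn2uid at 900 and
300 seconds, invalidation of passwd, group and nfsidmap) and reports the
bad time suffix on line 6 and the unknown database on line 7.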
.SH "ATTRIBUTE MAPPING EXPRESSIONS"
For some attributes a mapping expression may be used to construct the
resulting value.
This is currently only possible for attributes that do
not need to be used in search filters.
The expressions are a subset of the double quoted string expressions in the
Bourne (POSIX) shell.
Instead of variable substitution, attribute lookups are done on the current
entry and the attribute value is substituted.
The following expressions are supported:
.TP
\*(T<${attr}\*(T> (or \*(T<$attr\*(T> for short)
will substitute the value of the attribute
.TP
\*(T<${attr:\-word}\*(T>
(use default) will substitute the value of the attribute or, if the
attribute is not set or empty, substitute the word
.TP
\*(T<${attr:+word}\*(T>
(use alternative) will substitute \*(T<word\*(T> if the attribute
is set, otherwise substitute the empty string
.TP
\*(T<${attr:offset:length}\*(T>
will substitute \*(T<length\*(T> characters (actually
bytes) starting from position \*(T<offset\*(T> (which
is counted starting at zero); the substituted string is
truncated if it is too long; in particular, it can be of length
zero (if \*(T<length\*(T> is zero or
\*(T<offset\*(T> falls outside the original string)
.TP
\*(T<${attr#word}\*(T>
remove the shortest possible match of \*(T<word\*(T> from the
left of the attribute value
.TP
\*(T<${attr##word}\*(T>
remove the longest possible match of \*(T<word\*(T> from the
left of the attribute value (\fBpynslcd\fR only)
.TP
\*(T<${attr%word}\*(T>
remove the shortest possible match of \*(T<word\*(T> from the
right of the attribute value (\fBpynslcd\fR only)
.TP
\*(T<${attr%%word}\*(T>
remove the longest possible match of \*(T<word\*(T> from the
right of the attribute value (\fBpynslcd\fR only)
.PP
Of the pattern-removal expressions, \fBnslcd\fR supports only
# and only with the ? wildcard symbol, which matches a single
character. The \fBpynslcd\fR
implementation supports full matching.
.PP
Quote (\*(T<"\*(T>), dollar (\*(T<$\*(T>) and
backslash (\*(T<\e\*(T>) characters should be escaped with a
backslash (\*(T<\e\*(T>).
.PP
The expressions are inspected to automatically fetch the appropriate
attributes from LDAP.
Some examples to demonstrate how these expressions may be used in
attribute mapping:
.TP
\*(T<"${shadowFlag:\-0}"\*(T>
use the \*(T<shadowFlag\*(T> attribute, using the
value 0 as default
.TP
\*(T<"${homeDirectory:\-/home/$uid}"\*(T>
use the \*(T<uid\*(T> attribute to build a
\*(T<homeDirectory\*(T> value if that attribute is missing
.TP
\*(T<"${isDisabled:+100}"\*(T>
if the \*(T<isDisabled\*(T> attribute is set, return 100,
otherwise leave the value empty
.TP
\*(T<"${userPassword#{crypt\e}}"\*(T>
strip the {crypt} prefix from the userPassword attribute, returning
the raw hash value
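.PP
The evaluator below is an added example of the nslcd subset of these
expressions; it is not code from nss-pam-ldapd or pynslcd. It follows the
rules above (backslash escapes the next character, # with ? as the only
wildcard and the shortest match from the left, the ## % and %% forms
rejected as pynslcd-only) and assumes that attribute names consist of
letters, digits, hyphen and underscore, that attribute lookups are
case-insensitive, and that a multi-valued attribute contributes its
first value; it counts characters where nslcd counts bytes. The
check_expression helper makes it usable as a lint step for a
configuration before nslcd loads it, and referenced_attributes mirrors
the automatic attribute fetching described above. The entries used in
the demonstration are constructed, with fake hashes; note that the
{crypt} example leaves a value with a different prefix, such as {SSHA},
unchanged.

```python
"""Evaluator for the nslcd subset of nslcd.conf attribute mapping expressions.
Added example, not code from nss-pam-ldapd or pynslcd; assumptions are marked."""
import re
from typing import Dict, List, Set, Tuple

# Entry: attribute name -> values. Lookups are case-insensitive (LDAP attribute
# types are); a multi-valued attribute contributes its first value (assumption).
Entry = Dict[str, List[str]]
_NAME = re.compile(r"[A-Za-z0-9_-]+")   # assumed attribute-name alphabet
_SLICE = re.compile(r":(\d+):(\d+)")


class ExprError(ValueError):
    """Malformed expression, or an operator only pynslcd implements."""


def _lookup(entry: Entry, name: str) -> str:
    values = entry.get(name.lower()) or []
    return values[0] if values else ""       # missing attribute -> empty string


def _prefix_matches(value: str, word: str) -> bool:
    # nslcd's '#': '?' matches one character and there is no '*', so the
    # shortest match is exactly len(word) characters long.
    return len(word) <= len(value) and all(
        w == "?" or w == v for w, v in zip(word, value))


def _parse(expr: str, entry: Entry, i: int, used: Set[str], stop: str) -> Tuple[str, int]:
    """Expand expr[i:] up to (not including) any character in `stop`."""
    out: List[str] = []
    while i < len(expr) and expr[i] not in stop:
        if expr[i] == "\\":                  # backslash escapes the next character
            if i + 1 >= len(expr):
                raise ExprError("trailing backslash")
            out.append(expr[i + 1])
            i += 2
        elif expr[i] == "$":
            text, i = _parse_dollar(expr, entry, i + 1, used)
            out.append(text)
        else:
            out.append(expr[i])
            i += 1
    return "".join(out), i


def _parse_dollar(expr: str, entry: Entry, i: int, used: Set[str]) -> Tuple[str, int]:
    braced = expr[i:i + 1] == "{"
    m = _NAME.match(expr, i + 1 if braced else i)
    if not m:
        raise ExprError(f"expected an attribute name at offset {i}")
    name, j = m.group(), m.end()
    used.add(name)
    value = _lookup(entry, name)
    if not braced:                                        # $attr
        return value, j
    if expr.startswith(":-", j):                          # ${attr:-word}
        word, j = _parse(expr, entry, j + 2, used, "}")
        result = value if value else word
    elif expr.startswith(":+", j):                        # ${attr:+word}
        word, j = _parse(expr, entry, j + 2, used, "}")
        result = word if value else ""
    elif expr.startswith(":", j):                         # ${attr:offset:length}
        s = _SLICE.match(expr, j)
        if not s:
            raise ExprError(f"bad substring expression at offset {j}")
        offset, length = int(s.group(1)), int(s.group(2))
        result, j = value[offset:offset + length], s.end()  # characters here, bytes in nslcd
    elif expr.startswith("#", j) and not expr.startswith("##", j):
        word, j = _parse(expr, entry, j + 1, used, "}")   # ${attr#word}
        result = value[len(word):] if _prefix_matches(value, word) else value
    elif expr[j:j + 1] in ("#", "%"):
        raise ExprError("##, % and %% are supported by pynslcd only")
    else:                                                 # ${attr}
        result = value
    if expr[j:j + 1] != "}":
        raise ExprError(f"missing closing brace at offset {j}")
    return result, j + 1


def evaluate(expr: str, entry: Entry) -> str:
    """Expand a mapping expression (given without the surrounding config quotes)."""
    folded = {k.lower(): v for k, v in entry.items()}
    return _parse(expr, folded, 0, set(), "")[0]


def referenced_attributes(expr: str) -> Set[str]:
    """Attributes the expression reads; nslcd fetches these from LDAP by itself."""
    used: Set[str] = set()
    _parse(expr, {}, 0, used, "")
    return used


def check_expression(expr: str) -> str:
    """Empty string if nslcd can evaluate the expression, otherwise the problem."""
    try:
        referenced_attributes(expr)
        return ""
    except ExprError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed entries (fake hashes), not real directory data.
    alice = {"uid": ["alice"], "isDisabled": ["TRUE"],
             "userPassword": ["{crypt}$6$c2FsdA$0123456789abcdef"]}
    bob = {"uid": ["bob"], "homeDirectory": ["/srv/home/bob"],
           "userPassword": ["{SSHA}bm90IGEgcmVhbCBoYXNo"]}
    for expr in ("${shadowFlag:-0}", "${homeDirectory:-/home/$uid}", "${isDisabled:+100}",
                 "${userPassword#{crypt\\}}", "${uid:0:3}", "${uid##a}"):
        problem = check_expression(expr)
        if problem:
            print(f"{expr:30} rejected: {problem}")
        else:
            print(f"{expr:30} alice={evaluate(expr, alice)!r} bob={evaluate(expr, bob)!r}")
```

For alice the {crypt} expression yields the bare hash; for bob, whose
value carries an {SSHA} prefix, it returns the value unchanged, which is
what a shadow lookup would then receive. The ## expression is rejected
before any entry is consulted.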
.SH FILES
.TP
\*(T<\fI/etc/nslcd.conf\fR\*(T>
the main configuration file
.TP
\*(T<\fI/etc/nsswitch.conf\fR\*(T>
Name Service Switch configuration file
.SH "SEE ALSO"
\fBnslcd\fR(8),
\fBnsswitch.conf\fR(5)
.SH AUTHOR
This manual was written by Arthur de Jong <arthur@arthurdejong.org>
and is based on the
\fBnss_ldap\fR(5)
manual developed by PADL Software Pty Ltd.