1: 2021-06-26 (土) 17:58:06 iseki  |
現: 2021-06-26 (土) 18:39:24 iseki |
| | ** ldap.conf [#c00dfc50] | | ** ldap.conf [#c00dfc50] |
| - | - LDAP の設定ファイル | + | - [[LDAP]] の設定ファイル |
| | + | -- /etc/ldap.conf |
| | + | -- [[OpenLDAP]] の場合は /etc/openldap/ldap.conf |
| | #br | | #br |
| | + | |
| | **** /etc/ldap.conf [#t65dbd4b] | | **** /etc/ldap.conf [#t65dbd4b] |
| | host 202.26.150.51 | | host 202.26.150.51 |
| | uri ldaps://202.26.150.51/ | | uri ldaps://202.26.150.51/ |
| | port 636 | | port 636 |
| | + | |
| | binddn cn=Manager | | binddn cn=Manager |
| | bindpw ***** | | bindpw ***** |
| | + | |
| | ssl no | | ssl no |
| | tls_reqcert never | | tls_reqcert never |
| | # http://www.padl.com | | # http://www.padl.com |
| | # | | # |
| | + | |
| | # Your LDAP server. Must be resolvable without using LDAP. | | # Your LDAP server. Must be resolvable without using LDAP. |
| | # Multiple hosts may be specified, each separated by a | | # Multiple hosts may be specified, each separated by a |
| | #host 127.0.0.1 | | #host 127.0.0.1 |
| | host 202.26.150.51 | | host 202.26.150.51 |
| | + | |
| | # The distinguished name of the search base. | | # The distinguished name of the search base. |
| | #base dc=padl,dc=com | | #base dc=padl,dc=com |
| | base dc=nsl,dc=tuis,dc=ac,dc=jp | | base dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | |
| | # Another way to specify your LDAP server is to provide an | | # Another way to specify your LDAP server is to provide an |
| | # uri with the server name. This allows to use | | # uri with the server name. This allows to use |
| | # Note: %2f encodes the '/' used as directory separator | | # Note: %2f encodes the '/' used as directory separator |
| | uri ldap://202.26.150.51/ | | uri ldap://202.26.150.51/ |
| | + | |
| | # The LDAP version to use (defaults to 3 | | # The LDAP version to use (defaults to 3 |
| | # if supported by client library) | | # if supported by client library) |
| | #ldap_version 3 | | #ldap_version 3 |
| | + | |
| | # The distinguished name to bind to the server with. | | # The distinguished name to bind to the server with. |
| | # Optional: default is to bind anonymously. | | # Optional: default is to bind anonymously. |
| | binddn cn=Manager | | binddn cn=Manager |
| | + | |
| | # The credentials to bind with. | | # The credentials to bind with. |
| | # Optional: default is no credential. | | # Optional: default is no credential. |
| | bindpw ****** | | bindpw ****** |
| | + | |
| | # The distinguished name to bind to the server with | | # The distinguished name to bind to the server with |
| | # if the effective user ID is root. Password is | | # if the effective user ID is root. Password is |
| | # stored in /etc/ldap.secret (mode 600) | | # stored in /etc/ldap.secret (mode 600) |
| | #rootbinddn cn=manager,dc=padl,dc=com | | #rootbinddn cn=manager,dc=padl,dc=com |
| | + | |
| | # The port. | | # The port. |
| | # Optional: default is 389. | | # Optional: default is 389. |
| | #port 389 | | #port 389 |
| | + | |
| | # The search scope. | | # The search scope. |
| | #scope sub | | #scope sub |
| | #scope one | | #scope one |
| | #scope base | | #scope base |
| | + | |
| | # Search timelimit | | # Search timelimit |
| | #timelimit 30 | | #timelimit 30 |
| | + | |
| | # Bind/connect timelimit | | # Bind/connect timelimit |
| | #bind_timelimit 30 | | #bind_timelimit 30 |
| | + | |
| | # Reconnect policy: hard (default) will retry connecting to | | # Reconnect policy: hard (default) will retry connecting to |
| | # the software with exponential backoff, soft will fail | | # the software with exponential backoff, soft will fail |
| | # immediately. | | # immediately. |
| | #bind_policy hard | | #bind_policy hard |
| | + | |
| | # Idle timelimit; client will close connections | | # Idle timelimit; client will close connections |
| | # (nss_ldap only) if the server has not been contacted | | # (nss_ldap only) if the server has not been contacted |
| | # for the number of seconds specified below. | | # for the number of seconds specified below. |
| | #idle_timelimit 3600 | | #idle_timelimit 3600 |
| | + | |
| | # Filter to AND with uid=%s | | # Filter to AND with uid=%s |
| | #pam_filter objectclass=account | | #pam_filter objectclass=account |
| | + | |
| | # The user ID attribute (defaults to uid) | | # The user ID attribute (defaults to uid) |
| | #pam_login_attribute uid | | #pam_login_attribute uid |
| | + | |
| | # Search the root DSE for the password policy (works | | # Search the root DSE for the password policy (works |
| | # with Netscape Directory Server) | | # with Netscape Directory Server) |
| | #pam_lookup_policy yes | | #pam_lookup_policy yes |
| | + | |
| | # Check the 'host' attribute for access control | | # Check the 'host' attribute for access control |
| | # Default is no; if set to yes, and user has no | | # Default is no; if set to yes, and user has no |
| | # then the user will not be allowed to login. | | # then the user will not be allowed to login. |
| | #pam_check_host_attr yes | | #pam_check_host_attr yes |
| | + | |
| | # Check the 'authorizedService' attribute for access | | # Check the 'authorizedService' attribute for access |
| | # control | | # control |
| | # to login. | | # to login. |
| | #pam_check_service_attr yes | | #pam_check_service_attr yes |
| | + | |
| | # Group to enforce membership of | | # Group to enforce membership of |
| | #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com | | #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com |
| | + | |
| | # Group member attribute | | # Group member attribute |
| | #pam_member_attribute uniquemember | | #pam_member_attribute uniquemember |
| | + | |
| | # Specify a minium or maximum UID number allowed | | # Specify a minium or maximum UID number allowed |
| | #pam_min_uid 0 | | #pam_min_uid 0 |
| | #pam_max_uid 0 | | #pam_max_uid 0 |
| | + | |
| | # Template login attribute, default template user | | # Template login attribute, default template user |
| | # (can be overriden by value of former attribute | | # (can be overriden by value of former attribute |
| | #pam_template_login_attribute uid | | #pam_template_login_attribute uid |
| | #pam_template_login nobody | | #pam_template_login nobody |
| | + | |
| | # HEADS UP: the pam_crypt, pam_nds_passwd, | | # HEADS UP: the pam_crypt, pam_nds_passwd, |
| | # and pam_ad_passwd options are no | | # and pam_ad_passwd options are no |
| | # necessary. This is the default. | | # necessary. This is the default. |
| | #pam_password clear | | #pam_password clear |
| | + | |
| | # Hash password locally; required for University of | | # Hash password locally; required for University of |
| | # Michigan LDAP server, and works with Netscape | | # Michigan LDAP server, and works with Netscape |
| | # service. | | # service. |
| | #pam_password crypt | | #pam_password crypt |
| | + | |
| | # Remove old password first, then update in | | # Remove old password first, then update in |
| | # cleartext. Necessary for use with Novell | | # cleartext. Necessary for use with Novell |
| | #pam_password clear_remove_old | | #pam_password clear_remove_old |
| | #pam_password nds | | #pam_password nds |
| | + | |
| | # RACF is an alias for the above. For use with | | # RACF is an alias for the above. For use with |
| | # IBM RACF | | # IBM RACF |
| | #pam_password racf | | #pam_password racf |
| | + | |
| | # Update Active Directory password, by | | # Update Active Directory password, by |
| | # creating Unicode password and updating | | # creating Unicode password and updating |
| | # unicodePwd attribute. | | # unicodePwd attribute. |
| | #pam_password ad | | #pam_password ad |
| | + | |
| | # Use the OpenLDAP password change | | # Use the OpenLDAP password change |
| | # extended operation to update the password. | | # extended operation to update the password. |
| | #pam_password exop | | #pam_password exop |
| | + | |
| | # Redirect users to a URL or somesuch on password | | # Redirect users to a URL or somesuch on password |
| | # changes. | | # changes. |
| | #pam_password_prohibit_message Please visit http://internal to change your password. | | #pam_password_prohibit_message Please visit http://internal to change your password. |
| | + | |
| | # RFC2307bis naming contexts | | # RFC2307bis naming contexts |
| | # Syntax: | | # Syntax: |
| | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one | | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one |
| | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one | | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one |
| | + | |
| | # attribute/objectclass mapping | | # attribute/objectclass mapping |
| | # Syntax: | | # Syntax: |
| | #nss_map_attribute rfc2307attribute mapped_attribute | | #nss_map_attribute rfc2307attribute mapped_attribute |
| | #nss_map_objectclass rfc2307objectclass mapped_objectclass | | #nss_map_objectclass rfc2307objectclass mapped_objectclass |
| | + | |
| | # configure --enable-nds is no longer supported. | | # configure --enable-nds is no longer supported. |
| | # NDS mappings | | # NDS mappings |
| | #nss_map_attribute uniqueMember member | | #nss_map_attribute uniqueMember member |
| | + | |
| | # Services for UNIX 3.5 mappings | | # Services for UNIX 3.5 mappings |
| | #nss_map_objectclass posixAccount User | | #nss_map_objectclass posixAccount User |
| | #pam_filter objectclass=User | | #pam_filter objectclass=User |
| | #pam_password ad | | #pam_password ad |
| | + | |
| | # configure --enable-mssfu-schema is no longer supported. | | # configure --enable-mssfu-schema is no longer supported. |
| | # Services for UNIX 2.0 mappings | | # Services for UNIX 2.0 mappings |
| | #pam_filter objectclass=User | | #pam_filter objectclass=User |
| | #pam_password ad | | #pam_password ad |
| | + | |
| | # RFC 2307 (AD) mappings | | # RFC 2307 (AD) mappings |
| | #nss_map_objectclass posixAccount user | | #nss_map_objectclass posixAccount user |
| | #pam_filter objectclass=User | | #pam_filter objectclass=User |
| | #pam_password ad | | #pam_password ad |
| | + | |
| | # configure --enable-authpassword is no longer supported | | # configure --enable-authpassword is no longer supported |
| | # AuthPassword mappings | | # AuthPassword mappings |
| | #nss_map_attribute userPassword authPassword | | #nss_map_attribute userPassword authPassword |
| | + | |
| | # AIX SecureWay mappings | | # AIX SecureWay mappings |
| | #nss_map_objectclass posixAccount aixAccount | | #nss_map_objectclass posixAccount aixAccount |
| | #pam_filter objectclass=aixAccount | | #pam_filter objectclass=aixAccount |
| | #pam_password clear | | #pam_password clear |
| | + | |
| | # Netscape SDK LDAPS | | # Netscape SDK LDAPS |
| | ssl no | | ssl no |
| | + | |
| | # Netscape SDK SSL options | | # Netscape SDK SSL options |
| | #sslpath /etc/ssl/certs | | #sslpath /etc/ssl/certs |
| | + | |
| | # OpenLDAP SSL mechanism | | # OpenLDAP SSL mechanism |
| | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 | | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 |
| | #ssl start_tls | | #ssl start_tls |
| | #ssl on | | #ssl on |
| | + | |
| | # OpenLDAP SSL options | | # OpenLDAP SSL options |
| | # Require and verify server certificate (yes/no) | | # Require and verify server certificate (yes/no) |
| | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". | | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". |
| | #tls_checkpeer yes | | #tls_checkpeer yes |
| | + | |
| | # CA certificates for server certificate verification | | # CA certificates for server certificate verification |
| | # At least one of these are required if tls_checkpeer is "yes" | | # At least one of these are required if tls_checkpeer is "yes" |
| | #tls_cacertfile /etc/ssl/ca.cert | | #tls_cacertfile /etc/ssl/ca.cert |
| | #tls_cacertdir /etc/ssl/certs | | #tls_cacertdir /etc/ssl/certs |
| | + | |
| | # Seed the PRNG if /dev/urandom is not provided | | # Seed the PRNG if /dev/urandom is not provided |
| | #tls_randfile /var/run/egd-pool | | #tls_randfile /var/run/egd-pool |
| | + | |
| | # SSL cipher suite | | # SSL cipher suite |
| | # See man ciphers for syntax | | # See man ciphers for syntax |
| | #tls_ciphers TLSv1 | | #tls_ciphers TLSv1 |
| | + | |
| | # Client certificate and key | | # Client certificate and key |
| | # Use these, if your server requires client authentication. | | # Use these, if your server requires client authentication. |
| | #tls_cert | | #tls_cert |
| | #tls_key | | #tls_key |
| | + | |
| | # Disable SASL security layers. This is needed for AD. | | # Disable SASL security layers. This is needed for AD. |
| | #sasl_secprops maxssf=0 | | #sasl_secprops maxssf=0 |
| | + | |
| | # Override the default Kerberos ticket cache location. | | # Override the default Kerberos ticket cache location. |
| | #krb5_ccname FILE:/etc/.ldapcache | | #krb5_ccname FILE:/etc/.ldapcache |
| | + | |
| | # SASL mechanism for PAM authentication - use is experimental | | # SASL mechanism for PAM authentication - use is experimental |
| | # at present and does not support password policy control | | # at present and does not support password policy control |
