|
1: 2021-06-26 (土) 17:58:06 iseki  |
| | + | ** ldap.conf [#c00dfc50] |
| | + | - LDAP の設定ファイル |
| | + | #br |
| | + | **** /etc/ldap.conf [#t65dbd4b] |
| | + | host 202.26.150.51 |
| | + | base dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | uri ldaps://202.26.150.51/ |
| | + | port 636 |
| | | | |
| | + | binddn cn=Manager |
| | + | bindpw ***** |
| | + | |
| | + | ssl no |
| | + | tls_reqcert never |
| | + | pam_password crypt |
| | + | |
| | + | **** Full [#w02569ea] |
| | + | # @(#)$Id$ |
| | + | # |
| | + | # This is the configuration file for the LDAP nameservice |
| | + | # switch library and the LDAP PAM module. |
| | + | # |
| | + | # PADL Software |
| | + | # http://www.padl.com |
| | + | # |
| | + | |
| | + | # Your LDAP server. Must be resolvable without using LDAP. |
| | + | # Multiple hosts may be specified, each separated by a |
| | + | # space. How long nss_ldap takes to failover depends on |
| | + | # whether your LDAP client library supports configurable |
| | + | # network or connect timeouts (see bind_timelimit). |
| | + | #host 127.0.0.1 |
| | + | host 202.26.150.51 |
| | + | |
| | + | # The distinguished name of the search base. |
| | + | #base dc=padl,dc=com |
| | + | base dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | |
| | + | # Another way to specify your LDAP server is to provide an |
| | + | # uri with the server name. This allows to use |
| | + | # Unix Domain Sockets to connect to a local LDAP Server. |
| | + | #uri ldap://127.0.0.1/ |
| | + | #uri ldaps://127.0.0.1/ |
| | + | #uri ldapi://%2fvar%2frun%2fldapi_sock/ |
| | + | # Note: %2f encodes the '/' used as directory separator |
| | + | uri ldap://202.26.150.51/ |
| | + | |
| | + | # The LDAP version to use (defaults to 3 |
| | + | # if supported by client library) |
| | + | #ldap_version 3 |
| | + | |
| | + | # The distinguished name to bind to the server with. |
| | + | # Optional: default is to bind anonymously. |
| | + | binddn cn=Manager |
| | + | |
| | + | # The credentials to bind with. |
| | + | # Optional: default is no credential. |
| | + | bindpw ****** |
| | + | |
| | + | # The distinguished name to bind to the server with |
| | + | # if the effective user ID is root. Password is |
| | + | # stored in /etc/ldap.secret (mode 600) |
| | + | #rootbinddn cn=manager,dc=padl,dc=com |
| | + | |
| | + | # The port. |
| | + | # Optional: default is 389. |
| | + | #port 389 |
| | + | |
| | + | # The search scope. |
| | + | #scope sub |
| | + | #scope one |
| | + | #scope base |
| | + | |
| | + | # Search timelimit |
| | + | #timelimit 30 |
| | + | |
| | + | # Bind/connect timelimit |
| | + | #bind_timelimit 30 |
| | + | |
| | + | # Reconnect policy: hard (default) will retry connecting to |
| | + | # the software with exponential backoff, soft will fail |
| | + | # immediately. |
| | + | #bind_policy hard |
| | + | |
| | + | # Idle timelimit; client will close connections |
| | + | # (nss_ldap only) if the server has not been contacted |
| | + | # for the number of seconds specified below. |
| | + | #idle_timelimit 3600 |
| | + | |
| | + | # Filter to AND with uid=%s |
| | + | #pam_filter objectclass=account |
| | + | |
| | + | # The user ID attribute (defaults to uid) |
| | + | #pam_login_attribute uid |
| | + | |
| | + | # Search the root DSE for the password policy (works |
| | + | # with Netscape Directory Server) |
| | + | #pam_lookup_policy yes |
| | + | |
| | + | # Check the 'host' attribute for access control |
| | + | # Default is no; if set to yes, and user has no |
| | + | # value for the host attribute, and pam_ldap is |
| | + | # configured for account management (authorization) |
| | + | # then the user will not be allowed to login. |
| | + | #pam_check_host_attr yes |
| | + | |
| | + | # Check the 'authorizedService' attribute for access |
| | + | # control |
| | + | # Default is no; if set to yes, and the user has no |
| | + | # value for the authorizedService attribute, and |
| | + | # pam_ldap is configured for account management |
| | + | # (authorization) then the user will not be allowed |
| | + | # to login. |
| | + | #pam_check_service_attr yes |
| | + | |
| | + | # Group to enforce membership of |
| | + | #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com |
| | + | |
| | + | # Group member attribute |
| | + | #pam_member_attribute uniquemember |
| | + | |
| | + | # Specify a minium or maximum UID number allowed |
| | + | #pam_min_uid 0 |
| | + | #pam_max_uid 0 |
| | + | |
| | + | # Template login attribute, default template user |
| | + | # (can be overriden by value of former attribute |
| | + | # in user's entry) |
| | + | #pam_login_attribute userPrincipalName |
| | + | #pam_template_login_attribute uid |
| | + | #pam_template_login nobody |
| | + | |
| | + | # HEADS UP: the pam_crypt, pam_nds_passwd, |
| | + | # and pam_ad_passwd options are no |
| | + | # longer supported. |
| | + | # |
| | + | # Do not hash the password at all; presume |
| | + | # the directory server will do it, if |
| | + | # necessary. This is the default. |
| | + | #pam_password clear |
| | + | |
| | + | # Hash password locally; required for University of |
| | + | # Michigan LDAP server, and works with Netscape |
| | + | # Directory Server if you're using the UNIX-Crypt |
| | + | # hash mechanism and not using the NT Synchronization |
| | + | # service. |
| | + | #pam_password crypt |
| | + | |
| | + | # Remove old password first, then update in |
| | + | # cleartext. Necessary for use with Novell |
| | + | # Directory Services (NDS) |
| | + | #pam_password clear_remove_old |
| | + | #pam_password nds |
| | + | |
| | + | # RACF is an alias for the above. For use with |
| | + | # IBM RACF |
| | + | #pam_password racf |
| | + | |
| | + | # Update Active Directory password, by |
| | + | # creating Unicode password and updating |
| | + | # unicodePwd attribute. |
| | + | #pam_password ad |
| | + | |
| | + | # Use the OpenLDAP password change |
| | + | # extended operation to update the password. |
| | + | #pam_password exop |
| | + | |
| | + | # Redirect users to a URL or somesuch on password |
| | + | # changes. |
| | + | #pam_password_prohibit_message Please visit http://internal to change your password. |
| | + | |
| | + | # RFC2307bis naming contexts |
| | + | # Syntax: |
| | + | # nss_base_XXX base?scope?filter |
| | + | # where scope is {base,one,sub} |
| | + | # and filter is a filter to be &'d with the |
| | + | # default filter. |
| | + | # You can omit the suffix eg: |
| | + | # nss_base_passwd ou=People, |
| | + | # to append the default base DN but this |
| | + | # may incur a small performance impact. |
| | + | #nss_base_passwd ou=People,dc=padl,dc=com?one |
| | + | #nss_base_shadow ou=People,dc=padl,dc=com?one |
| | + | #nss_base_group ou=Group,dc=padl,dc=com?one |
| | + | #nss_base_hosts ou=Hosts,dc=padl,dc=com?one |
| | + | #nss_base_services ou=Services,dc=padl,dc=com?one |
| | + | #nss_base_networks ou=Networks,dc=padl,dc=com?one |
| | + | #nss_base_protocols ou=Protocols,dc=padl,dc=com?one |
| | + | #nss_base_rpc ou=Rpc,dc=padl,dc=com?one |
| | + | #nss_base_ethers ou=Ethers,dc=padl,dc=com?one |
| | + | #nss_base_netmasks ou=Networks,dc=padl,dc=com?ne |
| | + | #nss_base_bootparams ou=Ethers,dc=padl,dc=com?one |
| | + | #nss_base_aliases ou=Aliases,dc=padl,dc=com?one |
| | + | #nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one |
| | + | |
| | + | # attribute/objectclass mapping |
| | + | # Syntax: |
| | + | #nss_map_attribute rfc2307attribute mapped_attribute |
| | + | #nss_map_objectclass rfc2307objectclass mapped_objectclass |
| | + | |
| | + | # configure --enable-nds is no longer supported. |
| | + | # NDS mappings |
| | + | #nss_map_attribute uniqueMember member |
| | + | |
| | + | # Services for UNIX 3.5 mappings |
| | + | #nss_map_objectclass posixAccount User |
| | + | #nss_map_objectclass shadowAccount User |
| | + | #nss_map_attribute uid msSFU30Name |
| | + | #nss_map_attribute uniqueMember msSFU30PosixMember |
| | + | #nss_map_attribute userPassword msSFU30Password |
| | + | #nss_map_attribute homeDirectory msSFU30HomeDirectory |
| | + | #nss_map_attribute homeDirectory msSFUHomeDirectory |
| | + | #nss_map_objectclass posixGroup Group |
| | + | #pam_login_attribute msSFU30Name |
| | + | #pam_filter objectclass=User |
| | + | #pam_password ad |
| | + | |
| | + | # configure --enable-mssfu-schema is no longer supported. |
| | + | # Services for UNIX 2.0 mappings |
| | + | #nss_map_objectclass posixAccount User |
| | + | #nss_map_objectclass shadowAccount user |
| | + | #nss_map_attribute uid msSFUName |
| | + | #nss_map_attribute uniqueMember posixMember |
| | + | #nss_map_attribute userPassword msSFUPassword |
| | + | #nss_map_attribute homeDirectory msSFUHomeDirectory |
| | + | #nss_map_attribute shadowLastChange pwdLastSet |
| | + | #nss_map_objectclass posixGroup Group |
| | + | #nss_map_attribute cn msSFUName |
| | + | #pam_login_attribute msSFUName |
| | + | #pam_filter objectclass=User |
| | + | #pam_password ad |
| | + | |
| | + | # RFC 2307 (AD) mappings |
| | + | #nss_map_objectclass posixAccount user |
| | + | #nss_map_objectclass shadowAccount user |
| | + | #nss_map_attribute uid sAMAccountName |
| | + | #nss_map_attribute homeDirectory unixHomeDirectory |
| | + | #nss_map_attribute shadowLastChange pwdLastSet |
| | + | #nss_map_objectclass posixGroup group |
| | + | #nss_map_attribute uniqueMember member |
| | + | #pam_login_attribute sAMAccountName |
| | + | #pam_filter objectclass=User |
| | + | #pam_password ad |
| | + | |
| | + | # configure --enable-authpassword is no longer supported |
| | + | # AuthPassword mappings |
| | + | #nss_map_attribute userPassword authPassword |
| | + | |
| | + | # AIX SecureWay mappings |
| | + | #nss_map_objectclass posixAccount aixAccount |
| | + | #nss_base_passwd ou=aixaccount,?one |
| | + | #nss_map_attribute uid userName |
| | + | #nss_map_attribute gidNumber gid |
| | + | #nss_map_attribute uidNumber uid |
| | + | #nss_map_attribute userPassword passwordChar |
| | + | #nss_map_objectclass posixGroup aixAccessGroup |
| | + | #nss_base_group ou=aixgroup,?one |
| | + | #nss_map_attribute cn groupName |
| | + | #nss_map_attribute uniqueMember member |
| | + | #pam_login_attribute userName |
| | + | #pam_filter objectclass=aixAccount |
| | + | #pam_password clear |
| | + | |
| | + | # Netscape SDK LDAPS |
| | + | ssl no |
| | + | |
| | + | # Netscape SDK SSL options |
| | + | #sslpath /etc/ssl/certs |
| | + | |
| | + | # OpenLDAP SSL mechanism |
| | + | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 |
| | + | #ssl start_tls |
| | + | #ssl on |
| | + | |
| | + | # OpenLDAP SSL options |
| | + | # Require and verify server certificate (yes/no) |
| | + | # Default is to use libldap's default behavior, which can be configured in |
| | + | # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for |
| | + | # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". |
| | + | #tls_checkpeer yes |
| | + | |
| | + | # CA certificates for server certificate verification |
| | + | # At least one of these are required if tls_checkpeer is "yes" |
| | + | #tls_cacertfile /etc/ssl/ca.cert |
| | + | #tls_cacertdir /etc/ssl/certs |
| | + | |
| | + | # Seed the PRNG if /dev/urandom is not provided |
| | + | #tls_randfile /var/run/egd-pool |
| | + | |
| | + | # SSL cipher suite |
| | + | # See man ciphers for syntax |
| | + | #tls_ciphers TLSv1 |
| | + | |
| | + | # Client certificate and key |
| | + | # Use these, if your server requires client authentication. |
| | + | #tls_cert |
| | + | #tls_key |
| | + | |
| | + | # Disable SASL security layers. This is needed for AD. |
| | + | #sasl_secprops maxssf=0 |
| | + | |
| | + | # Override the default Kerberos ticket cache location. |
| | + | #krb5_ccname FILE:/etc/.ldapcache |
| | + | |
| | + | # SASL mechanism for PAM authentication - use is experimental |
| | + | # at present and does not support password policy control |
| | + | #pam_sasl_mech DIGEST-MD5 |
| | + | #tls_cacertdir /etc/openldap/cacerts |
| | + | pam_password crypt |
