This file provides configuration information for the PAM LDAP authentication library.

The recognized directives are as follows:

host
    The LDAP directory server to direct all queries to. Must be resolvable without using LDAP. Can be a hostname or an IP address. If not specified, the library will attempt to use DNS resource records (RRs) to find the appropriate host.
The distinguished name of the search base. If this parameter is omitted, the default domain is used in the fashion specified by RFC 2247: commonly the elements of the domain name prefixed with 'dc='. Example: dc=rage,dc=net. This value is required.
Another way to specify your LDAP server is to provide a URI with the server name. This also allows the use of Unix domain sockets to connect to a local LDAP server.

uri ldap://127.0.0.1/
uri ldaps://127.0.0.1/
uri ldapi://%2fvar%2frun%2fldapi_sock/

Note: %2f encodes the '/' used as the directory separator in the socket path.
LDAP version to use. Valid values are 2 or 3.
The distinguished name to bind to the server with. If omitted the library will bind anonymously.
The credentials to bind with. This should only be specified in conjunction with binddn.
The distinguished name to bind to the server with if the effective user ID is root. The password is stored in /etc/ldap.secret (mode 600).
The TCP port to connect to the server on. Defaults to 389.
The search scope. Should be one of 'one', 'base', or 'sub'.
Time limit for searches.
Time limit for binding to the LDAP server. If using the Netscape SDK 4.x, this is also used to set the TCP connection timeout.
The following directives are PAM-specific and should be left at their defaults unless a given configuration requires changing them.
Filter to AND with uid searches.
The user ID attribute; defaults to 'uid' (as specified in RFC 2307).
Search the root DSE for the password policy. This works with the Netscape directory server. The value can be 'yes' or 'no'.
The group to enforce membership of.
The group member attribute. Commonly 'uniquemember'.
pam_template_login_attribute
    Template login attribute.
pam_template_login
    Default template user (can be overridden by the value of the former attribute in the user's entry).
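The PAM-specific directives above describe a user lookup (the login attribute ANDed with the filter) followed by a group membership check. The following is an added illustration of how such a lookup filter and membership test can be composed safely; it is not pam_ldap's own code. It assumes the standard directive names pam_filter, pam_login_attribute, pam_groupdn and pam_member_attribute, and a constructed group entry. The security-relevant point is that the login name is user-supplied and must be escaped per RFC 4515 before it is placed inside a filter, otherwise a crafted name can change the filter's structure.

```python
"""Compose a pam_ldap-style user lookup filter and a group membership check.

Added example (not pam_ldap's own code).  Directive names pam_filter,
pam_login_attribute, pam_groupdn and pam_member_attribute are the standard
ones assumed here; the group entry below is constructed for illustration."""


def escape_filter_value(value):
    """Escape the characters that are special inside an LDAP search filter
    (RFC 4515: backslash, asterisk, parentheses, NUL) as \\XX hex sequences,
    so a login name can never terminate or extend the filter."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(login, login_attribute="uid", pam_filter=None):
    """Build (login_attribute=login), ANDed with pam_filter when one is set.
    pam_filter may be written with or without its surrounding parentheses."""
    term = "(%s=%s)" % (login_attribute, escape_filter_value(login))
    if not pam_filter:
        return term
    extra = pam_filter if pam_filter.startswith("(") else "(%s)" % pam_filter
    return "(&%s%s)" % (term, extra)


def normalize_dn(dn):
    """Simplified DN normalization for comparison: case-insensitive and
    whitespace-insensitive around the comma separators (not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_group_member(group_entry, user_dn, member_attribute="uniquemember"):
    """Membership check as pam_groupdn/pam_member_attribute describe it: the
    user's DN must appear among the group's member attribute values."""
    members = group_entry.get(member_attribute, [])
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in members)


# Constructed sample group entry (not from any real directory).
SAMPLE_GROUP = {
    "dn": "cn=shell-users,ou=groups,dc=example,dc=test",
    "uniquemember": [
        "uid=alice,ou=people,dc=example,dc=test",
        "UID=bob, OU=people, DC=example, DC=test",
    ],
}

if __name__ == "__main__":
    print(user_search_filter("alice", pam_filter="objectclass=posixAccount"))
    # A hostile login name is neutralized rather than rewriting the filter.
    print(user_search_filter("alice)(|(uid=*", pam_filter="objectclass=posixAccount"))
    print(is_group_member(SAMPLE_GROUP, "uid=bob,ou=people,dc=example,dc=test"))
```

The escaped form keeps the hostile characters inside the single equality term, so the server still searches for a literal (non-existent) uid rather than for every account; the membership test normalizes only case and spacing, which is enough for the constructed entry but not a substitute for the server-side compare a real module would perform.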
libpam_ldap supports many types of password hashes; the possible choices for pam_password are explained here.
Don't set any encryption; this is useful with servers that automatically encrypt the userPassword entry.
Make userPassword use the same format as flat-file password storage. This will work for most configurations.
Use Novell Directory Services-style updating: first remove the old password, then update with the cleartext password.
Active Directory-style: create a Unicode password and update the unicodePwd attribute.
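The connection directives (host, uri, LDAP version, bind DN and credentials, root bind DN) and the pam_password choices above each have a security consequence that is easy to miss when reading a real ldap.conf: a bare host or an ldap:// URI means simple binds carry passwords in the clear, LDAP version 2 lacks the features of version 3, and a bindpw in the world-readable ldap.conf is exposed while rootbinddn keeps its secret in /etc/ldap.secret. The following added checker, which is not part of pam_ldap, parses a constructed ldap.conf embedded in the script and reports those conditions. It assumes the standard directive names (host, uri, ldap_version, binddn, bindpw, rootbinddn, pam_password) and additionally assumes an ssl directive with the values on or start_tls, which this page does not document.

```python
"""Audit a pam_ldap-style ldap.conf for weak connection and credential settings.

Added example, not pam_ldap's own code.  Assumes the standard directive names
(host, uri, ldap_version, binddn, bindpw, rootbinddn, pam_password) plus an
'ssl on|start_tls' directive not described on this page.  The configuration
below is constructed for the example and is not a real deployment."""
from urllib.parse import urlparse

# Constructed sample ldap.conf (placeholder values only).
SAMPLE_CONF = """
# Directory connection
host ldap.example.test
uri ldap://ldap.example.test/
base dc=example,dc=test
ldap_version 2
binddn cn=proxy,dc=example,dc=test
bindpw PLACEHOLDER-NOT-A-REAL-SECRET
rootbinddn cn=manager,dc=example,dc=test
scope sub
pam_password clear
"""


def parse_ldap_conf(text):
    """Return {directive: [value, ...]}.  Repeated directives (e.g. several
    uri lines) are kept in order; names are case-insensitive; '#' comments
    and blank lines are skipped; the value is the remainder of the line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def transport_is_protected(conf):
    """True when every path to the server is protected: all uri values use
    ldaps:// (TLS) or ldapi:// (local Unix socket), or the assumed ssl
    directive enables TLS.  A bare host/port with plain ldap:// is not."""
    ssl_mode = conf.get("ssl", [""])[0].lower()
    if ssl_mode in ("on", "start_tls"):
        return True
    uris = conf.get("uri")
    if not uris:
        return False
    return all(urlparse(u).scheme in ("ldaps", "ldapi") for u in uris)


def audit(conf):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    if conf.get("ldap_version", ["3"])[0] != "3":
        findings.append("ldap_version is not 3")
    if not transport_is_protected(conf):
        findings.append("transport is not ldaps:// or ldapi:// (simple binds send passwords in the clear)")
    if "bindpw" in conf:
        findings.append("bindpw is stored in ldap.conf, which is normally world-readable")
    if "rootbinddn" in conf:
        findings.append("rootbinddn is set: /etc/ldap.secret must exist with mode 600")
    if conf.get("pam_password", [""])[0] == "clear":
        findings.append("pam_password clear: the server is trusted to hash userPassword itself")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ldap_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run against the embedded sample, the checker flags all five conditions; pointing it at a hardened file (ldaps:// or ldapi:// URIs only, ldap_version 3, no bindpw) yields only the rootbinddn reminder, which is a file-permission check to perform on the host rather than something the configuration text can prove.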