From 65d86148ccb391ec57cf7715f9d295c22e148f70 Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Mon, 15 Dec 2014 16:25:24 -0500
Subject: update the manual
---
 configure.ac | 12 +-
 man/nslcd.8.xml | 180 --------
 man/nslcd.8.xml.in | 155 +++++++
 man/nslcd.conf.5.xml | 1084 -----------------------------------------------
 man/nslcd.conf.5.xml.in | 337 +++++++++++++++
 5 files changed, 502 insertions(+), 1266 deletions(-)
 delete mode 100644 man/nslcd.8.xml
 create mode 100644 man/nslcd.8.xml.in
 delete mode 100644 man/nslcd.conf.5.xml
 create mode 100644 man/nslcd.conf.5.xml.in
diff --git a/configure.ac b/configure.ac
index f25c6f1..49d6bd6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -364,6 +364,14 @@ then
 fi

 # generate files
-AC_CONFIG_FILES([Makefile compat/Makefile common/Makefile nslcd/Makefile
- man/Makefile tests/Makefile])
+AC_CONFIG_FILES([
+ Makefile
+ compat/Makefile
+ common/Makefile
+ nslcd/Makefile
+ tests/Makefile
+ man/Makefile
+ man/nslcd.8.xml
+ man/nslcd.conf.5.xml
+ ])
 AC_OUTPUT
diff --git a/man/nslcd.8.xml b/man/nslcd.8.xml
deleted file mode 100644
index 87703d6..0000000
--- a/man/nslcd.8.xml
+++ /dev/null
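Review bot: The two templates this hunk adds to AC_CONFIG_FILES (`man/nslcd.8.xml` and `man/nslcd.conf.5.xml`) disagree on the version placeholder: the new nslcd.8.xml.in uses `Version @PACKAGE_VERSION@`, which autoconf substitutes by default, while the new nslcd.conf.5.xml.in uses `Version @PROGRAM_VERSION@`, which is only replaced if configure.ac has an AC_SUBST for it (none is visible in this hunk, so it may live elsewhere in the file). The same applies to `@NSLCD_CONF_PATH@` in the conf manual's Files section; if either is not substituted, the literal `@...@` token ends up in the installed man page. Unless PROGRAM_VERSION is deliberately distinct from the package version, I would use `Version @PACKAGE_VERSION@` in both templates and confirm `AC_SUBST([NSLCD_CONF_PATH])` exists. The enclosing configure.ac section continues outside the hunk.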
@@ -1,180 +0,0 @@ - - - - - - - - - - Arthur - de Jong - - - - - nslcd - 8 - Version 0.9.4 - System Manager's Manual - Jun 2014 - - - - nslcd - local LDAP name service daemon - - - - - nslcd - options - - - - - Description - - nslcd is a daemon that will do LDAP queries for local - processes that want to do user, group and other naming lookups (NSS) or do - user authentication, authorisation or password modification (PAM). - - - nslcd is configured through a configuration file - (see nslcd.conf5). - - - See the included README for information on configuring the LDAP server. - - - - - Options - - nslcd accepts the following options: - - - - - , - - - - Check if the daemon is running. - This causes nslcd to return 0 if the daemon is already running and 1 if it is not. - - - - - - - , - - - - Enable debugging mode. - nslcd will not put itself in the background and sends - verbose debugging info to stderr. - nslcd will handle connections as usual. - This option is for debugging purposes only. - Specify this option multiple times to also include more detailed logging - from the LDAP library. - - - - - - - , - - - - Do not fork or daemonise and run nslcd in the - foreground. - - - - - - - - - - Display short help and exit. - - - - - - , - - - Output version information and exit. - - - - - - - - Signals - - - / - - Cancel any running queries and exit. - - - - - - Cause nslcd to retry any failing connections - to the LDAP server, regardless of the - and options. - - - - - - - Files - - /etc/nslcd.conf - the configuration file - (see nslcd.conf5) - - - - - See Also - - nslcd.conf5 - - - - - Author - This manual was written by Arthur de Jong <arthur@arthurdejong.org>. - - - diff --git a/man/nslcd.8.xml.in b/man/nslcd.8.xml.in new file mode 100644 index 0000000..536de29 --- /dev/null +++ b/man/nslcd.8.xml.in 
@@ -0,0 +1,155 @@ + + + + + + + + + + Arthur + de Jong + + + + + nslcd + 8 + Version @PACKAGE_VERSION@ + System Manager's Manual + Jun 2014 + + + + nslcd + local LDAP name service daemon + + + + + nslcd + options + + + + + Description + + nslcd is a daemon that will do LDAP queries for local + processes that want to do user, group and other naming lookups (NSS) or do + user authentication, authorisation or password modification (PAM). + + + nslcd is configured through a configuration file + (see nslcd.conf5). + + + See the included README for information on configuring the LDAP server. + + + + + Options + + nslcd accepts the following options: + + + + + , + + + + Enable debugging mode. + nslcd will not put itself in the background and sends + verbose debugging info to stderr. + nslcd will handle connections as usual. + This option is for debugging purposes only. + Specify this option multiple times to also include more detailed logging + from the LDAP library. + + + + + + + + + + Display short help and exit. + + + + + + , + + + Output version information and exit. + + + + + + + + Signals + + + / + + Cancel any running queries and exit. + + + + + + Cause nslcd to rescan the hackers.git + directory, regardless any detected changes. + + + + + + + Files + + /etc/nslcd.conf - the configuration file + (see nslcd.conf5) + + + + + See Also + + nslcd.conf5 + + + + + Author + This manual was written by Arthur de Jong <arthur@arthurdejong.org>. + + + diff --git a/man/nslcd.conf.5.xml b/man/nslcd.conf.5.xml deleted file mode 100644 index 5cf2408..0000000 --- a/man/nslcd.conf.5.xml +++ /dev/null 
@@ -1,1084 +0,0 @@ - - - - - - - - - - Arthur - de Jong - - - - - nslcd.conf - 5 - Version 0.9.4 - System Manager's Manual - Jun 2014 - - - - nslcd.conf - configuration file for LDAP nameservice daemon - - - - Description - - The nss-pam-ldapd package allows LDAP - directory servers to be used as a primary source of name service - information. (Name service information typically includes users, hosts, - groups, and other such data historically stored in flat files or - NIS.) - - - The file nslcd.conf contains the - configuration information for running nslcd (see - nslcd8). - The file contains options, one on each line, defining the way - NSS lookups and PAM actions - are mapped to LDAP lookups. - - - - - Options - - - Runtime options - - - - NUM - - - Specifies the number of threads to start that can handle requests - and perform LDAP queries. - Each thread opens a separate connection to the LDAP - server. - The default is to start 5 threads. - - - - - - UID - - - This specifies the user id with which the daemon should be run. - This can be a numerical id or a symbolic value. - If no uid is specified no attempt to change the user will be made. - Note that you should use values that don't need LDAP - to resolve. - - - - - - GID - - - This specifies the group id with which the daemon should be run. - This can be a numerical id or a symbolic value. - If no gid is specified no attempt to change the group will be made. - Note that you should use values that don't need LDAP - to resolve. - - - - - - SCHEME LEVEL - - - This option controls the way logging is done. - The SCHEME argument may either be - none, syslog or an absolute - file name. - The LEVEL argument is optional and specifies - the log level. - The log level may be one of: crit, - error, warning, - notice, info or - debug. The default log level is info. - All messages with the specified loglevel or higher are logged. - This option can be supplied multiple times. 
- If this option is omitted syslog info is assumed. - - - - - - - - - General connection options - - - - URI - - - Specifies the LDAP URI of the - server to connect to. - The URI scheme may be ldap, - ldapi or ldaps, specifying - LDAP over TCP, - ICP or SSL respectively (if - supported by the LDAP library). - - - Alternatively, the value DNS may be - used to try to lookup the server using DNS - SRV records. - By default the current domain is used but another domain can - be queried by using the - DNS:DOMAIN syntax. - - - - When using the ldapi scheme, %2f should be used to escape slashes - (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the - time this should not be needed. - - - This option may be specified multiple times. Normally, only the first - server will be used with the following servers as fall-back (see - below). - - - If LDAP lookups are used for host name resolution, - any host names should be specified as an IP address or name that can be - resolved without using LDAP. - - - - - - VERSION - - - Specifies the version of the LDAP protocol to use. - The default is to use the maximum version supported by the - LDAP library. - - - - - DN - - - Specifies the distinguished name with which to bind to the directory - server for lookups. - The default is to bind anonymously. - - - - - - PASSWORD - - - Specifies the credentials with which to bind. - This option is only applicable when used with above. - If you set this option you should consider changing the permissions - of the nslcd.conf file to only grant access to - the root user. - - - - - - - DN - - - Specifies the distinguished name to use when the root user tries to - modify a user's password using the PAM module. - - - - - - PASSWORD - - - Specifies the credentials with which to bind if the root - user tries to change a user's password. - This option is only applicable when used with - above. - If this option is not specified the PAM module prompts the user for - this password. 
- If you set this option you should consider changing the permissions - of the nslcd.conf file to only grant access to - the root user. - - - - - - - - - <acronym>SASL</acronym> authentication options - - - - MECHANISM - - - Specifies the SASL mechanism to be used when - performing SASL authentication. - - - - - - REALM - - - Specifies the SASL realm to be used when performing - SASL authentication. - - - - - - AUTHCID - - - Specifies the authentication identity to be used when performing - SASL authentication. - - - - - - AUTHZID - - - Specifies the authorization identity to be used when performing - SASL authentication. - Must be specified in one of the formats: dn:<distinguished name> - or u:<username>. - - - - - - PROPERTIES - - - Specifies Cyrus SASL security properties. - Allowed values are described in the - ldap.conf5 - manual page. - - - - - - yes|no - - - Determines whether the LDAP server host name should - be canonicalised. If this is set to yes the LDAP - library will do a reverse host name lookup. - By default, it is left up to the LDAP library - whether this check is performed or not. - - - - - - - - - Kerberos authentication options - - - - NAME - - - Set the name for the GSS-API Kerberos credentials cache. - - - - - - - - - Search/mapping options - - - - - MAP - DN - - - Specifies the base distinguished name (DN) - to use as search base. - This option may be supplied multiple times and all specified bases - will be searched. - - - A global search base may be specified or a MAP-specific one. - If no MAP-specific search bases are defined the global ones are used. - - - If, instead of a DN, the value - DOMAIN is specified, the host's - DNS domain is used to construct a search base. - - - If this value is not defined an attempt is made to look it up - in the configured LDAP server. Note that if the - LDAP server is unavailable during start-up - nslcd will not start. 
- - - - - - - MAP - subtree|onelevel|base|children - - - Specifies the search scope (subtree, onelevel, base or children). - The default scope is subtree; base scope is almost never useful for - name service lookups; children scope is not supported on all servers. - - - - - - never|searching|finding|always - - - Specifies the policy for dereferencing aliases. - The default policy is to never dereference aliases. - - - - - - yes|no - - - Specifies whether automatic referral chasing should be enabled. - The default behaviour is to chase referrals. - - - - - - - MAP - FILTER - - - The FILTER - is an LDAP search filter to use for a - specific map. - The default filter is a basic search on the - objectClass for the map (e.g. (objectClass=posixAccount)). - - - - - - - MAP - ATTRIBUTE - NEWATTRIBUTE - - - This option allows for custom attributes to be looked up instead of - the default RFC 2307 attributes. - The MAP may be one of - the supported maps below. - The ATTRIBUTE is the one as - used in RFC 2307 (e.g. userPassword, - ipProtocolNumber, macAddress, etc.). - The NEWATTRIBUTE may be any attribute - as it is available in the directory. - - - If the NEWATTRIBUTE is presented in - quotes (") it is treated as an expression which will be evaluated - to build up the actual value used. - See the section on attribute mapping expressions below for more details. - - - Only some attributes for group, passwd and shadow entries may be mapped - with an expression (because other attributes may be used in search - filters). - For group entries only the userPassword attribute - may be mapped with an expression. - For passwd entries the following attributes may be mapped with an - expression: userPassword, gidNumber, - gecos, homeDirectory and - loginShell. - For shadow entries the following attributes may be mapped with an - expression: userPassword, shadowLastChange, - shadowMin, shadowMax, - shadowWarning, shadowInactive, - shadowExpire and shadowFlag. 
- - - The uidNumber and gidNumber - attributes in the passwd and group - maps may be mapped to the objectSid followed by - the domain SID to derive numeric user and group ids from the SID - (e.g. objectSid:S-1-5-21-3623811015-3361044348-30300820). - - - By default all userPassword attributes are mapped - to the unmatchable password ("*") to avoid accidentally leaking - password information. - - - - - - - - - Timing/reconnect options - - - - SECONDS - - - Specifies the time limit (in seconds) to use when connecting to the - directory server. - This is distinct from the time limit specified in - and affects the set-up of the connection only. - Note that not all LDAP client libraries have support - for setting the connection time out. - The default is 10 seconds. - - - - - - SECONDS - - - Specifies the time limit (in seconds) to wait for a response from the - LDAP server. - A value of zero (0), which is the default, is to wait indefinitely for - searches to be completed. - - - - - - SECONDS - - - Specifies the period if inactivity (in seconds) after which the - connection to the LDAP server will be closed. - The default is not to time out connections. - - - - - - SECONDS - - - Specifies the number of seconds to sleep when connecting to all - LDAP servers fails. - By default 1 second is waited between the first failure and the first - retry. - - - - - - SECONDS - - - Specifies the time after which the LDAP server is - considered to be permanently unavailable. - Once this time is reached retries will be done only once per this time period. - The default value is 10 seconds. - - - - - - - - Note that the reconnect logic as described above is the mechanism that - is used between nslcd and the LDAP - server. The mechanism between the NSS and - PAM client libraries on one end and - nslcd on the other is simpler with a fixed compiled-in - time out of a 10 seconds for writing to nslcd and - a time out of 60 seconds for reading answers. 
- nslcd itself has a read time out of 0.5 seconds - and a write time out of 60 seconds. - - - - - - <acronym>SSL</acronym>/<acronym>TLS</acronym> options - - - - on|off|start_tls - - - Specifies whether to use SSL/TLS or not (the default is not to). If - start_tls - is specified then StartTLS is used rather than raw LDAP over SSL. - Not all LDAP client libraries support both SSL, - StartTLS and all related configuration options. - - - - - - never|allow|try|demand|hard - - - Specifies what checks to perform on a server-supplied certificate. - The meaning of the values is described in the - ldap.conf5 - manual page. - At least one of and - is required if peer verification is - enabled. - - - - - - PATH - - - Specifies the directory containing X.509 certificates for peer - authentication. - This parameter is ignored when using GnuTLS. - On Debian OpenLDAP is linked against GnuTLS. - - - - - - PATH - - - Specifies the path to the X.509 certificate for peer authentication. - - - - - - PATH - - - Specifies the path to an entropy source. - This parameter is ignored when using GnuTLS. - On Debian OpenLDAP is linked against GnuTLS. - - - - - - CIPHERS - - - Specifies the ciphers to use for TLS. - See your TLS implementation's - documentation for further information. - - - - - - PATH - - - Specifies the path to the file containing the local certificate for - client TLS authentication. - - - - - - PATH - - - Specifies the path to the file containing the private key for client - TLS authentication. - - - - - - - - - Other options - - - - - - NUMBER - - - Set this to a number greater than 0 to request paged results from - the LDAP server in accordance with RFC2696. - The default (0) is to not request paged results. - - - This is useful for LDAP servers that contain a - lot of entries (e.g. more than 500) and limit the number of entries - that are returned with one request. 
- For OpenLDAP servers you may need to set - - for allowing more entries to be returned over multiple pages. - - - - - - user1,user2,... - - - This option prevents group membership lookups through - LDAP for the specified users. This can be useful - in case of unavailability of the LDAP server. - This option may be specified multiple times. - - - Alternatively, the value ALLLOCAL may be - used. With that value nslcd builds a full list of - non-LDAP users on startup. - - - - - - UID - - - This option ensures that LDAP users with a numeric - user id lower than the specified value are ignored. Also requests for - users with a lower user id are ignored. - - - - - - yes|no - - - If this option is set, the member attribute of a - group may point to another group. - Members of nested groups are also returned in the higher level group - and parent groups are returned when finding groups for a specific user. - The default is not to perform extra searches for nested groups. - - - - - - REGEX - - - This option can be used to specify how user and group names are - verified within the system. This pattern is used to check all user and - group names that are requested and returned from LDAP. - - - The regular expression should be specified as a POSIX extended regular - expression. The expression itself needs to be separated by slash (/) - characters and the 'i' flag may be appended at the end to indicate - that the match should be case-insensetive. - The default value is - /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i - - - - - - yes|no - - - This specifies whether or not to perform searches for group, - netgroup, passwd, protocols, rpc, services and shadow maps using - case-insensitive matching. - Setting this to yes could open up the system - to authorisation vulnerabilities and introduce nscd cache poisoning - vulnerabilities which allow denial of service. - The default is to perform case-sensitve filtering of LDAP search - results for the above maps. 
- - - - - - - FILTER - - - This option allows flexible fine tuning of the authorisation check that - should be performed. The search filter specified is executed and - if any entries match, access is granted, otherwise access is denied. - - - The search filter can contain the following variable references: - $username, $service, - $ruser, $rhost, - $tty, $hostname, - $fqdn, - $dn, and $uid. - These references are substituted in the search filter using the - same syntax as described in the section on attribute mapping - expressions below. - - - For example, to check that the user has a proper authorizedService - value if the attribute is present (this almost emulates the - option in PADL's pam_ldap): - (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*)))) - - - The option can be emulated with: - (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))) - - - This option may be specified multiple times and all specified searches - should at least return one entry for access to be granted. - - - - - - - "MESSAGE" - - - If this option is set password modification using pam_ldap will be - denied and the specified message will be presented to the user instead. - The message can be used to direct the user to an alternative means - of changing their password. - - - - - - - DB,DB,... - - - If this option is set, on start-up and whenever a connection to the - LDAP server is re-established after an error - the specified caches are flushed. - - - If DB is one of the nsswitch maps, - nscd is contacted to flush its cache for the - specified database. - - If DB is nfsidmap, - nfsidmap is contacted to clear its cache. - - - Using this option ensures that external caches are cleared of - information (typically the absence of users) while the - LDAP server was unavailable. - - - - - - - CACHE - TIME - TIME - - - Configure the time entries are kept in the specified internal cache. 
- - - The first TIME value specifies the time - to keep found entries in the cache. - The second TIME value specifies to the - time to remember that a particular entry was not found. - If the second parameter is absent, it is assumed to be the same as - the first. - - - Time values are specified as a number followed by an - s for seconds, m for minutes, - h for hours or d for days. - Use 0 or off to disable the - cache. - - - Currently, only the dn2uid cache is supported - that is used to remember DN to username lookups that are used when the - member attribute is used. - The default time value for this cache is 15m. - - - - - - - - - - - Supported maps - - The following maps are supported. They are referenced as - MAP in the options above. - - - - aliases - - Mail aliases. - Note that most mail servers do not use the NSS - interface for requesting mail aliases and parse - /etc/aliases on their own. - - - - ethers - Ethernet numbers (mac addresses). - - - group - Posix groups. - - - hosts - Host names. - - - netgroup - Host and user groups used for access control. - - - networks - Network numbers. - - - passwd - Posix users. - - - protocols - Protocol definitions (like in /etc/protocols). - - - rpc - Remote procedure call names and numbers. - - - services - Network service names and numbers. - - - shadow - Shadow user password information. - - - - - - Attribute mapping expressions - - For some attributes a mapping expression may be used to construct the - resulting value. - This is currently only possible for attributes that do - not need to be used in search filters. - The expressions are a subset of the double quoted string expressions in the - Bourne (POSIX) shell. - Instead of variable substitution, attribute lookups are done on the current - entry and the attribute value is substituted. 
- The following expressions are supported: - - - - ${attr} (or $attr for short) - - will substitute the value of the attribute - - - - ${attr:-word} - - (use default) will substitbute the value of the attribute or, if the - attribute is not set or empty substitute the word - - - - ${attr:+word} - - (use alternative) will substitbute word if attribute - is set, otherwise substitute the empty string - - - - ${attr#word} - - remove the shortest possible match of word from the - left of the attribute value - - - - ${attr##word} - - remove the longest possible match of word from the - left of the attribute value (pynslcd only) - - - - ${attr%word} - - remove the shortest possible match of word from the - right of the attribute value (pynslcd only) - - - - ${attr%%word} - - remove the longest possible match of word from the - right of the attribute value (pynslcd only) - - - - - Only the # matching expression is supported in nslcd - and only with the ? wildcard symbol. The pynslcd - implementation supports full matching. - - - Quote ("), dollar ($) and - backslash (\) characters should be escaped with a - backslash (\). - - - The expressions are checked to figure out which attributes to fetch - from LDAP. 
- Some examples to demonstrate how these expressions may be used in - attribute mapping: - - - - "${shadowFlag:-0}" - - use the shadowFlag attribute, using the - value 0 as default - - - - "${homeDirectory:-/home/$uid}" - - use the uid attribute to build a - homeDirectory value if that attribute is missing - - - - "${isDisabled:+100}" - - if the isDisabled attribute is set, return 100, - otherwise leave value empty - - - - "${userPassword#{crypt\}}" - - strip the {crypt} prefix from the userPassword attribute, returning - the raw hash value - - - - - - - Files - - - /etc/nslcd.conf - the main configuration file - - - /etc/nsswitch.conf - Name Service Switch configuration file - - - - - - See Also - - nslcd8, - nsswitch.conf5 - - - - - Author - This manual was written by Arthur de Jong <arthur@arthurdejong.org> - and is based on the - nss_ldap5 - manual developed by PADL Software Pty Ltd. - - - diff --git a/man/nslcd.conf.5.xml.in b/man/nslcd.conf.5.xml.in new file mode 100644 index 0000000..eefc0b7 --- /dev/null +++ b/man/nslcd.conf.5.xml.in 
@@ -0,0 +1,337 @@ + + + + + + + + + + Arthur + de Jong + + + + + nslcd.conf + 5 + Version @PROGRAM_VERSION@ + System Manager's Manual + Jun 2014 + + + + nslcd.conf + configuration file for LDAP nameservice daemon + + + + Description + + The @PACKAGE_NAME@ package allows LDAP + directory servers to be used as a primary source of name service + information. (Name service information typically includes users, hosts, + groups, and other such data historically stored in flat files or + NIS.) + + + The file nslcd.conf contains the + configuration information for running nslcd (see + nslcd8). + The file contains options, one on each line, defining the way + NSS lookups and PAM actions + are mapped to LDAP lookups. + + + + + Options + + + Runtime options + + + + NUM + + + Specifies the number of threads to start that can handle requests + and perform LDAP queries. + Each thread opens a separate connection to the LDAP + server. + The default is to start 5 threads. + + + + + + SCHEME LEVEL + + + This option controls the way logging is done. + The SCHEME argument may either be + none, syslog or an absolute + file name. + The LEVEL argument is optional and specifies + the log level. + The log level may be one of: crit, + error, warning, + notice, info or + debug. The default log level is info. + All messages with the specified loglevel or higher are logged. + This option can be supplied multiple times. + If this option is omitted syslog info is assumed. + + + + + + + + + General connection options + + + + PATH + + + Specifies where hackers.git is checked out to. + + + + + + + + + Other options + + + + NUMBER + + + Set this to a number greater than 0 to request paged results from + the LDAP server in accordance with RFC2696. + The default (0) is to not request paged results. + + + This is useful for LDAP servers that contain a + lot of entries (e.g. more than 500) and limit the number of entries + that are returned with one request. 
+ For OpenLDAP servers you may need to set + + for allowing more entries to be returned over multiple pages. + + + + + + user1,user2,... + + + This option prevents group membership lookups through + LDAP for the specified users. This can be useful + in case of unavailability of the LDAP server. + This option may be specified multiple times. + + + Alternatively, the value ALLLOCAL may be + used. With that value nslcd builds a full list of + non-LDAP users on startup. + + + + + + UID + + + This option ensures that LDAP users with a numeric + user id lower than the specified value are ignored. Also requests for + users with a lower user id are ignored. + + + + + + yes|no + + + If this option is set, the member attribute of a + group may point to another group. + Members of nested groups are also returned in the higher level group + and parent groups are returned when finding groups for a specific user. + The default is not to perform extra searches for nested groups. + + + + + + REGEX + + + This option can be used to specify how user and group names are + verified within the system. This pattern is used to check all user and + group names that are requested and returned from LDAP. + + + The regular expression should be specified as a POSIX extended regular + expression. The expression itself needs to be separated by slash (/) + characters and the 'i' flag may be appended at the end to indicate + that the match should be case-insensetive. + The default value is + /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i + + + + + + yes|no + + + This specifies whether or not to perform searches for group, + netgroup, passwd, protocols, rpc, services and shadow maps using + case-insensitive matching. + Setting this to yes could open up the system + to authorisation vulnerabilities and introduce nscd cache poisoning + vulnerabilities which allow denial of service. + The default is to perform case-sensitve filtering of LDAP search + results for the above maps. 
+ + + + + + + FILTER + + + This option allows flexible fine tuning of the authorisation check that + should be performed. The search filter specified is executed and + if any entries match, access is granted, otherwise access is denied. + + + The search filter can contain the following variable references: + $username, $service, + $ruser, $rhost, + $tty, $hostname, + $fqdn, + $dn, and $uid. + These references are substituted in the search filter using the + same syntax as described in the section on attribute mapping + expressions below. + + + For example, to check that the user has a proper authorizedService + value if the attribute is present (this almost emulates the + option in PADL's pam_ldap): + (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*)))) + + + The option can be emulated with: + (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))) + + + This option may be specified multiple times and all specified searches + should at least return one entry for access to be granted. + + + + + + + "MESSAGE" + + + If this option is set password modification using pam_ldap will be + denied and the specified message will be presented to the user instead. + The message can be used to direct the user to an alternative means + of changing their password. + + + + + + + DB,DB,... + + + If this option is set, on start-up and whenever a connection to the + LDAP server is re-established after an error + the specified caches are flushed. + + + If DB is one of the nsswitch maps, + nscd is contacted to flush its cache for the + specified database. + + If DB is nfsidmap, + nfsidmap is contacted to clear its cache. + + + Using this option ensures that external caches are cleared of + information (typically the absence of users) while the + LDAP server was unavailable. 
+ + + + + + + + + + + Files + + + @NSLCD_CONF_PATH@ + the main configuration file + + + /etc/nsswitch.conf + Name Service Switch configuration file + + + + + + See Also + + nslcd8, + nsswitch.conf5 + + + + + Author + This manual was written by Arthur de Jong <arthur@arthurdejong.org> + and is based on the + nss_ldap5 + manual developed by PADL Software Pty Ltd. + + + -- cgit v1.2.3