Próximo: Serviços Web, Anterior: Serviços Kerberos, Acima: Serviços [Conteúdo][Índice]
The (gnu services authentication)
module provides the
nslcd-service-type
, which can be used to authenticate against an LDAP
server. In addition to configuring the service itself, you may want to add
ldap
as a name service to the Name Service Switch. Veja Name Service Switch for detailed information.
Here is a simple operating system declaration with a default configuration
of the nslcd-service-type
and a Name Service Switch configuration
that consults the ldap
name service last:
(use-service-modules authentication) (use-modules (gnu system nss)) ... (operating-system ... (services (cons* (service nslcd-service-type) (service dhcp-client-service-type) %base-services)) (name-service-switch (let ((services (list (name-service (name "db")) (name-service (name "files")) (name-service (name "ldap"))))) (name-service-switch (inherit %mdns-host-lookup-nss) (password services) (shadow services) (group services) (netgroup services) (gshadow services)))))
Available nslcd-configuration
fields are:
nslcd-configuration
parameter: package nss-pam-ldapd ¶The nss-pam-ldapd
package to use.
nslcd-configuration
parameter: maybe-number threads ¶The number of threads to start that can handle requests and perform LDAP queries. Each thread opens a separate connection to the LDAP server. The default is to start 5 threads.
Defaults to ‘disabled’.
nslcd-configuration
parameter: string uid ¶This specifies the user id with which the daemon should be run.
Defaults to ‘"nslcd"’.
nslcd-configuration
parameter: string gid ¶This specifies the group id with which the daemon should be run.
Defaults to ‘"nslcd"’.
nslcd-configuration
parameter: log-option log ¶This option controls the way logging is done via a list containing SCHEME and LEVEL. The SCHEME argument may either be the symbols ‘none’ or ‘syslog’, or an absolute file name. The LEVEL argument is optional and specifies the log level. The log level may be one of the following symbols: ‘crit’, ‘error’, ‘warning’, ‘notice’, ‘info’ or ‘debug’. All messages with the specified log level or higher are logged.
Defaults to ‘'("/var/log/nslcd" info)’.
nslcd-configuration
parameter: list uri ¶The list of LDAP server URIs. Normally, only the first server will be used with the following servers as fall-back.
Defaults to ‘'("ldap://localhost:389/")’.
nslcd-configuration
parameter: maybe-string ldap-version ¶The version of the LDAP protocol to use. The default is to use the maximum version supported by the LDAP library.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string binddn ¶Specifies the distinguished name with which to bind to the directory server for lookups. The default is to bind anonymously.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string bindpw ¶Specifies the credentials with which to bind. This option is only applicable when used with binddn.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string rootpwmoddn ¶Specifies the distinguished name to use when the root user tries to modify a user’s password using the PAM module.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string rootpwmodpw ¶Specifies the credentials with which to bind if the root user tries to change a user’s password. This option is only applicable when used with rootpwmoddn
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string sasl-mech ¶Specifies the SASL mechanism to be used when performing SASL authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string sasl-realm ¶Specifies the SASL realm to be used when performing SASL authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string sasl-authcid ¶Specifies the authentication identity to be used when performing SASL authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string sasl-authzid ¶Specifies the authorization identity to be used when performing SASL authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean sasl-canonicalize? ¶Determines whether the LDAP server host name should be canonicalised. If this is enabled the LDAP library will do a reverse host name lookup. By default, it is left up to the LDAP library whether this check is performed or not.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string krb5-ccname ¶Set the name for the GSS-API Kerberos credentials cache.
Defaults to ‘disabled’.
nslcd-configuration
parameter: string base ¶The directory search base.
Defaults to ‘"dc=example,dc=com"’.
nslcd-configuration
parameter: scope-option scope ¶Specifies the search scope (subtree, onelevel, base or children). The default scope is subtree; base scope is almost never useful for name service lookups; children scope is not supported on all servers.
Defaults to ‘'(subtree)’.
nslcd-configuration
parameter: maybe-deref-option deref ¶Specifies the policy for dereferencing aliases. The default policy is to never dereference aliases.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean referrals ¶Specifies whether automatic referral chasing should be enabled. The default behaviour is to chase referrals.
Defaults to ‘disabled’.
nslcd-configuration
parameter: list-of-map-entries maps ¶This option allows for custom attributes to be looked up instead of the default RFC 2307 attributes. It is a list of maps, each consisting of the name of a map, the RFC 2307 attribute to match and the query expression for the attribute as it is available in the directory.
Defaults to ‘'()’.
nslcd-configuration
parameter: list-of-filter-entries filters ¶A list of filters consisting of the name of a map to which the filter applies and an LDAP search filter expression.
Defaults to ‘'()’.
nslcd-configuration
parameter: maybe-number bind-timelimit ¶Specifies the time limit in seconds to use when connecting to the directory server. The default value is 10 seconds.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number timelimit ¶Specifies the time limit (in seconds) to wait for a response from the LDAP server. A value of zero, which is the default, is to wait indefinitely for searches to be completed.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number idle-timelimit ¶Specifies the period if inactivity (in seconds) after which the con‐ nection to the LDAP server will be closed. The default is not to time out connections.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number reconnect-sleeptime ¶Specifies the number of seconds to sleep when connecting to all LDAP servers fails. By default one second is waited between the first failure and the first retry.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number reconnect-retrytime ¶Specifies the time after which the LDAP server is considered to be permanently unavailable. Once this time is reached retries will be done only once per this time period. The default value is 10 seconds.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-ssl-option ssl ¶Specifies whether to use SSL/TLS or not (the default is not to). If ’start-tls is specified then StartTLS is used rather than raw LDAP over SSL.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-tls-reqcert-option tls-reqcert ¶Specifies what checks to perform on a server-supplied certificate. The meaning of the values is described in the ldap.conf(5) manual page.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-cacertdir ¶Specifies the directory containing X.509 certificates for peer authen‐ tication. This parameter is ignored when using GnuTLS.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-cacertfile ¶Specifies the path to the X.509 certificate for peer authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-randfile ¶Specifies the path to an entropy source. This parameter is ignored when using GnuTLS.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-ciphers ¶Specifies the ciphers to use for TLS as a string.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-cert ¶Specifies the path to the file containing the local certificate for client TLS authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string tls-key ¶Specifies the path to the file containing the private key for client TLS authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number pagesize ¶Set this to a number greater than 0 to request paged results from the LDAP server in accordance with RFC2696. The default (0) is to not request paged results.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-ignore-users-option nss-initgroups-ignoreusers ¶This option prevents group membership lookups through LDAP for the specified users. Alternatively, the value ’all-local may be used. With that value nslcd builds a full list of non-LDAP users on startup.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number nss-min-uid ¶This option ensures that LDAP users with a numeric user id lower than the specified value are ignored.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number nss-uid-offset ¶This option specifies an offset that is added to all LDAP numeric user ids. This can be used to avoid user id collisions with local users.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-number nss-gid-offset ¶This option specifies an offset that is added to all LDAP numeric group ids. This can be used to avoid user id collisions with local groups.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean nss-nested-groups ¶If this option is set, the member attribute of a group may point to another group. Members of nested groups are also returned in the higher level group and parent groups are returned when finding groups for a specific user. The default is not to perform extra searches for nested groups.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean nss-getgrent-skipmembers ¶If this option is set, the group member list is not retrieved when looking up groups. Lookups for finding which groups a user belongs to will remain functional so the user will likely still get the correct groups assigned on login.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean nss-disable-enumeration ¶If this option is set, functions which cause all user/group entries to be loaded from the directory will not succeed in doing so. This can dramatically reduce LDAP server load in situations where there are a great number of users and/or groups. This option is not recommended for most configurations.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string validnames ¶This option can be used to specify how user and group names are verified within the system. This pattern is used to check all user and group names that are requested and returned from LDAP.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean ignorecase ¶This specifies whether or not to perform searches using case-insensitive matching. Enabling this could open up the system to authorization bypass vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow denial of service.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-boolean pam-authc-ppolicy ¶This option specifies whether password policy controls are requested and handled from the LDAP server when performing user authentication.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string pam-authc-search ¶By default nslcd performs an LDAP search with the user’s credentials after BIND (authentication) to ensure that the BIND operation was successful. The default search is a simple check to see if the user’s DN exists. A search filter can be specified that will be used instead. It should return at least one entry.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string pam-authz-search ¶This option allows flexible fine tuning of the authorisation check that should be performed. The search filter specified is executed and if any entries match, access is granted, otherwise access is denied.
Defaults to ‘disabled’.
nslcd-configuration
parameter: maybe-string pam-password-prohibit-message ¶If this option is set password modification using pam_ldap will be denied and the specified message will be presented to the user instead. The message can be used to direct the user to an alternative means of changing their password.
Defaults to ‘disabled’.
nslcd-configuration
parameter: list pam-services ¶List of pam service names for which LDAP authentication should suffice.
Defaults to ‘'()’.
The (gnu services ldap)
module provides the
directory-server-service-type
, which can be used to create and launch
an LDAP server instance.
Here is an example configuration of the
directory-server-service-type
:
(use-service-modules ldap) ... (operating-system ... (services (cons (service directory-server-service-type (directory-server-instance-configuration (slapd (slapd-configuration (root-password "{PBKDF2_SHA256}AAAgAG…ABSOLUTELYSECRET"))))) %base-services)))
The root password should be generated with the pwdhash
utility
that is provided by the 389-ds-base
package.
Note that changes to the directory server configuration will not be applied to existing instances. You will need to back up and restore server data manually. Only new directory server instances will be created upon system reconfiguration.
Available directory-server-instance-configuration
fields are:
package
(default: 389-ds-base
) (type: file-like)The 389-ds-base
package.
config-version
(default: 2
) (type: number)Sets the format version of the configuration file. To use the INF file with
dscreate
, this parameter must be 2.
full-machine-name
(default: "localhost"
) (type: string)Sets the fully qualified hostname (FQDN) of this system.
selinux
(default: #false
) (type: boolean)Enables SELinux detection and integration during the installation of this
instance. If set to #true
, dscreate
auto-detects whether
SELinux is enabled.
strict-host-checking
(default: #true
) (type: boolean)Sets whether the server verifies the forward and reverse record set in the
full-machine-name
parameter. When installing this instance with
GSSAPI authentication behind a load balancer, set this parameter to
#false
.
systemd
(default: #false
) (type: boolean)Enables systemd platform features. If set to #true
,
dscreate
auto-detects whether systemd is installed.
slapd
(type: slapd-configuration)Configuration of slapd.
Available slapd-configuration
fields are:
instance-name
(default: "localhost"
) (type: string)Sets the name of the instance. You can refer to this value in other
parameters of this INF file using the {instance_name}
variable.
Note that this name cannot be changed after the installation!
user
(default: "dirsrv"
) (type: string)Sets the user name the ns-slapd process will use after the service started.
group
(default: "dirsrv"
) (type: string)Sets the group name the ns-slapd process will use after the service started.
port
(default: 389
) (type: number)Sets the TCP port the instance uses for LDAP connections.
secure-port
(default: 636
) (type: number)Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS).
root-dn
(default: "cn=Directory Manager"
) (type: string)Sets the Distinquished Name (DN) of the administrator account for this instance.
root-password
(default: "{invalid}YOU-SHOULD-CHANGE-THIS"
) (type: string)Sets the password of the account specified in the root-dn
parameter.
You can either set this parameter to a plain text password
dscreate
hashes during the installation or to a
"{algorithm}hash" string generated by the pwdhash
utility. Note
that setting a plain text password can be a security risk if unprivileged
users can read this INF file!
self-sign-cert
(default: #true
) (type: boolean)Sets whether the setup creates a self-signed certificate and enables TLS encryption during the installation. This is not suitable for production, but it enables administrators to use TLS right after the installation. You can replace the self-signed certificate with a certificate issued by a certificate authority.
self-sign-cert-valid-months
(default: 24
) (type: number)Set the number of months the issued self-signed certificate will be valid.
backup-dir
(default: "/var/lib/dirsrv/slapd-{instance_name}/bak"
) (type: string)Set the backup directory of the instance.
cert-dir
(default: "/etc/dirsrv/slapd-{instance_name}"
) (type: string)Sets the directory of the instance’s Network Security Services (NSS) database.
config-dir
(default: "/etc/dirsrv/slapd-{instance_name}"
) (type: string)Sets the configuration directory of the instance.
db-dir
(default: "/var/lib/dirsrv/slapd-{instance_name}/db"
) (type: string)Sets the database directory of the instance.
initconfig-dir
(default: "/etc/dirsrv/registry"
) (type: string)Sets the directory of the operating system’s rc configuration directory.
ldif-dir
(default: "/var/lib/dirsrv/slapd-{instance_name}/ldif"
) (type: string)Sets the LDIF export and import directory of the instance.
lock-dir
(default: "/var/lock/dirsrv/slapd-{instance_name}"
) (type: string)Sets the lock directory of the instance.
log-dir
(default: "/var/log/dirsrv/slapd-{instance_name}"
) (type: string)Sets the log directory of the instance.
run-dir
(default: "/run/dirsrv"
) (type: string)Sets PID directory of the instance.
schema-dir
(default: "/etc/dirsrv/slapd-{instance_name}/schema"
) (type: string)Sets schema directory of the instance.
tmp-dir
(default: "/tmp"
) (type: string)Sets the temporary directory of the instance.
backend-userroot
(type: backend-userroot-configuration)Configuration of the userroot backend.
Available backend-userroot-configuration
fields are:
create-suffix-entry?
(default: #false
) (type: boolean)Set this parameter to #true
to create a generic root node entry for
the suffix in the database.
require-index?
(default: #false
) (type: boolean)Set this parameter to #true
to refuse unindexed searches in this
database.
sample-entries
(default: "no"
) (type: string)Set this parameter to "yes"
to add latest version of sample entries
to this database. Or, use "001003006"
to use the 1.3.6 version
sample entries. Use this option, for example, to create a database for
testing purposes.
suffix
(type: maybe-string)Sets the root suffix stored in this database. If you do not set the suffix attribute the install process will not create the backend/suffix. You can also create multiple backends/suffixes by duplicating this section.
Próximo: Serviços Web, Anterior: Serviços Kerberos, Acima: Serviços [Conteúdo][Índice]