Arthur de Jong nslcd.conf 5 Version @PROGRAM_VERSION@ System Manager's Manual Jun 2014 nslcd.conf configuration file for LDAP nameservice daemon The @PACKAGE_NAME@ package allows LDAP directory servers to be used as a primary source of name service information. (Name service information typically includes users, hosts, groups, and other such data historically stored in flat files or NIS.) The file nslcd.conf contains the configuration information for running nslcd (see nslcd8). The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups. threads NUM Specifies the number of threads to start that can handle requests and perform LDAP queries. Each thread opens a separate connection to the LDAP server. The default is to start 5 threads. yamldir PATH Specifies where hackers.git is checked out to. nss_initgroups_ignoreusers user1,user2,... This option prevents group membership lookups through LDAP for the specified users. This can be useful in case of unavailability of the LDAP server. This option may be specified multiple times. Alternatively, the value ALLLOCAL may be used. With that value nslcd builds a full list of non-LDAP users on startup. nss_min_uid UID This option ensures that LDAP users with a numeric user id lower than the specified value are ignored. Also requests for users with a lower user id are ignored. nss_nested_groups yes|no If this option is set, the member attribute of a group may point to another group. Members of nested groups are also returned in the higher level group and parent groups are returned when finding groups for a specific user. The default is not to perform extra searches for nested groups. validnames REGEX This option can be used to specify how user and group names are verified within the system. This pattern is used to check all user and group names that are requested and returned from LDAP. The regular expression should be specified as a POSIX extended regular expression. The expression itself needs to be separated by slash (/) characters and the 'i' flag may be appended at the end to indicate that the match should be case-insensetive. The default value is /^[a-z0-9._@$()]([a-z0-9._@$() \\~-]*[a-z0-9._@$()~-])?$/i ignorecase yes|no This specifies whether or not to perform searches for group, netgroup, passwd, protocols, rpc, services and shadow maps using case-insensitive matching. Setting this to yes could open up the system to authorisation vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow denial of service. The default is to perform case-sensitve filtering of LDAP search results for the above maps. pam_password_prohibit_message "MESSAGE" If this option is set password modification using pam_ldap will be denied and the specified message will be presented to the user instead. The message can be used to direct the user to an alternative means of changing their password. reconnect_invalidate DB,DB,... If this option is set, on start-up and whenever a connection to the LDAP server is re-established after an error the specified caches are flushed. If DB is one of the nsswitch maps, nscd is contacted to flush its cache for the specified database. If DB is nfsidmap, nfsidmap is contacted to clear its cache. Using this option ensures that external caches are cleared of information (typically the absence of users) while the LDAP server was unavailable. @NSLCD_CONF_PATH@ the main configuration file /etc/nsswitch.conf Name Service Switch configuration file nslcd8, nsswitch.conf5 This manual was written by Arthur de Jong <arthur@arthurdejong.org> and is based on the nss_ldap5 manual developed by PADL Software Pty Ltd.