Kapisi/roles/Password/templates/nscld.conf.j2

# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldap://{{ ldap['server'] }}/

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name of the search base.
base {{ ldap['orgdn'] }}

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }}

# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
bindpw {{ secrets['Sora']['bindpassword'] }}

# The distinguished name to perform password modifications by root by.
rootpwmoddn cn=root,{{ ldap['orgdn'] }}

# The default search scope.
scope sub
#filter (&(!(pwdReset=TRUE))(objectClass=person))
#scope one
#scope base

# Customize certain database lookups.
base   group  {{ ldap['groupou'] }},{{ ldap['orgdn'] }}
base   passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }}
base   shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }}
#scope  group  onelevel
scope  hosts  sub

# Bind/connect timelimit.
#bind_timelimit 30

# Search timelimit.
#timelimit 30

# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.
#ssl start_tls
#tls_reqcert never

# CA certificates for server certificate verification
#tls_cacertdir /etc/ssl/certs
#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00			`# This is the configuration file for the LDAP nameservice`
			`# switch library's nslcd daemon. It configures the mapping`
			`# between NSS names (see /etc/nsswitch.conf) and LDAP`
			`# information in the directory.`
			`# See the manual page nslcd.conf(5) for more information.`

			`# The user and group nslcd should run as.`
			`uid nslcd`
			`gid nslcd`

			`# The uri pointing to the LDAP server to use for name lookups.`
			`# Multiple entries may be specified. The address that is used`
			`# here should be resolvable without using LDAP (obviously).`
			`#uri ldap://127.0.0.1/`
			`#uri ldaps://127.0.0.1/`
			`#uri ldapi://%2fvar%2frun%2fldapi_sock/`
			`# Note: %2f encodes the '/' used as directory separator`
			`uri ldap://{{ ldap['server'] }}/`

			`# The LDAP version to use (defaults to 3`
			`# if supported by client library)`
			`#ldap_version 3`

			`# The distinguished name of the search base.`
			`base {{ ldap['orgdn'] }}`

			`# The distinguished name to bind to the server with.`
			`# Optional: default is to bind anonymously.`
			`binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }}`

			`# The credentials to bind with.`
			`# Optional: default is no credentials.`
			`# Note that if you set a bindpw you should check the permissions of this file.`
			`bindpw {{ secrets['Sora']['bindpassword'] }}`

			`# The distinguished name to perform password modifications by root by.`
			`rootpwmoddn cn=root,{{ ldap['orgdn'] }}`

			`# The default search scope.`
			`scope sub`
			`#filter (&(!(pwdReset=TRUE))(objectClass=person))`
			`#scope one`
			`#scope base`

			`# Customize certain database lookups.`
			`base group {{ ldap['groupou'] }},{{ ldap['orgdn'] }}`
			`base passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }}`
			`base shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }}`
			`#scope group onelevel`
			`scope hosts sub`

			`# Bind/connect timelimit.`
			`#bind_timelimit 30`

			`# Search timelimit.`
			`#timelimit 30`

			`# Idle timelimit. nslcd will close connections if the`
			`# server has not been contacted for the number of seconds.`
			`#idle_timelimit 3600`

			`# Use StartTLS without verifying the server certificate.`
			`#ssl start_tls`
			`#tls_reqcert never`

			`# CA certificates for server certificate verification`
			`#tls_cacertdir /etc/ssl/certs`
			`#tls_cacertfile /etc/ssl/ca.cert`

			`# Seed the PRNG if /dev/urandom is not provided`
			`#tls_randfile /var/run/egd-pool`

			`# SSL cipher suite`
			`# See man ciphers for syntax`
			`#tls_ciphers TLSv1`

			`# Client certificate and key`
			`# Use these, if your server requires client authentication.`
			`#tls_cert`
			`#tls_key`