The file nslcd.conf contains the configuration information for running nslcd (see nslcd(8)). The file contains options, one on each line, defining the way NSS lookups and PAM actions are mapped to LDAP lookups.
Alternatively, the value DNS may be used to try to look up the server using DNS SRV records. By default the current domain is used but another domain can be queried by using the DNS:DOMAIN syntax. To convert SRV records for port 389 into an ldaps:// URI, DNSLDAPS can be used.
When using the ldapi scheme, %2f should be used to escape slashes (e.g. ldapi://%2fvar%2frun%2fslapd%2fldapi/), although most of the time this should not be needed.
This option may be specified multiple times and/or with more URIs on the line, separated by spaces. Normally, only the first server will be used with the following servers as fall-back (see bind_timelimit below).
If LDAP lookups are used for host name resolution, any host names should be specified as an IP address or name that can be resolved without using LDAP.
Note that currently this DN needs to exist as a real entry in the LDAP directory.
A global search base may be specified or a MAP-specific one. If no MAP-specific search bases are defined the global ones are used.
If, instead of a DN, the value DOMAIN is specified, the host's DNS domain is used to construct a search base. A value of "" can be used to indicate an empty search base (quotes are not otherwise supported for base values and not all LDAP server configurations support this).
If this value is not defined an attempt is made to look it up in the configured LDAP server. If the LDAP server is unavailable during start-up nslcd will not start.
If the NEWATTRIBUTE is presented in quotes (") it is treated as an expression which will be evaluated to build up the actual value used. See the section on attribute mapping expressions below for more details.
Only some attributes for group, passwd and shadow entries may be mapped with an expression (because other attributes may be used in search filters). For group entries only the userPassword attribute may be mapped with an expression. For passwd entries the following attributes may be mapped with an expression: userPassword, gidNumber, gecos, homeDirectory and loginShell. For shadow entries the following attributes may be mapped with an expression: userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire and shadowFlag.
The uidNumber and gidNumber attributes in the passwd and group maps may be mapped to the objectSid followed by the domain SID to derive numeric user and group ids from the SID (e.g. objectSid:S-1-5-21-3623811015-3361044348-30300820).
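As an added illustration of the objectSid mapping described above (not code from nss-pam-ldapd), the following Python decodes a binary objectSid as Active Directory returns it and derives the numeric id from its RID, refusing any SID outside the configured domain; the domain SID is the one from the example above and the RID 1104 is a constructed sample.

```python
import struct

# Domain SID taken from the example above (map ... uidNumber objectSid:S-1-5-21-...).
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"


def sid_to_string(blob):
    """Decode a binary objectSid value into the textual S-R-I-S-S... form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")       # 48-bit identifier authority
    subs = struct.unpack("<%dI" % count, blob[8:])      # little-endian 32-bit sub-authorities
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_id(sid, domain_sid=DOMAIN_SID):
    """Derive a numeric id from a SID: its RID, but only when the SID belongs to domain_sid."""
    prefix, sep, rid = sid.rpartition("-")
    if not sep or prefix != domain_sid or not rid.isdigit():
        # A SID from another domain (or a well-known SID) must not yield an id here.
        raise ValueError("%s is not a member SID of %s" % (sid, domain_sid))
    return int(rid)


def objectsid_to_id(blob, domain_sid=DOMAIN_SID):
    """Binary objectSid -> numeric uid/gid, as the objectSid:DOMAINSID mapping intends."""
    return sid_to_id(sid_to_string(blob), domain_sid)


# Constructed sample: revision 1, 5 sub-authorities, authority 5, the domain SID above, RID 1104.
SAMPLE_OBJECTSID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 1104))

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_OBJECTSID), "->", objectsid_to_id(SAMPLE_OBJECTSID))
```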
By default all userPassword attributes are mapped to the unmatchable password ("*") to avoid accidentally leaking password information.
Note that the reconnect logic as described above is the mechanism that is used between nslcd and the LDAP server. The mechanism between the NSS and PAM client libraries on one end and nslcd on the other is simpler, with a fixed compiled-in time out of 10 seconds for writing to nslcd and a time out of 60 seconds for reading answers. nslcd itself has a read time out of 0.5 seconds and a write time out of 60 seconds.
This is useful for LDAP servers that contain a lot of entries (e.g. more than 500) and limit the number of entries that are returned with one request. For OpenLDAP servers you may need to set sizelimit size.prtotal=unlimited for allowing more entries to be returned over multiple pages.
Alternatively, the value ALLLOCAL may be used. With that value nslcd builds a full list of non-LDAP users on startup.
The value from the nss_min_uid option is evaluated after applying the offset.
This can offer a speed-up on systems that have very large groups. It has the downside of returning inconsistent information about group membership which may confuse some applications. This option is not recommended for most configurations.
This can dramatically reduce LDAP server load in situations where there are a great number of users and/or groups. This is typically used in situations where user/program access to enumerate the entire directory is undesirable, and changing the behavior of the user/program is not possible. This option is not recommended for most configurations.
The regular expression should be specified as a POSIX extended regular expression. The expression itself needs to be separated by slash (/) characters and the 'i' flag may be appended at the end to indicate that the match should be case-insensitive. The default value is /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
A search filter can be specified that will be used instead. The same substitutions as with the pam_authz_search option will be performed and the search should at least return one entry.
The value BASE may be used to force the default search for the user DN.
The value NONE may be used to indicate that no search should be performed after BIND. Note that some LDAP servers do not always return a correct error code as a result of a failed BIND operation (e.g. when an empty password is supplied).
The search filter can contain the following variable references: $username, $service, $ruser, $rhost, $tty, $hostname, $fqdn, $domain, $dn, and $uid. These references are substituted in the search filter using the same syntax as described in the section on attribute mapping expressions below.
For example, to check that the user has a proper authorizedService value if the attribute is present (this almost emulates the pam_check_service_attr option in PADL's pam_ldap):
(&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(!(authorizedService=*))))
The pam_check_host_attr option can be emulated with:
(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\*)))
This option may be specified multiple times and all specified searches should at least return one entry for access to be granted.
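An added Python example (not part of nslcd) that ties the validnames default above to the pam_authz_search filters just shown: the username is checked against the default expression before the $variable references are substituted. The RFC 4515 escaping of substituted values is a defensive assumption of this example, not documented nslcd behaviour.

```python
import re

# The default validnames expression from above; the /.../i delimiters become re.IGNORECASE.
VALIDNAMES = re.compile(r"^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$", re.IGNORECASE)

# The two pam_authz_search filters quoted above.
SERVICE_FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
                  "(|(authorizedService=$service)(!(authorizedService=*))))")
HOST_FILTER = ("(&(objectClass=posixAccount)(uid=$username)"
               "(|(host=$hostname)(host=$fqdn)(host=\\*)))")

VAR_RE = re.compile(r"\$(\w+|\{\w+\})")      # $name or ${name} references


def valid_name(name):
    """True if name is accepted by the default validnames expression."""
    return VALIDNAMES.fullmatch(name) is not None


def ldap_escape(value):
    """RFC 4515 escaping of characters special inside a filter value (assumes ASCII input)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand_filter(template, variables):
    """Substitute every $name / ${name} reference; each value is escaped before insertion."""
    def repl(match):
        name = match.group(1).strip("{}")
        if name not in variables:
            raise KeyError("no value for $%s in filter" % name)
        return ldap_escape(variables[name])
    return VAR_RE.sub(repl, template)


def authz_filter(template, username, **context):
    """Build the filter for one PAM request, refusing names validnames would reject."""
    if not valid_name(username):
        raise ValueError("username %r rejected by validnames" % username)
    return expand_filter(template, dict(context, username=username))


if __name__ == "__main__":
    print(authz_filter(SERVICE_FILTER, "alice", service="sshd"))
    print(authz_filter(HOST_FILTER, "alice", hostname="web1", fqdn="web1.example.org"))
```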
DB can refer to one of the nsswitch maps, in which case nscd is contacted to flush its cache for the specified database. If DB is nfsidmap, nfsidmap is contacted to clear its cache.
Using this option ensures that external caches are cleared of incorrect information (typically the absence of users) that may be present due to unavailability of the LDAP server.
The first TIME value specifies the time to keep found entries in the cache. The second TIME value specifies the time to remember that a particular entry was not found. If the second parameter is absent, it is assumed to be the same as the first.
Time values are specified as a number followed by an s for seconds, m for minutes, h for hours or d for days. Use 0 or off to disable the cache.
Currently, only the dn2uid cache is supported; it remembers DN to username lookups, which are performed when the member attribute is used. The default time value for this cache is 15m.
Only the # matching expression is supported in nslcd and only with the ? wildcard symbol. The pynslcd implementation supports full matching.
Quote ("), dollar ($) and backslash (\) characters should be escaped with a backslash (\).
The expressions are inspected to automatically fetch the appropriate attributes from LDAP. Some examples to demonstrate how these expressions may be used in attribute mapping:
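As an added example (not from nslcd or pynslcd), a small evaluator in Python for the quoted expression syntax described here: $attr and ${attr} references, the ${attr#pattern} form with only the ? wildcard, and the backslash escaping rule above. The ${attr:-default} fallback form it also handles comes from nslcd.conf(5) but is not on this page, and the mapping and entry values are constructed.

```python
import re


def _close_brace(expr, start):
    """Index of the '}' matching the '{' at expr[start] (nested ${...} allowed)."""
    depth = 0
    for i in range(start, len(expr)):
        depth += {"{": 1, "}": -1}.get(expr[i], 0)
        if depth == 0:
            return i
    raise ValueError("unterminated ${...} in %r" % expr)


def _expand_var(body, attrs):
    m = re.match(r"(\w+)(?:(:-|#)(.*))?\Z", body, re.S)
    if not m:
        raise ValueError("bad reference ${%s}" % body)
    name, op, arg = m.groups()
    value = attrs.get(name, "")
    if op == ":-" and not value:        # ${attr:-default}: the default is itself an expression
        return eval_expr(arg, attrs)
    if op == "#":                       # ${attr#pattern}: drop a matching prefix, ? matches one char
        regex = "".join("." if ch == "?" else re.escape(ch) for ch in arg)
        return re.sub(r"\A" + regex, "", value, count=1)
    return value


def eval_expr(expr, attrs):
    """Evaluate the text between the quotes of a mapped attribute against one LDAP entry."""
    out, i = [], 0
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):         # \" \$ \\ yield the literal character
            out.append(expr[i + 1]); i += 2
        elif ch == "$" and expr.startswith("{", i + 1):
            end = _close_brace(expr, i + 1)
            out.append(_expand_var(expr[i + 2:end], attrs)); i = end + 1
        elif ch == "$":
            m = re.match(r"\w+", expr[i + 1:])
            if not m:
                raise ValueError("dangling $ in %r" % expr)
            out.append(attrs.get(m.group(0), "")); i += 1 + len(m.group(0))
        else:
            out.append(ch); i += 1
    return "".join(out)


# Constructed passwd mapping: only attributes the text allows expressions for.
PASSWD_MAP = {"gecos": "${gecos#????}",                  # drop a four-character prefix such as EMP-
              "homeDirectory": "${homeDirectory:-/home/$uid}",
              "loginShell": "${loginShell:-/bin/bash}"}
ENTRY = {"uid": "alice", "gecos": "EMP-Alice Example", "loginShell": "/bin/zsh"}  # constructed


def map_entry(mapping, entry):
    return {attr: eval_expr(expr, entry) for attr, expr in mapping.items()}
```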