Formation Postfix - Configuration LDAP : Différence entre versions

De PedroWiki
(Nouvelle page : = /etc/postfix/ldapusers.conf = server_host = annuaire.insa-rennes.fr server_port = 389 search_base = dc=insa-rennes,dc=fr query_filter = uid=%s result_attribute = uid version...)
 
m
 
(Une révision intermédiaire par le même utilisateur non affichée)
Ligne 16 : Ligne 16 :
 
  query_filter = mail=%s
 
  query_filter = mail=%s
 
  result_attribute = uid
 
  result_attribute = uid
 +
 +
= /etc/pam_ldap.conf =
 +
 +
###DEBCONF###
 +
# the configuration of this file will be done by debconf as long as the
 +
# first line of the file says '###DEBCONF###'
 +
#
 +
# you should use dpkg-reconfigure to configure this file
 +
#
 +
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
 +
#
 +
# This is the configuration file for the LDAP nameservice
 +
# switch library and the LDAP PAM module.
 +
#
 +
# PADL Software
 +
# http://www.padl.com
 +
#
 +
 +
# Your LDAP server. Must be resolvable without using LDAP.
 +
# Multiple hosts may be specified, each separated by a
 +
# space. How long nss_ldap takes to failover depends on
 +
# whether your LDAP client library supports configurable
 +
# network or connect timeouts (see bind_timelimit).
 +
#host 127.0.0.1
 +
 +
#host annuaire.insa-rennes.fr
 +
# The distinguished name of the search base.
 +
'''base dc=insa-rennes,dc=fr'''
 +
 +
# Another way to specify your LDAP server is to provide an
 +
'''uri ldap://annuaire.insa-rennes.fr'''
 +
# Unix Domain Sockets to connect to a local LDAP Server.
 +
#uri ldap://127.0.0.1/
 +
#uri ldaps://127.0.0.1/
 +
#uri ldapi://%2fvar%2frun%2fldapi_sock/
 +
# Note: %2f encodes the '/' used as directory separator
 +
 +
# The LDAP version to use (defaults to 3
 +
# if supported by client library)
 +
'''ldap_version 3'''
 +
# The distinguished name to bind to the server with.
 +
# Optional: default is to bind anonymously.
 +
#binddn cn=proxyuser,dc=padl,dc=com
 +
 +
# The credentials to bind with.
 +
# Optional: default is no credential.
 +
#bindpw secret
 +
 +
# The distinguished name to bind to the server with
 +
# if the effective user ID is root. Password is
 +
# stored in /etc/pam_ldap.secret (mode 600)
 +
#rootbinddn cn=manager,dc=padl,dc=com
 +
 +
# The port.
 +
# Optional: default is 389.
 +
#port 389
 +
 +
# The search scope.
 +
#scope sub
 +
#scope one
 +
#scope base
 +
 +
# Search timelimit
 +
#timelimit 30
 +
 +
# Bind/connect timelimit
 +
#bind_timelimit 30
 +
 +
# Reconnect policy: hard (default) will retry connecting to
 +
# the software with exponential backoff, soft will fail
 +
# immediately.
 +
#bind_policy hard
 +
 +
# Idle timelimit; client will close connections
 +
# (nss_ldap only) if the server has not been contacted
 +
# for the number of seconds specified below.
 +
#idle_timelimit 3600
 +
# Filter to AND with uid=%s
 +
#pam_filter objectclass=account
 +
 +
# The user ID attribute (defaults to uid)
 +
#pam_login_attribute uid
 +
 +
# Search the root DSE for the password policy (works
 +
# with Netscape Directory Server)
 +
#pam_lookup_policy yes
 +
 +
# Check the 'host' attribute for access control
 +
# Default is no; if set to yes, and user has no
 +
# value for the host attribute, and pam_ldap is
 +
# configured for account management (authorization)
 +
# then the user will not be allowed to login.
 +
#pam_check_host_attr yes
 +
 +
# Check the 'authorizedService' attribute for access
 +
# control
 +
# Default is no; if set to yes, and the user has no
 +
# value for the authorizedService attribute, and
 +
# pam_ldap is configured for account management
 +
# (authorization) then the user will not be allowed
 +
# to login.
 +
#pam_check_service_attr yes
 +
 +
# Group to enforce membership of
 +
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
 +
 +
# Group member attribute
 +
#pam_member_attribute uniquemember
 +
 +
# Specify a minium or maximum UID number allowed
 +
#pam_min_uid 0
 +
#pam_max_uid 0
 +
 +
# Template login attribute, default template user
 +
# (can be overriden by value of former attribute
 +
# in user's entry)
 +
#pam_login_attribute userPrincipalName
 +
#pam_template_login_attribute uid
 +
#pam_template_login nobody
 +
 +
# HEADS UP: the pam_crypt, pam_nds_passwd,
 +
# and pam_ad_passwd options are no
 +
# longer supported.
 +
#
 +
# If you are using XAD, you can set pam_password
 +
# to racf, ad, or exop. Make sure that you have
 +
# SSL enabled.
 +
 +
# Do not hash the password at all; presume
 +
# the directory server will do it, if
 +
# necessary. This is the default.
 +
pam_password crypt
 +
 +
# Hash password locally; required for University of
 +
# Michigan LDAP server, and works with Netscape
 +
# Directory Server if you're using the UNIX-Crypt
 +
# hash mechanism and not using the NT Synchronization
 +
# service.
 +
#pam_password crypt
 +
 +
# Remove old password first, then update in
 +
# cleartext. Necessary for use with Novell
 +
# Directory Services (NDS)
 +
#pam_password clear_remove_old
 +
#pam_password nds
 +
 +
# RACF is an alias for the above. For use with
 +
# IBM RACF
 +
#pam_password racf
 +
 +
# Update Active Directory password, by
 +
# creating Unicode password and updating
 +
# unicodePwd attribute.
 +
#pam_password ad
 +
 +
# Use the OpenLDAP password change
 +
# extended operation to update the password.
 +
#pam_password exop
 +
 +
# Redirect users to a URL or somesuch on password
 +
# changes.
 +
#pam_password_prohibit_message Please visit http://internal to change your password.
 +
 +
# RFC2307bis naming contexts
 +
# Syntax:
 +
# nss_base_XXX          base?scope?filter
 +
# where scope is {base,one,sub}
 +
# and filter is a filter to be &'d with the
 +
# default filter.
 +
# You can omit the suffix eg:
 +
# nss_base_passwd      ou=People,
 +
# to append the default base DN but this
 +
# may incur a small performance impact.
 +
#nss_base_passwd        ou=People,dc=padl,dc=com?one
 +
#nss_base_shadow        ou=People,dc=padl,dc=com?one
 +
#nss_base_group        ou=Group,dc=padl,dc=com?one
 +
#nss_base_hosts        ou=Hosts,dc=padl,dc=com?one
 +
#nss_base_services      ou=Services,dc=padl,dc=com?one
 +
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
 +
#nss_base_protocols    ou=Protocols,dc=padl,dc=com?one
 +
#nss_base_rpc          ou=Rpc,dc=padl,dc=com?one
 +
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
 +
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
 +
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
 +
#nss_base_aliases      ou=Aliases,dc=padl,dc=com?one
 +
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
 +
 +
# attribute/objectclass mapping
 +
# Syntax:
 +
#nss_map_attribute      rfc2307attribute        mapped_attribute
 +
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
 +
 +
# configure --enable-nds is no longer supported.
 +
# NDS mappings
 +
#nss_map_attribute uniqueMember member
 +
 +
# Services for UNIX 3.5 mappings
 +
#nss_map_objectclass posixAccount User
 +
#nss_map_objectclass shadowAccount User
 +
#nss_map_attribute uid msSFU30Name
 +
#nss_map_attribute uniqueMember msSFU30PosixMember
 +
#nss_map_attribute userPassword msSFU30Password
 +
#nss_map_attribute homeDirectory msSFU30HomeDirectory
 +
#nss_map_attribute homeDirectory msSFUHomeDirectory
 +
#nss_map_objectclass posixGroup Group
 +
#pam_login_attribute msSFU30Name
 +
#pam_filter objectclass=User
 +
#pam_password ad
 +
 +
# configure --enable-mssfu-schema is no longer supported.
 +
# Services for UNIX 2.0 mappings
 +
#nss_map_objectclass posixAccount User
 +
#nss_map_objectclass shadowAccount user
 +
#nss_map_attribute uid msSFUName
 +
#nss_map_attribute uniqueMember posixMember
 +
#nss_map_attribute userPassword msSFUPassword
 +
#nss_map_attribute homeDirectory msSFUHomeDirectory
 +
#nss_map_attribute shadowLastChange pwdLastSet
 +
#nss_map_objectclass posixGroup Group
 +
#nss_map_attribute cn msSFUName
 +
#pam_login_attribute msSFUName
 +
#pam_filter objectclass=User
 +
#pam_password ad
 +
 +
# RFC 2307 (AD) mappings
 +
#nss_map_objectclass posixAccount user
 +
#nss_map_objectclass shadowAccount user
 +
#nss_map_attribute uid sAMAccountName
 +
#nss_map_attribute homeDirectory unixHomeDirectory
 +
#nss_map_attribute shadowLastChange pwdLastSet
 +
#nss_map_objectclass posixGroup group
 +
#nss_map_attribute uniqueMember member
 +
#pam_login_attribute sAMAccountName
 +
#pam_filter objectclass=User
 +
#pam_password ad
 +
 +
# configure --enable-authpassword is no longer supported
 +
# AuthPassword mappings
 +
#nss_map_attribute userPassword authPassword
 +
 +
# AIX SecureWay mappings
 +
#nss_map_objectclass posixAccount aixAccount
 +
#nss_base_passwd ou=aixaccount,?one
 +
#nss_map_attribute uid userName
 +
#nss_map_attribute gidNumber gid
 +
#nss_map_attribute uidNumber uid
 +
#nss_map_attribute userPassword passwordChar
 +
#nss_map_objectclass posixGroup aixAccessGroup
 +
#nss_base_group ou=aixgroup,?one
 +
#nss_map_attribute cn groupName
 +
#nss_map_attribute uniqueMember member
 +
#pam_login_attribute userName
 +
#pam_filter objectclass=aixAccount
 +
#pam_password clear
 +
 +
# Netscape SDK LDAPS
 +
#ssl on
 +
 +
# Netscape SDK SSL options
 +
#sslpath /etc/ssl/certs/cert7.db
 +
 +
# OpenLDAP SSL mechanism
 +
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
 +
#ssl start_tls
 +
#ssl on
 +
# OpenLDAP SSL options
 +
# Require and verify server certificate (yes/no)
 +
# Default is to use libldap's default behavior, which can be configured in
 +
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
 +
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
 +
#tls_checkpeer yes
 +
 +
# CA certificates for server certificate verification
 +
# At least one of these are required if tls_checkpeer is "yes"
 +
#tls_cacertfile /etc/ssl/ca.cert
 +
#tls_cacertdir /etc/ssl/certs
 +
 +
# Seed the PRNG if /dev/urandom is not provided
 +
#tls_randfile /var/run/egd-pool
 +
 +
# SSL cipher suite
 +
# See man ciphers for syntax
 +
#tls_ciphers TLSv1
 +
 +
# Client certificate and key
 +
# Use these, if your server requires client authentication.
 +
#tls_cert
 +
#tls_key
 +
 +
# Disable SASL security layers. This is needed for AD.
 +
#sasl_secprops maxssf=0
 +
 +
# Override the default Kerberos ticket cache location.
 +
#krb5_ccname FILE:/etc/.ldapcache
 +
 +
# SASL mechanism for PAM authentication - use is experimental
 +
# at present and does not support password policy control
 +
#pam_sasl_mech DIGEST-MD5
 +
 +
= /etc/saslauthd.conf =
 +
 +
ldap_servers: ldap://annuaire.insa-rennes.fr
 +
ldap_search_base: dc=insa-rennes,dc=fr
  
 
[[Category:Configuration]]
 
[[Category:Configuration]]
 
[[Category:Postfix]]
 
[[Category:Postfix]]
 
[[Category:LDAP]]
 
[[Category:LDAP]]
 +
[[Category:A MODIFIER]]

Version actuelle datée du 24 septembre 2008 à 08:22

/etc/postfix/ldapusers.conf

server_host = annuaire.insa-rennes.fr
server_port = 389
search_base = dc=insa-rennes,dc=fr
query_filter = uid=%s
result_attribute = uid
version = 3

/etc/postfix/ldap-loginsasl.conf

version = 3
server_host = ldap://annuaire.insa-rennes.fr
server_port = 389
search_base = dc=insa-rennes,dc=fr
query_filter = mail=%s
result_attribute = uid

/etc/pam_ldap.conf

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

#host annuaire.insa-rennes.fr
# The distinguished name of the search base.
base dc=insa-rennes,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://annuaire.insa-rennes.fr
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/pam_ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password crypt

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5

/etc/saslauthd.conf

ldap_servers: ldap://annuaire.insa-rennes.fr
ldap_search_base: dc=insa-rennes,dc=fr