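#
# This is the configuration file for the LDAP nameservice
# switch library (nss_ldap), the LDAP PAM module (pam_ldap)
# and the shadow package.
#
# SECURITY NOTE (review): nss_ldap needs this file to be readable by
# every local user, so anything written here (the bindpw below in
# particular) is effectively public on this host. Keep privileged
# credentials out of this file; see the bind section.
#

# Your LDAP server. Must be resolvable without using LDAP.
# Loopback is the only thing currently keeping the cleartext traffic
# produced by "ssl off" below off the network.
host 127.0.0.1

# The distinguished name of the search base.
base dc=example,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
# NOTE (review): "crypt" stores traditional crypt(3) hashes, which are
# weak by current standards. If the server supports the password-modify
# extended operation (RFC 3062), "pam_password exop" lets the server
# apply its own (stronger) hashing instead -- confirm server support
# before changing.
pam_password crypt

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=ldapadmin,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
# SECURITY NOTE (review): this password is stored in cleartext in a
# world-readable file, and the DN above appears to be a directory
# administrator. Prefer a dedicated read-only lookup account here, and
# use "rootbinddn" with the password in /etc/ldap.secret (mode 0600,
# owned by root) for any privileged bind.
bindpw secret

nss_map_attribute uniqueMember member

#--- SSL/TLS setting ---#
# OpenLDAP SSL mechanism
# 2007-07-20, chhaas: because of the following errors in /var/log/messages
#   pam_ldap: ldap_starttls_s: Connect error
#   saslauthd: pam_ldap: ldap_result Can't contact LDAP server
#   pam_ldap: ldap_simple_bind Can't contact LDAP server
# SSL had to be disabled explicitly:
# ssl on
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
# ssl start_tls
#
# SECURITY NOTE (review): with "ssl off" the bindpw and every user
# password verified through pam_ldap cross the connection in cleartext.
# This is only tolerable because "host" is loopback; if the server ever
# moves off this machine, fix the StartTLS failure instead of leaving
# this off (a "Connect error" on ldap_starttls_s is typically a
# certificate/CA trust problem -- check with "ldapsearch -ZZ").
# 2007-07-20, chhaas:
ssl off

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
# Set to "yes" so that, when TLS is re-enabled, an unverifiable server
# certificate fails closed instead of silently permitting a
# man-in-the-middle. Has no effect while "ssl off" is in force.
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertdir /etc/ssl/certs
tls_cacertfile /etc/ssl/certs/ca_cert.pem

# SSL cipher suite
# See man ciphers for syntax
# The previous list (ALL:TLSv1:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP)
# still permitted RC4, export-grade and LOW-strength suites -- a leading
# "+" only reorders a suite to the end of the list, it does not remove
# it. Restrict to HIGH-strength suites with authentication and
# encryption, and explicitly drop the weak families. Note that
# tls_ciphers selects suites only; it does not pin the protocol version.
tls_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES

# Client certificate and key
# Use these, if your server requires client authentication.
# The private key must be readable only by the processes that need it
# (keep /etc/ssl/private restricted); it must not inherit the
# world-readable permissions this config file requires.
tls_cert /etc/ssl/certs/station7_cert.pem
tls_key /etc/ssl/private/station7_key.pem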