# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
#
# Format: one "option value..." directive per line; comments are full lines
# starting with '#'.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
# NOTE(review): this is a plain ldap:// URI and nothing in this file enables
# TLS, so NSS lookups and the password binds made for PAM authentication
# cross the network unencrypted. If the server supports it, consider
# StartTLS with certificate verification, for example:
#ssl start_tls
#tls_reqcert demand
#tls_cacertfile <path to the CA certificate for ldap.local>
uri ldap://ldap.local

# No binddn/bindpw is configured, so lookups use an anonymous bind.
# NOTE(review): confirm the directory ACLs do not expose userPassword or
# other sensitive attributes to anonymous searches under these bases.

# The search bases, set per map: accounts (passwd and shadow) live under
# ou=Persons, groups under ou=Groups.
base passwd ou=Persons,dc=tika,dc=stderr,dc=nl
base shadow ou=Persons,dc=tika,dc=stderr,dc=nl
base group ou=Groups,dc=tika,dc=stderr,dc=nl

# Only entries carrying these object classes are visible through NSS.
filter passwd (objectClass=maroesjaSystemIdentity)
filter shadow (objectClass=maroesjaSystemIdentity)
filter group (objectClass=maroesjaSystemGroup)

# Note that this uses maroesjaSystemLoginIdentity instead of
# maroesjaSystemIdentity above. This is important, since maroesjaSystemIdentities
# should show up in NSS, but should not be allowed to log in. They'll
# probably miss other attributes too, like host or uidNumber, but this makes
# sure they can never log in.
#
# How the filter works: access is granted only if the search returns at least
# one entry, i.e. the user is a maroesjaSystemLoginIdentity whose host
# attribute names this machine ($hostname or $fqdn) or is a literal "*"
# (the \\* alternative, as in the nslcd.conf(5) example).
# NOTE(review): this is an authorisation check, not an authentication check.
# It only protects services whose PAM stack calls pam_ldap in the account
# phase; verify that for every login path on this host (sshd, su, cron, ...).
pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))

# This is needed with nss-pam-ldapd before 0.8.4: read group membership from
# the "member" attribute where nslcd would otherwise look for uniqueMember.
map group uniqueMember member

# When root wants to change the password of an LDAP user, do a bind as this
# user (the password will be prompted; it is not stored in this file).
rootpwmoddn cn=admin,dc=tika,dc=stderr,dc=nl