# Example /etc/nsscache.conf - configuration for nsscache
#
# nsscache loads a config file from the environment variable NSSCACHE_CONFIG
#
# By default this is /etc/nsscache.conf
#
# Commented values are overrideable defaults, uncommented values
# require you to set them.
#
# Format notes:
# - Keys in [DEFAULT] apply to every map unless a per-map section
#   (e.g. [group], [shadow]) overrides them; see the per-map sections below.
# - Comments start in column 0 with '#'. Do not append a comment after a
#   value on the same line; it would become part of the value.
# - This file can hold credentials (ldap_bind_password, TLS key paths);
#   restrict it to the user nsscache runs as (e.g. mode 0600) and keep it
#   out of version control.
[DEFAULT]
# Default NSS data source module name
source = ldap
# Default NSS data cache module name; 'files' is compatible with the
# libnss-cache NSS module. 'nssdb' is deprecated, and should not be used for
# new installations.
cache = files
# NSS maps to be cached
# Comma-separated list. Each map may have its own [mapname] section below.
maps = passwd, group, shadow, netgroup, automount
# Directory to store our update/modify timestamps
timestamp_dir = /var/lib/nsscache
# Lockfile to use for update/repair operations
#lockfile = /var/run/nsscache
# Defaults for specific modules; prefaced with "modulename_"
##
# ldap module defaults.
#
# Enable to connect to Active Directory. If enabled (set to 1),
# default Active Directory attributes will be used for mapping.
# Leave disabled if connecting to openldap.
#ldap_ad = 1
# LDAP URI to query for NSS data
# Use ldaps:// (or ldap:// together with ldap_tls_starttls) so that the
# directory data feeding passwd/group/shadow is not read over cleartext.
# When certificates are verified, the host name here is expected to match
# the server certificate.
ldap_uri = ldaps://ldap
# Base for LDAP searches
ldap_base = ou=people,dc=example,dc=com
# Default LDAP search filter for maps
ldap_filter = (objectclass=posixAccount)
# Default LDAP search scope
#ldap_scope = one
# Default LDAP BIND DN, empty string is an anonymous bind
# NOTE(review): Python's configparser keeps quote characters as part of the
# value; confirm that nsscache strips them before relying on "" meaning empty.
#ldap_bind_dn = ""
# Default LDAP password, empty DN and empty password is used for
# anonymous binds
# Stored in cleartext; see the file-permission note in the header.
#ldap_bind_password = ""
# Default timelimit for LDAP queries, in seconds.
# The query will block for this number of seconds, or indefinitely if negative.
#ldap_timelimit = -1
# Default number of retry attempts
#ldap_retry_max = 3
# Default delay in between retry attempts
# Presumably in seconds, like ldap_timelimit -- confirm.
#ldap_retry_delay = 5
# Default setting for requiring tls certificates, one of:
# never, hard, demand, allow, try
# These appear to mirror OpenLDAP's TLS_REQCERT levels: only 'demand' (and
# 'hard') require a valid server certificate; 'never' and 'allow' accept a
# missing or bad certificate and 'try' accepts a missing one, which leaves
# the LDAP session open to interception.
#ldap_tls_require_cert = 'demand'
# Default directory for trusted CAs
#ldap_tls_cacertdir = '/usr/share/ssl'
# Default filename for trusted CAs
#ldap_tls_cacertfile = '/usr/share/ssl/cert.pem'
# If you wish to use mTLS, set these to the paths of the TLS certificate and key.
# The key file should be readable only by the user running nsscache.
#ldap_tls_certfile = ''
#ldap_tls_keyfile = ''
# Should we issue STARTTLS?
# STARTTLS upgrades a plain ldap:// connection; with an ldaps:// URI the
# session is already TLS. NOTE(review): confirm how nsscache treats this
# option when ldap_uri is ldaps://.
#ldap_tls_starttls = 1
# Default uid-like attribute
#ldap_uidattr = 'uid'
# If connecting to openldap, uidNumber and gidNumber
# will be used for mapping. If enabled (set to 1),
# the relative identifier (RID) will be used instead.
# Consider using this for Samba4 AD.
#ldap_use_rid = 0
# Default Offset option to map uidNumber and gidNumber to higher number.
# Check that the shifted range cannot collide with local accounts in
# /etc/passwd and /etc/group.
#ldap_offset = 10000
# A Python regex to extract uid components from the uid-like attribute.
# All matching groups are concatenated without spaces.
# For example: '(.*)@example.com' would return a uid to the left of
# the @example.com domain. Default is no regex.
# Note: '.' in the example matches any character; escape it ('\.') if the
# dot must be literal.
#ldap_uidregex = ''
# A Python regex to extract group member components from the member or
# memberOf attributes. All matching groups are concatenated without spaces.
# For example: '(.*)@example.com' would return a member without
# the @example.com domain. Default is no regex.
#ldap_groupregex = ''
# Replace all users' shells with the specified one.
# Enable for Active Directory since the loginShell
# attribute is not present by default.
#ldap_override_shell = '/bin/bash'
# Set directory for all users in passwd under /home.
#ldap_home_dir = 1
# Default uses rfc2307 schema. If rfc2307bis (groups stored as a list of DNs
# in 'member' attr), set this to 1
#ldap_rfc2307bis = 0
# Default uses rfc2307 schema. If rfc2307bis_alt (groups stored as a list of DNs
# in 'uniqueMember' attr), set this to 1
#ldap_rfc2307bis_alt = 0
# Debug logging
# Debug output may include directory contents; keep it off in production.
#ldap_debug = 3
# SASL
# Use SASL for authentication
#ldap_use_sasl = False
# SASL mechanism. Only 'gssapi' is supported now
#ldap_sasl_mech = 'gssapi'
# SASL authorization identity (authzid); presumably empty means none -- confirm.
#ldap_sasl_authzid = ''
##
# nssdb module defaults
# Directory to store nssdb databases. Current libnss_db code requires
# the path below
nssdb_dir = /var/lib/misc
# Path to `makedb', supplied by the nss_db module
#nssdb_makedb = /usr/bin/makedb
##
# files module defaults
# Directory to store the plain text files
# Cache files are written here (e.g. /etc/passwd.cache with the suffix below).
# The shadow map cache holds password hashes, so its mode and ownership need
# the same care as /etc/shadow. NOTE(review): confirm the mode nsscache applies.
files_dir = /etc
# Suffix used on the files module database files
files_cache_filename_suffix = cache
###
# Optional per-map sections, if present they will override the above
# defaults. The examples below show you some common values to override
#
# [passwd]
#
# ldap_base = ou=people,dc=example,dc=com
# group map: groups live in their own OU and use a posixGroup filter
# instead of the [DEFAULT] posixAccount one.
[group]
ldap_base = ou=group,dc=example,dc=com
ldap_filter = (objectclass=posixGroup)
# If ldap_nested_groups is enabled, any groups that are members of other groups
# will be expanded recursively.
# Note: This will only work with full updates. Incremental updates will not
# propagate changes in child groups to their parents, so a removal from a
# child group is not reflected in the parent until the next full update.
# ldap_nested_groups = 1
# shadow map: same ldap_base as [DEFAULT] (ou=people), narrower filter.
# Reading shadow attributes typically requires a bind DN granted that
# access; an anonymous bind usually cannot see them.
[shadow]
ldap_filter = (objectclass=shadowAccount)
# netgroup map
[netgroup]
ldap_base = ou=netgroup,dc=example,dc=com
ldap_filter = (objectclass=nisNetgroup)
# Empty value: the netgroup cache file gets no '.cache' suffix
# (presumably written as files_dir/netgroup -- confirm).
files_cache_filename_suffix =
# automount map
[automount]
ldap_base = ou=automounts,dc=example,dc=com
# Empty value: automount map files are written without a '.cache' suffix.
files_cache_filename_suffix =
# Repeats the [DEFAULT] value, presumably so this map stays on 'files'
# even if the default cache module is changed.
cache = files
# Files module has an option that lets you leave the local master map alone
# (e.g. /etc/auto.master) so that maps can be enabled/disabled locally.
#
# This also causes nsscache to limit automount updates to only the maps which
# are defined both in the local master map (/etc/auto.master) and in the source
# master map -- versus pulling local copies of all maps defined in the source,
# regardless. Effectively this makes for local control of which automount maps
# are used and updated.
#
# files_local_automount_master = no
##
## SSH Keys stored in LDAP
##
# For SSH keys stored in LDAP under the sshPublicKey attribute.
# sshd_config should contain a config option for AuthorizedKeysCommand that
# runs a script like:
#
# awk -F: -v name="$1" '$0 ~ name { print $2 }' /etc/sshkey.cache | \
# tr -d "[']" | \
# sed -e 's/, /\n/g'
#
# Note: '$0 ~ name' is a regex match against the whole line, so a user name
# that is a substring of another user's name (or of a key comment) can select
# more than one entry; matching the first field exactly ('$1 == name') avoids
# serving another account's keys.
#
# A featureful example is in examples/authorized-keys-command.py
#[sshkey]
#
#ldap_base = ou=people,dc=yourdomain,dc=com
# NOTE(review): the purpose of [suffix] is not documented here. Python's
# configparser keeps the quote characters, so these values read as the
# two-character string "" unless nsscache strips quotes itself -- confirm
# before relying on them being empty.
[suffix]
prefix = ""
suffix = ""