
Ldap

users.ldap.base

The distinguished name of the search base.

Type: string

Example

"dc=example,dc=org"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.bind.distinguishedName

The distinguished name to bind to the LDAP server with. If this is not specified, an anonymous bind will be done.

Type: string

Default

""

Example

"cn=admin,dc=example,dc=com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.bind.passwordFile

The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).

Type: string

Default

"/etc/ldap/bind.password"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.bind.policy

Specifies the policy to use for reconnecting to an unavailable LDAP server. The default is hard_open, which reconnects if opening the connection to the directory server failed. By contrast, hard_init reconnects if initializing the connection failed. Initializing may not actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If soft is specified, then nss_ldap will return immediately on server failure. All hard reconnect policies block with exponential backoff before retrying.

Type: one of "hard_open", "hard_init", "soft"

Default

"hard_open"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.bind.timeLimit

Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit specified in users.ldap.timeLimit and affects the initial server connection only.

Type: signed integer

Default

30

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.daemon.enable

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM. This can improve performance, and if you need to bind to the LDAP server with a password, it increases security, since only the nslcd user needs to have access to the bindpw file, not everyone that uses NSS and/or PAM. If this option is enabled, a local nscd user is created automatically, and the nslcd service is started automatically when the network comes up.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.daemon.extraConfig

Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf(5)).

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.daemon.rootpwmoddn

The distinguished name to use to bind to the LDAP server when the root user tries to modify a user's password.

Type: string

Default

""

Example

"cn=admin,dc=example,dc=com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.daemon.rootpwmodpwFile

The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user's password.

Type: string

Default

""

Example

"/run/keys/nslcd.rootpwmodpw"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.enable

Whether to enable authentication against an LDAP server.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.extraConfig

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf(5)). If users.ldap.daemon is enabled, this configuration will not be used. In that case, use users.ldap.daemon.extraConfig instead.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.loginPam

Whether to include authentication against LDAP in login PAM.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.nsswitch

Whether to include lookup against LDAP in NSS.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.server

The URL of the LDAP server.

Type: string

Example

"ldap://ldap.example.org/"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.timeLimit

Specifies the time limit (in seconds) to use when performing searches. A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix

users.ldap.useTLS

If enabled, use TLS (encryption) over an LDAP (port 389) connection. The alternative is to specify an LDAPS server (port 636) in users.ldap.server or to forego security.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/ldap.nix
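The options above fit together as one module. The following is an added example, not part of the nixpkgs documentation or the ldap.nix module itself; the server name, base DN, bind DN and key path are placeholders. It shows the hardened combination (encrypted transport, a dedicated read-only bind identity whose password file is readable only by the nslcd daemon, bounded timeouts), with comments naming the weaker setting each line replaces.

```nix
# /etc/nixos/configuration.nix (fragment) -- constructed example
{ config, lib, pkgs, ... }:

{
  users.ldap = {
    enable = true;

    # ldaps:// on port 636 encrypts from the first byte. With a plain
    # "ldap://" URL you would need useTLS = true (STARTTLS on port 389);
    # leaving both off sends credentials and directory data in clear text.
    server = "ldaps://ldap.example.org/";
    useTLS = false;                      # not needed for an ldaps:// URL

    base = "dc=example,dc=org";

    # Let nslcd do the lookups. With daemon.enable = false every process
    # using NSS/PAM would have to read bind.passwordFile itself, so the
    # file would have to be world-readable.
    daemon.enable = true;

    bind = {
      # A dedicated, read-only account; empty distinguishedName means an
      # anonymous bind, and "cn=admin,..." would expose a privileged
      # password to the host.
      distinguishedName = "cn=nss-reader,ou=services,dc=example,dc=org";
      # Placeholder path; the file must be readable by the nslcd user only.
      passwordFile = "/run/keys/ldap-bind.password";
      policy = "hard_open";              # retry with backoff on connect failure
      timeLimit = 10;                    # seconds for the initial connection
    };

    # Bound search time; the default 0 waits forever and lets a slow or
    # unreachable directory hang logins and NSS lookups.
    timeLimit = 15;

    # Goes into nslcd.conf(5) verbatim because daemon.enable is true
    # (users.ldap.extraConfig would be ignored in that case).
    # tls_reqcert demand: refuse the connection if the server certificate
    # cannot be validated instead of silently accepting it.
    daemon.extraConfig = ''
      tls_reqcert demand
    '';
  };
}
```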