Template: nslcd/ldap-uris
Type: string
_Description: LDAP server URI:
 Please enter the Uniform Resource Identifier of the LDAP server. The format
 is "ldap://:/". Alternatively, "ldaps://" or "ldapi://" can be used.
 The port number is optional.
 .
 When using an ldap or ldaps scheme it is recommended to use an IP address to
 avoid failures when domain name services are unavailable.
 .
 Multiple URIs can be separated by spaces.

Template: nslcd/ldap-base
Type: string
_Description: LDAP server search base:
 Please enter the distinguished name of the LDAP search base. Many sites use
 the components of their domain names for this purpose. For example, the
 domain "example.net" would use "dc=example,dc=net" as the distinguished name
 of the search base.

Template: nslcd/ldap-auth-type
Type: select
__Choices: none, simple, SASL
_Description: LDAP authentication to use:
 Please choose what type of authentication the LDAP database should
 require (if any):
 .
  * none: no authentication;
  * simple: simple bind DN and password authentication;
  * SASL: any Simple Authentication and Security Layer mechanism.

Template: nslcd/ldap-binddn
Type: string
_Description: LDAP database user:
 Please enter the name of the account that will be used to log in to the LDAP
 database. This value should be specified as a DN (distinguished name).

Template: nslcd/ldap-bindpw
Type: password
_Description: LDAP user password:
 Please enter the password that will be used to log in to the LDAP database.

Template: nslcd/ldap-sasl-mech
Type: select
Choices: auto, LOGIN, PLAIN, NTLM, CRAM-MD5, DIGEST-MD5, SCRAM, GSSAPI, SKEY, OTP, EXTERNAL
_Description: SASL mechanism to use:
 Please choose the SASL mechanism that will be used to authenticate to the LDAP
 database:
 .
  * auto: auto-negotiation;
  * LOGIN: deprecated in favor of PLAIN;
  * PLAIN: simple cleartext password mechanism;
  * NTLM: NT LAN Manager authentication mechanism;
  * CRAM-MD5: challenge-response scheme based on HMAC-MD5;
  * DIGEST-MD5: HTTP Digest compatible challenge-response scheme;
  * SCRAM: salted challenge-response mechanism;
  * GSSAPI: used for Kerberos;
  * SKEY: S/KEY mechanism (obsoleted by OTP);
  * OTP: One Time Password mechanism;
  * EXTERNAL: authentication is implicit in the context.

Template: nslcd/ldap-sasl-realm
Type: string
_Description: SASL realm:
 Please enter the SASL realm that will be used to authenticate to the LDAP
 database.
 .
 The realm is appended to authentication and authorization identities.
 .
 For GSSAPI, this can be left blank to use information from the Kerberos
 credentials cache.

Template: nslcd/ldap-sasl-authcid
Type: string
_Description: SASL authentication identity:
 Please enter the SASL authentication identity that will be used to
 authenticate to the LDAP database.
 .
 This is the login used in LOGIN, PLAIN, CRAM-MD5, and DIGEST-MD5 mechanisms.

Template: nslcd/ldap-sasl-authzid
Type: string
_Description: SASL proxy authorization identity:
 Please enter the proxy authorization identity that will be used to
 authenticate to the LDAP database.
 .
 This is the object in the name of which the LDAP request is done.
 This value should be specified as a DN (distinguished name).

Template: nslcd/ldap-sasl-secprops
Type: string
_Description: Cyrus SASL security properties:
 Please enter the Cyrus SASL security properties.
 .
 Allowed values are described in the ldap.conf(5) manual page
 in the SASL OPTIONS section.

Template: nslcd/ldap-sasl-krb5-ccname
Type: string
Default: /var/run/nslcd/nslcd.tkt
_Description: Kerberos credential cache file path:
 Please enter the GSSAPI/Kerberos credential cache file name that will be used.

Template: nslcd/ldap-starttls
Type: boolean
_Description: Use StartTLS?
 Please choose whether the connection to the LDAP server should use
 StartTLS to encrypt the connection.

Template: nslcd/ldap-reqcert
Type: select
__Choices: never, allow, try, demand
_Description: Check server's SSL certificate:
 When an encrypted connection is used, a server certificate can be requested
 and checked. Please choose whether lookups should be configured to require
 a certificate, and whether certificates should be checked for validity:
 .
  * never: no certificate will be requested or checked;
  * allow: a certificate will be requested, but it is not
    required or checked;
  * try: a certificate will be requested and checked, but if no
    certificate is provided, it is ignored;
  * demand: a certificate will be requested, required, and checked.
 .
 If certificate checking is enabled, at least one of the tls_cacertdir or
 tls_cacertfile options must be put in /etc/nslcd.conf.