# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://lldap.example.net:6360/

# The search base that will be used for all queries.
base dc=example,dc=net

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn cn=...,ou=people,dc=example,dc=com
bindpw ...

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
tls_reqcert demand
tls_cacertfile /etc/cert-lldap.example.com.pem

# The search scope.
#scope sub

reconnect_invalidate passwd group
nss_initgroups_ignoreusers ALLLOCAL

# Do you have users/groups that aren't for linux?  These filters determine which user/group objects are used.
filter passwd (&(objectClass=posixAccount)(unix-uid=*))
filter group (&(objectClass=groupOfUniqueNames)(unix-gid=*))

# This check is done AFTER authentication, in the pam "account" stage.
# Regardless of if they used a LDAP password, or an SSH key, if they're an LDAP user, they have to pass this check.
pam_authz_search (&(objectClass=posixAccount)(unix-uid=*)(unix-username=$username)(memberOf=cn=YOUR_LOGIN_GROUP_FOR_THIS_MACHINE,ou=groups,dc=example,dc=com))


map passwd uid unix-username
map passwd uidNumber unix-uid
map passwd gidNumber unix-gid
map passwd gecos unix-username
map passwd homeDirectory "/home/${unix-username}"
map passwd loginShell unix-shell

map group gidNumber unix-gid
map group memberUid member

nss_min_uid 1000

pam_password_prohibit_message "Please use the forgot password link on https://lldap.example.com/ to change your password."