Unix/Linux Go Back    


NetBSD 6.1.5 - man page for ldap.conf (netbsd section 5)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


LDAP.CONF(5)									     LDAP.CONF(5)

NAME
       ldap.conf, .ldaprc - LDAP configuration file/environment variables

SYNOPSIS
       /etc/openldap/ldap.conf, ldaprc, .ldaprc, $LDAP<option-name>

DESCRIPTION
       If the environment variable LDAPNOINIT is defined, all defaulting is disabled.

       The  ldap.conf  configuration  file is used to set system-wide defaults to be applied when
       running ldap clients.

       Users may create an optional configuration file, ldaprc or .ldaprc, in their  home  direc-
       tory which will be used to override the system-wide defaults file.  The file ldaprc in the
       current working directory is also used.

       Additional configuration files can be specified using the LDAPCONF and LDAPRC  environment
       variables.   LDAPCONF  may  be  set to the path of a configuration file.  This path can be
       absolute or relative to the current working directory.  The LDAPRC, if defined, should  be
       the basename of a file in the current working directory or in the user's home directory.

       Environmental  variables may also be used to augment the file based defaults.  The name of
       the variable is the option name with an added prefix of LDAP.  For example, to define BASE
       via the environment, set the variable LDAPBASE to the desired value.

       Some options are user-only.  Such options are ignored if present in the ldap.conf (or file
       specified by LDAPCONF).

       Thus the following files and variables are read, in order:
	   variable	$LDAPNOINIT, and if that is not set:
	   system file	/etc/openldap/ldap.conf,
	   user files	$HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
	   system file	$LDAPCONF,
	   user files	$HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
	   variables	$LDAP<uppercase option name>.
       Settings late in the list override earlier ones.

SYNTAX
       The configuration options are case-insensitive; their value, on a case by case basis,  may
       be case-sensitive.

       Blank lines are ignored.
       Lines beginning with a hash mark (`#') are comments, and ignored.

       Valid lines are made of an option's name (a sequence of non-blanks, conventionally written
       in uppercase, although not required), followed by a value.   The  value	starts	with  the
       first  non-blank character after the option's name, and terminates at the end of the line,
       or at the last sequence of blanks before the end of the line.   The  tokenization  of  the
       value,  if  any,  is  delegated to the handler(s) for that option, if any.  Quoting values
       that contain blanks may be incorrect, as the quotes would become part of the  value.   For
       example,

	    # Wrong - erroneous quotes:
	    URI     "ldap:// ldaps://"

	    # Right - space-separated list of URIs, without quotes:
	    URI     ldap:// ldaps://

	    # Right - DN syntax needs quoting for Example, Inc:
	    BASE    ou=IT staff,o="Example, Inc",c=US
	    # or:
	    BASE    ou=IT staff,o=Example2C Inc,c=US

	    # Wrong - comment on same line as option:
	    DEREF   never	    # Never follow aliases

       A  line	cannot be longer than LINE_MAX, which should be more than 2000 bytes on all plat-
       forms.  There is no mechanism to split a long line on multiple lines, either for beautifi-
       cation or to overcome the above limit.

OPTIONS
       The different configuration options are:

       URI <ldap[si]://[name[:port]] ...>
	      Specifies the URI(s) of an LDAP server(s) to which the LDAP library should connect.
	      The URI scheme may be any of ldap, ldaps or ldapi, which refer to  LDAP  over  TCP,
	      LDAP  over  SSL  (TLS) and LDAP over IPC (UNIX domain sockets), respectively.  Each
	      server's name can be specified as a domain-style name or	an  IP	address  literal.
	      Optionally,  the	server's  name can followed by a ':' and the port number the LDAP
	      server is listening on.  If no port number is provided, the default  port  for  the
	      scheme is used (389 for ldap://, 636 for ldaps://).  For LDAP over IPC, name is the
	      name of the socket, and no port is required, nor allowed; note that directory sepa-
	      rators  must be URL-encoded, like any other characters that are special to URLs; so
	      the socket

		   /usr/local/var/ldapi

	      must be specified as

		   ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi

	      A space separated list of URIs may be provided.

       BASE <base>
	      Specifies the default base DN to use when performing  ldap  operations.	The  base
	      must be specified as a Distinguished Name in LDAP format.

       BINDDN <dn>
	      Specifies  the default bind DN to use when performing ldap operations.  The bind DN
	      must be specified as a Distinguished Name in LDAP  format.   This  is  a	user-only
	      option.

       DEREF <when>
	      Specifies  how alias dereferencing is done when performing a search. The <when> can
	      be specified as one of the following keywords:

	      never  Aliases are never dereferenced. This is the default.

	      searching
		     Aliases are dereferenced in subordinates of the  base  object,  but  not  in
		     locating the base object of the search.

	      finding
		     Aliases are only dereferenced when locating the base object of the search.

	      always Aliases  are  dereferenced both in searching and in locating the base object
		     of the search.

       HOST <name[:port] ...>
	      Specifies the name(s) of an LDAP server(s) to which the LDAP  library  should  con-
	      nect.   Each server's name can be specified as a domain-style name or an IP address
	      and optionally followed by a ':' and the port number the ldap server  is	listening
	      on.   A space separated list of hosts may be provided.  HOST is deprecated in favor
	      of URI.

       NETWORK_TIMEOUT <integer>
	      Specifies the timeout (in seconds) after which the  poll(2)/select(2)  following	a
	      connect(2) returns in case of no activity.

       PORT <port>
	      Specifies  the  default port used when connecting to LDAP servers(s).  The port may
	      be specified as a number.  PORT is deprecated in favor of URI.

       REFERRALS <on/true/yes/off/false/no>
	      Specifies if the client should automatically  follow  referrals  returned  by  LDAP
	      servers.	 The  default  is on.  Note that the command line tools ldapsearch(1) &co
	      always override this option.

       SIZELIMIT <integer>
	      Specifies a size limit (number of entries) to use when  performing  searches.   The
	      number should be a non-negative integer.	SIZELIMIT of zero (0) specifies a request
	      for unlimited search size.  Please note that the server may still apply any server-
	      side limit on the amount of entries that can be returned by a search operation.

       TIMELIMIT <integer>
	      Specifies  a  time  limit (in seconds) to use when performing searches.  The number
	      should be a non-negative integer.  TIMELIMIT of zero (0) specifies unlimited search
	      time to be used.	Please note that the server may still apply any server-side limit
	      on the duration of a search operation.  VERSION {2|3} Specifies what version of the
	      LDAP protocol should be used.

       TIMEOUT <integer>
	      Specifies  a  timeout  (in seconds) after which calls to synchronous LDAP APIs will
	      abort if no response is received.  Also used for any ldap_result(3) calls  where	a
	      NULL timeout parameter is supplied.

SASL OPTIONS
       If OpenLDAP is built with Simple Authentication and Security Layer support, there are more
       options you can specify.

       SASL_MECH <mechanism>
	      Specifies the SASL mechanism to use.  This is a user-only option.

       SASL_REALM <realm>
	      Specifies the SASL realm.  This is a user-only option.

       SASL_AUTHCID <authcid>
	      Specifies the authentication identity.  This is a user-only option.

       SASL_AUTHZID <authcid>
	      Specifies the proxy authorization identity.  This is a user-only option.

       SASL_SECPROPS <properties>
	      Specifies Cyrus SASL security properties. The <properties> can be  specified  as	a
	      comma-separated list of the following:

	      none   (without  any  other  properties)	causes the properties defaults ("noanony-
		     mous,noplain") to be cleared.

	      noplain
		     disables mechanisms susceptible to simple passive attacks.

	      noactive
		     disables mechanisms susceptible to active attacks.

	      nodict disables mechanisms susceptible to passive dictionary attacks.

	      noanonymous
		     disables mechanisms which support anonymous login.

	      forwardsec
		     requires forward secrecy between sessions.

	      passcred
		     requires mechanisms which pass client  credentials  (and  allows  mechanisms
		     which can pass credentials to do so).

	      minssf=<factor>
		     specifies	the  minimum  acceptable  security  strength factor as an integer
		     approximating the effective  key  length  used  for  encryption.	0  (zero)
		     implies no protection, 1 implies integrity protection only, 56 allows DES or
		     other weak ciphers, 112 allows triple DES	and  other  strong  ciphers,  128
		     allows RC4, Blowfish and other modern strong ciphers.  The default is 0.

	      maxssf=<factor>
		     specifies the maximum acceptable security strength factor as an integer (see
		     minssf description).  The default is INT_MAX.

	      maxbufsize=<factor>
		     specifies the maximum security layer receive buffer size  allowed.   0  dis-
		     ables security layers.  The default is 65536.

GSSAPI OPTIONS
       If OpenLDAP is built with Generic Security Services Application Programming Interface sup-
       port, there are more options you can specify.

       GSSAPI_SIGN <on/true/yes/off/false/no>
	      Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.  The default is off.

       GSSAPI_ENCRYPT <on/true/yes/off/false/no>
	      Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG	and  GSS_C_CONF_FLAG)  should  be
	      used. The default is off.

       GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
	      Specifies  if GSSAPI based authentification should try to form the target principal
	      name out of the ldapServiceName or dnsHostName attribute	of  the  targets  RootDSE
	      entry. The default is off.

TLS OPTIONS
       If OpenLDAP is built with Transport Layer Security support, there are more options you can
       specify.  These options are used when an ldaps:// URI is selected (by  default  or  other-
       wise) or when the application negotiates TLS by issuing the LDAP StartTLS operation.

       TLS_CACERT <filename>
	      Specifies  the  file that contains certificates for all of the Certificate Authori-
	      ties the client will recognize.

       TLS_CACERTDIR <path>
	      Specifies the path of a directory that contains Certificate Authority  certificates
	      in  separate  individual files. The TLS_CACERT is always used before TLS_CACERTDIR.
	      This parameter is ignored with GNUtls.

       TLS_CERT <filename>
	      Specifies the file that contains the  client  certificate.   This  is  a	user-only
	      option.

       TLS_KEY <filename>
	      Specifies  the  file  that  contains  the  private key that matches the certificate
	      stored in the TLS_CERT file. Currently, the private key must not be protected  with
	      a  password,  so	it is of critical importance that the key file is protected care-
	      fully.  This is a user-only option.

       TLS_CIPHER_SUITE <cipher-suite-spec>
	      Specifies acceptable cipher suite and preference order.  <cipher-suite-spec> should
	      be a cipher specification for OpenSSL, e.g., HIGH:MEDIUM:+SSLv2.

	      To check what ciphers a given spec selects, use:

		   openssl ciphers -v <cipher-suite-spec>

	      To obtain the list of ciphers in GNUtls use:

		   gnutls-cli -l

       TLS_RANDFILE <filename>
	      Specifies the file to obtain random bits from when /dev/[u]random is not available.
	      Generally set to the name of the EGD/PRNGD socket.  The environment variable  RAND-
	      FILE  can  also  be  used  to specify the filename.  This parameter is ignored with
	      GNUtls.

       TLS_REQCERT <level>
	      Specifies what checks to perform on server certificates in a TLS session,  if  any.
	      The <level> can be specified as one of the following keywords:

	      never  The client will not request or check any server certificate.

	      allow  The server certificate is requested. If no certificate is provided, the ses-
		     sion proceeds normally. If a bad certificate is provided, it will be ignored
		     and the session proceeds normally.

	      try    The server certificate is requested. If no certificate is provided, the ses-
		     sion proceeds normally. If a bad certificate is  provided,  the  session  is
		     immediately terminated.

	      demand | hard
		     These  keywords  are  equivalent. The server certificate is requested. If no
		     certificate is provided, or a bad certificate is provided,  the  session  is
		     immediately terminated. This is the default setting.

       TLS_CRLCHECK <level>
	      Specifies if the Certificate Revocation List (CRL) of the CA should be used to ver-
	      ify if the server certificates have not been revoked. This  requires  TLS_CACERTDIR
	      parameter  to be set. This parameter is ignored with GNUtls.  <level> can be speci-
	      fied as one of the following keywords:

	      none   No CRL checks are performed

	      peer   Check the CRL of the peer certificate

	      all    Check the CRL for a whole certificate chain

       TLS_CRLFILE <filename>
	      Specifies the file containing a Certificate Revocation List to be used to verify if
	      the  server  certificates  have  not been revoked. This parameter is only supported
	      with GNUtls.

ENVIRONMENT VARIABLES
       LDAPNOINIT
	      disable all defaulting

       LDAPCONF
	      path of a configuration file

       LDAPRC basename of ldaprc file in $HOME or $CWD

       LDAP<option-name>
	      Set <option-name> as from ldap.conf

FILES
       /etc/openldap/ldap.conf
	      system-wide ldap configuration file

       $HOME/ldaprc, $HOME/.ldaprc
	      user ldap configuration file

       $CWD/ldaprc
	      local ldap configuration file

SEE ALSO
       ldap(3), ldap_set_option(3), ldap_result(3), openssl(1), sasl(3)

AUTHOR
       Kurt Zeilenga, The OpenLDAP Project

ACKNOWLEDGEMENTS
       OpenLDAP Software is developed and maintained by The OpenLDAP  Project  <http://www.openl-
       dap.org/>.  OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.

OpenLDAP 2.4.23 			    2010/06/30				     LDAP.CONF(5)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 05:04 PM.