OpenDarwin 7.2.1 - man page for ldap.conf (opendarwin section 5)
LDAP.CONF(5)									     LDAP.CONF(5)

NAME
       ldap.conf, .ldaprc - ldap configuration file

SYNOPSIS
       /etc/openldap/ldap.conf, .ldaprc

DESCRIPTION
       The ldap.conf configuration file is used to set system-wide defaults to be applied when
       running ldap clients.

       Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory
       which will be used to override the system-wide defaults file.  The file ldaprc in the
       current working directory is also used.  Because the current directory is consulted, an
       LDAP client started from a directory that other users can write to may pick up settings
       (for example a different server, or a weaker TLS_REQCERT) that neither the administrator
       nor the user chose.

       Additional configuration files can be specified using the LDAPCONF and LDAPRC environment
       variables.  LDAPCONF may be set to the path of a configuration file.  This path can be
       absolute or relative to the current working directory.  LDAPRC, if defined, should be the
       basename of a file in the current working directory or in the user's home directory.

       Environment variables may also be used to augment the file based defaults.  The name of
       the variable is the option name with an added prefix of LDAP.  For example, to define BASE
       via the environment, set the variable LDAPBASE to the desired value.

       If the environment variable LDAPNOINIT is defined (with any value, even an empty one), all
       defaulting is disabled: none of the configuration files above is read and no LDAP<option>
       environment variable is consulted.

       Some options are user-only.  Such options are ignored if present in the ldap.conf (or file
       specified by LDAPCONF).
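
       The lookup order described above, as an added example written for this page rather than
       code from OpenLDAP: a small Python resolver that reads the files and environment variables
       in the sequence the page gives and records where each effective value came from.  It
       assumes the relative order among the user files (ldaprc, then .ldaprc in the home
       directory, then ldaprc in the working directory, then the LDAPRC file) and a plain
       "OPTION value" line syntax; the sample file tree it builds is constructed, and the URI
       keyword is included only because the page names it as the replacement for HOST and PORT.
       The ldaprc placed in the working directory shows how a stray file downgrades TLS_REQCERT.

```python
"""Resolve the options an LDAP client ends up with, following the lookup the
page describes.  Added example for this page, not OpenLDAP's own code: the
system-wide file and the LDAPCONF file are read first (user-only options
dropped), then ldaprc/.ldaprc in $HOME, ldaprc in the current directory and
the LDAPRC file, and finally LDAP<OPTION> environment variables, each later
source overriding earlier ones.  LDAPNOINIT disables all of it.  The exact
order among the user files is an assumption of this example."""
import tempfile
from pathlib import Path

# User-only keywords as listed on the page; ignored in ldap.conf and the LDAPCONF file.
USER_ONLY = {"BINDDN", "SASL_MECH", "SASL_REALM", "SASL_AUTHCID", "SASL_AUTHZID",
             "TLS_CERT", "TLS_KEY"}
# Keywords documented on the page (plus URI, which the page names as the HOST/PORT
# replacement); used to recognise LDAP<OPTION> environment variables.
KNOWN = USER_ONLY | {"BASE", "HOST", "PORT", "URI", "SIZELIMIT", "TIMELIMIT", "DEREF",
                     "SASL_SECPROPS", "TLS_CACERT", "TLS_CACERTDIR", "TLS_RANDFILE",
                     "TLS_REQCERT"}


def parse_conf(text):
    """Parse 'OPTION value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def load_file(path, allow_user_only):
    """Read one configuration file if it exists; drop user-only options when told to."""
    path = Path(path)
    if not path.is_file():
        return {}
    opts = parse_conf(path.read_text())
    if not allow_user_only:
        opts = {k: v for k, v in opts.items() if k not in USER_ONLY}
    return opts


def resolve(sysconf, env, home, cwd):
    """Return (effective options, sources applied in order)."""
    if "LDAPNOINIT" in env:          # defined at all, even empty: no defaulting
        return {}, []
    effective, applied = {}, []

    def apply(source, opts):
        if opts:
            effective.update(opts)
            applied.append(str(source))

    home, cwd = Path(home), Path(cwd)
    apply(sysconf, load_file(sysconf, allow_user_only=False))
    if env.get("LDAPCONF"):
        alt = cwd / env["LDAPCONF"]   # an absolute LDAPCONF path wins over cwd
        apply(alt, load_file(alt, allow_user_only=False))
    for name in ("ldaprc", ".ldaprc"):
        apply(home / name, load_file(home / name, allow_user_only=True))
    apply(cwd / "ldaprc", load_file(cwd / "ldaprc", allow_user_only=True))
    if env.get("LDAPRC"):             # a basename looked up in $HOME and then in cwd
        for directory in (home, cwd):
            apply(directory / env["LDAPRC"], load_file(directory / env["LDAPRC"], True))
    for var, value in env.items():    # LDAPBASE sets BASE, and so on
        if var.startswith("LDAP") and var[4:] in KNOWN:
            effective[var[4:]] = value
            applied.append("$" + var)
    return effective, applied


def demo():
    """Constructed sample tree (not from the page): a sane system file, a user .ldaprc,
    and an ldaprc in the working directory that silently turns off certificate checks."""
    root = Path(tempfile.mkdtemp())
    etc, home, cwd = root / "etc", root / "home", root / "work"
    for d in (etc, home, cwd):
        d.mkdir()
    (etc / "ldap.conf").write_text(
        "URI ldaps://ldap.example.test\n"
        "BASE dc=example,dc=test\n"
        "TLS_REQCERT demand\n"
        "BINDDN cn=ignored,dc=example,dc=test\n")   # user-only: dropped from this file
    (home / ".ldaprc").write_text(
        "BINDDN uid=alice,ou=people,dc=example,dc=test\n"
        "SIZELIMIT 500\n")
    (cwd / "ldaprc").write_text("TLS_REQCERT never\n")
    env = {"LDAPSIZELIMIT": "10"}
    return resolve(etc / "ldap.conf", env, home, cwd)


if __name__ == "__main__":
    options, sources = demo()
    for key in sorted(options):
        print(f"{key:<12} {options[key]}")
    print("applied:", " -> ".join(sources))
```

       Run directly, it prints the merged options and the files and variables that contributed
       to them; passing an environment containing LDAPNOINIT to resolve() yields an empty result,
       as the page describes.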

OPTIONS
       The different configuration options are:

       BASE <base>
	      Specifies the default base DN to use when performing  ldap  operations.	The  base
	      must be specified as a Distinguished Name in LDAP format.

       BINDDN <dn>
	      Specifies  the default bind DN to use when performing ldap operations.  The bind DN
	      must be specified as a Distinguished Name in LDAP  format.   This  is  a	user-only
	      option.

       HOST <name[:port] ...>
	      Specifies the name(s) of an LDAP server(s) to which the ldap library should connect.
	      Each server's name can be specified as a domain-style name or an IP address and
	      optionally followed by a ':' and the port number the ldap server is listening on.
	      A space separated list of hosts may be provided.  HOST is deprecated in favor of
	      URI.

       PORT <port>
	      Specifies  the  default port used when connecting to LDAP servers(s).  The port may
	      be specified as a number.  PORT is deprecated in favor of URI.

       SIZELIMIT <integer>
	      Specifies a size limit to use when performing searches.  The  number  should  be	a
	      non-negative integer.  SIZELIMIT of zero (0) specifies unlimited search size.

       TIMELIMIT <integer>
	      Specifies  a  time  limit  to use when performing searches.  The number should be a
	      non-negative integer.  TIMELIMIT of zero (0) specifies unlimited search time to  be
	      used.

       DEREF <when>
	      Specifies  how alias dereferencing is done when performing a search. The <when> can
	      be specified as one of the following keywords:

	      never  Aliases are never dereferenced. This is the default.

	      searching
		     Aliases are dereferenced in subordinates of the  base  object,  but  not  in
		     locating the base object of the search.

	      finding
		     Aliases are only dereferenced when locating the base object of the search.

	      always Aliases  are  dereferenced both in searching and in locating the base object
		     of the search.

SASL OPTIONS
       If OpenLDAP is built with Simple Authentication and Security Layer support, there are more
       options you can specify.

       SASL_MECH <mechanism>
	      Specifies the SASL mechanism to use.  This is a user-only option.

       SASL_REALM <realm>
	      Specifies the SASL realm.  This is a user-only option.

       SASL_AUTHCID <authcid>
	      Specifies the authentication identity.  This is a user-only option.

       SASL_AUTHZID <authzid>
	      Specifies the proxy authorization identity.  This is a user-only option.

       SASL_SECPROPS <properties>
	      Specifies Cyrus SASL security properties.  The <properties> can be specified as a
	      comma-separated list of the following:

	      none   (without any other properties) causes the properties defaults ("noanonymous,
		     noplain") to be cleared.

	      noplain
		     disables mechanisms susceptible to simple passive attacks.

	      noactive
		     disables mechanisms susceptible to active attacks.

	      nodict disables mechanisms susceptible to passive dictionary attacks.

	      noanonymous
		     disables mechanisms which support anonymous login.

	      forwardsec
		     requires forward secrecy between sessions.

	      passcred
		     requires  mechanisms  which  pass	client credentials (and allows mechanisms
		     which can pass credentials to do so).

	      minssf=<factor>
		     specifies the minimum acceptable security strength factor as an integer
		     approximating the effective key length used for encryption.  0 (zero)
		     implies no protection, 1 implies integrity protection only, 56 allows DES or
		     other weak ciphers, 112 allows triple DES and other strong ciphers, 128
		     allows RC4, Blowfish and other modern strong ciphers.  The default is 0.
		     A minssf of 0 therefore accepts mechanisms that provide no confidentiality at
		     all unless the connection is already protected by TLS.  The cipher examples
		     date from when this page was written; DES and RC4 are no longer considered
		     strong, so treat the factor as what the SASL library reports rather than as
		     a guarantee of strength.

	      maxssf=<factor>
		     specifies the maximum acceptable security strength factor as an integer (see
		     minssf description).  The default is INT_MAX.

	      maxbufsize=<factor>
		     specifies	the  maximum  security layer receive buffer size allowed.  0 dis-
		     ables security layers.  The default is 65536.
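
       How a SASL_SECPROPS value is interpreted, as an added example for this page (not OpenLDAP
       or Cyrus SASL code): it parses the comma-separated properties with the defaults and the
       none clearing rule given above, then filters a table of mechanisms.  The mechanism
       attributes and security layer strengths in the table are constructed for illustration
       (in practice they come from the SASL library's plugins), and treating maxbufsize=0 as
       forcing a security layer of zero is this example's assumption.

```python
"""Interpret SASL_SECPROPS as the page describes and see which mechanisms survive it.
Added example for this page, not OpenLDAP or Cyrus SASL code.  The per-mechanism
attributes below (which attacks a mechanism is susceptible to, the strongest
security layer it offers) are constructed for illustration."""

INT_MAX = 2 ** 31 - 1
DEFAULT_FLAGS = {"noanonymous", "noplain"}        # cleared by 'none'
FLAGS = DEFAULT_FLAGS | {"noactive", "nodict", "forwardsec", "passcred"}
NUMERIC = {"minssf", "maxssf", "maxbufsize"}


def parse_secprops(spec):
    """Turn 'noplain,minssf=128,...' into {'flags': set, 'minssf': int, ...}."""
    props = {"flags": set(DEFAULT_FLAGS), "minssf": 0, "maxssf": INT_MAX, "maxbufsize": 65536}
    for item in spec.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if item == "none":
            props["flags"].clear()                 # drop the noanonymous,noplain defaults
        elif item in FLAGS:
            props["flags"].add(item)
        elif "=" in item and item.split("=", 1)[0] in NUMERIC:
            key, value = item.split("=", 1)
            props[key] = int(value)
            if props[key] < 0:
                raise ValueError(f"{key} must be non-negative")
        else:
            raise ValueError(f"unknown SASL_SECPROPS property {item!r}")
    if props["minssf"] > props["maxssf"]:
        raise ValueError("minssf exceeds maxssf")
    return props


# Constructed mechanism table (illustrative, not authoritative).
MECHANISMS = {
    "ANONYMOUS":  dict(anonymous=True,  plaintext=False, dictionary=False, active=True,
                       forward_secrecy=False, pass_credentials=False, max_ssf=0),
    "PLAIN":      dict(anonymous=False, plaintext=True,  dictionary=True,  active=True,
                       forward_secrecy=False, pass_credentials=True,  max_ssf=0),
    "DIGEST-MD5": dict(anonymous=False, plaintext=False, dictionary=True,  active=False,
                       forward_secrecy=False, pass_credentials=False, max_ssf=128),
    "GSSAPI":     dict(anonymous=False, plaintext=False, dictionary=False, active=False,
                       forward_secrecy=False, pass_credentials=True,  max_ssf=256),
}

# noplain: susceptible to simple passive attacks; nodict: passive dictionary attacks;
# noactive: active attacks; noanonymous: supports anonymous login.
EXCLUDES = {"noanonymous": "anonymous", "noplain": "plaintext",
            "nodict": "dictionary", "noactive": "active"}
REQUIRES = {"forwardsec": "forward_secrecy", "passcred": "pass_credentials"}


def mechanism_allowed(props, mech):
    """Return (allowed, reason) for one mechanism description under parsed properties."""
    for flag, attr in EXCLUDES.items():
        if flag in props["flags"] and mech[attr]:
            return False, f"excluded by {flag}"
    for flag, attr in REQUIRES.items():
        if flag in props["flags"] and not mech[attr]:
            return False, f"does not satisfy {flag}"
    # maxbufsize=0 disables security layers, so no mechanism can offer any SSF (assumption).
    layer = 0 if props["maxbufsize"] == 0 else min(mech["max_ssf"], props["maxssf"])
    if layer < props["minssf"]:
        return False, f"best security layer {layer} below minssf={props['minssf']}"
    return True, f"security layer {layer}"


def select(spec, mechanisms=MECHANISMS):
    """Names of mechanisms acceptable under the given SASL_SECPROPS string."""
    props = parse_secprops(spec)
    return [name for name, mech in mechanisms.items() if mechanism_allowed(props, mech)[0]]


if __name__ == "__main__":
    for spec in ("", "none", "minssf=128", "nodict,minssf=128", "maxbufsize=0,minssf=1"):
        print(f"SASL_SECPROPS {spec or '(default)':<24} -> {select(spec)}")
```

       With the defaults only ANONYMOUS and PLAIN are dropped; none admits everything; a
       minssf above zero is what actually forces a security layer, and nodict combined with
       minssf=128 leaves only the Kerberos style mechanism in this table.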

TLS OPTIONS
       If OpenLDAP is built with Transport Layer Security support, there are more options you can
       specify.  These options are used when an ldaps:// URI is selected (by default or
       otherwise) or when the application negotiates TLS by issuing the LDAP Start TLS operation.

       TLS_CACERT <filename>
	      Specifies the file that contains certificates for all of the Certificate
	      Authorities the client will recognize.

       TLS_CACERTDIR <path>
	      Specifies  the path of a directory that contains Certificate Authority certificates
	      in separate individual files. The TLS_CACERT is always used before TLS_CACERTDIR.

       TLS_CERT <filename>
	      Specifies the file that contains	the  client  certificate.  This  is  a	user-only
	      option.

       TLS_KEY <filename>
	      Specifies the file that contains the private key that matches the certificate
	      stored in the TLS_CERT file.  Currently, the private key must not be protected
	      with a password, so it is of critical importance that the key file is protected
	      carefully, for example by making it readable only by the user that owns it.  This
	      is a user-only option.

       TLS_RANDFILE <filename>
	      Specifies the file to obtain random bits from when /dev/[u]random is not available.
	      Generally set to the name of the EGD/PRNGD socket.  The environment variable
	      RANDFILE can also be used to specify the filename.

       TLS_REQCERT <level>
	      Specifies what checks to perform on server certificates in a TLS session, if any.
	      The <level> can be specified as one of the following keywords:

	      never  The client will not request or check any server certificate.

	      allow  The server certificate is requested.  If no certificate is provided, the
		     session proceeds normally.  If a bad certificate is provided, it will be
		     ignored and the session proceeds normally.

	      try    The server certificate is requested.  If no certificate is provided, the
		     session proceeds normally.  If a bad certificate is provided, the session
		     is immediately terminated.

	      demand | hard
		     These keywords are equivalent.  The server certificate is requested.  If no
		     certificate is provided, or a bad certificate is provided, the session is
		     immediately terminated.  This is the default setting.

	      Only demand (or hard) actually verifies the identity of the server.  With never or
	      allow the session completes even when the certificate does not verify, and with
	      try it completes when no certificate is presented at all, so an interposed server
	      can still read and modify the traffic; those levels should be confined to testing.
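
       The four TLS_REQCERT levels as a decision function, together with a small audit of the
       TLS settings in a parsed configuration.  This is an added example for this page, not
       libldap code: the outcome function follows the level definitions above, while the audit's
       checks for configured trust anchors and for key file permissions are this example's own
       recommendations.  The options and the placeholder key file it builds are constructed.

```python
"""TLS_REQCERT semantics and a few checks on the TLS settings of an ldap.conf.
Added example for this page; not libldap code.  The outcome table follows the
four levels as the page defines them.  The audit's extra checks (trust anchors
configured, key file permissions) are recommendations of this example."""
import os
import stat
import tempfile
from pathlib import Path


def tls_reqcert_outcome(level, presented, valid):
    """'proceed' or 'terminate' for a server certificate that was presented (or not)
    and that verified (or not) under the given TLS_REQCERT level."""
    level = level.lower()
    if level == "never":             # not requested, not checked
        return "proceed"
    if level == "allow":             # requested, but a bad certificate is ignored
        return "proceed"
    if level == "try":               # bad certificate fails, missing certificate passes
        return "terminate" if presented and not valid else "proceed"
    if level in ("demand", "hard"):  # only a good certificate passes
        return "proceed" if presented and valid else "terminate"
    raise ValueError(f"unknown TLS_REQCERT level {level!r}")


def levels_defeating_a_mitm():
    """Levels that close the session both when an interposed server presents a
    certificate that does not verify and when it presents none at all."""
    safe = []
    for level in ("never", "allow", "try", "demand", "hard"):
        bad_cert = tls_reqcert_outcome(level, True, False)
        no_cert = tls_reqcert_outcome(level, False, False)
        if bad_cert == "terminate" and no_cert == "terminate":
            safe.append(level)
    return safe


def audit_tls(opts):
    """opts: dict of upper-cased option name -> value, as parsed from ldap.conf.
    Returns a list of human-readable findings (empty means nothing to report)."""
    findings = []
    level = opts.get("TLS_REQCERT", "demand").lower()   # demand is the page's default
    if level in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {level}: server certificate is not enforced, "
                        "an interposed server can complete the session")
    if level in ("demand", "hard") and not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("TLS_REQCERT demand without TLS_CACERT/TLS_CACERTDIR: no trust anchors "
                        "configured here, verification depends on library defaults")
    key = opts.get("TLS_KEY")
    if key and os.path.exists(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"TLS_KEY {key}: unencrypted private key is readable by group or "
                            f"others (mode {mode:04o})")
    return findings


def demo():
    """Constructed weak and corrected configurations (not from the page); the key file
    is a placeholder, first group-readable and then restricted to its owner."""
    keyfile = Path(tempfile.mkdtemp()) / "client.key"
    keyfile.write_text("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n"
                       "-----END PRIVATE KEY-----\n")
    keyfile.chmod(0o640)
    weak = {"URI": "ldaps://ldap.example.test", "TLS_REQCERT": "allow",
            "TLS_KEY": str(keyfile)}
    weak_findings = audit_tls(weak)
    keyfile.chmod(0o600)
    fixed = {"URI": "ldaps://ldap.example.test", "TLS_REQCERT": "demand",
             "TLS_CACERT": "/etc/openldap/cacert.pem", "TLS_KEY": str(keyfile)}
    return weak_findings, audit_tls(fixed)


if __name__ == "__main__":
    print("levels that stop an interposed server:", levels_defeating_a_mitm())
    weak_findings, fixed_findings = demo()
    for finding in weak_findings:
        print("weak   :", finding)
    print("fixed  :", fixed_findings or "no findings")
```

       Only demand and hard come back from levels_defeating_a_mitm(); the weak configuration
       produces two findings (the allow level and the group-readable key), and the corrected one
       none.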

ENVIRONMENT VARIABLES
       LDAPNOINIT
	      disable all defaulting

       LDAPCONF
	      path of a configuration file

       LDAPRC basename of ldaprc file in $HOME or $CWD

       LDAP<option-name>
	      Set <option-name> as from ldap.conf

FILES
       /etc/openldap/ldap.conf
	      system-wide ldap configuration file

       $HOME/ldaprc, $HOME/.ldaprc
	      user ldap configuration file

       $CWD/ldaprc
	      local ldap configuration file

SEE ALSO
       ldap(3)

AUTHOR
       Kurt Zeilenga, The OpenLDAP Project

ACKNOWLEDGEMENTS
       OpenLDAP  is  developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
       OpenLDAP is derived from University of Michigan LDAP 3.3 Release.

4.3 Berkeley Distribution		   RELEASEDATE				     LDAP.CONF(5)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 02:41 AM.