unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (Debian-5.0)
Page:
Section:
Apropos / Subsearch:
optional field

LDAP.CONF(5)                  File Formats Manual                 LDAP.CONF(5)



NAME
       ldap.conf, .ldaprc - ldap configuration file

SYNOPSIS
       /etc/ldap/ldap.conf, .ldaprc

DESCRIPTION
       If  the  environment  variable LDAPNOINIT is defined, all defaulting is
       disabled.

       The ldap.conf configuration file is used to set system-wide defaults to
       be applied when running ldap clients.

       Users  may create an optional configuration file, ldaprc or .ldaprc, in
       their home directory which will be used  to  override  the  system-wide
       defaults  file.   The  file  ldaprc in the current working directory is
       also used.

       Additional configuration files can be specified using the LDAPCONF  and
       LDAPRC  environment  variables.   LDAPCONF  may be set to the path of a
       configuration file.  This path can be absolute or relative to the  cur-
       rent working directory.  The LDAPRC, if defined, should be the basename
       of a file in the current working directory or in the user's home direc-
       tory.

       Environmental  variables  may  also  be  used to augment the file based
       defaults.  The name of the variable is the option name  with  an  added
       prefix  of  LDAP.  For example, to define BASE via the environment, set
       the variable LDAPBASE to the desired value.

       Some options are user-only.  Such options are ignored if present in the
       ldap.conf (or file specified by LDAPCONF).

OPTIONS
       The  configuration options are case-insensitive; their value, on a case
       by case basis, may be case-sensitive.

       Blank lines and lines beginning with a hash mark (`#') are  ignored  up
       to their end.

       Valid  lines  are  made  of an option's name (a sequence of non-blanks,
       conventionally written in uppercase, although not  required),  followed
       by  a value.  The value starts with the first non-blank character after
       the option's name, and terminates at the end of the  line,  or  at  the
       last  sequence  of blanks before the end of the line.  The tokenization
       of the value, if any, is delegated to the handler(s) for  that  option,
       if  any.   Quoting  values that contain blanks may be incorrect, as the
       quotes would become part of the value.  For example,

            URI  "ldap:// ldaps://"

       is incorrect, while

            URI  ldap:// ldaps://

       is correct (note the absence of the double quotes).

       A line cannot be longer than LINE_MAX, which should be more  than  2000
       bytes  on all platforms.  There is no mechanism to split a long line on
       multiple lines, either for beautification  or  to  overcome  the  above
       limit.

       The different configuration options are:

       URI <&lt;ldap[si]://[name[:port]] ...>&gt;
              Specifies  the  URI(s)  of  an  LDAP server(s) to which the LDAP
              library should connect.  The URI scheme  may  be  any  of  ldap,
              ldaps  or  ldapi,  which  refer  to LDAP over TCP, LDAP over SSL
              (TLS) and LDAP over IPC  (UNIX  domain  sockets),  respectively.
              Each server's name can be specified as a domain-style name or an
              IP address literal.  Optionally, the server's name can  followed
              by  a  ':'  and the port number the LDAP server is listening on.
              If no port number is provided, the default port for  the  scheme
              is used (389 for ldap://, 636 for ldaps://).  For LDAP over IPC,
              name is the name of the socket, and no  port  is  required,  nor
              allowed;  note  that  directory  separators must be URL-encoded,
              like any other characters that  are  special  to  URLs;  so  the
              socket

                   /usr/local/var/ldapi

              must be specified as

                   ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi

              A space separated list of URIs may be provided.

       BASE <&lt;base>&gt;
              Specifies the default base DN to use when performing ldap opera-
              tions.  The base must be specified as a  Distinguished  Name  in
              LDAP format.

       BINDDN <&lt;dn>&gt;
              Specifies the default bind DN to use when performing ldap opera-
              tions.  The bind DN must be specified as a Distinguished Name in
              LDAP format.  This is a user-only option.

       DEREF <&lt;when>&gt;
              Specifies  how  alias  dereferencing  is  done when performing a
              search. The <&lt;when>&gt; can be specified as one of the following key-
              words:

              never  Aliases are never dereferenced. This is the default.

              searching
                     Aliases  are  dereferenced  in  subordinates  of the base
                     object, but not  in  locating  the  base  object  of  the
                     search.

              finding
                     Aliases  are  only  dereferenced  when  locating the base
                     object of the search.

              always Aliases are dereferenced both in searching and in  locat-
                     ing the base object of the search.


       HOST <&lt;name[:port] ...>&gt;
              Specifies  the  name(s)  of  an LDAP server(s) to which the LDAP
              library should connect.  Each server's name can be specified  as
              a  domain-style name or an IP address and optionally followed by
              a ':' and the port number the ldap server is  listening  on.   A
              space  separated  list of hosts may be provided.  HOST is depre-
              cated in favor of URI.

       NETWORK_TIMEOUT <&lt;integer>&gt;
              Specifies   the   timeout   (in   seconds)   after   which   the
              poll(2)/select(2)  following  a connect(2) returns in case of no
              activity.

       PORT <&lt;port>&gt;
              Specifies  the  default  port  used  when  connecting  to   LDAP
              servers(s).   The  port  may  be specified as a number.  PORT is
              deprecated in favor of URI.

       REFERRALS <&lt;on/true/yes/off/false/no>&gt;
              Specifies if the client should  automatically  follow  referrals
              returned  by  LDAP  servers.   The default is on.  Note that the
              command  line  tools  ldapsearch(1)  &co  always  override  this
              option.

       SIZELIMIT <&lt;integer>&gt;
              Specifies  a  size  limit  to use when performing searches.  The
              number should be a non-negative integer.  SIZELIMIT of zero  (0)
              specifies unlimited search size.

       TIMELIMIT <&lt;integer>&gt;
              Specifies  a  time  limit  to use when performing searches.  The
              number should be a non-negative integer.  TIMELIMIT of zero  (0)
              specifies unlimited search time to be used.  VERSION {2|3} Spec-
              ifies what version of the LDAP protocol should be used.

       TIMEOUT <&lt;integer>&gt;
              Specifies a timeout (in seconds) after which calls  to  synchro-
              nous LDAP APIs will abort if no response is received.  Also used
              for any ldap_result(3) calls where a NULL timeout  parameter  is
              supplied.

SASL OPTIONS
       If OpenLDAP is built with Simple Authentication and Security Layer sup-
       port, there are more options you can specify.

       SASL_MECH <&lt;mechanism>&gt;
              Specifies the SASL  mechanism  to  use.   This  is  a  user-only
              option.

       SASL_REALM <&lt;realm>&gt;
              Specifies the SASL realm.  This is a user-only option.

       SASL_AUTHCID <&lt;authcid>&gt;
              Specifies  the  authentication  identity.   This  is a user-only
              option.

       SASL_AUTHZID <&lt;authcid>&gt;
              Specifies the proxy authorization identity.  This is a user-only
              option.

       SASL_SECPROPS <&lt;properties>&gt;
              Specifies  Cyrus  SASL security properties. The <&lt;properties>&gt; can
              be specified as a comma-separated list of the following:

              none   (without any  other  properties)  causes  the  properties
                     defaults ("noanonymous,noplain") to be cleared.

              noplain
                     disables   mechanisms   susceptible   to  simple  passive
                     attacks.

              noactive
                     disables mechanisms susceptible to active attacks.

              nodict disables mechanisms  susceptible  to  passive  dictionary
                     attacks.

              noanonymous
                     disables mechanisms which support anonymous login.

              forwardsec
                     requires forward secrecy between sessions.

              passcred
                     requires  mechanisms  which  pass client credentials (and
                     allows mechanisms which can pass credentials to do so).

              minssf=<&lt;factor>&gt;
                     specifies the minimum acceptable security strength factor
                     as an integer approximating the effective key length used
                     for  encryption.   0  (zero)  implies  no  protection,  1
                     implies integrity protection only, 56 allows DES or other
                     weak ciphers, 112 allows  triple  DES  and  other  strong
                     ciphers, 128 allows RC4, Blowfish and other modern strong
                     ciphers.  The default is 0.

              maxssf=<&lt;factor>&gt;
                     specifies the maximum acceptable security strength factor
                     as  an  integer (see minssf description).  The default is
                     INT_MAX.

              maxbufsize=<&lt;factor>&gt;
                     specifies the maximum security layer receive buffer  size
                     allowed.   0  disables  security  layers.  The default is
                     65536.

TLS OPTIONS
       If OpenLDAP is built with Transport Layer Security support,  there  are
       more  options you can specify.  These options are used when an ldaps://
       URI is selected (by default or otherwise) or when the application nego-
       tiates TLS by issuing the LDAP StartTLS operation.

       TLS_CACERT <&lt;filename>&gt;
              Specifies  the  file  that  contains certificates for all of the
              Certificate Authorities the client will recognize.

       TLS_CACERTDIR <&lt;path>&gt;
              Specifies the path of  a  directory  that  contains  Certificate
              Authority   certificates   in  separate  individual  files.  The
              TLS_CACERT is always used before TLS_CACERTDIR.  This  parameter
              is ignored with GNUtls.

       TLS_CERT <&lt;filename>&gt;
              Specifies  the  file that contains the client certificate.  This
              is a user-only option.

       TLS_KEY <&lt;filename>&gt;
              Specifies the file that contains the private  key  that  matches
              the certificate stored in the TLS_CERT file. Currently, the pri-
              vate key must not be protected with a  password,  so  it  is  of
              critical  importance  that  the key file is protected carefully.
              This is a user-only option.

       TLS_CIPHER_SUITE <&lt;cipher-suite-spec>&gt;
              Specifies  acceptable  cipher  suite   and   preference   order.
              <cipher-suite-spec>   should   be  a  cipher  specification  for
              OpenSSL, e.g., HIGH:MEDIUM:+SSLv2.

       TLS_RANDFILE <&lt;filename>&gt;
              Specifies the file to obtain random bits from when  /dev/[u]ran-
              dom is not available. Generally set to the name of the EGD/PRNGD
              socket.  The environment variable RANDFILE can also be  used  to
              specify the filename.  This parameter is ignored with GNUtls.

       TLS_REQCERT <&lt;level>&gt;
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <&lt;level>&gt; can be specified as one of the fol-
              lowing keywords:

              never  The  client will not request or check any server certifi-
                     cate.

              allow  The server certificate is requested. If no certificate is
                     provided,  the  session  proceeds normally. If a bad cer-
                     tificate is provided, it will be ignored and the  session
                     proceeds normally.

              try    The server certificate is requested. If no certificate is
                     provided, the session proceeds normally. If  a  bad  cer-
                     tificate  is  provided, the session is immediately termi-
                     nated.

              demand | hard
                     These keywords are equivalent. The server certificate  is
                     requested.  If  no certificate is provided, or a bad cer-
                     tificate is provided, the session is  immediately  termi-
                     nated. This is the default setting.

       TLS_CRLCHECK <&lt;level>&gt;
              Specifies  if  the  Certificate  Revocation List (CRL) of the CA
              should be used to verify if the  server  certificates  have  not
              been  revoked.  This requires TLS_CACERTDIR parameter to be set.
              This parameter is ignored with GNUtls.  <&lt;level>&gt; can be specified
              as one of the following keywords:

              none   No CRL checks are performed

              peer   Check the CRL of the peer certificate

              all    Check the CRL for a whole certificate chain

       TLS_CRLFILE <&lt;filename>&gt;
              Specifies  the  file containing a Certificate Revocation List to
              be used to verify if  the  server  certificates  have  not  been
              revoked. This parameter is only supported with GNUtls.

ENVIRONMENT VARIABLES
       LDAPNOINIT
              disable all defaulting

       LDAPCONF
              path of a configuration file

       LDAPRC basename of ldaprc file in $HOME or $CWD

       LDAP<option-name>
              Set <option-name> as from ldap.conf

FILES
       /etc/ldap/ldap.conf
              system-wide ldap configuration file

       $HOME/ldaprc, $HOME/.ldaprc
              user ldap configuration file

       $CWD/ldaprc
              local ldap configuration file

SEE ALSO
       ldap(3), ldap_set_option(3), ldap_result(3), openssl(1), sasl(3)

AUTHOR
       Kurt Zeilenga, The OpenLDAP Project

ACKNOWLEDGEMENTS
       OpenLDAP  Software  is developed and maintained by The OpenLDAP Project
       <http://www.openldap.org/>;.  OpenLDAP Software is derived from  Univer-
       sity of Michigan LDAP 3.3 Release.



OpenLDAP 2.4.11                   2008/07/16                      LDAP.CONF(5)