unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OpenBSD-5.7)
Page:
Section:
Apropos / Subsearch:
optional field

LDAPD.CONF(5)               BSD File Formats Manual              LDAPD.CONF(5)

NAME
     ldapd.conf -- Lightweight Directory Access Protocol daemon configuration
     file

DESCRIPTION
     ldapd.conf is the configuration file for the LDAP daemon ldapd(8).

     The current line can be extended over multiple lines using a backslash
     ('\').  Comments can be put anywhere in the file using a hash mark ('#'),
     and extend to the end of the current line.  Care should be taken when
     commenting out multi-line text: the comment is effective until the end of
     the entire block.

     Argument names not beginning with a letter, digit, or underscore must be
     quoted.  Arguments containing whitespace should be surrounded by double
     quotes (").

     Macros can be defined that will later be expanded in context.  Macro
     names must start with a letter, digit, or underscore, and may contain any
     of those characters.  Macro names may not be reserved words (for example
     listen, namespace, port).  Macros are not expanded inside quotes.

     For example:

           wan_if = "fxp0"
           listen on $wan_if
           listen on $wan_if tls

     Additional configuration files can be included with the include keyword,
     for example:

           include "/etc/ldap/sub.namespace.conf"

     Additional schema files can be included with the schema keyword, for
     example:

           schema "/etc/ldap/inetorgperson.schema"

     The syntax of ldapd.conf is described below.

GLOBAL CONFIGURATION
     listen on interface [port port] [tls | ldaps | secure] [certificate name]
             Specify an interface and port to listen on.  An IP address,
             domain name or absolute path may be used in place of interface.
             An absolute path is used to listen on a unix domain socket.

             Secured connections are provided either using STARTTLS (tls), by
             default on port 389, or LDAPS (ldaps), by default on port 636.
             Creation of certificates is documented in starttls(8).  If no
             certificate name is specified, the /etc/ldap/certs directory is
             searched for a file named by joining the interface name with a
             .crt extension, e.g. /etc/ldap/certs/fxp0.crt.

             If the certificate name is an absolute path, a .crt and .key
             extension is appended to form the certificate path and key path
             respectively.

             Only secured connections accept plain text password authentica-
             tion.  Connections using TLS or unix domain sockets are always
             considered secured.  The secure keyword can be used to mark an
             otherwise insecure connection secured, e.g. if IPsec is used.

     referral URL
             Specify a default referral.  If no namespace matches the base DN
             in a request, the request is delegated to another LDAP server
             instead of returning an error.

             This option can be given multiple times, in which case the URLs
             are considered equal.  Clients may choose to follow any of the
             referral URLs.

             The URL format has the following format:

                   ldap://ldap.example.com
                   ldaps://ldap.example.com:3890

     rootdn dn
             Specify the distinguished name of the root user for all names-
             paces.  The root user is always allowed to read and write entries
             in all local namespaces.

     rootpw password
             Password for the root user.  Specified either in plain text, or
             in hashed format.  See AUTHENTICATION in ldapd(8).

     schema filename
             Add schema definitions from the specified file.  For a descrip-
             tion of the schema file syntax see SCHEMA below.

NAMESPACES
     A namespace is a subtree of the global X.500 DIT (Directory Information
     Tree), also known as a naming context.  All entries' distinguished names
     (DN) has the same suffix, which is used to identify the namespace.  The
     suffix should consist of the domain components, in reverse order, of your
     domain name, as recommended by RFC 2247.

           namespace "dc=example,dc=com" {
                   rootdn "cn=admin,dc=example,dc=com"
                   rootpw "secret"
           }

     When matching requests against namespace suffixes, the most specific
     match is used.  Each namespace stores data in a separate database file.

     A namespace has the following configuration properties:

     referral URL
             Specify a referral to return for requests matching the suffix.

     rootdn dn
             Specify the distinguished name of the root user for the names-
             pace.  The root user is always allowed to read and write entries
             in the namespace.  The distinguished name must have the same suf-
             fix as the namespace.

     rootpw password
             Password for the root user.  Specified either in plain text, or
             in hashed format.  See AUTHENTICATION in ldapd(8).

     index attribute
             Maintain an index on the specified attribute.  This index can be
             used for equality, presence, prefix substring and range searches.
             ldapd(8) will update the index on each modification.  If you add
             an index to an existing namespace, you need to run ldapctl(8) to
             index the existing entries.

     fsync on | off
             If off, data will not be forced to disk after each commit.  Dis-
             abling fsync can increase write speed substantially, but may lead
             to data loss.  The default value is on.

     cache-size size
             Set the cache size for data entries.  The size is specified in
             number of pages.  Note that more than the configured number of
             pages may exist in the cache, as dirty pages and pages referenced
             by cursors are excluded from cache expiration.

             Cached pages are expired in a least recently used (LRU) order.

     index-cache-size size
             Set the cache size for the index database.

     relax schema
             Disables checking of required and optional object attributes
             against schema.  All attributes and values are matched as case-
             insensitive strings.  All attributes are considered multi-valued.

     strict schema
             Enables checking of required and optional object attributes
             against schema.  This is the default.

     allow | deny
             Allow or deny access to parts of the namespace.

             Each request to the ldapd(8) daemon evaluates the filter rules in
             sequential order, from first to last.  The last matching rule
             decides what action is taken.  If no rule matches the request,
             the default action is to allow the request.  The root DN is
             always allowed to perform any request.

             The allow/deny statement operates on all access types by default.
             This can be restricted by an access type specification:

             read access
                     Restricts the filter rule to search operations.

             write access
                     Restricts the filter rule to add, delete and modify oper-
                     ations.

             bind access
                     Restricts the filter rule to bind operations.

             The scope of the filter rule can be restricted by the to keyword:

             to subtree DN
                     The filter rule applies to the distinguished name, as
                     well as for all its descendants.

             to children of DN
                     The filter rule applies to all the direct children of the
                     distinguished name.

             to DN   The filter rule applies to the distinguished name only.

             to any  The filter rule applies to any distinguished name in the
                     namespace.  This is the default if no scope is specified.

             to root
                     The filter rule applies to the root DSE.

             Finally, the filter rule can match a bind DN:

             by any  The filter rule matches by any bind dn, including anony-
                     mous binds.

             by DN   The filter rule matches only if the requestor has previ-
                     ously performed a bind as the specified distinguished
                     name.

             by self
                     The filter rule matches only if the requestor has previ-
                     ously performed a bind as the distinguished name that is
                     being requested.  Typically used to allow users to modify
                     their own data.

     use compression [level level]
             Enable compression of entries and optionally specify compression
             level (0 - 9).  By default, no compression is used.

SCHEMA
     Schema files define the structure and format of entries in the directory
     tree.  There are three types of definitions in a schema file:

     attributetype
             (oid [NAME name] [DESC description] [OBSOLETE] [SUP oid]
             [EQUALITY oid] [ORDERING oid] [SUBSTR oid] [SYNTAX oid]
             [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE
             {userApplications | directoryOperation | distributedOperation |
             dSAOperation}])

             An attribute type definition specifies the syntax of attribute
             values, whether it allows multiple values and how it can be com-
             pared in search requests.  For a complete description of
             attribute type definitions, see section 4.1.2 in RFC 4512.

     objectclass
             (oid [NAME name] [DESC description] [OBSOLETE] [SUP oids]
             [{ABSTRACT | STRUCTURAL | AUXILIARY}] [MUST oids] [MAY oids])

             An object class definition specifies which attributes are
             required and which are allowed.  For a complete description of
             object class definitions, see section 4.1.1 in RFC 4512.

     objectidentifier symbolic-name OID
             Defines a symbolic name for the object identifier.  A symbolic
             name can be used in place of a numeric OID in definitions of
             attribute types, object classes and other symbolic OIDs.  A
             descendant OID can be defined in terms of another symbolic OID by
             appending a numeric OID after a colon, for example:

                   objectidentifier MyOidRoot 1.2.3.4
                   objectidentifier MyOidAttributes MyOidRoot:5.6
                   objectidentifier MyOidObjects MyOidRoot:7

             This would define MyOidAttributes as a symbolic name for the OID
             1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.

FILES
     /etc/ldapd.conf          Default ldapd(8) configuration file.
     /etc/ldap/*.schema       Default schema definition files.

SEE ALSO
     ldapctl(8), ldapd(8)

STANDARDS
     K. Zeilenga, Lightweight Directory Access Protocol (LDAP): Directory
     Information Models, RFC 4512, June 2006.

HISTORY
     The ldapd.conf file format first appeared in OpenBSD 4.8.

BSD                              June 11, 2014                             BSD