mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
323 lines
9.6 KiB
Groff
323 lines
9.6 KiB
Groff
.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
|
|
.\" $OpenLDAP$
|
|
.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
|
|
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
|
|
.UC 6
|
|
.SH NAME
|
|
ldap.conf, .ldaprc \- ldap configuration file
|
|
.SH SYNOPSIS
|
|
ETCDIR/ldap.conf, .ldaprc
|
|
.SH DESCRIPTION
|
|
If the environment variable \fBLDAPNOINIT\fP is defined, all
|
|
defaulting is disabled.
|
|
.LP
|
|
The
|
|
.I ldap.conf
|
|
configuration file is used to set system-wide defaults to be applied when
|
|
running
|
|
.I ldap
|
|
clients.
|
|
.LP
|
|
Users may create an optional configuration file,
|
|
.I ldaprc
|
|
or
|
|
.IR .ldaprc ,
|
|
in their home directory which will be used to override the system-wide
|
|
defaults file.
|
|
The file
|
|
.I ldaprc
|
|
in the current working directory is also used.
|
|
.LP
|
|
.LP
|
|
Additional configuration files can be specified using
|
|
the \fBLDAPCONF\fP and \fBLDAPRC\fP environment variables.
|
|
\fBLDAPCONF\fP may be set to the path of a configuration file. This
|
|
path can be absolute or relative to the current working directory.
|
|
The \fBLDAPRC\fP, if defined, should be the basename of a file
|
|
in the current working directory or in the user's home directory.
|
|
.LP
|
|
Environmental variables may also be used to augment the file based defaults.
|
|
The name of the variable is the option name with an added prefix of \fBLDAP\fP.
|
|
For example, to define \fBBASE\fP via the environment, set the variable
|
|
\fBLDAPBASE\fP to the desired value.
|
|
.LP
|
|
Some options are user\-only. Such options are ignored if present
|
|
in the
|
|
.I ldap.conf
|
|
(or file specified by
|
|
.BR LDAPCONF ).
|
|
.SH OPTIONS
|
|
The configuration options are case-insensitive;
|
|
their value, on a case by case basis, may be case-sensitive.
|
|
The different configuration options are:
|
|
.TP
|
|
.B URI <ldap[s]://[name[:port]] ...>
|
|
Specifies the URI(s) of an LDAP server(s) to which the
|
|
.I LDAP
|
|
library should connect. The URI scheme may be either
|
|
.B ldap
|
|
or
|
|
.B ldaps
|
|
which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
|
|
Each server's name can be specified as a
|
|
domain-style name or an IP address literal. Optionally, the
|
|
server's name can followed by a ':' and the port number the LDAP
|
|
server is listening on. If no port number is provided, the default
|
|
port for the scheme is used (389 for ldap://, 636 for ldaps://).
|
|
A space separated list of URIs may be provided.
|
|
.TP
|
|
.B BASE <base>
|
|
Specifies the default base DN to use when performing ldap operations.
|
|
The base must be specified as a Distinguished Name in LDAP format.
|
|
.TP
|
|
.B BINDDN <dn>
|
|
Specifies the default bind DN to use when performing ldap operations.
|
|
The bind DN must be specified as a Distinguished Name in LDAP format.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B HOST <name[:port] ...>
|
|
Specifies the name(s) of an LDAP server(s) to which the
|
|
.I LDAP
|
|
library should connect. Each server's name can be specified as a
|
|
domain-style name or an IP address and optionally followed by a ':' and
|
|
the port number the ldap server is listening on. A space separated
|
|
list of hosts may be provided.
|
|
.B HOST
|
|
is deprecated in favor of
|
|
.BR URI .
|
|
.TP
|
|
.B PORT <port>
|
|
Specifies the default port used when connecting to LDAP servers(s).
|
|
The port may be specified as a number.
|
|
.B PORT
|
|
is deprecated in favor of
|
|
.BR URI.
|
|
.TP
|
|
.B REFERRALS <on/true/yes/off/false/no>
|
|
Specifies if the client should automatically follow referrals returned
|
|
by LDAP servers.
|
|
The default is on.
|
|
Note that the command line tools
|
|
.BR ldapsearch (1)
|
|
&co always override this option.
|
|
.TP
|
|
.B SIZELIMIT <integer>
|
|
Specifies a size limit to use when performing searches. The
|
|
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
|
|
specifies unlimited search size.
|
|
.TP
|
|
.B TIMELIMIT <integer>
|
|
Specifies a time limit to use when performing searches. The
|
|
number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
|
|
specifies unlimited search time to be used.
|
|
.TP
|
|
.B DEREF <when>
|
|
Specifies how alias dereferencing is done when performing a search. The
|
|
.B <when>
|
|
can be specified as one of the following keywords:
|
|
.RS
|
|
.TP
|
|
.B never
|
|
Aliases are never dereferenced. This is the default.
|
|
.TP
|
|
.B searching
|
|
Aliases are dereferenced in subordinates of the base object, but
|
|
not in locating the base object of the search.
|
|
.TP
|
|
.B finding
|
|
Aliases are only dereferenced when locating the base object of the search.
|
|
.TP
|
|
.B always
|
|
Aliases are dereferenced both in searching and in locating the base object
|
|
of the search.
|
|
.RE
|
|
.SH SASL OPTIONS
|
|
If OpenLDAP is built with Simple Authentication and Security Layer support,
|
|
there are more options you can specify.
|
|
.TP
|
|
.B SASL_MECH <mechanism>
|
|
Specifies the SASL mechanism to use.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B SASL_REALM <realm>
|
|
Specifies the SASL realm.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B SASL_AUTHCID <authcid>
|
|
Specifies the authentication identity.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B SASL_AUTHZID <authcid>
|
|
Specifies the proxy authorization identity.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B SASL_SECPROPS <properties>
|
|
Specifies Cyrus SASL security properties. The
|
|
.B <properties>
|
|
can be specified as a comma-separated list of the following:
|
|
.RS
|
|
.TP
|
|
.B none
|
|
(without any other properties) causes the properties
|
|
defaults ("noanonymous,noplain") to be cleared.
|
|
.TP
|
|
.B noplain
|
|
disables mechanisms susceptible to simple passive attacks.
|
|
.TP
|
|
.B noactive
|
|
disables mechanisms susceptible to active attacks.
|
|
.TP
|
|
.B nodict
|
|
disables mechanisms susceptible to passive dictionary attacks.
|
|
.TP
|
|
.B noanonymous
|
|
disables mechanisms which support anonymous login.
|
|
.TP
|
|
.B forwardsec
|
|
requires forward secrecy between sessions.
|
|
.TP
|
|
.B passcred
|
|
requires mechanisms which pass client credentials (and allows
|
|
mechanisms which can pass credentials to do so).
|
|
.TP
|
|
.B minssf=<factor>
|
|
specifies the minimum acceptable
|
|
.I security strength factor
|
|
as an integer approximating the effective key length used for
|
|
encryption. 0 (zero) implies no protection, 1 implies integrity
|
|
protection only, 56 allows DES or other weak ciphers, 112
|
|
allows triple DES and other strong ciphers, 128 allows RC4,
|
|
Blowfish and other modern strong ciphers. The default is 0.
|
|
.TP
|
|
.B maxssf=<factor>
|
|
specifies the maximum acceptable
|
|
.I security strength factor
|
|
as an integer (see
|
|
.B minssf
|
|
description). The default is
|
|
.BR INT_MAX .
|
|
.TP
|
|
.B maxbufsize=<factor>
|
|
specifies the maximum security layer receive buffer
|
|
size allowed. 0 disables security layers. The default is 65536.
|
|
.RE
|
|
.SH TLS OPTIONS
|
|
If OpenLDAP is built with Transport Layer Security support, there
|
|
are more options you can specify. These options are used when an
|
|
.B ldaps:// URI
|
|
is selected (by default or otherwise) or when the application
|
|
negotiates TLS by issuing the LDAP StartTLS operation.
|
|
.TP
|
|
.B TLS_CACERT <filename>
|
|
Specifies the file that contains certificates for all of the Certificate
|
|
Authorities the client will recognize.
|
|
.TP
|
|
.B TLS_CACERTDIR <path>
|
|
Specifies the path of a directory that contains Certificate Authority
|
|
certificates in separate individual files. The
|
|
.B TLS_CACERT
|
|
is always used before
|
|
.B TLS_CACERTDIR.
|
|
.TP
|
|
.B TLS_CERT <filename>
|
|
Specifies the file that contains the client certificate.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B TLS_KEY <filename>
|
|
Specifies the file that contains the private key that matches the certificate
|
|
stored in the
|
|
.B TLS_CERT
|
|
file. Currently, the private key must not be protected with a password, so
|
|
it is of critical importance that the key file is protected carefully.
|
|
.B This is a user\-only option.
|
|
.TP
|
|
.B TLS_CIPHER_SUITE <cipher-suite-spec>
|
|
Specifies acceptable cipher suite and preference order.
|
|
<cipher-suite-spec> should be a cipher specification for OpenSSL,
|
|
e.g., HIGH:MEDIUM:+SSLv2.
|
|
.TP
|
|
.B TLS_RANDFILE <filename>
|
|
Specifies the file to obtain random bits from when /dev/[u]random is
|
|
not available. Generally set to the name of the EGD/PRNGD socket.
|
|
The environment variable RANDFILE can also be used to specify the filename.
|
|
.TP
|
|
.B TLS_REQCERT <level>
|
|
Specifies what checks to perform on server certificates in a TLS session,
|
|
if any. The
|
|
.B <level>
|
|
can be specified as one of the following keywords:
|
|
.RS
|
|
.TP
|
|
.B never
|
|
The client will not request or check any server certificate.
|
|
.TP
|
|
.B allow
|
|
The server certificate is requested. If no certificate is provided,
|
|
the session proceeds normally. If a bad certificate is provided, it will
|
|
be ignored and the session proceeds normally.
|
|
.TP
|
|
.B try
|
|
The server certificate is requested. If no certificate is provided,
|
|
the session proceeds normally. If a bad certificate is provided,
|
|
the session is immediately terminated.
|
|
.TP
|
|
.B demand | hard
|
|
These keywords are equivalent. The server certificate is requested. If no
|
|
certificate is provided, or a bad certificate is provided, the session
|
|
is immediately terminated. This is the default setting.
|
|
.RE
|
|
.TP
|
|
.B TLS_CRLCHECK <level>
|
|
Specifies if the Certificate Revocation List (CRL) of the CA should be
|
|
used to verify if the server certificates have not been revoked. This
|
|
requires
|
|
.B TLS_CACERTDIR
|
|
parameter to be set.
|
|
.B <level>
|
|
can be specified as one of the following keywords:
|
|
.RS
|
|
.TP
|
|
.B none
|
|
No CRL checks are performed
|
|
.TP
|
|
.B peer
|
|
Check the CRL of the peer certificate
|
|
.TP
|
|
.B all
|
|
Check the CRL for a whole certificate chain
|
|
.RE
|
|
.SH "ENVIRONMENT VARIABLES"
|
|
.TP
|
|
LDAPNOINIT
|
|
disable all defaulting
|
|
.TP
|
|
LDAPCONF
|
|
path of a configuration file
|
|
.TP
|
|
LDAPRC
|
|
basename of ldaprc file in $HOME or $CWD
|
|
.TP
|
|
LDAP<option-name>
|
|
Set <option-name> as from ldap.conf
|
|
.SH FILES
|
|
.TP
|
|
.I ETCDIR/ldap.conf
|
|
system-wide ldap configuration file
|
|
.TP
|
|
.I $HOME/ldaprc, $HOME/.ldaprc
|
|
user ldap configuration file
|
|
.TP
|
|
.I $CWD/ldaprc
|
|
local ldap configuration file
|
|
.SH "SEE ALSO"
|
|
.BR ldap (3),
|
|
.BR openssl (1),
|
|
.BR sasl (3)
|
|
.SH AUTHOR
|
|
Kurt Zeilenga, The OpenLDAP Project
|
|
.SH ACKNOWLEDGEMENTS
|
|
.B OpenLDAP
|
|
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
|
|
.B OpenLDAP
|
|
is derived from University of Michigan LDAP 3.3 Release.
|