ldap.conf.5 16.1 KB
Newer Older
1
.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
Kurt Zeilenga's avatar
Kurt Zeilenga committed
2
.\" $OpenLDAP$
Quanah Gibson-Mount's avatar
Quanah Gibson-Mount committed
3
.\" Copyright 1998-2021 The OpenLDAP Foundation All Rights Reserved.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
4
.\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
5
.SH NAME
6
ldap.conf, .ldaprc \- LDAP configuration file/environment variables
Kurt Zeilenga's avatar
Kurt Zeilenga committed
7
.SH SYNOPSIS
8
ETCDIR/ldap.conf, ldaprc, .ldaprc, $LDAP<option-name>
Kurt Zeilenga's avatar
Kurt Zeilenga committed
9
.SH DESCRIPTION
10
11
12
If the environment variable \fBLDAPNOINIT\fP is defined, all
defaulting is disabled.
.LP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
13
14
15
16
17
The
.I ldap.conf
configuration file is used to set system-wide defaults to be applied when
running
.I ldap
18
clients.
19
.LP
20
21
Users may create an optional configuration file,
.I ldaprc
22
or
Kurt Zeilenga's avatar
Kurt Zeilenga committed
23
.IR .ldaprc ,
24
in their home directory which will be used to override the system-wide
25
defaults file.
26
The file
27
.I ldaprc
28
in the current working directory is also used.
29
.LP
30
.LP
31
32
Additional configuration files can be specified using
the \fBLDAPCONF\fP and \fBLDAPRC\fP environment variables.
33
34
35
\fBLDAPCONF\fP may be set to the path of a configuration file.  This
path can be absolute or relative to the current working directory.
The \fBLDAPRC\fP, if defined, should be the basename of a file
36
37
38
in the current working directory or in the user's home directory.
.LP
Environmental variables may also be used to augment the file based defaults.
39
40
41
The name of the variable is the option name with an added prefix of \fBLDAP\fP.
For example, to define \fBBASE\fP via the environment, set the variable
\fBLDAPBASE\fP to the desired value.
42
.LP
Howard Chu's avatar
Howard Chu committed
43
Some options are user-only.  Such options are ignored if present
44
in the
45
.I ldap.conf
46
47
(or file specified by
.BR LDAPCONF ).
48
49
50
51
52
53
54
55
.LP
Thus the following files and variables are read, in order:
.nf
    variable     $LDAPNOINIT, and if that is not set:
    system file  ETCDIR/ldap.conf,
    user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
    system file  $LDAPCONF,
    user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
56
    variables    $LDAP<uppercase option name>.
57
58
.fi
Settings late in the list override earlier ones.
59
.SH SYNTAX
60
61
The configuration options are case-insensitive;
their value, on a case by case basis, may be case-sensitive.
62
.LP
63
64
65
Blank lines are ignored.
.br
Lines beginning with a hash mark (`#') are comments, and ignored.
66
67
68
69
70
71
72
73
74
75
76
77
.LP
Valid lines are made of an option's name (a sequence of non-blanks,
conventionally written in uppercase, although not required), 
followed by a value.
The value starts with the first non-blank character after 
the option's name, and terminates at the end of the line, 
or at the last sequence of blanks before the end of the line.
The tokenization of the value, if any, is delegated to the handler(s)
for that option, if any.  Quoting values that contain blanks 
may be incorrect, as the quotes would become part of the value.
For example,

78
79
80
.nf
	# Wrong - erroneous quotes:
	URI     "ldap:// ldaps://"
81

82
83
	# Right - space-separated list of URIs, without quotes:
	URI     ldap:// ldaps://
84

85
86
87
	# Right - DN syntax needs quoting for Example, Inc:
	BASE    ou=IT staff,o="Example, Inc",c=US
	# or:
Ondřej Kuzník's avatar
Ondřej Kuzník committed
88
	BASE    ou=IT staff,o=Example\\2C Inc,c=US
89

90
91
92
	# Wrong - comment on same line as option:
	DEREF   never           # Never follow aliases
.fi
93
94
95
96
97
.LP
A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
on all platforms.
There is no mechanism to split a long line on multiple lines, either for
beautification or to overcome the above limit.
98
.SH OPTIONS
Kurt Zeilenga's avatar
Kurt Zeilenga committed
99
The different configuration options are:
100
.TP
Pierangelo Masarati's avatar
Pierangelo Masarati committed
101
.B URI <ldap[si]://[name[:port]] ...>
102
103
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP 
Pierangelo Masarati's avatar
Pierangelo Masarati committed
104
105
library should connect.  The URI scheme may be any of
.BR ldap ,
106
.B ldaps 
Pierangelo Masarati's avatar
Pierangelo Masarati committed
107
108
109
or
.BR ldapi ,
which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
Pierangelo Masarati's avatar
Pierangelo Masarati committed
110
over IPC (UNIX domain sockets), respectively.
111
112
113
114
115
Each server's name can be specified as a
domain-style name or an IP address literal.  Optionally, the
server's name can followed by a ':' and the port number the LDAP
server is listening on.  If no port number is provided, the default
port for the scheme is used (389 for ldap://, 636 for ldaps://).
Pierangelo Masarati's avatar
Pierangelo Masarati committed
116
For LDAP over IPC,
Pierangelo Masarati's avatar
Pierangelo Masarati committed
117
118
119
.B name 
is the name of the socket, and no
.B port
Pierangelo Masarati's avatar
Pierangelo Masarati committed
120
121
122
is required, nor allowed; note that directory separators must be 
URL-encoded, like any other characters that are special to URLs; 
so the socket
Pierangelo Masarati's avatar
Pierangelo Masarati committed
123
124
125
126
127
128
129

	/usr/local/var/ldapi

must be specified as

	ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi

130
131
A space separated list of URIs may be provided.
.TP
132
133
.B BASE <base>
Specifies the default base DN to use when performing ldap operations.
Kurt Zeilenga's avatar
Kurt Zeilenga committed
134
The base must be specified as a Distinguished Name in LDAP format.
135
136
137
.TP
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
138
The bind DN must be specified as a Distinguished Name in LDAP format.
Howard Chu's avatar
Howard Chu committed
139
.B This is a user-only option.
140
.TP
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
.B DEREF <when>
Specifies how alias dereferencing is done when performing a search. The
.B <when>
can be specified as one of the following keywords:
.RS
.TP
.B never
Aliases are never dereferenced. This is the default.
.TP
.B searching
Aliases are dereferenced in subordinates of the base object, but
not in locating the base object of the search.
.TP
.B finding
Aliases are only dereferenced when locating the base object of the search.
.TP
.B always
Aliases are dereferenced both in searching and in locating the base object
of the search.
.RE
.TP
.TP
163
164
.B HOST <name[:port] ...>
Specifies the name(s) of an LDAP server(s) to which the
165
.I LDAP 
166
167
library should connect.  Each server's name can be specified as a
domain-style name or an IP address and optionally followed by a ':' and
Kurt Zeilenga's avatar
Kurt Zeilenga committed
168
the port number the ldap server is listening on.  A space separated
169
list of hosts may be provided.
170
171
.B HOST
is deprecated in favor of
172
.BR URI .
173
.TP
174
175
176
177
178
179
180
181
182
183
184
185
.B _KEEPALIVE_IDLE
Sets/gets the number of seconds a connection needs to remain idle
before TCP starts sending keepalive probes. Linux only.
.TP
.B KEEPALIVE_PROBES
Sets/gets the maximum number of keepalive probes TCP should send
before dropping the connection. Linux only.
.TP
.B KEEPALIVE_INTERVAL
Sets/gets the interval in seconds between individual keepalive probes.
Linux only.
.TP
186
187
188
189
.B NETWORK_TIMEOUT <integer>
Specifies the timeout (in seconds) after which the poll(2)/select(2)
following a connect(2) returns in case of no activity.
.TP
190
191
.B PORT <port>
Specifies the default port used when connecting to LDAP servers(s).
Kurt Zeilenga's avatar
Kurt Zeilenga committed
192
The port may be specified as a number.
193
194
195
196
.B PORT
is deprecated in favor of
.BR URI.
.TP
Hallvard Furuseth's avatar
Hallvard Furuseth committed
197
198
199
200
201
202
203
.B REFERRALS <on/true/yes/off/false/no>
Specifies if the client should automatically follow referrals returned
by LDAP servers.
The default is on.
Note that the command line tools
.BR ldapsearch (1)
&co always override this option.
204
205
206
207
.\" This should only be allowed via ldap_set_option(3)
.\".TP
.\".B RESTART <on/true/yes/off/false/no>
.\"Determines whether the library should implicitly restart connections (FIXME).
208
.TP
209
.B SIZELIMIT <integer>
210
211
212
213
214
Specifies a size limit (number of entries) to use when performing searches.
The number should be a non-negative integer.  \fISIZELIMIT\fP of zero (0)
specifies a request for unlimited search size.  Please note that the server
may still apply any server-side limit on the amount of entries that can be 
returned by a search operation.
215
216
.TP
.B TIMELIMIT <integer>
217
218
219
220
Specifies a time limit (in seconds) to use when performing searches.
The number should be a non-negative integer.  \fITIMELIMIT\fP of zero (0)
specifies unlimited search time to be used.  Please note that the server
may still apply any server-side limit on the duration of a search operation.
221
.TP
222
223
224
225
.B VERSION {2|3}
Specifies what version of the LDAP protocol should be used.
.TP
.B TIMEOUT <integer>
226
227
228
229
Specifies a timeout (in seconds) after which calls to synchronous LDAP
APIs will abort if no response is received.  Also used for any
.BR ldap_result (3)
calls where a NULL timeout parameter is supplied.
230
231
232
233
234
235
236
237
238
239
240
241
.SH SASL OPTIONS
If OpenLDAP is built with Simple Authentication and Security Layer support,
there are more options you can specify.
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
Howard Chu's avatar
Howard Chu committed
242
.B This is a user-only option.
243
244
245
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
Howard Chu's avatar
Howard Chu committed
246
.B This is a user-only option.
247
248
249
250
251
252
253
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The 
.B <properties>
can be specified as a comma-separated list of the following:
.RS
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
254
.B none
255
(without any other properties) causes the properties
Kurt Zeilenga's avatar
Kurt Zeilenga committed
256
defaults ("noanonymous,noplain") to be cleared.
257
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
258
.B noplain
259
260
disables mechanisms susceptible to simple passive attacks.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
261
.B noactive
262
263
disables mechanisms susceptible to active attacks.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
264
.B nodict
265
266
267
268
269
disables mechanisms susceptible to passive dictionary attacks.
.TP
.B noanonymous
disables mechanisms which support anonymous login.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
270
.B forwardsec
271
272
requires forward secrecy between sessions.
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
273
.B passcred
274
requires mechanisms which pass client credentials (and allows
Kurt Zeilenga's avatar
Kurt Zeilenga committed
275
mechanisms which can pass credentials to do so).
276
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
277
.B minssf=<factor> 
278
specifies the minimum acceptable
Kurt Zeilenga's avatar
Kurt Zeilenga committed
279
.I security strength factor
280
as an integer approximate to effective key length used for
Kurt Zeilenga's avatar
Kurt Zeilenga committed
281
encryption.  0 (zero) implies no protection, 1 implies integrity
282
283
protection only, 128 allows RC4, Blowfish and other similar ciphers,
256 will require modern ciphers.  The default is 0.
284
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
285
.B maxssf=<factor> 
286
specifies the maximum acceptable
Kurt Zeilenga's avatar
Kurt Zeilenga committed
287
.I security strength factor
288
289
290
291
292
as an integer (see
.B minssf
description).  The default is
.BR INT_MAX .
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
293
.B maxbufsize=<factor> 
294
specifies the maximum security layer receive buffer
Kurt Zeilenga's avatar
Kurt Zeilenga committed
295
size allowed.  0 disables security layers.  The default is 65536.
296
.RE
297
298
299
.TP
.B SASL_NOCANON <on/true/yes/off/false/no>
Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
300
301
302
.TP
.B SASL_CBINDING <none/tls-unique/tls-endpoint>
The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
303
304
305
306
307
308
309
310
311
312
313
314
315
.SH GSSAPI OPTIONS
If OpenLDAP is built with Generic Security Services Application Programming Interface support,
there are more options you can specify.
.TP
.B GSSAPI_SIGN <on/true/yes/off/false/no>
Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
The default is off.
.TP
.B GSSAPI_ENCRYPT <on/true/yes/off/false/no>
Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
should be used. The default is off.
.TP
.B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
316
Specifies if GSSAPI based authentication should try to form the
317
318
target principal name out of the ldapServiceName or dnsHostName
attribute of the targets RootDSE entry. The default is off.
319
.SH TLS OPTIONS
320
If OpenLDAP is built with Transport Layer Security support, there
Kurt Zeilenga's avatar
Kurt Zeilenga committed
321
322
323
are more options you can specify.  These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
Kurt Zeilenga's avatar
Kurt Zeilenga committed
324
negotiates TLS by issuing the LDAP StartTLS operation.
325
326
327
328
329
330
331
332
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
Authorities the client will recognize.
.TP
.B TLS_CACERTDIR <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. The
Howard Chu's avatar
Howard Chu committed
333
334
.B TLS_CACERT
is always used before
335
336
337
.B TLS_CACERTDIR.
.TP
.B TLS_CERT <filename>
338
Specifies the file that contains the client certificate.
Howard Chu's avatar
Howard Chu committed
339
.B This is a user-only option.
340
.TP
341
342
343
344
345
346
.B TLS_ECNAME <name>
Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange.  This option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
347
348
349
350
351
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
352
it is of critical importance that the key file is protected carefully.
Howard Chu's avatar
Howard Chu committed
353
.B This is a user-only option.
354
.TP
355
356
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
Howard Chu's avatar
Howard Chu committed
357
<cipher-suite-spec> should be a cipher specification for 
358
the TLS library in use (OpenSSL or GnuTLS).
359
360
361
362
363
364
365
Example:
.RS
.RS
.TP
.I OpenSSL:
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
.TP
Howard Chu's avatar
Howard Chu committed
366
.I GnuTLS:
367
368
TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
.RE
369

370
To check what ciphers a given spec selects in OpenSSL, use:
371
372

.nf
Howard Chu's avatar
Howard Chu committed
373
	openssl ciphers \-v <cipher-suite-spec>
374
375
.fi

Howard Chu's avatar
Howard Chu committed
376
With GnuTLS the available specs can be found in the manual page of 
377
378
379
380
381
.BR gnutls\-cli (1)
(see the description of the 
option
.BR \-\-priority ).

Howard Chu's avatar
Howard Chu committed
382
In older versions of GnuTLS, where gnutls\-cli does not support the option
383
\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
384
385

.nf
386
	gnutls\-cli \-l
387
.fi
388
.RE
389
.TP
390
.B TLS_PROTOCOL_MIN <major>[.<minor>]
Howard Chu's avatar
Howard Chu committed
391
Specifies minimum SSL/TLS protocol version that will be negotiated.
392
393
394
395
If the server doesn't support at least that version,
the SSL handshake will fail.
To require TLS 1.x or higher, set this option to 3.(x+1),
e.g.,
396
397
398
399
400

.nf
	TLS_PROTOCOL_MIN 3.2
.fi

401
402
would require TLS 1.1.
Specifying a minimum that is higher than that supported by the
Howard Chu's avatar
Howard Chu committed
403
OpenLDAP implementation will result in it requiring the
404
highest level that it does support.
Howard Chu's avatar
Howard Chu committed
405
This parameter is ignored with GnuTLS.
406
.TP
407
408
409
410
.B TLS_RANDFILE <filename>
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
411
This parameter is ignored with GnuTLS.
412
413
.TP
.B TLS_REQCERT <level>
414
415
Specifies what checks to perform on server certificates in a TLS session.
The
416
417
418
419
420
421
422
423
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
The client will not request or check any server certificate.
.TP
.B allow
424
The server certificate is requested. If a bad certificate is provided, it will
425
426
427
be ignored and the session proceeds normally.
.TP
.B try
428
The server certificate is requested. If a bad certificate is provided,
429
430
431
the session is immediately terminated.
.TP
.B demand | hard
432
433
434
These keywords are equivalent and the same as
.BR try .
This is the default setting.
Hallvard Furuseth's avatar
Hallvard Furuseth committed
435
.RE
436
.TP
Howard Chu's avatar
Howard Chu committed
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
.B TLS_REQSAN <level>
Specifies what checks to perform on the subjectAlternativeName
(SAN) extensions in a server certificate when validating the certificate
name against the specified hostname of the server. The
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
The client will not check any SAN in the certificate.
.TP
.B allow
The SAN is checked against the specified hostname. If a SAN is
present but none match the specified hostname, the SANs are ignored
and the usual check against the certificate DN is used.
This is the default setting.
.TP
.B try
The SAN is checked against the specified hostname. If no SAN is present
in the server certificate, the usual check against the certificate DN
is used. If a SAN is present but doesn't match the specified hostname,
the session is immediately terminated. This setting may be preferred
when a mix of certs with and without SANs are in use.
.TP
.B demand | hard
These keywords are equivalent. The SAN is checked against the specified
hostname. If no SAN is present in the server certificate, or no SANs
match, the session is immediately terminated. This setting should be
used when only certificates with SANs are in use.
.RE
.TP
468
469
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be 
Hallvard Furuseth's avatar
Hallvard Furuseth committed
470
used to verify if the server certificates have not been revoked. This
471
472
requires
.B TLS_CACERTDIR
473
parameter to be set. This parameter is ignored with GnuTLS.
474
475
476
477
478
479
480
481
482
483
484
485
486
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B none
No CRL checks are performed
.TP
.B peer
Check the CRL of the peer certificate
.TP
.B all
Check the CRL for a whole certificate chain
.RE
Howard Chu's avatar
Howard Chu committed
487
488
489
490
.TP
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
491
parameter is only supported with GnuTLS.
492
493
494
495
496
497
498
499
500
501
502
503
504
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
disable all defaulting
.TP
LDAPCONF
path of a configuration file
.TP
LDAPRC
basename of ldaprc file in $HOME or $CWD
.TP
LDAP<option-name>
Set <option-name> as from ldap.conf
Kurt Zeilenga's avatar
Kurt Zeilenga committed
505
.SH FILES
506
.TP
Kurt Zeilenga's avatar
Kurt Zeilenga committed
507
.I  ETCDIR/ldap.conf
508
509
510
511
512
513
514
system-wide ldap configuration file
.TP
.I  $HOME/ldaprc, $HOME/.ldaprc
user ldap configuration file
.TP
.I  $CWD/ldaprc
local ldap configuration file
Kurt Zeilenga's avatar
Kurt Zeilenga committed
515
.SH "SEE ALSO"
Hallvard Furuseth's avatar
Hallvard Furuseth committed
516
.BR ldap (3),
517
518
.BR ldap_set_option (3),
.BR ldap_result (3),
Hallvard Furuseth's avatar
Hallvard Furuseth committed
519
520
.BR openssl (1),
.BR sasl (3)
Kurt Zeilenga's avatar
Kurt Zeilenga committed
521
522
523
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
Kurt Zeilenga's avatar
Kurt Zeilenga committed
524
.so ../Project