LinuxGuruz
  • Last 5 Forum Topics
    Replies
    Views
    Last post


The Web Only This Site
  • BOOKMARK

  • ADD TO FAVORITES

  • REFERENCES


  • MARC

    Mailing list ARChives
    - Search by -
     Subjects
     Authors
     Bodies





    FOLDOC

    Computing Dictionary




  • Text Link Ads






  • LINUX man pages
  • Linux Man Page Viewer


    The following form allows you to view linux man pages.

    Command:

    ldap.conf

    
    
    

    SYNOPSIS

           /etc/openldap/ldap.conf, ldaprc, .ldaprc, $LDAP<option-name>
    
    
    

    DESCRIPTION

           If  the  environment  variable LDAPNOINIT is defined, all defaulting is
           disabled.
    
           The ldap.conf configuration file is used to set system-wide defaults to
           be applied when running ldap clients.
    
           Users  may create an optional configuration file, ldaprc or .ldaprc, in
           their home directory which will be used  to  override  the  system-wide
           defaults  file.   The  file  ldaprc in the current working directory is
           also used.
    
           Additional configuration files can be specified using the LDAPCONF  and
           LDAPRC  environment  variables.   LDAPCONF  may be set to the path of a
           configuration file.  This path can be absolute or relative to the  cur-
           rent working directory.  The LDAPRC, if defined, should be the basename
           of a file in the current working directory or in the user's home direc-
           tory.
    
           Environmental  variables  may  also  be  used to augment the file based
           defaults.  The name of the variable is the option name  with  an  added
           prefix  of  LDAP.  For example, to define BASE via the environment, set
           the variable LDAPBASE to the desired value.
    
           Some options are user-only.  Such options are ignored if present in the
           ldap.conf (or file specified by LDAPCONF).
    
           Thus the following files and variables are read, in order:
               variable     $LDAPNOINIT, and if that is not set:
               system file  /etc/openldap/ldap.conf,
               user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
               system file  $LDAPCONF,
               user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
               variables    $LDAP<uppercase option name>.
           Settings late in the list override earlier ones.
    
    
    

    SYNTAX

           The  configuration options are case-insensitive; their value, on a case
           by case basis, may be case-sensitive.
    
           Blank lines are ignored.
           Lines beginning with a hash mark ('#') are comments, and ignored.
    
           Valid lines are made of an option's name  (a  sequence  of  non-blanks,
           conventionally  written  in uppercase, although not required), followed
           by a value.  The value starts with the first non-blank character  after
           the  option's  name,  and  terminates at the end of the line, or at the
           last sequence of blanks before the end of the line.   The  tokenization
    
                # Wrong - comment on same line as option:
                DEREF   never           # Never follow aliases
    
           A  line  cannot be longer than LINE_MAX, which should be more than 2000
           bytes on all platforms.  There is no mechanism to split a long line  on
           multiple  lines,  either  for  beautification  or to overcome the above
           limit.
    
    
    

    OPTIONS

           The different configuration options are:
    
           URI <ldap[si]://[name[:port]] ...>
                  Specifies the URI(s) of an LDAP  server(s)  to  which  the  LDAP
                  library  should  connect.   The  URI  scheme may be any of ldap,
                  ldaps or ldapi, which refer to LDAP  over  TCP,  LDAP  over  SSL
                  (TLS)  and  LDAP  over  IPC (UNIX domain sockets), respectively.
                  Each server's name can be specified as a domain-style name or an
                  IP  address literal.  Optionally, the server's name can followed
                  by a ':' and the port number the LDAP server  is  listening  on.
                  If  no  port number is provided, the default port for the scheme
                  is used (389 for ldap://, 636 for ldaps://).  For LDAP over IPC,
                  name  is  the  name  of the socket, and no port is required, nor
                  allowed; note that directory  separators  must  be  URL-encoded,
                  like  any  other  characters  that  are  special to URLs; so the
                  socket
    
                       /usr/local/var/ldapi
    
                  must be specified as
    
                       ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
    
                  A space separated list of URIs may be provided.
    
           BASE <base>
                  Specifies the default base DN to use when performing ldap opera-
                  tions.   The  base  must be specified as a Distinguished Name in
                  LDAP format.
    
           BINDDN <dn>
                  Specifies the default bind DN to use when performing ldap opera-
                  tions.  The bind DN must be specified as a Distinguished Name in
                  LDAP format.  This is a user-only option.
    
           DEREF <when>
                  Specifies how alias dereferencing  is  done  when  performing  a
                  search. The <when> can be specified as one of the following key-
                  words:
    
                  never  Aliases are never dereferenced. This is the default.
    
                  Specifies the name(s) of an LDAP server(s) to  which  the
                  LDAP  library  should connect.  Each server's name can be
                  specified as a domain-style name or  an  IP  address  and
                  optionally followed by a ':' and the port number the ldap
                  server is listening on.  A space separated list of  hosts
                  may be provided.  HOST is deprecated in favor of URI.
    
           NETWORK_TIMEOUT <integer>
                  Specifies  the  timeout  (in  seconds)  after  which  the
                  poll(2)/select(2) following a connect(2) returns in  case
                  of no activity.
    
           PORT <port>
                  Specifies  the  default port used when connecting to LDAP
                  servers(s).  The port may be specified as a number.  PORT
                  is deprecated in favor of URI.
    
           REFERRALS <on/true/yes/off/false/no>
                  Specifies  if  the  client  should  automatically  follow
                  referrals returned by LDAP servers.  The default  is  on.
                  Note that the command line tools ldapsearch(1) &co always
                  override this option.
    
           SIZELIMIT <integer>
                  Specifies a size limit (number of entries)  to  use  when
                  performing searches.  The number should be a non-negative
                  integer.  SIZELIMIT of zero (0) specifies a  request  for
                  unlimited  search  size.  Please note that the server may
                  still apply  any  server-side  limit  on  the  amount  of
                  entries that can be returned by a search operation.
    
           TIMELIMIT <integer>
                  Specifies  a time limit (in seconds) to use when perform-
                  ing searches.  The number should be a non-negative  inte-
                  ger.   TIMELIMIT  of  zero (0) specifies unlimited search
                  time to be used.  Please note that the server  may  still
                  apply  any  server-side limit on the duration of a search
                  operation.  VERSION {2|3} Specifies what version  of  the
                  LDAP protocol should be used.
    
           TIMEOUT <integer>
                  Specifies  a  timeout  (in  seconds) after which calls to
                  synchronous LDAP  APIs  will  abort  if  no  response  is
                  received.  Also used for any ldap_result(3) calls where a
                  NULL timeout parameter is supplied.
    
    
    

    SASL OPTIONS

           If OpenLDAP is built with  Simple  Authentication  and  Security
           Layer support, there are more options you can specify.
    
           SASL_MECH <mechanism>
                  Specifies the SASL mechanism to use.  This is a user-only
                  Specifies Cyrus SASL security  properties.  The  <proper-
                  ties>  can  be specified as a comma-separated list of the
                  following:
    
                  none   (without any other properties) causes the  proper-
                         ties   defaults   ("noanonymous,noplain")   to  be
                         cleared.
    
                  noplain
                         disables mechanisms susceptible to simple  passive
                         attacks.
    
                  noactive
                         disables mechanisms susceptible to active attacks.
    
                  nodict disables mechanisms susceptible to passive dictio-
                         nary attacks.
    
                  noanonymous
                         disables mechanisms which support anonymous login.
    
                  forwardsec
                         requires forward secrecy between sessions.
    
                  passcred
                         requires mechanisms which pass client  credentials
                         (and  allows mechanisms which can pass credentials
                         to do so).
    
                  minssf=<factor>
                         specifies the minimum acceptable security strength
                         factor  as  an integer approximating the effective
                         key length used for encryption.  0 (zero)  implies
                         no  protection,  1  implies  integrity  protection
                         only, 56 allows DES or  other  weak  ciphers,  112
                         allows  triple  DES  and other strong ciphers, 128
                         allows  RC4,  Blowfish  and  other  modern  strong
                         ciphers.  The default is 0.
    
                  maxssf=<factor>
                         specifies the maximum acceptable security strength
                         factor as an  integer  (see  minssf  description).
                         The default is INT_MAX.
    
                  maxbufsize=<factor>
                         specifies   the  maximum  security  layer  receive
                         buffer size allowed.  0 disables security  layers.
                         The default is 65536.
    
           SASL_NOCANON <on/true/yes/off/false/no>
                  Do  not  perform reverse DNS lookups to canonicalize SASL
                  host names. The default is off.
    
           GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
                  Specifies if GSSAPI based authentication  should  try  to
                  form the target principal name out of the ldapServiceName
                  or dnsHostName attribute of the  targets  RootDSE  entry.
                  The default is off.
    
    
    

    TLS OPTIONS

           If  OpenLDAP  is  built  with  Transport Layer Security support,
           there are more options you can specify.  These options are  used
           when  an  ldaps://  URI is selected (by default or otherwise) or
           when the application negotiates TLS by issuing the LDAP StartTLS
           operation.
    
           TLS_CACERT <filename>
                  Specifies  the file that contains certificates for all of
                  the Certificate Authorities the client will recognize.
    
           TLS_CACERTDIR <path>
                  Specifies the path of a directory that contains  Certifi-
                  cate Authority certificates in separate individual files.
                  The TLS_CACERT is always used before TLS_CACERTDIR.  This
                  parameter is ignored with GnuTLS.
    
                  When  using Mozilla NSS, <path> may contain a Mozilla NSS
                  cert/key database.  If  <path>  contains  a  Mozilla  NSS
                  cert/key  database  and  CA cert files, OpenLDAP will use
                  the cert/key database and will ignore the CA cert  files.
    
           TLS_CERT <filename>
                  Specifies  the file that contains the client certificate.
                  This is a user-only option.
    
                  When using Mozilla NSS,  if  using  a  cert/key  database
                  (specified  with  TLS_CACERTDIR),  TLS_CERT specifies the
                  name of the certificate to use:
                       TLS_CERT Certificate for Sam Carter
                  If using a token other than the internal built in  token,
                  specify the token name first, followed by a colon:
                       TLS_CERT my hardware device:Certificate for Sam Carter
                  Use certutil -L to list the certificates by name:
                       certutil -d /path/to/certdbdir -L
    
           TLS_KEY <filename>
                  Specifies  the  file  that  contains the private key that
                  matches the certificate stored in the TLS_CERT file. Cur-
                  rently,  the  private  key  must  not be protected with a
                  password, so it is of critical importance  that  the  key
                  file is protected carefully.  This is a user-only option.
    
                  When using Mozilla NSS, TLS_KEY specifies the name  of  a
                  file  that contains the password for the key for the cer-
                  tificate specified with TLS_CERT.   The  modutil  command
                  the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
                  Example:
    
                         OpenSSL:
                                 TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
    
                         GnuTLS:
                                 TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
    
                  To check what ciphers a given spec  selects  in  OpenSSL,
                  use:
    
                       openssl ciphers -v <cipher-suite-spec>
    
                  With  GnuTLS the available specs can be found in the man-
                  ual page of gnutls-cli(1) (see  the  description  of  the
                  option --priority).
    
                  In  older  versions  of GnuTLS, where gnutls-cli does not
                  support the option --priority, you can obtain the --  more
                  limited -- list of ciphers by calling:
    
                       gnutls-cli -l
    
                  When using Mozilla NSS, the OpenSSL cipher suite specifi-
                  cations are used and  translated  into  the  format  used
                  internally  by  Mozilla  NSS.  There isn't an easy way to
                  list the  cipher  suites  from  the  command  line.   The
                  authoritative  list is in the source code for Mozilla NSS
                  in the file sslinfo.c in the structure
                          static const SSLCipherSuiteInfo suiteInfo[]
    
           TLS_PROTOCOL_MIN <major>[.<minor>]
                  Specifies minimum SSL/TLS protocol version that  will  be
                  negotiated.   If the server doesn't support at least that
                  version, the SSL handshake will fail.  To require TLS 1.x
                  or higher, set this option to 3.(x+1), e.g.,
    
                       TLS_PROTOCOL_MIN 3.2
    
                  would  require  TLS  1.1.   Specifying  a minimum that is
                  higher than that supported by the OpenLDAP implementation
                  will  result  in  it  requiring the highest level that it
                  does support.  This parameter is ignored with GnuTLS.
    
           TLS_RANDFILE <filename>
                  Specifies the  file  to  obtain  random  bits  from  when
                  /dev/[u]random  is  not  available.  Generally set to the
                  name of the EGD/PRNGD socket.  The  environment  variable
                  RANDFILE  can also be used to specify the filename.  This
                  parameter is ignored with GnuTLS and Mozilla NSS.
    
                         terminated.
    
                  demand | hard
                         These  keywords  are  equivalent  and semantically
                         same as try.  This is the default setting.
    
           TLS_CRLCHECK <level>
                  Specifies if the Certificate Revocation List (CRL) of the
                  CA  should  be  used to verify if the server certificates
                  have not been revoked. This requires TLS_CACERTDIR param-
                  eter to be set. This parameter is ignored with GnuTLS and
                  Mozilla NSS.  <level> can be specified as one of the fol-
                  lowing keywords:
    
                  none   No CRL checks are performed
    
                  peer   Check the CRL of the peer certificate
    
                  all    Check the CRL for a whole certificate chain
    
           TLS_CRLFILE <filename>
                  Specifies  the  file  containing a Certificate Revocation
                  List to be used to verify if the server certificates have
                  not  been  revoked. This parameter is only supported with
                  GnuTLS and Mozilla NSS.
    
    
    

    ENVIRONMENT VARIABLES

           LDAPNOINIT
                  disable all defaulting
    
           LDAPCONF
                  path of a configuration file
    
           LDAPRC basename of ldaprc file in $HOME or $CWD
    
           LDAP<option-name>
                  Set <option-name> as from ldap.conf
    
    
    

    FILES

           /etc/openldap/ldap.conf
                  system-wide ldap configuration file
    
           $HOME/ldaprc, $HOME/.ldaprc
                  user ldap configuration file
    
           $CWD/ldaprc
                  local ldap configuration file
    
    
    

    SEE ALSO

           ldap(3), ldap_set_option(3), ldap_result(3), openssl(1), sasl(3)
    
    
    

    AUTHOR

    
    
  • MORE RESOURCE


  • Linux

    The Distributions





    Linux

    The Software





    Linux

    The News



  • MARKETING






  • Toll Free

webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz