.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
-.UC 6
.SH NAME
ldap.conf, .ldaprc \- ldap configuration file
.SH SYNOPSIS
.SH OPTIONS
The configuration options are case-insensitive;
their value, on a case by case basis, may be case-sensitive.
+.LP
+Blank lines and lines beginning with a hash mark (`#')
+are ignored up to their end.
+.LP
+Valid lines are made of an option's name (a sequence of non-blanks,
+conventionally written in uppercase, although not required),
+followed by a value.
+The value starts with the first non-blank character after
+the option's name, and terminates at the end of the line,
+or at the last sequence of blanks before the end of the line.
+The tokenization of the value, if any, is delegated to the handler(s)
+for that option, if any. Quoting values that contain blanks
+may be incorrect, as the quotes would become part of the value.
+For example,
+
+ URI "ldap:// ldaps://"
+
+is incorrect, while
+
+ URI ldap:// ldaps://
+
+is correct (note the absence of the double quotes).
+.LP
+A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
+on all platforms.
+There is no mechanism to split a long line on multiple lines, either for
+beautification or to overcome the above limit.
+.LP
The different configuration options are:
.TP
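Review bot: in the new syntax paragraph, "Quoting values that contain blanks may be incorrect" understates the rule that the URI example immediately below it demonstrates; the quotes always become part of the value, so state it as a rule ("Values must not be quoted; the quote characters would be taken as part of the value"). The sentence "The tokenization of the value, if any, is delegated to the handler(s) for that option, if any" repeats "if any"; one suffices. "terminates at the end of the line, or at the last sequence of blanks before the end of the line" leaves the reader unsure whether trailing blanks are discarded; say so directly if that is the intent. "LINE_MAX, which should be more than 2000 bytes on all platforms" reads as a guess; either cite the guaranteed minimum from the standard that defines LINE_MAX or drop the "should".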
-.B URI <ldap[s]://[name[:port]] ...>
+.B URI <ldap[si]://[name[:port]] ...>
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
-library should connect. The URI scheme may be either
-.BR ldap or
+library should connect. The URI scheme may be any of
+.BR ldap ,
.B ldaps
-which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
+or
+.BR ldapi ,
+which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP
+over IPC (UNIX domain sockets), respectively.
Each server's name can be specified as a
domain-style name or an IP address literal. Optionally, the
server's name can followed by a ':' and the port number the LDAP
server is listening on. If no port number is provided, the default
port for the scheme is used (389 for ldap://, 636 for ldaps://).
+For LDAP over IPC,
+.B name
+is the name of the socket, and no
+.B port
+is required, nor allowed; note that directory separators must be
+URL-encoded, like any other characters that are special to URLs;
+so the socket
+
+ /usr/local/var/ldapi
+
+must be specified as
+
+ ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi
+
A space separated list of URIs may be provided.
.TP
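Review bot: the ldapi paragraph hardcodes the install prefix in the example socket path (/usr/local/var/ldapi) while the page header already relies on build-time substitution (RELEASEDATE, LDVERSION); use the same mechanism for the prefix, or make clear the path is only an example. "no port is required, nor allowed" should read "no port is required or allowed". While touching this paragraph, the context sentence "the server's name can followed by a ':'" is missing "be", and the default-port sentence still lists only ldap:// and ldaps:// right after ldapi:// was added; a short "ldapi:// takes no port" there keeps the two sentences consistent.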
.B BASE <base>
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
-This is a user\-only option.
+.B This is a user\-only option.
+.TP
+.B DEREF <when>
+Specifies how alias dereferencing is done when performing a search. The
+.B <when>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+Aliases are never dereferenced. This is the default.
+.TP
+.B searching
+Aliases are dereferenced in subordinates of the base object, but
+not in locating the base object of the search.
+.TP
+.B finding
+Aliases are only dereferenced when locating the base object of the search.
+.TP
+.B always
+Aliases are dereferenced both in searching and in locating the base object
+of the search.
+.RE
+.TP
.TP
.B HOST <name[:port] ...>
Specifies the name(s) of an LDAP server(s) to which the
is deprecated in favor of
.BR URI .
.TP
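Review bot: the relocated DEREF block ends with an added `.TP` that is immediately followed by the existing `.TP` before `.B HOST`, which renders an empty tagged paragraph; drop one of the two. Bolding "This is a user-only option." (here and in every other entry touched by this patch) makes the term stand out, but nothing in the visible text defines what user-only means; add a one-line definition where the option list is introduced, otherwise the bold only draws attention to an undefined term.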
+.B NETWORK_TIMEOUT <integer>
+Specifies the timeout (in seconds) after which the poll(2)/select(2)
+following a connect(2) returns in case of no activity.
+.TP
.B PORT <port>
Specifies the default port used when connecting to LDAP servers(s).
The port may be specified as a number.
is deprecated in favor of
.BR URI.
.TP
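Review bot: the NETWORK_TIMEOUT entry describes the implementation ("the poll(2)/select(2) following a connect(2) returns") rather than what the user observes; say that a connection attempt which gets no response within the given number of seconds fails, and state the default, as the REFERRALS entry added in this patch does for its option. If special values are accepted (for example whether 0 disables the timeout), document them too, since a client with no connect timeout can hang indefinitely on an unreachable server.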
+.B REFERRALS <on/true/yes/off/false/no>
+Specifies if the client should automatically follow referrals returned
+by LDAP servers.
+The default is on.
+Note that the command line tools
+.BR ldapsearch (1)
+&co always override this option.
+.\" This should only be allowed via ldap_set_option(3)
+.\".TP
+.\".B RESTART <on/true/yes/off/false/no>
+.\"Determines whether the library should implicitly restart connections (FIXME).
+.TP
.B SIZELIMIT <integer>
Specifies a size limit to use when performing searches. The
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
Specifies a time limit to use when performing searches. The
number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
specifies unlimited search time to be used.
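Review bot: "&co" in "ldapsearch(1) &co always override this option" is too informal for a man page and leaves the reader guessing which tools are meant and how they override it; spell out the tools and the behaviour (for instance that they control referral chasing through their own command-line options, if that is the case). Because the default is on, the entry should also say how the library authenticates on the connections it opens to servers named in a referral; that is what a reader concerned about where credentials go needs to know. The commented-out RESTART entry with its FIXME is dead text in the shipped source; either finish it or leave it out, keeping the rationale ("This should only be allowed via ldap_set_option(3)") in the commit message.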
+.B VERSION {2|3}
+Specifies what version of the LDAP protocol should be used.
.TP
-.B DEREF <when>
-Specifies how alias dereferencing is done when performing a search. The
-.B <when>
-can be specified as one of the following keywords:
-.RS
-.TP
-.B never
-Aliases are never dereferenced. This is the default.
-.TP
-.B searching
-Aliases are dereferenced in subordinates of the base object, but
-not in locating the base object of the search.
-.TP
-.B finding
-Aliases are only dereferenced when locating the base object of the search.
-.TP
-.B always
-Aliases are dereferenced both in searching and in locating the base object
-of the search.
-.RE
+.B TIMEOUT <integer>
+Specifies a generic timeout (in seconds). Currently ignored.
.SH SASL OPTIONS
If OpenLDAP is built with Simple Authentication and Security Layer support,
there are more options you can specify.
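Review bot: the new VERSION entry is inserted before the existing `.TP` instead of after it, so `.B VERSION {2|3}` has no `.TP` of its own and will run on as bold text at the end of the TIMELIMIT paragraph, while the new TIMEOUT entry inherits that `.TP`; add a `.TP` before VERSION so both entries start one. VERSION should also state its default. Placing TIMEOUT after VERSION breaks the alphabetical order that moving DEREF up to its place established; put it next to TIMELIMIT. "Specifies a generic timeout (in seconds). Currently ignored." documents an option that does nothing; if it is accepted only for forward compatibility, say so, otherwise leave it out until it has an effect.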
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
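Review bot: the context line `.B SASL_AUTHZID <authcid>` in the block being edited uses `<authcid>` as the placeholder for the proxy authorization identity; it should read `<authzid>`, matching the option name and keeping the authentication and authorization identities visibly distinct. The bold "This is a user-only option." is now consistent across the four SASL entries.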
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
-negotiates TLS by issuing the LDAP Start TLS operation.
+negotiates TLS by issuing the LDAP StartTLS operation.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
-it is of critical importance that the key file is protected carefully. This
-is a user\-only option.
+it is of critical importance that the key file is protected carefully.
+.B This is a user\-only option.
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
.TP
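Review bot: "it is of critical importance that the key file is protected carefully" (TLS_KEY) states the risk without the remedy; since the key cannot be password-protected, say concretely that the file must be readable only by the user the client runs as (mode 0600 on a POSIX system) and must not live in a world-readable configuration directory. Splitting "This is a user-only option." onto its own bold line matches the other entries.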
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
-used to verify if the server certicates have not been revoked. This
+used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
parameter to be set.
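Review bot: the sentence corrected for the "certicates" typo still continues into "This requires TLS_CACERTDIR parameter to be set"; add the article ("requires the TLS_CACERTDIR parameter to be set") while fixing it.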
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
-.BR ldap (3)
+.BR ldap (3),
+.BR openssl (1),
+.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
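Review bot: the SEE ALSO list gains openssl(1) and sasl(3) for the new TLS and SASL text but omits ldap_set_option(3), which the RESTART comment earlier in this patch names as the proper way to set some of these options; add `.BR ldap_set_option (3)` to the list as well.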