.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.UC 6
.SH NAME
(or file specified by
.BR LDAPCONF ).
.SH OPTIONS
+The configuration options are case-insensitive;
+their value, on a case by case basis, may be case-sensitive.
+.LP
+Blank lines and lines beginning with a hash mark (`#')
+are ignored up to their end.
+.LP
+Valid lines are made of an option's name (a sequence of non-blanks,
+conventionally written in uppercase, although not required),
+followed by a value.
+The value starts with the first non-blank character after
+the option's name, and terminates at the end of the line,
+or at the last sequence of blanks before the end of the line.
+The tokenization of the value, if any, is delegated to the handler(s)
+for that option, if any. Quoting values that contain blanks
+may be incorrect, as the quotes would become part of the value.
+For example,
+
+ URI "ldap:// ldaps://"
+
+is incorrect, while
+
+ URI ldap:// ldaps://
+
+is correct (note the absence of the double quotes).
+.LP
+A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
+on all platforms.
+There is no mechanism to split a long line on multiple lines, either for
+beautification or to overcome the above limit.
+.LP
The different configuration options are:
.TP
.B URI <ldap[s]://[name[:port]] ...>
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
library should connect. The URI scheme may be either
-.BR ldap or
+.B ldap
+or
.B ldaps
which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
Each server's name can be specified as a
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B HOST <name[:port] ...>
Specifies the name(s) of an LDAP server(s) to which the
is deprecated in favor of
.BR URI.
.TP
+.B REFERRALS <on/true/yes/off/false/no>
+Specifies if the client should automatically follow referrals returned
+by LDAP servers.
+The default is on.
+Note that the command line tools
+.BR ldapsearch (1)
+&co always override this option.
+.TP
.B SIZELIMIT <integer>
Specifies a size limit to use when performing searches. The
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
-negotiates TLS by issuing the LDAP Start TLS operation.
+negotiates TLS by issuing the LDAP StartTLS operation.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
-This is a user\-only option.
+.B This is a user\-only option.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
-it is of critical importance that the key file is protected carefully. This
-is a user\-only option.
+it is of critical importance that the key file is protected carefully.
+.B This is a user\-only option.
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
+.TP
+.B TLS_CRLCHECK <level>
+Specifies if the Certificate Revocation List (CRL) of the CA should be
+used to verify if the server certificates have not been revoked. This
+requires
+.B TLS_CACERTDIR
+parameter to be set.
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B none
+No CRL checks are performed
+.TP
+.B peer
+Check the CRL of the peer certificate
+.TP
+.B all
+Check the CRL for a whole certificate chain
+.RE
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
-.BR ldap (3)
+.BR ldap (3),
+.BR openssl (1),
+.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS