.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2008 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2014 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.SH NAME
ldap.conf, .ldaprc \- LDAP configuration file/environment variables
For example, to define \fBBASE\fP via the environment, set the variable
\fBLDAPBASE\fP to the desired value.
.LP
-Some options are user\-only. Such options are ignored if present
+Some options are user-only. Such options are ignored if present
in the
.I ldap.conf
(or file specified by
user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
system file $LDAPCONF,
user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
- variables $LDAP<option-name>.
+ variables $LDAP<uppercase option name>.
.fi
Settings late in the list override earlier ones.
-.SH OPTIONS
+.SH SYNTAX
The configuration options are case-insensitive;
their value, on a case by case basis, may be case-sensitive.
.LP
-Blank lines and lines beginning with a hash mark (`#')
-are ignored up to their end.
+Blank lines are ignored.
+.br
+Lines beginning with a hash mark (`#') are comments, and ignored.
.LP
Valid lines are made of an option's name (a sequence of non-blanks,
conventionally written in uppercase, although not required),
may be incorrect, as the quotes would become part of the value.
For example,
- URI "ldap:// ldaps://"
+.nf
+ # Wrong - erroneous quotes:
+ URI "ldap:// ldaps://"
-is incorrect, while
+ # Right - space-separated list of URIs, without quotes:
+ URI ldap:// ldaps://
- URI ldap:// ldaps://
+ # Right - DN syntax needs quoting for Example, Inc:
+ BASE ou=IT staff,o="Example, Inc",c=US
+ # or:
+ BASE ou=IT staff,o=Example2C Inc,c=US
-is correct (note the absence of the double quotes).
+ # Wrong - comment on same line as option:
+ DEREF never # Never follow aliases
+.fi
.LP
A line cannot be longer than LINE_MAX, which should be more than 2000 bytes
on all platforms.
There is no mechanism to split a long line on multiple lines, either for
beautification or to overcome the above limit.
-.LP
+.SH OPTIONS
The different configuration options are:
.TP
.B URI <ldap[si]://[name[:port]] ...>
.B BINDDN <dn>
Specifies the default bind DN to use when performing ldap operations.
The bind DN must be specified as a Distinguished Name in LDAP format.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B DEREF <when>
Specifies how alias dereferencing is done when performing a search. The
.\"Determines whether the library should implicitly restart connections (FIXME).
.TP
.B SIZELIMIT <integer>
-Specifies a size limit to use when performing searches. The
-number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
-specifies unlimited search size.
+Specifies a size limit (number of entries) to use when performing searches.
+The number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
+specifies a request for unlimited search size. Please note that the server
+may still apply any server-side limit on the amount of entries that can be
+returned by a search operation.
.TP
.B TIMELIMIT <integer>
-Specifies a time limit to use when performing searches. The
-number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
-specifies unlimited search time to be used.
+Specifies a time limit (in seconds) to use when performing searches.
+The number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
+specifies unlimited search time to be used. Please note that the server
+may still apply any server-side limit on the duration of a search operation.
.B VERSION {2|3}
Specifies what version of the LDAP protocol should be used.
.TP
.TP
.B SASL_MECH <mechanism>
Specifies the SASL mechanism to use.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_REALM <realm>
Specifies the SASL realm.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_AUTHCID <authcid>
Specifies the authentication identity.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_AUTHZID <authcid>
Specifies the proxy authorization identity.
-.B This is a user\-only option.
+.B This is a user-only option.
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.RE
+.SH GSSAPI OPTIONS
+If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+there are more options you can specify.
+.TP
+.B GSSAPI_SIGN <on/true/yes/off/false/no>
+Specifies if GSSAPI signing (GSS_C_INTEG_FLAG) should be used.
+The default is off.
+.TP
+.B GSSAPI_ENCRYPT <on/true/yes/off/false/no>
+Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
+should be used. The default is off.
+.TP
+.B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
+Specifies if GSSAPI based authentication should try to form the
+target principal name out of the ldapServiceName or dnsHostName
+attribute of the targets RootDSE entry. The default is off.
.SH TLS OPTIONS
If OpenLDAP is built with Transport Layer Security support, there
are more options you can specify. These options are used when an
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+database. If <path> contains a Mozilla NSS cert/key database and
+CA cert files, OpenLDAP will use the cert/key database and will
+ignore the CA cert files.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
-.B This is a user\-only option.
+.B This is a user-only option.
+
+When using Mozilla NSS, if using a cert/key database (specified with
+TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
+.nf
+ TLS_CERT Certificate for Sam Carter
+.fi
+If using a token other than the internal built in token, specify the
+token name first, followed by a colon:
+.nf
+ TLS_CERT my hardware device:Certificate for Sam Carter
+.fi
+Use certutil -L to list the certificates by name:
+.nf
+ certutil -d /path/to/certdbdir -L
+.fi
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
.B TLS_CERT
file. Currently, the private key must not be protected with a password, so
it is of critical importance that the key file is protected carefully.
-.B This is a user\-only option.
+.B This is a user-only option.
+
+When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
+the password for the key for the certificate specified with TLS_CERT. The
+modutil command can be used to turn off password protection for the cert/key
+database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
+the location of the cert/key database, use modutil to change the password
+to the empty string:
+.nf
+ modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
+.fi
+You must have the old password, if any. Ignore the WARNING about the running
+browser. Press 'Enter' for the new password.
+
.TP
.B TLS_CIPHER_SUITE <cipher-suite-spec>
Specifies acceptable cipher suite and preference order.
-<cipher-suite-spec> should be a cipher specification for OpenSSL,
-e.g., HIGH:MEDIUM:+SSLv2.
+<cipher-suite-spec> should be a cipher specification for
+the TLS library in use (OpenSSL, GnuTLS, or Mozilla NSS).
+Example:
+.RS
+.RS
+.TP
+.I OpenSSL:
+TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
+.TP
+.I GnuTLS:
+TLS_CIPHER_SUITE SECURE256:!AES-128-CBC
+.RE
+
+To check what ciphers a given spec selects in OpenSSL, use:
+
+.nf
+ openssl ciphers \-v <cipher-suite-spec>
+.fi
+
+With GnuTLS the available specs can be found in the manual page of
+.BR gnutls\-cli (1)
+(see the description of the
+option
+.BR \-\-priority ).
+
+In older versions of GnuTLS, where gnutls\-cli does not support the option
+\-\-priority, you can obtain the \(em more limited \(em list of ciphers by calling:
+
+.nf
+ gnutls\-cli \-l
+.fi
+
+When using Mozilla NSS, the OpenSSL cipher suite specifications are used and
+translated into the format used internally by Mozilla NSS. There isn't an easy
+way to list the cipher suites from the command line. The authoritative list
+is in the source code for Mozilla NSS in the file sslinfo.c in the structure
+.nf
+ static const SSLCipherSuiteInfo suiteInfo[]
+.fi
+.RE
+.TP
+.B TLS_PROTOCOL_MIN <major>[.<minor>]
+Specifies minimum SSL/TLS protocol version that will be negotiated.
+If the server doesn't support at least that version,
+the SSL handshake will fail.
+To require TLS 1.x or higher, set this option to 3.(x+1),
+e.g.,
+
+.nf
+ TLS_PROTOCOL_MIN 3.2
+.fi
+
+would require TLS 1.1.
+Specifying a minimum that is higher than that supported by the
+OpenLDAP implementation will result in it requiring the
+highest level that it does support.
+This parameter is ignored with GnuTLS.
.TP
.B TLS_RANDFILE <filename>
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
The environment variable RANDFILE can also be used to specify the filename.
-This parameter is ignored with GNUtls.
+This parameter is ignored with GnuTLS and Mozilla NSS.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
used to verify if the server certificates have not been revoked. This
requires
.B TLS_CACERTDIR
-parameter to be set. This parameter is ignored with GNUtls.
+parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
.B <level>
can be specified as one of the following keywords:
.RS
.B TLS_CRLFILE <filename>
Specifies the file containing a Certificate Revocation List to be used
to verify if the server certificates have not been revoked. This
-parameter is only supported with GNUtls.
+parameter is only supported with GnuTLS and Mozilla NSS.
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
projects / openldap / blobdiff