.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2002 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.UC 6
.SH NAME
.SH SYNOPSIS
ETCDIR/ldap.conf, .ldaprc
.SH DESCRIPTION
+If the environment variable \fBLDAPNOINIT\fP is defined, all
+defaulting is disabled.
+.LP
The
.I ldap.conf
configuration file is used to set system-wide defaults to be applied when
running
.I ldap
-clients. If the environment variable \fBLDAPNOINIT\fP is defined, all
-defaulting is disabled.
+clients.
.LP
Users may create an optional configuration file,
.I ldaprc
.I ldaprc
in the current working directory is also used.
.LP
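Review bot: the relocated sentence "If the environment variable \fBLDAPNOINIT\fP is defined, all defaulting is disabled." now opens DESCRIPTION before the paragraph that introduces ldap.conf, so "all defaulting" has nothing to refer to yet. Either keep it after "clients." or make it self-contained by naming what is skipped, for example "If LDAPNOINIT is set, none of the configuration files described below are read", so an administrator can see that system-wide settings such as the TLS options further down are not applied in that case.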
+.LP
Additional configuration files can be specified using
the \fBLDAPCONF\fP and \fBLDAPRC\fP environment variables.
\fBLDAPCONF\fP may be set to the path of a configuration file. This
.SH OPTIONS
The different configuration options are:
.TP
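Review bot: the added `.LP` immediately follows the existing `.LP` that already ends the ldaprc paragraph, so the rendered page gets two consecutive paragraph breaks and an empty paragraph before "Additional configuration files can be specified"; drop one of the two.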
+.B URI <ldap[s]://[name[:port]] ...>
+Specifies the URI(s) of an LDAP server(s) to which the
+.I LDAP
+library should connect. The URI scheme may be either
+.BR ldap or
+.B ldaps
+which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
+Each server's name can be specified as a
+domain-style name or an IP address literal. Optionally, the
+server's name can followed by a ':' and the port number the LDAP
+server is listening on. If no port number is provided, the default
+port for the scheme is used (389 for ldap://, 636 for ldaps://).
+A space separated list of URIs may be provided.
+.TP
.B BASE <base>
Specifies the default base DN to use when performing ldap operations.
The base must be specified as a Distinguished Name in LDAP format.
.TP
.B HOST <name[:port] ...>
Specifies the name(s) of an LDAP server(s) to which the
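Review bot: typo in the new URI entry: "the server's name can followed by a ':' and the port number" should read "can be followed by". Since this entry is the first place ldaps:// is described, it would also help to add a pointer such as "see TLS OPTIONS below" so readers learn that the certificate checks configured there (TLS_CACERT and the server certificate checking keywords) govern ldaps:// connections, rather than assuming the scheme alone verifies the server. Finally, "the URI(s) of an LDAP server(s)" copies the awkward plural from HOST; "one or more URIs of LDAP servers" reads better.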
-.I ldap
+.I LDAP
library should connect. Each server's name can be specified as a
domain-style name or an IP address and optionally followed by a ':' and
the port number the ldap server is listening on. A space separated
list of hosts may be provided.
+.B HOST
+is deprecated in favor of
+.BR URI .
.TP
.B PORT <port>
Specifies the default port used when connecting to LDAP servers(s).
The port may be specified as a number.
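Review bot: the `.I ldap` to `.I LDAP` change in the HOST entry leaves "the port number the ldap server is listening on" two lines later in lower case, while the new URI entry writes "the LDAP server"; change that occurrence too so the capitalisation is consistent within the entry.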
+.B PORT
+is deprecated in favor of
+.BR URI.
+.TP
+.B SIZELIMIT <integer>
+Specifies a size limit to use when performing searches. The
+number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
+specifies unlimited search size.
+.TP
+.B TIMELIMIT <integer>
+Specifies a time limit to use when performing searches. The
+number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
+specifies unlimited search time to be used.
+.TP
+.B DEREF <when>
+Specifies how alias dereferencing is done when performing a search. The
+.B <when>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+Aliases are never dereferenced. This is the default.
+.TP
+.B searching
+Aliases are dereferenced in subordinates of the base object, but
+not in locating the base object of the search.
+.TP
+.B finding
+Aliases are only dereferenced when locating the base object of the search.
+.TP
+.B always
+Aliases are dereferenced both in searching and in locating the base object
+of the search.
+.RE
+.SH SASL OPTIONS
+If OpenLDAP is built with Simple Authentication and Security Layer support,
+there are more options you can specify.
+.TP
+.B SASL_MECH <mechanism>
+Specifies the SASL mechanism to use.
+This is a user\-only option.
+.TP
+.B SASL_REALM <realm>
+Specifies the SASL realm.
+This is a user\-only option.
+.TP
+.B SASL_AUTHCID <authcid>
+Specifies the authentication identity.
+This is a user\-only option.
+.TP
+.B SASL_AUTHZID <authcid>
+Specifies the proxy authorization identity.
+This is a user\-only option.
.TP
.B SASL_SECPROPS <properties>
Specifies Cyrus SASL security properties. The
specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.RE
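Review bot: in the PORT deprecation note the period is passed as part of the single argument, `.BR URI.`, so it renders in bold; the HOST entry correctly writes `.BR URI .` with the period as a separate roman argument, and PORT should match. Also, the placeholder in the new SASL_AUTHZID heading repeats the one from SASL_AUTHCID (`.B SASL_AUTHZID <authcid>`) although the text describes the proxy authorization identity; use `<authzid>` so the two identities are not confused. The `.RE` added after the DEREF keyword list is a welcome fix: the copy being removed below opens `.RS` and never closes it before `.SH TLS OPTIONS`.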
-.TP
-.B SIZELIMIT <integer>
-Specifies a size limit to use when performing searches. The
-number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
-specifies unlimited search size.
-.TP
-.B TIMELIMIT <integer>
-Specifies a time limit to use when performing searches. The
-number should be a non-negative integer. \fITIMELIMIT\fP of zero (0)
-specifies unlimited search time to be used.
-.TP
-.B DEREF <when>
-Specifies how alias dereferencing is done when performing a search. The
-.B <when>
-can be specified as one of the following keywords:
-.RS
-.TP
-.B never
-Aliases are never dereferenced. This is the default.
-.TP
-.B searching
-Aliases are dereferenced in subordinates of the base object, but
-not in locating the base object of the search.
-.TP
-.B finding
-Aliases are only dereferenced when locating the base object of the search.
-.TP
-.B always
-Aliases are dereferenced both in searching and in locating the base object
-of the search.
.SH TLS OPTIONS
-If OpenLDAP is built with support for Transport Layer Security, there
-are more options you can specify.
-.TP
-.B TLS <level>
-Specifies whether client connections should use TLS by default. The
-.B <level>
-can be specified as one of the following keywords:
-.RS
-.TP
-.B never
-This is the default. Connections will be opened in the clear unless
-TLS is explicitly specified (e.g. using an "ldaps://" URL.)
-.TP
-.B hard
-All connections will be established with TLS.
-Note that using this option effectively makes the library open every
-session as an ldaps session and is incompatible with the LDAPv3 StartTLS
-request.
-.RE
+If OpenLDAP is built with Transport Layer Security support, there
+are more options you can specify. These options are used when an
+.B ldaps:// URI
+is selected (by default or otherwise) or when the application
+negotiates TLS by issuing the LDAP Start TLS operation.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
.B TLS_CACERTDIR.
.TP
.B TLS_CERT <filename>
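Review bot: removing the `TLS <level>` option drops the documented way to require TLS on every connection (`TLS hard`, "All connections will be established with TLS") without telling administrators what replaces it. The new introduction says the TLS options apply "when an ldaps:// URI is selected (by default or otherwise) or when the application negotiates TLS by issuing the LDAP Start TLS operation", so please add a sentence stating that a client is forced onto TLS by configuring an ldaps:// URI, and state whether the old `TLS` keyword is still accepted; otherwise a configuration that relied on `TLS hard` could end up with the previous default, connections opened in the clear, without anyone noticing. Minor: `.B ldaps:// URI` bolds both words; `.B ldaps://` with "URI" on the following line keeps only the scheme bold.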
-Specifies the file that contains the client certificate. This is
-a user\-only option.
+Specifies the file that contains the client certificate.
+This is a user\-only option.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
These keywords are equivalent. The server certificate is requested. If no
certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
+.RE
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT