.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" $OpenLDAP$
-.\" Copyright 1998-2003 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.UC 6
.SH NAME
(or file specified by
.BR LDAPCONF ).
.SH OPTIONS
+The configuration options are case-insensitive;
+their value, on a case by case basis, may be case-sensitive.
The different configuration options are:
.TP
.B URI <ldap[s]://[name[:port]] ...>
Specifies the URI(s) of an LDAP server(s) to which the
.I LDAP
library should connect. The URI scheme may be either
-.BR ldap or
+.B ldap
+or
.B ldaps
which refer to LDAP over TCP and LDAP over SSL (TLS) respectively.
Each server's name can be specified as a
is deprecated in favor of
.BR URI.
.TP
+.B REFERRALS <on/true/yes/off/false/no>
+Specifies if the client should automatically follow referrals returned
+by LDAP servers.
+The default is on.
+Note that the command line tools
+.BR ldapsearch (1)
+&co always override this option.
+.TP
.B SIZELIMIT <integer>
Specifies a size limit to use when performing searches. The
number should be a non-negative integer. \fISIZELIMIT\fP of zero (0)
.RE
.SH TLS OPTIONS
If OpenLDAP is built with Transport Layer Security support, there
-are more options you can specify.
-.TP
-.B TLS <level>
-Specifies whether client connections should use ldaps:// by default.
-This option is deprecated in favor of the
-.B URI
-option. Using the
-.B TLS
-option may break some applications.
-.LP
-The
-.B <level>
-can be specified as one of the following keywords:
-.RS
-.TP
-.B never
-This is the default. Connections will be opened in the clear unless
-TLS is explicitly specified (e.g. using an "ldaps://" URL.)
-.TP
-.B hard
-All connections will be established with TLS.
-Note that using this option effectively makes the library open every
-session as an ldaps session and is incompatible with the LDAPv3 StartTLS
-request.
-.RE
+are more options you can specify. These options are used when an
+.B ldaps:// URI
+is selected (by default or otherwise) or when the application
+negotiates TLS by issuing the LDAP Start TLS operation.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
it is of critical importance that the key file is protected carefully. This
is a user\-only option.
.TP
+.B TLS_CIPHER_SUITE <cipher-suite-spec>
+Specifies acceptable cipher suite and preference order.
+<cipher-suite-spec> should be a cipher specification for OpenSSL,
+e.g., HIGH:MEDIUM:+SSLv2.
+.TP
.B TLS_RANDFILE <filename>
Specifies the file to obtain random bits from when /dev/[u]random is
not available. Generally set to the name of the EGD/PRNGD socket.
certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
+.TP
+.B TLS_CRLCHECK <level>
+Specifies if the Certificate Revocation List (CRL) of the CA should be
+used to verify if the server certificates have not been revoked. This
+requires
+.B TLS_CACERTDIR
+parameter to be set.
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B none
+No CRL checks are performed
+.TP
+.B peer
+Check the CRL of the peer certificate
+.TP
+.B all
+Check the CRL for a whole certificate chain
+.RE
.SH "ENVIRONMENT VARIABLES"
.TP
LDAPNOINIT
.I $CWD/ldaprc
local ldap configuration file
.SH "SEE ALSO"
-.BR ldap (3)
+.BR ldap (3),
+.BR openssl (1),
+.BR sasl (3)
.SH AUTHOR
Kurt Zeilenga, The OpenLDAP Project
.SH ACKNOWLEDGEMENTS
-.B OpenLDAP
+.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
-.B OpenLDAP
+.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.