X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fldap.conf.5;h=33bd1b9b54b35018611fe2ed78b21b92c53e3c0c;hb=3164c73276a9d4af56c81f315199acecbb207217;hp=64c12fa3190ec69c7034664811c052b08b0334dd;hpb=4ee2ae8f94f2704438c728e0c0ddc10cfa2dfcf2;p=openldap diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index 64c12fa319..33bd1b9b54 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -1,8 +1,7 @@ .TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" .\" $OpenLDAP$ -.\" Copyright 1998-2005 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2006 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. -.UC 6 .SH NAME ldap.conf, .ldaprc \- ldap configuration file .SH SYNOPSIS 
@@ -49,21 +48,65 @@ in the .SH OPTIONS The configuration options are case-insensitive; their value, on a case by case basis, may be case-sensitive. +.LP +Blank lines and lines beginning with a hash mark (`#') +are ignored up to their end. +.LP +Valid lines are made of an option's name (a sequence of non-blanks, +conventionally written in uppercase, although not required), +followed by a value. +The value starts with the first non-blank character after +the option's name, and terminates at the end of the line, +or at the last sequence of blanks before the end of the line. +The tokenization of the value, if any, is delegated to the handler(s) +for that option, if any. Quoting values that contain blanks +may be incorrect, as the quotes would become part of the value. +For example, + + URI "ldap:// ldaps://" + +is incorrect, while + + URI ldap:// ldaps:// + +is correct (note the absence of the double quotes). +.LP +A line cannot be longer than LINE_MAX, which should be more than 2000 bytes +on all platforms. +There is no mechanism to split a long line on multiple lines, either for +beautification or to overcome the above limit. +.LP The different configuration options are: .TP -.B URI +.B URI Specifies the URI(s) of an LDAP server(s) to which the .I LDAP -library should connect. The URI scheme may be either -.B ldap -or +library should connect. The URI scheme may be any of +.BR ldap , .B ldaps -which refer to LDAP over TCP and LDAP over SSL (TLS) respectively. +or +.BR ldapi , +which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP +over IPC (UNIX domain sockets), respectively. Each server's name can be specified as a domain-style name or an IP address literal. Optionally, the server's name can followed by a ':' and the port number the LDAP server is listening on. If no port number is provided, the default port for the scheme is used (389 for ldap://, 636 for ldaps://). 
+For LDAP over IPC, +.B name +is the name of the socket, and no +.B port +is required, nor allowed; note that directory separators must be +URL-encoded, like any other characters that are special to URLs; +so the socket + + /usr/local/var/ldapi + +must be specified as + + ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi + A space separated list of URIs may be provided. .TP .B BASE @@ -73,7 +116,29 @@ The base must be specified as a Distinguished Name in LDAP format. .B BINDDN Specifies the default bind DN to use when performing ldap operations. The bind DN must be specified as a Distinguished Name in LDAP format. -This is a user\-only option. +.B This is a user\-only option. +.TP +.B DEREF +Specifies how alias dereferencing is done when performing a search. The +.B +can be specified as one of the following keywords: +.RS +.TP +.B never +Aliases are never dereferenced. This is the default. +.TP +.B searching +Aliases are dereferenced in subordinates of the base object, but +not in locating the base object of the search. +.TP +.B finding +Aliases are only dereferenced when locating the base object of the search. +.TP +.B always +Aliases are dereferenced both in searching and in locating the base object +of the search. +.RE +.TP .TP .B HOST Specifies the name(s) of an LDAP server(s) to which the @@ -86,6 +151,10 @@ list of hosts may be provided. is deprecated in favor of .BR URI . .TP +.B NETWORK_TIMEOUT +Specifies the timeout (in seconds) after which the poll(2)/select(2) +following a connect(2) returns in case of no activity. +.TP .B PORT Specifies the default port used when connecting to LDAP servers(s). The port may be specified as a number. 
@@ -100,6 +169,10 @@ The default is on. Note that the command line tools .BR ldapsearch (1) &co always override this option. +.\" This should only be allowed via ldap_set_option(3) +.\".TP +.\".B RESTART +.\"Determines whether the library should implicitly restart connections (FIXME). .TP .B SIZELIMIT Specifies a size limit to use when performing searches. The @@ -110,46 +183,30 @@ specifies unlimited search size. Specifies a time limit to use when performing searches. The number should be a non-negative integer. \fITIMELIMIT\fP of zero (0) specifies unlimited search time to be used. +.B VERSION {2|3} +Specifies what version of the LDAP protocol should be used. .TP -.B DEREF -Specifies how alias dereferencing is done when performing a search. The -.B -can be specified as one of the following keywords: -.RS -.TP -.B never -Aliases are never dereferenced. This is the default. -.TP -.B searching -Aliases are dereferenced in subordinates of the base object, but -not in locating the base object of the search. -.TP -.B finding -Aliases are only dereferenced when locating the base object of the search. -.TP -.B always -Aliases are dereferenced both in searching and in locating the base object -of the search. -.RE +.B TIMEOUT +Specifies a generic timeout (in seconds). Currently ignored. .SH SASL OPTIONS If OpenLDAP is built with Simple Authentication and Security Layer support, there are more options you can specify. .TP .B SASL_MECH Specifies the SASL mechanism to use. -This is a user\-only option. +.B This is a user\-only option. .TP .B SASL_REALM Specifies the SASL realm. -This is a user\-only option. +.B This is a user\-only option. .TP .B SASL_AUTHCID Specifies the authentication identity. -This is a user\-only option. +.B This is a user\-only option. .TP .B SASL_AUTHZID Specifies the proxy authorization identity. -This is a user\-only option. +.B This is a user\-only option. .TP .B SASL_SECPROPS Specifies Cyrus SASL security properties. The 
@@ -221,15 +278,15 @@ is always used before .TP .B TLS_CERT Specifies the file that contains the client certificate. -This is a user\-only option. +.B This is a user\-only option. .TP .B TLS_KEY Specifies the file that contains the private key that matches the certificate stored in the .B TLS_CERT file. Currently, the private key must not be protected with a password, so -it is of critical importance that the key file is protected carefully. This -is a user\-only option. +it is of critical importance that the key file is protected carefully. +.B This is a user\-only option. .TP .B TLS_CIPHER_SUITE Specifies acceptable cipher suite and preference order.
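Review bot: in the hunk at @@ -49,21 +48,65 @@, the new LINE_MAX paragraph should say what the library does with a line that exceeds the limit (rejects the file, skips the line, or silently truncates it); a silently truncated `URI ldap:// ldaps://` list or `TLS_KEY` path would fail in a way the reader cannot predict from this text. "which should be more than 2000 bytes on all platforms" also reads as a guess; the POSIX minimum for LINE_MAX (2048) can be cited instead. In the same block, "The tokenization of the value, if any, is delegated to the handler(s) for that option, if any." repeats "if any", so drop the second one. The unchanged context line "the server's name can followed by" is missing "be" and is worth fixing while this paragraph is being edited.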
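Review bot: in the hunk at @@ -73,7 +116,29 @@, the moved DEREF block ends with "+.RE", "+.TP" immediately followed by the existing ".TP" before ".B HOST", so two consecutive .TP requests remain; drop the added one. In the DEREF description, "The" is followed by a bare ".B" with no argument, so the rendered sentence reads "The can be specified as one of the following keywords:"; the defect was already present in the text being moved, but since the lines are now added lines this is the moment to give ".B" the name of the argument.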
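Review bot: in the hunk at @@ -86,6 +151,10 @@, the NETWORK_TIMEOUT entry should state the default when the option is absent (whether the connect blocks indefinitely) and what happens on expiry when several URIs are listed (whether the operation fails or the library moves to the next server), since this timeout is what keeps a client from hanging on an unreachable server. Style: the file cross-references other manual pages as ".BR ldapsearch (1)", so "poll(2)/select(2)" and "connect(2)" should use the same ".BR" form rather than inline text.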
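Review bot: in the hunk at @@ -100,6 +169,10 @@, the four ".\"" lines added after "always override this option." are commented-out documentation carrying a FIXME; either finish the RESTART entry or keep it out of the manual page. If the intent is only to record that RESTART is meant to be set through ldap_set_option(3) alone, the first comment line says that on its own and the FIXME line should go.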
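Review bot: in the hunk at @@ -110,46 +183,30 @@, "+.B VERSION {2|3}" is inserted directly after the TIMELIMIT paragraph with no ".TP" of its own, so VERSION renders as a continuation of TIMELIMIT's text instead of a new tagged paragraph; the ".TP" that currently follows "Specifies what version of the LDAP protocol should be used." belongs before "+.B VERSION {2|3}", and "+.B TIMEOUT" then needs its own ".TP". The VERSION entry should also state which version is used when the option is absent. Ordering: TIMEOUT lands after VERSION, which breaks the alphabetical order the DEREF move in the earlier hunk restores; TIMELIMIT, TIMEOUT, VERSION is the expected sequence. Finally, documenting TIMEOUT as "Currently ignored" invites users to set it and expect an effect; either say what it will eventually do or leave it out until it is honoured.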