X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fldap.conf.5;h=475ab37f15aed82c61b7bb7ae19ad47a00222cf6;hb=0e104da454c0f59c6d3195add38c935179de2cb3;hp=51f774fb4483643486267db5cbfe79e0a199c297;hpb=97cf957e2903b2659febc808b66a549a43df5268;p=openldap diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index 51f774fb44..475ab37f15 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -1,6 +1,6 @@ .TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" .\" $OpenLDAP$ -.\" Copyright 1998-2012 The OpenLDAP Foundation All Rights Reserved. +.\" Copyright 1998-2014 The OpenLDAP Foundation All Rights Reserved. .\" Copying restrictions apply. See COPYRIGHT/LICENSE. .SH NAME ldap.conf, .ldaprc \- LDAP configuration file/environment variables @@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG) should be used. The default is off. .TP .B GSSAPI_ALLOW_REMOTE_PRINCIPAL -Specifies if GSSAPI based authentification should try to form the +Specifies if GSSAPI based authentication should try to form the target principal name out of the ldapServiceName or dnsHostName attribute of the targets RootDSE entry. The default is off. .SH TLS OPTIONS @@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully. When using Mozilla NSS, TLS_KEY specifies the name of a file that contains the password for the key for the certificate specified with TLS_CERT. The modutil command can be used to turn off password protection for the cert/key -database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as +database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as the location of the cert/key database, use modutil to change the password to the empty string: .nf @@ -407,6 +407,23 @@ is in the source code for Mozilla NSS in the file sslinfo.c in the structure .fi .RE .TP +.B TLS_PROTOCOL_MIN [.] +Specifies minimum SSL/TLS protocol version that will be negotiated. +If the server doesn't support at least that version, +the SSL handshake will fail. +To require TLS 1.x or higher, set this option to 3.(x+1), +e.g., + +.nf + TLS_PROTOCOL_MIN 3.2 +.fi + +would require TLS 1.1. +Specifying a minimum that is higher than that supported by the +OpenLDAP implementation will result in it requiring the +highest level that it does support. +This parameter is ignored with GnuTLS. +.TP .B TLS_RANDFILE Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket.