X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=doc%2Fman%2Fman5%2Fldap.conf.5;h=5c75bc62c9bae0173ed8d81bb7f66e83f0daad0a;hb=725ca08f8d8ab4be5f7e9a078aeb1e303404e8b0;hp=9904ece2fdc2589a57b72a6e51793ef31a12ff4e;hpb=d66a450344fa50c18d58cca14dd8ab1e85754e9f;p=openldap diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index 9904ece2fd..5c75bc62c9 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 
@@ -1,86 +1,284 @@ -.TH LDAP.CONF 5 "29 November 1998" "OpenLDAP LDVERSION" +.TH LDAP.CONF 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" $OpenLDAP$ +.\" Copyright 1998-2004 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. .UC 6 .SH NAME -ldap.conf \- ldap configuration file +ldap.conf, .ldaprc \- ldap configuration file .SH SYNOPSIS -ETCDIR/ldap.conf +ETCDIR/ldap.conf, .ldaprc .SH DESCRIPTION +If the environment variable \fBLDAPNOINIT\fP is defined, all +defaulting is disabled. +.LP The .I ldap.conf configuration file is used to set system-wide defaults to be applied when running .I ldap -clients. If the environment variable \fBLDAPNOINIT\fP is defined, all -defaulting is disabled. +clients. .LP -Each user may specify an optional configuration file, +Users may create an optional configuration file, +.I ldaprc +or .IR .ldaprc , -in his/her home directory which will be used to override the system-wide +in their home directory which will be used to override the system-wide defaults file. +The file +.I ldaprc +in the current working directory is also used. +.LP .LP Additional configuration files can be specified using the \fBLDAPCONF\fP and \fBLDAPRC\fP environment variables. -\fBLDAPCONF\fP may be set the path of a configuration file. This -patch can be absolute or relative to current working directory. -The \fBLDAPRC\fP, if defined, should be a basename of a file +\fBLDAPCONF\fP may be set to the path of a configuration file. This +path can be absolute or relative to the current working directory. +The \fBLDAPRC\fP, if defined, should be the basename of a file in the current working directory or in the user's home directory. .LP Environmental variables may also be used to augment the file based defaults. -The name of the option is the as listed but with a prefix of \fBLDAP\fP. -For example, to define \fBBASE\fP via the environment, define the variable -\fBLDAPBASE\fP to desired value. 
+The name of the variable is the option name with an added prefix of \fBLDAP\fP. +For example, to define \fBBASE\fP via the environment, set the variable +\fBLDAPBASE\fP to the desired value. +.LP +Some options are user\-only. Such options are ignored if present +in the +.I ldap.conf +(or file specified by +.BR LDAPCONF ). .SH OPTIONS The different configuration options are: -.TP 1i -.TP 1i -\fBBASE \fP -Used to specify the default base dn to use when performing ldap operations. +.TP +.B URI +Specifies the URI(s) of an LDAP server(s) to which the +.I LDAP +library should connect. The URI scheme may be either +.BR ldap or +.B ldaps +which refer to LDAP over TCP and LDAP over SSL (TLS) respectively. +Each server's name can be specified as a +domain-style name or an IP address literal. Optionally, the +server's name can followed by a ':' and the port number the LDAP +server is listening on. If no port number is provided, the default +port for the scheme is used (389 for ldap://, 636 for ldaps://). +A space separated list of URIs may be provided. +.TP +.B BASE +Specifies the default base DN to use when performing ldap operations. The base must be specified as a Distinguished Name in LDAP format. -\fBHOST \fP -Used to specify the name(s) of an LDAP server(s) to which -.I ldap -library should connect to. Each server's name can be specified as a -domain-style name or an IP address and optionally followed a ':' and +.TP +.B BINDDN +Specifies the default bind DN to use when performing ldap operations. +The bind DN must be specified as a Distinguished Name in LDAP format. +This is a user\-only option. +.TP +.B HOST +Specifies the name(s) of an LDAP server(s) to which the +.I LDAP +library should connect. Each server's name can be specified as a +domain-style name or an IP address and optionally followed by a ':' and the port number the ldap server is listening on. A space separated -listed of host may be provided. 
-.TP 1i -\fBPORT \fP -Used to specify the port used with connecting to LDAP servers(s). +list of hosts may be provided. +.B HOST +is deprecated in favor of +.BR URI . +.TP +.B PORT +Specifies the default port used when connecting to LDAP servers(s). The port may be specified as a number. -.TP 1i -\fBSIZELIMIT \fP -Used to specify a size limit to use when performing searches. The -number should be an non-negative integer. \fISIZELIMIT\fP of zero (0) +.B PORT +is deprecated in favor of +.BR URI. +.TP +.B SIZELIMIT +Specifies a size limit to use when performing searches. The +number should be a non-negative integer. \fISIZELIMIT\fP of zero (0) specifies unlimited search size. -.TP 1i -\fBTIMELIMIT \fP -Used to specify a time limit to use when performing searches. The -number should be an non-negative integer. \fITIMELIMIT\fP of zero (0) +.TP +.B TIMELIMIT +Specifies a time limit to use when performing searches. The +number should be a non-negative integer. \fITIMELIMIT\fP of zero (0) specifies unlimited search time to be used. -.TP 1i -\fBDEREF \fP -Specify how aliases dereferencing is done. \fIDEREF\fP should -be set to one of -.B never, -.B always, -.B search, -or -.B find -to specify that aliases are never dereferenced, always dereferenced, -dereferenced when searching, or dereferenced only when locating the -base object for the search. The default is to never dereference aliases. +.TP +.B DEREF +Specifies how alias dereferencing is done when performing a search. The +.B +can be specified as one of the following keywords: +.RS +.TP +.B never +Aliases are never dereferenced. This is the default. +.TP +.B searching +Aliases are dereferenced in subordinates of the base object, but +not in locating the base object of the search. +.TP +.B finding +Aliases are only dereferenced when locating the base object of the search. +.TP +.B always +Aliases are dereferenced both in searching and in locating the base object +of the search. 
+.RE +.SH SASL OPTIONS +If OpenLDAP is built with Simple Authentication and Security Layer support, +there are more options you can specify. +.TP +.B SASL_MECH +Specifies the SASL mechanism to use. +This is a user\-only option. +.TP +.B SASL_REALM +Specifies the SASL realm. +This is a user\-only option. +.TP +.B SASL_AUTHCID +Specifies the authentication identity. +This is a user\-only option. +.TP +.B SASL_AUTHZID +Specifies the proxy authorization identity. +This is a user\-only option. +.TP +.B SASL_SECPROPS +Specifies Cyrus SASL security properties. The +.B +can be specified as a comma-separated list of the following: +.RS +.TP +.B none +(without any other properties) causes the properties +defaults ("noanonymous,noplain") to be cleared. +.TP +.B noplain +disables mechanisms susceptible to simple passive attacks. +.TP +.B noactive +disables mechanisms susceptible to active attacks. +.TP +.B nodict +disables mechanisms susceptible to passive dictionary attacks. +.TP +.B noanonymous +disables mechanisms which support anonymous login. +.TP +.B forwardsec +requires forward secrecy between sessions. +.TP +.B passcred +requires mechanisms which pass client credentials (and allows +mechanisms which can pass credentials to do so). +.TP +.B minssf= +specifies the minimum acceptable +.I security strength factor +as an integer approximating the effective key length used for +encryption. 0 (zero) implies no protection, 1 implies integrity +protection only, 56 allows DES or other weak ciphers, 112 +allows triple DES and other strong ciphers, 128 allows RC4, +Blowfish and other modern strong ciphers. The default is 0. +.TP +.B maxssf= +specifies the maximum acceptable +.I security strength factor +as an integer (see +.B minssf +description). The default is +.BR INT_MAX . +.TP +.B maxbufsize= +specifies the maximum security layer receive buffer +size allowed. 0 disables security layers. The default is 65536. 
+.RE +.SH TLS OPTIONS +If OpenLDAP is built with Transport Layer Security support, there +are more options you can specify. These options are used when an +.B ldaps:// URI +is selected (by default or otherwise) or when the application +negotiates TLS by issuing the LDAP Start TLS operation. +.TP +.B TLS_CACERT +Specifies the file that contains certificates for all of the Certificate +Authorities the client will recognize. +.TP +.B TLS_CACERTDIR +Specifies the path of a directory that contains Certificate Authority +certificates in separate individual files. The +.B TLS_CACERT +is always used before +.B TLS_CACERTDIR. +.TP +.B TLS_CERT +Specifies the file that contains the client certificate. +This is a user\-only option. +.TP +.B TLS_KEY +Specifies the file that contains the private key that matches the certificate +stored in the +.B TLS_CERT +file. Currently, the private key must not be protected with a password, so +it is of critical importance that the key file is protected carefully. This +is a user\-only option. +.TP +.B TLS_RANDFILE +Specifies the file to obtain random bits from when /dev/[u]random is +not available. Generally set to the name of the EGD/PRNGD socket. +The environment variable RANDFILE can also be used to specify the filename. +.TP +.B TLS_REQCERT +Specifies what checks to perform on server certificates in a TLS session, +if any. The +.B +can be specified as one of the following keywords: +.RS +.TP +.B never +The client will not request or check any server certificate. +.TP +.B allow +The server certificate is requested. If no certificate is provided, +the session proceeds normally. If a bad certificate is provided, it will +be ignored and the session proceeds normally. +.TP +.B try +The server certificate is requested. If no certificate is provided, +the session proceeds normally. If a bad certificate is provided, +the session is immediately terminated. +.TP +.B demand | hard +These keywords are equivalent. 
The server certificate is requested. If no +certificate is provided, or a bad certificate is provided, the session +is immediately terminated. This is the default setting. +.RE +.SH "ENVIRONMENT VARIABLES" +.TP +LDAPNOINIT +disable all defaulting +.TP +LDAPCONF +path of a configuration file +.TP +LDAPRC +basename of ldaprc file in $HOME or $CWD +.TP +LDAP +Set as from ldap.conf .SH FILES +.TP .I ETCDIR/ldap.conf -.LP -.I $HOME/.ldaprc -.LP -.I $CWD/.ldaprc +system-wide ldap configuration file +.TP +.I $HOME/ldaprc, $HOME/.ldaprc +user ldap configuration file +.TP +.I $CWD/ldaprc +local ldap configuration file .SH "SEE ALSO" -ldap(3) +.BR ldap (3) .SH AUTHOR Kurt Zeilenga, The OpenLDAP Project .SH ACKNOWLEDGEMENTS -.B OpenLDAP +.B OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). -.B OpenLDAP +.B OpenLDAP is derived from University of Michigan LDAP 3.3 Release.
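Review bot: three `.B` macros in this hunk carry no argument, so the rendered sentence reads "The can be specified as one of the following keywords": the DEREF, SASL_SECPROPS and TLS_REQCERT entries each have a bare `.B` line immediately followed by `can be specified`. Either name the placeholder that is meant to be bold (for DEREF something like `.B <when>`) or drop the macro and write "The value can be specified as ...". In the URI description `.BR ldap or` concatenates its arguments without a space and prints "ldapor"; it needs `.BR ldap " or"`. Trailing punctuation is handled inconsistently: the HOST entry correctly uses `.BR URI .`, but PORT has `.BR URI.` and TLS_CACERTDIR has `.B TLS_CACERTDIR.`, which both set the period in bold; use `.BR URI .` and `.BR TLS_CACERTDIR .`. Text nits: "the server's name can followed by a ':'" is missing "be", "LDAP servers(s)" in the PORT entry should be "server(s)", and two consecutive `.LP` lines follow "in the current working directory is also used." Lastly, the new user-only paragraph states that such options are ignored in ldap.conf and in the LDAPCONF file, but does not say whether they may still be supplied through the LDAP-prefixed environment variables described in the paragraph just above it; since the user-only options are exactly the credential-bearing ones (BINDDN, SASL_MECH/REALM/AUTHCID/AUTHZID, TLS_CERT, TLS_KEY), spelling that out would let readers know every place a bind identity or private key path can be picked up from.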