LDAPD.CONF(5) OpenBSD Programmer's Manual LDAPD.CONF(5)NAMEldapd.conf - Lightweight Directory Access Protocol daemon configuration
file
DESCRIPTIONldapd.conf is the configuration file for the LDAP daemon ldapd(8).
Comments can be put anywhere in the file using a hash mark (#), and
extend to the end of the current line. Arguments containing whitespace
should be surrounded by double quotes (").
Macros can be defined that will later be expanded in context. Macro
names must start with a letter, and may contain letters, digits and
underscores. Macro names may not be reserved words (for example listen,
namespace, port). Macros are not expanded inside quotes.
For example:
wan_if = "fxp0"
listen on $wan_if
listen on $wan_if tls
Additional configuration files can be included with the include keyword,
for example:
include "/etc/ldap/sub.namespace.conf"
Additional schema files can be included with the schema keyword, for
example:
schema "/etc/ldap/inetorgperson.schema"
The syntax of ldapd.conf is described below.
GLOBAL CONFIGURATION
listen on interface [port port] [tls | ldaps | secure] [certificate name]
Specify an interface and port to listen on. An IP address,
domain name or absolute path may be used in place of interface.
An absolute path is used to listen on a unix domain socket.
Secured connections are provided either using STARTTLS (tls), by
default on port 389, or LDAPS (ldaps), by default on port 636.
Creation of certificates is documented in starttls(8). If no
certificate name is specified, the /etc/ldap/certs directory is
searched for a file named by joining the interface name with a
.crt extension, e.g. /etc/ldap/certs/fxp0.crt.
If the certificate name is an absolute path, a .crt and .key
extension is appended to form the certificate path and key path
respectively.
Only secured connections accept plain text password
authentication. Connections using TLS or unix domain sockets are
always considered secured. The secure keyword can be used to
mark an otherwise insecure connection secured, e.g. if IPsec is
used.
referral URL
Specify a default referral. If no namespace matches the base DN
in a request, the request is delegated to another LDAP server
instead of returning an error.
This option can be given multiple times, in which case the URLs
are considered equal. Clients may choose to follow any of the
referral URLs.
The URL format has the following format:
ldap://ldap.example.com
ldaps://ldap.example.com:3890
rootdn dn
Specify the distinguished name of the root user for all
namespaces. The root user is always allowed to read and write
entries in all local namespaces.
rootpw password
Password for the root user. Specified either in plain text, or
in hashed format. See AUTHENTICATION in ldapd(8).
schema filename
Add schema definitions from the specified file. For a
description of the schema file syntax see SCHEMA below.
NAMESPACES
A namespace is a subtree of the global X.500 DIT (Directory Information
Tree), also known as a naming context. All entries' distinguished names
(DN) has the same suffix, which is used to identify the namespace. The
suffix should consist of the domain components, in reverse order, of your
domain name, as recommended by RFC 2247.
namespace "dc=example,dc=com" {
rootdn "cn=admin,dc=example,dc=com"
rootpw "secret"
}
When matching requests against namespace suffixes, the most specific
match is used. Each namespace stores data in a separate database file.
A namespace has the following configuration properties:
referral URL
Specify a referral to return for requests matching the suffix.
rootdn dn
Specify the distinguished name of the root user for the
namespace. The root user is always allowed to read and write
entries in the namespace. The distinguished name must have the
same suffix as the namespace.
rootpw password
Password for the root user. Specified either in plain text, or
in hashed format. See AUTHENTICATION in ldapd(8).
index attribute
Maintain an index on the specified attribute. This index can be
used for equality, presence, prefix substring and range searches.
ldapd(8) will update the index on each modification. If you add
an index to an existing namespace, you need to run ldapctl(8) to
index the existing entries.
fsync on | off
If off, data will not be forced to disk after each commit.
Disabling fsync can increase write speed substantially, but may
lead to data loss. The default value is on.
cache-size size
Set the cache size for data entries. The size is specified in
number of pages. Note that more than the configured number of
pages may exist in the cache, as dirty pages and pages referenced
by cursors are excluded from cache expiration.
Cached pages are expired in a least recently used (LRU) order.
index-cache-size size
Set the cache size for the index database.
relax schema
Disables checking of required and optional object attributes
against schema. All attributes and values are matched as case-
insensitive strings. All attributes are considered multi-valued.
strict schema
Enables checking of required and optional object attributes
against schema. This is the default.
allow | deny
Allow or deny access to parts of the namespace.
Each request to the ldapd(8) daemon evaluates the filter rules in
sequential order, from first to last. The last matching rule
decides what action is taken. If no rule matches the request,
the default action is to allow the request. The root DN is
always allowed to perform any request.
The allow/deny statement operates on all access types by default.
This can be restricted by an access type specification:
read access
Restricts the filter rule to search operations.
write access
Restricts the filter rule to add, delete and modify
operations.
bind access
Restricts the filter rule to bind operations.
The scope of the filter rule can be restricted by the to keyword:
to subtree DN
The filter rule applies to the distinguished name, as
well as for all its descendants.
to children of DN
The filter rule applies to all the direct children of the
distinguished name.
to DN The filter rule applies to the distinguished name only.
to any The filter rule applies to any distinguished name in the
namespace. This is the default if no scope is specified.
to root
The filter rule applies to the root DSE.
Finally, the filter rule can match a bind DN:
by any The filter rule matches by any bind dn, including
anonymous binds.
by DN The filter rule matches only if the requestor has
previously performed a bind as the specified
distinguished name.
by self
The filter rule matches only if the requestor has
previously performed a bind as the distinguished name
that is being requested. Typically used to allow users
to modify their own data.
use compression [level level]
Enable compression of entries and optionally specify compression
level (0 - 9). By default, no compression is used.
SCHEMA
Schema files define the structure and format of entries in the directory
tree. There are three types of definitions in a schema file:
attributetype
( oid [NAME name] [DESC description] [OBSOLETE] [SUP oid]
[EQUALITY oid] [ORDERING oid] [SUBSTR oid] [SYNTAX oid]
[SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE
{userApplications | directoryOperation | distributedOperation |
dSAOperation}] )
An attribute type definition specifies the syntax of attribute
values, whether it allows multiple values and how it can be
compared in search requests. For a complete description of
attribute type definitions, see section 4.1.2 in RFC 4712.
objectclass
( oid [NAME name] [DESC description] [OBSOLETE] [SUP oids]
[{ABSTRACT | STRUCTURAL | AUXILIARY}] [MUST oids] [MAY oids] )
An object class definition specifies which attributes are
required and which are allowed. For a complete description of
object class definitions, see section 4.1.1 in RFC 4712.
objectidentifier symbolic-name OID
Defines a symbolic name for the object identifier. A symbolic
name can be used in place of a numeric OID in definitions of
attribute types, object classes and other symbolic OIDs. A
descendant OID can be defined in terms of another symbolic OID by
appending a numeric OID after a colon, for example:
objectidentifier MyOidRoot 1.2.3.4
objectidentifier MyOidAttributes MyOidRoot:5.6
objectidentifier MyOidObjects MyOidRoot:7
This would define MyOidAttributes as a symbolic name for the OID
1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.
FILES
/etc/ldapd.conf Default ldapd(8) configuration file.
/etc/ldap/*.schema Default schema definition files.
SEE ALSOldapctl(8), ldapd(8)
Lightweight Directory Access Protocol (LDAP): Directory Information
Models, RFC 4512, June 2006.
HISTORY
The ldapd.conf file format first appeared in OpenBSD 4.8.
OpenBSD 4.9 January 28, 2011 OpenBSD 4.9
