NAME
login_ldap
—
contact LDAP directory server for
authentication
SYNOPSIS
login_ldap |
[-d ] [-s
service] [-v
name=value]
user [class] |
DESCRIPTION
The login_ldap
utility contacts an LDAP
server to authenticate a user.
Available options are:
-d
- Print debugging information.
-s
- Specify the service. Currently only “login” and
“response” are supported. The challenge service is not
supported, but it is not an error to specify this service. If this happens
login_ldap
will request the response service. -v
- This option is for compatibility and is ignored.
login_ldap
searches for the
user on the LDAP server based on the filter parameters
in the configuration file. If the user is found it will try to bind to it
using the supplied password.
login_ldap
uses the
ldap-conffile
login.conf(5) variable to determine the location of the
configuration file. If no ldap-conffile can be found
it will fall back to /etc/login_ldap.conf. The
configuration file must be owned by root with group auth and permissions
0640.
LOGIN_LDAP.CONF VARIABLES
The login_ldap.conf file takes one key value pair per line separated by a ‘=’. No spaces are allowed between the ‘=’ and value. The key may have leading and trailing whitespaces. Empty lines and lines starting with a ‘#’ are ignored.
The login_ldap
utility requires the
following variables:
- host
- The hostname of the LDAP server or an LDAP URL. The LDAP URL is described
in the following format:
[protocol://]host[:port]
The following protocols are supported:
- ldap
- Connect with TCP in plain text. This is the default.
- ldaps
- Connect with TLS. The default port is 636.
- ldap+tls
- Connect with TCP and enable TLS using the StartTLS operation.
Multiple host entries are supported and are tried in order of appearance.
- basedn
- Point in the LDAP server's Directory Information Tree
login_ldap
should begin searching for user objects. This option can be omitted if the binddn points directly to the user entry. - binddn
- DN used by
login_ldap
to bind to the LDAP server. If no basedn is set this is used to bind directly to the user and uses the user supplied password. Use FORMAT FILTERS to specify the username in this case.If basedn is set it's used together with bindpw to bind to the LDAP server and search for the user entry based on filter and scope. If binddn is omitted and basedn is set an anonymous bind is used to search for the user entry.
In most cases, you will need to configure additional options. The
following entries to login_ldap.conf are also recognised by
login_ldap
and are optional:
- bindpw
- Password used by
login_ldap
to bind to the LDAP server. Leave this out for a passwordless bind. - filter
- LDAP search filter (in accordance with RFC 1558) which identifies the
objectclasses and attributes necessary for
login_ldap
to locate the user object. See the FILTER FORMATS section for details. - timeout
- Time in seconds to wait for the LDAP server to respond to a query. The default is 60 seconds per query, with up to four queries occurring.
- scope
- The directory scope when performing the user lookup (first pass) search.
Acceptable values are:
- base
- Base object search
- one
- One level search
- sub
- Full subtree search
The default is sub if scope is unspecified.
- cacert
- The pathname of the CA used for SSL certificates.
- cacertdir
- The directory containing the certificates of trusted CAs.
An additional groupcheck can be performed to verify the user is allowed to log in. This can be done by specifying gbasedn, gfilter and optionally gscope. See basedn, filter and scope for semantics. These checks are performed by the binddn user.
FILTER FORMATS
The following format specifiers are valid for the filter:
- %u
- Username. The username of the user to be authenticated as specified by the user argument.
- %h
- Hostname. The hostname of the host the user is trying to authenticate on, as returned by gethostname(3) and displayed by hostname(1).
- %d
- The dn of the user attempting authentication as returned from the first pass of the search. This option is only available to gfilter and gbasedn.
- %%
- A literal ‘%’ character.
FILES
- /etc/examples/login_ldap.conf
- Example configuration file.
SEE ALSO
HISTORY
The login_ldap
utility first appeared in
OpenBSD 3.3 ports and was later mostly rewritten by
Martijn van Duren
<martijn@openbsd.org>
and imported into OpenBSD 6.8.
AUTHORS
The login_ldap
utility was originally
written by:
Peter Werner
<peterw@ifost.org.au>
Michael Erdely
<merdely@openbsd.org>
CAVEATS
As there is no SASL support, passwords are sent to the LDAP server. TLS should be used to protect the password in transit.