OpenBSD manual page server

Manual Page Search Parameters

LOGIN_LDAP(8) System Manager's Manual LOGIN_LDAP(8)

login_ldapcontact LDAP directory server for authentication

login_ldap [-d] [-s service] [-v name=value] user [class]

The login_ldap utility contacts an LDAP server to authenticate a user.

Available options are:

Print debugging information.
Specify the service. Currently only “login” and “response” are supported. The challenge service is not supported, but it is not an error to specify this service. If this happens login_ldap will request the response service.
This option is for compatibility and is ignored.

login_ldap searches for the user on the LDAP server based on the filter parameters in the configuration file. If the user is found it will try to bind to it using the supplied password.

login_ldap uses the ldap-conffile login.conf(5) variable to determine the location of the configuration file. If no ldap-conffile can be found it will fall back to /etc/login_ldap.conf. The configuration file must be owned by root with group auth and permissions 0640.

The login_ldap.conf file takes one key value pair per line separated by a ‘=’. No spaces are allowed between the ‘=’ and value. The key may have leading and trailing whitespaces. Empty lines and lines starting with a ‘#’ are ignored.

The login_ldap utility requires the following variables:

host
The hostname of the LDAP server or an LDAP URL. The LDAP URL is described in the following format:

[protocol://]host[:port]

The following protocols are supported:

ldap
Connect with TCP in plain text. This is the default.
ldaps
Connect with TLS. The default port is 636.
ldap+tls
Connect with TCP and enable TLS using the StartTLS operation.

Multiple host entries are supported and are tried in order of appearance.

basedn
Point in the LDAP server's Directory Information Tree login_ldap should begin searching for user objects. This option can be omitted if the binddn points directly to the user entry.
binddn
DN used by login_ldap to bind to the LDAP server. If no basedn is set this is used to bind directly to the user and uses the user supplied password. Use FORMAT FILTERS to specify the username in this case.

If basedn is set it's used together with bindpw to bind to the LDAP server and search for the user entry based on filter and scope. If binddn is omitted and basedn is set an anonymous bind is used to search for the user entry.

In most cases, you will need to configure additional options. The following entries to login_ldap.conf are also recognised by login_ldap and are optional:

bindpw
Password used by login_ldap to bind to the LDAP server. Leave this out for a passwordless bind.
filter
LDAP search filter (in accordance with RFC 1558) which identifies the objectclasses and attributes necessary for login_ldap to locate the user object. See the FILTER FORMATS section for details.
timeout
Time in seconds to wait for the LDAP server to respond to a query. The default is 60 seconds per query, with up to four queries occurring.
scope
The directory scope when performing the user lookup (first pass) search. Acceptable values are:

base
Base object search
one
One level search
sub
Full subtree search

The default is sub if scope is unspecified.

cacert
The pathname of the CA used for SSL certificates.
cacertdir
The directory containing the certificates of trusted CAs.

An additional groupcheck can be performed to verify the user is allowed to log in. This can be done by specifying gbasedn, gfilter and optionally gscope. See basedn, filter and scope for semantics. These checks are performed by the binddn user.

The following format specifiers are valid for the filter:

%u
Username. The username of the user to be authenticated as specified by the user argument.
%h
Hostname. The hostname of the host the user is trying to authenticate on, as returned by gethostname(3) and displayed by hostname(1).
%d
The dn of the user attempting authentication as returned from the first pass of the search. This option is only available to gfilter and gbasedn.
%%
A literal ‘%’ character.

/etc/examples/login_ldap.conf
Example configuration file.

ldap(1), login(1), login.conf(5), ldapd(8), ypldap(8)

The login_ldap utility first appeared in OpenBSD 3.3 ports and was later mostly rewritten by Martijn van Duren <martijn@openbsd.org> and imported into OpenBSD 6.8.

The login_ldap utility was originally written by:

Peter Werner <peterw@ifost.org.au>
Michael Erdely <merdely@openbsd.org>

As there is no SASL support, passwords are sent to the LDAP server. TLS should be used to protect the password in transit.

September 12, 2020 OpenBSD-6.8