NAME
ldapd.conf
—
Lightweight Directory Access Protocol
daemon configuration file
DESCRIPTION
ldapd.conf
is the configuration file for
the LDAP daemon ldapd(8).
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, or underscore must be quoted. Arguments containing whitespace should be surrounded by double quotes (").
Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example listen, namespace, port). Macros are not expanded inside quotes.
For example:
wan_if = "fxp0" listen on $wan_if listen on $wan_if tls
Additional configuration files can be included with the
include
keyword, for example:
include "/etc/ldap/sub.namespace.conf"
Additional schema files can be included with the
schema
keyword, for example:
schema "/etc/ldap/inetorgperson.schema"
The syntax of ldapd.conf
is described
below.
GLOBAL CONFIGURATION
listen on
interface [port
port] [legacy
] [tls
|ldaps
|secure
] [certificate
name]- Specify an interface and port
to listen on. An IP address, domain name or absolute path may be used in
place of interface. An absolute path is used to
listen on a unix domain socket.
Secured connections are provided either using STARTTLS (
tls
), by default on port 389, or LDAPS (ldaps
), by default on port 636.tls
andldaps
connections will use the defaults from libtls. If compatibility with the insecure TLSv1.0 and TLSv1.1 protocols and ciphers is required, they can be enabled with thelegacy
keyword. Creation of certificates is documented in starttls(8). If no certificate name is specified, the /etc/ldap/certs directory is searched for a file named by joining the interface name with a .crt extension, e.g. /etc/ldap/certs/fxp0.crt.If the certificate name is an absolute path, a .crt and .key extension are appended to form the certificate path and key path respectively.
Only secured connections accept plain text password authentication. Connections using TLS or unix domain sockets are always considered secured. The
secure
keyword can be used to mark an otherwise insecure connection secured, e.g. if IPsec is used. - referral URL
- Specify a default referral. If no namespace matches the base DN in a
request, the request is delegated to another LDAP server instead of
returning an error.
This option can be given multiple times, in which case the URLs are considered equal. Clients may choose to follow any of the referral URLs.
The URL has the following format:
ldap://ldap.example.com ldaps://ldap.example.com:3890
- rootdn dn
- Specify the distinguished name of the root user for all namespaces. The root user is always allowed to read and write entries in all local namespaces.
- rootpw password
- Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).
- schema filename
- Add schema definitions from the specified file. For a description of the schema file syntax see SCHEMA below.
NAMESPACES
A namespace is a subtree of the global X.500 DIT (Directory Information Tree), also known as a naming context. All entries' distinguished names (DN) have the same suffix, which is used to identify the namespace. The suffix should consist of the domain components, in reverse order, of your domain name, as recommended by RFC 2247.
namespace "dc=example,dc=com" { rootdn "cn=admin,dc=example,dc=com" rootpw "secret" }
When matching requests against namespace suffixes, the most specific match is used. Each namespace stores data in a separate database file.
A namespace has the following configuration properties:
- referral URL
- Specify a referral to return for requests matching the suffix.
- rootdn dn
- Specify the distinguished name of the root user for the namespace. The root user is always allowed to read and write entries in the namespace. The distinguished name must have the same suffix as the namespace.
- rootpw password
- Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).
- index attribute
- Maintain an index on the specified attribute. This index can be used for equality, presence, prefix substring and range searches. ldapd(8) will update the index on each modification. If you add an index to an existing namespace, you need to run ldapctl(8) to index the existing entries.
- fsync on | off
- If off, data will not be forced to disk after each commit. Disabling fsync can increase write speed substantially, but may lead to data loss. The default value is on.
- cache-size size
- Set the cache size for data entries. The size is
specified in number of pages. Note that more than the configured number of
pages may exist in the cache, as dirty pages and pages referenced by
cursors are excluded from cache expiration.
Cached pages are expired in a least recently used (LRU) order.
- index-cache-size size
- Set the cache size for the index database.
- relax schema
- Disables checking of required and optional object attributes against schema. All attributes and values are matched as case-insensitive strings. All attributes are considered multi-valued.
- strict schema
- Enables checking of required and optional object attributes against schema. This is the default.
allow
|deny
- Allow or deny access to parts of the namespace.
Each request to the ldapd(8) daemon evaluates the filter rules in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the request, the default action is to allow the request. The root DN is always allowed to perform any request.
The allow/deny statement operates on all access types by default. This can be restricted by an access type specification:
- read access
- Restricts the filter rule to search operations.
- write access
- Restricts the filter rule to add, delete and modify operations.
- bind access
- Restricts the filter rule to bind operations.
The scope of the filter rule can be restricted by the to keyword:
- to subtree DN
- The filter rule applies to the distinguished name, as well as for all its descendants.
- to children of DN
- The filter rule applies to all the direct children of the distinguished name.
- to DN
- The filter rule applies to the distinguished name only.
- to any
- The filter rule applies to any distinguished name in the namespace. This is the default if no scope is specified.
- to root
- The filter rule applies to the root DSE.
The scope can be restricted to an optional attribute:
- attribute name
- The filter rule applies to the specified attribute.
Finally, the filter rule can match a bind DN:
- by any
- The filter rule matches by any bind dn, including anonymous binds.
- by DN
- The filter rule matches only if the requestor has previously performed a bind as the specified distinguished name.
- by self
- The filter rule matches only if the requestor has previously performed a bind as the distinguished name that is being requested. Typically used to allow users to modify their own data.
- use compression [level level]
- Enable compression of entries and optionally specify compression level (0 - 9). By default, no compression is used.
SCHEMA
Schema files define the structure and format of entries in the directory tree. There are three types of definitions in a schema file:
- attributetype
- (oid [NAME name] [DESC description] [OBSOLETE] [SUP
oid] [EQUALITY oid] [ORDERING oid] [SUBSTR oid] [SYNTAX oid]
[SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE
{userApplications | directoryOperation | distributedOperation |
dSAOperation}])
An attribute type definition specifies the syntax of attribute values, whether it allows multiple values and how it can be compared in search requests. For a complete description of attribute type definitions, see section 4.1.2 in RFC 4512.
- objectclass
- (oid [NAME name] [DESC description] [OBSOLETE] [SUP
oids] [{ABSTRACT | STRUCTURAL | AUXILIARY}] [MUST oids] [MAY oids])
An object class definition specifies which attributes are required and which are allowed. For a complete description of object class definitions, see section 4.1.1 in RFC 4512.
- objectidentifier symbolic-name OID
- Defines a symbolic name for the object identifier. A symbolic name can be
used in place of a numeric OID in definitions of attribute types, object
classes and other symbolic OIDs. A descendant OID can be defined in terms
of another symbolic OID by appending a numeric OID after a colon, for
example:
objectidentifier MyOidRoot 1.2.3.4 objectidentifier MyOidAttributes MyOidRoot:5.6 objectidentifier MyOidObjects MyOidRoot:7
This would define MyOidAttributes as a symbolic name for the OID 1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.
FILES
- /etc/ldapd.conf
- Default ldapd(8) configuration file.
- /etc/examples/ldapd.conf
- Example configuration file.
- /etc/ldap/*.schema
- Default schema definition files.
- /etc/ldap/certs/
- Default directory for TLS certificates.
SEE ALSO
STANDARDS
K. Zeilenga, Lightweight Directory Access Protocol (LDAP): Directory Information Models, RFC 4512, June 2006.
HISTORY
The ldapd.conf
file format first appeared
in OpenBSD 4.8.