|LOGIN_LDAP(8)||System Manager's Manual||LOGIN_LDAP(8)|
contact LDAP directory server for authentication
login_ldap utility contacts an LDAP
server to authenticate a user.
Available options are:
login_ldapwill request the response service.
login_ldap searches for the
user on the LDAP server based on the filter parameters
in the configuration file. If the user is found it will try to bind to it
using the supplied password.
login_ldap uses the
login.conf(5) variable to determine
the location of the configuration file. If no
ldap-conffile can be found it will fall back to
/etc/login_ldap.conf. The configuration file must be
owned by root with group auth and permissions 0640.
The login_ldap.conf file takes one key value pair per line separated by a ‘=’. No spaces are allowed between the ‘=’ and value. The key may have leading and trailing whitespaces. Empty lines and lines starting with a ‘#’ are ignored.
login_ldap utility requires the
The following protocols are supported:
Multiple host entries are supported and are tried in order of appearance.
login_ldapshould begin searching for user objects. This option can be omitted if the binddn points directly to the user entry.
login_ldapto bind to the LDAP server. If no basedn is set this is used to bind directly to the user and uses the user supplied password. Use FORMAT FILTERS to specify the username in this case.
If basedn is set it's used together with bindpw to bind to the LDAP server and search for the user entry based on filter and scope. If binddn is omitted and basedn is set an anonymous bind is used to search for the user entry.
In most cases, you will need to configure additional options. The
following entries to login_ldap.conf are also recognised by
login_ldap and are optional:
login_ldapto bind to the LDAP server. Leave this out for a passwordless bind.
login_ldapto locate the user object. See the FILTER FORMATS section for details.
The default is sub if scope is unspecified.
An additional groupcheck can be performed to verify the user is allowed to log in. This can be done by specifying gbasedn, gfilter and optionally gscope. See basedn, filter and scope for semantics. These checks are performed by the binddn user.
The following format specifiers are valid for the filter:
login_ldap utility first appeared in
OpenBSD 3.3 ports and was later mostly rewritten by
Martijn van Duren
and imported into OpenBSD 6.8.
login_ldap utility was originally
As there is no SASL support, passwords are sent to the LDAP server. TLS should be used to protect the password in transit.
|September 12, 2020||OpenBSD-current|