OpenBSD manual page server

Manual Page Search Parameters
LDAPD.CONF(5) File Formats Manual LDAPD.CONF(5)

ldapd.confLightweight Directory Access Protocol daemon configuration file

ldapd.conf is the configuration file for the LDAP daemon ldapd(8).

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted. Arguments containing whitespace should be surrounded by double quotes (").

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example listen, namespace, port). Macros are not expanded inside quotes.

For example:

wan_if = "fxp0"
listen on $wan_if
listen on $wan_if tls

Additional configuration files can be included with the include keyword, for example:

include "/etc/ldap/sub.namespace.conf"

Additional schema files can be included with the schema keyword, for example:

schema "/etc/ldap/inetorgperson.schema"

The syntax of ldapd.conf is described below.

interface [port port] [legacy] [tls | ldaps | secure] [certificate name]
Specify an interface and port to listen on. An IP address, domain name or absolute path may be used in place of interface. An absolute path is used to listen on a unix domain socket.

Secured connections are provided either using STARTTLS (tls), by default on port 389, or LDAPS (ldaps), by default on port 636. tls and ldaps connections will use the defaults from libtls. If compatibility with the insecure TLSv1.0 and TLSv1.1 protocols and ciphers is required, they can be enabled with the legacy keyword. Creation of certificates is documented in starttls(8). If no certificate name is specified, the /etc/ldap/certs directory is searched for a file named by joining the interface name with a .crt extension, e.g. /etc/ldap/certs/fxp0.crt.

If the certificate name is an absolute path, a .crt and .key extension are appended to form the certificate path and key path respectively.

Only secured connections accept plain text password authentication. Connections using TLS or unix domain sockets are always considered secured. The secure keyword can be used to mark an otherwise insecure connection secured, e.g. if IPsec is used.

referral URL
Specify a default referral. If no namespace matches the base DN in a request, the request is delegated to another LDAP server instead of returning an error.

This option can be given multiple times, in which case the URLs are considered equal. Clients may choose to follow any of the referral URLs.

The URL has the following format:

ldap://ldap.example.com
ldaps://ldap.example.com:3890
rootdn dn
Specify the distinguished name of the root user for all namespaces. The root user is always allowed to read and write entries in all local namespaces.
rootpw password
Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).
schema filename
Add schema definitions from the specified file. For a description of the schema file syntax see SCHEMA below.

A namespace is a subtree of the global X.500 DIT (Directory Information Tree), also known as a naming context. All entries' distinguished names (DN) have the same suffix, which is used to identify the namespace. The suffix should consist of the domain components, in reverse order, of your domain name, as recommended by RFC 2247.

namespace "dc=example,dc=com" {
	rootdn "cn=admin,dc=example,dc=com"
	rootpw "secret"
}

When matching requests against namespace suffixes, the most specific match is used. Each namespace stores data in a separate database file.

A namespace has the following configuration properties:

referral URL
Specify a referral to return for requests matching the suffix.
rootdn dn
Specify the distinguished name of the root user for the namespace. The root user is always allowed to read and write entries in the namespace. The distinguished name must have the same suffix as the namespace.
rootpw password
Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).
index attribute
Maintain an index on the specified attribute. This index can be used for equality, presence, prefix substring and range searches. ldapd(8) will update the index on each modification. If you add an index to an existing namespace, you need to run ldapctl(8) to index the existing entries.
fsync on | off
If off, data will not be forced to disk after each commit. Disabling fsync can increase write speed substantially, but may lead to data loss. The default value is on.
cache-size size
Set the cache size for data entries. The size is specified in number of pages. Note that more than the configured number of pages may exist in the cache, as dirty pages and pages referenced by cursors are excluded from cache expiration.

Cached pages are expired in a least recently used (LRU) order.

index-cache-size size
Set the cache size for the index database.
relax schema
Disables checking of required and optional object attributes against schema. All attributes and values are matched as case-insensitive strings. All attributes are considered multi-valued.
strict schema
Enables checking of required and optional object attributes against schema. This is the default.
|
Allow or deny access to parts of the namespace.

Each request to the ldapd(8) daemon evaluates the filter rules in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the request, the default action is to allow the request. The root DN is always allowed to perform any request.

The allow/deny statement operates on all access types by default. This can be restricted by an access type specification:

read access
Restricts the filter rule to search operations.
write access
Restricts the filter rule to add, delete and modify operations.
bind access
Restricts the filter rule to bind operations.

The scope of the filter rule can be restricted by the keyword:

to subtree DN
The filter rule applies to the distinguished name, as well as for all its descendants.
to children of DN
The filter rule applies to all the direct children of the distinguished name.
to DN
The filter rule applies to the distinguished name only.
to any
The filter rule applies to any distinguished name in the namespace. This is the default if no scope is specified.
to root
The filter rule applies to the root DSE.

The scope can be restricted to an optional attribute:

attribute name
The filter rule applies to the specified attribute.

Finally, the filter rule can match a bind DN:

by any
The filter rule matches by any bind dn, including anonymous binds.
by DN
The filter rule matches only if the requestor has previously performed a bind as the specified distinguished name.
by self
The filter rule matches only if the requestor has previously performed a bind as the distinguished name that is being requested. Typically used to allow users to modify their own data.
use compression [level level]
Enable compression of entries and optionally specify compression level (0 - 9). By default, no compression is used.

Schema files define the structure and format of entries in the directory tree. There are three types of definitions in a schema file:

attributetype
(oid [NAME name] [DESC description] [OBSOLETE] [SUP oid] [EQUALITY oid] [ORDERING oid] [SUBSTR oid] [SYNTAX oid] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE {userApplications | directoryOperation | distributedOperation | dSAOperation}])

An attribute type definition specifies the syntax of attribute values, whether it allows multiple values and how it can be compared in search requests. For a complete description of attribute type definitions, see section 4.1.2 in RFC 4512.

objectclass
(oid [NAME name] [DESC description] [OBSOLETE] [SUP oids] [{ABSTRACT | STRUCTURAL | AUXILIARY}] [MUST oids] [MAY oids])

An object class definition specifies which attributes are required and which are allowed. For a complete description of object class definitions, see section 4.1.1 in RFC 4512.

objectidentifier symbolic-name OID
Defines a symbolic name for the object identifier. A symbolic name can be used in place of a numeric OID in definitions of attribute types, object classes and other symbolic OIDs. A descendant OID can be defined in terms of another symbolic OID by appending a numeric OID after a colon, for example: 
objectidentifier MyOidRoot 1.2.3.4
objectidentifier MyOidAttributes MyOidRoot:5.6
objectidentifier MyOidObjects MyOidRoot:7

This would define MyOidAttributes as a symbolic name for the OID 1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.

/etc/ldapd.conf
Default ldapd(8) configuration file.
/etc/examples/ldapd.conf
Example configuration file.
/etc/ldap/*.schema
Default schema definition files.
/etc/ldap/certs/
Default directory for TLS certificates.

ldapctl(8), ldapd(8)

K. Zeilenga, Lightweight Directory Access Protocol (LDAP): Directory Information Models, RFC 4512, June 2006.

The ldapd.conf file format first appeared in OpenBSD 4.8.

June 24, 2020 OpenBSD-current