.\" $OpenBSD: ldapd.conf.5,v 1.18 2013/08/20 10:13:03 mikeb Exp $
.\"
.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
.Dd $Mdocdate: August 20 2013 $
.Dt LDAPD.CONF 5
.Os
.Sh NAME
.Nm ldapd.conf
.Nd Lightweight Directory Access Protocol daemon configuration file
.Sh DESCRIPTION
.Nm
is the configuration file for the LDAP daemon
.Xr ldapd 8 .
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
Care should be taken when commenting out multi-line text:
the comment is effective until the end of the entire block.
.Pp
Argument names not beginning with a letter, digit, or underscore
must be quoted.
Arguments containing whitespace should be surrounded by double quotes
.Pq \&" .
.Pp
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example
.Ar listen ,
.Ar namespace ,
.Ar port ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
wan_if = "fxp0"
listen on $wan_if
listen on $wan_if tls
.Ed
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/ldap/sub.namespace.conf"
.Ed
.Pp
Additional schema files can be included with the
.Ic schema
keyword, for example:
.Bd -literal -offset indent
schema "/etc/ldap/inetorgperson.schema"
.Ed
.Pp
The syntax of
.Nm
is described below.
.Sh GLOBAL CONFIGURATION
.Bl -tag -width Ds
.It Xo
.Ic listen on Ar interface
.Op Ic port Ar port
.Op Ic tls | ldaps | secure
.Op Ic certificate Ar name
.Xc
Specify an
.Ar interface
and
.Ar port
to listen on.
An IP address, domain name or absolute path may be used in place of
.Ar interface .
An absolute path is used to listen on a unix domain socket.
.Pp
Secured connections are provided either using STARTTLS
.Pq Ic tls ,
by default on port 389,
or LDAPS
.Pq Ic ldaps ,
by default on port 636.
Creation of certificates is documented in
.Xr starttls 8 .
If no certificate
.Ar name
is specified, the
.Pa /etc/ldap/certs
directory is searched for a file named by joining
the interface name with a .crt extension, e.g.\&
.Pa /etc/ldap/certs/fxp0.crt .
.Pp
If the certificate name is an absolute path, a .crt and .key extension
is appended to form the certificate path and key path respectively.
.Pp
Only secured connections accept plain text password authentication.
Connections using TLS or unix domain sockets are always considered secured.
The
.Ic secure
keyword can be used to mark an otherwise insecure connection
secured, e.g. if IPsec is used.
.It referral Ar URL
Specify a default referral.
If no namespace matches the base DN in a request, the request is
delegated to another LDAP server instead of returning an error.
.Pp
This option can be given multiple times, in which case the URLs are
considered equal.
Clients may choose to follow any of the referral URLs.
.Pp
The URL has the following format:
.Bd -literal -offset indent
ldap://ldap.example.com
ldaps://ldap.example.com:3890
.Ed
.It rootdn Ar dn
Specify the distinguished name of the root user for all namespaces.
The root user is always allowed to read and write entries in all
local namespaces.
.It rootpw Ar password
Password for the root user.
Specified either in plain text, or in hashed format.
See AUTHENTICATION in
.Xr ldapd 8 .
.It schema Ar filename
Add schema definitions from the specified file.
For a description of the schema file syntax see
.Sx SCHEMA
below.
.El
.Sh NAMESPACES
A namespace is a subtree of the global X.500 DIT (Directory Information Tree),
also known as a naming context.
All entries' distinguished names (DN) have the same suffix, which is used to
identify the namespace.
The suffix should consist of the domain components, in reverse order, of your
domain name, as recommended by RFC 2247.
.Bd -literal -offset indent
namespace "dc=example,dc=com" {
	rootdn "cn=admin,dc=example,dc=com"
	rootpw "secret"
}
.Ed
.Pp
When matching requests against namespace suffixes, the most specific
match is used.
Each namespace stores data in a separate database file.
.Pp
A namespace has the following configuration properties:
.Bl -tag -width Ds
.It referral Ar URL
Specify a referral to return for requests matching the suffix.
.It rootdn Ar dn
Specify the distinguished name of the root user for the namespace.
The root user is always allowed to read and write entries in the namespace.
The distinguished name must have the same suffix as the namespace.
.It rootpw Ar password
Password for the root user.
Specified either in plain text, or in hashed format.
See AUTHENTICATION in
.Xr ldapd 8 .
.It index Ar attribute
Maintain an index on the specified attribute.
This index can be used for equality, presence, prefix substring and range searches.
.Xr ldapd 8
will update the index on each modification.
If you add an index to an existing namespace, you need to run
.Xr ldapctl 8
to index the existing entries.
.It fsync Ar on | off
If
.Ar off ,
data will not be forced to disk after each commit.
Disabling fsync can increase write speed substantially, but may lead to data
loss.
The default value is on.
.It cache-size Ar size
Set the cache size for data entries.
The
.Ar size
is specified in number of pages.
Note that more than the configured number of pages may exist in the cache, as
dirty pages and pages referenced by cursors are excluded from cache expiration.
.Pp
Cached pages are expired in a least recently used (LRU) order.
.It index-cache-size Ar size
Set the cache size for the index database.
.It relax schema
Disables checking of required and optional object attributes against schema.
All attributes and values are matched as case-insensitive strings.
All attributes are considered multi-valued.
.It strict schema
Enables checking of required and optional object attributes against schema.
This is the default.
.It Ic allow | deny
Allow or deny access to parts of the namespace.
.Pp
For each request, the
.Xr ldapd 8
daemon evaluates the filter rules in sequential order, from first to last.
The last matching rule decides what action is taken.
If no rule matches the request, the default action is to allow the request.
The root DN is always allowed to perform any request.
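.Pp
The evaluation order just stated (rules checked first to last, the last matching rule deciding, and a request that matches no rule allowed), together with the access type, scope and bind DN restrictions described in the rest of this entry, modelled as an added Python example that is not part of ldapd. The ruleset, the DNs and the simplified DN comparison (case and spacing only) are assumptions constructed for the example, not ldapd's own behaviour.

```python
"""ldapd.conf allow/deny evaluation modelled in Python (added example, not ldapd code):
first to last, LAST match decides, no match means allow. SAMPLE_RULES and its DNs are constructed."""
import shlex
SAMPLE_RULES = """
deny to any by any
allow bind access to subtree "dc=example,dc=com" by any
allow read access to subtree "dc=example,dc=com" by any
allow write access to subtree "ou=people,dc=example,dc=com" by self
deny write access to children of "ou=groups,dc=example,dc=com" by any
allow write access to subtree "ou=groups,dc=example,dc=com" by "cn=groupadmin,dc=example,dc=com"
"""
ACCESS = {"read": {"search"}, "write": {"add", "delete", "modify"}, "bind": {"bind"}}

def norm(dn):  # simplified DN normalisation (case and spacing only), not RFC 4514
    return ",".join(p.strip() for p in dn.lower().split(",")) if dn else ""

def parse_rule(line):
    """Return (action, access, scope, target, by) for one allow/deny line."""
    t = shlex.split(line)
    action, access, scope, target, by = t.pop(0), None, "any", "", "any"
    if len(t) > 1 and t[1] == "access":       # optional "read|write|bind access"
        access = t.pop(0); t.pop(0)
    if t and t[0] == "to":                     # optional scope; "to any" is the default
        scope = t[1] if t[1] in ("any", "root", "subtree", "children") else "dn"
        n = {"subtree": 3, "children": 4}.get(scope, 2)   # "children of DN" is 4 tokens
        target = "" if scope in ("any", "root") else norm(t[n - 1])
        del t[:n]
    if t and t[0] == "by":                     # optional bind-DN restriction
        by = t[1] if t[1] in ("any", "self") else norm(t[1])
    return action, access, scope, target, by

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def matches(rule, op, dn, bind_dn):
    _, access, scope, target, by = rule
    dn, bind_dn = norm(dn), norm(bind_dn)
    in_scope = {"any": True, "root": dn == "", "dn": dn == target,
                "subtree": dn == target or dn.endswith("," + target),
                "children": dn.split(",", 1)[1:] == [target]}[scope]
    by_ok = by == "any" or (by == "self" and dn and bind_dn == dn) or bind_dn == by
    return (not access or op in ACCESS[access]) and in_scope and bool(by_ok)

def evaluate(rules, op, dn, bind_dn=None):
    decision = "allow"                         # man page: no matching rule -> allow
    for rule in rules:
        if matches(rule, op, dn, bind_dn):     # op: search, add, delete, modify, bind
            decision = rule[0]                 # the last matching rule wins
    return decision
```

A ruleset made only of allow rules leaves every request they do not mention allowed, which is why the sample opens with a catch-all deny that the later, more specific allow rules override.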
.Pp
The allow/deny statement operates on all access types by default.
This can be restricted by an access type specification:
.Bl -tag -width Ds
.It read access
Restricts the filter rule to search operations.
.It write access
Restricts the filter rule to add, delete and modify operations.
.It bind access
Restricts the filter rule to bind operations.
.El
.Pp
The scope of the filter rule can be restricted by the
.Em to
keyword:
.Bl -tag -width Ds
.It to subtree Ar DN
The filter rule applies to the distinguished name,
as well as to all its descendants.
.It to children of Ar DN
The filter rule applies to all the direct children of the distinguished name.
.It to Ar DN
The filter rule applies to the distinguished name only.
.It to any
The filter rule applies to any distinguished name in the namespace.
This is the default if no scope is specified.
.It to root
The filter rule applies to the root DSE.
.El
.Pp
Finally, the filter rule can match a bind DN:
.Bl -tag -width Ds
.It by any
The filter rule matches any bind DN, including anonymous binds.
.It by Ar DN
The filter rule matches only if the requestor has previously performed
a bind as the specified distinguished name.
.It by self
The filter rule matches only if the requestor has previously performed
a bind as the distinguished name that is being requested.
Typically used to allow users to modify their own data.
.El
.It use compression Op level Ar level
Enable compression of entries and optionally specify compression level (0 - 9).
By default, no compression is used.
.El
.Sh SCHEMA
Schema files define the structure and format of entries in the directory tree.
There are three types of definitions in a schema file:
.Bl -tag -width Ds
.It attributetype
.Po
.Ar oid
.Op NAME name
.Op DESC description
.Op OBSOLETE
.Op SUP oid
.Op EQUALITY oid
.Op ORDERING oid
.Op SUBSTR oid
.Op SYNTAX oid
.Op SINGLE-VALUE
.Op COLLECTIVE
.Op NO-USER-MODIFICATION
.Op USAGE Brq userApplications | directoryOperation | distributedOperation | dSAOperation
.Pc
.Pp
An attribute type definition specifies the syntax of attribute values, whether
it allows multiple values and how it can be compared in search requests.
For a complete description of attribute type definitions, see section
4.1.2 in RFC 4512.
.It objectclass
.Po
.Ar oid
.Op NAME name
.Op DESC description
.Op OBSOLETE
.Op SUP oids
.Op Brq ABSTRACT | STRUCTURAL | AUXILIARY
.Op MUST oids
.Op MAY oids
.Pc
.Pp
An object class definition specifies which attributes are required
and which are allowed.
For a complete description of object class definitions, see section
4.1.1 in RFC 4512.
.It objectidentifier Ar symbolic-name Ar OID
Defines a symbolic name for the object identifier.
A symbolic name can be used in place of a numeric OID in definitions
of attribute types, object classes and other symbolic OIDs.
A descendant OID can be defined in terms of another symbolic OID by appending
a numeric OID after a colon, for example:
.Bd -literal -offset indent
objectidentifier MyOidRoot 1.2.3.4
objectidentifier MyOidAttributes MyOidRoot:5.6
objectidentifier MyOidObjects MyOidRoot:7
.Ed
.Pp
This would define MyOidAttributes as a symbolic name for the OID
1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.
.El
.Sh FILES
.Bl -tag -width "/etc/ldap/ldapd.confXXX" -compact
.It Pa /etc/ldapd.conf
Default
.Xr ldapd 8
configuration file.
.It Pa /etc/ldap/*.schema
Default schema definition files.
.El
.Sh SEE ALSO
.Xr ldapctl 8 ,
.Xr ldapd 8
.Sh STANDARDS
.Rs
.%A K. Zeilenga
.%D June 2006
.%R RFC 4512
.%T Lightweight Directory Access Protocol (LDAP): Directory Information Models
.Re
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 4.8 .