LDAPD.CONF(5) - File Formats Manual

LDAPD.CONF(5) - File Formats Manual #

LDAPD.CONF(5) - File Formats Manual

NAME #

ldapd.conf - LDAP daemon configuration file

DESCRIPTION #

ldapd.conf is the configuration file for the LDAP daemon ldapd(8).

The current line can be extended over multiple lines using a backslash (’\’). Comments can be put anywhere in the file using a hash mark (’#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted. Arguments containing whitespace should be surrounded by double quotes (").

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example listen, namespace, port). Macros are not expanded inside quotes.

For example:

wan_if = "fxp0"
listen on $wan_if
listen on $wan_if tls

Additional configuration files can be included with the include keyword, for example:

include "/etc/ldap/sub.namespace.conf"

Additional schema files can be included with the schema keyword, for example:

schema "/etc/ldap/inetorgperson.schema"

The syntax of ldapd.conf is described below.

GLOBAL CONFIGURATION #

listen on interface [port port] [legacy] [tls | ldaps | secure] [certificate name]

Specify an interface and port to listen on. An IP address, domain name or absolute path may be used in place of interface. An absolute path is used to listen on a unix domain socket.

Secured connections are provided either using STARTTLS (tls), by default on port 389, or LDAPS (ldaps), by default on port 636. tls and ldaps connections will use the defaults from libtls. If compatibility with the insecure TLSv1.0 and TLSv1.1 protocols and ciphers is required, they can be enabled with the legacy keyword. Creation of certificates is documented in starttls(8). If no certificate name is specified, the /etc/ldap/certs directory is searched for a file named by joining the interface name with a .crt extension, e.g. /etc/ldap/certs/fxp0.crt.

If the certificate name is an absolute path, a .crt and .key extension are appended to form the certificate path and key path respectively.

Only secured connections accept plain text password authentication. Connections using TLS or unix domain sockets are always considered secured. The secure keyword can be used to mark an otherwise insecure connection secured, e.g. if IPsec is used.

referral URL

Specify a default referral. If no namespace matches the base DN in a request, the request is delegated to another LDAP server instead of returning an error.

This option can be given multiple times, in which case the URLs are considered equal. Clients may choose to follow any of the referral URLs.

The URL has the following format:

ldap://ldap.example.com ldaps://ldap.example.com:3890

rootdn dn

Specify the distinguished name of the root user for all namespaces. The root user is always allowed to read and write entries in all local namespaces.

rootpw password

Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).

schema filename

Add schema definitions from the specified file. For a description of the schema file syntax see SCHEMA below.

NAMESPACES #

A namespace is a subtree of the global X.500 DIT (Directory Information Tree), also known as a naming context. All entries’ distinguished names (DN) have the same suffix, which is used to identify the namespace. The suffix should consist of the domain components, in reverse order, of your domain name, as recommended by RFC 2247.

namespace "dc=example,dc=com" {
	rootdn "cn=admin,dc=example,dc=com"
	rootpw "secret"
}

When matching requests against namespace suffixes, the most specific match is used. Each namespace stores data in a separate database file.

A namespace has the following configuration properties:

referral URL

Specify a referral to return for requests matching the suffix.

rootdn dn

Specify the distinguished name of the root user for the namespace. The root user is always allowed to read and write entries in the namespace. The distinguished name must have the same suffix as the namespace.

rootpw password

Password for the root user. Specified either in plain text, or in hashed format. See AUTHENTICATION in ldapd(8).

index attribute

Maintain an index on the specified attribute. This index can be used for equality, presence, prefix substring and range searches. ldapd(8) will update the index on each modification. If you add an index to an existing namespace, you need to run ldapctl(8) to index the existing entries.

fsync on | off

If off, data will not be forced to disk after each commit. Disabling fsync can increase write speed substantially, but may lead to data loss. The default value is on.

cache-size size

Set the cache size for data entries. The size is specified in number of pages. Note that more than the configured number of pages may exist in the cache, as dirty pages and pages referenced by cursors are excluded from cache expiration.

Cached pages are expired in a least recently used (LRU) order.

index-cache-size size

Set the cache size for the index database.

relax schema

Disables checking of required and optional object attributes against schema. All attributes and values are matched as case-insensitive strings. All attributes are considered multi-valued.

strict schema

Enables checking of required and optional object attributes against schema. This is the default.

allow | deny

Allow or deny access to parts of the namespace.

Each request to the ldapd(8) daemon evaluates the filter rules in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the request, the default action is to allow the request. The root DN is always allowed to perform any request.

The allow/deny statement operates on all access types by default. This can be restricted by an access type specification:

read access

Restricts the filter rule to search operations.

write access

Restricts the filter rule to add, delete and modify operations.

bind access

Restricts the filter rule to bind operations.

The scope of the filter rule can be restricted by the to keyword:

to subtree DN

The filter rule applies to the distinguished name, as well as for all its descendants.

to children of DN

The filter rule applies to all the direct children of the distinguished name.

to DN

The filter rule applies to the distinguished name only.

to any

The filter rule applies to any distinguished name in the namespace. This is the default if no scope is specified.

to root

The filter rule applies to the root DSE.

The scope can be restricted to an optional attribute:

attribute name

The filter rule applies to the specified attribute.

Finally, the filter rule can match a bind DN:

by any

The filter rule matches by any bind dn, including anonymous binds.

by DN

The filter rule matches only if the requestor has previously performed a bind as the specified distinguished name.

by self

The filter rule matches only if the requestor has previously performed a bind as the distinguished name that is being requested. Typically used to allow users to modify their own data.

use compression [level level]

Enable compression of entries and optionally specify compression level (0 - 9). By default, no compression is used.

SCHEMA #

Schema files define the structure and format of entries in the directory tree. There are three types of definitions in a schema file:

attributetype

(oid [NAME name] [DESC description] [OBSOLETE] [SUP oid] [EQUALITY oid] [ORDERING oid] [SUBSTR oid] [SYNTAX oid] [SINGLE-VALUE] [COLLECTIVE] [NO-USER-MODIFICATION] [USAGE {userApplications | directoryOperation | distributedOperation | dSAOperation}])

An attribute type definition specifies the syntax of attribute values, whether it allows multiple values and how it can be compared in search requests. For a complete description of attribute type definitions, see section 4.1.2 in RFC 4512.

objectclass

(oid [NAME name] [DESC description] [OBSOLETE] [SUP oids] [{ABSTRACT | STRUCTURAL | AUXILIARY}] [MUST oids] [MAY oids])

An object class definition specifies which attributes are required and which are allowed. For a complete description of object class definitions, see section 4.1.1 in RFC 4512.

objectidentifier symbolic-name OID

Defines a symbolic name for the object identifier. A symbolic name can be used in place of a numeric OID in definitions of attribute types, object classes and other symbolic OIDs. A descendant OID can be defined in terms of another symbolic OID by appending a numeric OID after a colon, for example:

objectidentifier MyOidRoot 1.2.3.4 objectidentifier MyOidAttributes MyOidRoot:5.6 objectidentifier MyOidObjects MyOidRoot:7

This would define MyOidAttributes as a symbolic name for the OID 1.2.3.4.5.6, and MyOidObjects for 1.2.3.4.7.

FILES #

/etc/ldapd.conf

Default ldapd(8) configuration file.

/etc/examples/ldapd.conf

Example configuration file.

/etc/ldap/*.schema

Default schema definition files.

/etc/ldap/certs/

Default directory for TLS certificates.

SEE ALSO #

ldapctl(8), ldapd(8)

STANDARDS #

K. Zeilenga, Lightweight Directory Access Protocol (LDAP): Directory Information Models, RFC 4512, June 2006.

HISTORY #

The ldapd.conf file format first appeared in OpenBSD 4.8.

OpenBSD 7.5 - March 2, 2023