ssh-ldap.conf

Langue: en

Version: 384366 (fedora - 01/12/10)

Section: 5 (Format de fichier)


BSD mandoc

NAME

ssh-ldap.conf - configuration file for ssh-ldap-helper

SYNOPSIS

/etc/ssh/ldap.conf

DESCRIPTION

ssh-ldap-helper8 reads configuration data from /etc/ssh/ldap.conf (or the file specified with -f on the command line). The file contains keyword-argument pairs, one per line. Lines starting with `#' and empty lines are interpreted as comments.

The value starts with the first non-blank character after the keyword's name, and terminates at the end of the line, or at the last sequence of blanks before the end of the line. Quoting values that contain blanks may be incorrect, as the quotes would become part of the value. The possible keywords and their meanings are as follows (note that keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive). Cm URI The argument(s) are in the form ldap[si]://[name[:port]] and specify the URI(s) of an LDAP server(s) to which the ssh-ldap-helper8 should connect. The URI scheme may be any of ``ldap'' ``ldaps '' or ``ldapi'' which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP over IPC (UNIX domain sockets), respectively. Each server's name can be specified as a domain-style name or an IP address literal. Optionally, the server's name can followed by a ':' and the port number the LDAP server is listening on. If no port number is provided, the default port for the scheme is used (389 for ldap://, 636 for ldaps://). For LDAP over IPC, name is the name of the socket, and no port is required, nor allowed; note that directory separators must be URL-encoded, like any other characters that are special to URLs; A space separated list of URIs may be provided. There is no default. Cm Base Specifies the default base Distinguished Name (DN) to use when performing ldap operations. The base must be specified as a DN in LDAP format. There is no default. Cm BindDN Specifies the default BIND DN to use when connecting to the ldap server. The bind DN must be specified as a Distinguished Name in LDAP format. There is no default. Cm BindPW Specifies the default password to use when connecting to the ldap server via BindDN There is no default. Cm RootBindDN Intentionaly does nothing. Recognized for compatibility reasons. Cm Host The argument(s) specifies the name(s) of an LDAP server(s) to which the ssh-ldap-helper8 should connect. Each server's name can be specified as a domain-style name or an IP address and optionally followed by a ':' and the port number the ldap server is listening on. A space-separated list of hosts may be provided. There is no default. Host is deprecated in favor of URI Cm Port Specifies the default port used when connecting to LDAP servers(s). The port may be specified as a number. The default port is 389 for ldap:// or 636 for ldaps:// respectively. Port is deprecated in favor of URI Cm Scope Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend. There are three options (values) that can be assigned to the Scope parameter: ``base'' ``one'' and ``subtree'' Alias for the subtree is ``sub'' The value ``base'' is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!). The value ``one'' is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN. The value ``subtree'' is used to indicate searching of all entries at all levels under and including the specified base DN. The default is ``subtree'' Cm Deref Specifies how alias dereferencing is done when performing a search. There are four possible values that can be assigned to the Deref parameter: ``never'' ``searching'' ``finding'' and ``always'' The value ``never'' means that the aliases are never dereferenced. The value ``searching'' means that the aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search. The value ``finding'' means that the aliases are only dereferenced when locating the base object of the search. The value ``always'' means that the aliases are dereferenced both in searching and in locating the base object of the search. The default is ``never'' Cm TimeLimit Specifies a time limit (in seconds) to use when performing searches. The number should be a non-negative integer. A TimeLimit of zero (0) specifies that the search time is unlimited. Please note that the server may still apply any server-side limit on the duration of a search operation. The default value is 10. Cm TimeOut Is an aliast to TimeLimit Cm Bind_TimeLimit Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. The default value is 10. Cm Network_TimeOut Is an alias to Bind_TimeLimit Cm Ldap_Version Specifies what version of the LDAP protocol should be used. The allowed values are 2 or 3. The default is 3. Cm Version Is an alias to Ldap_Version Cm Bind_Policy Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values: ``hard'' and ``soft.'' ``hard has 2 aliases'' ``hard_open'' and ``hard_init'' The value ``hard'' means that reconects that the ssh-ldap-helper8 tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying. The value ``soft'' means that ssh-ldap-helper8 fails immediately when it cannot connect to the LDAP seerver. The deault is ``hard'' Cm SSLPath Specifies the path to the X.509 certificate database. There is no default. Cm SSL Specifies whether to use SSL/TLS or not. There are three allowed values: ``yes'' ``no'' and ``start_tls'' Both ``true'' and ``on'' are the aliases for ``yes'' ``false'' and ``off'' are the aliases for ``no'' If ``start_tls'' is specified then StartTLS is used rather than raw LDAP over SSL. The default for ldap:// is ``start_tls'' for ldaps:// ``yes'' and ``no'' for the ldapi:// . In case of host based configuration the default is ``start_tls'' Cm Referrals Specifies if the client should automatically follow referrals returned by LDAP servers. The value can be or ``yes'' or ``no'' ``true'' and ``on'' are the aliases for ``yes'' ``false'' and ``off'' are the aliases for ``no'' The default is yes. Cm Restart Specifies whether the LDAP client library should restart the select(2) system call when interrupted. The value can be or ``yes'' or ``no'' ``true'' and ``on'' are the aliases for ``yes'' ``false'' and ``off'' are the aliases for ``no'' The default is yes. Cm TLS_CheckPeer Specifies what checks to perform on server certificates in a TLS session, if any. The value can be specified as one of the following keywords: ``never'' ``hard'' ``demand'' ``allow'' and ``try'' ``true'' ``on'' and ``yes'' are aliases for ``hard'' ``false'' ``off'' and ``no'' are the aliases for ``never'' The value ``never'' means that the client will not request or check any server certificate. The value ``allow'' means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. The value ``try'' means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. The value ``demand'' means that the server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. The value ``hard'' is the same as ``demand'' It requires an SSL connection. In the case of the plain conection the session is immediately terminated. The default is ``hard'' Cm TLS_ReqCert Is an alias for TLS_CheckPeer Cm TLS_CACertFile Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize. There is no default. Cm TLS_CACert Is an alias for TLS_CACertFile Cm TLS_CACertDIR Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACert is always used before TLS_CACertDir The specified directory must be managed with the OpenSSL c_rehash utility. There is no default. Cm TLS_Ciphers Specifies acceptable cipher suite and preference order. The value should be a cipher specification for OpenSSL, e.g., ``HIGH:MEDIUM:+SSLv2'' The default is ``ALL'' Cm TLS_Cipher_Suite Is an alias for TLS_Ciphers Cm TLS_Cert Specifies the file that contains the client certificate. There is no default. Cm TLS_Certificate Is an alias for TLS_Cert Cm TLS_Key Specifies the file that contains the private key that matches the certificate stored in the TLS_Cert file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. There is no default. Cm TLS_RandFile Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. There is no default. Cm LogDir Specifies the directory used for logging by the LDAP client library. There is no default. Cm Debug Specifies the debug level used for logging by the LDAP client library. There is no default. Cm SSH_Filter Specifies the user filter applied on the LDAP serch. The default is no filter.

FILES

/etc/ssh/ldap.conf
Ldap configuration file for ssh-ldap-helper8.

SEE ALSO

ldap.conf5, ssh-ldap-helper8

HISTORY

/etc/ssh/ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP .

AUTHORS

An Jan F. Chadima Aq jchadima@redhat.com