SSH-LDAP.CONF(5)            BSD File Formats Manual           SSH-LDAP.CONF(5)


NAME

     ssh-ldap.conf — configuration file for ssh-ldap-helper


SYNOPSIS

     /etc/ssh/ldap.conf


DESCRIPTION

     ssh-ldap-helper(8) reads configuration data from /etc/ssh/ldap.conf (or
     the file specified with -f on the command line).  The file contains key‐
     word-argument pairs, one per line.  Lines starting with ‘#’ and empty
     lines are interpreted as comments.

     The value starts with the first non-blank character after the keyword's
     name, and terminates at the end of the line, or at the last sequence of
     blanks before the end of the line.  Quoting values that contain blanks
     may be incorrect, as the quotes would become part of the value.  The pos‐
     sible keywords and their meanings are as follows (note that keywords are
     case-insensitive, and arguments, on a case by case basis, may be case-
     sensitive).

     URI     The argument(s) are in the form ldap[si]://[name[:port]] and
             specify the URI(s) of the LDAP server(s) to which
             ssh-ldap-helper(8) should connect.  The URI scheme may be any of
             “ldap”, “ldaps” or “ldapi”, which refer to LDAP over TCP, LDAP
             over SSL (TLS) and LDAP over IPC (UNIX domain sockets), respec‐
             tively.  Each server's name can be specified as a domain-style
             name or an IP address literal.  Optionally, the server's name can
             be followed by a ':' and the port number the LDAP server is lis‐
             tening on.  If no port number is provided, the default port for
             the scheme is used (389 for ldap://, 636 for ldaps://).  For LDAP
             over IPC, name is the name of the socket, and no port is
             required, nor allowed; note that directory separators must be
             URL-encoded, like any other characters that are special to URLs.
             A space separated list of URIs may be provided.  There is no
             default.

     Base    Specifies the default base Distinguished Name (DN) to use when
             performing ldap operations.  The base must be specified as a DN
             in LDAP format.  There is no default.

     BindDN  Specifies the default BIND DN to use when connecting to the ldap
             server.  The bind DN must be specified as a Distinguished Name in
             LDAP format.  There is no default.

     BindPW  Specifies the default password to use when connecting to the ldap
             server via BindDN.  There is no default.

     RootBindDN
             Intentionally does nothing.  Recognized for compatibility reasons.

     Host    The argument(s) specify the name(s) of the LDAP server(s) to
             which ssh-ldap-helper(8) should connect.  Each server's name
             can be specified as a domain-style name or an IP address and
             optionally followed by a ':' and the port number the ldap server
             is listening on.  A space-separated list of hosts may be pro‐
             vided.  There is no default.  Host is deprecated in favor of URI.

     Port    Specifies the default port used when connecting to LDAP
             server(s).  The port must be specified as a number.  The default
             port is 389 for ldap:// or 636 for ldaps:// respectively.  Port
             is deprecated in favor of URI.

     Scope   Specifies the starting point of an LDAP search and the depth from
             the base DN to which the search should descend.  There are three
             options (values) that can be assigned to the Scope parameter:
             “base”, “one” and “subtree”.  Alias for the subtree is “sub”.
             The value “base” is used to indicate searching only the entry at
             the base DN, resulting in only that entry being returned (keeping
             in mind that it also has to meet the search filter criteria!).
             The value “one” is used to indicate searching all entries one
             level under the base DN, but not including the base DN and not
             including any entries under that one level under the base DN.
             The value “subtree” is used to indicate searching of all entries
             at all levels under and including the specified base DN.  The
             default is “subtree”.

     Deref   Specifies how alias dereferencing is done when performing a
             search.  There are four possible values that can be assigned to
             the Deref parameter: “never”, “searching”, “finding”, and
             “always”.  The value “never” means that the aliases are never
             dereferenced.  The value “searching” means that the aliases are
             dereferenced in subordinates of the base object, but not in
             locating the base object of the search.  The value “finding”
             means that the aliases are only dereferenced when locating the
             base object of the search.  The value “always” means that the
             aliases are dereferenced both in searching and in locating the
             base object of the search.  The default is “never”.

     TimeLimit
             Specifies a time limit (in seconds) to use when performing
             searches.  The number must be a non-negative integer.  A
             TimeLimit of zero (0) specifies that the search time is unlim‐
             ited.  Please note that the server may still apply any server-side
             limit on the duration of a search operation.  The default value
             is 10.

     TimeOut
             Is an alias for TimeLimit.

     Bind_TimeLimit
             Specifies the timeout (in seconds) after which the
             poll(2)/select(2) following a connect(2) returns in case of no
             activity.  The default value is 10.

     Network_TimeOut
             Is an alias for Bind_TimeLimit.

     Ldap_Version
             Specifies what version of the LDAP protocol should be used.  The
             allowed values are 2 or 3.  The default is 3.

     Version
             Is an alias for Ldap_Version.

     Bind_Policy
             Specifies the policy to use for reconnecting to an unavailable
             LDAP server.  There are two available values: “hard” and “soft”.
             “hard” has two aliases, “hard_open” and “hard_init”.  The value
             “hard” means that ssh-ldap-helper(8) tries to reconnect to the
             LDAP server 5 times before failing, with exponential backoff
             before each retry.  The value “soft” means that
             ssh-ldap-helper(8) fails immediately when it cannot connect to
             the LDAP server.  The default is “hard”.

     SSLPath
             Specifies the path to the X.509 certificate database.  There is
             no default.

     SSL     Specifies whether to use SSL/TLS or not.  There are three allowed
             values: “yes”, “no” and “start_tls”.  Both “true” and “on” are
             aliases for “yes”.  “false” and “off” are aliases for “no”.  If
             “start_tls” is specified then StartTLS is used rather than raw
             LDAP over SSL.  The default for ldap:// is “start_tls”, for
             ldaps:// “yes” and for ldapi:// “no”.  In case of host based
             configuration the default is “start_tls”.

     Referrals
             Specifies if the client should automatically follow referrals
             returned by LDAP servers.  The value can be either “yes” or “no”.
             “true” and “on” are aliases for “yes”.  “false” and “off” are
             aliases for “no”.  The default is “yes”.

     Restart
             Specifies whether the LDAP client library should restart the
             select(2) system call when interrupted.  The value can be either
             “yes” or “no”.  “true” and “on” are aliases for “yes”.  “false”
             and “off” are aliases for “no”.  The default is “yes”.

     TLS_CheckPeer
             Specifies what checks to perform on server certificates in a TLS
             session, if any.  The value can be specified as one of the follow‐
             ing keywords: “never”, “hard”, “demand”, “allow” and “try”.
             “true”, “on” and “yes” are aliases for “hard”.  “false”, “off”
             and “no” are aliases for “never”.  The value “never” means that
             the client will not request or check any server certificate.
             The value “allow” means that the server certificate is requested.
             If no certificate is provided, the session proceeds normally.  If
             a bad certificate is provided, it will be ignored and the session
             proceeds normally.  The value “try” means that the server cer‐
             tificate is requested.  If no certificate is provided, the session
             proceeds normally.  If a bad certificate is provided, the session
             is immediately terminated.  The value “demand” means that the
             server certificate is requested.  If no certificate is provided,
             or a bad certificate is provided, the session is immediately ter‐
             minated.  The value “hard” is the same as “demand”, but addition‐
             ally requires an SSL connection: in the case of a plain connection
             the session is immediately terminated.  The default is “hard”.

     TLS_ReqCert
             Is an alias for TLS_CheckPeer.

     TLS_CACertFile
             Specifies the file that contains certificates for all of the Cer‐
             tificate Authorities the client will recognize.  There is no
             default.

     TLS_CACert
             Is an alias for TLS_CACertFile.

     TLS_CACertDir
             Specifies the path of a directory that contains Certificate
             Authority certificates in separate individual files.  The
             TLS_CACert is always used before TLS_CACertDir.  The specified
             directory must be managed with the OpenSSL c_rehash utility.
             There is no default.

     TLS_Ciphers
             Specifies acceptable cipher suites and preference order.  The
             value should be a cipher specification for OpenSSL, e.g.,
             “HIGH:MEDIUM:+SSLv2”.  The default is “ALL”.

     TLS_Cipher_Suite
             Is an alias for TLS_Ciphers.

     TLS_Cert
             Specifies the file that contains the client certificate.  There
             is no default.

     TLS_Certificate
             Is an alias for TLS_Cert.

     TLS_Key
             Specifies the file that contains the private key that matches the
             certificate stored in the TLS_Cert file.  Currently, the private
             key must not be protected with a password, so it is of critical
             importance that the key file is protected carefully.  There is no
             default.

     TLS_RandFile
             Specifies the file to obtain random bits from when /dev/[u]random
             is not available.  Generally set to the name of the EGD/PRNGD
             socket.  The environment variable RANDFILE can also be used to
             specify the filename.  There is no default.

     LogDir  Specifies the directory used for logging by the LDAP client
             library.  There is no default.

     Debug   Specifies the debug level used for logging by the LDAP client
             library.  There is no default.

     SSH_Filter
             Specifies the user filter applied on the LDAP search.  The
             default is no filter.

     AccountClass
             Specifies the LDAP class used to find user accounts.  The default
             is posixAccount.

     search_format
             Specifies the format of the search string used in LDAP, substi‐
             tuting %u for the user name and %f for the additional ssh filter
             SSH_Filter (optional).  The default value is
             (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
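     The following is an added example, not ssh-ldap-helper's own code.  It
     parses a file using the keyword-argument rules given at the top of this
     page (case-insensitive keywords, trailing blanks dropped, quotes kept as
     part of the value, aliases folded onto the keyword they stand for) and
     then flags the settings described above that weaken transport or cre‐
     dential protection: SSL “no” on a plain ldap:// or Host-based server,
     a lax TLS_CheckPeer, a BindPW stored in the file, and the default
     TLS_Ciphers “ALL”.  The sample file and the rule that a repeated keyword
     keeps its last value are assumptions of the example.

```python
# Aliases documented above, mapped to the keyword they stand for
ALIASES = {"tls_reqcert": "tls_checkpeer", "tls_cacert": "tls_cacertfile",
           "tls_cipher_suite": "tls_ciphers", "tls_certificate": "tls_cert",
           "timeout": "timelimit", "network_timeout": "bind_timelimit",
           "version": "ldap_version"}
FALSE_WORDS = {"no", "false", "off"}
# TLS_CheckPeer values under which a bad server certificate is not fatal
LAX_PEER = {"never", "allow"} | FALSE_WORDS

def parse_ldap_conf(text):
    """Keyword-argument lines as described above: keywords case-insensitive,
    value from the first non-blank after the keyword to the end of the line
    minus trailing blanks, quotes kept.  Assumption: a repeated keyword keeps
    its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # empty line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()
        conf[ALIASES.get(key, key)] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(conf):
    """Return findings for settings a defender would want to revisit."""
    findings = []
    uris = conf.get("uri", "").split()
    plain = [u for u in uris if u.startswith("ldap://")] or conf.get("host")
    if plain and conf.get("ssl", "").lower() in FALSE_WORDS:
        findings.append("ssl: TLS disabled, bind credentials cross the network in clear")
    peer = conf.get("tls_checkpeer", "hard").lower()      # "hard" is the default
    if peer in LAX_PEER:
        findings.append(f"tls_checkpeer: '{peer}' lets a bad server certificate pass")
    if conf.get("bindpw"):
        findings.append("bindpw: plaintext password in file, keep it readable by root only")
    ciphers = conf.get("tls_ciphers", "ALL")               # "ALL" is the default
    if ciphers == "ALL" or "SSLv2" in ciphers:
        findings.append(f"tls_ciphers: '{ciphers}' permits legacy cipher suites")
    return findings

# Constructed sample configuration, not taken from a real deployment
SAMPLE = """# ssh-ldap.conf
URI      ldap://ldap.example.com:389
Base     "dc=example,dc=com"
BindPW   s3cret
SSL      no
TLS_ReqCert allow
"""
```

     Note that the parsed Base keeps its quotes, which is the quoting pitfall
     the DESCRIPTION warns about.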
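     The search_format expansion above, as an added example that is not
     ssh-ldap-helper's own code: it substitutes %u, %f and %c, and escapes
     the user name as RFC 4515 requires so that filter metacharacters in it
     are matched literally rather than parsed as filter syntax.  Assumptions:
     %c stands for the AccountClass value, and SSH_Filter is a complete
     filter item such as the constructed (host=bastion).

```python
import re

# Default search_format from this page; %c is assumed to be AccountClass
SEARCH_FORMAT = "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"

# Characters RFC 4515 requires to be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(user, account_class="posixAccount", ssh_filter="",
                        search_format=SEARCH_FORMAT):
    """Expand %u (user name), %c (account class) and %f (SSH_Filter, inserted
    as given and empty when no filter is configured, the documented default)."""
    subst = {"u": escape_filter_value(user),
             "c": escape_filter_value(account_class),
             "f": ssh_filter}
    # a function replacement is inserted verbatim, so escapes survive intact
    return re.sub(r"%([ucf])", lambda m: subst[m.group(1)], search_format)
```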

FILES

     /etc/ssh/ldap.conf
             LDAP configuration file for ssh-ldap-helper(8).


SEE ALSO

     ldap.conf(5), ssh-ldap-helper(8)


HISTORY

     ssh-ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP.


AUTHORS

     Jan F. Chadima <jchadima@redhat.com>

BSD                              June 20, 2019                             BSD