SSH-LDAP.CONF(5)            BSD File Formats Manual           SSH-LDAP.CONF(5)

NAME

     ssh-ldap.conf — configuration file for ssh-ldap-helper

SYNOPSIS

     /etc/ssh/ldap.conf

DESCRIPTION

     ssh-ldap-helper(8) reads configuration data from /etc/ssh/ldap.conf (or
     the file specified with -f on the command line).  The file contains
     keyword-argument pairs, one per line.  Lines starting with ‘#’ and empty
     lines are interpreted as comments.

     The value starts with the first non-blank character after the keyword's
     name, and terminates at the end of the line, or at the last sequence of
     blanks before the end of the line.  Quoting values that contain blanks
     may be incorrect, as the quotes would become part of the value.  The
     possible keywords and their meanings are as follows (note that keywords
     are case-insensitive, and arguments, on a case by case basis, may be
     case-sensitive).

     The argument(s) are in the form ldap[si]://[name[:port]] and specify the
     URI(s) of the LDAP server(s) to which ssh-ldap-helper(8) should connect.
     The URI scheme may be any of “ldap”, “ldaps” or “ldapi”, which refer to
     LDAP over TCP, LDAP over SSL (TLS) and LDAP over IPC (UNIX domain
     sockets), respectively.  Each server's name can be specified as a
     domain-style name or an IP address literal.  Optionally, the server's
     name can be followed by a ':' and the port number the LDAP server is
     listening on.  If no port number is provided, the default port for the
     scheme is used (389 for ldap://, 636 for ldaps://).  For LDAP over IPC,
     name is the name of the socket, and no port is required, nor allowed;
     note that directory separators must be URL-encoded, like any other
     characters that are special to URLs.  A space-separated list of URIs may
     be provided.  There is no default.

     Specifies the default base Distinguished Name (DN) to use when performing
     LDAP operations.  The base must be specified as a DN in LDAP format.
     There is no default.

     Specifies the default bind DN to use when connecting to the LDAP server.
     The bind DN must be specified as a Distinguished Name in LDAP format.
     There is no default.

     Specifies the default password to use when connecting to the LDAP server
     via BindDN.  There is no default.

     Intentionally does nothing.  Recognized for compatibility reasons.

     The argument(s) specify the name(s) of the LDAP server(s) to which
     ssh-ldap-helper(8) should connect.  Each server's name can be specified
     as a domain-style name or an IP address, optionally followed by a ':'
     and the port number the LDAP server is listening on.  A space-separated
     list of hosts may be provided.  There is no default.  Host is deprecated
     in favor of URI.

     Specifies the default port used when connecting to LDAP server(s).  The
     port is specified as a number.  The default port is 389 for ldap:// or
     636 for ldaps://, respectively.  Port is deprecated in favor of URI.

     Specifies the starting point of an LDAP search and the depth from the
     base DN to which the search should descend.  There are three values that
     can be assigned to the Scope parameter: “base”, “one” and “subtree”.
     “sub” is an alias for “subtree”.  The value “base” indicates searching
     only the entry at the base DN, resulting in only that entry being
     returned (keeping in mind that it also has to meet the search filter
     criteria).  The value “one” indicates searching all entries one level
     under the base DN, but not including the base DN and not including any
     entries below that one level.  The value “subtree” indicates searching
     all entries at all levels under and including the specified base DN.
     The default is “subtree”.

     Specifies how alias dereferencing is done when performing a search.
     There are four possible values that can be assigned to the Deref
     parameter: “never”, “searching”, “finding”, and “always”.  The value
     “never” means that aliases are never dereferenced.  The value
     “searching” means that aliases are dereferenced in subordinates of the
     base object, but not in locating the base object of the search.  The
     value “finding” means that aliases are only dereferenced when locating
     the base object of the search.  The value “always” means that aliases
     are dereferenced both in searching and in locating the base object of
     the search.  The default is “never”.

     Specifies a time limit (in seconds) to use when performing searches.  The
     number should be a non-negative integer.  A TimeLimit of zero (0)
     specifies that the search time is unlimited.  Note that the server may
     still apply any server-side limit on the duration of a search operation.
     The default value is 10.

     Is an alias for TimeLimit.

     Specifies the timeout (in seconds) after which the poll(2)/select(2)
     following a connect(2) returns in case of no activity.  The default
     value is 10.

     Is an alias for Bind_TimeLimit.

     Specifies what version of the LDAP protocol should be used.  The allowed
     values are 2 or 3.  The default is 3.

     Is an alias for Ldap_Version.

     Specifies the policy to use for reconnecting to an unavailable LDAP
     server.  There are two available values: “hard” and “soft”.  “hard” has
     two aliases, “hard_open” and “hard_init”.  The value “hard” means that
     ssh-ldap-helper(8) tries to reconnect to the LDAP server 5 times before
     failing, with exponential backoff before each retry.  The value “soft”
     means that ssh-ldap-helper(8) fails immediately when it cannot connect
     to the LDAP server.  The default is “hard”.

     Specifies the path to the X.509 certificate database.  There is no
     default.

     Specifies whether to use SSL/TLS or not.  There are three allowed values:
     “yes”, “no” and “start_tls”.  Both “true” and “on” are aliases for
     “yes”; “false” and “off” are aliases for “no”.  If “start_tls” is
     specified, then StartTLS is used rather than raw LDAP over SSL.  The
     default for ldap:// is “start_tls”, for ldaps:// “yes” and for ldapi://
     “no”.  In the case of host-based configuration the default is
     “start_tls”.

     Specifies if the client should automatically follow referrals returned
     by LDAP servers.  The value can be either “yes” or “no”.  “true” and
     “on” are aliases for “yes”; “false” and “off” are aliases for “no”.  The
     default is “yes”.

     Specifies whether the LDAP client library should restart the select(2)
     system call when interrupted.  The value can be either “yes” or “no”.
     “true” and “on” are aliases for “yes”; “false” and “off” are aliases for
     “no”.  The default is “yes”.

     Specifies what checks to perform on server certificates in a TLS
     session, if any.  The value can be specified as one of the following
     keywords: “never”, “hard”, “demand”, “allow” and “try”.  “true”, “on”
     and “yes” are aliases for “hard”; “false”, “off” and “no” are aliases
     for “never”.  The value “never” means that the client will not request
     or check any server certificate.  The value “allow” means that the
     server certificate is requested; if no certificate is provided, the
     session proceeds normally, and if a bad certificate is provided, it is
     ignored and the session proceeds normally.  The value “try” means that
     the server certificate is requested; if no certificate is provided, the
     session proceeds normally, but if a bad certificate is provided, the
     session is immediately terminated.  The value “demand” means that the
     server certificate is requested; if no certificate is provided, or a bad
     certificate is provided, the session is immediately terminated.  The
     value “hard” is the same as “demand”, but additionally requires an SSL
     connection: over a plain connection the session is immediately
     terminated.  The default is “hard”.

     Is an alias for TLS_CheckPeer.

     Specifies the file that contains certificates for all of the Certificate
     Authorities the client will recognize.  There is no default.

     Is an alias for TLS_CACertFile.

     Specifies the path of a directory that contains Certificate Authority
     certificates in separate individual files.  TLS_CACert is always used
     before TLS_CACertDir.  The specified directory must be managed with the
     OpenSSL c_rehash utility.  There is no default.

     Specifies the acceptable cipher suites and their preference order.  The
     value should be a cipher specification for OpenSSL, e.g.,
     “HIGH:MEDIUM:+SSLv2”.  The default is “ALL”.

     Is an alias for TLS_Ciphers.

     Specifies the file that contains the client certificate.  There is no
     default.

     Is an alias for TLS_Cert.

     Specifies the file that contains the private key that matches the
     certificate stored in the TLS_Cert file.  Currently, the private key
     must not be protected with a password, so it is of critical importance
     that the key file is protected carefully.  There is no default.

     Specifies the file to obtain random bits from when /dev/[u]random is not
     available.  Generally set to the name of the EGD/PRNGD socket.  The
     environment variable RANDFILE can also be used to specify the filename.
     There is no default.

     Specifies the directory used for logging by the LDAP client library.
     There is no default.

     Specifies the debug level used for logging by the LDAP client library.
     There is no default.

     Specifies the user filter applied on the LDAP search.  The default is no
     filter.
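As an added illustration (not part of this manual page or of ssh-ldap-helper), a small Python checker that reads a file by the parsing rules above (comment lines, case-insensitive keywords, value running to the last non-blank, quotes kept as part of the value) and flags settings that weaken the connection: a permissive TLS_CheckPeer, a hard/demand check with no CA file or directory to verify against, Ldap_Version 2, an unlimited TimeLimit and quoted values. Only keyword names this page mentions are used; the sample configuration is constructed, and the rule that a repeated keyword's last value wins is an assumption.

```python
import re

# Constructed sample /etc/ssh/ldap.conf (not from the page); note the trailing
# blanks on the URI line and the quotes around the BindDN value.
SAMPLE = """\
# constructed example, not a real deployment
uri ldap://ldap.example.com ldaps://backup.example.com:6636   
BindDN "cn=sshproxy,dc=example,dc=com"
tls_checkpeer allow
Ldap_Version 2
TimeLimit 0
"""

# Aliases documented for TLS_CheckPeer: true/on/yes mean hard, false/off/no mean never.
CHECKPEER_ALIASES = {"true": "hard", "on": "hard", "yes": "hard",
                     "false": "never", "off": "never", "no": "never"}

def parse_ldap_conf(text):
    """Parse keyword-argument pairs: '#' lines and empty lines are comments,
    keywords are case-insensitive, the value runs from the first non-blank
    after the keyword to the last non-blank on the line (quotes are kept)."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].rstrip() if len(parts) > 1 else ""
        conf[parts[0].lower()] = value   # assumption: a repeated keyword's last value wins
    return conf

def audit(conf):
    """Return a list of findings for settings that weaken the LDAP connection."""
    findings = []
    peer = CHECKPEER_ALIASES.get(conf.get("tls_checkpeer", "hard").lower(),
                                 conf.get("tls_checkpeer", "hard").lower())
    if peer in ("never", "allow", "try"):
        findings.append(f"TLS_CheckPeer={peer}: a missing or bad server certificate does not fail the session")
    elif not any(k in conf for k in ("tls_cacertfile", "tls_cacert", "tls_cacertdir")):
        findings.append("TLS_CheckPeer=hard/demand but no TLS_CACertFile or TLS_CACertDir is configured")
    if conf.get("ldap_version", "3") == "2":
        findings.append("Ldap_Version=2: use protocol version 3 (the default)")
    if conf.get("timelimit", "10") == "0":
        findings.append("TimeLimit=0: search time is unlimited; a slow server can stall the helper")
    for key, value in conf.items():
        if value[:1] in ('"', "'"):
            findings.append(f"{key}: value starts with a quote, which becomes part of the value")
    for uri in conf.get("uri", "").split():
        if not re.match(r"^ldap[si]?://", uri):
            findings.append(f"URI {uri!r}: scheme is not ldap://, ldaps:// or ldapi://")
    return findings
```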

FILES

     /etc/ssh/ldap.conf
             LDAP configuration file for ssh-ldap-helper(8).

SEE ALSO

     ldap.conf(5), ssh-ldap-helper(8)

HISTORY

     ssh-ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP.

AUTHORS

     Jan F. Chadima <jchadima@redhat.com>

BSD                              June 22, 2019                             BSD