SSH-LDAP.CONF(5)            BSD File Formats Manual            SSH-LDAP.CONF(5)

NAME
     ssh-ldap.conf — configuration file for ssh-ldap-helper

SYNOPSIS
     /etc/ssh/ldap.conf

DESCRIPTION
     ssh-ldap-helper(8) reads configuration data from /etc/ssh/ldap.conf (or
     the file specified with -f on the command line).  The file contains
     keyword-argument pairs, one per line.  Lines starting with ‘#’ and empty
     lines are interpreted as comments.

     The value starts with the first non-blank character after the keyword's
     name, and terminates at the end of the line, or at the last sequence of
     blanks before the end of the line.  Quoting values that contain blanks
     does not work as intended, as the quotes become part of the value.  The
     possible keywords and their meanings are as follows (note that keywords
     are case-insensitive, and arguments, on a case by case basis, may be
     case-sensitive).

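     The parsing rules above, implemented as an added example (this is not
     code from OpenSSH or ssh-ldap-helper); the sample file is constructed,
     and the choice to keep the first of two identical keywords is an
     assumption the page does not state.

```python
from typing import Dict, List

def parse_ssh_ldap_conf(text: str) -> Dict[str, str]:
    """Parse ssh-ldap.conf text into {lowercased keyword: value}.

    Rules taken from the description above:
      * one keyword-argument pair per line;
      * lines starting with '#' and empty lines are comments;
      * keywords are case-insensitive (stored lowercased here);
      * the value starts at the first non-blank after the keyword and
        ends at end of line or at the last run of blanks before it;
      * quotes are not stripped: they stay part of the value.
    Assumption (not stated on the page): a keyword given twice keeps
    its first value.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip(" \t")            # drop leading/trailing blanks
        if not line or line.startswith("#"):
            continue                        # empty line or comment
        parts = line.split(None, 1)         # keyword, rest of the line
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(keyword, value)
    return conf

def uri_list(conf: Dict[str, str]) -> List[str]:
    """URI takes a space-separated list; the deprecated Host keyword is
    still honoured here when URI is absent."""
    return conf.get("uri", conf.get("host", "")).split()

# Constructed sample file, not taken from the page.
SAMPLE = """\
# ssh-ldap.conf (constructed sample)
URI     ldaps://ldap.example.com:636  ldap://ldap2.example.com
base    dc=example,dc=com
BindDN  "cn=sshkeys,dc=example,dc=com"
bindpw  s3cret   
TLS_CheckPeer demand
"""

if __name__ == "__main__":
    for key, val in parse_ssh_ldap_conf(SAMPLE).items():
        print(f"{key} = {val!r}")
```

     Note that the quoted BindDN in the sample is returned with its quotes
     intact, which is exactly the pitfall the text warns about.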
     URI     The argument(s) are in the form ldap[si]://[name[:port]] and
             specify the URI(s) of the LDAP server(s) to which
             ssh-ldap-helper(8) should connect.  The URI scheme may be any of
             “ldap”, “ldaps” or “ldapi”, which refer to LDAP over TCP, LDAP
             over SSL (TLS) and LDAP over IPC (UNIX domain sockets),
             respectively.  Each server's name can be specified as a
             domain-style name or an IP address literal.  Optionally, the
             server's name can be followed by a ':' and the port number the
             LDAP server is listening on.  If no port number is provided, the
             default port for the scheme is used (389 for ldap://, 636 for
             ldaps://).  For LDAP over IPC, name is the name of the socket,
             and no port is required, nor allowed; note that directory
             separators must be URL-encoded, like any other characters that
             are special to URLs.  A space-separated list of URIs may be
             provided.  There is no default.

     Base    Specifies the default base Distinguished Name (DN) to use when
             performing LDAP operations.  The base must be specified as a DN
             in LDAP format.  There is no default.

     BindDN  Specifies the default bind DN to use when connecting to the LDAP
             server.  The bind DN must be specified as a Distinguished Name
             in LDAP format.  There is no default.

     BindPW  Specifies the default password to use when connecting to the
             LDAP server via BindDN.  There is no default.

     RootBindDN
             Intentionally does nothing.  Recognized for compatibility
             reasons.

     Host    The argument(s) specify the name(s) of the LDAP server(s) to
             which ssh-ldap-helper(8) should connect.  Each server's name can
             be specified as a domain-style name or an IP address, optionally
             followed by a ':' and the port number the LDAP server is
             listening on.  A space-separated list of hosts may be provided.
             There is no default.  Host is deprecated in favor of URI.

     Port    Specifies the default port used when connecting to LDAP
             server(s).  The port must be specified as a number.  The
             default port is 389 for ldap:// or 636 for ldaps://,
             respectively.  Port is deprecated in favor of URI.

     Scope   Specifies the starting point of an LDAP search and the depth
             from the base DN to which the search should descend.  There are
             three options (values) that can be assigned to the Scope
             parameter: “base”, “one” and “subtree”.  “sub” is an alias for
             “subtree”.  The value “base” is used to indicate searching only
             the entry at the base DN, resulting in only that entry being
             returned (keeping in mind that it also has to meet the search
             filter criteria!).  The value “one” is used to indicate
             searching all entries one level under the base DN, but not
             including the base DN and not including any entries under that
             one level under the base DN.  The value “subtree” is used to
             indicate searching of all entries at all levels under and
             including the specified base DN.  The default is “subtree”.

     Deref   Specifies how alias dereferencing is done when performing a
             search.  There are four possible values that can be assigned to
             the Deref parameter: “never”, “searching”, “finding”, and
             “always”.  The value “never” means that the aliases are never
             dereferenced.  The value “searching” means that the aliases are
             dereferenced in subordinates of the base object, but not in
             locating the base object of the search.  The value “finding”
             means that the aliases are only dereferenced when locating the
             base object of the search.  The value “always” means that the
             aliases are dereferenced both in searching and in locating the
             base object of the search.  The default is “never”.

     TimeLimit
             Specifies a time limit (in seconds) to use when performing
             searches.  The number should be a non-negative integer.  A
             TimeLimit of zero (0) specifies that the search time is
             unlimited.  Please note that the server may still apply any
             server-side limit on the duration of a search operation.  The
             default value is 10.

     TimeOut
             Is an alias for TimeLimit.

     Bind_TimeLimit
             Specifies the timeout (in seconds) after which the
             poll(2)/select(2) following a connect(2) returns in case of no
             activity.  The default value is 10.

     Network_TimeOut
             Is an alias for Bind_TimeLimit.

     Ldap_Version
             Specifies what version of the LDAP protocol should be used.  The
             allowed values are 2 or 3.  The default is 3.

     Version
             Is an alias for Ldap_Version.

     Bind_Policy
             Specifies the policy to use for reconnecting to an unavailable
             LDAP server.  There are two available values: “hard” and “soft”.
             “hard” has two aliases, “hard_open” and “hard_init”.  The value
             “hard” means that ssh-ldap-helper(8) tries to reconnect to the
             LDAP server 5 times before failing, with exponential backoff
             before each retry.  The value “soft” means that
             ssh-ldap-helper(8) fails immediately when it cannot connect to
             the LDAP server.  The default is “hard”.

     SSLPath
             Specifies the path to the X.509 certificate database.  There is
             no default.

     SSL     Specifies whether to use SSL/TLS or not.  There are three allowed
             values: “yes”, “no” and “start_tls”.  Both “true” and “on” are
             aliases for “yes”; “false” and “off” are aliases for “no”.  If
             “start_tls” is specified then StartTLS is used rather than raw
             LDAP over SSL.  The default for ldap:// is “start_tls”, for
             ldaps:// “yes” and for ldapi:// “no”.  In case of host based
             configuration the default is “start_tls”.

     Referrals
             Specifies if the client should automatically follow referrals
             returned by LDAP servers.  The value can be either “yes” or
             “no”.  “true” and “on” are aliases for “yes”; “false” and “off”
             are aliases for “no”.  The default is “yes”.

     Restart
             Specifies whether the LDAP client library should restart the
             select(2) system call when interrupted.  The value can be either
             “yes” or “no”.  “true” and “on” are aliases for “yes”; “false”
             and “off” are aliases for “no”.  The default is “yes”.

     TLS_CheckPeer
             Specifies what checks to perform on server certificates in a TLS
             session, if any.  The value can be specified as one of the
             following keywords: “never”, “hard”, “demand”, “allow” and
             “try”.  “true”, “on” and “yes” are aliases for “hard”; “false”,
             “off” and “no” are aliases for “never”.  The value “never” means
             that the client will not request or check any server
             certificate.  The value “allow” means that the server
             certificate is requested.  If no certificate is provided, the
             session proceeds normally.  If a bad certificate is provided, it
             will be ignored and the session proceeds normally.  The value
             “try” means that the server certificate is requested.  If no
             certificate is provided, the session proceeds normally.  If a
             bad certificate is provided, the session is immediately
             terminated.  The value “demand” means that the server
             certificate is requested.  If no certificate is provided, or a
             bad certificate is provided, the session is immediately
             terminated.  The value “hard” is the same as “demand”, but it
             additionally requires an SSL connection: over a plain connection
             the session is immediately terminated.  The default is “hard”.

     TLS_ReqCert
             Is an alias for TLS_CheckPeer.

     TLS_CACertFile
             Specifies the file that contains certificates for all of the
             Certificate Authorities the client will recognize.  There is no
             default.

     TLS_CACert
             Is an alias for TLS_CACertFile.

     TLS_CACertDir
             Specifies the path of a directory that contains Certificate
             Authority certificates in separate individual files.
             TLS_CACert is always used before TLS_CACertDir.  The specified
             directory must be managed with the OpenSSL c_rehash utility.
             There is no default.

     TLS_Ciphers
             Specifies acceptable cipher suites and their preference order.
             The value should be a cipher specification for OpenSSL, e.g.,
             “HIGH:MEDIUM:+SSLv2”.  The default is “ALL”.

     TLS_Cipher_Suite
             Is an alias for TLS_Ciphers.

     TLS_Cert
             Specifies the file that contains the client certificate.  There
             is no default.

     TLS_Certificate
             Is an alias for TLS_Cert.

     TLS_Key
             Specifies the file that contains the private key that matches
             the certificate stored in the TLS_Cert file.  Currently, the
             private key must not be protected with a password, so it is of
             critical importance that the key file is protected carefully.
             There is no default.

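     The SSL, TLS_CheckPeer and TLS_Ciphers keywords above interact through
     their per-scheme defaults; the following added example (not OpenSSH
     code) resolves the effective values from a dict of lowercased keywords,
     as a parser of this file would produce, and lists the combinations a
     configuration review would flag.  The finding texts are this example's
     own wording.

```python
from typing import Dict, List

YES = {"yes", "true", "on"}
NO = {"no", "false", "off"}

def first_scheme(conf: Dict[str, str]) -> str:
    """Scheme of the first URI, or 'host' for Host-based configuration."""
    uris = conf.get("uri", "").split()
    return uris[0].split("://", 1)[0].lower() if uris else "host"

def effective_ssl(conf: Dict[str, str]) -> str:
    """Resolve SSL: explicit value, else the per-scheme default from the
    text (ldap:// and Host: start_tls, ldaps://: yes, ldapi://: no)."""
    val = conf.get("ssl", "").lower()
    if val in YES:
        return "yes"
    if val in NO:
        return "no"
    if val == "start_tls":
        return "start_tls"
    return {"ldaps": "yes", "ldapi": "no"}.get(first_scheme(conf), "start_tls")

def effective_checkpeer(conf: Dict[str, str]) -> str:
    """Resolve TLS_CheckPeer (alias TLS_ReqCert); the default is hard."""
    val = conf.get("tls_checkpeer", conf.get("tls_reqcert", "hard")).lower()
    if val in YES:
        return "hard"
    if val in NO:
        return "never"
    return val

def audit(conf: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise for this configuration."""
    findings: List[str] = []
    ssl, peer = effective_ssl(conf), effective_checkpeer(conf)
    plain = ssl == "no" and first_scheme(conf) != "ldapi"   # clear text on the wire
    if plain:
        findings.append("SSL=no: BindPW and key lookups cross the network unprotected")
    if plain and peer == "hard":
        findings.append("TLS_CheckPeer=hard needs SSL; every plain session is terminated")
    if peer in ("never", "allow"):
        findings.append(f"TLS_CheckPeer={peer}: server certificate is not verified")
    if peer == "try":
        findings.append("TLS_CheckPeer=try: a server sending no certificate is accepted")
    ciphers = conf.get("tls_ciphers", conf.get("tls_cipher_suite", "ALL"))
    if ciphers.upper() == "ALL" or "SSLV2" in ciphers.upper():
        findings.append(f"TLS_Ciphers={ciphers}: legacy suites allowed; set an explicit list")
    return findings
```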
     TLS_RandFile
             Specifies the file to obtain random bits from when /dev/[u]random
             is not available.  Generally set to the name of the EGD/PRNGD
             socket.  The environment variable RANDFILE can also be used to
             specify the filename.  There is no default.

     LogDir  Specifies the directory used for logging by the LDAP client
             library.  There is no default.

     Debug   Specifies the debug level used for logging by the LDAP client
             library.  There is no default.

     SSH_Filter
             Specifies the user filter applied on the LDAP search.  The
             default is no filter.

     AccountClass
             Specifies the LDAP object class used to find user accounts.
             The default is posixAccount.

     search_format
             Specifies the format of the LDAP search string, substituting %u
             with the user name and %f with the optional additional SSH
             filter SSH_Filter.  The default value is
             (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)

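     An added example (not ssh-ldap-helper's code) of expanding
     search_format as described: %u is the user name, %f the SSH_Filter
     fragment, and %c is assumed to be AccountClass, which the text does not
     spell out.  Because the user name comes from the login attempt, this
     example escapes it per RFC 4515 before substitution; whether the helper
     itself does so is not stated on this page.

```python
DEFAULT_SEARCH_FORMAT = "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"

# RFC 4515 escapes for the characters that carry meaning inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(user: str, account_class: str = "posixAccount",
                        ssh_filter: str = "",
                        fmt: str = DEFAULT_SEARCH_FORMAT) -> str:
    """Expand search_format.

    %u -> the user name, escaped (untrusted input from the login attempt)
    %c -> AccountClass (assumption: the page does not name the token),
          administrator-controlled, inserted verbatim
    %f -> SSH_Filter, itself a filter fragment, inserted verbatim
    Tokens are expanded in one left-to-right pass, so a '%' that arrives
    inside the user name is never re-expanded.
    """
    repl = {"u": escape_filter_value(user), "c": account_class, "f": ssh_filter}
    out = []
    i = 0
    while i < len(fmt):
        if fmt[i] == "%" and fmt[i + 1:i + 2] in repl:
            out.append(repl[fmt[i + 1]])
            i += 2
            continue
        out.append(fmt[i])
        i += 1
    return "".join(out)

if __name__ == "__main__":
    print(build_search_filter("alice"))
    print(build_search_filter("bob", ssh_filter="(sshPublicKey=*)"))
    # A login name carrying filter metacharacters stays a literal value:
    print(build_search_filter("*)(uid=*"))
```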
FILES
     /etc/ssh/ldap.conf
             LDAP configuration file for ssh-ldap-helper(8).

SEE ALSO
     ldap.conf(5), ssh-ldap-helper(8)

HISTORY
     ssh-ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP.

AUTHORS
     Jan F. Chadima <jchadima@redhat.com>

BSD                              June 20, 2019                              BSD