Scroll to navigation

SSH-LDAP.CONF(5) File Formats Manual SSH-LDAP.CONF(5)

NAME

ssh-ldap.confconfiguration file for ssh-ldap-helper

SYNOPSIS

/etc/ssh/ldap.conf

DESCRIPTION

ssh-ldap-helper(8) reads configuration data from /etc/ssh/ldap.conf (or the file specified with -f on the command line). The file contains keyword-argument pairs, one per line. Lines starting with ‘#’ and empty lines are interpreted as comments.

The value starts with the first non-blank character after the keyword's name, and terminates at the end of the line, or at the last sequence of blanks before the end of the line. Quoting values that contain blanks may be incorrect, as the quotes would become part of the value. The possible keywords and their meanings are as follows (note that keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).

The argument(s) are in the form ldap[si]://[name[:port]] and specify the URI(s) of an LDAP server(s) to which the ssh-ldap-helper(8) should connect. The URI scheme may be any of “ldap”, “ldaps” or “ldapi”, which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP over IPC (UNIX domain sockets), respectively. Each server's name can be specified as a domain-style name or an IP address literal. Optionally, the server's name can followed by a ':' and the port number the LDAP server is listening on. If no port number is provided, the default port for the scheme is used (389 for ldap://, 636 for ldaps://). For LDAP over IPC, name is the name of the socket, and no port is required, nor allowed; note that directory separators must be URL-encoded, like any other characters that are special to URLs; A space separated list of URIs may be provided. There is no default.
Specifies the default base Distinguished Name (DN) to use when performing ldap operations. The base must be specified as a DN in LDAP format. There is no default.
Specifies the default BIND DN to use when connecting to the ldap server. The bind DN must be specified as a Distinguished Name in LDAP format. There is no default.
Specifies the default password to use when connecting to the ldap server via BindDN. There is no default.
Intentionally does nothing. Recognized for compatibility reasons.
The argument(s) specifies the name(s) of an LDAP server(s) to which the ssh-ldap-helper(8) should connect. Each server's name can be specified as a domain-style name or an IP address and optionally followed by a ':' and the port number the ldap server is listening on. A space-separated list of hosts may be provided. There is no default. Host is deprecated in favor of URI.
Specifies the default port used when connecting to LDAP servers(s). The port may be specified as a number. The default port is 389 for ldap:// or 636 for ldaps:// respectively. Port is deprecated in favor of URI.
Specifies the starting point of an LDAP search and the depth from the base DN to which the search should descend. There are three options (values) that can be assigned to the Scope parameter: “base”, “one” and “subtree”. Alias for the subtree is “sub”. The value “base” is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!). The value “one” is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN. The value “subtree” is used to indicate searching of all entries at all levels under and including the specified base DN. The default is “subtree”.
Specifies how alias dereferencing is done when performing a search. There are four possible values that can be assigned to the Deref parameter: “never”, “searching”, “finding”, and “always”. The value “never” means that the aliases are never dereferenced. The value “searching” means that the aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search. The value “finding” means that the aliases are only dereferenced when locating the base object of the search. The value “always” means that the aliases are dereferenced both in searching and in locating the base object of the search. The default is “never”.
Specifies a time limit (in seconds) to use when performing searches. The number should be a non-negative integer. A TimeLimit of zero (0) specifies that the search time is unlimited. Please note that the server may still apply any server-side limit on the duration of a search operation. The default value is 10.
Is an aliast to TimeLimit.
Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. The default value is 10.
Is an alias to Bind_TimeLimit.
Specifies what version of the LDAP protocol should be used. The allowed values are 2 or 3. The default is 3.
Is an alias to Ldap_Version.
Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values: “hard” and “soft.” “hard has 2 aliases” “hard_open” and “hard_init”. The value “hard” means that reconnects that the ssh-ldap-helper(8) tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying. The value “soft” means that ssh-ldap-helper(8) fails immediately when it cannot connect to the LDAP server. The default is “hard”.
Specifies the path to the X.509 certificate database. There is no default.
Specifies whether to use SSL/TLS or not. There are three allowed values: “yes”, “no” and “start_tls” Both “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. If “start_tls” is specified then StartTLS is used rather than raw LDAP over SSL. The default for ldap:// is “start_tls”, for ldaps:// “yes” and “no” for the ldapi:// . In case of host based configuration the default is “start_tls”.
Specifies if the client should automatically follow referrals returned by LDAP servers. The value can be or “yes” or “no”. “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. The default is yes.
Specifies whether the LDAP client library should restart the select(2) system call when interrupted. The value can be or “yes” or “no”. “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. The default is yes.
Specifies what checks to perform on server certificates in a TLS session, if any. The value can be specified as one of the following keywords: “never”, “hard”, “demand”, “allow” and “try”. “true”, “on” and “yes” are aliases for “hard”. “false”, “off” and “no” are the aliases for “never”. The value “never” means that the client will not request or check any server certificate. The value “allow” means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. The value “try” means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. The value “demand” means that the server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. The value “hard” is the same as “demand”. It requires an SSL connection. In the case of the plain connection the session is immediately terminated. The default is “hard”.
Is an alias for TLS_CheckPeer.
Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize. There is no default.
Is an alias for TLS_CACertFile.
Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. The TLS_CACert is always used before TLS_CACertDir. The specified directory must be managed with the OpenSSL c_rehash utility. There is no default.
Specifies acceptable cipher suite and preference order. The value should be a cipher specification for OpenSSL, e.g., “HIGH:MEDIUM:+SSLv2”. The default is “ALL”.
Is an alias for TLS_Ciphers.
Specifies the file that contains the client certificate. There is no default.
Is an alias for TLS_Cert.
Specifies the file that contains the private key that matches the certificate stored in the TLS_Cert file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. There is no default.
Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. There is no default.
Specifies the directory used for logging by the LDAP client library. There is no default.
Specifies the debug level used for logging by the LDAP client library. There is no default.
Specifies the user filter applied on the LDAP search. The default is no filter.
Specifies the user format of search string in LDAP substituting %u for user name and %f for additional ssh filter SSH_Filter (optional). The default value is (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)

FILES

/etc/ssh/ldap.conf
Ldap configuration file for ssh-ldap-helper(8).

SEE ALSO

ldap.conf(5), ssh-ldap-helper(8)

HISTORY

ssh-ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP .

AUTHORS

Jan F. Chadima ⟨jchadima@redhat.com⟩

May 12, 2010 Linux 5.14.0-427.18.1.el9_4.x86_64