SSH-LDAP.CONF(5) | File Formats Manual | SSH-LDAP.CONF(5) |
NAME¶
ssh-ldap.conf
—
configuration file for ssh-ldap-helper
SYNOPSIS¶
/etc/ssh/ldap.conf |
DESCRIPTION¶
ssh-ldap-helper(8) reads configuration data from
/etc/ssh/ldap.conf (or the file specified with
-f
on the command line). The file contains
keyword-argument pairs, one per line. Lines starting with
‘#
’ and empty lines are interpreted as
comments.
The value starts with the first non-blank character after the keyword's name, and terminates at the end of the line, or at the last sequence of blanks before the end of the line. Quoting values that contain blanks may be incorrect, as the quotes would become part of the value. The possible keywords and their meanings are as follows (note that keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
URI
- The argument(s) are in the form ldap[si]://[name[:port]] and specify the URI(s) of an LDAP server(s) to which the ssh-ldap-helper(8) should connect. The URI scheme may be any of “ldap”, “ldaps” or “ldapi”, which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP over IPC (UNIX domain sockets), respectively. Each server's name can be specified as a domain-style name or an IP address literal. Optionally, the server's name can followed by a ':' and the port number the LDAP server is listening on. If no port number is provided, the default port for the scheme is used (389 for ldap://, 636 for ldaps://). For LDAP over IPC, name is the name of the socket, and no port is required, nor allowed; note that directory separators must be URL-encoded, like any other characters that are special to URLs; A space separated list of URIs may be provided. There is no default.
Base
- Specifies the default base Distinguished Name (DN) to use when performing ldap operations. The base must be specified as a DN in LDAP format. There is no default.
BindDN
- Specifies the default BIND DN to use when connecting to the ldap server. The bind DN must be specified as a Distinguished Name in LDAP format. There is no default.
BindPW
- Specifies the default password to use when connecting to the ldap server
via
BindDN
. There is no default. RootBindDN
- Intentionaly does nothing. Recognized for compatibility reasons.
Host
- The argument(s) specifies the name(s) of an LDAP server(s) to which the
ssh-ldap-helper(8) should connect. Each server's name
can be specified as a domain-style name or an IP address and optionally
followed by a ':' and the port number the ldap server is listening on. A
space-separated list of hosts may be provided. There is no default.
Host
is deprecated in favor ofURI
. Port
- Specifies the default port used when connecting to LDAP servers(s). The
port may be specified as a number. The default port is 389 for ldap:// or
636 for ldaps:// respectively.
Port
is deprecated in favor ofURI
. Scope
- Specifies the starting point of an LDAP search and the depth from the base
DN to which the search should descend. There are three options (values)
that can be assigned to the
Scope parameter:
“base”, “one” and “subtree”. Alias for the subtree is “sub”. The value “base” is used to indicate searching only the entry at the base DN, resulting in only that entry being returned (keeping in mind that it also has to meet the search filter criteria!). The value “one” is used to indicate searching all entries one level under the base DN, but not including the base DN and not including any entries under that one level under the base DN. The value “subtree” is used to indicate searching of all entries at all levels under and including the specified base DN. The default is “subtree”. Deref
- Specifies how alias dereferencing is done when performing a search. There
are four possible values that can be assigned to the
Deref
parameter: “never”, “searching”, “finding”, and “always”. The value “never” means that the aliases are never dereferenced. The value “searching” means that the aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search. The value “finding” means that the aliases are only dereferenced when locating the base object of the search. The value “always” means that the aliases are dereferenced both in searching and in locating the base object of the search. The default is “never”. TimeLimit
- Specifies a time limit (in seconds) to use when performing searches. The
number should be a non-negative integer. A
TimeLimit
of zero (0) specifies that the search time is unlimited. Please note that the server may still apply any server-side limit on the duration of a search operation. The default value is 10. TimeOut
- Is an aliast to
TimeLimit
. Bind_TimeLimit
- Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. The default value is 10.
Network_TimeOut
- Is an alias to
Bind_TimeLimit
. Ldap_Version
- Specifies what version of the LDAP protocol should be used. The allowed values are 2 or 3. The default is 3.
Version
- Is an alias to
Ldap_Version
. Bind_Policy
- Specifies the policy to use for reconnecting to an unavailable LDAP server. There are 2 available values: “hard” and “soft.” “hard has 2 aliases” “hard_open” and “hard_init”. The value “hard” means that reconects that the ssh-ldap-helper(8) tries to reconnect to the LDAP server 5 times before failure. There is exponential backoff before retrying. The value “soft” means that ssh-ldap-helper(8) fails immediately when it cannot connect to the LDAP seerver. The deault is “hard”.
SSLPath
- Specifies the path to the X.509 certificate database. There is no default.
SSL
- Specifies whether to use SSL/TLS or not. There are three allowed values: “yes”, “no” and “start_tls” Both “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. If “start_tls” is specified then StartTLS is used rather than raw LDAP over SSL. The default for ldap:// is “start_tls”, for ldaps:// “yes” and “no” for the ldapi:// . In case of host based configuration the default is “start_tls”.
Referrals
- Specifies if the client should automatically follow referrals returned by LDAP servers. The value can be or “yes” or “no”. “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. The default is yes.
Restart
- Specifies whether the LDAP client library should restart the select(2) system call when interrupted. The value can be or “yes” or “no”. “true” and “on” are the aliases for “yes”. “false” and “off” are the aliases for “no”. The default is yes.
TLS_CheckPeer
- Specifies what checks to perform on server certificates in a TLS session, if any. The value can be specified as one of the following keywords: “never”, “hard”, “demand”, “allow” and “try”. “true”, “on” and “yes” are aliases for “hard”. “false”, “off” and “no” are the aliases for “never”. The value “never” means that the client will not request or check any server certificate. The value “allow” means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally. The value “try” means that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated. The value “demand” means that the server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. The value “hard” is the same as “demand”. It requires an SSL connection. In the case of the plain conection the session is immediately terminated. The default is “hard”.
TLS_ReqCert
- Is an alias for
TLS_CheckPeer
. TLS_CACertFile
- Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize. There is no default.
TLS_CACert
- Is an alias for
TLS_CACertFile
. TLS_CACertDIR
- Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. The
TLS_CACert
is always used beforeTLS_CACertDir
. The specified directory must be managed with the OpenSSL c_rehash utility. There is no default. TLS_Ciphers
- Specifies acceptable cipher suite and preference order. The value should be a cipher specification for OpenSSL, e.g., “HIGH:MEDIUM:+SSLv2”. The default is “ALL”.
TLS_Cipher_Suite
- Is an alias for
TLS_Ciphers
. TLS_Cert
- Specifies the file that contains the client certificate. There is no default.
TLS_Certificate
- Is an alias for
TLS_Cert
. TLS_Key
- Specifies the file that contains the private key that matches the
certificate stored in the
TLS_Cert
file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. There is no default. TLS_RandFile
- Specifies the file to obtain random bits from when /dev/[u]random is not available. Generally set to the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. There is no default.
LogDir
- Specifies the directory used for logging by the LDAP client library. There is no default.
Debug
- Specifies the debug level used for logging by the LDAP client library. There is no default.
SSH_Filter
- Specifies the user filter applied on the LDAP search. The default is no filter.
AccountClass
- Specifies the LDAP class used to find user accounts. The default is posixAccount.
search_format
- Specifies the user format of search string in LDAP substituting %u for
user name and %f for additional ssh filter
SSH_Filter
(optional). The default value is (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
FILES¶
- /etc/ssh/ldap.conf
- Ldap configuration file for ssh-ldap-helper(8).
SEE ALSO¶
HISTORY¶
ssh-ldap.conf
first appeared in OpenSSH
5.5 + PKA-LDAP .
AUTHORS¶
Jan F. Chadima ⟨jchadima@redhat.com⟩
May 12, 2010 | Linux 5.14.0-427.18.1.el9_4.x86_64 |