SSH-LDAP.CONF(5) BSD File Formats Manual SSH-LDAP.CONF(5)
NAME
ssh-ldap.conf — configuration file for ssh-ldap-helper
SYNOPSIS
/etc/ssh/ldap.conf
DESCRIPTION
ssh-ldap-helper(8) reads configuration data from /etc/ssh/ldap.conf (or
the file specified with -f on the command line). The file contains
keyword-argument pairs, one per line. Lines starting with ‘#’ and empty
lines are interpreted as comments.
The value starts with the first non-blank character after the keyword's
name, and terminates at the end of the line, or at the last sequence of
blanks before the end of the line. Quoting values that contain blanks
may be incorrect, as the quotes would become part of the value. The
possible keywords and their meanings are as follows (note that keywords
are case-insensitive, and arguments, on a case by case basis, may be
case-sensitive).
URI The argument(s) are in the form ldap[si]://[name[:port]] and
specify the URI(s) of the LDAP server(s) to which
ssh-ldap-helper(8) should connect. The URI scheme may be any of
“ldap”, “ldaps” or “ldapi”, which refer to LDAP over TCP, LDAP
over SSL (TLS) and LDAP over IPC (UNIX domain sockets),
respectively. Each server's name can be specified as a
domain-style name or an IP address literal. Optionally, the
server's name can be followed by a ':' and the port number the
LDAP server is listening on. If no port number is provided, the
default port for the scheme is used (389 for ldap://, 636 for
ldaps://). For LDAP over IPC, name is the name of the socket, and
no port is required, nor allowed; note that directory separators
must be URL-encoded, like any other characters that are special
to URLs. A space-separated list of URIs may be provided. There is
no default.
Base Specifies the default base Distinguished Name (DN) to use when
performing ldap operations. The base must be specified as a DN
in LDAP format. There is no default.
BindDN Specifies the default BIND DN to use when connecting to the ldap
server. The bind DN must be specified as a Distinguished Name in
LDAP format. There is no default.
BindPW Specifies the default password to use when connecting to the ldap
server via BindDN. There is no default.
RootBindDN
Intentionally does nothing. Recognized for compatibility reasons.
Host The argument(s) specify the name(s) of the LDAP server(s) to
which ssh-ldap-helper(8) should connect. Each server's name
can be specified as a domain-style name or an IP address and
optionally followed by a ':' and the port number the ldap server
is listening on. A space-separated list of hosts may be
provided. There is no default. Host is deprecated in favor of URI.
Port Specifies the default port used when connecting to LDAP
server(s). The port may be specified as a number. The default
port is 389 for ldap:// or 636 for ldaps:// respectively. Port
is deprecated in favor of URI.
Scope Specifies the starting point of an LDAP search and the depth from
the base DN to which the search should descend. There are three
options (values) that can be assigned to the Scope parameter:
“base”, “one” and “subtree”. Alias for the subtree is “sub”.
The value “base” is used to indicate searching only the entry at
the base DN, resulting in only that entry being returned (keeping
in mind that it also has to meet the search filter criteria!).
The value “one” is used to indicate searching all entries one
level under the base DN, but not including the base DN and not
including any entries under that one level under the base DN.
The value “subtree” is used to indicate searching of all entries
at all levels under and including the specified base DN. The
default is “subtree”.
Deref Specifies how alias dereferencing is done when performing a
search. There are four possible values that can be assigned to
the Deref parameter: “never”, “searching”, “finding”, and
“always”. The value “never” means that the aliases are never
dereferenced. The value “searching” means that the aliases are
dereferenced in subordinates of the base object, but not in
locating the base object of the search. The value “finding”
means that the aliases are only dereferenced when locating the
base object of the search. The value “always” means that the
aliases are dereferenced both in searching and in locating the
base object of the search. The default is “never”.
TimeLimit
Specifies a time limit (in seconds) to use when performing
searches. The number should be a non-negative integer. A
TimeLimit of zero (0) specifies that the search time is
unlimited. Please note that the server may still apply any
server-side limit on the duration of a search operation. The
default value is 10.
TimeOut
Is an alias to TimeLimit.
Bind_TimeLimit
Specifies the timeout (in seconds) after which the
poll(2)/select(2) following a connect(2) returns in case of no
activity. The default value is 10.
Network_TimeOut
Is an alias to Bind_TimeLimit.
Ldap_Version
Specifies what version of the LDAP protocol should be used. The
allowed values are 2 or 3. The default is 3.
Version
Is an alias to Ldap_Version.
Bind_Policy
Specifies the policy to use for reconnecting to an unavailable
LDAP server. There are 2 available values: “hard” and “soft”.
“hard” has 2 aliases: “hard_open” and “hard_init”. The value
“hard” means that ssh-ldap-helper(8) tries to reconnect to the
LDAP server 5 times before failure, with exponential backoff
before each retry. The value “soft” means that ssh-ldap-helper(8)
fails immediately when it cannot connect to the LDAP server. The
default is “hard”.
SSLPath
Specifies the path to the X.509 certificate database. There is
no default.
SSL Specifies whether to use SSL/TLS or not. There are three allowed
values: “yes”, “no” and “start_tls”. Both “true” and “on” are
aliases for “yes”; “false” and “off” are aliases for “no”.
If “start_tls” is specified then StartTLS is used rather than raw
LDAP over SSL. The default is “start_tls” for ldap://, “yes” for
ldaps:// and “no” for ldapi://. In case of host-based
configuration the default is “start_tls”.
Referrals
Specifies if the client should automatically follow referrals
returned by LDAP servers. The value can be either “yes” or “no”.
“true” and “on” are the aliases for “yes”. “false” and “off” are
the aliases for “no”. The default is yes.
Restart
Specifies whether the LDAP client library should restart the
select(2) system call when interrupted. The value can be either
“yes” or “no”. “true” and “on” are the aliases for “yes”.
“false” and “off” are the aliases for “no”. The default is yes.
TLS_CheckPeer
Specifies what checks to perform on server certificates in a TLS
session, if any. The value can be specified as one of the
following keywords: “never”, “hard”, “demand”, “allow” and “try”.
“true”, “on” and “yes” are aliases for “hard”. “false”, “off”
and “no” are the aliases for “never”. The value “never” means
that the client will not request or check any server certificate.
The value “allow” means that the server certificate is requested.
If no certificate is provided, the session proceeds normally. If
a bad certificate is provided, it will be ignored and the session
proceeds normally. The value “try” means that the server
certificate is requested. If no certificate is provided, the
session proceeds normally. If a bad certificate is provided, the
session is immediately terminated. The value “demand” means that
the server certificate is requested. If no certificate is
provided, or a bad certificate is provided, the session is
immediately terminated. The value “hard” is the same as “demand”.
It requires an SSL connection. In the case of a plain connection
the session is immediately terminated. The default is “hard”.
TLS_ReqCert
Is an alias for TLS_CheckPeer.
TLS_CACertFile
Specifies the file that contains certificates for all of the
Certificate Authorities the client will recognize. There is no
default.
TLS_CACert
Is an alias for TLS_CACertFile.
TLS_CACertDIR
Specifies the path of a directory that contains Certificate
Authority certificates in separate individual files. The
TLS_CACert is always used before TLS_CACertDir. The specified
directory must be managed with the OpenSSL c_rehash utility.
There is no default.
TLS_Ciphers
Specifies acceptable cipher suite and preference order. The
value should be a cipher specification for OpenSSL, e.g.,
“HIGH:MEDIUM:+SSLv2”. The default is “ALL”.
TLS_Cipher_Suite
Is an alias for TLS_Ciphers.
TLS_Cert
Specifies the file that contains the client certificate. There
is no default.
TLS_Certificate
Is an alias for TLS_Cert.
TLS_Key
Specifies the file that contains the private key that matches the
certificate stored in the TLS_Cert file. Currently, the private
key must not be protected with a password, so it is of critical
importance that the key file is protected carefully. There is no
default.
TLS_RandFile
Specifies the file to obtain random bits from when /dev/[u]random
is not available. Generally set to the name of the EGD/PRNGD
socket. The environment variable RANDFILE can also be used to
specify the filename. There is no default.
LogDir Specifies the directory used for logging by the LDAP client
library. There is no default.
Debug Specifies the debug level used for logging by the LDAP client
library. There is no default.
SSH_Filter
Specifies the user filter applied on the LDAP search. The default
is no filter.
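As an added example (not code from OpenSSH or ssh-ldap-helper), the following Python script parses a file in the keyword-argument format described above, resolves the aliases listed for the timeout and TLS keywords, applies the documented SSL default per URI scheme, and flags settings that leave BindPW or the server certificate unprotected. The hostnames, password and CA path in the two embedded sample configurations are constructed, not taken from any real deployment.

```python
# Aliases listed in the keyword descriptions above, mapped to the canonical keyword.
ALIASES = {"timeout": "timelimit", "network_timeout": "bind_timelimit", "version": "ldap_version",
           "tls_reqcert": "tls_checkpeer", "tls_cacert": "tls_cacertfile",
           "tls_cipher_suite": "tls_ciphers", "tls_certificate": "tls_cert"}
# TLS_CheckPeer aliases: true/on/yes mean hard, false/off/no mean never.
PEER = {"true": "hard", "on": "hard", "yes": "hard", "false": "never", "off": "never", "no": "never"}

def parse_ldap_conf(text):
    """'#' and blank lines are comments; keywords are case-insensitive; the value runs from the
    first non-blank after the keyword to the last non-blank on the line; quotes are NOT stripped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        conf[ALIASES.get(key, key)] = parts[1] if len(parts) > 1 else ""
    return conf

def effective_ssl(conf):
    """Documented default: start_tls for ldap:// and Host-based setups, yes for ldaps://, no for ldapi://."""
    if "ssl" in conf:
        return {"true": "yes", "on": "yes", "false": "no", "off": "no"}.get(conf["ssl"].lower(), conf["ssl"].lower())
    scheme = conf.get("uri", "ldap").split()[0].split(":", 1)[0].lower()
    return {"ldaps": "yes", "ldapi": "no"}.get(scheme, "start_tls")

def audit(conf):
    """Findings for settings that expose the bind credentials or skip server verification."""
    findings, ssl = [], effective_ssl(conf)
    if ssl == "no" and not conf.get("uri", "").lower().startswith("ldapi"):
        findings.append("SSL no on a network transport: BindDN/BindPW sent in clear text")
    peer = conf.get("tls_checkpeer", "hard").lower()
    mode = PEER.get(peer, peer)
    if ssl != "no" and mode in ("never", "allow"):
        findings.append(f"TLS_CheckPeer {mode}: a bad or missing server certificate is accepted")
    if ssl != "no" and mode in ("try", "demand", "hard") and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("TLS_CheckPeer verifies certificates but no TLS_CACertFile/TLS_CACertDir is set")
    if '"' in conf.get("bindpw", ""):
        findings.append("BindPW contains quote characters; they are part of the password")
    return findings

# Constructed samples: a weak Host-based configuration and its hardened URI-based form.
WEAK = """Host ldap1.example.internal ldap2.example.internal
BindPW "s3cret pass"
TLS_ReqCert allow"""
HARDENED = """URI ldaps://ldap1.example.internal ldaps://ldap2.example.internal
BindPW s3cretpass
TLS_CheckPeer demand
TLS_CACertFile /etc/ssh/ldap-ca.pem
TLS_Ciphers HIGH"""
```

Running audit(parse_ldap_conf(WEAK)) reports the downgraded peer check and the quoted password, while the hardened form produces no findings.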
FILES
/etc/ssh/ldap.conf
Ldap configuration file for ssh-ldap-helper(8).
SEE ALSO
ldap.conf(5), ssh-ldap-helper(8)
HISTORY
ssh-ldap.conf first appeared in OpenSSH 5.5 + PKA-LDAP.
AUTHORS
Jan F. Chadima ⟨jchadima@redhat.com⟩
BSD June 5, 2024 BSD