Section: File Formats (5)
If the environment variable LDAPNOINIT is defined, all defaulting is disabled.
The ldap.conf configuration file is used to set system-wide defaults to be applied when running ldap clients.
Users may create an optional configuration file, ldaprc or .ldaprc, in their home directory which will be used to override the system-wide defaults file. The file ldaprc in the current working directory is also used.
Additional configuration files can be specified using the LDAPCONF and LDAPRC environment variables. LDAPCONF may be set to the path of a configuration file. This path can be absolute or relative to the current working directory. The LDAPRC, if defined, should be the basename of a file in the current working directory or in the user's home directory.
Environmental variables may also be used to augment the file based defaults. The name of the variable is the option name with an added prefix of LDAP. For example, to define BASE via the environment, set the variable LDAPBASE to the desired value.
Some options are user-only. Such options are ignored if present in the ldap.conf (or file specified by LDAPCONF).
Thus the following files and variables are read, in order:
variable $LDAPNOINIT, and if that is not set: system file /etc/ldap/ldap.conf, user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, system file $LDAPCONF, user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, variables $LDAP<uppercase option name>.
The configuration options are case-insensitive; their value, on a case by case basis, may be case-sensitive.
Blank lines are ignored.
Lines beginning with a hash mark (`#') are comments, and ignored.
Valid lines are made of an option's name (a sequence of non-blanks, conventionally written in uppercase, although not required), followed by a value. The value starts with the first non-blank character after the option's name, and terminates at the end of the line, or at the last sequence of blanks before the end of the line. The tokenization of the value, if any, is delegated to the handler(s) for that option, if any. Quoting values that contain blanks may be incorrect, as the quotes would become part of the value. For example,
# Wrong - erroneous quotes: URI "ldap:// ldaps://" # Right - space-separated list of URIs, without quotes: URI ldap:// ldaps:// # Right - DN syntax needs quoting for Example, Inc: BASE ou=IT staff,o="Example, Inc",c=US # or: BASE ou=IT staff,o=Example2C Inc,c=US # Wrong - comment on same line as option: DEREF never # Never follow aliases
A line cannot be longer than LINE_MAX, which should be more than 2000 bytes on all platforms. There is no mechanism to split a long line on multiple lines, either for beautification or to overcome the above limit.
The different configuration options are:
must be specified as
A space separated list of URIs may be provided.
If OpenLDAP is built with Simple Authentication and Security Layer support, there are more options you can specify.
If OpenLDAP is built with Generic Security Services Application Programming Interface support, there are more options you can specify.
If OpenLDAP is built with Transport Layer Security support, there are more options you can specify. These options are used when an ldaps:// URI is selected (by default or otherwise) or when the application negotiates TLS by issuing the LDAP StartTLS operation.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key database. If <path> contains a Mozilla NSS cert/key database and CA cert files, OpenLDAP will use the cert/key database and will ignore the CA cert files.
When using Mozilla NSS, if using a cert/key database (specified with TLS_CACERTDIR), TLS_CERT specifies the name of the certificate to use:
TLS_CERT Certificate for Sam Carter
If using a token other than the internal built in token, specify the token name first, followed by a colon:
TLS_CERT my hardware device:Certificate for Sam Carter
Use certutil -L to list the certificates by name:
certutil -d /path/to/certdbdir -L:
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains the password for the key for the certificate specified with TLS_CERT. The modutil command can be used to turn off password protection for the cert/key database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as the location of the cert/key database, use modutil to change the password to the empty string:
modutil -dbdir ~/.moznss -changepw 'NSS Certificate DB'
You must have the old password, if any. Ignore the WARNING about the running browser. Press 'Enter' for the new password.:
To check what ciphers a given spec selects in OpenSSL, use:
openssl ciphers -v <cipher-suite-spec>
In older versions of GnuTLS, where gnutls-cli does not support the option --priority, you can obtain the --- more limited --- list of ciphers by calling:
When using Mozilla NSS, the OpenSSL cipher suite specifications are used and translated into the format used internally by Mozilla NSS. There isn't an easy way to list the cipher suites from the command line. The authoritative list is in the source code for Mozilla NSS in the file sslinfo.c in the structure
static const SSLCipherSuiteInfo suiteInfo:
would require TLS 1.1. Specifying a minimum that is higher than that supported by the OpenLDAP implementation will result in it requiring the highest level that it does support. This parameter is ignored with GnuTLS.
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived from University of Michigan LDAP 3.3 Release.
Tutoriais de Tecnologia Web