ldap.conf - Configures the interface for authenticating end users via LDAP
/opt/pmx6/etc/enduser/auth.d/ldap.conf
The configuration directives are as follows:
ldap_server - The LDAP server(s) to connect to in order to authenticate users via LDAP. You can provide a list of hosts, each on its own line. If no ':port' is specified, port 389 is used by default.
Note: It is strongly advised that you specify two or more LDAP servers. This is done by separating the URLs with spaces, for example:
ldap://myhost1:389 ldap://myhost2:389 ldap://myhost3:389
To use an encrypted LDAPS connection, prefix the host:port with 'ldaps://' (see the example below). For LDAPS connections, port 636 is the default.
Example:
ldap_server = ldaps://localhost:636
Note that bind_dn is subject to variable substitution (see Variable Substitution below).
Example:
base_dn = "OU=Users,DC=mydomain,DC=com"
The base_dn is also subject to variable substitution (see Variable Substitution below).
Note that the filter is subject to variable substitution (see Variable Substitution below).
Examples:
(&(sAMAccountName=%%username%%)(mail=*))
(mail=%%username%%)
Some, but not all, of the configuration options in ldap.conf are subject to variable substitution, which inserts values into the configuration directives using a pre-defined %%name%% syntax. Refer to the individual ldap.conf options to see which of them support variable substitution.
The following variables are available for substitution (these are the two used in the examples on this page):
%%username%% - the username entered by the user on the login form
%%base_dn%% - the value of the base_dn directive
Examples:
(&(sAMAccountName=%%username%%)(mail=*))
(mail=%%username%%)
CN=%%username%%,%%base_dn%%
The following additional ldap.conf configuration options are recommended for use by advanced administrators only.
Enables debug logging to the error log. This option generates a significant amount of debugging information and is recommended for use during testing only.
Enables the 'User DN Discovery' phase of the LDAP Authenticator. When enabled, the LDAP Authenticator attempts to auto-discover the User DN, connecting to the LDAP server with the configured bind_dn/bind_password to perform this discovery. When disabled, the LDAP Authenticator authenticates directly by using bind_dn as the User DN, together with the password the user provided on the login form.
Specifies the index of the 'attribute_mail' LDAP attribute value that is returned as the primary email address for the user. Note that if the LDAP query returns fewer result items than this index requires, the authentication is considered to have failed.
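The following is an added example, not PureMessage or Sophos code, that models how the directives on this page fit together: parsing the key = value lines, expanding %%username%% and %%base_dn%% in the filter and in a bind_dn template, and selecting the primary email address by index. The security point it makes is that %%username%% comes from the login form, so a safe implementation escapes it for the context it is substituted into (RFC 4515 for filters, RFC 4514 for DNs); otherwise filter metacharacters in the username change the meaning of the search. The directive name mail_attribute_index (the page does not name that option), the 0-based index, and the sample configuration are all assumptions.

```python
"""Added example (not PureMessage or Sophos code): a model of the ldap.conf
directives described on the page. Assumptions not stated on the page: the
directive name 'mail_attribute_index' for the unnamed advanced option, and a
0-based index into the attribute's values."""
from typing import Dict, List, Optional

# Constructed sample of /opt/pmx6/etc/enduser/auth.d/ldap.conf (not a real file).
SAMPLE_CONF = """
# LDAP end-user authentication
ldap_server = ldaps://myhost1:636 ldaps://myhost2:636
base_dn = "OU=Users,DC=mydomain,DC=com"
bind_dn = "CN=%%username%%,%%base_dn%%"
filter = (&(sAMAccountName=%%username%%)(mail=*))
attribute_mail = mail
mail_attribute_index = 0
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; surrounding double quotes are stripped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values such as the filter contain '='
        conf[key.strip()] = value.strip().strip('"')
    return conf


# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514: these characters need a backslash when they appear in an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    out = out.replace("\x00", r"\00")
    if out.startswith(("#", " ")):   # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):            # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def substitute(template: str, username: str, base_dn: str, context: str) -> str:
    """Expand %%username%% and %%base_dn%% in a directive value.

    The username comes from the login form, so it is escaped for the target
    context ('filter' or 'dn'). base_dn comes from the config file and is
    inserted as-is because it is already a complete DN, not a single value."""
    if context == "filter":
        user = escape_filter_value(username)
    elif context == "dn":
        user = escape_dn_value(username)
    else:
        raise ValueError(f"unknown substitution context: {context}")
    return template.replace("%%username%%", user).replace("%%base_dn%%", base_dn)


def primary_mail(attrs: Dict[str, List[str]], conf: Dict[str, str]) -> Optional[str]:
    """Pick the value of attribute_mail at mail_attribute_index.

    Returns None (authentication failed) when the attribute has fewer values
    than the index requires, mirroring the rule described on the page."""
    index = int(conf.get("mail_attribute_index", "0"))
    values = attrs.get(conf["attribute_mail"], [])
    if index >= len(values):
        return None
    return values[index]


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_CONF)
    # A username containing filter metacharacters: raw substitution would
    # change the filter's structure; the 'filter' context makes it literal.
    odd_name = "*)(mail=*"
    print("raw:     ", conf["filter"].replace("%%username%%", odd_name))
    print("escaped: ", substitute(conf["filter"], odd_name, conf["base_dn"], "filter"))
    print("user DN: ", substitute(conf["bind_dn"], "Smith, John", conf["base_dn"], "dn"))
    print("mail:    ", primary_mail({"mail": ["jsmith@mydomain.com"]}, conf))
```

Running the block prints the raw and escaped forms of the filter side by side, which is the check worth making when reviewing any deployment that builds filters from %%username%%: the escaped form keeps the user-supplied text inside a single assertion value.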
Copyright (C) 2000-2008 Sophos Group. All rights reserved. Sophos and PureMessage are trademarks of Sophos Plc and Sophos Group.