Previous: Text Authentication Database, Up: Authentication [Contents][Index]
To configure an LDAP user database, first load the ‘ldap’ module (see LDAP module):
load-module ldap;
The URL of the database is: ‘ldap://host[:port]’, where host is the host name or IP address of the LDAP server, and optional port specifies the port number it is listening on (by default, port 389 is assumed).
The password-resource statement specifies the name of the attribute containing the password, and the group-resource statement supplies the name of the attribute with the group name.
Additional configuration data are supplied in the options statement, whose argument is a whitespace-separated list of assignments:

- base=dn: Sets base DN.
- Sets the DN to bind as.
- Sets the password.
- When set to ‘yes’, enables the use of TLS encryption.
- Sets OpenLDAP debug level.
- user-filter=filter: An LDAP filter to select the objects describing this user. Any occurrence of ‘$user’ in the filter is replaced with the actual user name, as obtained during authentication. This variable expansion works much the same way as in the shell: in particular, the variable is expanded only if it is not immediately followed by an alphanumeric character. For example, expansion occurs in:
(uid=$user)
and
(uid=$user.1)
But it does not occur in
(uid=$users)
If it is necessary to expand the variable in such a context, enclose its name in curly braces:
(uid=${user}s)
- group-filter=filter: An LDAP filter that selects the user groups. The filter is expanded as in user-filter.
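To make the expansion rule above concrete, here is an added Python model of it (example code, not code from the ldap module the page describes). The RFC 4515 escaping of the substituted user name is an added hardening assumption, not behaviour the page documents; it keeps special characters supplied at authentication time from changing the filter's structure.

```python
import re

# Expansion rule from the manual: "$user" is replaced only when it is not
# immediately followed by an alphanumeric character; "${user}" always is.
_VAR_RE = re.compile(r"\$\{user\}|\$user(?![A-Za-z0-9])")

# RFC 4515 escaping of the substituted value. Assumption added here for
# hardening; the page does not state whether the module escapes the name.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape characters that have structural meaning in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, escape: bool = True) -> str:
    """Replace $user / ${user} in template with the (escaped) user name.

    A function is used as the replacement so that backslashes produced by
    escaping are inserted literally rather than interpreted by re.sub.
    """
    value = escape_filter_value(user) if escape else user
    return _VAR_RE.sub(lambda _m: value, template)


if __name__ == "__main__":
    # Constructed user names; the templates are the ones from the manual.
    for tmpl in ("(uid=$user)", "(uid=$user.1)", "(uid=$users)", "(uid=${user}s)"):
        print(f"{tmpl:18} -> {expand_filter(tmpl, 'alice')}")
    # The page's group filter with a name containing a filter metacharacter:
    print(expand_filter("(&(objectClass=posixGroup)(memberuid=$user))", "smith*"))
```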
The following example shows an LDAP user database configured for base DN ‘example.com’ which uses ‘posixAccount’ and ‘posixGroup’ objects from ‘nis.schema’:
user-db "ldap://localhost" {
    password-resource userPassword;
    group-resource cn;
    options "user-filter=(uid=$user) "
            "group-filter=(&(objectClass=posixGroup)"
            "(memberuid=$user)) "
            "base=dc=example,dc=com";
}
A note on password usage is in order here. Most authentication methods require the passwords to be stored in the database in plain text form. Hashed passwords (e.g. MD5 or SHA1) can be used only with the ‘LOGIN’ and ‘PLAIN’ GSASL authentication methods.