Pwcheck
=======
Auxprop
-------
Auxprop-hashed
--------------
Saslauthd
---------
**What is saslauthd?** saslauthd is a daemon which validates
``ldap_servers`` - ``ldap://localhost``
Specify a space separated list of LDAP server URIs of the form **ldap[si]://[name[:port]]**. See the ``ldap.conf`` *URI* option for formatting details.
``ldap_bind_dn`` - none
When simple authentication is desired, specify a distinguished name to use for a simple authenticated bind or a simple unauthenticated bind. Do not specify if an anonymous bind is desired. This option is ignored when the evaluated ``ldap_auth_method`` is ``fastbind``.
``ldap_bind_pw`` - none
``ldap_bind_pw`` is an alias for ``ldap_password``.
``ldap_password`` - none
When simple authentication is desired, specify a password to perform an authenticated bind, or do not specify for an unauthenticated or anonymous bind. When SASL authentication is desired, specify a password to use where required by the underlying SASL mechanism. This option is ignored when the evaluated ``ldap_auth_method`` is ``fastbind``.
``ldap_version`` - 3
Defaults to version *3*. If ``ldap_use_sasl`` or ``ldap_start_tls`` is enabled, this option is ignored and version *3* is used, because SASL binds and StartTLS are LDAPv3 operations. Version *3* **is** compatible with anonymous binds, simple authenticated binds and simple unauthenticated binds. Version *2* should only be used where the server requires it.
``ldap_search_base`` - none
When ``ldap_auth_method`` is evaluated as *bind*, ``ldap_search_base`` will be used to search for the user's distinguished name. When ``ldap_auth_method`` is *custom*, ``ldap_search_base`` will be used to find the user's ``ldap_password_attr`` attribute. When ``ldap_auth_method`` is evaluated as *fastbind*, ``ldap_search_base`` is ignored. If ``ldap_search_base`` contains substitution tokens, they will be replaced as specified in the ``ldap_filter`` token expansion rules.
``ldap_filter`` - uid=%u
When ``ldap_auth_method`` is evaluated as *bind*, ``ldap_filter`` will be used to search for the user's distinguished name. When ``ldap_auth_method`` is *custom*, ``ldap_filter`` will become, after token expansion, the user's distinguished name. When ``ldap_auth_method`` is evaluated as *fastbind*, ``ldap_filter`` is ignored.
The following tokens, when contained within the ``ldap_filter`` option, will be substituted with the specified values:
``%%``
is replaced with a literal %.
``%u``
is replaced with the userid to be authenticated.
``%U``
is replaced by the portion of the userid before the first @ character. If an @ character does not exist in the userid, then ``%U`` would function identically to ``%u``. For example, if the userid to be authenticated is *jsmith@example.org*, ``%u`` would be replaced by *jsmith@example.org* and ``%U`` would be replaced by *jsmith*.
``%d``
is replaced by the portion of the userid after the first @ character. If an @ character does not exist in the userid, ``%d`` will be replaced by the ``realm`` value passed to ``saslauthd``. If no ``realm`` value was passed to saslauthd, ``%d`` will be replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` is not configured.
``%1-9``
Within a userid which contains an @ character followed by a domain name, ``%1`` will be replaced by the top level domain, ``%2`` will be replaced by the secondary domain, ``%3`` will be replaced by the tertiary domain, up to and including ``%9`` which would be replaced by the ninth level domain. If no @ character exists in the userid, or if there is no domain name after the @ character, or if the specified hierarchical domain level does not exist, the token is replaced by the ``realm`` value passed to ``saslauthd``. Should no ``realm`` value exist in those scenarios, the token is replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` has not been configured.
For example, if the userid to be authenticated is *jsmith@example.org*, ``%1`` would be replaced by *org* and ``%2`` would be replaced by *example*.
``%s``
is replaced by the ``service`` option passed to ``saslauthd``, or by an empty string if no ``service`` option was passed.
``%r``
is replaced by the ``realm`` option passed to ``saslauthd``. If no ``realm`` value was passed to saslauthd, ``%r`` will be replaced by the configured ``ldap_default_realm``, or by an empty string if ``ldap_default_realm`` is not configured.
``ldap_password_attr`` - userPassword
When ``ldap_auth_method`` is evaluated as *custom*, ``ldap_password_attr`` specifies an attribute that will be requested and retrieved. If it is retrieved successfully, the authentication request succeeds if the ``ldap_password_attr`` attribute contains a supported password hash and the user-submitted password matches that hash. Note that the identity saslauthd binds as must therefore be allowed to read that attribute. When ``ldap_auth_method`` is *bind* or *fastbind*, ``ldap_password_attr`` is ignored.
``ldap_group_dn`` - none
If ``ldap_group_dn`` is specified, the user's authentication attempt succeeds only if group authorization also succeeds, in addition to the authentication step above. If ``ldap_group_dn`` contains substitution tokens, they will be replaced as specified in the ``ldap_filter`` token expansion rules. One additional token substitution is applicable to ``ldap_group_dn``:
``%D``
is replaced by the distinguished name that was specified, or evaluated, in the authentication step. If ``ldap_use_sasl`` is enabled, the distinguished name is resolved by performing an LDAP "Who am I?" extended operation (RFC 4532, the operation behind the ``ldapwhoami`` tool) after a successful authentication. If ``ldap_group_dn`` is specified and ``ldap_use_sasl`` is enabled, but the LDAP server does not support the "Who am I?" extended operation, or the operation fails, the user's authentication attempt fails.
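The token expansion rules above (for ``ldap_filter`` and ``ldap_search_base``) and the extra ``%D`` token for ``ldap_group_dn`` are worked through in the following added example. It is a stand-alone Python re-implementation of the documented rules, not saslauthd's own code; the function names ``expand_tokens``, ``escape_filter_value`` and ``escape_dn_value`` and the sample userids are this example's own. Escaping of substituted values (RFC 4515 for filters, RFC 4514 for DNs) is added here as a defensive measure against filter injection through the userid; this page does not say whether saslauthd itself escapes them.

```python
"""Token expansion for the saslauthd LDAP back end.

Added example: a stand-alone re-implementation of the substitution rules this
page documents for ldap_filter, ldap_search_base and ldap_group_dn. Not
saslauthd's own code. Escaping of substituted values is an addition here
(RFC 4515 for filters, RFC 4514 for DNs); the page does not state whether
saslauthd escapes them itself.
"""

# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514: characters that must be backslash-escaped inside a DN value.
_DN_SPECIAL = '"+,;<>\\'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a distinguished name."""
    out = "".join(
        "\\00" if ch == "\x00" else ("\\" + ch if ch in _DN_SPECIAL else ch)
        for ch in value
    )
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def expand_tokens(template, userid, realm="", service="", default_realm="",
                  bound_dn="", escape=escape_filter_value):
    """Expand %%, %u, %U, %d, %1-%9, %s, %r and %D in ``template``.

    ``realm`` and ``service`` are the values passed to saslauthd with the
    request, ``default_realm`` is ldap_default_realm and ``bound_dn`` is the
    DN from the authentication step (for %D). ``escape`` is applied to every
    user-derived value; %D is inserted as-is because it is already a DN
    resolved from the directory, not client input.
    """
    local, _, domain = userid.partition("@")
    # Fallback for %d, %1-%9 and %r: the request realm, else ldap_default_realm.
    fallback_realm = realm or default_realm
    # %1 is the top-level label, %2 the next one down, so reverse the labels.
    levels = list(reversed(domain.split("."))) if domain else []

    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 >= len(template):
            out.append(ch)
            i += 1
            continue
        tok = template[i + 1]
        i += 2
        if tok == "%":
            out.append("%")
        elif tok == "D":
            out.append(bound_dn)
        elif tok in "uUdsr123456789":
            if tok == "u":
                val = userid
            elif tok == "U":
                val = local
            elif tok == "d":
                val = domain or fallback_realm
            elif tok == "s":
                val = service
            elif tok == "r":
                val = fallback_realm
            else:  # %1-%9: the n-th domain level, or the fallback realm
                n = int(tok)
                val = levels[n - 1] if n <= len(levels) else fallback_realm
            out.append(escape(val) if escape else val)
        else:
            out.append("%" + tok)  # unknown token: left untouched
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample, the page's own jsmith@example.org case.
    print(expand_tokens("(&(uid=%U)(dc=%2)(dc=%1))", "jsmith@example.org"))
    # A hostile userid that would widen the filter without escaping.
    print(expand_tokens("uid=%u", "*)(uid=*"))
```

When a template is a DN rather than a filter (``ldap_group_dn``, or ``ldap_filter`` under the *custom* method, where it becomes the user's DN), pass ``escape=escape_dn_value`` so that a userid containing a comma cannot append extra RDNs.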
``ldap_group_attr`` - uniqueMember
``ldap_group_attr`` is ignored unless ``ldap_group_dn`` is also specified and ``ldap_group_match_method`` is *attr*. ``ldap_group_attr`` specifies an attribute which contains the authenticating identity's distinguished name. See the ``ldap_group_match_method`` entry for additional details.
``ldap_group_filter`` - none
``ldap_group_search_base`` - defaults to the evaluated ``ldap_search_base``
``ldap_group_scope`` - *sub*
``ldap_group_match_method`` - attr
``ldap_default_realm`` - none
``ldap_default_domain`` - none
``ldap_default_domain`` is an alias for ``ldap_default_realm``.
``ldap_auth_method`` - bind
``ldap_timeout`` - 5
``ldap_size_limit`` - 1
``ldap_time_limit`` - 5
``ldap_deref`` - never
``ldap_referrals`` - no
``ldap_restart`` - yes
``ldap_scope`` - sub
``ldap_use_sasl`` - no
``ldap_id`` - none
``ldap_sasl_authc_id`` - none
``ldap_authz_id`` - none
It makes no sense to supply an authorization identity when performing a SASL *fastbind*.
``ldap_sasl_authz_id`` - none
``ldap_sasl_authz_id`` is an alias for ``ldap_authz_id``.
``ldap_realm`` - none
``ldap_sasl_realm`` -
``ldap_mech`` -
It makes no sense to use a mechanism that does not require an authentication name and password when using *fastbind*.
``ldap_sasl_mech`` -
``ldap_sasl_secprops`` -
``ldap_start_tls`` -
``ldap_tls_check_peer`` -
``ldap_tls_cacert_file`` -
``ldap_tls_cacert_dir`` -
``ldap_tls_ciphers`` -
``ldap_tls_cert`` -
``ldap_tls_key`` -
``ldap_debug`` -
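The ``ldap_servers``, ``ldap_start_tls``, ``ldap_tls_check_peer``, ``ldap_auth_method`` and bind-credential options above interact: a plain ``ldap://`` URI without StartTLS sends the bind password, and with the *bind* and *fastbind* methods every user's password, in the clear, and TLS without peer checking accepts any server. The following added example (not part of saslauthd) parses the ``key: value`` lines of a saslauthd.conf and flags such combinations. The two configurations embedded in it are constructed for this example. It assumes ``ldap_start_tls`` and ``ldap_tls_check_peer`` are enabled with the literal value ``yes``; this page lists those option names but not their values.

```python
"""Lint the LDAP section of a saslauthd.conf for weak settings.

Added example, not part of saslauthd. Assumption: ldap_start_tls and
ldap_tls_check_peer are enabled with the literal value "yes" (the page
lists the option names without their values). The sample configurations
at the bottom are constructed for this example.
"""


def parse_saslauthd_conf(text: str) -> dict:
    """Parse ``key: value`` lines; blank lines and lines starting with '#' are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_ldap_config(conf: dict) -> list:
    """Return (tag, message) findings for a parsed configuration."""
    findings = []
    servers = conf.get("ldap_servers", "ldap://localhost").split()
    start_tls = conf.get("ldap_start_tls", "no").lower() == "yes"
    check_peer = conf.get("ldap_tls_check_peer", "no").lower() == "yes"

    # ldap:// without StartTLS: credentials cross the network unencrypted.
    # ldapi:// (Unix domain socket) does not traverse the network and is exempt.
    plain = [s for s in servers if s.startswith("ldap://")]
    if plain and not start_tls:
        findings.append(("cleartext", f"{' '.join(plain)} used without ldap_start_tls"))

    tls_in_use = start_tls or any(s.startswith("ldaps://") for s in servers)
    if tls_in_use and not check_peer:
        findings.append(("no-peer-verification",
                         "ldap_tls_check_peer is not yes; the server certificate is not verified"))
    if tls_in_use and check_peer and not (
            conf.get("ldap_tls_cacert_file") or conf.get("ldap_tls_cacert_dir")):
        findings.append(("no-ca-configured",
                         "no ldap_tls_cacert_file/ldap_tls_cacert_dir; trust depends on libldap defaults"))

    # custom: saslauthd fetches the hash attribute and compares locally, so the
    # bind identity needs read access to password hashes.
    method = conf.get("ldap_auth_method", "bind").lower()
    if method == "custom":
        attr = conf.get("ldap_password_attr", "userPassword")
        findings.append(("custom-auth",
                         f"ldap_auth_method custom: bind identity must read {attr} hashes; comparison happens in saslauthd"))

    if conf.get("ldap_bind_pw") or conf.get("ldap_password"):
        findings.append(("secret-in-file",
                         "ldap_bind_pw/ldap_password present; restrict read access to saslauthd.conf"))

    # A filter that never references the userid makes the search independent of who logs in.
    flt = conf.get("ldap_filter", "uid=%u")
    if method != "fastbind" and "%u" not in flt and "%U" not in flt:
        findings.append(("filter", f"ldap_filter {flt!r} does not reference the userid (%u/%U)"))
    return findings


def lint_text(text: str) -> list:
    return lint_ldap_config(parse_saslauthd_conf(text))


# Constructed sample: cleartext transport and hash retrieval from the directory.
WEAK_CONF = """\
ldap_servers: ldap://ldap.example.org
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=org
ldap_bind_pw: placeholder-not-a-real-secret
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: uid=%u
ldap_auth_method: custom
ldap_password_attr: userPassword
"""

# Constructed sample: StartTLS with peer verification and bind-based authentication.
HARDENED_CONF = """\
ldap_servers: ldap://ldap.example.org
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=org
ldap_bind_pw: placeholder-not-a-real-secret
ldap_search_base: ou=people,dc=example,dc=org
ldap_filter: (&(objectClass=inetOrgPerson)(uid=%U))
ldap_auth_method: bind
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for tag, msg in lint_text(text):
            print(f"  [{tag}] {msg}")
```

The hardened sample still reports ``secret-in-file``: a bind password in saslauthd.conf is unavoidable for an authenticated bind, so the remaining control is file permissions, which a text-only check cannot verify.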
Authdaemon
----------
Alwaystrue
----------
Auto Transition
---------------