xref: /openbsd-src/usr.sbin/ldapd/ldapd.8 (revision 4c1e55dc91edd6e69ccc60ce855900fbc12cf34f)
.\"	$OpenBSD: ldapd.8,v 1.9 2011/01/28 09:26:22 martinh Exp $
.\"
.\" Copyright (c) 2009, 2010 Martin Hedenfalk <martin@bzero.se>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 28 2011 $
.Dt LDAPD 8
.Os
.Sh NAME
.Nm ldapd
.Nd Lightweight Directory Access Protocol daemon
.Sh SYNOPSIS
.Nm ldapd
.Op Fl dnv
.Oo
.Fl D Ar macro Ns = Ns Ar value
.Oc
.Op Fl f Ar file
.Op Fl s Ar file
.Sh DESCRIPTION
.Nm
is a daemon which implements version 3 of the LDAP protocol.
.Pp
A running
.Nm
process can be controlled using the
.Xr ldapctl 8
utility.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl D Ar macro Ns = Ns Ar value
Define
.Ar macro
to be set to
.Ar value
on the command line.
Overrides the definition of
.Ar macro
in the configuration file.
.It Fl d
Do not daemonize and log to
.Em stderr .
.It Fl f Ar file
Use
.Ar file
as the configuration file, instead of the default
.Pa /etc/ldapd.conf .
.It Fl n
Configtest mode.
Only check the configuration file for validity.
.It Fl s Ar file
Specify an alternative location for the socket file.
.It Fl v
Produce more verbose output.
A second
.Fl v
together with the
.Fl d
flag produces debug traces of decoded BER messages on stderr.
.El
.Sh AUTHENTICATION
.Nm
can authenticate users via simple binds or SASL with the PLAIN
mechanism.
.Pp
When using simple binds, the bind DN entry must exist in a namespace
and have a
.Ic userPassword
attribute.
The following formats of the
.Ic userPassword
attribute are recognized:
.Bl -tag -width Ds
.It Ic {SHA}digest
Verify the password against the SHA-1 digest.
.It Ic {SSHA}digest
Verify the password against the salted SHA-1 digest.
.It Ic {CRYPT}hash
Verify the password against the
.Xr crypt 3
hash.
.It Ic {BSDAUTH}username
Use BSD Authentication with the given username and authentication style
.Dq auth-ldap .
This is similar to using SASL PLAIN authentication with
.Ar username
as the authentication ID.
.It Ic {BSDAUTH}username#class
Same as above, but overrides the login class.
.El
.Pp
Without a prefix, the
.Ic userPassword
attribute is compared literally with the provided plain text password.
.Pp
When using SASL binds, the authentication ID should be a valid
username for BSD Authentication.
.Pp
For plain text passwords to be accepted, the connection must be
considered secure, either by using an encrypted connection, or by
using the
.Ic secure
keyword in the configuration file.
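.Pp
The following Python sketch is an added example, not code from ldapd: it classifies a userPassword value by the prefixes listed above, checks {SHA} and {SSHA} values, and refuses the bind when the connection is not considered secure.
It assumes the conventional {SSHA} layout of base64(SHA-1(password + salt) + salt); the function names and result strings are hypothetical.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: bytes, salt: bytes = b"") -> str:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, supplied: bytes, secure: bool) -> str:
    """Return 'ok', 'fail', 'refused' or 'external' for one simple bind."""
    if not secure:
        # The bind carries the password in clear text, so it is refused
        # unless the connection is considered secure.
        return "refused"
    for prefix, salted in (("{SSHA}", True), ("{SHA}", False)):
        if stored.startswith(prefix):
            try:
                raw = base64.b64decode(stored[len(prefix):], validate=True)
            except ValueError:
                return "fail"  # malformed base64 never matches
            if len(raw) < SHA1_LEN or (not salted and len(raw) != SHA1_LEN):
                return "fail"  # truncated digest, or salt on an unsalted value
            digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
            calc = hashlib.sha1(supplied + salt).digest()
            return "ok" if hmac.compare_digest(calc, digest) else "fail"
    if stored.startswith(("{CRYPT}", "{BSDAUTH}")):
        return "external"  # needs crypt(3) or BSD Authentication on the host
    # No prefix: literal comparison with the stored plain text value.
    return "ok" if hmac.compare_digest(stored.encode(), supplied) else "fail"


if __name__ == "__main__":
    entry = make_ssha(b"secret", b"constructed-salt")  # constructed sample
    print(entry, check_password(entry, b"secret", secure=True))
```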
.Sh FILES
.Bl -tag -width "/var/run/ldapd.sockXXXXXXX" -compact
.It Pa /etc/ldapd.conf
default
.Nm
configuration file
.It Pa /var/run/ldapd.sock
default
.Nm
control socket
.It Pa /var/db/ldap/*.db
.Nm
database files
.El
.Sh SEE ALSO
.Xr ldapd.conf 5 ,
.Xr login.conf 5 ,
.Xr ldapctl 8
.Rs
.%R RFC 4511
.%T Lightweight Directory Access Protocol (LDAP): The Protocol
.%D June 2006
.Re
.Rs
.%R RFC 4512
.%T Lightweight Directory Access Protocol (LDAP): Directory Information Models
.%D June 2006
.Re
.Sh HISTORY
The
.Nm
program first appeared in
.Ox 4.8 .
.Sh CAVEATS
.Nm
is not yet fully LDAPv3 compliant.