NAME

login_ldap — contact LDAP directory server for authentication

SYNOPSIS

DESCRIPTION

The login_ldap utility contacts an LDAP server to authenticate a user.

Available options are:

-d

Print debugging information.

-s

Specify the service. Currently only “login” and “response” are supported. The challenge service is not supported, but it is not an error to specify this service. If this happens, login_ldap will request the response service.

-v

This option is for compatibility and is ignored.

login_ldap searches for the user on the LDAP server based on the filter parameters in the configuration file. If the user is found, it will try to bind to it using the supplied password.

login_ldap uses the ldap-conffile login.conf(5) variable to determine the location of the configuration file. If no ldap-conffile can be found, it will fall back to /etc/login_ldap.conf. The configuration file must be owned by root with group auth and permissions 0640.

LOGIN_LDAP.CONF VARIABLES

The login_ldap.conf file takes one key value pair per line separated by a ‘=’. No spaces are allowed between the ‘=’ and value. The key may have leading and trailing whitespaces. Empty lines and lines starting with a ‘#’ are ignored.

The login_ldap utility requires the following variables:

host

The hostname of the LDAP server or an LDAP URL. The LDAP URL is described in the following format:

[protocol://]host[:port]

The following protocols are supported:

ldap

Connect with TCP in plain text. This is the default.

ldaps

Connect with TLS. The default port is 636.

ldap+tls

Connect with TCP and enable TLS using the StartTLS operation.

Multiple host entries are supported and are tried in order of appearance.

basedn

Point in the LDAP server's Directory Information Tree login_ldap should begin searching for user objects. This option can be omitted if the binddn points directly to the user entry.

binddn

DN used by login_ldap to bind to the LDAP server. If no basedn is set, this is used to bind directly to the user and uses the user supplied password. Use FORMAT FILTERS to specify the username in this case.

If basedn is set, it is used together with bindpw to bind to the LDAP server and search for the user entry based on filter and scope. If binddn is omitted and basedn is set, an anonymous bind is used to search for the user entry.

In most cases, you will need to configure additional options. The following entries to login_ldap.conf are also recognised by login_ldap and are optional:

bindpw

Password used by login_ldap to bind to the LDAP server. Leave this out for a passwordless bind.

filter

LDAP search filter (in accordance with RFC 1558) which identifies the objectclasses and attributes necessary for login_ldap to locate the user object. See the FILTER FORMATS section for details.

timeout

Time in seconds to wait for the LDAP server to respond to a query. The default is 60 seconds per query, with up to four queries occurring.

scope

The directory scope when performing the user lookup (first pass) search. Acceptable values are:

base

Base object search

one

One level search

sub

Full subtree search

The default is sub if scope is unspecified.

cacert

The pathname of the CA used for SSL certificates.

cacertdir

The directory containing the certificates of trusted CAs.

An additional groupcheck can be performed to verify the user is allowed to log in. This can be done by specifying gbasedn, gfilter and optionally gscope. See basedn, filter and scope for semantics. These checks are performed by the binddn user.

FILTER FORMATS

The following format specifiers are valid for the filter:

%u

Username. The username of the user to be authenticated as specified by the user argument.

%h

Hostname. The hostname of the host the user is trying to authenticate on, as returned by gethostname(3) and displayed by hostname(1).

%d

The dn of the user attempting authentication as returned from the first pass of the search. This option is only available to gfilter and gbasedn.

%%

A literal ‘%’ character.

FILES

/etc/examples/login_ldap.conf

Example configuration file.

SEE ALSO

ldap(1), login(1), login.conf(5), ldapd(8), ypldap(8)

HISTORY

The login_ldap utility first appeared in OpenBSD 3.3 ports and was later mostly rewritten by Martijn van Duren <martijn@openbsd.org> and imported into OpenBSD 6.8.

AUTHORS

The login_ldap utility was originally written by:

Peter Werner <peterw@ifost.org.au>
Michael Erdely <merdely@openbsd.org>

CAVEATS

As there is no SASL support, passwords are sent to the LDAP server. TLS should be used to protect the password in transit.