Common LDAP Settings for both auth and sieve

This page lists the common settings for both LDAP Authentication and LDAP Lookup for Sieve Scripts.

See LDAP Settings for auth for the settings specific to LDAP Authentication.

See Pigeonhole Sieve: LDAP Lookup for Sieve Scripts for the settings specific to LDAP Lookup for Sieve Scripts.

Note

The LDAP configuration files are opened as root, so they should be owned by root and have mode 0600.

base

  • Default: <empty>

  • Values: String

LDAP base. %variables (see Config Variables) can be used here.

Example:

base = dc=mail, dc=example, dc=org

debug_level

LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h. Value -1 means everything. You may need to recompile OpenLDAP with debugging enabled to get enough output.

deref

  • Default: never

  • Values: never, searching, finding, always

Specify how aliases are dereferenced during searches; the value is passed to the LDAP library as an option.

dn

  • Default: <empty>

  • Values: String

Specify the Distinguished Name (the username used to log in to the LDAP server). Leave it commented out to bind anonymously (useful with auth_bind = yes).

Example:

dn = uid=dov-read,dc=ocn,dc=ad,dc=jp,dc=.

dnpass

  • Default: <empty>

  • Values: String

Password for LDAP server, used if dn is specified.

hosts

  • Default: <empty>

  • Values: String

A space-separated list of LDAP hosts to connect to. Configure either this setting or uris to specify which LDAP server(s) to connect to. You can also use host:port syntax to connect to a non-default port.

Example:

hosts = 10.10.10.10 10.10.10.11 10.10.10.12

See also uris

ldap_version

LDAP protocol version to use. Likely 2 or 3.

ldaprc_path

  • Default: <empty>

  • Values: String

If a non-empty value is set, it is exported as the LDAPRC environment variable, so the LDAP library reads that file as its ldaprc.

sasl_authz_id

  • Default: <empty>

  • Values: String

SASL authorization ID, i.e. the dnpass is for this “master user”, but the dn is still the logged-in user. Normally you want to keep this empty.

sasl_bind

Set yes to use SASL binding instead of the simple binding. Note that this changes ldap_version automatically to be 3 if it’s lower.

sasl_mech

  • Default: <empty>

  • Values: String

SASL mechanism names (a space-separated list of candidate mechanisms) to use.

sasl_realm

  • Default: <empty>

  • Values: String

SASL realm to use.

scope

  • Default: subtree

  • Values: base, onelevel, subtree

This specifies the search scope.

tls

Set to yes to use TLS to connect to the LDAP server.

tls_ca_cert_dir

  • Default: <empty>

  • Values: String

Specify a value for the TLS tls_ca_cert_dir option. Currently supported only with OpenLDAP.

tls_ca_cert_file

  • Default: <empty>

  • Values: String

Specify a value for the TLS tls_ca_cert_file option. Currently supported only with OpenLDAP.

tls_cert_file

  • Default: <empty>

  • Values: String

Specify a value for the TLS tls_cert_file option. Currently supported only with OpenLDAP.

tls_cipher_suite

  • Default: <empty>

  • Values: String

Specify a value for the TLS tls_cipher_suite option. Currently supported only with OpenLDAP.

tls_key_file

  • Default: <empty>

  • Values: String

Specify a value for the TLS tls_key_file option. Currently supported only with OpenLDAP.

tls_require_cert

  • Default: <empty>

  • Values: never, hard, demand, allow, try

Specify a value for the TLS tls_require_cert option. Currently supported only with OpenLDAP.

uris

  • Default: <empty>

  • Values: String

LDAP URIs to use. Configure either this setting or hosts to specify which LDAP server(s) to connect to. Note that this setting isn’t supported by all LDAP libraries. The URIs use the syntax protocol://host:port.

Example:

uris = ldaps://secure.domain.org

See also hosts
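The settings above (hosts/uris, tls, tls_require_cert, dn/dnpass, ldap_version) combine in ways that decide whether the bind password and every lookup cross the network in clear text, and the note at the top of the page fixes the ownership and mode of the file that holds dnpass. The following linter is an added example written for this page, not Dovecot's own code or parser: it reads the key = value subset of syntax these files use (comments only at the start of a line, last value of a duplicate key wins, both assumptions), reports the weak combinations as findings, and checks the file's owner and mode. The two embedded configurations are constructed samples; the password and hostnames in them are placeholders.

```python
import os
import re
import stat

# One "key = value" line of a Dovecot LDAP settings file (assumed subset of the syntax).
_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Constructed sample: the weak combinations this linter is meant to catch.
WEAK_CONF = """\
hosts = 10.10.10.10 10.10.10.11
base = dc=example,dc=org
dn = uid=dovecot-reader,dc=example,dc=org
dnpass =
ldap_version = 2
tls_require_cert = allow
"""

# Constructed sample: the same lookup over ldaps:// with a verified server certificate.
HARDENED_CONF = """\
uris = ldaps://ldap.example.org
base = dc=example,dc=org
scope = subtree
dn = uid=dovecot-reader,ou=services,dc=example,dc=org
dnpass = REPLACE-WITH-REAL-PASSWORD
ldap_version = 3
tls_ca_cert_file = /etc/ssl/certs/ca-bundle.pem
tls_require_cert = demand
"""


def parse_ldap_conf(text):
    """Parse key = value lines into a dict; blank lines and lines starting with '#' are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)   # a repeated key keeps its last value
    return settings


def uses_tls(settings):
    """True when every configured connection is protected: tls = yes (STARTTLS on the
    hosts/uris given), or every URI is ldaps:// (TLS) or ldapi:// (local Unix socket)."""
    if settings.get("tls", "").lower() == "yes":
        return True
    uris = settings.get("uris", "").split()
    return bool(uris) and all(u.lower().startswith(("ldaps://", "ldapi://")) for u in uris)


def lint_ldap_conf(settings):
    """Return (code, message) findings for weak combinations of the page's settings."""
    findings = []
    if (settings.get("hosts") or settings.get("uris")) and not uses_tls(settings):
        findings.append(("PLAINTEXT", "hosts/uris configured without tls = yes or ldaps://: "
                                      "the bind password and all lookups travel in clear text"))
    reqcert = settings.get("tls_require_cert", "").lower()
    if reqcert in ("never", "allow"):
        # OpenLDAP semantics: never = no certificate requested, allow = a bad one is ignored.
        findings.append(("TLS_CERT_UNVERIFIED", f"tls_require_cert = {reqcert}: an invalid or "
                                                "missing server certificate is accepted"))
    elif reqcert == "try":
        findings.append(("TLS_CERT_OPTIONAL", "tls_require_cert = try: a missing server "
                                              "certificate is accepted"))
    if settings.get("dn") and not settings.get("dnpass"):
        findings.append(("EMPTY_DNPASS", "dn is set but dnpass is empty: the bind DN has no password"))
    if settings.get("ldap_version", "").strip() == "2":
        findings.append(("LDAPV2", "ldap_version = 2: LDAPv2 is obsolete, use 3"))
    return findings


def check_file_permissions(path, expected_uid=0):
    """The file is opened as root, so it should be owned by root (uid 0) and be mode 0600."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(("OWNER", f"{path}: owned by uid {st.st_uid}, expected {expected_uid}"))
    if mode & 0o077:   # any group/other bit exposes dnpass to other local users
        findings.append(("MODE", f"{path}: mode {mode:04o}, expected 0600"))
    return findings


def audit_file(path, expected_uid=0):
    """Combine both checks for a file on disk."""
    with open(path, encoding="utf-8") as f:
        settings = parse_ldap_conf(f.read())
    return check_file_permissions(path, expected_uid) + lint_ldap_conf(settings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/dovecot/dovecot-ldap.conf.ext"
    for code, message in audit_file(target):
        print(f"{code}: {message}")
```

Run it as `python3 ldap_conf_lint.py /etc/dovecot/dovecot-ldap.conf.ext` (as root, so the file can be read); an empty tls_require_cert is deliberately not reported, because the effective behaviour then comes from the LDAP library's own defaults rather than from this file.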