GNU Dico Manual (split by node)

4.3.3.2 LDAP Databases.

To configure an LDAP user database, first load the ‘ldap’ module (see LDAP module):

load-module ldap;

The URL of the database is: ‘ldap://host[:port]’, where host is the host name or IP address of the LDAP server, and optional port specifies the port number it is listening on (by default, port 389 is assumed).

The password-resource statement specifies the name of an attribute containing the password, and the group-resource supplies the name of the attribute with the group name.

Additional configuration data are supplied in the options statement, whose argument is a whitespace-separated list of assignments:

base=base

Sets base DN.

binddn=dn

Sets the DN to bind as.

passwd=string

Sets the password.

tls=bool

When set to ‘yes’, enables the use of TLS encryption.

debug=number

Sets OpenLDAP debug level.

user-filter=filter

An LDAP filter that selects the objects describing this user. Any occurrence of ‘$user’ in filter is replaced with the actual user name, as obtained during authentication. This variable expansion works much as in the shell: in particular, the variable is not expanded when it is immediately followed by an alphanumeric character. For example, expansion occurs in:

(uid=$user)

and

(uid=$user.1)

But it does not occur in

(uid=$users)

If it is necessary to expand the variable in such a context, enclose its name in curly braces:

(uid=${user}s)

group-filter=filter

An LDAP filter that selects the user's groups. The filter is expanded in the same way as user-filter.

The following example shows an LDAP user database configured for base DN ‘example.com’ which uses ‘posixAccount’ and ‘posixGroup’ objects from ‘nis.schema’:

user-db "ldap://localhost" {
  password-resource userPassword;
  group-resource cn;
  options "user-filter=(uid=$user) "
          "group-filter=(&(objectClass=posixGroup)"
                       "(memberuid=$user)) "
          "base=dc=example,dc=com";
}
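The following Python script is an added illustration, not part of the GNU Dico manual or of dicod's own code. It parses an options argument of the form shown above (a whitespace-separated list of name=value assignments) and applies the ‘$user’ / ‘${user}’ expansion rule from the user-filter description, so all four filter examples given earlier can be checked. The one step that goes beyond the text is ldap_filter_escape(): whether dicod itself escapes the user name before inserting it into the filter is not stated on this page, so the script escapes the substituted value according to RFC 4515 as a defensive measure, which keeps a user name containing ‘(’, ‘)’, ‘*’ or ‘\’ from altering the structure of the filter. The options string is constructed to match the example configuration above.

```python
import re

# Expansion rule described for user-filter / group-filter:
# "$user" is replaced unless it is immediately followed by an alphanumeric
# character; "${user}" is always replaced.
_VAR_RE = re.compile(r"\$(?:\{user\}|user(?![A-Za-z0-9]))")

# Constructed to match the three assignments in the example user-db block.
EXAMPLE_OPTIONS = ("user-filter=(uid=$user) "
                   "group-filter=(&(objectClass=posixGroup)(memberuid=$user)) "
                   "base=dc=example,dc=com")


def parse_options(options: str) -> dict:
    """Split an options argument into a dict of name -> value.

    The argument is a whitespace-separated list of assignments, so a value
    can never contain whitespace; only the first '=' separates name from
    value, which is why base=dc=example,dc=com parses correctly.
    """
    result = {}
    for item in options.split():
        if "=" not in item:
            raise ValueError(f"not an assignment: {item!r}")
        name, value = item.split("=", 1)
        result[name] = value
    return result


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Assumed defensive step, not something this page says dicod performs:
    the characters ( ) * \\ and NUL are replaced by \\xx hex escapes so that
    the user name is matched literally instead of being parsed as filter
    syntax.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, user: str) -> str:
    """Replace $user / ${user} in template with the escaped user name.

    A callable replacement is used so that backslashes produced by the
    escaping are inserted verbatim rather than interpreted by re.sub().
    """
    escaped = ldap_filter_escape(user)
    return _VAR_RE.sub(lambda m: escaped, template)


def build_search(options: str, user: str) -> dict:
    """Return the base DN and the two expanded filters for one user."""
    opts = parse_options(options)
    return {
        "base": opts["base"],
        "user_filter": expand_filter(opts["user-filter"], user),
        "group_filter": expand_filter(opts["group-filter"], user),
    }


if __name__ == "__main__":
    for name in ("alice", "a)(uid=*"):
        print(name, "->", build_search(EXAMPLE_OPTIONS, name))
```

Running the script prints the expanded user and group filters for an ordinary user name and for one containing filter metacharacters; in the second case the metacharacters appear as \29, \28 and \2a escapes, so the filter still matches exactly one uid value.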

A note on password storage is in order here. Most authentication methods require the passwords to be stored in the database in plain text. Hashed passwords (e.g. MD5 or SHA1) can be used only with the ‘LOGIN’ and ‘PLAIN’ GSASL authentication methods; since both of these mechanisms transmit the password in clear text, they should be used only over a TLS-protected connection.
