ldap — format of ldap component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the ldap component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, using names is obligatory.
The following enumerations are used in ldap configuration directives:
ldap-tls-reqcert-mode (name-usage obligatory)
    Specifies what checks to perform on LDAP server certificates in a TLS session, if any.
    never
        The client (fw) will not request or check any server certificate.
    demand
        The server certificate is requested. If no certificate is provided, or a bad certificate is provided, authentication immediately fails.
ldap-search-scope (name-usage obligatory)
    Specifies the scope for searching users and groups.
    subtree
        Search the subtree of the given node.
    onelevel
        Search the level that is directly below the given node.
ldap-group-match (name-usage obligatory)
    How a group name obtained from LDAP is matched in ACL and logged.
    short
        Match and log only the first component (CN) of the group name.
    domain
        Match and log the first component (CN) of the group name with '@DOMAIN' appended (extracted from the DC components of the group distinguished name), for example, Users@EXAMPLE.COM.
The configuration of the ldap library component consists of the following prototypes:

* ldap-client-auth name { ... }

ldap-client-auth name {
    server ... ;
    ssl { ... }
    bindinfo ... ;
    kerberos ... ;
    users ... ;
    groups ... ;
    active-directory ... ;
}
LDAP client authorisation attributes.
Server identification and description of its attributes.
Item SERVER is required.
Items BINDINFO and KERBEROS are mutually exclusive.
Item BINDINFO or KERBEROS is required.
The pair of items USERS and GROUPS or item ACTIVE-DIRECTORY is required.
Item ACTIVE-DIRECTORY is mutually exclusive with USERS and GROUPS.
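The presence and exclusivity rules just listed, as an added Python checker that is not part of Kernun: it takes one ldap-client-auth section represented (an assumption of this example) as a dict keyed by item name, reports rule violations, and additionally flags the tls-reqcert setting that turns off server certificate checking.

```python
"""Added example, not Kernun's own configuration checker: apply the
required / mutually-exclusive rules stated for ldap-client-auth to one
section, represented (an assumption of this example) as a dict keyed by
item name whose values are dicts of that item's own attributes."""


def check_ldap_client_auth(sec: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for one ldap-client-auth section.
    Errors are violations of the section's rules; warnings point at
    settings that are legal but weaken server authentication."""
    errors, warnings = [], []
    if 'server' not in sec:
        errors.append('item server required')
    bind, krb = 'bindinfo' in sec, 'kerberos' in sec
    if bind and krb:
        errors.append('items bindinfo and kerberos are mutually exclusive')
    elif not (bind or krb):
        errors.append('item bindinfo or kerberos required')
    users, groups, ad = 'users' in sec, 'groups' in sec, 'active-directory' in sec
    if ad and (users or groups):
        errors.append('item active-directory is mutually exclusive with users and groups')
    elif not ad and not (users and groups):
        errors.append('pair of items users and groups or item active-directory required')
    # tls-reqcert defaults to demand; 'never' means the LDAP server's
    # certificate is neither requested nor checked in the TLS session.
    if sec.get('ssl', {}).get('tls-reqcert', 'demand') == 'never':
        warnings.append('ssl.tls-reqcert never: server certificate is not checked')
    return errors, warnings


if __name__ == '__main__':
    # Constructed section, not from the man page: Kerberos bind to an AD.
    section = {
        'server': {'uri': ['ldaps://dc1.example.com'], 'timeout': 5},
        'ssl': {'tls-reqcert': 'demand'},
        'kerberos': {},
        'active-directory': {'domain': 'EXAMPLE.COM', 'group-match': 'domain'},
    }
    print(check_ldap_client_auth(section))  # ([], [])
```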
server uri [timeout timeout];
    Definition of the LDAP server location.
    uri (type: str-list)
        URI of the LDAP server. If more than one server is configured, the first accessible server will be used.
    timeout timeout (type: uint32, optional, default: 2)
        Timeout for LDAP operations, in seconds.
ssl {
    id ... ;
    auth-cert ... ;
    tls-reqcert ... ;
}
    id private-key certificate;
        Private key and certificate.
        private-key (type: name of shared-file, see common(5))
            The file that contains the private key that matches the certificate stored in the 'certificate' file. The private key must not be protected with a password, so it is of critical importance that the key file itself is protected carefully.
        certificate (type: name of shared-file, see common(5))
            The file that contains the client certificate.
    auth-cert [file file] [dir dir];
        Certificates of trusted certification authorities.
        file file (type: name of shared-file, see common(5), optional, default: NULL)
            The file that contains the certificates of all Certificate Authorities the LDAP client will recognize.
        dir dir (type: name of shared-dir, see common(5), optional, default: NULL)
            The directory that contains Certificate Authority certificates in separate individual files. The file is always used before the dir.
    tls-reqcert [tls-reqcert-mode];
        tls-reqcert-mode (type: ldap-tls-reqcert-mode, optional, default: demand)
            Specifies what checks to perform on LDAP server certificates in a TLS session, if any.
[End of section ldap-client-auth.ssl description.]
bindinfo binddn bindpasswd;
    binddn (type: str)
        Distinguished name (dn) of the user for accessing the LDAP directory.
    bindpasswd (type: str)
        Password for accessing the LDAP directory.
kerberos;
    Use Kerberos authentication for accessing the LDAP directory. A valid Kerberos ticket is needed.
users dnusers [uname-attr uname-attr] [gidnum-attr gidnum-attr] [search-scope search-scope];
    Definition of user list properties.
    dnusers (type: str)
        Distinguished name (dn) of the node where the user list is stored within the LDAP directory.
    uname-attr uname-attr (type: str, optional, default: "uid")
        Attribute name where the user name is stored within the user definition node.
    gidnum-attr gidnum-attr (type: str, optional, default: "gidNumber")
        Attribute name where the default group is stored within the user definition node.
    search-scope search-scope (type: ldap-search-scope, optional, default: onelevel)
        Specifies where to search for the users (directly below dnusers or in the whole subtree of dnusers).
groups dngroups [gidnum-attr gidnum-attr] [gmember-attr gmember-attr] [gname-attr gname-attr] [search-scope search-scope];
    Definition of group list properties.
    dngroups (type: str)
        Distinguished name (dn) of the node where the group list is stored within the LDAP directory.
    gidnum-attr gidnum-attr (type: str, optional, default: "gidNumber")
        Attribute name where the group ID is stored within the group definition node.
    gmember-attr gmember-attr (type: str, optional, default: "memberUID")
        Attribute name where the members of the group are stored within the group definition node.
    gname-attr gname-attr (type: str, optional, default: "cn")
        Attribute name where the group name is stored within the group definition node.
    search-scope search-scope (type: ldap-search-scope, optional, default: onelevel)
        Specifies where to search for the groups (directly below dngroups or in the whole subtree of dngroups).
active-directory domain [group-match group-match] [users-search-base users-search-base] [users-object users-object] [username-attribute username-attribute] [member-of-attribute member-of-attribute];
    The LDAP server is Microsoft Windows Active Directory.
    domain (type: str)
        Domain name used by the AD.
    group-match group-match (type: ldap-group-match, optional, default: short)
        How a group name obtained from LDAP is matched in ACL and logged.
    users-search-base users-search-base (type: str, optional, default: "")
        Starting point for the search of users within the AD; if omitted, USERS-SEARCH-BASE is derived from DOMAIN.
    users-object users-object (type: str, optional, default: "user")
        Name of the object class for users.
    username-attribute username-attribute (type: str, optional, default: "sAMAccountName")
        Attribute where the username is stored.
    member-of-attribute member-of-attribute (type: str, optional, default: "memberOf")
        Attribute where the group membership is stored within the user object.
[End of section ldap-client-auth description.]