LDAP Client Configuration Options

The LDAP client configuration options are:
  • URI ldap[s]://[servername[:port]] …
    Defines the URIs of the LDAP servers to which the client connects. The URI scheme can be ldap (LDAP over TCP) or ldaps (LDAP over SSL (TLS)). You can specify each server name as a domain-style name or an IP address literal. Optionally, the server name can be followed by a ‘:’ and the port number on which the LDAP server listens. If you provide no port number, the default port for the scheme is used (389 for ldap, 636 for ldaps).
    The value can be a single URI or a space separated list of URIs. When you define more than one URI, the client attempts to connect to each server in the given order. The client establishes the connection to the first server that accepts the connection.
  • BASE base
    Defines the default base DN to use when performing LDAP operations.
    Format:
    The base is a Distinguished Name in LDAP format.
  • BINDDN dn
    Defines the default bind DN to use when performing LDAP operations.
    This is a user-only option.
    Format:
    The dn is a Distinguished Name in LDAP format.
  • DEREF {never|searching|finding|always}
    Specifies how alias dereferencing is done when performing a search. The argument is one of the following keywords:
    • never
      Specifies that aliases are never dereferenced. This is the default.
    • searching
      Specifies that aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
    • finding
      Specifies that aliases are only dereferenced when locating the base object of the search.
    • always
      Specifies that aliases are dereferenced both in searching and in locating the base object of the search.
  • HOST servername[:port] …
    Defines the names of the LDAP servers to which the client connects. Each server name can be specified as a domain-style name or an IP address literal. Optionally, the server’s name can be followed by a ‘:’ and the port number on which the LDAP server is listening.
    The value can be a single name or a space separated list of names. When you specify more than one host, the client attempts to connect to each server in the given order. The client establishes the connection to the first server that accepts the connection.
    HOST is deprecated in favor of URI.
  • NETWORK_TIMEOUT integer
    Specifies the amount of time to wait when connecting to an LDAP server. If the server fails to respond in the specified amount of time the client aborts the attempt.
    Format:
    Seconds
  • PORT port
    Specifies the default port used when connecting to LDAP servers.
    Format:
    Number
    Note:
    PORT is deprecated in favor of URI.
  • REFERRALS {on|true|yes|off|false|no}
    Defines whether the client automatically follows referrals returned by LDAP servers. Command line tools (such as ldapsearch) always override this option.
    Default:
    on
  • SIZELIMIT integer
    Specifies the maximum number of entries that searches can return. The server may still apply a server-side limit on the number of entries that are returned by a search operation.
    Format:
    A non-negative integer. A SIZELIMIT of zero (0) specifies a request for unlimited size.
  • TIMELIMIT integer
    Specifies the maximum amount of time that the client library waits for a response to an operation. The server may still apply a server-side limit on the duration of a search operation.
    Format:
    A non-negative integer, in seconds. A TIMELIMIT of zero (0) specifies an unlimited search time.
  • VERSION {2|3}
    Specifies the version of the LDAP protocol to use.
  • TLS_CACERT filename
    Specifies the file that contains certificates for all of the Certificate Authorities that the client recognizes.
    This option applies to all platforms except z/OS.
  • TLS_CACERTDIR path
    Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. This directory must be preprocessed with the OpenSSL c_rehash script before it can be used. This option applies to all platforms except z/OS.
  • TLS_CERT filename
    Specifies the file that contains the client certificate.
    This option applies to all platforms except z/OS. This is a user-only option.
  • TLS_KEY filename
    Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file.
    This option applies to all platforms except z/OS. This is a user-only option.
    Protect the private key file carefully by setting permissions to restrict access. Do not password-protect the private key file.
  • TLS_KEYRING ringname
    Specifies the name of the key database HFS file, SAF key ring, or z/OS PKCS #11 token. If you also specify the TLS_KEYRINGPW or TLS_KEYRINGSTASH option, a key database is used; otherwise a SAF key ring or z/OS PKCS #11 token is used.
    This option applies to the z/OS platform only. This is a user-only option.
    Format:
    A SAF key ring name is specified as “userid/keyring”. A PKCS #11 token name is specified as “*TOKEN*/token-name”.
    Default:
    The current userid is used if the userid is omitted.
    When you use an SAF key ring owned by another user, certificate private keys are not available. When you use an SAF key ring, the user invoking the client application must have READ access to the resource “IRR.DIGTCERT.LISTRING” in the FACILITY class. If the key ring is owned by a different user, the user invoking the application must have UPDATE access to this resource. When you use a PKCS #11 token, the user must have READ access to resource “USER.token-name” in the CRYPTOZ class.
  • TLS_KEYRINGPW password
    Specifies the password for the key database.
    This option applies to the z/OS platform only. This is a user-only option.
  • TLS_KEYRINGSTASH filename
    Specifies the name of the key database password stash file. The stash file name has an extension of “.sth”. If you supply a name without the correct extension, the extension is added automatically.
    This option applies to the z/OS platform only. This is a user-only option.
    If you specify both the TLS_KEYRINGPW and TLS_KEYRINGSTASH options, the TLS_KEYRINGPW option is used and the TLS_KEYRINGSTASH option is ignored.
  • TLS_CERTLABEL label
    Specifies the label of the certificate to use.
    This option applies to the z/OS platform only. This is a user-only option.
    Default:
    If the TLS_CERTLABEL option is omitted, the default certificate is used.
    Either the current user owns the selected certificate, or it must be a SITE certificate. If it is a SITE certificate, the current user must have CONTROL access to the resource “IRR.DIGTCERT.GENCERT” in the FACILITY class.
  • TLS_CIPHER_SUITE cipher-suite-spec
    Specifies the list of cipher suites that are acceptable to the client application. The LDAP server makes the final decision about which cipher suite the session uses. The client provides the cipher-suite-spec list to limit which cipher suites the server chooses from.
    For a description of how to code this option, see the description of the TLSCipherSuite option in the Global Options section of Customize the Slapd Configuration File.
  • TLS_PROTOCOL_MIN version
    (optional) Specifies the minimum SSL/TLS protocol version that will be negotiated. When the client does not support at least this version, the SSL handshake fails.
    The valid values are:
    • ssl2
      SSL version 2
    • ssl3
      SSL version 3
    • tls1
      TLS version 1
    • tls1.1
      TLS version 1.1
    • tls1.2
      TLS version 1.2
    The minimum SSL/TLS protocol version is the minimum version that the server will allow to be negotiated. For example, if the TLS_PROTOCOL_MIN configuration option specifies “tls1.2” and the client supports only TLS 1.1, the client is not allowed to connect to the CA LDAP Server. If the TLS_PROTOCOL_MIN configuration option specifies “tls1.1”, any request for TLS 1.1 or higher is accepted. So if the client supports TLS 1.2, the connection uses TLS 1.2.
    Previous versions of the CA LDAP clients behaved as if this option were specified with the value “ssl3”, meaning the minimum protocol version was SSLv3. This change in default behavior could result in SSL handshake failures where there previously were none. If a failure occurs, add the TLS_Protocol_Min option to the client's configuration file. The required option is shown in the example that follows.
    Default:
    tls1
  • TLS_RANDFILE filename
    Specifies the file that provides random bits when /dev/[u]random is not available. Generally you set this option to the name of the EGD/PRNGD socket.
    This option applies to all platforms except z/OS.
  • TLS_REQCERT {never|allow|try|demand|hard}
    Specifies what checks to perform on server certificates in a TLS session, if any. Specify the level as one of the following keywords:
    • never
      Specifies that the client does not request or check any server certificate.
    • allow
      Specifies that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it is ignored and the session proceeds normally.
    • try
      Specifies that the server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session terminates immediately.
    • demand | hard
      Specifies that the server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session terminates immediately. The two keywords are equivalent. This is the default setting.
    With the current implementation of SSL, the cipher suite chosen for the session determines whether the server provides a certificate. If the cipher suite does not require a server certificate, this option is ignored. If the cipher suite requires the server to provide a certificate, then 'never' and 'allow' are effectively the same and indicate that a bad certificate should be ignored. Similarly, 'try', 'demand', and 'hard' are effectively the same and indicate that a bad certificate causes the immediate termination of the session.
  • TLS_ENABLEFIPS {on|true|yes|off|false|no}
    Specifies whether the client enables FIPS mode for all SSL/TLS sessions that it initiates.
    Default:
    off
  • TCPIP_JOBNAME jobname
    Specifies the jobname of the TCP/IP stack that all connection requests are routed through.
    This option applies to the z/OS platform only.
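The following is an added example, not code from the CA LDAP documentation or product: a small audit that reads an ldap.conf-style client file and flags the settings described above that weaken transport security (plain ldap:// URIs, deprecated HOST/PORT, TLS_REQCERT below demand, TLS_PROTOCOL_MIN below tls1.2, no CA trust store). It assumes the file uses "KEYWORD value" lines with "#" comments; the sample configuration, host names and finding texts are constructed for the example.

```python
# Added example, not part of the CA LDAP documentation: audit an ldap.conf-style
# client file against the options described above. Flags plain ldap:// URIs,
# deprecated HOST/PORT, TLS_REQCERT weaker than demand, TLS_PROTOCOL_MIN below
# tls1.2, and a missing CA trust store. Sample file and rule wording are constructed.

# Protocol keywords in the order the page lists them, weakest first.
TLS_VERSIONS = ["ssl2", "ssl3", "tls1", "tls1.1", "tls1.2"]

def parse_ldap_conf(text):
    """Parse 'KEYWORD value' lines. Assumes '#' starts a comment, keywords are
    case-insensitive, and a later keyword overrides an earlier one."""
    options = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options

def audit_ldap_conf(text):
    """Return (keyword, finding) pairs for weak or deprecated settings."""
    opts = parse_ldap_conf(text)
    findings = []
    uri = opts.get("URI", "").lower()
    for u in uri.split():
        if u.startswith("ldap://"):
            findings.append(("URI", f"{u} uses LDAP without TLS; prefer ldaps://"))
    for dep in ("HOST", "PORT"):
        if dep in opts:
            findings.append((dep, f"{dep} is deprecated in favor of URI"))
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # demand is the documented default
    if reqcert in ("never", "allow"):
        findings.append(("TLS_REQCERT", f"'{reqcert}' ignores a bad server certificate; use demand"))
    elif reqcert == "try":
        findings.append(("TLS_REQCERT", "'try' accepts a missing server certificate; use demand"))
    proto = opts.get("TLS_PROTOCOL_MIN", "tls1").lower()  # tls1 is the documented default
    if proto in TLS_VERSIONS and TLS_VERSIONS.index(proto) < TLS_VERSIONS.index("tls1.2"):
        findings.append(("TLS_PROTOCOL_MIN", f"'{proto}' permits protocol versions below TLS 1.2"))
    if "ldaps://" in uri and not any(k in opts for k in ("TLS_CACERT", "TLS_CACERTDIR", "TLS_KEYRING")):
        findings.append(("TLS_CACERT", "no CA trust store (TLS_CACERT, TLS_CACERTDIR, or TLS_KEYRING on z/OS)"))
    return findings

# Constructed sample configuration with several weak settings.
SAMPLE_CONF = """\
URI ldap://ldap1.example.com ldaps://ldap2.example.com:636
BASE dc=example,dc=com
TLS_REQCERT allow   # bad server certificates are ignored
TLS_PROTOCOL_MIN tls1
"""
```

Calling audit_ldap_conf(SAMPLE_CONF) yields four findings (URI, TLS_REQCERT, TLS_PROTOCOL_MIN, TLS_CACERT); a file with an ldaps:// URI, TLS_CACERT, TLS_REQCERT demand and TLS_PROTOCOL_MIN tls1.2 yields none.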