Please correct me if I am wrong.
These questions are stemming from a Red Hat Linux Server.
/etc/openldap/ldap.conf # this config file is openldap server's ldap config file?
/etc/ldap.conf # This config file is for ldap's clients?
If I want to test if LDAP is configured with TLS/SSL with this command ldapsearch -d -1 -x -LLL -ZZ, do I need an LDAP client config file?
On 06/24/13 13:48 -0400, Rodney Simioni wrote:
These questions are stemming from a Red Hat Linux Server.
/etc/openldap/ldap.conf # this config file is openldap server's ldap config file?
That file would be utilized by the OpenLDAP clients and client libraries. Do 'man ldap.conf' and reference the FILES section to confirm.
/etc/ldap.conf # This config file is for ldap's clients?
I would guess that file was placed by PADL software, such as libnss-ldap or libpam-ldap, and likely has no effect on your ldapsearch command.
If I want to test if LDAP is configured with TLS/SSL with this command ldapsearch -d -1 -x -LLL -ZZ, do I need an LDAP client config file?
Yes, for at least the default URI you want to search against.
Rodney Simioni wrote:
/etc/openldap/ldap.conf # this config file is openldap server's ldap config file?
No, it's an LDAP client config. Most likely for OpenLDAP ldap* command-line tools but sometimes also for other components.
/etc/ldap.conf # This config file is for ldap's clients?
Sometimes it's used for LDAP clients like pam_ldap, sudo-ldap etc. It also might affect the behaviour of clients implemented in a scripting language that use the OpenLDAP client libs through C wrapper modules (like php-ldap, python-ldap, etc.)
The way various software and distributions deal with ldap.conf in several directories is a mess and entirely depends on how the software author / Linux distributor built the client software.
If I want to test if LDAP is configured with TLS/SSL with this command ldapsearch -d -1 -x -LLL -ZZ, do I need an LDAP client config file?
A host parameter is missing (see -H) in the example above. The OpenLDAP command-line tools all have options for specifying all LDAP parameters you might need.
Ciao, Michael.
Michael Ströder wrote:
Rodney Simioni wrote:
/etc/openldap/ldap.conf # this config file is openldap server's ldap config file?
No, it's an LDAP client config. Most likely for OpenLDAP ldap* command-line tools but sometimes also for other components.
/etc/ldap.conf # This config file is for ldap's clients?
Sometimes it's used for LDAP clients like pam_ldap, sudo-ldap etc. It also might affect the behaviour of clients implemented in a scripting language that use the OpenLDAP client libs through C wrapper modules (like php-ldap, python-ldap, etc.)
Not quite. There is no specific config file for OpenLDAP command line tools. The /etc/openldap/ldap.conf is a config for libldap, and as such it affects everything that uses libldap - command line tools, scripting modules, whatever.
/etc/ldap.conf was used by pam_ldap/nss_ldap, certainly. Possibly by some other things too, and yes it's a mess. pam_ldap/nss_ldap are now obsolete/unmaintained. You should be using nssov or nss-pam-ldapd now, and neither of them use /etc/ldap.conf.
The way various software and distributions deal with ldap.conf in several directories is a mess and entirely depends on how the software author / Linux distributor built the client software.
Howard Chu wrote:
Michael Ströder wrote:
Rodney Simioni wrote:
/etc/openldap/ldap.conf # this config file is openldap server's ldap config file?
No, it's an LDAP client config. Most likely for OpenLDAP ldap* command-line tools but sometimes also for other components.
/etc/ldap.conf # This config file is for ldap's clients?
Sometimes it's used for LDAP clients like pam_ldap, sudo-ldap etc. It also might affect the behaviour of clients implemented in a scripting language that use the OpenLDAP client libs through C wrapper modules (like php-ldap, python-ldap, etc.)
Not quite. There is no specific config file for OpenLDAP command line tools. The /etc/openldap/ldap.conf is a config for libldap, and as such it affects everything that uses libldap - command line tools, scripting modules, whatever.
Just to add: Some applications (e.g. web2ldap) turn off processing ldap.conf by setting env var LDAPNOINIT=1 to prevent side effects to application configuration.
[..] and yes it's a mess.
Especially since some software adds other, non-OpenLDAP configuration directives (e.g. sudo-ldap). So even for me it's sometimes hard to sort out which file/directive affects what...
Ciao, Michael.
openldap-technical@openldap.org
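The thread's three points (ldap.conf is libldap's defaults file, LDAPNOINIT switches that defaulting off, and -ZZ still needs a URI from -H or from the config) can be checked against the lookup order documented in ldap.conf(5). The following is an added illustration, not OpenLDAP code: it models that order over a constructed in-memory "filesystem" and never calls libldap, and the hypothetical starttls_search_ready() only inspects what ldapsearch -ZZ would start from.

```python
import os

SYSTEM_CONF = "/etc/openldap/ldap.conf"      # libldap's system-wide defaults file
OPTIONS = ("URI", "BASE", "TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT")

def parse_ldap_conf(text):
    """Parse 'OPTION value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key.upper()] = value.strip()
    return opts

def effective_options(files, env, home, cwd):
    """Defaults libldap would start from, per ldap.conf(5): system file, then
    ~/ldaprc, ~/.ldaprc, ./ldaprc, then LDAPCONF / LDAPRC files, then LDAP<OPTION>
    environment variables.  Later sources override earlier ones.  'files' is a
    dict path -> content standing in for the filesystem (constructed input)."""
    if "LDAPNOINIT" in env:                # disables all defaulting (the web2ldap trick)
        return {}
    order = [SYSTEM_CONF, os.path.join(home, "ldaprc"),
             os.path.join(home, ".ldaprc"), os.path.join(cwd, "ldaprc")]
    if "LDAPCONF" in env:                  # absolute path, or relative to cwd
        order.append(os.path.join(cwd, env["LDAPCONF"]))
    if "LDAPRC" in env:                    # basename looked up in home and cwd
        order += [os.path.join(home, env["LDAPRC"]), os.path.join(cwd, env["LDAPRC"])]
    opts = {}
    for path in order:
        if path in files:
            opts.update(parse_ldap_conf(files[path]))
    for name in OPTIONS:
        if "LDAP" + name in env:
            opts[name] = env["LDAP" + name]
    return opts

def starttls_search_ready(opts, argv):
    """Check whether 'ldapsearch -ZZ' can even open a connection: -H on the
    command line wins, otherwise URI must come from the resolved defaults."""
    uri = argv[argv.index("-H") + 1] if "-H" in argv else opts.get("URI")
    if not uri:
        return False, "no URI: pass -H or set URI in ldap.conf"
    if uri.startswith("ldaps://"):
        return False, "-ZZ requests StartTLS, which does not apply on an ldaps:// URI"
    if not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        return True, uri + " (no TLS_CACERT/TLS_CACERTDIR set; check how the server cert is verified)"
    return True, uri
```

Running effective_options() twice, once with LDAPNOINIT in the environment, shows directly which directives a tool such as sudo-ldap or php-ldap would otherwise inherit from /etc/openldap/ldap.conf.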