Diffstat (limited to 'doc/smap.texi')
-rw-r--r-- doc/smap.texi 123
1 files changed, 92 insertions, 31 deletions
diff --git a/doc/smap.texi b/doc/smap.texi
index 4bc5325..cf9b56f 100644
--- a/doc/smap.texi
+++ b/doc/smap.texi
@@ -2721,4 +2721,4 @@ of SQL modules:
- The @acronym{LDAP} parameters may be configured either globally, when
-loading the module, or locally, when defining a smap database. If a
+ @acronym{LDAP} parameters may be configured either globally, when
+loading the module, or locally, when defining a smap database. If the
database definition lacks some configuration statements, it looks them
@@ -2736,2 +2736,29 @@ the @dfn{negative reply template} to create the response.
+@flindex /etc/ldap.conf
+ The module gets its configuration from the file
+@file{/etc/ldap.conf} and from module and database command line. The
+settings from the command line override those from
+@file{/etc/ldap.conf}. Alternative configuration file can be
+specified using the @option{config-file} option.
+The subsections that follow discuss the keywords meaningful for the
+@command{ldap} module. Unless explicitly stated otherwise, these can
+be used in the command line as well as in the configuration file. For
+compatibility with other @acronym{LDAP} software, keywords in the
+configuration file are case-insensitive. Unrecognized keywords
+appearing in the configuration file are silently ignored. You can use
+the @samp{ldap.2} debug level to get a listing of those. This can be
+useful to trace possible typos.
+
+Unrecognized keywords appearing in the command line are treated as
+errors, as usual.
+
+@kwindex config-file
+The only keyword that can be used only in the command line is
+@option{config-file}:
+
+@table @option
+@item config-file=@var{file}
+ Read configuration from file @var{file} instead of @file{/etc/ldap.conf}.
+@end table
+
@menu
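Review bot: The added line `specified using the @option{config-file} option.` runs straight into `The subsections that follow discuss ...` with no blank line, so Texinfo will set the two as a single paragraph; add an empty line between them. In the same block, "Alternative configuration file can be" needs an article ("An alternative configuration file can be"), and "The only keyword that can be used only in the command line" reads better as "The only keyword restricted to the command line". Since unrecognized keywords in the file are silently ignored, it would also help to state what happens to the setting a misspelled keyword was meant to configure, next to the pointer to the @samp{ldap.2} debug level.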
@@ -2744,13 +2771,22 @@ the @dfn{negative reply template} to create the response.
-@flindex /etc/ldap.conf
-The @acronym{LDAP} configuration is read from the file
-@file{/etc/ldap.conf} and from module and database command line. The
-settings from the command line override those from
-@file{/etc/ldap.conf}. Alternative configuration file can be
-specified using the @option{config-file} option.
+The following keywords configure access to the @acronym{LDAP} database:
@table @option
-@kwindex config-file
-@item config-file=@var{file}
- Read configuration from file @var{file} instead of @file{/etc/ldap.conf}.
+@kwindex base
+@item base=@var{string}
+ Sets the default base DN for ldap operations. The base must be
+specified as a Distinguished Name in LDAP format.
+
+@kwindex binddn
+@item binddn=@var{dn}
+ The DN to bind as.
+
+@kwindex bindpw
+@item bindpw=@var{password}
+ Password for @code{binddn}.
+
+@kwindex bindpwfile
+@item bindpwfile=@var{file}
+ Read password from @var{file}. This is a safer alternative to
+@option{bindpw}.
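Review bot: The `bindpwfile` entry calls it "a safer alternative to @option{bindpw}" without saying why or how to use it safely. Say that `bindpw` places the password in the configuration file or on the module or database command line, and document the expected format of the password file (whole contents or first line, handling of a trailing newline) together with a recommendation that it be readable only by the account smap runs as. A blank line between "The following keywords configure access to the @acronym{LDAP} database:" and `@table @option` would match the layout used before the lookup table later in this patch.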
@@ -2774,21 +2810,3 @@ is the pathname of the UNIX socket and @var{port} is not used. Note,
that directory separators must be URL-encoded (using @samp{%2F}
-instead of @samp{/}).
-
-@kwindex base
-@item base=@var{string}
- Sets the default base DN for ldap operations. The base must be
-specified as a Distinguished Name in LDAP format.
-
-@kwindex binddn
-@item binddn=@var{dn}
- The DN to bind as.
-
-@kwindex bindpw
-@item bindpw=@var{password}
- Password for @code{binddn}.
-
-@kwindex bindpwfile
-@item bindpwfile=@var{file}
- Read password from @var{file}. This is a safer alternative to
-@option{bindpw}.
+instead of @samp{/}).
@end table
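Review bot: The removed and re-added `instead of @samp{/}).` lines look identical here, so the difference is whitespace only. If that was not intended, drop it so the hunk shows only the move of the `base`, `binddn`, `bindpw` and `bindpwfile` entries; if it was, make sure the new line does not carry trailing whitespace.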
@@ -2798,2 +2816,5 @@ specified as a Distinguished Name in LDAP format.
+The following keywords configure @acronym{LDAP} lookups and
+replies.
+
@table @option
@@ -2801,5 +2822,33 @@ specified as a Distinguished Name in LDAP format.
@item filter=@var{pattern}
-
+ Specifies @acronym{LDAP} filter. The @var{pattern} can use the
+usual variables (@pxref{expansion}). For example:
+
+@example
+database user ldap filter=(&(objectClass=posixAccount)(uid=$key))
+@end example
+
+There is no default for this option, so it is mandatory.
+@end table
+
+ Replies are configured via the following three keywords:
+
+@table @option
@kwindex positive-reply
@item positive-reply=@var{reply}
+ Defines a positive reply string. It is used when the @acronym{LDAP}
+lookup using the defined filter returned one or more objects. Only
+the first returned object is used. The @var{reply} string can contain
+the basic @command{smap} variables @samp{$db}, @samp{$map}, and
+@samp{$key}. It can also refer to values of any attribute from the
+returned object using the variable notation. For example:
+
+@example
+positive-reply="OK $uid"
+@end example
+
+@noindent
+returns the string @samp{OK} followed by the value of the @option{uid}
+attribute.
+
+The default positive reply string is @samp{OK}.
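Review bot: The `filter` entry documents that @var{pattern} expands the usual variables and gives `(uid=$key)` as the example, but does not say whether the value of `$key` is escaped for LDAP filter syntax before substitution. The key comes from the client, so a value containing `*`, `(`, `)` or `\` would change the meaning of the filter unless it is escaped; the text should state the module's behaviour here, and if no escaping is done, say so and advise restricting which keys reach the map. In the `positive-reply` entry, "Only the first returned object is used" should also say which value is substituted when the referenced attribute is multi-valued or absent from the object.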
@@ -2808,4 +2857,16 @@ specified as a Distinguished Name in LDAP format.
+Defines the negative reply string, which is used when the
+@acronym{LDAP} lookup returns empy set of objects. The @var{reply}
+string can contain the basic @command{smap} variables @samp{$db},
+@samp{$map}, and @samp{$key}.
+
+The default negative reply string is @samp{NOTFOUND}.
+
@kwindex onerror-reply
@item onerror-reply=@var{reply}
+Defines the string to be returned if the @acronym{LDAP} lookup fails.
+The @var{reply} argument can contain the basic @command{smap}
+variables @samp{$db}, @samp{$map}, and @samp{$key}.
+
+The default value is @samp{NOTFOUND}.
@end table
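Review bot: The `onerror-reply` entry gives @samp{NOTFOUND} as its default, the same string as the default negative reply, so with default settings a client cannot tell a failed lookup from an entry that does not exist. The documentation should point this out and suggest setting a distinct `onerror-reply` where the caller must treat lookup failure differently from absence. In the negative reply paragraph, "returns empy set of objects" should read "returns an empty set of objects".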
