The different configuration options are:
URI <ldap[si]://[name[:port]] ...>
Specifies the URI(s) of an LDAP server(s) to which the
LDAP library should connect. The URI scheme may be any of
ldap, ldaps or ldapi, which refer to LDAP over TCP, LDAP
over SSL (TLS) and LDAP over IPC (UNIX domain sockets),
respectively. Each server's name can be specified as a
domain-style name or an IP address literal. Optionally,
the server's name can be followed by a ':' and the port
number the LDAP server is listening on. If no port number
is provided, the default port for the scheme is used (389
for ldap://, 636 for ldaps://). For LDAP over IPC, name
is the name of the socket, and no port is required, nor
allowed; note that directory separators must be
URL-encoded, like any other characters that are special
to URLs; so the socket /usr/local/var/ldapi must be
specified as ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi. A
space separated list of URIs may be provided.
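As an added example (not part of ldap.conf(5) or OpenLDAP's own code), the following Python applies the URI rules just described to the value of a URI line: per-scheme default port, no port for ldapi://, and a percent-encoded socket path; it also flags plain ldap:// entries to non-loopback hosts, where a simple bind would send credentials in the clear unless StartTLS is negotiated. The host names and socket paths in the checks are constructed; nothing is connected to.

```python
import re
from urllib.parse import unquote

# Default ports per scheme, as stated for the URI option in ldap.conf(5).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

_URI_RE = re.compile(r"^(ldap|ldaps|ldapi)://([^/?#]*)(/[^?#]*)?", re.IGNORECASE)
_HOSTPORT_RE = re.compile(
    r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:]*))(?::(?P<port>\d+))?$")


def parse_ldap_uri(uri):
    """Parse one URI from an ldap.conf URI line into a dict.

    Rules applied, as the URI option describes them: the default port
    depends on the scheme, ldapi:// names a socket and takes no port,
    and the socket path must have its '/' separators percent-encoded.
    """
    m = _URI_RE.match(uri)
    if not m:
        raise ValueError(f"not an ldap/ldaps/ldapi URI: {uri!r}")
    scheme, authority, path = m.group(1).lower(), m.group(2), m.group(3)
    if scheme == "ldapi":
        # A bare '/' after ldapi:// means the path was not URL-encoded.
        if not authority and path:
            raise ValueError("ldapi socket path must be URL-encoded (%2F for '/')")
        if ":" in authority:
            raise ValueError("ldapi:// takes no port number")
        return {"scheme": scheme, "socket": unquote(authority)}
    h = _HOSTPORT_RE.match(authority)
    if not h:
        raise ValueError(f"malformed host[:port] in {uri!r}")
    host = h.group("v6") or h.group("host") or None  # None: name omitted
    port = int(h.group("port")) if h.group("port") else DEFAULT_PORTS[scheme]
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {uri!r}")
    return {"scheme": scheme, "host": host, "port": port}


def parse_uri_option(value):
    """Parse the space-separated list of URIs the URI option accepts."""
    return [parse_ldap_uri(u) for u in value.split()]


def cleartext_warnings(servers):
    """Flag ldap:// (plain TCP) entries to non-loopback hosts: a simple bind
    sends the bind DN and password in the clear unless StartTLS is used."""
    loopback = {"localhost", "127.0.0.1", "::1"}
    return [f"{s['host']}:{s['port']} uses ldap:// (cleartext unless StartTLS)"
            for s in servers
            if s["scheme"] == "ldap" and s["host"] and s["host"] not in loopback]
```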
BASE <base>
Specifies the default base DN to use when performing ldap
operations. The base must be specified as a Distinguished
Name in LDAP format.
BINDDN <dn>
Specifies the default bind DN to use when performing ldap
operations. The bind DN must be specified as a
Distinguished Name in LDAP format. This is a user-only
option.
DEREF <when>
Specifies how alias dereferencing is done when performing
a search. The <when> can be specified as one of the
following keywords:
never
Aliases are never dereferenced. This is the default.
searching
Aliases are dereferenced in subordinates of the
base object, but not in locating the base object of
the search.
finding
Aliases are only dereferenced when locating the
base object of the search.
always
Aliases are dereferenced both in searching and in
locating the base object of the search.
HOST <name[:port] ...>
Specifies the name(s) of an LDAP server(s) to which the
LDAP library should connect. Each server's name can be
specified as a domain-style name or an IP address and
optionally followed by a ':' and the port number the ldap
server is listening on. A space separated list of hosts
may be provided. HOST is deprecated in favor of URI.
KEEPALIVE_IDLE
Sets/gets the number of seconds a connection needs to
remain idle before TCP starts sending keepalive probes.
Linux only.
KEEPALIVE_PROBES
Sets/gets the maximum number of keepalive probes TCP
should send before dropping the connection. Linux only.
KEEPALIVE_INTERVAL
Sets/gets the interval in seconds between individual
keepalive probes. Linux only.
NETWORK_TIMEOUT <integer>
Specifies the timeout (in seconds) after which the
poll(2)/select(2) following a connect(2) returns in case
of no activity.
PORT <port>
Specifies the default port used when connecting to LDAP
server(s). The port may be specified as a number. PORT
is deprecated in favor of URI.
REFERRALS <on/true/yes/off/false/no>
Specifies if the client should automatically follow
referrals returned by LDAP servers. The default is on.
Note that the command line tools ldapsearch(1) &co always
override this option.
SIZELIMIT <integer>
Specifies a size limit (number of entries) to use when
performing searches. The number should be a non-negative
integer. SIZELIMIT of zero (0) specifies a request for
unlimited search size. Please note that the server may
still apply any server-side limit on the number of entries
that can be returned by a search operation.
SOCKET_BIND_ADDRESSES <IP>
Specifies the source bind IP to be used for connecting to
target LDAP server. Multiple IP addresses must be space
separated. Only one valid IPv4 address and/or one valid
IPv6 address are allowed in the list.
TIMELIMIT <integer>
Specifies a time limit (in seconds) to use when performing
searches. The number should be a non-negative integer.
TIMELIMIT of zero (0) specifies unlimited search time to
be used. Please note that the server may still apply any
server-side limit on the duration of a search operation.
VERSION {2|3}
Specifies what version of the LDAP protocol should be
used.
TIMEOUT <integer>
Specifies a timeout (in seconds) after which calls to
synchronous LDAP APIs will abort if no response is
received. Also used for any ldap_result(3) calls where a
NULL timeout parameter is supplied.