etc/ldap.conf
# /etc/ldap.conf
#
# This is the configuration file for OpenSSH LDAP Public Keys (ssh-ldap-pubkey).
#
# This file actually uses a subset of directives from configuration file of the
# LDAP nameservice switch library and the LDAP PAM module, so the same file can
# be used for all these services.
#
# Specifies the URI(s) of the LDAP server(s) to connect to. The URI scheme may
# be ldap, or ldaps, specifying LDAP over TCP or SSL respectively. A port
# number can be specified; the default port number for the selected protocol
# is used if omitted.
uri ldap://localhost
# The distinguished name of the search base.
base dc=example,dc=org
# The LDAP version to use. Default is 3 if supported by client library.
#ldap_version 3
# Enable SASL and specify mechanism to use (currently supported: GSSAPI).
#sasl GSSAPI
# The distinguished name to bind to the server with.
# Default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=org
# The credentials to bind with. Default is no credential.
#bindpw secret
# The search scope; sub, one, or base.
scope one
# Specifies if the client should automatically follow referrals returned
# by LDAP servers. This must be typically disabled for Active Directory.
# Default is "on".
referrals off
# Search timelimit in seconds (0 for indefinite).
timelimit 5
# Bind/connect timelimit (0 for indefinite).
bind_timelimit 5
# The filter to use when retrieving user information, additional to the login
# attribute value assertion (pam_login_attribute=<login>).
#pam_filter objectclass=posixAccount
# The user ID attribute (defaults to 'uid').
#pam_login_attribute uid
# RFC2307bis naming contexts
# Syntax is:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub} and filter is a filter to be &'d with the
# default filter.
nss_base_passwd ou=People,dc=example,dc=org?one
# CA certificates for server certificate verification.
tls_cacertdir /etc/ssl/certs
# Name of LDAP attribute used for SSH public keys.
pubkey_attr sshPublicKey