invalid login_ldap.conf example
It's worth noting that Active Directory computer objects also derive from the
'user' objectClass and you probably wish to exclude those. The recommended
way [1] to search for user accounts only is to use
'(&(objectClass=user)(objectCategory=person))', although in practice
everything which has objectCategory=person also has objectClass=user, so the
login_ldap.conf filter line can be written as:

+# Filter for Microsoft Active Directory accounts
+#filter=(&(objectCategory=person)(sAMAccountName=%u))

-Andrew

[1] https://learn.microsoft.com/en-us/windows/win32/ad/deciding-what-to-find

On Mon, Feb 16, 2026 at 10:59 AM Chaz Kettleson <chaz@pyr3x.com> wrote:
>
> On Mon, Feb 16, 2026 at 04:20:40PM +0100, Claudio Jeker wrote:
> > On Mon, Feb 16, 2026 at 09:49:54AM -0500, Chaz Kettleson wrote:
> > > Hello,
> > >
> > > I've been playing with setting up LDAP with ldapd(8) for authentication.
> > > Using the example login_ldap.conf there is a colon and line continuation
> > > between binddn and bindpw. Initially I thought this was for a
> > > 'user:password' setup, but it appears that is not the case. I've been
> > > able to get it to work by removing the ':\'. Adding 'ldap' as an
> > > authentication style in login.conf, authentication succeeds.
> > >
> > > While we are here, update the example to be more in line with other
> > > examples using "example.com". Also, use posixAccount/uid instead of the
> > > more AD specific user/sAMAccountName. This is also in line with what the
> > > example ypldap.conf uses.
> > >
> > > --
> > > Chaz
> > >
> > > diff --git i/etc/examples/login_ldap.conf w/etc/examples/login_ldap.conf
> > > index 4f4e9381b4b..ab5f7203d15 100644
> > > --- i/etc/examples/login_ldap.conf
> > > +++ w/etc/examples/login_ldap.conf
> > > @@ -2,7 +2,7 @@ host=ldap+tls://1.2.3.4:8389
> > >  host=ldap://localhost
> > >  cacert=/etc/ssl/ca-ldap.pem
> > >  scope=sub
> > > -basedn=dc=openbsd,dc=org
> > > -binddn=cn=admin,dc=openbsd,dc=org:\
> > > +basedn=dc=example,dc=com
> > > +binddn=cn=admin,dc=example,dc=com
> > >  bindpw=password
> > > -filter=(&(objectClass=user)(sAMAccountName=%u))
> > > +filter=(&(objectClass=posixAccount)(uid=%u))
> > >
> >
> > This file format supports comments with '#' so maybe the example file
> > should include both filters with a comment.
> > Apart from the OK from me.
> >
> > --
> > :wq Claudio
> >
>
> Sure.
>
> --
> Chaz
>
> diff --git i/etc/examples/login_ldap.conf w/etc/examples/login_ldap.conf
> index 4f4e9381b4b..3254fc26d59 100644
> --- i/etc/examples/login_ldap.conf
> +++ w/etc/examples/login_ldap.conf
> @@ -2,7 +2,10 @@ host=ldap+tls://1.2.3.4:8389
>  host=ldap://localhost
>  cacert=/etc/ssl/ca-ldap.pem
>  scope=sub
> -basedn=dc=openbsd,dc=org
> -binddn=cn=admin,dc=openbsd,dc=org:\
> +basedn=dc=example,dc=com
> +binddn=cn=admin,dc=example,dc=com
>  bindpw=password
> -filter=(&(objectClass=user)(sAMAccountName=%u))
> +# Filter for RFC 2307 POSIX accounts
> +filter=(&(objectClass=posixAccount)(uid=%u))
> +# Filter for Microsoft Active Directory accounts
> +#filter=(&(objectClass=user)(sAMAccountName=%u))
>
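Review bot: in the first patch (index 4f4e9381b4b..ab5f7203d15), the hunk leaves `bindpw=password` as a cleartext credential directly under the corrected `binddn=` line while the unchanged context above still lists a second, plain `host=ldap://localhost` entry; a simple bind over plain ldap:// sends that password unencrypted, and the `cacert=` line only matters for the ldap+tls host. Since these lines are being edited anyway, a one-line comment that the file holds a directory credential (so it must not be world-readable) and that the bind goes in the clear to a non-TLS host would save the next admin from copying the example as-is.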
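Review bot: in the second patch (index 4f4e9381b4b..3254fc26d59), the commented AD variant on the last added line, `+#filter=(&(objectClass=user)(sAMAccountName=%u))`, still matches Active Directory computer objects, which also carry objectClass=user, as Andrew's follow-up in this thread notes. Before committing, narrow the commented example to `#filter=(&(objectCategory=person)(sAMAccountName=%u))` (or the documented `(&(objectClass=user)(objectCategory=person)(sAMAccountName=%u))` form) so that the example does not grant a login path to machine accounts.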
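The thread turns on two details of the `filter=` line: which objects the AD filter actually selects (computer accounts carry objectClass=user too), and the fact that `%u` is interpolated into a search filter. The block below is an added example, not code from the thread and not OpenBSD's login_ldap(8). It evaluates the three filter lines under discussion against a handful of constructed directory entries with a tiny RFC 4515-style filter parser, so the objectClass=user versus objectCategory=person difference can be seen offline. Whether login_ldap(8) itself escapes the value substituted for `%u` is not stated on the page; the `escape=False` path is there only to show what an unescaped substitution would do. The entry data, the short-name form of objectCategory, and the helper names are all assumptions of this example.

```python
# Added example: not code from the thread or from OpenBSD's login_ldap(8).
# Evaluates the login_ldap.conf filter lines discussed above against
# constructed directory entries using a minimal LDAP filter evaluator.
import re

FILTER_AD_OLD = "(&(objectClass=user)(sAMAccountName=%u))"
FILTER_AD_NEW = "(&(objectCategory=person)(sAMAccountName=%u))"
FILTER_POSIX = "(&(objectClass=posixAccount)(uid=%u))"

# Constructed entries (assumption). Attribute names are lowercased and
# objectCategory is stored as its short schema name; a real AD server
# expands "person" to the CN=Person,... schema DN before matching.
ENTRIES = {
    "alice": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["person"],
        "samaccountname": ["alice"],
    },
    "WS01$": {  # a domain-joined workstation: objectClass also includes 'user'
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "objectcategory": ["computer"],
        "samaccountname": ["WS01$"],
    },
    "bob": {  # an RFC 2307 account on a non-AD directory
        "objectclass": ["top", "inetOrgPerson", "posixAccount"],
        "uid": ["bob"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Undo RFC 4515 \\xx escapes when comparing against stored values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute %u. escape=False models an unescaped substitution; whether
    login_ldap(8) escapes %u is an assumption not settled by the thread."""
    return template.replace("%u", escape_filter_value(username) if escape else username)


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1


def matches(node, entry) -> bool:
    """Case-insensitive equality and presence matching, as for these attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    if val == "*":  # presence filter: any value at all
        return bool(values)
    return unescape_filter_value(val).lower() in values


def search(template: str, username: str, escape: bool = True):
    """Names of the entries the filled-in filter would return, in dict order."""
    flt = build_filter(template, username, escape)
    node, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing data in filter %r" % flt)
    return [name for name, entry in ENTRIES.items() if matches(node, entry)]


if __name__ == "__main__":
    for tmpl, user in [(FILTER_AD_OLD, "WS01$"), (FILTER_AD_NEW, "WS01$"),
                       (FILTER_AD_NEW, "alice"), (FILTER_POSIX, "bob")]:
        print(build_filter(tmpl, user), "->", search(tmpl, user))
    # A login name of "*" substituted unescaped into the old AD filter turns
    # the sAMAccountName assertion into a presence test and returns every
    # user object, the workstation included.
    print(build_filter(FILTER_AD_OLD, "*", escape=False), "->",
          search(FILTER_AD_OLD, "*", escape=False))
```

Running the block shows the old AD filter returning the workstation account `WS01$` (it has objectClass=user), the objectCategory=person variant returning nothing for it and only `alice` for a person, and the posixAccount filter returning `bob`. The last line shows why the value substituted for `%u` has to be escaped before it reaches the directory.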