<ldapauth baserdn="ou=People,dc=brainbox,dc=cc"
          attribute="uid"
          server="ldap://brainwave.brainbox.cc"
          allowpattern="Guest*"
          killreason="Access denied"
          searchscope="subtree"
          binddn="cn=Manager,dc=brainbox,dc=cc"
          bindauth="mysecretpass"
          verbose="yes"
          userfield="no">

The variables in the tag have the following meanings:

• baserdn indicates the base Distinguished Name to search in for users.
• attribute indicates the attribute which is used to locate a user account by name. On POSIX systems this is usually 'uid'.
• server indicates the LDAP server to connect to. The ldap:// style scheme before the hostname proper is MANDITORY. If your openldap libraries support it, you may use the ldaps:// scheme to indicate an SSL conenction.
• allowpattern allows you to specify a wildcard mask which will always be allowed to connect regardless of if they have an account, for example guest users.
• killreason indicates the QUIT reason to give to users if they fail to authenticate.
• searchscope indicates the depth of search to perform. The default is 'subtree', supported types are 'subtree', 'base' and 'onelevel'. Subtree recursively searches the entire tree from the starting point given as baserdn, which is recommended.
• verbose when set causes an oper notice to be sent out for every failed authentication to the server, with an error string from the LDAP server.
• binddn and bindauth indicate the Distinguished Name to bind to for searching, and the password for the distinguished name. Some LDAP servers will allow anonymous searching in which case these two values do not need defining, otherwise they should be set similar to the examples above.
• userfield If set to yes, then the connecting user's username/ident field is used as the username field for the LDAP search. The default, with this option set to no, is to use the user's nickname as the username for the LDAP search. (IMPORTANT: It is recommended that you do not run m_ident.so on a server where this value is set to YES. If you do, you may complicate matters for users trying to connect to your server, as the username field may vary in value depending on how long after connecting they authenticate to the LDAP server.)

PASS :password

It is important to note that many LDAP systems will have case sensitive usernames, this will mean that the nickname used to connect to IRC must also match the case of the username, even though IRC nicknames themselves are not case sensitive!

The user will not be prompted for their password, if this is not clear enough to your users, you should place it into the kill message. It is highly recommended that if you are using a system such as this, you should disable nick changing once users are connected with the following syntax in your configuration file:

<disabled commands="NICK">

With such a setting in place, you can be sure that everyone who connects is registered, and they cannot possibly impersonate others. Beware of mixing this system with other systems which may force user nickchanges. If a users nick is changed when such a system is in place, they will be unable to change it back without reconnecting!

When a user is authenticated, the SASL LDAP bind type is used, which in short means the authentication is left to the LDAP server, allowing support for practically any authentication method you may be using internally.

This module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module follow these steps.