ypserv(4)
NAME
ypserv - configuration file for NIS to LDAP transition daemons
SYNOPSIS
/etc/default/ypserv
DESCRIPTION
The ypserv file specifies configuration information for the
ypserv(1M) daemon. Configuration information can come from
LDAP or be specified in the ypserv file.
You can create a simple ypserv file by running inityp2l(1M).
The ypserv file can then be customized as required.
A related NISLDAPmapping file contains mapping information
that converts NIS entries into LDAP entries. See the
NISLDAPmapping(4) man page for an overview of the setup that
is needed to map NIS data to or from LDAP.
EXTENDED DESCRIPTION
The ypserv(1M) server recognizes the attributes that follow.
Values specified for these attributes in the ypserv file,
including any empty values, override values that are
obtained from LDAP. However, the nisLDAPconfig* values are
read from the ypserv file only.
Attributes
The following are attributes that are used for initial configuration.
nisLDAPconfigDN
The DN for configuration information. If nisLDAPconfigDN is
empty, all other nisLDAPconfig* values are ignored.
nisLDAPconfigPreferredServerList
The list of servers to use for the configuration
phase. There is no default value. The following is an
example of a value for nisLDAPconfigPreferredServerList:
nisLDAPconfigPreferredServerList=127.0.0.1:389
nisLDAPconfigAuthenticationMethod
The authentication method used to obtain the configuration
information. The recognized values for
nisLDAPconfigAuthenticationMethod are:
none
No authentication attempted.
simple
Password of proxy user sent in the clear to the LDAP server.
sasl/cram-md5
Use SASL/CRAM-MD5 authentication. This authentication method
may not be supported by all LDAP servers. A password must be
supplied.
sasl/digest-md5
Use SASL/DIGEST-MD5 authentication. The SASL/DIGEST-MD5
authentication method may not be supported by all LDAP
servers. A password must be supplied.
nisLDAPconfigAuthenticationMethod has no default
value. The following is an example of a value for
nisLDAPconfigAuthenticationMethod:
nisLDAPconfigAuthenticationMethod=simple
nisLDAPconfigTLS
The transport layer security used for the connection
to the server. The recognized values are:
none No encryption of transport layer data. The
default value is none.
ssl SSL encryption of transport layer data. A certificate is
required.
Export and import control restrictions might limit the
availability of transport layer security.
nisLDAPconfigTLSCertificateDBPath
The name of the file that contains the certificate database.
The default path is /var/yp, and the default file name is
cert7.db.
nisLDAPconfigProxyUser
The proxy user used to obtain configuration information.
nisLDAPconfigProxyUser has no default value. If the value
ends with a comma, the value of the nisLDAPconfigDN attribute
is appended. For example:
nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,
nisLDAPconfigProxyPassword
The password that should be supplied to LDAP for the
proxy user when the authentication method requires
one. To avoid exposing this password publicly on the
machine, the password should only appear in the configuration
file, and the file should have an appropriate owner, group,
and file mode. nisLDAPconfigProxyPassword has no default
value.
The following are attributes used for data retrieval. The
object class name used for these attributes is nisLDAPconfig.
preferredServerList
The list of servers to use to read or to write mapped
NIS data from or to LDAP. preferredServerList has no
default value. For example:
preferredServerList=127.0.0.1:389
authenticationMethod
The authentication method to use to read or to write mapped
NIS data from or to LDAP. For recognized values, see the
nisLDAPconfigAuthenticationMethod attribute.
authenticationMethod has no default value. For example:
authenticationMethod=simple
nisLDAPTLS
The transport layer security to use to read or to write NIS
data from or to LDAP. For recognized values, see the
nisLDAPconfigTLS attribute. The default value is none. Export
and import control restrictions might limit the availability
of transport layer security.
nisLDAPTLSCertificateDBPath
The name of the file that contains the certificate DB.
For recognized and default values for
nisLDAPTLSCertificateDBPath, see the
nisLDAPconfigTLSCertificateDBPath attribute.
nisLDAPproxyUser
Proxy user used by the ypserv server to read or to
write from or to LDAP. Assumed to have the appropriate
permission to read and modify LDAP data. There is no
default value. If the value ends in a comma, the value
of the context for the current domain, as defined by a
nisLDAPdomainContext attribute, is appended. See
NISLDAPmapping(4). For example:
nisLDAPproxyUser=cn=nisAdmin,ou=People,
nisLDAPproxyPassword
The password that should be supplied to LDAP for the
proxy user when the authentication method so requires.
To avoid exposing this password publicly on the
machine, the password should only appear in the configuration
file, and the file must have an appropriate
owner, group, and file mode. nisLDAPproxyPassword has
no default value.
nisLDAPsearchTimeout
Establishes the timeout for the LDAP search operation.
The default value for nisLDAPsearchTimeout is 180
seconds.
nisLDAPbindTimeout
nisLDAPmodifyTimeout
nisLDAPaddTimeout
nisLDAPdeleteTimeout
Establish timeouts for LDAP bind, modify, add, and delete
operations, respectively. The default value is 15 seconds for
each attribute. Decimal values are allowed.
nisLDAPsearchTimeLimit
Establish a value for the LDAP_OPT_TIMELIMIT option,
which suggests a time limit for the search operation
on the LDAP server. The server may impose its own con-
straints on possible values. See your LDAP server
documentation. The default is the nisLDAPsearchTimeout
value. Only integer values are allowed.
Since the nisLDAPsearchTimeout limits the amount of
time the client ypserv will wait for completion of a
search operation, do not set the value of
nisLDAPsearchTimeLimit larger than the value of
nisLDAPsearchTimeout.
nisLDAPsearchSizeLimit
Establish a value for the LDAP_OPT_SIZELIMIT option,
which suggests a size limit, in bytes, for the search
results on the LDAP server. The server may impose its
own constraints on possible values. See your LDAP server
documentation. The default value for nisLDAPsearchSizeLimit
is zero, which means the size limit is
unlimited. Only integer values are allowed.
nisLDAPfollowReferral
Determines if the ypserv should follow referrals or
not. Recognized values for nisLDAPfollowReferral are yes and
no. The default value for nisLDAPfollowReferral is no.
The following attributes specify the action to be taken when
some event occurs. The values are all of the form
event=action. The default action is the first one listed for
each event.
nisLDAPretrieveErrorAction
If an error occurs while trying to retrieve an entry
from LDAP, one of the following actions can be
selected:
use_cached
Retry the retrieval the number of times specified by
nisLDAPretrieveErrorAttempts, with the
nisLDAPretrieveErrorTimeout value controlling the wait
between each attempt.
If all attempts fail, then a warning is logged
and the value currently in the cache is returned
to the client.
fail Proceed as for use_cached, but if all attempts
fail, a YPERR_YPERR error is returned to the
client.
nisLDAPretrieveErrorAttempts
The number of times a failed retrieval should be
retried. The default value for nisLDAPretrieveErrorAttempts
is unlimited. While retries are made, the ypserv daemon will
be prevented from servicing further requests.
nisLDAPretrieveErrorAttempts values other than 1 should be
used with caution.
nisLDAPretrieveErrorTimeout
The timeout in seconds between each new attempt to
retrieve LDAP data. The default value for
nisLDAPretrieveErrorTimeout is 15 seconds.
nisLDAPstoreErrorAction
If an error occurs while trying to store data to the LDAP
repository, one of the following actions can be selected:
retry Retry operation nisLDAPstoreErrorAttempts times
with nisLDAPstoreErrorTimeout seconds between
each attempt. While retries are made, the NIS
daemon will be prevented from servicing further
requests. Use with caution.
fail Return YPERR_YPERR error to the client.
nisLDAPstoreErrorAttempts
The number of times a failed attempt to store should
be retried. The default value for nisLDAPstoreErrorAttempts
is unlimited. The value for nisLDAPstoreErrorAttempts is
ignored unless
nisLDAPstoreErrorAction=retry.
nisLDAPstoreErrorTimeout
The timeout, in seconds, between each new attempt to store
LDAP data. The default value for nisLDAPstoreErrorTimeout is
15 seconds. The nisLDAPstoreErrorTimeout value is ignored
unless nisLDAPstoreErrorAction=retry.
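Several of the attribute descriptions above state constraints that are easy to get wrong by hand: an empty nisLDAPconfigDN silently disables the other nisLDAPconfig* values, simple authentication over nisLDAPconfigTLS=none sends the proxy password in the clear, a proxy user ending in a comma has a DN appended, nisLDAPsearchTimeLimit must not exceed nisLDAPsearchTimeout, nisLDAPretrieveErrorAttempts other than 1 stalls the daemon, and the file holding a proxy password needs a restrictive owner and mode. The Python script below is an added example, not part of the Solaris documentation or of ypserv itself; it checks those rules over an attribute=value file of the shape shown on this page. The sample configuration it embeds is constructed for the demonstration, and the lint rules encode only what this page states.

```python
"""Lint a ypserv(4)-style configuration (added example; not Sun's code).

The sample below is constructed and deliberately contains settings the man
page warns about, so that the checker has something to report.
"""
import stat

SAMPLE_YPSERV = """\
# /etc/default/ypserv (constructed sample, not a real deployment)
nisLDAPconfigDN=ou=NisConfig,dc=example,dc=com
nisLDAPconfigPreferredServerList=127.0.0.1:389
nisLDAPconfigAuthenticationMethod=simple
nisLDAPconfigTLS=none
nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,
nisLDAPconfigProxyPassword=placeholder-password
nisLDAPsearchTimeout=180
nisLDAPsearchTimeLimit=300
nisLDAPretrieveErrorAction=use_cached
nisLDAPretrieveErrorAttempts=5
"""

# Recognized values taken from the attribute descriptions on this page.
AUTH_METHODS = {"none", "simple", "sasl/cram-md5", "sasl/digest-md5"}
TLS_MODES = {"none", "ssl"}


def parse_ypserv(text):
    """Return {attribute: value}. Blank and '#' lines are skipped. An attribute
    with an empty value is kept, because the page says an empty value in the
    file still overrides the value obtained from LDAP."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def effective_proxy_user(conf, user_attr, dn_attr):
    """Apply the trailing-comma rule: a proxy user value ending in ',' has the
    DN named by dn_attr appended to it."""
    user = conf.get(user_attr, "")
    return user + conf.get(dn_attr, "") if user.endswith(",") else user


def lint_ypserv(conf):
    """Return a list of findings derived from the rules on the man page."""
    findings = []
    if "nisLDAPconfigDN" in conf and not conf["nisLDAPconfigDN"]:
        findings.append("nisLDAPconfigDN is empty, so every other "
                        "nisLDAPconfig* value is ignored")
    method = conf.get("nisLDAPconfigAuthenticationMethod", "")
    tls = conf.get("nisLDAPconfigTLS", "none") or "none"
    if method and method not in AUTH_METHODS:
        findings.append(f"unrecognized authentication method {method!r}")
    if tls not in TLS_MODES:
        findings.append(f"unrecognized nisLDAPconfigTLS value {tls!r}")
    if method == "simple" and tls == "none":
        findings.append("simple authentication over nisLDAPconfigTLS=none "
                        "sends the proxy password in the clear")
    if method in AUTH_METHODS - {"none"} and not conf.get("nisLDAPconfigProxyPassword"):
        findings.append(f"{method} requires nisLDAPconfigProxyPassword")
    try:
        # Page defaults: searchTimeout 180 s; searchTimeLimit defaults to it.
        timeout = float(conf.get("nisLDAPsearchTimeout", "180"))
        limit = int(conf.get("nisLDAPsearchTimeLimit", str(int(timeout))))
        if limit > timeout:
            findings.append("nisLDAPsearchTimeLimit exceeds nisLDAPsearchTimeout; "
                            "ypserv will give up waiting before the server does")
    except ValueError:
        findings.append("nisLDAPsearchTimeout/nisLDAPsearchTimeLimit must be numeric")
    attempts = conf.get("nisLDAPretrieveErrorAttempts")
    if attempts is not None and attempts != "1":
        findings.append("nisLDAPretrieveErrorAttempts other than 1 blocks ypserv "
                        "from serving requests while it retries; use with caution")
    return findings


def password_file_mode_ok(mode, uid, owner_uid=0):
    """True when a file holding the proxy password is owned by owner_uid and
    carries no group or other permission bits (mode/uid as from os.stat)."""
    return uid == owner_uid and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    conf = parse_ypserv(SAMPLE_YPSERV)
    print("proxy user:", effective_proxy_user(conf, "nisLDAPconfigProxyUser",
                                              "nisLDAPconfigDN"))
    for finding in lint_ypserv(conf):
        print("WARN:", finding)
```

To check a live file, pass the text of /etc/default/ypserv to parse_ypserv and the st_mode and st_uid from os.stat of that file to password_file_mode_ok; the sample above produces three warnings (clear-text password, search limit above the search timeout, and retry count other than 1).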
Storing Configuration Attributes in LDAP
Most attributes described on this man page, as well as those
described on NISLDAPmapping(4), can be stored in LDAP. In
order to do so, you will need to add the following definitions
to your LDAP server, which are described here in LDIF format
suitable for use by ldapadd(1). The attribute and objectclass
OIDs are examples only.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \
DESC 'Preferred LDAP server host addresses used by DUA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
DESC 'Authentication method used to contact the DSA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
NAME 'nisLDAPTLS' \
DESC 'Transport Layer Security' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \
NAME 'nisLDAPTLSCertificateDBPath' \
DESC 'Certificate file' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
NAME 'nisLDAPproxyUser' \
DESC 'Proxy user for data store/retrieval' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \
NAME 'nisLDAPproxyPassword' \
DESC 'Password/key/shared secret for proxy user' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \
NAME 'nisLDAPretrieveErrorAction' \
DESC 'Action following an LDAP search error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \
NAME 'nisLDAPretrieveErrorAttempts' \
DESC 'Number of times to retry an LDAP search' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \
NAME 'nisLDAPretrieveErrorTimeout' \
DESC 'Timeout between each search attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \
NAME 'nisLDAPstoreErrorAction' \
DESC 'Action following an LDAP store error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \
NAME 'nisLDAPstoreErrorAttempts' \
DESC 'Number of times to retry an LDAP store' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \
NAME 'nisLDAPstoreErrorTimeout' \
DESC 'Timeout between each store attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \
NAME 'nisLDAPdomainContext' \
DESC 'Context for a single domain' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \
NAME 'nisLDAPyppasswddDomains' \
DESC 'List of domains for which password changes are made' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \
NAME 'nisLDAPdatabaseIdMapping' \
DESC 'Defines a database id for a NIS object' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \
NAME 'nisLDAPentryTtl' \
DESC 'TTL for cached objects derived from LDAP' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \
NAME 'nisLDAPobjectDN' \
DESC 'Location in LDAP tree where NIS data is stored' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 \
NAME 'nisLDAPnameFields' \
DESC 'Rules for breaking NIS entries into fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 \
NAME 'nisLDAPsplitFields' \
DESC 'Rules for breaking fields into sub fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \
NAME 'nisLDAPattributeFromField' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \
NAME 'nisLDAPfieldFromAttribute' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \
NAME 'nisLDAPrepeatedFieldSeparators' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \
NAME 'nisLDAPcommentChar' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \
NAME 'nisLDAPmapFlags' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
DESC 'NIS/LDAP mapping configuration' \
SUP top STRUCTURAL \
MAY ( cn $ preferredServerList $
authenticationMethod $ nisLDAPTLS $
nisLDAPTLSCertificateDBPath $
nisLDAPproxyUser $ nisLDAPproxyPassword $
nisLDAPretrieveErrorAction $
nisLDAPretrieveErrorAttempts $
nisLDAPretrieveErrorTimeout $
nisLDAPstoreErrorAction $
nisLDAPstoreErrorAttempts $
nisLDAPstoreErrorTimeout $
nisLDAPdomainContext $
nisLDAPyppasswddDomains $
nisLDAPdatabaseIdMapping $
nisLDAPentryTtl $
nisLDAPobjectDN $
nisLDAPnameFields $
nisLDAPsplitFields $
nisLDAPattributeFromField $
nisLDAPfieldFromAttribute $
nisLDAPrepeatedFieldSeparators $
nisLDAPcommentChar $
nisLDAPmapFlags ) )
Create a file containing the following LDIF data. Substitute
your actual nisLDAPconfigDN for configDN:
dn: configDN
objectClass: top
objectClass: nisLDAPconfig
Use this file as input to the ldapadd(1) command in order to
create the NIS to LDAP configuration entry. Initially, the
entry is empty. You can use the ldapmodify(1) command to add
configuration attributes.
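Because the schema definitions above are hand-written LDIF, a stray parenthesis, an OID reused by two definitions, or an attribute that the object class lists in MAY but no attributetypes line defines is only discovered when ldapadd(1) rejects the file. The Python script below is an added example, not part of the Solaris documentation or of ypserv, that checks a backslash-continued schema LDIF of this shape before it is loaded. The shortened LDIF it embeds is constructed for the demonstration (it reuses the example OIDs from this page and includes one broken definition on purpose), and the assumption that cn is already supplied by the server's core schema is marked in the code.

```python
"""Sanity-check schema LDIF of the kind shown on this page (added example).

Assumes the backslash-continued attributetypes/objectclasses layout used on
the page. The embedded LDIF is a constructed, shortened sample.
"""
import re

SAMPLE_SCHEMA_LDIF = r"""dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
    NAME 'nisLDAPTLS' \
    DESC 'Transport Layer Security' \
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
    NAME 'nisLDAPproxyUser' \
    DESC 'Proxy user for data store/retrieval' \
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 ) \
    NAME 'nisLDAPnameFields' \
    DESC 'Rules for breaking NIS entries into fields' \
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
    DESC 'NIS/LDAP mapping configuration' \
    SUP top STRUCTURAL \
    MAY ( cn $ nisLDAPTLS $ nisLDAPproxyUser $ nisLDAPproxyPassword $ nisLDAPnameFields ) )
"""

# Assumption: these attributes come from the server's core schema, so the
# LDIF is not expected to define them.
STANDARD_ATTRIBUTES = {"cn"}


def logical_lines(text):
    """Join physical lines that end in a backslash into logical LDIF lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf.rstrip())
    return lines


def parse_definition(value):
    """Parse one attributetypes/objectclasses value into its OID, NAME, MAY
    list, and whether its parentheses are balanced (the outer group must
    close exactly once, at the very end)."""
    depth, balanced = 0, value.startswith("(")
    for i, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(value) - 1:
                balanced = False
    balanced = balanced and depth == 0
    oid = re.match(r"\(\s*(\S+)", value)
    name = re.search(r"NAME\s+'([^']+)'", value)
    may = re.search(r"MAY\s*\((.*?)\)", value)
    return {
        "oid": oid.group(1) if oid else None,
        "name": name.group(1) if name else None,
        "may": [a.strip() for a in may.group(1).split("$")] if may else [],
        "balanced": balanced,
    }


def check_schema_ldif(text):
    """Return a list of problems: unbalanced definitions, reused OIDs, and
    MAY attributes that no attributetypes line defines."""
    problems, seen_oids, attr_names, classes = [], {}, set(), []
    for line in logical_lines(text):
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if key not in ("attributetypes", "objectclasses"):
            continue
        d = parse_definition(value.strip())
        label = d["name"] or d["oid"] or "<unnamed>"
        if not d["balanced"]:
            problems.append(f"{key}: unbalanced parentheses in {label}")
        if d["oid"] in seen_oids:
            problems.append(f"{key}: OID {d['oid']} of {label} "
                            f"already used by {seen_oids[d['oid']]}")
        elif d["oid"]:
            seen_oids[d["oid"]] = label
        if key == "attributetypes" and d["name"]:
            attr_names.add(d["name"])
        if key == "objectclasses":
            classes.append(d)
    for c in classes:
        for attr in c["may"]:
            if attr not in attr_names and attr not in STANDARD_ATTRIBUTES:
                problems.append(f"objectclasses: {c['name']} lists undefined attribute {attr}")
    return problems


if __name__ == "__main__":
    for problem in check_schema_ldif(SAMPLE_SCHEMA_LDIF):
        print("PROBLEM:", problem)
```

On the sample it reports three problems: the misplaced parenthesis in nisLDAPnameFields, the OID that the nisLDAPTLS attribute and the nisLDAPconfig object class share, and nisLDAPproxyPassword appearing in MAY without a definition. To check the page's full schema, read the LDIF into a string and pass it to check_schema_ldif; servers differ in how strictly they reject each of these, so catching them before ldapadd(1) runs is cheaper than decoding the server's error.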
EXAMPLES
Example 1: Creating a NIS to LDAP Configuration Entry
To set the server list to port 389 on 127.0.0.1, create the
following file and use it as input to ldapmodify(1):
dn: configDN
preferredServerList: 127.0.0.1:389
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWypu |
|_____________________________|_____________________________|
| Interface Stability | Obsolete |
|_____________________________|_____________________________|
SEE ALSO
ldapadd(1), ldapmodify(1), inityp2l(1M), ypserv(1M),
NISLDAPmapping(4), attributes(5)
System Administration Guide: Naming and Directory Services
(DNS, NIS, and LDAP)