nsd_openldap.conf man page on IRIX

     nsd_openldap.conf(4)      UNIX System V	  nsd_openldap.conf(4)

     NAME
	  nsd_openldap.conf - OpenLDAP configuration file for NSD

     SYNOPSIS
	  /var/ns/nsd_openldap.conf

     DESCRIPTION
	  This file controls the behavior of the OpenLDAP client
	  implementation for nsd.  It is read by the initialization
	  routine of the nsd_openldap library when the nsd daemon is
	  started, or sent the SIGHUP signal.  This file contains
	  information about remote LDAP daemons, database schemas and
	  format rules.

	  The file is made up of comment lines, declaration sections
	  for the server and database configurations, and the use
	  command.  Comment lines begin with a #.  Declaration
	  sections begin with the keyword specifying the type of
	  declaration, followed by an identifier and then the
	  definition block contained within braces, {}.	 The order of
	  the declaration sections and commands is not important.

	  server
	       Defines an LDAP server configuration.  A server
	       definition should contain a schema datum and an
	       openldap_config datum.  Optionally, it may also contain
	       base, domain, number_instance, binddn, password,
	       search_timeout, open_timeout and reconnect_timeout
	       attributes:

	       schema
		    Nominate the schema definition to use for this
		    server.  This attribute is required.

	       openldap_config
		    Specify the location of the OpenLDAP configuration
		    file to use for this server.  This attribute is
		    required.

	       base
		    Specifies the base to use for LDAP queries for
		    this server. This option overrides the BASE
		    definition in the openldap_config file.  This
		    attribute is optional, but must be defined if
		    base_prefix is to be used and base is not defined
		    for the table.

	       binddn
		    The DN to use when binding to a server.  This
		    attribute is optional.  If binddn is not defined,
		    an anonymous connection will be made.  However if
		    it is defined but incorrect, the connection will
		    fail.

	       password
		    The password to use with the binddn to bind to a
		    server. This attribute is optional.

	       domain
		    Specify the domain that this server is for.	 If
		    domain is not specified, the server will be used
		    for the local domain.

	       number_instance
		    The number of simultaneous connections that can be
		    made to this server to avoid requests being queued
		    waiting for long requests to finish.  The default
		    is 3.

	       search_timeout
		    The amount of time, in seconds, to wait for a
		    response to a query from a server.	If not
		    defined, the default value is 10 seconds.

	       open_timeout
		    The amount of time, in seconds, to wait for a
		    connection to be established with a server. If not
		    defined, the default value is 5 seconds.

	       reconnect_timeout
		    The amount of time, in seconds, to wait before
		    attempting to reconnect with a server after a
		    disconnection. If not defined, the default value
		    is 60 seconds.

	  schema
	       Defines a schema object that is simply a collection of
	       tables, each of which defines how queries should be
	       constructed and results interpreted.  A schema
	       definition should contain one or more table attributes.

	       table
		    Nominate a table that this schema uses.  Schemas
		    will typically contain many tables, and must
		    contain at least one.

	  table
	       Defines a table object to be used for translating nsd
	       queries into an LDAP compatible format, and translating
	       LDAP responses to be passed back to nsd.

	       base
		    Specifies the base to use for LDAP queries for
		    this table. This option overrides the base
		    definition in the server section and the BASE
		    definition used in the openldap_config file.  This
		    can be useful when the table is in a completely
		    different section of the LDAP database.

	       base_prefix
		    Specifies a prefix to be added to the base
		    definition in the server or table section.	This
		    can be useful to restrict the search to only a
		    subsection of the LDAP database.

	       function
		    Specifies for what purpose this table is used,
		    such as group.bymember or password.byuid.  A table
		    may have any arbitrary name, so it is this
		    attribute that defines when nsd will use it.

	       attribute
		    An attribute object is defined within a table
		    definition and is relevant only in the scope of
		    the table.	Attribute objects are used within the
		    format string to identify which parts of the
		    string are plain text, and which should be
		    replaced by data retrieved from the LDAP server.

	       filter_lookup
		    The string that is used by nsd to form a lookup
		    query to be sent to the LDAP server.  The string
		    is used as defined, except that a %s will be
		    replaced by the lookup key.	 This attribute is
		    required.

	       filter_list
		    The string that is used by nsd to form a list
		    query to be sent to the LDAP server.  The string
		    is used as defined.	 If a filter_list attribute is
		    not defined, then list queries will be invalid for
		    that table.

	       format
		    The string that defines how nsd will interpret the
		    response from an LDAP server to a lookup or list
		    query.  Any attributes defined for this table will
		    be identified within the format string and
		    replaced by the relevant data from the LDAP
		    response.  Any text within the format string that
		    is not part of an attribute object identifier will
		    be returned to nsd within the query response.  A
		    format string is required for a table object.

	       single_line
		    If this tag is set, multiple entries returned for
		    a particular query will be placed on a single
		    output line.  The value for this tag may be null.
		    If it is not null, the value is interpreted as a
		    prefix string conforming to the format syntax
		    defined above.  This string will be placed before
		    the formatted output corresponding to individual
		    LDAP entries.

	  attribute
	       Defines an attribute object that is used in a table format
	       string.	An attribute object may contain a regsub
	       attribute and a required attribute.

	       required
		    If set to true, a response from an LDAP server
		    which does not have any data relevant to the
		    attribute object will be flagged as invalid.  By
		    default, the required flag is false.

	       regsub
		    Associates a regsub object for this attribute.
		    When data is returned from an LDAP server, it can
		    be parsed and altered by attribute regsubs.

	  regsub
	       Defines rules for textual substitution for an
	       attribute.  When a lookup is done for a particular
	       attribute, a regsub object can be applied so that parts
	       of the result are replaced by some text.	 A regsub
	       definition should contain one or more match attributes,
	       a substitution attribute and optionally an ignorecase
	       attribute.

	       match
		    A regular expression string that is applied to the
		    data and may match a portion of the data string.

	       substitution
		    Defines a string that will be used to substitute
		    any text that may have formed a match.

	       ignorecase
		    If set to true, the regular expression match is
		    done ignoring the case of either the match string
		    or the data string.	 By default, matches are case
		    sensitive.

	  use  The use command is used to flag that a particular
	       server definition be activated.	Without a use command,
	       a server definition is ignored.	Multiple use commands
	       can be specified.

	  Other global attributes that may be used are:

	  max_server_count
	       By default, the maximum number of servers that can be
	       defined is 20.  This is used as a sanity check against
	       a possibly corrupted or ill-specified configuration
	       file.  However, if more than the default number of
	       servers is needed, then this number can be specified.

	  max_regex_count
	       By default, the maximum number of regular expressions
	       that can be defined is 128.  This is used as a sanity
	       check against a possibly corrupted or ill-specified
	       configuration file.  However, if more than the default
	       number of regular expressions is needed, then this
	       number can be specified.

     EXAMPLE
	  The following is an example nsd_openldap.conf file, which
	  defines a single server that will provide group information:

	   server server_a
	   {
		   schema=rfc2307
		   openldap_config=/var/ns/server_openldap.conf
		   binddn="cn=Manager,dc=example,dc=com"
		   password=secret
		   search_timeout=3
		   open_timeout=3
	   }

	   regsub remove_schemeprefix
	   {
		   ignorecase=true
		   match="^crypt"
		   match="^md5"
		   match="^sha"
		   match="^x-.*"
		   substitution=""
	   }

	   table group.byname
	   {
		   attribute CN {}
		   attribute USERPASSWORD
		   {
			   regsub=remove_schemeprefix
		   }
		   attribute GIDNUMBER {}
		   attribute MEMBERUID {}

		   function=group.byname
		   filter_lookup="(&(OBJECTCLASS=POSIXGROUP)(CN=%s))"
		   filter_list="(OBJECTCLASS=POSIXGROUP)"
		   format="CN:USERPASSWORD:GIDNUMBER:(MEMBERUID,)"
	   }

	   table group.bygid
	   {
		   attribute CN {}
		   attribute USERPASSWORD
		   {
			   regsub=remove_schemeprefix
		   }
		   attribute GIDNUMBER {}
		   attribute MEMBERUID {}

		   function=group.bygid
		   filter_lookup="(&(OBJECTCLASS=POSIXGROUP)(GIDNUMBER=%s))"
		   format="CN:USERPASSWORD:GIDNUMBER:(MEMBERUID,)"
	   }

	   table group.bymember
	   {
		   attribute CN {}
		   attribute GIDNUMBER {}
		   attribute MEMBERUID {}

		   function=group.bymember
		   filter_lookup="(&(OBJECTCLASS=POSIXGROUP)(MEMBERUID=%s))"
		   format="GIDNUMBER,"
		   single_line="KEY:"
	   }

	   schema rfc2307
	   {
		   table=group.byname
		   table=group.bygid
		   table=group.bymember
	   }

	   use server_a
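
The following checker is an added example, not part of the original man page or of nsd. It parses the declaration syntax described above and reports missing required attributes, use commands that name an undefined server, servers that will bind anonymously, and a cleartext password stored in a file readable by group or other. The function names, the sample file and the file-mode policy are assumptions of this example.

```python
import re
REQUIRED = {"server": {"schema", "openldap_config"},  # required per the man page
            "schema": {"table"}, "table": {"filter_lookup", "format"}}

def parse(text):
    """Map (kind, name) -> [(key, value), ...] for every top-level declaration."""
    decls, depth, cur = {}, 0, None
    lines = [ln.strip() for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    for line in lines:
        head = re.match(r"(server|schema|table|regsub|use)\s+([^\s{]+)", line)
        attr = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if depth == 0 and head:
            cur = decls.setdefault(head.groups(), [])
        elif depth == 1 and attr and cur is not None:
            cur.append((attr.group(1), attr.group(2).strip('"')))
        bare = re.sub(r'"[^"]*"', "", line)  # braces inside quoted values do not nest
        depth += bare.count("{") - bare.count("}")  # depth 2 = nested attribute block
    return decls

def lint(text, mode):
    """Findings for one config file; mode is its st_mode as returned by os.stat()."""
    decls = parse(text)
    out = [f"use {n}: no such server" for k, n in decls if k == "use" and ("server", n) not in decls]
    for (kind, name), attrs in decls.items():
        d = dict(attrs)
        out += [f"{kind} {name}: missing required {m}"
                for m in sorted(REQUIRED.get(kind, set()) - set(d))]
        if kind == "server" and "binddn" not in d:
            out.append(f"server {name}: no binddn, binds anonymously")
        if "password" in d and mode & 0o077:
            out.append(f"{kind} {name}: cleartext password, file mode {mode & 0o777:o}")
    return out

SAMPLE = """# constructed sample, not taken from a real host
server server_a
{
    schema=rfc2307
    password=secret
}
table group.byname
{
    attribute USERPASSWORD
    {
        regsub=remove_schemeprefix
    }
    filter_lookup="(&(OBJECTCLASS=POSIXGROUP)(CN=%s))"
}
use server_b
"""
```

On a host, pass the contents of /var/ns/nsd_openldap.conf together with os.stat() of that path; lint(SAMPLE, 0o100644) returns five findings for the constructed sample.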

     CAVEATS
	  When binding to an LDAP server, the number of responses to a
	  particular query may be limited to 500, if the client does
	  not use the rootdn for the binddn.

     FILES
	  /var/ns/nsd_openldap.conf

     SEE ALSO
	  nsd(1m), nsd_openldap(7), regex(3g).

     Page 6					     (printed 5/15/05)
