ldap.conf(4)ldap.conf(4)NAMEldap.conf - Lightweight Directory Access Protocol configuration file
SYNOPSIS
/var/ns/ldap.conf
DESCRIPTION
This file controls the behavior of the Lightweight Directory Access
Protocol (LDAP) client implementation for nsd. It is read by the
initialization routine of the ldap(7P) library when the nsd daemon is
started, or sent the SIGHUP signal. This file contains information about
remote LDAP daemons database schemas, and format rules.
The file is made up of comment lines, table entries, server entries and
the domain command. Comment lines begin with either a '#' or a ';'
character, and are ignored by the parser. Table entries begin with the
keyword table followed by the name of the table, and a series of
attributes. Table entries are separated by one or more blank lines.
Server entries begin with the keyword server, and are followed by a
series of attributes. Server entries are separated by one or more blank
lines.
domain [domainname]
The domain command changes the domain context. Each of the
following entries and command lines set information for this domain.
If the domainname is not given then it sets the context for the
default, or null, domain.
server hostname[:port]
A given domain may specify one or more LDAP servers to send requests
to. hostname refers to the hostname of the LDAP server. The
hostname may be given directly as an IP address. If no port number
is given, the default LDAP port (389) is assumed. The attribute,
attribute value pairs following the server keyword define attributes
for a particular server. Attributes include:
base Defines the distinguished name (dn) of the base for the LDAP
search.
scope Defines the depth used in searching for LDAP entries. The
value may be one of the following: subtree - will search all
entries below the base (default), onelevel - will search one
level below base, and sbase - will search only at the base
level.
binddn Specifies the distinguished name used in binding to the
server. This attribute is optional.
bindpwd Specifies the password used in binding to the server. This
attribute is also optional.
regsub attribute {regex} {substitutions}
The regsub command causes the results of lookups of the LDAP
attribute named by attribute, which have a value that matches the
regular expression regex, to have the matched portion of their value
Page 1
ldap.conf(4)ldap.conf(4)
substituted according to the expression substitution.
regex accepts the regular expression syntax described in regex(3G)
with the exception that the '}' character must be back-quoted in
order to be accepted as part of the regular expression.
substitution is a string which will replace the portion of value of
attribute that was matched by regex. If the '&' character appears in
substitution, it will be replaced by the entire matched substring.
If substitution contains any of the variable names \1...\9, the
variable name will be replaced by the corresponding parethesized
grouping from the match made against regex. If there is no group
corresponding to the variable \n, a literal n is produced. Each of
the special characters that denote substitution expansion variables
can be produced literally by back-quoting them.
If more that one regsub command is specified for the same attribute,
each is applied in turn until a successful substitution can be made.
If no substitutions can be made, the value is passed through
unmodified.
table tablename
The table entries define the way in which the LDAP library responds
to a particular request from the nsd daemon. tablename defines the
name of the map requested. The attribute list must include the
following three items:
filter_lookup
Defines the LDAP filter used for lookup type searches made
against this map. The filter may contain one (or more)
strings "%s" which will be replaced by the key requested (or
a split of the key, split by the characters ",", "/" or
".".).
filter_list
Defines the LDAP filter used for list type searches made
against this map.
format Defines the way in which LDAP responses are formatted into
output strings. Alphanumeric strings conforming to the LDAP
attribute protocol are replaced by server responses for that
attribute. If an attribute is placed inside of brackets,
and followed by a separator (eg. (MEMBERUID,)+), then
multiple responses of that attribute will be added to the
output string. If the special string "KEY" is used in the
format attribute, this string will be replaced with the key
requested by the nsd daemon.
In addition, the attribute list may optionally contain any of the
following items:
require attribute
The argument to the require keyword is the name of an LDAP
attribute that appears in a format string. A output string
Page 2
ldap.conf(4)ldap.conf(4)
will be included in the library response only if the value
of the corresponding attribute is non-null after any
applicable regsub expansions have been performed.
default In the case of a split key (i.e. two substitutions in the
filter), the second substitution may be given a default
value with this attribute.
single_line
If this tag is set, multiple entries returned for a
particular query will be placed on a single output line.
The value for this tag may be null. If it is not null, the
value is interpreted as a prefix string conforming to the
format syntax defined above. This string will be placed
before the formatted output corresponding to individual LDAP
entries.
EXAMPLE
Part of an example ldap.conf file follow, demonstrating the domain
command, server and table entries:
domain foo.com
server test.foo.com:390
base "o=Your Organization Name, c=US"
binddn "cn=root, o=Your Organization Name, c=US"
bindpwd secret
table group.byname
filter (&(OBJECTCLASS=POSIXGROUP)(CN=%s))
format "CN:GROUPPASSWORD:POSIXGIDNUMBER:(MEMBERUID,)+"
FILES
/var/ns/ldap.conf
SEE ALSOnsd(1M), ldap(7P), regex(3G)
IRIX Admin: Networking and Mail
Page 3
