ypserv man page on SunOS


ypserv(4)			 File Formats			     ypserv(4)

NAME
       ypserv - configuration file for NIS to LDAP transition daemons

SYNOPSIS
       /etc/default/ypserv

DESCRIPTION
       The  ypserv file specifies configuration information for the ypserv(1M)
       daemon. Configuration information can come from LDAP or be specified in
       the ypserv file.

       You  can	 create	 a  simple  ypserv  file by running inityp2l(1M).  The
       ypserv file can then be customized as required.

       A related NISLDAPmapping file contains mapping  information  that  con‐
       verts NIS entries into LDAP entries. See the NISLDAPmapping(4) man page
       for an overview of the setup that is needed to map NIS data to or  from
       LDAP.

EXTENDED DESCRIPTION
       The  ypserv(1M)	server	recognizes  the attributes that follow. Values
       specified for these attributes in the ypserv file, including any	 empty
       values,	override  values  that	are  obtained  from LDAP. However, the
       nisLDAPconfig* values are read from the ypserv file only.

   Attributes
       The following are attributes that are used for initial configuration.

       nisLDAPconfigDN

	   The DN for configuration information. If nisLDAPconfigDN is empty,
	   all other nisLDAPconfig* values are ignored.

       nisLDAPconfigPreferredServerList

	   The list of servers to use for the configuration phase. There is no
	   default value. The following is an example of a value for
	   nisLDAPconfigPreferredServerList:

	     nisLDAPconfigPreferredServerList=127.0.0.1:389

       nisLDAPconfigAuthenticationMethod

	   The authentication method used to obtain the configuration informa‐
	   tion. The recognized values	for  nisLDAPconfigAuthenticationMethod
	   are:

	   none		      No authentication attempted

	   simple	      Password	of proxy user sent in the clear to the
			      LDAP server

	   sasl/cram-md5      Use SASL/CRAM-MD5 authentication. This authenti‐
			      cation  method  may not be supported by all LDAP
			      servers. A password must be supplied.

	   sasl/digest-md5    Use SASL/DIGEST-MD5 authentication. The
			      SASL/CRAM-MD5 authentication method may not be
			      supported by all LDAP servers. A password must
			      be supplied.

	   nisLDAPconfigAuthenticationMethod has no default value. The follow‐
	   ing is an example of a value for nisLDAPconfigAuthenticationMethod:

	     nisLDAPconfigAuthenticationMethod=simple

       nisLDAPconfigTLS

	   The transport layer security used for the connection to the server.
	   The recognized values are:

	   none	   No encryption of transport layer data. The default value is
		   none.

	   ssl	   SSL encryption of transport layer data.  A  certificate  is
		   required.

	   Export and import control restrictions might limit the availability
	   of transport layer security.

       nisLDAPconfigTLSCertificateDBPath

	   The name of the directory that contains the	certificate  database.
	   The default path is /var/yp.

       nisLDAPconfigProxyUser

	   The proxy user used to obtain configuration information.
	   nisLDAPconfigProxyUser has no default value. If the value ends with
	   a comma, the value of the nisLDAPconfigDN attribute is appended. For
	   example:

	     nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,

       nisLDAPconfigProxyPassword

	   The password that should be supplied to LDAP	 for  the  proxy  user
	   when the authentication method requires one. To avoid exposing this
	   password publicly on the machine, the password should  only	appear
	   in  the configuration file, and the file should have an appropriate
	   owner, group, and  file  mode.  nisLDAPconfigProxyPassword  has  no
	   default value.

       The following are attributes used for data retrieval.  The object class
       name used for these attributes is nisLDAPconfig.

       preferredServerList

	   The list of servers to use to read or to write mapped NIS data from
	   or to LDAP. preferredServerList has no default value. For example:

	     preferredServerList=127.0.0.1:389

       authenticationMethod

	   The authentication method to use to read or to write mapped NIS
	   data from or to LDAP. For recognized values, see the
	   nisLDAPconfigAuthenticationMethod attribute. authenticationMethod
	   has no default value. For example:

	     authenticationMethod=simple

       nisLDAPTLS

	   The transport layer security to use to read or to  write  NIS  data
	   from	 or  to LDAP.  For recognized values, see the nisLDAPconfigTLS
	   attribute.  The default value is none. Export  and  import  control
	   restrictions	 might limit the availability of transport layer secu‐
	   rity.

       nisLDAPTLSCertificateDBPath

	   The name of the directory that contains  the	 certificate  DB.  For
	   recognized  and default values for nisLDAPTLSCertificateDBPath, see
	   the nisLDAPconfigTLSCertificateDBPath attribute.

       nisLDAPproxyUser

	   Proxy user used by ypserv(1M), ypxfrd(1M) and yppasswdd(1M) to read
	   or  to  write from or to LDAP. Assumed to have the appropriate per‐
	   mission to read and modify LDAP data. There is no default value. If
	   the value ends in a comma, the value of the context for the current
	   domain,  as	defined	 by  a	nisLDAPdomainContext   attribute,   is
	   appended. See NISLDAPmapping(4). For example:

	     nisLDAPproxyUser=cn=nisAdmin,ou=People,

       nisLDAPproxyPassword

	   The	password  that	should	be supplied to LDAP for the proxy user
	   when the authentication method so requires. To avoid exposing  this
	   password  publicly  on the machine, the password should only appear
	   in the configuration file, and the file must	 have  an  appropriate
	   owner,  group,  and	file mode. nisLDAPproxyPassword has no default
	   value.

       nisLDAPsearchTimeout

	   Establishes the timeout for the LDAP search operation. The  default
	   value for nisLDAPsearchTimeout is 180 seconds.

       nisLDAPbindTimeout
       nisLDAPmodifyTimeout
       nisLDAPaddTimeout
       nisLDAPdeleteTimeout

	   Establish  timeouts	for  LDAP bind, modify, add, and delete opera‐
	   tions, respectively.	 The default value  is	15  seconds  for  each
	   attribute. Decimal values are allowed.

       nisLDAPsearchTimeLimit

	   Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests
	   a time limit for the search	operation  on  the  LDAP  server.  The
	   server  may impose its own constraints on possible values. See your
	   LDAP server documentation. The default is the  nisLDAPsearchTimeout
	   value. Only integer values are allowed.

	   Since the nisLDAPsearchTimeout limits the amount of time the client
	   ypserv will wait for completion of a search operation, do  not  set
	   the	value  of  nisLDAPsearchTimeLimit  larger  than	 the  value of
	   nisLDAPsearchTimeout.

       nisLDAPsearchSizeLimit

	   Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests
	   a  size limit, in bytes, for the search results on the LDAP server.
	   The server may impose its own constraints on possible  values.  See
	   your	  LDAP	 server	  documentation.   The	 default   value   for
	   nisLDAPsearchSizeLimit is zero,  which  means  the  size  limit  is
	   unlimited. Only integer values are allowed.

       nisLDAPfollowReferral

	   Determines whether ypserv should follow referrals. Recognized
	   values for nisLDAPfollowReferral are yes and no. The default value
	   for nisLDAPfollowReferral is no.

       The following attributes specify the action to be taken when some event
       occurs. The values are all of the form event=action. The default action
       is the first one listed for each event.

       nisLDAPretrieveErrorAction

	   If an error occurs while trying to retrieve an entry from LDAP, one
	   of the following actions can be selected:

	   use_cached	 Retry the retrieval the number of times specified by
			 nisLDAPretrieveErrorAttempts, with the
			 nisLDAPretrieveErrorTimeout value controlling the wait
			 between each attempt.

			 If  all  attempts  fail, then a warning is logged and
			 the value currently in the cache is returned  to  the
			 client.

	   fail		 Proceed  as for use_cached, but if all attempts fail,
			 a YPERR_YPERR error is returned to the client.

       nisLDAPretrieveErrorAttempts

	   The number of times a failed retrieval should be retried. The
	   default value for nisLDAPretrieveErrorAttempts is unlimited. While
	   retries are made, the ypserv daemon is prevented from servicing
	   further requests. nisLDAPretrieveErrorAttempts values other than 1
	   should be used with caution.

       nisLDAPretrieveErrorTimeout

	   The timeout in seconds between each new attempt  to	retrieve  LDAP
	   data.  The default value for nisLDAPretrieveErrorTimeout is 15 sec‐
	   onds.

       nisLDAPstoreErrorAction

	   If an error occurs while trying to store data to the LDAP
	   repository, one of the following actions can be selected:

	   retry    Retry   operation	nisLDAPstoreErrorAttempts  times  with
		    nisLDAPstoreErrorTimeout  seconds  between	each  attempt.
		    While  retries  are made, the NIS daemon will be prevented
		    from servicing further requests. Use with caution.

	   fail	    Return YPERR_YPERR error to the client.

       nisLDAPstoreErrorAttempts

	   The number of times a failed attempt to store should be retried.
	   The default value for nisLDAPstoreErrorAttempts is unlimited. The
	   value for nisLDAPstoreErrorAttempts is ignored unless
	   nisLDAPstoreErrorAction=retry.

       nisLDAPstoreErrorTimeout

	   The timeout, in seconds, between each new attempt to store LDAP
	   data. The default value for nisLDAPstoreErrorTimeout is 15
	   seconds. The nisLDAPstoreErrorTimeout value is ignored unless
	   nisLDAPstoreErrorAction=retry.
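
       The following check is an added example, not part of the original man
       page or of Solaris. It parses a ypserv file and reports the risky
       combinations described above: simple authentication without ssl, a
       proxy password in a file with group or other access, a search time
       limit above the search timeout, and retry settings that block the
       daemon. The names parse_ypserv and audit, the skipping of '#' lines,
       and reading "appropriate" file mode as no group/other access are
       assumptions; the sample file is constructed.

```python
import stat

# Defaults taken from the attribute descriptions on this page.
DEFAULTS = {"nisLDAPconfigTLS": "none", "nisLDAPTLS": "none",
            "nisLDAPsearchTimeout": "180", "nisLDAPstoreErrorAction": "retry"}
# (authentication attribute, TLS attribute, password attribute) per phase.
PHASES = [
    ("nisLDAPconfigAuthenticationMethod", "nisLDAPconfigTLS",
     "nisLDAPconfigProxyPassword"),
    ("authenticationMethod", "nisLDAPTLS", "nisLDAPproxyPassword"),
]

def parse_ypserv(text):
    """Parse attribute=value lines. Skipping '#' lines is an assumption."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            # Split on the first '=' only: DN values contain '=' themselves.
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf, mode):
    """Return findings for a parsed file and its st_mode permission bits."""
    get = lambda key: conf.get(key, DEFAULTS.get(key, ""))
    findings = []
    for auth, tls, password in PHASES:
        if get(auth) == "simple" and get(tls) != "ssl":
            findings.append(f"{auth}=simple without {tls}=ssl: cleartext bind")
        # Assumption: "appropriate" mode means no group/other access at all.
        if get(password) and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{password} set but mode is {mode & 0o777:04o}")
    limit = get("nisLDAPsearchTimeLimit")
    if limit and int(limit) > float(get("nisLDAPsearchTimeout")):
        findings.append("nisLDAPsearchTimeLimit exceeds nisLDAPsearchTimeout")
    # Absent attempt counts default to unlimited, which blocks the daemon.
    if get("nisLDAPretrieveErrorAttempts") != "1":
        findings.append("nisLDAPretrieveErrorAttempts is not 1")
    if (get("nisLDAPstoreErrorAction") == "retry"
            and not get("nisLDAPstoreErrorAttempts")):
        findings.append("nisLDAPstoreErrorAction=retry with unlimited attempts")
    return findings

# Constructed sample file, not taken from a real system.
SAMPLE = """\
authenticationMethod=simple
nisLDAPproxyUser=cn=nisAdmin,ou=People,
nisLDAPproxyPassword=CONSTRUCTED-PLACEHOLDER
nisLDAPsearchTimeLimit=300
nisLDAPstoreErrorAction=fail
"""
if __name__ == "__main__":
    print("\n".join(audit(parse_ypserv(SAMPLE), 0o644)))
```

       On a live system, pass the mode obtained from os.stat() on
       /etc/default/ypserv in place of the constructed 0o644.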

   Storing Configuration Attributes in LDAP
       Most attributes described on this man page, as well as those  described
       on  NISLDAPmapping(4),  can  be	stored in LDAP. In order to do so, you
       will need to add the following definitions to your LDAP	server,	 which
       are  described here in LDIF format suitable for use by ldapadd(1).  The
       attribute and objectclass OIDs are examples only.

	 dn: cn=schema
	 changetype: modify
	 add: attributetypes
	 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \
		  DESC 'Preferred LDAP server host addresses used by DUA' \
		  EQUALITY caseIgnoreMatch	    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
	 attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
		  DESC 'Authentication method used to contact the DSA' \
		  EQUALITY caseIgnoreMatch	    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

	 dn: cn=schema
	     changetype: modify
	     add: attributetypes
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
		       NAME 'nisLDAPTLS' \
		       DESC 'Transport Layer Security' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \
		       NAME 'nisLDAPTLSCertificateDBPath' \
		       DESC 'Certificate file' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
		       NAME 'nisLDAPproxyUser' \
		       DESC 'Proxy user for data store/retrieval' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \
		       NAME 'nisLDAPproxyPassword' \
		       DESC 'Password/key/shared secret for proxy user' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \
		       NAME 'nisLDAPretrieveErrorAction' \
		       DESC 'Action following an LDAP search error' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \
		       NAME 'nisLDAPretrieveErrorAttempts' \
		       DESC 'Number of times to retry an LDAP search' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \
		       NAME 'nisLDAPretrieveErrorTimeout' \
		       DESC 'Timeout between each search attempt' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \
		       NAME 'nisLDAPstoreErrorAction' \
		       DESC 'Action following an LDAP store error' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \
		       NAME 'nisLDAPstoreErrorAttempts' \
		       DESC 'Number of times to retry an LDAP store' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \
		       NAME 'nisLDAPstoreErrorTimeout' \
		       DESC 'Timeout between each store attempt' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \
		       NAME 'nisLDAPdomainContext' \
		       DESC 'Context for a single domain' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \
		       NAME 'nisLDAPyppasswddDomains' \
		       DESC 'List of domains for which password changes are made' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \
		       NAME 'nisLDAPdatabaseIdMapping' \
		       DESC 'Defines a database id for a NIS object' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \
		       NAME 'nisLDAPentryTtl' \
		       DESC 'TTL for cached objects derived from LDAP' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \
		       NAME 'nisLDAPobjectDN' \
		       DESC 'Location in LDAP tree where NIS data is stored' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 \
		       NAME 'nisLDAPnameFields' \
		       DESC 'Rules for breaking NIS entries into fields' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 \
		       NAME 'nisLDAPsplitFields' \
		       DESC 'Rules for breaking fields into sub fields' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \
		       NAME 'nisLDAPattributeFromField' \
		       DESC 'Rules for mapping fields to LDAP attributes' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \
		       NAME 'nisLDAPfieldFromAttribute' \
		       DESC 'Rules for mapping fields to LDAP attributes' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \
		       NAME 'nisLDAPrepeatedFieldSeparators' \
		       DESC 'Rules for mapping fields to LDAP attributes' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \
		       NAME 'nisLDAPcommentChar' \
		       DESC 'Rules for mapping fields to LDAP attributes' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \
		       NAME 'nisLDAPmapFlags' \
		       DESC 'Rules for mapping fields to LDAP attributes' \
		       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

	     dn: cn=schema
	     changetype: modify
	     add: objectclasses
	     objectclasses:  ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
		       DESC 'NIS/LDAP mapping configuration' \
		       SUP top STRUCTURAL \
		       MAY ( cn $ preferredServerList $
			 authenticationMethod $ nisLDAPTLS $
			 nisLDAPTLSCertificateDBPath $
			 nisLDAPproxyUser $ nisLDAPproxyPassword $
			 nisLDAPretrieveErrorAction $
			 nisLDAPretrieveErrorAttempts $
			 nisLDAPretrieveErrorTimeout $
			 nisLDAPstoreErrorAction $
			 nisLDAPstoreErrorAttempts $
			 nisLDAPstoreErrorTimeout $
			 nisLDAPdomainContext $
			 nisLDAPyppasswddDomains $
			 nisLDAPdatabaseIdMapping $
			 nisLDAPentryTtl $
			 nisLDAPobjectDN $
			 nisLDAPnameFields $
			 nisLDAPsplitFields $
			 nisLDAPattributeFromField $
			 nisLDAPfieldFromAttribute $
			 nisLDAPrepeatedFieldSeparators $
			 nisLDAPcommentChar $
			 nisLDAPmapFlags ) )

       Create a file containing	 the  following	 LDIF  data.  Substitute  your
       actual nisLDAPconfigDN for configDN:

	 dn: configDN
	 objectClass: top
	 objectClass: nisLDAPconfig

       Use this file as input to the ldapadd(1) command in order to create the
       NIS to LDAP configuration entry. Initially, the entry is empty. You can
       use the ldapmodify(1) command to add configuration attributes.

EXAMPLES
       Example 1 Creating a NIS to LDAP Configuration Entry

       To  set	the server list to port 389 on 127.0.0.1, create the following
       file and use it as input to ldapmodify(1):

	 dn: configDN
	 preferredServerList: 127.0.0.1:389

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWypu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Obsolete			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       ldapadd(1),  ldapmodify(1),  inityp2l(1M),  yppasswdd(1M),  ypserv(1M),
       ypxfrd(1M), NIS+LDAPmapping(4), attributes(5)

SunOS 5.10			  9 Aug 2004			     ypserv(4)