NSDB-PARAMETERS(7)        Miscellaneous Information Manual       NSDB-PARAMETERS(7)
NAME
nsdb-parameters - NSDB connection parameters

DESCRIPTION
RFC 5716 introduces the Federated File System (FedFS, for short).
FedFS is an extensible standardized mechanism by which system
administrators construct a coherent namespace across multiple file
servers using file system referrals. For further details, see fedfs(7).

The bulk of FedFS metadata is stored on one or more LDAP servers.
These servers are known as namespace databases, or NSDBs, for short.
An NSDB client is any system that communicates with an NSDB. This can
be either a fileserver or an NSDB administrative client.

On NSDB clients, a small local database stores information about how to
connect to each NSDB node. These NSDB connection parameters are used
when a fileserver contacts an NSDB node to resolve junctions, or when
executing NSDB administrative commands.

The settings in this database affect only the behavior of NSDB clients
on the local system. They have no effect on the operation of NSDB
nodes or other NSDB clients.

Before an NSDB client may communicate with an NSDB node, that client
must know how to contact the NSDB. The client's local NSDB connection
parameter database contains the DNS hostname, IP port number, and
connection security type of each NSDB node that can be contacted.
Administrators must provide this information in advance.

NSDB name equality
The local NSDB connection parameter database is indexed by each NSDB
node's DNS hostname and IP port number. Two NSDB node names are
equivalent if their respective DNS hostnames and port numbers are an
exact match.

Before matching, the special port value "0" is always mapped to the
standard LDAP port "389". Likewise, if no port is specified, "389" is
assumed.

Upper and lower case are considered equivalent. The IP addresses to
which hostnames are bound are not considered when matching.

For example, the NSDB "nsdb.example.net:389" would share a database
entry with "nsdb.EXAMPLE.NET:0", but not with "nsdb.example.net:636".
If "nsdb.example.com:389" maps to 10.0.0.1 and "nsdb.example.net:389"
also maps to that address, the database maintains separate entries for
each, although the same connection parameters may be set for both
entries.
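
The matching rules above, carried out in code as an added example; this
is not fedfs-utils code, the helper names nsdb_name_parse and
nsdb_name_equal are hypothetical, and it assumes plain DNS hostnames
(no IPv6 literals) in "host[:port]" form.

```c
/* Added example (not fedfs-utils code): canonicalise and compare NSDB node
 * names per nsdb-parameters(7). Helper names are hypothetical; DNS hostnames only. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define NSDB_HOST_MAX 256
#define LDAP_PORT     389

struct nsdb_name {
    char host[NSDB_HOST_MAX];   /* hostname, lower-cased */
    unsigned short port;        /* 389 when absent or given as 0 */
};

/* Parse "host[:port]" into its canonical database key. Returns 0 on
 * success, -1 if the host is empty/too long or the port is malformed. */
int nsdb_name_parse(const char *spec, struct nsdb_name *out)
{
    const char *colon = strrchr(spec, ':');
    size_t hostlen = colon ? (size_t)(colon - spec) : strlen(spec);
    long port = LDAP_PORT;      /* no port given: assume 389 */
    size_t i;
    if (hostlen == 0 || hostlen >= NSDB_HOST_MAX)
        return -1;
    if (colon) {
        char *end;
        port = strtol(colon + 1, &end, 10);
        /* reject empty, non-numeric, or out-of-range ports */
        if (end == colon + 1 || *end != '\0' || port < 0 || port > 65535)
            return -1;
        if (port == 0)          /* "0" always maps to the LDAP port */
            port = LDAP_PORT;
    }
    /* Upper and lower case are equivalent, so store the host folded. */
    for (i = 0; i < hostlen; i++)
        out->host[i] = (char)tolower((unsigned char)spec[i]);
    out->host[hostlen] = '\0';
    out->port = (unsigned short)port;
    return 0;
}

/* Two names share a database entry iff canonical host and port match;
 * the addresses the hostnames resolve to are deliberately not consulted. */
int nsdb_name_equal(const char *a, const char *b)
{
    struct nsdb_name na, nb;
    if (nsdb_name_parse(a, &na) != 0 || nsdb_name_parse(b, &nb) != 0)
        return 0;
    return na.port == nb.port && strcmp(na.host, nb.host) == 0;
}
```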

Connection security
One of two connection security types may be specified in an NSDB
connection parameter entry:

NONE    The local system communicates with the NSDB node in plain text.
        The local system performs no authentication of the NSDB node.

TLS     The local system always uses Transport Layer Security when
        communicating with the NSDB node. The local system authenticates
        the NSDB node before making requests. Integrity or encryption
        is used during communication. Requests to the NSDB node fail if
        a TLS session cannot be established.

NONE is a low-overhead mode for use when the network and the NSDB are
trusted by all NSDB clients. TLS is a high-security mode for use when
NSDBs operate on untrusted public networks, but it requires the
additional burden of creating and distributing x.509 certificates for
each NSDB.

An NSDB node can operate in one of three security modes:

Basic   NSDB clients connect to this NSDB node using only FEDFS_SEC_NONE
        security.

Transitional
        NSDB clients connect to this NSDB node using either
        FEDFS_SEC_NONE or FEDFS_SEC_TLS security.

Secure  NSDB clients connect to this NSDB node using only FEDFS_SEC_TLS
        security.

An NSDB client always uses the security type specified in its local
NSDB connection parameter database for that NSDB node. For greatest
security, it is recommended that NSDB nodes be configured as secure
NSDBs (see the modes listed above).

x.509 certificates
Administrators provide the certificate material used to authenticate an
NSDB node in a PEM format file that contains an x.509v3 certificate
chain.

This file may contain just the public certificate of the Certificate
Authority (CA) which signed the NSDB's certificate. Or it may contain
a chain of certificates that represents the full chain of trust for the
NSDB node. A self-signed CA certificate may be used to reduce the
burden of setting up NSDBs for your FedFS domain.

Either the fedfs-set-nsdb-params(8) command is used to transfer this
material to a remote fileserver running a FedFS ADMIN service, or the
nsdbparams(8) command is used to install this material in the NSDB
connection parameter database on the local system. For both commands,
the file containing certificates for one NSDB is specified on the
command line with the --certfile option.

The certificate material provisioned via these commands is used for no
other purpose on the local system than NSDB authentication.

SEE ALSO
fedfs(7), nsdbparams(8), rpc.fedfsd(8), fedfs-set-nsdb-params(8)

RFC 5661 for a description of NFS version 4 referrals

RFC 5716 for FedFS requirements and overview

COLOPHON
This page is part of the fedfs-utils package. A description of the
project and information about reporting bugs can be found at
http://wiki.linux-nfs.org/wiki/index.php/FedFsUtilsProject.

AUTHOR
Chuck Lever <chuck.lever@oracle.com>

                              3 February 2014                NSDB-PARAMETERS(7)