NSDBPARAMS(8)             System Manager's Manual             NSDBPARAMS(8)

nsdbparams - manage local NSDB connection parameter database

nsdbparams delete [-?d] [-g gid] [-r nsdbport] [-u uid] nsdbname

nsdbparams list [-?d] [-u uid] [-g gid]

nsdbparams show [-?d] [-g gid] [-r nsdbport] [-u uid] nsdbname

nsdbparams update [-?d] [-D def-binddn] [-e def-nce] [-f certfile]
    [-g gid] [-R y|n] [-r nsdbport] [-t sectype] [-u uid] nsdbname

RFC 5716 introduces the Federated File System (FedFS, for short).
FedFS is an extensible standardized mechanism by which system
administrators construct a coherent namespace across multiple file
servers using file system referrals. For further details, see fedfs(7).

The bulk of FedFS metadata is stored on one or more LDAP servers.
These servers are known as namespace databases, or NSDBs, for short.
An NSDB client is any system that communicates with an NSDB. This can
be either a fileserver or an NSDB administrative client.

On NSDB clients, a small local database stores information about how to
connect to each NSDB node. These NSDB connection parameters are used
when an NSDB client contacts an NSDB node to perform file server
operations or when executing NSDB administrative commands.

The settings in this database affect only the behavior of the local
NSDB client. They have no effect on the operation of NSDB nodes.

The nsdbparams(8) command is one way FedFS domain administrators can
manage a system's local NSDB connection parameter database. This
database stores connection security preferences and default settings,
such as the preferred bind DN and the location of the NSDB container
entry, for each NSDB the local system knows about.

Some NSDB connection parameters are also remotely accessible via
rpc.fedfsd(8). The nsdbparams(8) command allows complete access to the
local system's NSDB database including access to some parameters which
are not accessible to clients of rpc.fedfsd(8).

Typically rpc.fedfsd(8) runs only on FedFS-enabled file servers. FedFS
administrators can manage NSDB connection parameters with nsdbparams(8)
on a system that is not running rpc.fedfsd(8), such as a system that is
acting only as a FedFS administrative client. Connection parameters
for NSDBs must be stored in the local NSDB connection parameter
database before FedFS junction resolution and NSDB administrative
commands can work.

Operation
The NSDB connection parameter database is stored in a directory
(typically /var/lib/fedfs) that is owned by a special UID and GID.
Therefore, this command must be run as root. During operation,
nsdbparams(8) drops its root privileges, running as the special user
and group instead.

The default value of these special IDs is determined when nsdbparams(8)
is built. They can also be specified at run time using the --uid or
--gid command line options.

When executing a subcommand, nsdbparams(8) verifies that the local NSDB
connection parameter database exists and is accessible. If it does not
exist, nsdbparams(8) attempts to create and initialize a new connection
parameter database. If it cannot, the subcommand fails.

Subcommands
Valid nsdbparams(8) subcommands are:

delete  Remove the connection parameters for the specified NSDB from
        the local NSDB connection parameter database. If this
        subcommand succeeds, subsequent attempts to access the
        specified NSDB on the local system fail.

list    Display a list of all NSDBs in the local NSDB connection
        parameter database. An abbreviated form of the connection
        parameters for each known NSDB is shown. This subcommand does
        not take an NSDB domain name parameter.

update  Update the connection parameters for the specified NSDB in the
        local NSDB connection parameter database. Use this subcommand
        to add a new entry for an NSDB to the local connection
        parameter database, or to modify an existing entry in the
        database.

show    Display the recorded connection parameters for the specified
        NSDB. This subcommand displays all known settings for the
        specified NSDB stored in the local NSDB connection parameter
        database.

The NSDB domain name and IP port number pair are used as the primary
key to identify an NSDB to the NSDB connection parameter database. The
subcommands delete, update, and show require that an NSDB domain name
be specified as a positional parameter. If no NSDB port number is
provided on the command line, the nsdbparams(8) command uses the
default LDAP port (389).

The database matches NSDB domain names and ports by exact value.
Details on NSDB connection parameters database entry matching can be
found in nsdb-parameters(7).

Command line options
-d, --debug
    Enables debugging messages during subcommand operation. This
    option is valid for all subcommands.

-D, --binddn=bind-DN
    Specifies the default LDAP distinguished name to use when binding
    to the specified NSDB for administrative operations. This option
    is valid for the update subcommand.

-e, --nce=NCE-DN
    Specifies the default LDAP distinguished name of the NSDB
    container entry for the specified NSDB for administrative
    operations. This option is valid for the update subcommand.

-f, --certfile=pathname
    Specifies the pathname of a local file containing security data
    appropriate for the --sectype specified on the command line.
    The specified file may be deleted after the command succeeds.
    Details on security data can be found in nsdb-parameters(7).
    This option is valid for the update subcommand.

-g, --gid=id
    Specifies the numeric or text GID that the nsdbparams(8) command
    runs as after dropping root privileges. By default, the GID for
    the group fedfs is used. If that group doesn't exist, then the
    GID for nobody is used instead. This option is valid for all
    subcommands.

-?, --help
    Displays nsdbparams(8) version information and a subcommand
    usage message on stderr. This option is valid for all
    subcommands.

-r, --nsdbport=NSDB-port
    Specifies the IP port for the specified NSDB. The default value
    if this option is not specified is 389. This option is valid
    for any subcommand that requires an NSDB domain name to be
    specified.

-R, --referral=[yes|no]
    Specifies whether or not the local system should follow LDAP
    referrals received from the specified NSDB. This option is
    valid for the update subcommand.

-t, --sectype=security-type
    Specifies the FedFS connection security type to use when
    connecting to the specified NSDB. Valid values for security-type
    are 0, none, FEDFS_SEC_NONE, 1, tls, or FEDFS_SEC_TLS. This
    option is valid for the update subcommand.

-u, --uid=id
    Specifies the numeric or text UID that nsdbparams(8) runs as
    after dropping root privileges. By default, the UID for the
    user fedfs is used. If that user doesn't exist, then the UID
    for nobody is used instead. This option is valid for all
    subcommands.

You can change connection security types used to contact an NSDB node
using the update subcommand. Simply specify the new security type with
the --sectype option. Specifying the NONE type removes existing stored
certificate material for that NSDB node. Specifying the TLS type
replaces existing stored certificate material with new material
specified with the --certfile option.

If there is an NSDB called nsdb.example.net, the first command you
might issue on a new administrative client might be:

    # nsdbparams update nsdb.example.net

You can view the new connection parameter entry with

    # nsdbparams show nsdb.example.net

The result of this command would look like:

    nsdb.example.net:389:
        connection security: FEDFS_SEC_NONE
        follow referrals: no

To set up TLS security, use the update subcommand and specify the
--sectype and --certfile options. For instance, if an X.509
certificate for nsdb.example.net were contained in a local file called
/tmp/nsdb.pem, you might use:

    # nsdbparams update -t tls -f /tmp/nsdb.pem nsdb.example.net

To switch from TLS security back to no connection security for this
NSDB, you might use:

    # nsdbparams update nsdb.example.net -t none
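
The audit below is an added example, not part of fedfs-utils or of this manual page: it reads text in the layout shown for nsdbparams show above and reports entries stored with no connection security or with referral following enabled. The FEDFS_SEC_TLS and "follow referrals: yes" renderings and the function names are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag NSDB entries whose stored parameters use no
# connection security or follow LDAP referrals.

# Constructed sample input. The first entry matches the page's example;
# the FEDFS_SEC_TLS line and the "yes" value are assumed renderings.
sample_show_output() {
cat <<'EOF'
nsdb.example.net:389:
    connection security: FEDFS_SEC_NONE
    follow referrals: no
nsdb2.example.net:636:
    connection security: FEDFS_SEC_TLS
    follow referrals: yes
nsdb3.example.net:389:
    connection security: FEDFS_SEC_TLS
    follow referrals: no
EOF
}

# audit_nsdb_show: read show-format text on stdin and print one finding
# per line as "<nsdbname>:<port> <finding>".
audit_nsdb_show() {
    awk '
        # Entry header: "name:port:" starting in column one.
        /^[^ \t].*:[0-9]+:[ \t]*$/ {
            entry = $0
            sub(/:[ \t]*$/, "", entry)
            next
        }
        {
            # Setting line: strip indentation, split "key: value".
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            split(line, kv, /:[ \t]*/)
        }
        # Fail closed: anything other than TLS is reported.
        kv[1] == "connection security" && kv[2] != "FEDFS_SEC_TLS" {
            print entry, "no-tls"
        }
        kv[1] == "follow referrals" && kv[2] == "yes" {
            print entry, "follows-referrals"
        }
    '
}

sample_show_output | audit_nsdb_show
```

On a live client, the function's input would come from running nsdbparams show for each NSDB reported by nsdbparams list.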

/var/lib/fedfs/nsdbparam.sqlite3
    database of NSDB connection parameters

/var/lib/fedfs/nsdbcerts
    local directory that stores X.509 certificates for NSDBs

fedfs(7), nsdb-parameters(7), rpc.fedfsd(8)

RFC 5661 for a description of NFS version 4 referrals

RFC 5716 for FedFS requirements and overview

This page is part of the fedfs-utils package. A description of the
project and information about reporting bugs can be found at
http://wiki.linux-nfs.org/wiki/index.php/FedFsUtilsProject.

Chuck Lever <chuck.lever@oracle.com>

3 February 2014                                               NSDBPARAMS(8)