idmapd.conf(5)                 File Formats Manual                idmapd.conf(5)

NAME
       idmapd.conf - configuration file for libnfsidmap

DESCRIPTION
       Configuration file for libnfsidmap. Used by idmapd and svcgssd to map
       NFSv4 names to and from IDs.

       The idmapd.conf configuration file consists of several sections,
       initiated by strings of the form [General] and [Mapping]. Each section
       may contain lines of the form

              variable = value

       The recognized sections and their recognized variables are as follows:

   [General] section variables
       Verbosity
              Verbosity level of debugging (Default: 0)

       Domain The local NFSv4 domain name. An NFSv4 domain is a namespace
              with a unique username<->UID and groupname<->GID mapping.
              (Default: Host's fully-qualified DNS domain name)

       No-Strip
              In multi-domain environments, some NFS servers will append the
              identity management domain to the owner and owner_group in lieu
              of a true NFSv4 domain. This option can facilitate lookups in
              such environments. If set to a value other than "none", the
              nsswitch plugin will first pass the name to the password/group
              lookup function without stripping the domain off. If that
              mapping fails then the plugin will try again using the old
              method (comparing the domain in the string to the Domain value,
              stripping it if it matches, and passing the resulting short
              name to the lookup function). Valid values are "user", "group",
              "both", and "none". (Default: "none")

       Reformat-Group
              Winbind has a quirk whereby doing a group lookup in UPN format
              (e.g. staff@americas.example.com) will cause the group to be
              displayed prefixed with the full domain in uppercase (e.g.
              AMERICAS.EXAMPLE.COM\staff) instead of in the familiar netbios
              name format (e.g. AMERICAS\staff). Setting this option to true
              causes the name to be reformatted before passing it to the group
              lookup function in order to work around this. This setting is
              ignored unless No-Strip is set to either "both" or "group".
              (Default: "false")

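       The lookup order that No-Strip and Reformat-Group impose on the
       nsswitch plugin, as an added example that is not libnfsidmap's own
       code. The passwd and group databases are constructed dictionaries
       standing in for getpwnam()/getgrnam() so the script runs offline, and
       the exact Reformat-Group rewrite (first domain label uppercased, joined
       with a backslash) is an assumption that reproduces the AMERICAS\staff
       form shown above.

```python
# Added example, not libnfsidmap code: the name -> id lookup order that the
# nsswitch plug-in follows under the No-Strip and Reformat-Group settings.

# Constructed stand-ins for the system passwd and group databases.
PASSWD = {"juser": 1001, "jdoe@example.com": 1002}
GROUP = {"staff": 2001, "AMERICAS\\staff": 2002}


def strip_domain(name, local_domain):
    """Old method: drop "@domain" only when it equals the configured Domain.

    Returns the short name, the unchanged name if it carried no domain, or
    None when the domain belongs to some other NFSv4 domain.
    """
    short, sep, domain = name.rpartition("@")
    if not sep:
        return name
    if domain.lower() == local_domain.lower():
        return short
    return None


def reformat_group(name):
    """Assumed Reformat-Group rewrite: staff@americas.example.com -> AMERICAS\\staff."""
    short, _, domain = name.rpartition("@")
    netbios = domain.split(".")[0].upper()
    return f"{netbios}\\{short}"


def name_to_id(name, db, local_domain, no_strip, kind, reformat_groups=False):
    """Resolve an NFSv4 owner/owner_group string to a local id.

    no_strip        the No-Strip value: "user", "group", "both" or "none"
    kind            "user" or "group", selecting which half of No-Strip applies
    reformat_groups the Reformat-Group value (only consulted for groups and
                    only when No-Strip covers groups)
    Returns (id, step) on success or (None, reason) on failure.
    """
    if no_strip in (kind, "both"):
        candidate = name
        if kind == "group" and reformat_groups and "@" in name:
            candidate = reformat_group(name)
        if candidate in db:
            return db[candidate], "full-name lookup"
    short = strip_domain(name, local_domain)
    if short is None:
        return None, "domain does not match Domain"
    if short in db:
        return db[short], "stripped lookup"
    return None, "no such local name"


if __name__ == "__main__":
    for args in [
        ("juser@example.com", PASSWD, "example.com", "none", "user"),
        ("jdoe@example.com", PASSWD, "example.com", "none", "user"),
        ("jdoe@example.com", PASSWD, "example.com", "user", "user"),
        ("juser@other.org", PASSWD, "example.com", "none", "user"),
        ("staff@americas.example.com", GROUP, "example.com", "both", "group", True),
        ("staff@americas.example.com", GROUP, "example.com", "both", "group", False),
    ]:
        print(args[0], "->", name_to_id(*args))
```

       Note that with No-Strip left at "none" a name such as
       jdoe@example.com only resolves if the short name jdoe exists locally,
       and a name carrying a foreign domain never resolves through this
       plugin at all; both are then handed to the Nobody-User/Nobody-Group
       fallback described under [Mapping].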
       Local-Realms
              A comma-separated list of Kerberos realm names that may be
              considered equivalent to the local realm name. For example,
              users juser@ORDER.EDU and juser@MAIL.ORDER.EDU may be considered
              to be the same user in the specified Domain. (Default: the
              host's default realm name)
              Note: If a value is specified here, the default local realm must
              be included as well.

   [Mapping] section variables
       Nobody-User
              Local user name to be used when a mapping cannot be completed.

       Nobody-Group
              Local group name to be used when a mapping cannot be completed.

   [Translation] section variables
       Method A comma-separated, ordered list of mapping methods (plug-ins) to
              use when mapping between NFSv4 names and local IDs. Each
              specified method is tried in order until a mapping is found, or
              there are no more methods to try. The methods included in the
              default distribution are "nsswitch", "umich_ldap", and
              "static". (Default: nsswitch)

       GSS-Methods
              An optional comma-separated, ordered list of mapping methods
              (plug-ins) to use when mapping between GSS-authenticated names
              and local IDs. (Default: the same list as specified for Method)

   [Static] section variables
       The "static" translation method uses a static list that maps
       GSS-authenticated names to local user names. Entries in the list are
       of the form:

              principal@REALM = localusername

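       How the [Translation], [Static], [Mapping] and Local-Realms settings
       fit together, as an added example that is not libnfsidmap's own code:
       a constructed idmapd.conf modelled on the EXAMPLES section below is
       parsed with Python's configparser, the configured methods are tried
       in order, and an unmapped name falls back to Nobody-User. The passwd
       database is a constructed dictionary standing in for getpwnam(), and
       the per-method behaviour (exact principal match for "static", realm
       must appear in Local-Realms for the GSS nsswitch path) is a simplified
       model of the descriptions above.

```python
# Added example, not libnfsidmap code: ordered-method resolution with the
# [Static] list, Local-Realms equivalence and the Nobody-User fallback.
import configparser

# Constructed configuration modelled on the man page's example; not a real file.
CONF_TEXT = """
[General]
Domain = domain.org
Local-Realms = DOMAIN.ORG,MY.DOMAIN.ORG

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
GSS-Methods = static,nsswitch

[Static]
johndoe@OTHER.DOMAIN.ORG = johnny
"""

# Constructed stand-in for the local passwd database (getpwnam()).
PASSWD = {"juser": 1001, "johnny": 1003, "nfsnobody": 65534}


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: "Nobody-User", "johndoe@OTHER.DOMAIN.ORG"
    cp.read_string(text)
    return cp


def csv(value):
    """Split a comma-separated setting such as Method or Local-Realms."""
    return [v.strip() for v in value.split(",") if v.strip()]


def method_nsswitch(name, conf):
    """NFSv4 name -> local name: strip "@Domain" when it matches, then look up."""
    short, sep, domain = name.rpartition("@")
    if sep and domain.lower() != conf["General"]["Domain"].lower():
        return None  # belongs to another NFSv4 domain
    local = short if sep else name
    return local if local in PASSWD else None


def method_static(principal, conf):
    """GSS principal -> local name via the [Static] list (exact match)."""
    if conf.has_section("Static") and principal in conf["Static"]:
        local = conf["Static"][principal]
        return local if local in PASSWD else None
    return None


def method_nsswitch_gss(principal, conf):
    """GSS principal -> local name: realm must be listed in Local-Realms."""
    user, sep, realm = principal.rpartition("@")
    realms = csv(conf["General"].get("Local-Realms", ""))
    if not sep or realm not in realms:  # Kerberos realm names are case-sensitive
        return None
    return user if user in PASSWD else None


METHODS = {"nsswitch": method_nsswitch, "static": method_static}
GSS_METHODS = {"nsswitch": method_nsswitch_gss, "static": method_static}


def resolve(name, conf, gss=False):
    """Try the configured methods in order; return (uid, method) or Nobody-User."""
    trans = conf["Translation"]
    if gss:
        order = csv(trans.get("GSS-Methods", trans.get("Method", "nsswitch")))
        table = GSS_METHODS
    else:
        order = csv(trans.get("Method", "nsswitch"))
        table = METHODS
    for m in order:
        local = table[m](name, conf)
        if local is not None:
            return PASSWD[local], m
    return PASSWD[conf["Mapping"]["Nobody-User"]], "nobody"


CONF = load_conf(CONF_TEXT)

if __name__ == "__main__":
    print(resolve("juser@domain.org", CONF))
    print(resolve("juser@other.org", CONF))
    print(resolve("johndoe@OTHER.DOMAIN.ORG", CONF, gss=True))
    print(resolve("juser@MY.DOMAIN.ORG", CONF, gss=True))
    print(resolve("juser@ELSEWHERE.ORG", CONF, gss=True))
```

       The order matters: with GSS-Methods = static,nsswitch the [Static]
       entry wins for johndoe@OTHER.DOMAIN.ORG even though that realm is not
       in Local-Realms, while a principal from an unlisted realm that has no
       static entry ends up as Nobody-User rather than as a same-named local
       account.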
   [UMICH_SCHEMA] section variables
       If the "umich_ldap" translation method is specified, the following
       variables within the [UMICH_SCHEMA] section are used.

       LDAP_server
              LDAP server name or address (Required if using UMICH_LDAP)

       LDAP_base
              Absolute LDAP search base. (Required if using UMICH_LDAP)

       LDAP_people_base
              Absolute LDAP search base for people accounts. (Default: The
              LDAP_base value)

       LDAP_group_base
              Absolute LDAP search base for group accounts. (Default: The
              LDAP_base value)

       LDAP_canonicalize_name
              Whether or not to perform name canonicalization on the name
              given as LDAP_server (Default: "true")

       LDAP_use_ssl
              Set to "true" to enable SSL communication with the LDAP server.
              Without it, the mapping queries and the uid/gid values they
              return travel in cleartext. (Default: "false")

       LDAP_ca_cert
              Location of a trusted CA certificate used when SSL is enabled
              (Required if LDAP_use_ssl is true)

       NFSv4_person_objectclass
              The object class name for people accounts in your local LDAP
              schema (Default: NFSv4RemotePerson)

       NFSv4_name_attr
              Your local schema's attribute name to be used for NFSv4 user
              names (Default: NFSv4Name)

       NFSv4_uid_attr
              Your local schema's attribute name to be used for uidNumber
              (Default: uidNumber)

       GSS_principal_attr
              Your local schema's attribute name for GSSAPI Principal names
              (Default: GSSAuthName)

       NFSv4_acctname_attr
              Your local schema's attribute name to be used for account names
              (Default: uid)

       NFSv4_group_objectclass
              The object class name for group accounts in your local LDAP
              schema (Default: NFSv4RemoteGroup)

       NFSv4_gid_attr
              Your local schema's attribute name to be used for gidNumber
              (Default: gidNumber)

       NFSv4_group_attr
              Your local schema's attribute name to be used for NFSv4 group
              names (Default: NFSv4Name)

       LDAP_use_memberof_for_groups
              Some LDAP servers are indexed well enough that searching through
              all groups for the account in the member attribute is fast. On
              others, such as the SunOne directory, that search can take
              minutes when there are thousands of groups. Setting
              LDAP_use_memberof_for_groups to true makes the plug-in read the
              account's memberof list instead and search only those groups to
              obtain gids. (Default: false)

       NFSv4_member_attr
              If LDAP_use_memberof_for_groups is true, this is the attribute
              to be searched for. (Default: memberUid)

       NFSv4_grouplist_filter
              An optional search filter for determining group membership. (No
              Default)

       LDAP_timeout_seconds
              Number of seconds before timing out an LDAP request (Default: 4)

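       How the schema variables above combine into the directory searches the
       umich_ldap method performs, as an added example that is not the
       plug-in's own code. It builds the filters for the user, principal and
       group lookups from the documented defaults and escapes the
       caller-supplied name per RFC 4515 before embedding it, because the
       NFSv4 owner string arrives from the network. The filter shapes, the
       way NFSv4_grouplist_filter is AND-ed in, and the per-DN read used when
       LDAP_use_memberof_for_groups is true are assumptions; the page only
       names the variables and defaults.

```python
# Added example, not the umich_ldap plug-in's code: composing LDAP search
# filters from the [UMICH_SCHEMA] settings with RFC 4515 value escaping.

# Documented defaults from the [UMICH_SCHEMA] section.
SCHEMA = {
    "NFSv4_person_objectclass": "NFSv4RemotePerson",
    "NFSv4_name_attr": "NFSv4Name",
    "GSS_principal_attr": "GSSAuthName",
    "NFSv4_acctname_attr": "uid",
    "NFSv4_group_objectclass": "NFSv4RemoteGroup",
    "NFSv4_member_attr": "memberUid",
    "LDAP_use_memberof_for_groups": "false",
    "NFSv4_grouplist_filter": "",
}

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so a name taken from the wire cannot alter filter structure."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def person_filter_for_nfsv4_name(name, schema=SCHEMA):
    """Filter for the NFSv4 name -> uidNumber lookup."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["NFSv4_person_objectclass"],
        schema["NFSv4_name_attr"],
        escape_filter_value(name),
    )


def person_filter_for_principal(principal, schema=SCHEMA):
    """Filter for the GSS principal -> account lookup."""
    return "(&(objectClass=%s)(%s=%s))" % (
        schema["NFSv4_person_objectclass"],
        schema["GSS_principal_attr"],
        escape_filter_value(principal),
    )


def group_searches_for_account(acct_name, memberof_dns, schema=SCHEMA):
    """Return the (scope, base, filter) searches used to collect an account's gids.

    Default: one subtree search for every group whose member attribute lists the
    account, optionally narrowed by NFSv4_grouplist_filter (assumed AND-ed in).
    With LDAP_use_memberof_for_groups = true: one base-scoped read per DN taken
    from the account's memberof attribute, so only those groups are touched.
    """
    group_class = schema["NFSv4_group_objectclass"]
    if schema["LDAP_use_memberof_for_groups"].lower() == "true":
        return [("base", dn, "(objectClass=%s)" % group_class) for dn in memberof_dns]
    filt = "(&(objectClass=%s)(%s=%s))" % (
        group_class, schema["NFSv4_member_attr"], escape_filter_value(acct_name))
    extra = schema["NFSv4_grouplist_filter"]
    if extra:
        filt = "(&%s%s)" % (filt, extra)
    return [("subtree", None, filt)]


if __name__ == "__main__":
    print(person_filter_for_nfsv4_name("juser@domain.org"))
    print(person_filter_for_principal("juser@DOMAIN.ORG"))
    print(person_filter_for_nfsv4_name("odd*name (test)"))  # special characters escaped
    print(group_searches_for_account("juser", []))
    fast = dict(SCHEMA, LDAP_use_memberof_for_groups="true")
    print(group_searches_for_account("juser", ["cn=staff,ou=Groups,dc=domain,dc=org"], fast))
```

       The group half shows why the LDAP_use_memberof_for_groups trade-off
       exists: the default form is a single query whose cost grows with the
       number of groups in LDAP_group_base, while the memberof form issues
       one cheap read per group the account is already known to belong to.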
EXAMPLES
       An example /etc/idmapd.conf file:

              [General]

              Verbosity = 0
              Domain = domain.org
              Local-Realms = DOMAIN.ORG,MY.DOMAIN.ORG,YOUR.DOMAIN.ORG

              [Mapping]

              Nobody-User = nfsnobody
              Nobody-Group = nfsnobody

              [Translation]

              Method = umich_ldap,nsswitch
              GSS-Methods = umich_ldap,static

              [Static]

              johndoe@OTHER.DOMAIN.ORG = johnny

              [UMICH_SCHEMA]

              LDAP_server = ldap.domain.org
              LDAP_base = dc=domain,dc=org

SEE ALSO
       idmapd(8) svcgssd(8)

BUGS
       Report bugs to <nfsv4@linux-nfs.org>

                                  19 Nov 2008                     idmapd.conf(5)