idmapd.conf(5)                File Formats Manual               idmapd.conf(5)




NAME

       idmapd.conf - configuration file for libnfsidmap


SYNOPSIS

       Configuration file for libnfsidmap.  Used by idmapd and svcgssd to map
       NFSv4 names to and from local IDs.


DESCRIPTION

       The idmapd.conf configuration file consists of several sections,
       initiated by strings of the form [General] and [Mapping].  Each section
       may contain lines of the form
         variable = value
       The recognized sections and their recognized variables are as follows:

   [General] section variables
       Verbosity
              Verbosity level of debugging (Default: 0)

       Domain The local NFSv4 domain name.  An NFSv4 domain is a namespace
              with a unique username<->UID and groupname<->GID mapping.
              (Default: Host's fully-qualified DNS domain name)

       No-Strip
              In multi-domain environments, some NFS servers will append the
              identity management domain to the owner and owner_group in lieu
              of a true NFSv4 domain.  This option can facilitate lookups in
              such environments.  If set to a value other than "none", the
              nsswitch plugin will first pass the name to the password/group
              lookup function without stripping the domain off.  If that
              mapping fails then the plugin will try again using the old
              method (comparing the domain in the string to the Domain value,
              stripping it if it matches, and passing the resulting short name
              to the lookup function).  Valid values are "user", "group",
              "both", and "none".  (Default: "none")

       Reformat-Group
              Winbind has a quirk whereby doing a group lookup in UPN format
              (e.g. staff@americas.example.com) will cause the group to be
              displayed prefixed with the full domain in uppercase (e.g.
              AMERICAS.EXAMPLE.COM\staff) instead of in the familiar netbios
              name format (e.g. AMERICAS\staff).  Setting this option to true
              causes the name to be reformatted before passing it to the group
              lookup function in order to work around this.  This setting is
              ignored unless No-Strip is set to either "both" or "group".
              (Default: "false")

       Local-Realms
              A comma-separated list of Kerberos realm names that may be
              considered equivalent to the local realm name.  For example,
              users juser@ORDER.EDU and juser@MAIL.ORDER.EDU may be considered
              to be the same user in the specified Domain.  Because a
              principal from any listed realm is mapped to the local account
              of the same name, list only realms whose administrators you
              trust to vouch for those user names.  (Default: the host's
              default realm name)
              Note: If a value is specified here, the default local realm must
              be included as well.

   [Mapping] section variables
       Nobody-User
              Local user name to be used when a mapping cannot be completed.

       Nobody-Group
              Local group name to be used when a mapping cannot be completed.

   [Translation] section variables
       Method A comma-separated, ordered list of mapping methods (plug-ins) to
              use when mapping between NFSv4 names and local IDs.  Each
              specified method is tried in order until a mapping is found, or
              there are no more methods to try.  The methods included in the
              default distribution include "nsswitch", "umich_ldap", and
              "static".  (Default: nsswitch)

       GSS-Methods
              An optional comma-separated, ordered list of mapping methods
              (plug-ins) to use when mapping between GSS Authenticated names
              and local IDs.  (Default: the same list as specified for Method)

   [Static] section variables
       The "static" translation method maps GSS-authenticated names to local
       user names using a fixed list.  Entries in the list are of the form:
        principal@REALM = localusername

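       The lookup behaviour described under No-Strip and Reformat-Group in
       [General], the ordered GSS-Methods chain in [Translation], the [Static]
       table and the Nobody-User fall-back from [Mapping], modelled together
       as an added example.  This is illustration written for this page, not
       libnfsidmap's own code: the passwd and group tables, the [Static]
       entries and the configuration values are constructed sample data, and
       the treatment of a name without "@" as an already-short name, the
       netbios reformatting rule and the exact-match realm check are
       simplifying assumptions about what the real plug-ins do.

```python
"""Model of how idmapd.conf settings steer NFSv4 name mapping.

Added illustration, not libnfsidmap code.  It mirrors the man page's
description of the nsswitch plug-in (Domain, No-Strip, Reformat-Group),
an ordered GSS-Methods chain ("static" then "nsswitch" with Local-Realms)
and the [Mapping] Nobody-User fall-back.  All tables are constructed;
the real library consults getpwnam()/getgrnam().
"""

# Constructed configuration (assumed values, not from the page's example).
CONFIG = {
    "Domain": "example.com",
    "No-Strip": "none",            # "user", "group", "both" or "none"
    "Reformat-Group": False,
    "Local-Realms": ["EXAMPLE.COM", "CORP.EXAMPLE.COM"],
    "Nobody-User": "nfsnobody",
    "GSS-Methods": ["static", "nsswitch"],
}

# Constructed stand-ins for the passwd and group databases (name -> id).
# The UPN-style entries are what a winbind-backed system might return.
PASSWD = {"alice": 1001, "bob": 1002, "johnny": 1004, "nfsnobody": 65534,
          "carol@americas.example.com": 1003}
GROUP = {"staff": 2001, "AMERICAS\\staff": 2002, "nfsnobody": 65534}

# Constructed [Static] section: principal@REALM = localusername
STATIC = {"johndoe@OTHER.EXAMPLE.COM": "johnny"}


def strip_domain(name, domain):
    """The 'old method': accept 'user@DOMAIN' only when DOMAIN == Domain.
    A name with no '@' is taken as already short (simplifying assumption)."""
    if "@" not in name:
        return name
    short, _, dom = name.rpartition("@")
    return short if dom.lower() == domain.lower() else None


def reformat_group(name):
    """Reformat-Group work-around: 'staff@americas.example.com' becomes
    'AMERICAS\\staff' (netbios style: uppercase first DNS label).
    Simplified model of the behaviour the man page describes."""
    if "@" not in name:
        return name
    short, _, dom = name.rpartition("@")
    return f"{dom.split('.')[0].upper()}\\{short}"


def nss_lookup(name, kind, cfg):
    """Model of the nsswitch plug-in; kind is 'user' or 'group'."""
    table = PASSWD if kind == "user" else GROUP
    if cfg["No-Strip"] in (kind, "both"):
        candidate = name
        if kind == "group" and cfg["Reformat-Group"]:
            candidate = reformat_group(name)
        if candidate in table:             # first pass: domain left on
            return table[candidate]
    short = strip_domain(name, cfg["Domain"])   # second pass: old method
    if short is not None and short in table:
        return table[short]
    return None


def nss_princ_to_uid(principal, cfg):
    """nsswitch handling of a GSS principal: the realm must be one of
    Local-Realms, then the short name goes through the user lookup."""
    if "@" not in principal:
        return None
    short, _, realm = principal.rpartition("@")
    if realm not in cfg["Local-Realms"]:
        return None
    return nss_lookup(short, "user", cfg)


def static_princ_to_uid(principal, cfg):
    """static plug-in: exact principal@REALM match, then local user lookup."""
    local = STATIC.get(principal)
    return PASSWD.get(local) if local is not None else None


PRINC_METHODS = {"static": static_princ_to_uid, "nsswitch": nss_princ_to_uid}


def gss_princ_to_uid(principal, cfg):
    """Try each GSS-Methods plug-in in order.  When every method fails,
    return the uid of Nobody-User together with a flag so that a caller
    can tell a genuine mapping from the fall-back."""
    for method in cfg["GSS-Methods"]:
        uid = PRINC_METHODS[method](principal, cfg)
        if uid is not None:
            return uid, True
    return PASSWD[cfg["Nobody-User"]], False


if __name__ == "__main__":
    print(gss_princ_to_uid("alice@EXAMPLE.COM", CONFIG))          # (1001, True)
    print(gss_princ_to_uid("alice@EVIL.EXAMPLE.COM", CONFIG))     # (65534, False)
    print(gss_princ_to_uid("johndoe@OTHER.EXAMPLE.COM", CONFIG))  # (1004, True)
```

       The fall-back flag is the point to watch: a file owned by a principal
       from a realm outside Local-Realms silently becomes Nobody-User, which
       is the intended safe default, but the same thing happens when a realm
       is simply missing from the list, so mapping failures should be logged
       rather than taken as "nobody owns this".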
   [UMICH_SCHEMA] section variables
       If the "umich_ldap" translation method is specified, the following
       variables within the [UMICH_SCHEMA] section are used.

       LDAP_server
              LDAP server name or address (Required if using UMICH_LDAP)

       LDAP_base
              Absolute LDAP search base.  (Required if using UMICH_LDAP)

       LDAP_people_base
              Absolute LDAP search base for people accounts.  (Default: The
              LDAP_base value)

       LDAP_group_base
              Absolute LDAP search base for group accounts.  (Default: The
              LDAP_base value)

       LDAP_canonicalize_name
              Whether or not to perform name canonicalization on the name
              given as LDAP_server (Default: "true")

       LDAP_use_ssl
              Set to "true" to enable SSL communication with the LDAP server.
              With the default, name and ID lookups travel to the server in
              the clear and the server is not authenticated, so the mapping
              data can be read, or answered, by anyone on the path who can
              speak in the server's place.  (Default: "false")

       LDAP_ca_cert
              Location of a trusted CA certificate used when SSL is enabled;
              the server's certificate must chain to it for the connection to
              be accepted.  (Required if LDAP_use_ssl is true)
114
       NFSv4_person_objectclass
              The object class name for people accounts in your local LDAP
              schema (Default: NFSv4RemotePerson)

       NFSv4_name_attr
              Your local schema's attribute name to be used for NFSv4 user
              names (Default: NFSv4Name)

       NFSv4_uid_attr
              Your local schema's attribute name to be used for uidNumber
              (Default: uidNumber)

       GSS_principal_attr
              Your local schema's attribute name for GSSAPI Principal names
              (Default: GSSAuthName)

       NFSv4_acctname_attr
              Your local schema's attribute name to be used for account names
              (Default: uid)

       NFSv4_group_objectclass
              The object class name for group accounts in your local LDAP
              schema (Default: NFSv4RemoteGroup)

       NFSv4_gid_attr
              Your local schema's attribute name to be used for gidNumber
              (Default: gidNumber)

       NFSv4_group_attr
              Your local schema's attribute name to be used for NFSv4 group
              names (Default: NFSv4Name)

       LDAP_use_memberof_for_groups
              Some LDAP servers index well enough that searching through all
              the groups for the user in their memberUid lists is fast.  On
              others, such as the SunOne directory, that search can take
              minutes when there are thousands of groups.  Setting
              LDAP_use_memberof_for_groups to true instead walks the account's
              memberOf list and searches only those groups to obtain the GIDs.
              (Default: false)

       NFSv4_member_attr
              If LDAP_use_memberof_for_groups is true, this is the attribute
              to be searched for.  (Default: memberUid)

       NFSv4_grouplist_filter
              An optional search filter for determining group membership.  (No
              Default)

       LDAP_timeout_seconds
              Number of seconds before timing out an LDAP request (Default: 4)


EXAMPLES

       An example /etc/idmapd.conf file:


       [General]

       Verbosity = 0
       Domain = domain.org
       Local-Realms = DOMAIN.ORG,MY.DOMAIN.ORG,YOUR.DOMAIN.ORG

       [Mapping]

       Nobody-User = nfsnobody
       Nobody-Group = nfsnobody

       [Translation]

       Method = umich_ldap,nsswitch
       GSS-Methods = umich_ldap,static

       [Static]

       johndoe@OTHER.DOMAIN.ORG = johnny

       [UMICH_SCHEMA]

       LDAP_server = ldap.domain.org
       LDAP_base = dc=domain,dc=org



SEE ALSO

       idmapd(8) svcgssd(8)


BUGS

       Report bugs to <nfsv4@linux-nfs.org>



                                  19 Nov 2008                   idmapd.conf(5)