idmapd.conf(5)                File Formats Manual               idmapd.conf(5)

NAME
       idmapd.conf - configuration file for libnfsidmap

DESCRIPTION
       Configuration file for libnfsidmap.  Used by idmapd and svcgssd to map
       NFSv4 names to and from ids.

FILE FORMAT
       The idmapd.conf configuration file consists of several sections,
       initiated by strings of the form [General] and [Mapping].  Each section
       may contain lines of the form

              variable = value

       The recognized sections and their recognized variables are as follows:

   [General] section variables
       Verbosity
              Verbosity level of debugging (Default: 0)

       Domain The local NFSv4 domain name.  An NFSv4 domain is a namespace
              with a unique username<->UID and groupname<->GID mapping.
              (Default: Host's fully-qualified DNS domain name)

       No-Strip
              In multi-domain environments, some NFS servers will append the
              identity management domain to the owner and owner_group in lieu
              of a true NFSv4 domain.  This option can facilitate lookups in
              such environments.  If set to a value other than "none", the
              nsswitch plugin will first pass the name to the password/group
              lookup function without stripping the domain off.  If that
              mapping fails then the plugin will try again using the old
              method (comparing the domain in the string to the Domain value,
              stripping it if it matches, and passing the resulting short name
              to the lookup function).  Valid values are "user", "group",
              "both", and "none".  (Default: "none")

       Reformat-Group
              Winbind has a quirk whereby doing a group lookup in UPN format
              (e.g. staff@americas.example.com) will cause the group to be
              displayed prefixed with the full domain in uppercase (e.g.
              AMERICAS.EXAMPLE.COM\staff) instead of in the familiar netbios
              name format (e.g. AMERICAS\staff).  Setting this option to true
              causes the name to be reformatted before passing it to the group
              lookup function in order to work around this.  This setting is
              ignored unless No-Strip is set to either "both" or "group".
              (Default: "false")

       Local-Realms
              A comma-separated list of Kerberos realm names that may be
              considered equivalent to the local realm name.  For example,
              users juser@ORDER.EDU and juser@MAIL.ORDER.EDU may be considered
              to be the same user in the specified Domain.  (Default: the
              host's default realm name)
              Note: If a value is specified here, the default local realm must
              be included as well.

   [Mapping] section variables
       Nobody-User
              Local user name to be used when a mapping cannot be completed.

       Nobody-Group
              Local group name to be used when a mapping cannot be completed.

   [Translation] section variables
       Method A comma-separated, ordered list of mapping methods (plug-ins) to
              use when mapping between NFSv4 names and local IDs.  Each
              specified method is tried in order until a mapping is found, or
              there are no more methods to try.  The methods included in the
              default distribution include "nsswitch", "umich_ldap", and
              "static".  (Default: nsswitch)

       GSS-Methods
              An optional comma-separated, ordered list of mapping methods
              (plug-ins) to use when mapping between GSS Authenticated names
              and local IDs.  (Default: the same list as specified for Method)

   [Static] section variables
       The "static" translation method uses a static list of GSS-Authenticated
       names to local user names.  Entries in the list are of the form:

              principal@REALM = localusername
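       The following Python model is an added illustration of the rules the
       [General], [Mapping], [Translation] and [Static] sections describe (the
       No-Strip two-pass lookup, Reformat-Group rewriting, Local-Realms
       matching, ordered Method chaining and the Nobody-User/Nobody-Group
       fallback).  It is not libnfsidmap code: the configuration dictionary,
       the passwd/group/static tables and the way the NetBIOS name is derived
       from the first DNS label are all constructed assumptions for the
       example; the real plugins consult the system databases and LDAP.

```python
"""Model of the name-mapping rules documented in idmapd.conf(5).

Added illustration, not libnfsidmap code.  Everything below (config dict,
lookup tables, NetBIOS derivation) is a constructed assumption.
"""
from typing import Dict, List, Optional

# Constructed stand-ins for the local password and group databases.
PASSWD: Dict[str, int] = {"alice": 1000, "bob@americas.example.com": 1001,
                          "johnny": 1002, "nfsnobody": 65534}
GROUPS: Dict[str, int] = {"staff": 500, "AMERICAS\\staff": 501,
                          "nfsnobody": 65534}
# [Static] section entries: principal@REALM = localusername
STATIC: Dict[str, str] = {"johndoe@OTHER.DOMAIN.ORG": "johnny"}


def strip_domain(name: str, domain: str) -> Optional[str]:
    """The 'old method': compare the part after '@' with the configured
    Domain and return the short name, or None if the domains differ."""
    if "@" not in name:
        return name
    short, _, dom = name.rpartition("@")
    return short if dom.lower() == domain.lower() else None


def reformat_group(name: str) -> str:
    """Reformat-Group: rewrite a UPN-style group (staff@americas.example.com)
    into the NetBIOS form winbind resolves (AMERICAS\\staff).  Assumption:
    the NetBIOS name is the first DNS label, upper-cased."""
    if "@" not in name:
        return name
    group, _, dom = name.rpartition("@")
    return f"{dom.split('.')[0].upper()}\\{group}"


def nsswitch_lookup(name: str, kind: str, cfg: Dict[str, str],
                    table: Dict[str, int]) -> Optional[int]:
    """nsswitch method: with No-Strip set for this kind, try the full name
    first (reformatted for groups if Reformat-Group is true), then fall back
    to stripping the Domain."""
    no_strip = cfg.get("No-Strip", "none").lower()
    if no_strip in ("both", kind):
        candidate = name
        if kind == "group" and cfg.get("Reformat-Group", "false").lower() == "true":
            candidate = reformat_group(name)
        if candidate in table:
            return table[candidate]
    short = strip_domain(name, cfg["Domain"])
    return table.get(short) if short is not None else None


def static_lookup(principal: str, static: Dict[str, str],
                  table: Dict[str, int]) -> Optional[int]:
    """static method: GSS principal -> local user name -> uid."""
    local = static.get(principal)
    return table.get(local) if local else None


def is_local_realm(principal: str, cfg: Dict[str, str]) -> bool:
    """Local-Realms: a principal whose REALM appears in the comma-separated
    list is treated as a user of the local Domain."""
    realms = {r.strip().upper() for r in cfg.get("Local-Realms", "").split(",")}
    return principal.rpartition("@")[2].upper() in realms


def map_name(name: str, kind: str, cfg: Dict[str, str],
             methods: Optional[List[str]] = None) -> int:
    """[Translation] Method / GSS-Methods: try each method in order and fall
    back to Nobody-User or Nobody-Group when none of them maps the name."""
    table = PASSWD if kind == "user" else GROUPS
    if methods is None:
        methods = [m.strip() for m in cfg.get("Method", "nsswitch").split(",")]
    for method in methods:
        if method == "nsswitch":
            found = nsswitch_lookup(name, kind, cfg, table)
        elif method == "static" and kind == "user":
            found = static_lookup(name, STATIC, table)
        else:
            found = None  # umich_ldap and unknown methods are not modelled
        if found is not None:
            return found
    nobody = cfg["Nobody-User"] if kind == "user" else cfg["Nobody-Group"]
    return table[nobody]
```

       With No-Strip left at "none", a name carrying a domain other than the
       configured Domain never reaches the lookup function and resolves to
       Nobody-User; that is the intended safety net, so an unexpected flood of
       nfsnobody ownership on a client is usually a Domain mismatch rather than
       a permissions problem.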

   [UMICH_SCHEMA] section variables
       If the "umich_ldap" translation method is specified, the following
       variables within the [UMICH_SCHEMA] section are used.

       LDAP_server
              LDAP server name or address (Required if using UMICH_LDAP)

       LDAP_base
              Absolute LDAP search base.  (Required if using UMICH_LDAP)

       LDAP_people_base
              Absolute LDAP search base for people accounts.  (Default: The
              LDAP_base value)

       LDAP_group_base
              Absolute LDAP search base for group accounts.  (Default: The
              LDAP_base value)

       LDAP_canonicalize_name
              Whether or not to perform name canonicalization on the name
              given as LDAP_server (Default: "true")

       LDAP_use_ssl
              Set to "true" to enable SSL communication with the LDAP server.
              (Default: "false")

       LDAP_ca_cert
              Location of a trusted CA certificate used when SSL is enabled
              (Required if LDAP_use_ssl is true and LDAP_tls_reqcert is not
              set to never)

       LDAP_tls_reqcert
              Controls the LDAP server certificate validation behavior.  It
              can take the same values as ldap.conf(5)'s TLS_REQCERT tunable.
              (Default: "hard")
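       The three transport variables above interact: LDAP_use_ssl defaults to
       off, and once it is on, LDAP_tls_reqcert decides whether the server's
       certificate is actually checked against LDAP_ca_cert.  The following
       audit script is an added illustration, not part of nfs-utils: it parses
       an idmapd.conf with Python's configparser and reports the combinations
       this page documents as weak or incomplete.  The two embedded
       configurations are constructed samples, the CA path in the hardened
       one is a placeholder, and the finding codes are the script's own labels.

```python
"""Audit the LDAP transport settings of an idmapd.conf.

Added illustration, not part of nfs-utils or libnfsidmap.  The sample
configurations are constructed and the finding codes are this script's own.
"""
import configparser
from typing import List, Tuple

# Constructed sample: TLS is on, but TLS_REQCERT=never accepts any server.
WEAK_CONF = """\
[General]
Domain = domain.org

[Translation]
Method = umich_ldap,nsswitch

[UMICH_SCHEMA]
LDAP_server = ldap.domain.org
LDAP_base = dc=domain,dc=org
LDAP_use_ssl = true
LDAP_tls_reqcert = never
"""

# Constructed sample: TLS on, certificate required and pinned to a CA file
# (the path is a placeholder).
HARDENED_CONF = """\
[General]
Domain = domain.org

[Translation]
Method = umich_ldap,nsswitch

[UMICH_SCHEMA]
LDAP_server = ldap.domain.org
LDAP_base = dc=domain,dc=org
LDAP_use_ssl = true
LDAP_ca_cert = /etc/pki/tls/certs/ldap-ca.pem
LDAP_tls_reqcert = hard
"""


def load(text: str) -> configparser.ConfigParser:
    """Parse idmapd.conf's 'variable = value' sections, keeping the
    documented mixed-case variable names instead of lower-casing them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def ldap_in_use(cp: configparser.ConfigParser) -> bool:
    """umich_ldap matters only if Method or GSS-Methods selects it;
    GSS-Methods defaults to the Method list."""
    method = cp.get("Translation", "Method", fallback="nsswitch")
    gss = cp.get("Translation", "GSS-Methods", fallback=method)
    used = {m.strip() for m in (method + "," + gss).split(",")}
    return "umich_ldap" in used


def audit_ldap_transport(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the [UMICH_SCHEMA] transport
    settings; an empty list means nothing documented as weak was found."""
    cp = load(text)
    if not ldap_in_use(cp):
        return []

    def get(key: str, default=None):
        return cp.get("UMICH_SCHEMA", key, fallback=default)

    findings: List[Tuple[str, str]] = []
    for required in ("LDAP_server", "LDAP_base"):
        if not get(required):
            findings.append(("missing-" + required,
                             f"{required} is required when umich_ldap is used"))
    if get("LDAP_use_ssl", "false").lower() != "true":
        findings.append(("ldap-cleartext",
                         "LDAP_use_ssl is false: lookups travel unencrypted"))
        return findings  # the remaining checks only apply with SSL on
    reqcert = get("LDAP_tls_reqcert", "hard").lower()
    if reqcert in ("never", "allow"):
        findings.append(("cert-not-verified",
                         f"LDAP_tls_reqcert={reqcert} accepts any server certificate"))
    if reqcert != "never" and not get("LDAP_ca_cert"):
        findings.append(("missing-ca-cert",
                         "LDAP_ca_cert is required when LDAP_use_ssl is true "
                         "and LDAP_tls_reqcert is not never"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ldap_transport(conf))
```

       Because LDAP_tls_reqcert takes the ldap.conf(5) TLS_REQCERT values,
       "never" and "allow" both let a connection proceed without a valid
       server certificate, which is why the script treats them alike; the
       page's default of "hard" together with a LDAP_ca_cert is the
       combination that actually authenticates the directory.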

       NFSv4_person_objectclass
              The object class name for people accounts in your local LDAP
              schema (Default: NFSv4RemotePerson)

       NFSv4_name_attr
              Your local schema's attribute name to be used for NFSv4 user
              names (Default: NFSv4Name)

       NFSv4_uid_attr
              Your local schema's attribute name to be used for uidNumber
              (Default: uidNumber)

       GSS_principal_attr
              Your local schema's attribute name for GSSAPI Principal names
              (Default: GSSAuthName)

       NFSv4_acctname_attr
              Your local schema's attribute name to be used for account names
              (Default: uid)

       NFSv4_group_objectclass
              The object class name for group accounts in your local LDAP
              schema (Default: NFSv4RemoteGroup)

       NFSv4_gid_attr
              Your local schema's attribute name to be used for gidNumber
              (Default: gidNumber)

       NFSv4_group_attr
              Your local schema's attribute name to be used for NFSv4 group
              names (Default: NFSv4Name)

       LDAP_use_memberof_for_groups
              Some LDAP servers index well enough that searching through all
              the groups for the user in each memberUid list is fast.  On
              others, such as the SunOne directory, that search can take
              minutes if there are thousands of groups.  Setting
              LDAP_use_memberof_for_groups to true in the configuration file
              makes the plugin use the account's memberof list and search only
              those groups to obtain gids.  (Default: false)

       NFSv4_member_attr
              If LDAP_use_memberof_for_groups is true, this is the attribute
              to be searched for.  (Default: memberUid)

       NFSv4_grouplist_filter
              An optional search filter for determining group membership.  (No
              Default)

       LDAP_timeout_seconds
              Number of seconds before timing out an LDAP request (Default: 4)

EXAMPLES
       An example /etc/idmapd.conf file:

              [General]

              Verbosity = 0
              Domain = domain.org
              Local-Realms = DOMAIN.ORG,MY.DOMAIN.ORG,YOUR.DOMAIN.ORG

              [Mapping]

              Nobody-User = nfsnobody
              Nobody-Group = nfsnobody

              [Translation]

              Method = umich_ldap,nsswitch
              GSS-Methods = umich_ldap,static

              [Static]

              johndoe@OTHER.DOMAIN.ORG = johnny

              [UMICH_SCHEMA]

              LDAP_server = ldap.domain.org
              LDAP_base = dc=org,dc=domain

SEE ALSO
       idmapd(8) svcgssd(8)

BUGS
       Report bugs to <nfsv4@linux-nfs.org>

                                  19 Nov 2008                    idmapd.conf(5)