idmapd.conf(5) File Formats Manual idmapd.conf(5)


NAME
       idmapd.conf - configuration file for libnfsidmap

SYNOPSIS
       Configuration file for libnfsidmap. Used by idmapd and svcgssd to map
       NFSv4 names to and from local IDs.

DESCRIPTION
       The idmapd.conf configuration file consists of several sections,
       introduced by strings of the form [General] and [Mapping]. Each
       section may contain lines of the form

              variable = value

       The recognized sections and their recognized variables are as follows:

   [General] section variables
       Verbosity
              Verbosity level of debugging (Default: 0)

       Domain
              The local NFSv4 domain name. An NFSv4 domain is a namespace
              with a unique username<->UID and groupname<->GID mapping.
              (Default: the host's fully-qualified DNS domain name)

       No-Strip
              In multi-domain environments, some NFS servers will append the
              identity management domain to the owner and owner_group in
              lieu of a true NFSv4 domain. This option can facilitate
              lookups in such environments. If set to a value other than
              "none", the nsswitch plugin will first pass the name to the
              password/group lookup function without stripping the domain
              off. If that mapping fails, the plugin will try again using
              the old method (comparing the domain in the string to the
              Domain value, stripping it if it matches, and passing the
              resulting short name to the lookup function). Valid values are
              "user", "group", "both", and "none". (Default: "none")

       Reformat-Group
              Winbind has a quirk whereby doing a group lookup in UPN format
              (e.g. staff@americas.example.com) will cause the group to be
              displayed prefixed with the full domain in uppercase (e.g.
              AMERICAS.EXAMPLE.COM\staff) instead of in the familiar NetBIOS
              name format (e.g. AMERICAS\staff). Setting this option to true
              causes the name to be reformatted before passing it to the
              group lookup function in order to work around this. This
              setting is ignored unless No-Strip is set to either "both" or
              "group". (Default: "false")

       Local-Realms
              A comma-separated list of Kerberos realm names that may be
              considered equivalent to the local realm name. For example,
              users juser@ORDER.EDU and juser@MAIL.ORDER.EDU may be
              considered to be the same user in the specified Domain.
              (Default: the host's default realm name)
              Note: If a value is specified here, the default local realm
              must be included as well.

   [Mapping] section variables
       Nobody-User
              Local user name to be used when a mapping cannot be completed.
              Files whose owner cannot be mapped are presented as belonging
              to this user, so it should be an unprivileged account.

       Nobody-Group
              Local group name to be used when a mapping cannot be
              completed.

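The following Python model is an added illustration, not libnfsidmap's own code. It walks through the lookup order the nsswitch method follows under the Domain, No-Strip and Local-Realms settings above, and the Nobody-User fallback from [Mapping]. The configuration text and the passwd table are constructed for the example, and the case-insensitive comparison of the domain suffix is an assumption about the library.

```python
"""Model of how the nsswitch method resolves an NFSv4 owner string under the
Domain, No-Strip and Local-Realms settings, with the Nobody-User fallback.
Added illustration, not libnfsidmap's own code."""
import configparser
from typing import Optional

# Constructed idmapd.conf fragment for this example.
CONF = """
[General]
Domain = example.com
No-Strip = user
Local-Realms = EXAMPLE.COM,MAIL.EXAMPLE.COM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
"""

# Constructed stand-in for the passwd database (login name -> uid). The entry
# "alice@corp.example.com" models a server that appends an identity-management
# domain instead of the NFSv4 domain, which is the case No-Strip exists for.
PASSWD = {
    "alice": 1000,
    "alice@corp.example.com": 2000,
    "bob": 1001,
    "nobody": 65534,
}


def load(conf_text: str) -> configparser.ConfigParser:
    """Parse an idmapd.conf-style text; option names are case-insensitive."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return cfg


CFG = load(CONF)


def strip_domain(name: str, domain: str) -> Optional[str]:
    """Return the short name when the @-suffix equals the configured Domain,
    else None. Assumption: the comparison is case-insensitive."""
    short, sep, dom = name.rpartition("@")
    if not sep or dom.lower() != domain.lower():
        return None
    return short


def nfs4_name_to_uid(name: str, cfg=CFG, passwd=PASSWD) -> int:
    """Owner string -> uid, in the order the No-Strip description gives:
    1. with No-Strip = user or both, look the unstripped name up as-is;
    2. otherwise, or if that failed, strip Domain and look the short name up;
    3. if nothing matched, fall back to Nobody-User."""
    general = cfg["General"]
    no_strip = general.get("No-Strip", "none").lower()
    if no_strip in ("user", "both") and name in passwd:
        return passwd[name]
    short = strip_domain(name, general["Domain"])
    if short is not None and short in passwd:
        return passwd[short]
    return passwd[cfg["Mapping"]["Nobody-User"]]


def principal_to_local_user(principal: str, cfg=CFG) -> Optional[str]:
    """GSS principal -> local account name. Only a realm listed in Local-Realms
    is treated as local; other principals are left to later GSS-Methods."""
    user, sep, realm = principal.rpartition("@")
    realms = [r.strip().upper() for r in cfg["General"]["Local-Realms"].split(",")]
    if sep and realm.upper() in realms:
        return user
    return None


if __name__ == "__main__":
    for owner in ("alice@example.com", "alice@corp.example.com", "bob@other.org"):
        print(owner, "->", nfs4_name_to_uid(owner))
    print("juser@MAIL.EXAMPLE.COM ->", principal_to_local_user("juser@MAIL.EXAMPLE.COM"))
```

With No-Strip set to "none" the same "alice@corp.example.com" owner falls through to the domain comparison, fails it, and lands on Nobody-User; that silent fallback is why a mapping failure shows up as files owned by nobody rather than as an error.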
   [Translation] section variables
       Method
              A comma-separated, ordered list of mapping methods (plug-ins)
              to use when mapping between NFSv4 names and local IDs. Each
              specified method is tried in order until a mapping is found,
              or there are no more methods to try. The methods included in
              the default distribution include "nsswitch", "umich_ldap", and
              "static". (Default: nsswitch)

       GSS-Methods
              An optional comma-separated, ordered list of mapping methods
              (plug-ins) to use when mapping between GSS-authenticated names
              and local IDs. (Default: the same list as specified for
              Method)

   [Static] section variables
       The "static" translation method maps a fixed list of GSS-authenticated
       names to local user names. Entries in the list are of the form:

              principal@REALM = localusername

   [REGEX] section variables
       If the "regex" translation method is specified, the following
       variables within the [REGEX] section are used to map between NFSv4
       names and local IDs.

       User-Regex
              Case-insensitive regular expression that extracts the local
              user name from an NFSv4 name. Multiple expressions may be
              concatenated with '|'. The first match will be used. There is
              no default. A basic regular expression for domain DOMAIN.ORG
              and realm MY.DOMAIN.ORG would be:

                     ^DOMAIN\([^@]+)@MY.DOMAIN.ORG$

       Group-Regex
              Case-insensitive regular expression that extracts the local
              group name from an NFSv4 name. Multiple expressions may be
              concatenated with '|'. The first match will be used. There is
              no default. A basic regular expression for domain DOMAIN.ORG
              and realm MY.DOMAIN.ORG would be:

                     ^([^@]+)@DOMAIN.ORG@MY.DOMAIN.ORG$|^DOMAIN\([^@]+)@MY.DOMAIN.ORG$

       Prepend-Before-User
              Constant string to put before a local user name when building
              an NFSv4 name. Usually this is the short domain name followed
              by '\'. (Default: none)

       Append-After-User
              Constant string to put after a local user name when building
              an NFSv4 name. Usually this is '@' followed by the default
              realm. (Default: none)

       Prepend-Before-Group
              Constant string to put before a local group name when building
              an NFSv4 name. Usually not used. (Default: none)

       Append-After-Group
              Constant string to put after a local group name when building
              an NFSv4 name. Usually this is '@' followed by the domain name
              followed by another '@' and the default realm. (Default: none)

       Group-Name-Prefix
              Constant string that is prepended to a local group name when
              converting it to an NFSv4 name. If an NFSv4 group name has
              this prefix, it is removed when converting it to a local group
              name. With this, group names of a central directory can be
              shortened for an isolated organizational unit if all groups
              have a common prefix. (Default: none)

       Group-Name-No-Prefix-Regex
              Case-insensitive regular expression to exclude groups from
              adding and removing the prefix set by Group-Name-Prefix.
              (Default: none)

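The following Python model is an added illustration, not the libnfsidmap regex plug-in's own code. It shows how the [REGEX] variables compose in both directions: NFSv4 name to local name through User-Regex / Group-Regex and Group-Name-Prefix, and local name back to NFSv4 name through the Prepend/Append strings. The values are the sample ones from the example configuration at the end of this page, rewritten for Python's re syntax (the backslash before the capture group is doubled so the pattern matches a literal DOMAIN\user); applying Group-Name-No-Prefix-Regex to the extracted group name is an assumption.

```python
"""Model of the "regex" translation method driven by the [REGEX] variables.
Added illustration, not the libnfsidmap plug-in's own code: behaviour follows
the variable descriptions, using this page's sample values adapted to Python."""
import configparser
import re
from typing import Optional

# Constructed [REGEX] section. Patterns are in Python re syntax, where "\\"
# matches one literal backslash, so they match names such as DOMAIN\alice.
CONF = r"""
[REGEX]
User-Regex = ^DOMAIN\\([^@]+)@DOMAIN\.ORG$
Group-Regex = ^([^@]+)@DOMAIN\.ORG@DOMAIN\.ORG$|^DOMAIN\\([^@]+)@DOMAIN\.ORG$
Prepend-Before-User = DOMAIN\
Append-After-User = @DOMAIN.ORG
Append-After-Group = @domain.org@domain.org
Group-Name-Prefix = sales-
Group-Name-No-Prefix-Regex = -personal-group$
"""

_cfg = configparser.ConfigParser(interpolation=None)
_cfg.read_string(CONF)
R = _cfg["REGEX"]

# The page says the expressions are case-insensitive and the first match wins.
USER_RE = re.compile(R["User-Regex"], re.IGNORECASE)
GROUP_RE = re.compile(R["Group-Regex"], re.IGNORECASE)
NO_PREFIX_RE = re.compile(R["Group-Name-No-Prefix-Regex"], re.IGNORECASE)
PREFIX = R.get("Group-Name-Prefix", "")


def _first_group(m) -> str:
    # Each '|' alternative carries its own capture group; return the one that
    # took part in the match.
    return next(g for g in m.groups() if g is not None)


def nfs4_to_local_user(nfs4_name: str) -> Optional[str]:
    """NFSv4 owner -> local user name, or None if User-Regex does not match
    (the next method listed in Method would then be tried)."""
    m = USER_RE.match(nfs4_name)
    return _first_group(m) if m else None


def nfs4_to_local_group(nfs4_name: str) -> Optional[str]:
    """NFSv4 owner_group -> local group: extract with Group-Regex, then drop
    Group-Name-Prefix unless Group-Name-No-Prefix-Regex excludes the group.
    Assumption: the exclusion regex is tested against the extracted name."""
    m = GROUP_RE.match(nfs4_name)
    if not m:
        return None
    group = _first_group(m)
    if PREFIX and group.startswith(PREFIX) and not NO_PREFIX_RE.search(group):
        group = group[len(PREFIX):]
    return group


def local_user_to_nfs4(user: str) -> str:
    """Local user -> NFSv4 owner: Prepend-Before-User + name + Append-After-User."""
    return R.get("Prepend-Before-User", "") + user + R.get("Append-After-User", "")


def local_group_to_nfs4(group: str) -> str:
    """Local group -> NFSv4 owner_group, re-adding Group-Name-Prefix for groups
    the exclusion regex does not cover."""
    if PREFIX and not NO_PREFIX_RE.search(group):
        group = PREFIX + group
    return R.get("Prepend-Before-Group", "") + group + R.get("Append-After-Group", "")


if __name__ == "__main__":
    print(nfs4_to_local_user("DOMAIN\\alice@DOMAIN.ORG"))
    print(nfs4_to_local_group("sales-eng@DOMAIN.ORG@DOMAIN.ORG"))
    print(local_user_to_nfs4("alice"), local_group_to_nfs4("eng"))
```

Because the expressions are anchored with ^ and $ and constrained with [^@]+, a name from a foreign domain simply fails to match and is handed to the next method; an unanchored pattern would instead let "alice@DOMAIN.ORG@evil.example" extract "alice", which is the mistake to avoid when writing your own expressions.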
   [UMICH_SCHEMA] section variables
       If the "umich_ldap" translation method is specified, the following
       variables within the [UMICH_SCHEMA] section are used.

       LDAP_server
              LDAP server name or address (Required if using UMICH_LDAP)

       LDAP_base
              Absolute LDAP search base. (Required if using UMICH_LDAP)

       LDAP_people_base
              Absolute LDAP search base for people accounts. (Default: the
              LDAP_base value)

       LDAP_group_base
              Absolute LDAP search base for group accounts. (Default: the
              LDAP_base value)

       LDAP_canonicalize_name
              Whether or not to perform name canonicalization on the name
              given as LDAP_server (Default: "true")

       LDAP_follow_referrals
              Whether or not to follow LDAP referrals. (Default: "true")

       LDAP_use_ssl
              Set to "true" to enable SSL/TLS communication with the LDAP
              server. Without it (or a SASL security layer), queries and
              their results travel in clear text. (Default: "false")

       LDAP_ca_cert
              Location of a trusted CA certificate used when SSL is enabled
              (Required if LDAP_use_ssl is true and LDAP_tls_reqcert is not
              set to never)

       LDAP_tls_reqcert
              Controls the LDAP server certificate validation behavior. It
              can take the same values as ldap.conf(5)'s TLS_REQCERT
              tunable. "never" and "allow" let the session proceed without
              a verified server certificate, so an impersonated directory
              could then supply the ID mappings; keep the default unless
              that consequence is acceptable. (Default: "hard")

       LDAP_timeout_seconds
              Number of seconds before timing out an LDAP request (Default:
              4)

       LDAP_sasl_mech
              SASL mechanism to be used for SASL authentication. Required if
              SASL authentication is to be used (Default: None)

       LDAP_realm
              SASL realm to be used for SASL authentication. (Default: None)

       LDAP_sasl_authcid
              Authentication identity to be used for SASL authentication.
              (Default: None)

       LDAP_sasl_authzid
              Authorization identity to be used for SASL authentication.
              (Default: None)

       LDAP_sasl_secprops
              Cyrus SASL security properties. It can take the same values
              as ldap.conf(5)'s SASL_SECPROPS.

       LDAP_sasl_canonicalize
              Specifies whether the LDAP server hostname should be
              canonicalized. If set to yes, the LDAP library will do a
              reverse hostname lookup. If this is not set, the LDAP
              library's default will be used. (Default: None)

       LDAP_sasl_krb5_ccname
              Path to the Kerberos credential cache. If it is not set, the
              value of the environment variable KRB5CCNAME will be used. If
              the environment variable is not set either, the default
              mechanism of the Kerberos library will be used.

       NFSv4_person_objectclass
              The object class name for people accounts in your local LDAP
              schema (Default: NFSv4RemotePerson)

       NFSv4_name_attr
              Your local schema's attribute name to be used for NFSv4 user
              names (Default: NFSv4Name)

       NFSv4_uid_attr
              Your local schema's attribute name to be used for uidNumber
              (Default: uidNumber)

       GSS_principal_attr
              Your local schema's attribute name for GSSAPI principal names
              (Default: GSSAuthName)

       NFSv4_acctname_attr
              Your local schema's attribute name to be used for account
              names (Default: uid)

       NFSv4_group_objectclass
              The object class name for group accounts in your local LDAP
              schema (Default: NFSv4RemoteGroup)

       NFSv4_gid_attr
              Your local schema's attribute name to be used for gidNumber
              (Default: gidNumber)

       NFSv4_group_attr
              Your local schema's attribute name to be used for NFSv4 group
              names (Default: NFSv4Name)

       LDAP_use_memberof_for_groups
              Some LDAP servers index well enough that searching through all
              groups for the user in each memberUid list is fast. On others,
              such as SunOne Directory, that search can take minutes if
              there are thousands of groups. Setting
              LDAP_use_memberof_for_groups to true makes the plug-in use the
              account's memberOf list instead and search only those groups
              to obtain GIDs. (Default: false)

       NFSv4_member_attr
              If LDAP_use_memberof_for_groups is true, this is the attribute
              to be searched for. (Default: memberUid)

       NFSv4_grouplist_filter
              An optional search filter for determining group membership.
              (No default)

EXAMPLES
       An example /etc/idmapd.conf file:

              [General]

              Verbosity = 0
              Domain = domain.org
              Local-Realms = DOMAIN.ORG,MY.DOMAIN.ORG,YOUR.DOMAIN.ORG

              [Mapping]

              Nobody-User = nfsnobody
              Nobody-Group = nfsnobody

              [Translation]

              Method = umich_ldap,regex,nsswitch
              GSS-Methods = umich_ldap,regex,static

              [Static]

              johndoe@OTHER.DOMAIN.ORG = johnny

              [REGEX]

              User-Regex = ^DOMAIN\([^@]+)@DOMAIN.ORG$
              Group-Regex = ^([^@]+)@DOMAIN.ORG@DOMAIN.ORG$|^DOMAIN\([^@]+)@DOMAIN.ORG$
              Prepend-Before-User = DOMAIN\
              Append-After-User = @DOMAIN.ORG
              Append-After-Group = @domain.org@domain.org
              Group-Name-Prefix = sales-
              Group-Name-No-Prefix-Regex = -personal-group$

              [UMICH_SCHEMA]

              LDAP_server = ldap.domain.org
              LDAP_base = dc=domain,dc=org

SEE ALSO
       idmapd(8) svcgssd(8)

BUGS
       Report bugs to <nfsv4@linux-nfs.org>



19 Nov 2008 idmapd.conf(5)