1NISLDAPmapping(4) File Formats NISLDAPmapping(4)
2
3
4
6 NISLDAPmapping - mapping file used by the NIS server components
7
9 /var/yp/NISLDAPmapping
10
11
13 The NISLDAPmapping file specifies the mapping between NIS map entries
14 and equivalent Directory Information Tree (DIT) entries. The syntax of
15 this file is based on the equivalent NIS+ to LDAP mapping file,
16 NIS+LDAPmapping(4).
17
18
19 The presence of /var/yp/NISLDAPmapping on a NIS master server causes
20 that server to obtain NIS data from LDAP. See ypserv(4). If
21 /var/yp/NISLDAPmapping is present but the connection configuration file
22 that is defined in /etc/default/ypserv cannot be found, a warning is
23 logged. See ypserv(1M).
24
25
26 NIS slave servers always obtain their data from a NIS master server,
27 whether or not that server is getting data from LDAP, and ignore the
28 /var/yp/NISLDAPmapping file.
29
30
31 A simple NISLDAPmapping file is created using inityp2l(1M). You can
32 customize your NISLDAPmapping file as you require.
33
34
35 Each attribute defined below can be specified in/var/yp/NISLDAPmap‐
36 pingLDAP or as an LDAP attribute. If both are specified, then the
37 attribute in /var/yp/NISLDAPmapping (including empty values) takes
38 precedence.
39
40
41 A continuation is indicated by a '\' (backslash) in the last position,
42 immediately before the newline of a line. Characters are escaped, that
43 is, exempted from special interpretation, when preceeded by a backslash
44 character.
45
46
47 The '#' (hash) character starts a comment. White space is either ASCII
48 space or a horizontal tab. In general, lines consist of optional white
49 space, an attribute name, at least one white space character, and an
50 attribute value.
51
53 File Syntax
54 Repeated fields, with separator characters, are described by the fol‐
55 lowing syntax:
56
57 One or more entries entry:entry:entry
58
59 entry[":"...]
60
61
62
63 Zero or more entries
64 [entry":"...]
65
66
67
68 Attributes
69 Attributes generally apply to one more more NIS maps. Map names can be
70 specified either on their own,that is in passwd.byname, in which case
71 they apply to all domains, or for individual NIS domains, for example,
72 in passwd.byname,example.sun.uk. Where a map is mentioned in more than
73 one attribute, both versions are applied. If any parts of the
74 attributes are in conflict, the domain specific version takes prece‐
75 dence over the non-domain specific version.
76
77
78 Each domain specific attributes must appear in NISLDAPmapping before
79 any related non-domain specific attribute. If non-domain specific
80 attributes appear first, behavior may be unpredictable. Errors are
81 logged when non-domain specific attributes are found first.
82
83
84 You can associate a group of map names with a databaseId. In effect, a
85 macro is expanded to the group of names. Use this mechanism where the
86 same group of names is used in many attributes or where domain specific
87 map names are used. Then, you can make any changes to the domain name
88 in one place.
89
90
91 Unless otherwise noted, all elements of the syntaxes below may be sur‐
92 rounded by white space. Separator characters and white space must be
93 escaped if they are part of syntactic elements.
94
95
96 The following attributes are recognized.
97
98 nisLDAPdomainContext
99
100 The context to use for a NIS domain.
101
102 The syntax for nisLDAPdomainContext is:
103
104 NISDomainName ":" context
105
106 The following is an example of the nisLDAPdomainContext attribute:
107
108 domain.one : dc=site, dc=company, dc=com
109
110 The mapping file should define the context for each domain before
111 any other attribute makes use of the NISDomainName specified for
112 that domain.
113
114
115 nisLDAPyppasswddDomains
116
117 Lists the domains for which password changes should be made. NIS
118 password change requests do not specify the domains in which any
119 given password should be changed. In traditional NIS this informa‐
120 tion is effectively hard coded in the NIS makefile.
121
122 The syntax for the nisLDAPyppasswddDomains attribute is:
123
124 domainname
125
126 If there are multiple domains, use multiple nisLDAPyppasswddDomain
127 entries withone domainname per entry.
128
129
130 nisLDAPdatabaseIdMapping
131
132 Sets up an alias for a group of NIS map names. There is no default
133 value.
134
135 The syntax for the nisLDAPdatabaseIdMapping attribute is:
136
137 databaseId ":" ["["indexlist"]"] mapname[" "...]
138
139 where
140
141 databaseId = Label identifying a (subset of a) NIS
142 object for mapping purposes.
143 indexlist = fieldspec[","...]
144 fieldspec = fieldname "=" fieldvalue
145 fieldname = The name of a entry field as defined in
146 nisLDAPnameFields.
147 fieldvalue = fieldvaluestring | \" fieldvaluestring \"
148
149 indexlist is used for those cases where it is necessary to select a
150 subset of entries from a NIS map. The subset are those NIS entries
151 that match the indexlist. If there are multiple specifications
152 indexed for a particular NIS map, they are tried in the order
153 retrieved until one matches. Note that retrieval order usually is
154 unspecified for multi-valued LDAP attributes. Hence, if using
155 indexed specifications when nisLDAPdatabaseIdMapping is retrieved
156 from LDAP, make sure that the subset match is unambiguous.
157
158 If the fieldvaluestring contains white space or commas, it must
159 either be surrounded by double quotes, or the special characters
160 must be escaped. Wildcards are allowed in the fieldvaluestring. See
161 Wildcards
162
163 To associate the passwd.byname and passwd.byuid maps with the
164 passwd databaseId:
165
166 passwd:passwd.byname passwd.byuid
167
168 The passwd and passwd.adjunct databaseIds receive special handling.
169 In addition to its normal usage, passwd defines which maps yppass‐
170 wdd is to update when a passwd is changed. In addition to its nor‐
171 mal usage passwd.adjunct defines which maps yppasswdd is to update
172 when an adjunct passwd is changed.
173
174 You may not alias a single map name to a different name, as the
175 results are unpredictable.
176
177
178 nisLDAPentryTtl
179
180 Establish TTLs for NIS entries derived from LDAP.
181
182 The syntax for the nisLDAPentryTtl attribute is:
183
184 mapName[" "...]":"
185 initialTTLlo ":" initialTTLhi ":" runningTTL
186
187 where
188
189 initialTTLlo The lower limit for the initial TTL (in seconds)
190 for data read from LDAP when the ypserv starts. If
191 the initialTTLhi also is specified, the actual ini‐
192 tialTTL will be randomly selected from the interval
193 initialTTLlo to initialTTLhi , inclusive. Leaving
194 the field empty yields the default value of 1800
195 seconds.
196
197
198 initialTTLhi The upper limit for the initial TTL. If left empty,
199 defaults to 5400.
200
201
202 runningTTL The TTL (in seconds) for data retrieved from LDAP
203 while the ypserv is running. Leave the field empty
204 to obtain the default value of 3600 seconds.
205
206 If there is no specification of TTLs for a particular map, the
207 default values are used.
208
209 If the initialTTLlo and initialTTLhi have the same value, the
210 effect will be that all data known to the ypserv at startup times
211 out at the same time. Depending on NIS data lookup patterns, this
212 could cause spikes in ypserv-to-LDAP traffic. In order to avoid
213 that, you can specify different initialTTLlo and initialTTLhi val‐
214 ues, and obtain a spread in initial TTLs.
215
216 The following is an example of the nisLDAPentryTtl attribute used
217 to specify that entries in the NIS host maps read from LDAP should
218 be valid for four hours. When ypserv restarts, the disk database
219 entries are valid for between two and three hours.
220
221 hosts.byname hosts.byaddr:7200:10800:14400
222
223
224
225 nisLDAPobjectDN
226
227 Specifies the connection between a group of NIS maps and the LDAP
228 directory. This attribute also defines the 'order' of the NIS maps.
229 When NIS maps are bulk copied to or from the DIT, they are pro‐
230 cessed in the same order as related nisLDAPobjectDN attributes
231 appear in /var/yp/NISLDAPmapping.
232
233 The syntax for the nisLDAPobjectDN attribute is:
234
235 mapName[" "...] ":" objectDN *( ";" objectDN )
236
237 where
238
239 objectDN = readObjectSpec [":"[writeObjectSpec]]
240 readObjectSpec = [baseAndScope [filterAttrValList]]
241 writeObjectSpec = [baseAndScope [attrValList]]
242 baseAndScope = [baseDN] ["?" [scope]]
243 filterAttrValList = ["?" [filter | attrValList]]]
244 scope = "base" | "one" | "sub"
245 attrValList = attribute "=" value
246 *("," attribute "=" value)
247
248 The baseDN defaults to the value of the nisLDAPdomainContext
249 attribute for the accessed domain. If the baseDN ends in a comma,
250 the nisLDAPdomainContext value is appended.
251
252 scope defaults to one. scope has no meaning and is ignored in a
253 writeObjectSpec.
254
255 The filter is an LDAP search filter and has no default value.
256
257 The attrValList is a list of attribute and value pairs. There is no
258 default value.
259
260 As a convenience, if an attrValList is specified in a readObject‐
261 Spec, it is converted to a search filter by ANDing together the
262 attributes and the values. For example, the attribute and value
263 list:
264
265 objectClass=posixAccount,objectClass=shadowAccount
266
267 is converted to the filter:
268
269 (&(objectClass=posixAccount)\
270 (objectClass=shadowAccount))
271
272 Map entries are mapped by means of the relevant mapping rules in
273 the nisLDAPnameFields and nisLDAPattributeFromField .
274
275 If a writeObjectSpec is omitted, the effect is one of the follow‐
276 ing:
277
278 o If there is no trailing colon after the readObjectSpec,
279 then there is no write at all.
280
281 o If there is a colon after the readObjectSpec, then
282 writeObjectSpec equals readObjectSpec.
283 The following is an example of a nisLDAPobjectDN attribute declara‐
284 tion that gets the hosts.byaddr map entries from the ou=Hosts con‐
285 tainer under the default search base and writes to the same place.
286
287 hosts.byaddr:ou=Hosts,?one?objectClass=ipHost:
288
289 The following is an example of a nisLDAPobjectDN attribute declara‐
290 tion that obtains passwd map entries from the ou=People containers
291 under the default search base, and also from dc=another,dc=domain.
292
293 passwd:ou=People,?one?\
294 objectClass=shadowAccount,\
295 objectClass=posixAccount:;\
296 ou=People,dc=another,dc=domain,?one?\
297 objectClass=shadowAccount,\
298 objectClass=posixAccount
299
300
301
302 nisLDAPnameFields
303
304 Specifies the content of entries in a NIS map and how they should
305 be broken into named fields. nisLDAPnameFields is required because
306 unlike NIS+, NIS maps do not store information in named fields.
307
308 The syntax for the nisLDAPnameFields attribute is as follows:
309
310 "nisLDAPnameFields" mapName ":" "(" matchspec "," fieldNames ")"
311 fieldName = nameOrArrayName[","...]
312 nameOrArrayName = Name of field or 'array' of repeated fields.
313 matchspec = \" formatString \"
314
315 formatString may contains a list of %s and %a elements each of
316 which represents a single named field or a list of repeated fields.
317 A %a field is interpreted as an IPv4 address or an IPv6 address in
318 preferred format. If an IPv6 address in non preferred format is
319 found, then it is converted and a warning is logged.
320
321 Where there are a list of repeated fields, the entire list is
322 stored as one entry. The fields are broken up into individual
323 entries, based on the internal separator, at a latter stage. Other
324 characters represent separators which must be present. Any separa‐
325 tor, including whitespace, specified by the formatString, may be
326 surrounded by a number of whitespace and tab characters. The white‐
327 space and tab characters are ignored.
328
329 Regardless of the content of this entry some fieldNames are
330 reserved:
331
332 rf_key The DBM key value
333
334
335 rf_ipkey The DBM key value handled as an IP address. See
336 the discussion of %a fields.
337
338
339 rf_comment Everything following the first occurance of a
340 symbol. rf_comment is defined by nisLDAPcom‐
341 mentChar.
342
343
344 rf_domain The name of the domain in which the current NIS
345 operation is being carried out.
346
347
348 rf_searchipkey The rf_searchkey value handled as an IP address.
349 See the discussion of %a fields above.
350
351
352 rf_searchkey See the description under nisLDAPattributeFrom‐
353 Field below.
354
355 For example, the rpc.bynumber map has the format:
356
357 name number alias[" "...]
358
359 The NIS to LDAP system is instructed to break it into a name, a
360 number, and an array of alias field by the following entry in the
361 mapping file:
362
363 nisLDAPnameFields rpc.bynumber : \
364 "%s %s %s", name,number,aliases)
365
366
367
368 nisLDAPsplitFields
369
370 Defines how a field, or list of fields, named by nisLDAPnameFields
371 is split into subfields. The original field is compared with each
372 line of this attribute until one matches. When a match is found
373 named subfields are generated. In latter operations subfield names
374 can be used in the same way as other field names.
375
376 The syntax for the nisLDAPsplitFields attribute is as follows:
377
378 "nisLDAPsplitFields" fieldName ":" splitSpec[","...]
379 splitSpec = "(" matchspec "," subFieldNames ")"
380 fieldName = Name of a field from nisLDAPnameFields
381 subFieldNames = subFieldname[","...]
382 matchspec = \" formatString \"
383
384 The netgroup memberTriples can have format (host, user, domain) or
385 groupname. The format is specified by the attribute:
386
387 nisLDAPsplitField memberTriple: \
388 ("(%s,%s,%s)", host, user, domain) , \
389 ("%s", group)
390
391 Later operations can then use field names host, user, domain, group
392 or memberTriple. Because lines are processed in order, if host,
393 user and domain are found, group will not be generated.
394
395 Several maps and databaseIds may contain fields that are to be
396 split in the same way. As a consequence, the names of fields to be
397 split must be unique across all maps and databaseIds.
398
399 Only one level of spliting is supported.That is, a subfield cannot
400 be split into further subfields.
401
402
403 nisLDAPrepeatedFieldSeparators
404
405 Where there is a list of repeated, splitable fields, nisLDAPrepeat‐
406 edFieldSeparators specifies which characters separate instances of
407 the splitable field.
408
409 The syntax for the nisLDAPrepeatedFieldSeparators attribute is as
410 follows:
411
412 "nisLDAPrepeatedFieldSeparators" fieldName \"sepChar[...]\"
413 sepChar = A separator character.
414
415 The default value is space or tab. If repeated splitable fields are
416 adjacent, that is, there is no separating character, then the fol‐
417 lowing should be specified:
418
419 nisLDAPrepeatedFieldSeparators netIdEntry: ""
420
421
422
423 nisLDAPcommentChar
424
425 Specifies which character represents the start of the special com‐
426 ment field in a given NIS map. If this attribute is not present
427 then the default comment character # is used.
428
429 To specify that a map uses a asterix to mark the start of comments.
430
431 nisLDAPcommentChar mapname : '*'
432
433 If a map cannot contain comments, then the following attribute
434 should be specified.
435
436 nisLDAPcommentChar mapname : ''
437
438
439
440 nisLDAPmapFlags
441
442 Indicates if YP_INTERDOMAIN or YP_SECURE entries should be created
443 in a map. Using nisLDAPmapFlags is equivalent to running
444 makedbm(1M) with the -b or the -s option. When a map is created
445 from the contents of the DIT, the mapping file attribute is the
446 only source for the YP_INTERDOMAIN or YP_SECURE entries.
447
448 The syntax for the nisLDAPmapFlags attribute is as follows:
449
450 "nisLDAPmapFlags" mapname ":" ["b"]["s"]
451
452 By default neither entry is created.
453
454
455 nisLDAPfieldFromAttribute
456
457 Specifies how a NIS entries field values are derived from LDAP
458 attribute values.
459
460 The syntax for the nisLDAPfieldFromAttribute attribute is as fol‐
461 lows:
462
463 mapName ":" fieldattrspec *("," fieldattrspec)
464
465 The format of fieldattrspec is shown below at Field and Attribute
466 Conversion Syntax.
467
468 To map by direct copy and assignment the value of the ipHostNumber
469 attribute to the addr named field, for example:
470
471 addr=ipHostNumber
472
473 Formats for the named field and attribute conversion syntax are
474 discussed below, including examples of complex attribute to field
475 conversions.
476
477
478 nisLDAPattributeFromField
479
480 Specifies how an LDAP attribute value is derived from a NIS entriy
481 field value.
482
483 The syntax for the nisLDAPattributeFromField attribute is as fol‐
484 lows:
485
486 mapName ":" fieldattrspec *("," fieldattrspec )
487
488 The format of fieldattrspec is shown below at Field and Attribute
489 Conversion Syntax.
490
491 As a special case, if the dn attribute value derived from a field‐
492 attrspec ends in a comma (","), the domains context from nisLDAPdo‐
493 mainContext is appended.
494
495 Use the following example to map the value of the addr field to the
496 ipHostNumber attribute by direct copy and assignment:
497
498 ipHostNumber=addr
499
500 All relevant attributes, including the dn, must be specified.
501
502 For every map it must be possible to rapidly find a DIT entry based
503 on its key. There are some maps for which a NIS to LDAP mapping for
504 the key is not desirable, so a key mapping cannot be specified. In
505 these cases a mapping that uses the reserved rf_searchkey must be
506 specified. Mappings that use this field name are ignored when
507 information is mapped into the DIT.
508
509
510 Field and Attribute Conversion Syntax
511 The general format of a fieldattrspec is:
512
513 fieldattrspec = lhs "=" rhs
514 lhs = lval | namespeclist
515 rhs = rval | [namespec]
516 namespeclist = namespec | "(" namespec *("," namespec) ")"
517
518
519
520 The lval and rval syntax are defined below at Values. The format of a
521 namespec is:
522
523 namespec
524 ["ldap:"] attrspec [searchTriple] | ["yp:"] fieldname
525 [mapspec]
526
527
528
529 fieldname
530 field | "(" field ")"
531
532
533
534 attrspec
535 attribute | "(" attribute ")"
536
537
538
539 searchTriple
540 ":" [baseDN] ["?" [scope] ["?" [filter]]]
541
542
543
544 baseDN Base DN for search
545
546
547 filter LDAP search filter
548
549
550 mapspec Map name
551
552
553
554 The repository specification in a namespec defaults is as follows:
555
556 o For assignments to a field:
557
558
559 on the LHS yp
560
561
562 on the RHS ldap
563
564
565 NIS field values on the RHS are those that exist before the NIS
566 entry is modified.
567
568 o For assignments to an attribute:
569
570
571 on the LHS ldap
572
573
574 on the RHS yp
575
576
577 Attribute values on the RHS are those that exist before the LDAP
578 entry is modified.
579
580
581 When the field or attribute name is enclosed in parenthesis, it denotes
582 a list of field or attribute values. For attributes, the meaning is the
583 list of all attributes of that name, and the interpretation depends on
584 the context. See the discussion at Values. The list specification is
585 ignored when a searchTriple or mapspec is supplied.
586
587
588 For fields, the fieldname syntax is used to map multiple attribute
589 instances to multiple NIS entries.
590
591
592 The searchTriple can be used to specify an attribute from a location
593 other than the read or write target. The defaultvalues are as follows:
594
595 baseDN If baseDN is omitted, the default is the current objectDN. If
596 the baseDN ends in a comma, the context of the domain is
597 appended from nisLDAPdomainContext .
598
599
600 scope one
601
602
603 filter Empty
604
605
606
607 Similarly, the mapspec can be used to specify a field value from a NIS
608 map other than the one implicitly indicated by the mapName. If
609 searchTriple or mapspec is explicitly specified in a namespec, the
610 retrieval or assignment, whether from or to LDAP or NIS, is performed
611 without checking if read and write are enabled for the LDAP container
612 or NIS map.
613
614
615 The ommision of the namespec in an rhs is only allowed if the lhs is
616 one or more attributes. The effect is to delete the specified
617 attribute(s). In all other situations, an omitted namespec means that
618 the rule is ignored.
619
620
621 The filter can be a value. See Values. For example, to find the ipHost‐
622 Numberthat uses the cn, you specify the following in the filter field:
623
624 ldap:ipHostNumber:?one?("cn=%s", (cname, "%s.*"))
625
626
627
628 In order to remove ambiguity, the unmodified value of a single field or
629 attribute must be specified as the following when used in the filter
630 field.
631
632 ("%s", namespec)
633
634
635
636 If the filter is not specified, the scope will be base, and the baseDN
637 is assumed to be the DN of the entry that contains the attribute to be
638 retrieved or modified. To use previously existing field or attribute
639 values in the mapping rules requires a lookup to find those values.
640 Obviously, this adds to the time required to perform the modification.
641 Also, there is a window between the time when a value is retrieved and
642 then slightly later stored back. If the values have changed in the mean
643 time, the change may be overwritten.
644
645
646 When fieldattrspecs are grouped into rule sets, in the value of a
647 nisLDAPfieldFromAttribute or nisLDAPattributeFromField attribute, the
648 evaluation of the fieldattrspecs proceed in the listed order. However,
649 evaluation may be done in parallel for multiple fieldattrspecs. If
650 there is an error when evaluating a certain fieldattrspec, including
651 retrieval or assignment of entry or field values, the extent to which
652 the other fieldattrspec rules are evaluated is unspecified.
653
654 Wildcards
655 Where wildcard support is available, it is of the following limited
656 form:
657
658 * Matches any number of characters
659
660
661 [x] Matches the character x
662
663
664 [x-y] Matches any character in the range x to y, inclusive
665
666
667
668 Combinations such as [a-cA-C0123] are also allowed, which would match
669 any one of a, b, c, A, B, C, 0, 1, 2, or 3.
670
671 Substring Extraction
672 substringextract = "(" namespec "," matchspec ")"
673 name = field or attribute name
674 matchspec =
675
676
677
678 The matchspec is a string like the sscanf(3C) format string, except
679 that there may be at most one format specifier, a single %s. The output
680 value of the substringextract is the substring that matches the loca‐
681 tion of the %s.
682
683
684 If there is no %s in the formatstring, it must instead be a single
685 character, which is assumed to be a field separator for the namespec.
686 The output values are the field values. Wild cards are supported. If
687 there is no match, the output value is the empty string, " ".
688
689
690 For example, if the fieldcname has the value user.some.domain.name.,
691 the value of the expression:
692
693 (cname, "%s.*")
694
695
696
697 is user, which can be used to extract the user name from a NIS princi‐
698 pal name.
699
700
701 Similarly, use this expression to extract the third of the colon-sepa‐
702 rated fields of the shadow field:
703
704 (shadow, "*:*:%s:*")
705
706
707
708 This form can be used to extract all of the shadow fields. However, a
709 simpler way to specify that special case is:
710
711 (shadow, ":")
712
713
714 Values
715 lval = "(" formatspec "," namespec *("," namespec) ")"
716 rval = "(" formatspec ["," namelist ["," elide] ] ")"
717
718 namelist = name_or_sse *( "," name_or_sse)
719 name_or_sse = namespec | removespec | substringextract
720 removespec = list_or_name "-" namespec
721 list_or_name = "(" namespec ")" | namespec
722 formatspec =
723 formatstring = A string combining text and % field specifications
724 elide =
725 singlechar = Any character
726
727
728
729 The syntax above is used to produce rval values that incorporate field
730 or attribute values, in a manner like sprintf(3C), or to perform
731 assignments to lval like sscanf(3C). One important restriction is that
732 the format specifications,% plus a single character, use the designa‐
733 tions from ber_printf(3LDAP). Thus, while %s is used to extract a
734 string value, %i causes BER conversion from an integer. Formats other
735 than %s, for instance, %i, are only meaningfully defined in simple for‐
736 mat strings without any other text.
737
738
739 The following ber_printf() format characters are recognized:
740
741 b i n o s
742
743
744
745 If there are too few format specifiers, the format string may be
746 repeated as needed.
747
748
749 When used as an lval, there is a combination of pattern matching and
750 assignment, possibly to multiple fields or attributes.
751
752
753 In an assignment to an attribute, if the value of the addr field is
754 1.2.3.4, the rval:
755
756 ("ipNetworkNumber=%s,", addr)
757
758
759
760 produces the value ipNetworkNumber=1.2.3.4,, while:
761
762 ("(%s,%s,%s)", host, user, domain)
763
764
765
766 results in:
767
768 (assuming host="xyzzy", user="-", domain="x.y.z")
769 "(xyzzy,-,x.y.z)"
770
771
772
773 The elide character feature is used with attribute lists. So:
774
775 ("%s,", (mgrprfc822mailmember), ",")
776
777
778
779 concatenates all mgrprfc822mailmember values into one comma-separated
780 string, and then elides the final trailing comma. Thus, for
781
782 mgrprfc822mailmember=usera
783 mgrprfc822mailmember=userb
784 mgrprfc822mailmember=userc
785
786
787
788 the value would be:
789
790 usera,userb,userc
791
792
793
794 As a special case, to combine an LHS extraction with an RHS implicit
795 list creates multiple entries and values. So
796
797 ("(%s,%s,%s)", host, user, domain)=(nisNetgroupTriple)
798
799
800
801 creates one NIS entry for each nisNetgroupTriple value.
802
803
804 The 'removespec' form is used to exclude previously assigned fields
805 values from a list. So, if an LDAP entry contains:
806
807 name: foo
808 cn: foo
809 cn: foo1
810 cn: foo2
811
812
813
814 and the mapping file specifies :
815
816 myName = name, \
817 myAliases = ("%s ", (cn) - yp:myName, " ")
818
819
820
821 then the following assignments are carried out:
822
823 1. Assign value foo to myName
824
825 2. Assign value foo foo1 foo2 to myAliases
826
827 3. Remove value of myName from value myAliases
828
829
830 This results in the field values myName is set to foo, and myAliases is
831 set to foo1 foo2.
832
833 Assignments
834 The assignment syntax, also found at Field and Attribute Conversion
835 Syntax, is as follows:
836
837 fieldattrspec = lhs "=" rhs
838 lhs = lval | namespeclist
839 rhs = rval | namespec
840 namespeclist = namespec | "(" namespec *("," namespec) ")"
841
842
843
844 The general form of a simple assignment, which is a one-to-one mapping
845 of field to attribute, is:
846
847 ("%s", fieldname)=("%s", attrname)
848
849
850
851 As a convenient shorthand, this can also be written as:
852
853 fieldname=attrname
854
855
856
857 A list specification, which is a name enclosed in parenthesis, can be
858 used to make many-to-many assignments. The expression:
859
860 (fieldname)=(attrname)
861
862
863
864 where there are multiple instances of attrname, creates one NIS entry
865 for each such instance, differentiated by their fieldname values. The
866 following combinations of lists are allowed, but they are not particu‐
867 larly useful:
868
869 (attrname)=(fieldname) Equivalent to attrname=fieldname
870
871
872 attrname=(fieldname) Equivalent to attrname=fieldname
873
874
875 (fieldname)=attrname Equivalent to fieldname=attrname
876
877
878 fieldname=(attrname) Equivalent to fieldname=attrname
879
880
881
882 If a multi-valued RHS is assigned to a single-valued LHS, the LHS value
883 will be the first of the RHS values. If the RHS is an attribute list,
884 the first attribute is the first one returned by the LDAP server when
885 queried. Otherwise, the definition of "first"is implementation depen‐
886 dent.
887
888
889 Finally, the LHS can be an explicit list of fields or attributes, such
890 as:
891
892 (name1,name2,name3)
893
894
895
896 If the RHS is single-valued, this assigns the RHS value to all entities
897 in the list. If the RHS is multi-valued, the first value is assigned to
898 the first entity of the list, the second value to the second entity,
899 and so on. Excess values or entities are silently ignored.
900
902 Example 1 Assigning an Attribute Value to a Field
903
904
905 The following example illustrates how to assign the value of the
906 ipHostNumber attribute to the addr field
907
908
909 addr=ipHostNumber
910
911
912 Example 2 Creating Multiple NIS Entries from Multi-Valued LDAP
913 Attributes
914
915
916 An LDAP entry with:
917
918
919 cn=name1
920 cn=name2
921 cn=name3
922
923
924
925 and the following assignments:
926
927
928 cname=cn
929 (name)=(cn)
930
931
932
933 creates three NIS entries. Other attributes and fields are omitted for
934 clarity.
935
936
937 cname=name1, name=name1
938 cname=name1, name=name2
939 cname=name1, name=name3
940
941
942 Example 3 Assigning String Constants
943
944
945 The following expression sets the passwd field to x:
946
947
948 passwd=("x")
949
950
951 Example 4 Splitting Field Values to Multi-Valued Attributes
952
953
954 The expansion field contains a comma-separated list of alias member
955 names. In the following example, the expression assigns each member
956 name to an instance of mgrprfc822mailmember:
957
958
959 (mgrprfc822mailmember)=(expansion, ",")
960
961
963 /var/yp/NISLDAPmapping Mapping file used by the NIS server compo‐
964 nents
965
966
968 See attributes(5) for descriptions of the following attributes:
969
970
971
972
973 ┌─────────────────────────────┬─────────────────────────────┐
974 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
975 ├─────────────────────────────┼─────────────────────────────┤
976 │Availability │SUNWypu │
977 ├─────────────────────────────┼─────────────────────────────┤
978 │Interface Stability │Obsolete │
979 └─────────────────────────────┴─────────────────────────────┘
980
982 inityp2l(1M), makedbm(1M), ypserv(1M), ber_printf(3LDAP), sprintf(3C),
983 sscanf(3C), NIS+LDAPmapping(4), ypserv(4), attributes(5)
984
985
986 System Administration Guide: Naming and Directory Services (DNS, NIS,
987 and LDAP)
988
989
990
991SunOS 5.11 29 Mar 2006 NISLDAPmapping(4)