ypserv(4)                        File Formats                        ypserv(4)



NAME
     ypserv - configuration file for NIS to LDAP transition daemons

SYNOPSIS
     /etc/default/ypserv


DESCRIPTION
     The ypserv file specifies configuration information for the ypserv(1M)
     daemon. Configuration information can come from LDAP or be specified in
     the ypserv file.


     You can create a simple ypserv file by running inityp2l(1M). The ypserv
     file can then be customized as required.


     A related NISLDAPmapping file contains mapping information that
     converts NIS entries into LDAP entries. See the NISLDAPmapping(4) man
     page for an overview of the setup that is needed to map NIS data to or
     from LDAP.
     The ypserv(1M) server recognizes the attributes that follow. Values
     specified for these attributes in the ypserv file, including any empty
     values, override values that are obtained from LDAP. However, the
     nisLDAPconfig* values are read from the ypserv file only: they describe
     how to reach the directory in the first place, so they cannot
     themselves be fetched from it.

  Attributes
     The following are attributes that are used for initial configuration.

     nisLDAPconfigDN

         The DN for configuration information. If nisLDAPconfigDN is empty,
         all other nisLDAPconfig* values are ignored.


     nisLDAPconfigPreferredServerList

         The list of servers to use for the configuration phase. There is no
         default value. The following is an example of a value for
         nisLDAPconfigPreferredServerList:

         nisLDAPconfigPreferredServerList=127.0.0.1:389
     nisLDAPconfigAuthenticationMethod

         The authentication method used to obtain the configuration
         information. The recognized values for
         nisLDAPconfigAuthenticationMethod are:

         none              No authentication attempted (anonymous bind)


         simple            Password of the proxy user sent in the clear to
                           the LDAP server. Use it only together with
                           nisLDAPconfigTLS=ssl, so that the password is
                           protected on the wire.


         sasl/cram-md5     Use SASL/CRAM-MD5 authentication. This
                           authentication method may not be supported by
                           all LDAP servers. A password must be supplied.


         sasl/digest-md5   Use SASL/DIGEST-MD5 authentication. The
                           SASL/DIGEST-MD5 authentication method may not be
                           supported by all LDAP servers. A password must
                           be supplied.

         nisLDAPconfigAuthenticationMethod has no default value. The
         following is an example of a value for
         nisLDAPconfigAuthenticationMethod:

         nisLDAPconfigAuthenticationMethod=simple
     nisLDAPconfigTLS

         The transport layer security used for the connection to the server.
         The recognized values are:

         none    No encryption of transport layer data. The default value is
                 none.


         ssl     SSL encryption of transport layer data. A certificate is
                 required: the certificate database named by
                 nisLDAPconfigTLSCertificateDBPath must hold the certificate
                 used to validate the server.

         Export and import control restrictions might limit the availability
         of transport layer security.


     nisLDAPconfigTLSCertificateDBPath

         The name of the directory that contains the certificate database.
         The default path is /var/yp.


     nisLDAPconfigProxyUser

         The proxy user used to obtain configuration information.
         nisLDAPconfigProxyUser has no default value. If the value ends with
         a comma, the value of the nisLDAPconfigDN attribute is appended. For
         example:

         nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,


     nisLDAPconfigProxyPassword

         The password that should be supplied to LDAP for the proxy user
         when the authentication method requires one. To avoid exposing this
         password publicly on the machine, the password should only appear
         in the configuration file, and the file should have an appropriate
         owner, group, and file mode: owned by root and not readable by
         other users. nisLDAPconfigProxyPassword has no default value.
     The following are attributes used for data retrieval. The object class
     name used for these attributes is nisLDAPconfig.

     preferredServerList

         The list of servers to use to read or to write mapped NIS data from
         or to LDAP. preferredServerList has no default value. For example:

         preferredServerList=127.0.0.1:389


     authenticationMethod

         The authentication method to use to read or to write mapped NIS
         data from or to LDAP. For recognized values, see the
         nisLDAPconfigAuthenticationMethod attribute. authenticationMethod
         has no default value. For example:

         authenticationMethod=simple


     nisLDAPTLS

         The transport layer security to use to read or to write NIS data
         from or to LDAP. For recognized values, see the nisLDAPconfigTLS
         attribute. The default value is none. Export and import control
         restrictions might limit the availability of transport layer
         security.


     nisLDAPTLSCertificateDBPath

         The name of the directory that contains the certificate DB. For
         recognized and default values for nisLDAPTLSCertificateDBPath, see
         the nisLDAPconfigTLSCertificateDBPath attribute.


     nisLDAPproxyUser

         Proxy user used by ypserv(1M), ypxfrd(1M) and yppasswdd(1M) to read
         or to write from or to LDAP. Assumed to have the appropriate
         permission to read and modify LDAP data; grant it no more than the
         mapped containers require. There is no default value. If the value
         ends in a comma, the value of the context for the current domain,
         as defined by a nisLDAPdomainContext attribute, is appended. See
         NISLDAPmapping(4). For example:

         nisLDAPproxyUser=cn=nisAdmin,ou=People,


     nisLDAPproxyPassword

         The password that should be supplied to LDAP for the proxy user
         when the authentication method so requires. To avoid exposing this
         password publicly on the machine, the password should only appear
         in the configuration file, and the file must have an appropriate
         owner, group, and file mode. nisLDAPproxyPassword has no default
         value.
     nisLDAPsearchTimeout

         Establishes the timeout for the LDAP search operation. The default
         value for nisLDAPsearchTimeout is 180 seconds.


     nisLDAPbindTimeout
     nisLDAPmodifyTimeout
     nisLDAPaddTimeout
     nisLDAPdeleteTimeout

         Establish timeouts for LDAP bind, modify, add, and delete
         operations, respectively. The default value is 15 seconds for each
         attribute. Decimal values are allowed.


     nisLDAPsearchTimeLimit

         Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests
         a time limit for the search operation on the LDAP server. The
         server may impose its own constraints on possible values. See your
         LDAP server documentation. The default is the nisLDAPsearchTimeout
         value. Only integer values are allowed.

         Since nisLDAPsearchTimeout limits the amount of time the ypserv
         client will wait for completion of a search operation, do not set
         the value of nisLDAPsearchTimeLimit larger than the value of
         nisLDAPsearchTimeout; the client would give up before the server
         does.


     nisLDAPsearchSizeLimit

         Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests
         a limit on the number of entries returned for a search on the LDAP
         server. The server may impose its own constraints on possible
         values. See your LDAP server documentation. The default value for
         nisLDAPsearchSizeLimit is zero, which means the size limit is
         unlimited. Only integer values are allowed.


     nisLDAPfollowReferral

         Determines if ypserv should follow referrals or not. Recognized
         values for nisLDAPfollowReferral are yes and no. The default value
         for nisLDAPfollowReferral is no.
     The following attributes specify the action to be taken when some event
     occurs. The values are all of the form event=action. The default action
     is the first one listed for each event.

     nisLDAPretrieveErrorAction

         If an error occurs while trying to retrieve an entry from LDAP, one
         of the following actions can be selected:

         use_cached   Retry the retrieval the number of times specified by
                      nisLDAPretrieveErrorAttempts, with the
                      nisLDAPretrieveErrorTimeout value controlling the
                      wait between each attempt.

                      If all attempts fail, then a warning is logged and
                      the value currently in the cache is returned to the
                      client.


         fail         Proceed as for use_cached, but if all attempts fail,
                      a YPERR_YPERR error is returned to the client.


     nisLDAPretrieveErrorAttempts

         The number of times a failed retrieval should be retried. The
         default value for nisLDAPretrieveErrorAttempts is unlimited. While
         retries are made, the ypserv daemon is prevented from servicing
         further requests, so an unreachable LDAP server can stall NIS
         service for every client. nisLDAPretrieveErrorAttempts values
         other than 1 should be used with caution.


     nisLDAPretrieveErrorTimeout

         The timeout in seconds between each new attempt to retrieve LDAP
         data. The default value for nisLDAPretrieveErrorTimeout is 15
         seconds.


     nisLDAPstoreErrorAction

         If an error occurs while trying to store data to the LDAP
         repository, one of the following actions can be selected:

         retry   Retry the operation nisLDAPstoreErrorAttempts times with
                 nisLDAPstoreErrorTimeout seconds between each attempt.
                 While retries are made, the NIS daemon will be prevented
                 from servicing further requests. Use with caution.


         fail    Return a YPERR_YPERR error to the client.


     nisLDAPstoreErrorAttempts

         The number of times a failed attempt to store should be retried.
         The default value for nisLDAPstoreErrorAttempts is unlimited. The
         value for nisLDAPstoreErrorAttempts is ignored unless
         nisLDAPstoreErrorAction=retry.


     nisLDAPstoreErrorTimeout

         The timeout, in seconds, between each new attempt to store LDAP
         data. The default value for nisLDAPstoreErrorTimeout is 15 seconds.
         The nisLDAPstoreErrorTimeout value is ignored unless
         nisLDAPstoreErrorAction=retry.

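     The cautions given for the attributes above (a simple bind without
     nisLDAPconfigTLS=ssl or nisLDAPTLS=ssl, a proxy password in a file that
     other users can read, nisLDAPsearchTimeLimit larger than
     nisLDAPsearchTimeout, and unlimited nisLDAPretrieveErrorAttempts) can
     be checked mechanically before ypserv is started. The POSIX sh script
     below is an added example and is not part of the Solaris ypserv
     distribution. It reads a file in the KEY=value form of
     /etc/default/ypserv, writes two constructed sample files (one weak, one
     hardened) to a temporary directory, and prints one line per weak
     setting. The function names cfg_get, audit_ypserv and write_samples and
     the sample values are the example's own.

```shell
#!/bin/sh
# Audit an /etc/default/ypserv-style file for the weak settings this man
# page warns about. Added example, not part of the Solaris ypserv
# distribution; needs only POSIX sh, sed, tail, ls and cut.

# cfg_get FILE KEY: print the value of the last KEY=value line (empty if unset).
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_ypserv FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_ypserv() {
    f=$1
    findings=0
    # A proxy password in the file is only acceptable if others cannot read it.
    if [ -n "$(cfg_get "$f" nisLDAPconfigProxyPassword)$(cfg_get "$f" nisLDAPproxyPassword)" ]; then
        other=$(ls -ld "$f" | cut -c8-10)            # the "other" rwx bits
        if [ "$other" != "---" ]; then
            echo "$f: proxy password stored but file mode grants others '$other'"
            findings=$((findings + 1))
        fi
    fi
    # The configuration phase and the data phase each have an auth/TLS pair.
    for pair in nisLDAPconfigAuthenticationMethod:nisLDAPconfigTLS \
                authenticationMethod:nisLDAPTLS; do
        akey=${pair%%:*}
        tkey=${pair##*:}
        auth=$(cfg_get "$f" "$akey")
        tls=$(cfg_get "$f" "$tkey")
        [ -z "$tls" ] && tls=none                     # documented default
        case $auth in
            "") ;;                                    # not configured here
            none)
                echo "$f: $akey=none, ypserv binds to LDAP anonymously"
                findings=$((findings + 1)) ;;
            simple)
                if [ "$tls" != ssl ]; then
                    echo "$f: $akey=simple with $tkey=$tls sends the proxy password in the clear"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # The client-side search timeout caps the server-side time limit.
    timeout=$(cfg_get "$f" nisLDAPsearchTimeout)
    timeout=${timeout:-180}
    timeout=${timeout%%.*}                            # whole seconds only
    limit=$(cfg_get "$f" nisLDAPsearchTimeLimit)
    limit=${limit:-$timeout}
    if [ "$limit" -gt "$timeout" ]; then
        echo "$f: nisLDAPsearchTimeLimit=$limit exceeds nisLDAPsearchTimeout=$timeout"
        findings=$((findings + 1))
    fi
    # Unlimited retries stall ypserv for every other client while LDAP is down.
    attempts=$(cfg_get "$f" nisLDAPretrieveErrorAttempts)
    if [ "$attempts" != 1 ]; then
        echo "$f: nisLDAPretrieveErrorAttempts=${attempts:-unlimited} blocks ypserv while retrying"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_samples DIR: write two constructed sample files, weak and hardened.
write_samples() {
    mkdir -p "$1"
    cat > "$1/weak" <<'EOF'
preferredServerList=127.0.0.1:389
authenticationMethod=simple
nisLDAPTLS=none
nisLDAPproxyUser=cn=nisAdmin,ou=People,
nisLDAPproxyPassword=nisSecret
nisLDAPsearchTimeout=60
nisLDAPsearchTimeLimit=120
EOF
    chmod 644 "$1/weak"
    cat > "$1/hardened" <<'EOF'
preferredServerList=127.0.0.1:636
authenticationMethod=simple
nisLDAPTLS=ssl
nisLDAPTLSCertificateDBPath=/var/yp
nisLDAPproxyUser=cn=nisAdmin,ou=People,
nisLDAPproxyPassword=nisSecret
nisLDAPsearchTimeout=60
nisLDAPsearchTimeLimit=60
nisLDAPretrieveErrorAttempts=1
EOF
    chmod 600 "$1/hardened"
}

dir=${TMPDIR:-/tmp}/ypserv-audit.$$
write_samples "$dir"
audit_ypserv "$dir/weak" || echo "$dir/weak: weak settings listed above"
audit_ypserv "$dir/hardened" && echo "$dir/hardened: clean"
rm -rf "$dir"
```

     Run it against the real file with audit_ypserv /etc/default/ypserv; a
     non-zero exit status means at least one finding. The script checks only
     what this page documents, so an attribute it does not know about is
     silently ignored rather than reported.
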
  Storing Configuration Attributes in LDAP
     Most attributes described on this man page, as well as those described
     on NISLDAPmapping(4), can be stored in LDAP. In order to do so, you
     will need to add the following definitions to your LDAP server, which
     are described here in LDIF format suitable for use by ldapadd(1). The
     attribute and objectclass OIDs are examples only; before loading the
     schema, replace them with OIDs from an arc you control and make sure
     each one is unique in your directory. Long definitions are folded as
     described in RFC 2849: a continuation line starts with a space, which
     the LDIF parser strips before joining the line to the previous one.
     When you copy the text out of this page, remove the page indentation
     but keep the extra indentation of the continuation lines.

     dn: cn=schema
     changetype: modify
     add: attributetypes
     attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
       DESC 'Preferred LDAP server host addresses used by DUA'
       EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
       DESC 'Authentication method used to contact the DSA'
       EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

     dn: cn=schema
     changetype: modify
     add: attributetypes
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0
       NAME 'nisLDAPTLS'
       DESC 'Transport Layer Security'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1
       NAME 'nisLDAPTLSCertificateDBPath'
       DESC 'Certificate database directory'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2
       NAME 'nisLDAPproxyUser'
       DESC 'Proxy user for data store/retrieval'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3
       NAME 'nisLDAPproxyPassword'
       DESC 'Password/key/shared secret for proxy user'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6
       NAME 'nisLDAPretrieveErrorAction'
       DESC 'Action following an LDAP search error'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7
       NAME 'nisLDAPretrieveErrorAttempts'
       DESC 'Number of times to retry an LDAP search'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8
       NAME 'nisLDAPretrieveErrorTimeout'
       DESC 'Timeout between each search attempt'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9
       NAME 'nisLDAPstoreErrorAction'
       DESC 'Action following an LDAP store error'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10
       NAME 'nisLDAPstoreErrorAttempts'
       DESC 'Number of times to retry an LDAP store'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11
       NAME 'nisLDAPstoreErrorTimeout'
       DESC 'Timeout between each store attempt'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12
       NAME 'nisLDAPdomainContext'
       DESC 'Context for a single domain'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13
       NAME 'nisLDAPyppasswddDomains'
       DESC 'List of domains for which password changes are made'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14
       NAME 'nisLDAPdatabaseIdMapping'
       DESC 'Defines a database id for a NIS object'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15
       NAME 'nisLDAPentryTtl'
       DESC 'TTL for cached objects derived from LDAP'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16
       NAME 'nisLDAPobjectDN'
       DESC 'Location in LDAP tree where NIS data is stored'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17
       NAME 'nisLDAPnameFields'
       DESC 'Rules for breaking NIS entries into fields'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18
       NAME 'nisLDAPsplitFields'
       DESC 'Rules for breaking fields into sub fields'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19
       NAME 'nisLDAPattributeFromField'
       DESC 'Rules for mapping fields to LDAP attributes'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20
       NAME 'nisLDAPfieldFromAttribute'
       DESC 'Rules for mapping LDAP attributes to fields'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21
       NAME 'nisLDAPrepeatedFieldSeparators'
       DESC 'Separators for repeated fields'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22
       NAME 'nisLDAPcommentChar'
       DESC 'Comment character for a NIS map'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
     attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23
       NAME 'nisLDAPmapFlags'
       DESC 'Flags controlling how a NIS map is handled'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

     dn: cn=schema
     changetype: modify
     add: objectclasses
     objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig'
       DESC 'NIS/LDAP mapping configuration'
       SUP top STRUCTURAL
       MAY ( cn $ preferredServerList $
       authenticationMethod $ nisLDAPTLS $
       nisLDAPTLSCertificateDBPath $
       nisLDAPproxyUser $ nisLDAPproxyPassword $
       nisLDAPretrieveErrorAction $
       nisLDAPretrieveErrorAttempts $
       nisLDAPretrieveErrorTimeout $
       nisLDAPstoreErrorAction $
       nisLDAPstoreErrorAttempts $
       nisLDAPstoreErrorTimeout $
       nisLDAPdomainContext $
       nisLDAPyppasswddDomains $
       nisLDAPdatabaseIdMapping $
       nisLDAPentryTtl $
       nisLDAPobjectDN $
       nisLDAPnameFields $
       nisLDAPsplitFields $
       nisLDAPattributeFromField $
       nisLDAPfieldFromAttribute $
       nisLDAPrepeatedFieldSeparators $
       nisLDAPcommentChar $
       nisLDAPmapFlags ) )



     Create a file containing the following LDIF data. Substitute your
     actual nisLDAPconfigDN for configDN:

     dn: configDN
     objectClass: top
     objectClass: nisLDAPconfig



     Use this file as input to the ldapadd(1) command in order to create the
     NIS to LDAP configuration entry. Initially, the entry is empty. You can
     use the ldapmodify(1) command to add configuration attributes. If you
     store nisLDAPproxyPassword in this entry, restrict read access to the
     entry with the directory server's access controls: anyone who can read
     it can bind as the proxy user.

EXAMPLES
     Example 1 Creating a NIS to LDAP Configuration Entry


     To set the server list to port 389 on 127.0.0.1, create the following
     file and use it as input to ldapmodify(1):


     dn: configDN
     changetype: modify
     replace: preferredServerList
     preferredServerList: 127.0.0.1:389

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:




     ┌─────────────────────────────┬─────────────────────────────┐
     │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWypu                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Obsolete                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     ldapadd(1), ldapmodify(1), inityp2l(1M), yppasswdd(1M), ypserv(1M),
     ypxfrd(1M), NISLDAPmapping(4), attributes(5)


     System Administration Guide: Naming and Directory Services (DNS, NIS,
     and LDAP)



SunOS 5.11                       9 Aug 2004                        ypserv(4)