unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

ypserv(4)                        File Formats                        ypserv(4)



NAME
       ypserv - configuration file for NIS to LDAP transition daemons

SYNOPSIS
       /etc/default/ypserv

DESCRIPTION
       The  ypserv file specifies configuration information for the ypserv(1M)
       daemon. Configuration information can come from LDAP or be specified in
       the ypserv file.

       You  can  create  a  simple  ypserv  file by running inityp2l(1M).  The
       ypserv file can then be customized as required.

       A related NISLDAPmapping file contains mapping  information  that  con-
       verts NIS entries into LDAP entries. See the NISLDAPmapping(4) man page
       for an overview of the setup that is needed to map NIS data to or  from
       LDAP.

EXTENDED DESCRIPTION
       The  ypserv(1M)  server  recognizes  the attributes that follow. Values
       specified for these attributes in the ypserv file, including any  empty
       values,  override  values  that  are  obtained  from LDAP. However, the
       nisLDAPconfig* values are read from the ypserv file only

   Attributes
       The following are attributes that are used for initial configuration.

       nisLDAPconfigDN

           The DN for configuration information. If nisLDAPconfigDN is  empty,
           all other nisLDAPConfig* values are ignored.



       nisLDAPconfigPreferredServerList

           The list of servers to use for the configuration phase. There is no
           default value. The following is an example of a value for  nisLDAP-
           configPreferredServerList:


           nisLDAPconfigPreferredServerList=127.0.0.1:389



       nisLDAPconfigAuthenticationMethod

           The authentication method used to obtain the configuration informa-
           tion. The recognized values  for  nisLDAPconfigAuthenticationMethod
           are:


           none                    No authentication attempted




           simple                  Password of proxy user sent in the clear to
                                   the LDAP server



           sasl/cram-md5           Use  SASL/CRAM-MD5   authentication.   This
                                   authentication  method may not be supported
                                   by all LDAP servers.  A  password  must  be
                                   supplied.



           sasl/digest-md5         Use   SASL/DIGEST-MD5  authentication.  The
                                   SASL/CRAM-MD5authentication method may  not
                                   be  supported  by all LDAP servers. A pass-
                                   word must be supplied.


           nisLDAPconfigAuthenticationMethod has no default value. The follow-
           ing is an example of a value for nisLDAPconfigAuthenticationMethod:


           nisLDAPconfigAuthenticationMethod=simple


       nisLDAPconfigTLS

           The transport layer security used for the connection to the server.
           The recognized values are:


           none            No encryption of transport layer data. The  default
                           value is none.




           ssl             SSL  encryption of transport layer data. A certifi-
                           cate is required.


           Export and import control restrictions might limit the availability
           of transport layer security.


       nisLDAPconfigTLSCertificateDBPath

           The  name  of the directory that contains the certificate database.
           The default path is /var/yp.



       nisLDAPconfigProxyUser

           The proxy user used to obtain configuration  information.  nisLDAP-
           configProxyUser  has  no  default  value.  If the value ends with a
           comma, the value of the nisLDAPconfigDN attribute is appended.  For
           example:


           nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,



       nisLDAPconfigProxyPassword

           The  password  that  should  be supplied to LDAP for the proxy user
           when the authentication method requires one. To avoid exposing this
           password  publicly  on the machine, the password should only appear
           in the configuration file, and the file should have an  appropriate
           owner,  group,  and  file  mode.  nisLDAPconfigProxyPassword has no
           default value.



       The following are attributes used for data retrieval.  The object class
       name used for these attributes is nisLDAPconfig.

       preferredServerList

           The list of servers to use to read or to write mapped NIS data from
           or to LDAP. preferredServerList has no default value. For example:


           preferredServerList=127.0.0.1:389



       authenticationMethod

           The authentication method to use to read or  to  write  mapped  NIS
           data  from or to LDAP. For recognized values, see the LDAPconfigAu-
           thenticationMethod attribute. authenticationMethod has  no  default
           value. For example:


           authenticationMethod=simple



       nisLDAPTLS

           The  transport  layer  security to use to read or to write NIS data
           from or to LDAP.  For recognized values, see  the  nisLDAPconfigTLS
           attribute.   The  default  value is none. Export and import control
           restrictions might limit the availability of transport layer  secu-
           rity.



       nisLDAPTLSCertificateDBPath

           The  name  of  the  directory that contains the certificate DB. For
           recognized and default values for nisLDAPTLSCertificateDBPath,  see
           the nisLDAPconfigTLSCertificateDBPath attribute.



       nisLDAPproxyUser

           Proxy user used by ypserv(1M), ypxfrd(1M) and yppasswdd(1M) to read
           or to write from or to LDAP. Assumed to have the  appropriate  per-
           mission to read and modify LDAP data. There is no default value. If
           the value ends in a comma, the value of the context for the current
           domain,   as   defined  by  a  nisLDAPdomainContext  attribute,  is
           appended. See NISLDAPmapping(4). For example:


           nisLDAPproxyUser=cn=nisAdmin,ou=People,



       nisLDAPproxyPassword

           The password that should be supplied to LDAP  for  the  proxy  user
           when  the authentication method so requires. To avoid exposing this
           password publicly on the machine, the password should  only  appear
           in  the  configuration  file, and the file must have an appropriate
           owner, group, and file mode. nisLDAPproxyPassword  has  no  default
           value.



       nisLDAPsearchTimeout

           Establishes  the timeout for the LDAP search operation. The default
           value for nisLDAPsearchTimeout is 180 seconds.



       nisLDAPbindTimeout
       nisLDAPmodifyTimeout
       nisLDAPaddTimeout
       nisLDAPdeleteTimeout

           Establish timeouts for LDAP bind, modify, add,  and  delete  opera-
           tions,  respectively.   The  default  value  is 15 seconds for each
           attribute. Decimal values are allowed.






       nisLDAPsearchTimeLimit

           Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests
           a  time  limit  for  the  search  operation on the LDAP server. The
           server may impose its own constraints on possible values. See  your
           LDAP  server documentation. The default is the nisLDAPsearchTimeout
           value. Only integer values are allowed.

           Since the nisLDAPsearchTimeout limits the amount of time the client
           ypserv  will  wait for completion of a search operation, do not set
           the value  of  nisLDAPsearchTimeLimit  larger  than  the  value  of
           nisLDAPsearchTimeout.



       nisLDAPsearchSizeLimit

           Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests
           a size limit, in bytes, for the search results on the LDAP  server.
           The  server  may impose its own constraints on possible values. See
           your   LDAP   server   documentation.   The   default   value   for
           nisLDAPsearchSizeLimit  is  zero,  which  means  the  size limit is
           unlimited. Only integer values are allowed.



       nisLDAPfollowReferral

           Determines if the ypserv should follow referrals or not. Recognized
           values  for nisLDAPfollowReferral are yes and no. The default value
           for nisLDAPfollowReferral is no.



       The following attributes specify the action to be taken when some event
       occurs. The values are all of the form event=action. The default action
       is the first one listed for each event.

       nisLDAPretrieveErrorAction

           If an error occurs while trying to retrieve an entry from LDAP, one
           of the following actions can be selected:


           use_cached      Retry the retrieval the number of time specified by
                           nisLDAPretrieveErrorAttempts, with  the  nisLDAPre-
                           trieveErrorTimeout   value   controlling  the  wait
                           between each attempt.

                           If all attempts fail, then a warning is logged  and
                           the value currently in the cache is returned to the
                           client.




           fail            Proceed as for  use_cached,  but  if  all  attempts
                           fail,  a  YPERR_YPERR  error  is  returned  to  the
                           client.



       nisLDAPretrieveErrorAttempts

           The number of times a failed  retrieval  should  be  retried.   The
           default value for nisLDAPretrieveErrorAttempts is unlimited.  While
           retries are made the ypserv daemon will be prevented from servicing
           further  requests .nisLDAPretrieveErrorAttempts values other than 1
           should be used with caution.



       nisLDAPretrieveErrorTimeout

           The timeout in seconds between each new attempt  to  retrieve  LDAP
           data.  The default value for nisLDAPretrieveErrorTimeout is 15 sec-
           onds.



       nisLDAPstoreErrorAction

           An error occurred while trying to store data to  the  LDAP  reposi-
           tory.


           retry           Retry   operation  nisLDAPstoreErrorAttempts  times
                           with nisLDAPstoreErrorTimeout seconds between  each
                           attempt.  While  retries  are  made, the NIS daemon
                           will be prevented from servicing further  requests.
                           Use with caution.




           fail            Return YPERR_YPERR error to the client.



       nisLDAPstoreErrorAttempts

           The  number  of  times a failed attempt to store should be retried.
           The default value for nisLDAPstoreErrorAttempts is unlimited.   The
           value  for  nisLDAPstoreErrorAttempts  is  ignored  unless nisLDAP-
           storeErrorAction=retry.



       nisLDAPstoreErrortimeout

           The timeout, in seconds, between each new  attempt  to  store  LDAP
           data.   The  default  value for nisLDAPstoreErrortimeout is 15 sec-
           onds.   The  nisLDAPstoreErrortimeout  value  is   ignored   unless
           nisLDAPstoreErrorAction=retry.



   Storing Configuration Attributes in LDAP
       Most  attributes described on this man page, as well as those described
       on NISLDAPmapping(4), can be stored in LDAP. In order  to  do  so,  you
       will  need  to add the following definitions to your LDAP server, which
       are described here in LDIF format suitable for use by ldapadd(1).   The
       attribute and objectclass OIDs are examples only.

       dn: cn=schema
       changetype: modify
       add: attributetypes
       attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \
                 DESC 'Preferred LDAP server host addresses used by DUA' \
                 EQUALITY caseIgnoreMatch           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
       attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
                 DESC 'Authentication method used to contact the DSA' \
                 EQUALITY caseIgnoreMatch           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

       dn: cn=schema
            changetype: modify
            add: attributetypes
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
                      NAME 'nisLDAPTLS' \
                      DESC 'Transport Layer Security' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \
                      NAME 'nisLDAPTLSCertificateDBPath' \
                      DESC 'Certificate file' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
                      NAME 'nisLDAPproxyUser' \
                      DESC 'Proxy user for data store/retrieval' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \
                      NAME 'nisLDAPproxyPassword' \
                      DESC 'Password/key/shared secret for proxy user' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \
                      NAME 'nisLDAPretrieveErrorAction' \
                      DESC 'Action following an LDAP search error' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \
                      NAME 'nisLDAPretrieveErrorAttempts' \
                      DESC 'Number of times to retry an LDAP search' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \
                      NAME 'nisLDAPretrieveErrorTimeout' \
                      DESC 'Timeout between each search attempt' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \
                      NAME 'nisLDAPstoreErrorAction' \
                      DESC 'Action following an LDAP store error' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \
                      NAME 'nisLDAPstoreErrorAttempts' \
                      DESC 'Number of times to retry an LDAP store' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \
                      NAME 'nisLDAPstoreErrorTimeout' \
                      DESC 'Timeout between each store attempt' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \
                      NAME 'nisLDAPdomainContext' \
                      DESC 'Context for a single domain' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \
                      NAME 'nisLDAPyppasswddDomains' \
                      DESC 'List of domains for which password changes are made' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \
                      NAME 'nisLDAPdatabaseIdMapping' \
                      DESC 'Defines a database id for a NIS object' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \
                      NAME 'nisLDAPentryTtl' \
                      DESC 'TTL for cached objects derived from LDAP' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \
                      NAME 'nisLDAPobjectDN' \
                      DESC 'Location in LDAP tree where NIS data is stored' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 ) \
                      NAME 'nisLDAPnameFields' \
                      DESC 'Rules for breaking NIS entries into fields' \e
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 ) \
                      NAME 'nisLDAPsplitFields' \
                      DESC 'Rules for breaking fields into sub fields' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \
                      NAME 'nisLDAPattributeFromField' \
                      DESC 'Rules for mapping fields to LDAP attributes' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \
                      NAME 'nisLDAPfieldFromAttribute' \
                      DESC 'Rules for mapping fields to LDAP attributes' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \
                      NAME 'nisLDAPrepeatedFieldSeparators' \
                      DESC 'Rules for mapping fields to LDAP attributes' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \
                      NAME 'nisLDAPcommentChar' \
                      DESC 'Rules for mapping fields to LDAP attributes' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \
                      NAME 'nisLDAPmapFlags' \
                      DESC 'Rules for mapping fields to LDAP attributes' \
                      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

            dn: cn=schema
            changetype: modify
            add: objectclasses
            objectclasses:  ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
                      DESC 'NIS/LDAP mapping configuration' \
                      SUP top STRUCTURAL \
                      MAY ( cn $ preferredServerList $
                        authenticationMethod $ nisLDAPTLS $
                        nisLDAPTLSCertificateDBPath $
                        nisLDAPproxyUser $ nisLDAPproxyPassword $
                        nisLDAPretrieveErrorAction $
                        nisLDAPretrieveErrorAttempts $
                        nisLDAPretrieveErrorTimeout $
                        nisLDAPstoreErrorAction $
                        nisLDAPstoreErrorAttempts $
                        nisLDAPstoreErrorTimeout $
                        nisLDAPdomainContext $
                        nisLDAPyppasswddDomains $
                        nisLDAPdatabaseIdMapping $
                        nisLDAPentryTtl $
                        nisLDAPobjectDN $
                        nisLDAPnameFields $
                        nisLDAPsplitFields $
                        nisLDAPattributeFromField $
                        nisLDAPfieldFromAttribute $
                        nisLDAPrepeatedFieldSeparators $
                        nisLDAPcommentChar $
                        nisLDAPmapFlags ) )


       Create  a  file  containing  the  following  LDIF data. Substitute your
       actual nisLDAPconfigDN for configDN:

       dn: configDN
       objectClass: top
       objectClass: nisLDAPconfig


       Use this file as input to the ldapadd(1) command in order to create the
       NIS to LDAP configuration entry. Initially, the entry is empty. You can
       use the ldapmodify(1) command to add configuration attributes.

EXAMPLES
       Example 1: Creating a NIS to LDAP Configuration Entry

       To set the server list to port 389 on 127.0.0.1, create  the  following
       file and use it as input to ldapmodify(1):

       dn: configDN
       preferredServerList: 127.0.0.1:389


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()     allbox;     cw(2.750000i)|    cw(2.750000i)    lw(2.750000i)|
       lw(2.750000i).   ATTRIBUTE  TYPEATTRIBUTE   VALUE   AvailabilitySUNWypu
       Interface StabilityObsolete


SEE ALSO
       ldapadd(1),  ldapmodify(1),  inityp2l(1M),  yppasswdd(1M),  ypserv(1M),
       ypxfrd(1M), NIS+LDAPmapping(4), attributes(5)

       System Administration Guide: Naming and Directory Services  (DNS,  NIS,
       and LDAP)



SunOS 5.10                        9 Aug 2004                         ypserv(4)