Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (Debian-5.0)
Apropos / Subsearch:
optional field

nss_ldap(5)                   File Formats Manual                  nss_ldap(5)

       nss_ldap - LDAP nameservice provider

       The nss_ldap module is a set of C library extensions which allows X.500
       and LDAP directory servers to be used as a primary source of name  ser-
       vice  information.  (Name service information typically includes users,
       hosts, groups, and other such data historically stored in flat files or

       Features  of  the PADL nss_ldap module include support for both the RFC
       2307 and RFC 2307bis schema, a common  implementation  across  multiple
       platforms,  Kerberos and SSL security, configurable schema mapping, and
       configuration file compatibility with the pam_ldap(5) module.

       Because LDAP is a hierarchical directory service,  one  can  distribute
       the  information  in  a manner which reflects organizational structure.
       This contrasts with the flat, single domain policy  of  NIS.  LDAP  has
       many  of  the advantages of NIS+ (security and scalability) without the

       nss_ldap will work alongside existing NIS, NIS+, DNS and flat file name
       services.  More  importantly, because it builds as a shared library, it
       is not necessary to recompile any applications  to  take  advantage  of

       The  present  version of nss_ldap supports AIX 4.3.3 and above, FreeBSD
       5.1, HP-UX 11i, Linux and Solaris 2.6 and above. Many  vendors  provide
       their  own LDAP nameservice providers, often also called nss_ldap. This
       manual page applies to the PADL nss_ldap module only. If you are  using
       a vendor provided module, consult the relevant documentation instead.

       The features supported by the version of nss_ldap depend on which flags
       were enabled when the software was built. Most features are enabled  in
       the  configuration file, described below. (The location of the configu-
       ration file is configurable  at  compile  time;  the  default  path  is
       /etc/libnss-ldap.conf.)  Also, some features may be unavailable on cer-
       tain operating systems or with certain LDAP libraries. For more  infor-
       mation, consult your vendor.

       nss_ldap  stores  its configuration in the ldap.conf file, the location
       of which is configurable at compile time.  (It  should  be  noted  that
       some  LDAP client libraries, such as OpenLDAP, also use a configuration
       file of the same name.  nss_ldap supports many of the  same  configura-
       tion file options as OpenLDAP, but it adds several that are specific to
       the functionality it provides.  Additionally, it is not guaranteed that
       nss_ldap  will  continue  to  match the configuration file semantics of
       OpenLDAP.  You may wish to use different files.)

       Configuration file options consist of a keyword followed by a space and
       any arguments. The following options are supported by both nss_ldap and
       the PADL pam_ldap module:

       host <&lt;name:port ...>&gt;
              Specifies the name(s) or IP address(es) of the LDAP server(s) to
              connect to. In the case that nss_ldap is used for host name res-
              olution, each server should be specified as  an  IP  address  or
              name  that can be resolved without using LDAP.  Multiple servers
              may be specified, each separated by a space.  The failover  time
              depends on whether the LDAP client library supports configurable
              network or connect timeouts (see bind_timelimit below).

       base <&lt;base>&gt;
              Specifies the default base distinguished name (DN)  to  use  for

       uri <&lt;ldap[is]://[name[:port]] ...>&gt;
              For  LDAP client libraries that support it, specifies the URI(s)
              of the LDAP server(s) to connect to. The URI scheme may be ldap,
              ldapi,  or  ldaps, specifying LDAP over TCP, IPC and SSL respec-
              tively. If applicable, a  port  number  can  be  specified;  the
              default  port  number for the selected protocol is used if omit-
              ted. This option takes precedence over the host  option;  it  is
              not possible to combine the two.

       ldap_version <&lt;version>&gt;
              Specifies  the  version  of  the LDAP protocol to use. Presently
              version must be 2 or 3. The default is to use the  maximum  ver-
              sion supported by the client library.

       binddn <&lt;binddn>&gt;
              Specifies  the  distinguished  name  with  which  to bind to the
              directory server(s). This option is optional; the default is  to
              bind anonymously.

       bindpw <&lt;bindpw>&gt;
              Specifies  the  cleartext  credentials  with which to bind. This
              option is only applicable  when  used  with  binddn  above.  The
              default  is  no credential (anonymous bind). When binding to the
              directory using SASL or other  authentication  mechanisms  apart
              from simple binds, this option is not used.

       rootbinddn <&lt;binddn>&gt;
              This  option has the same syntax and effect as the binddn option
              above, except it applies when the effective user ID is zero.  If
              not  specified,  then  the  identity specified in binddn is used
              instead. Because the configuration file may be readable by  many
              users,   the   root  bind  DN  credentials  are  stored  in  the
              ldap.secret file instead. This  file  is  usually  in  the  same
              directory as the configuration file.

       port <&lt;port>&gt;
              Specifies  the  port to connect to; this option is used with the
              host option, and is ignored with the uri option.

       scope <&lt;sub|one|base>&gt;
              Specifies the search scope (subtree, one level or base  object).
              The  default scope is subtree; base scope is almost never useful
              for nameservice lookups.

       deref <&lt;never|searching|finding|always>&gt;
              Specifies the policy for dereferencing aliases. The default pol-
              icy is to never dereference aliases.

       timelimit <&lt;timelimit>&gt;
              Specifies  the  time  limit  (in seconds) to use when performing
              searches. A value of zero (0), which is the default, is to  wait
              indefinitely for searches to be completed.

       bind_timelimit <&lt;timelimit>&gt;
              Specifies  the time limit (in seconds) to use when connecting to
              the directory server. This is distinct from the time limit spec-
              ified  in  timelimit  and  affects the initial server connection
              only. (Server connections are otherwise cached.) Only some  LDAP
              client  libraries have the underlying functionality necessary to
              support this option. The default bind timelimit is 30 seconds.

       referrals <&lt;yes|no>&gt;
              Specifies whether automatic referral chasing should be  enabled.
              The default behaviour is specifed by the LDAP client library.

       restart <&lt;yes|no>&gt;
              Specifies  whether  the  LDAP client library should restart the
              select(2) system call when interrupted. This feature is not sup-
              ported by all client libraries.

       logdir <&lt;directory>&gt;
              Specifies  the  directory  used  for  logging by the LDAP client
              library. This feature is not supported by all client libraries.

       debug <&lt;level>&gt;
              Specifies the debug level used for logging by  the  LDAP  client
              library.  This feature is not supported by all client libraries,
              and does not apply to the nss_ldap and  pam_ldap  modules  them-
              selves  (debugging, if any, is configured separately and usually
              at compile time).

       ssl <&lt;on|off|start_tls>&gt;
              Specifies whether to use SSL/TLS or not (the default is not to).
              If  start_tls is specified then StartTLS is used rather than raw
              LDAP over SSL.  Not all LDAP client libraries support  both  SSL
              and StartTLS, and all related configuration options.

       sslpath <&lt;cert7_path>&gt;
              For  the  Netscape  and Mozilla LDAP client libraries only, this
              specifies the path to the X.509 certificate database.

       tls_checkpeer <&lt;yes|no>&gt;
              Specifies whether to require and verify the  server  certificate
              or  not,  when  using  SSL/TLS with the OpenLDAP client library.
              The default is to  use  the  default  behaviour  of  the  client
              library;  for  OpenLDAP 2.0 and earlier it is "no", for OpenLDAP
              2.1 and later it is "yes". At least  one  of  tls_cacertdir  and
              tls_cacertfile is required if peer verification is enabled.

       tls_cacertdir <&lt;certificate_dir>&gt;
              Specifies  the  directory containing X.509 certificates for peer

       tls_cacertfile <&lt;certificate_file>&gt;
              Specifies the path to the X.509 certificate for peer authentica-

       tls_randfile <&lt;entropy_file>&gt;
              Specifies the path to an entropy source.

       tls_ciphers <&lt;ciphers>&gt;
              Specifies  the  ciphers to use for TLS. See your TLS implementa-
              tion's documentation for further information.

       tls_cert <&lt;certificate_file>&gt;
              Specifies the path to the file containing the local  certificate
              for client TLS authentication.

       tls_key <&lt;key_file>&gt;
              Specifies  the  path  to the file containing the private key for
              client TLS authentication.

       The following configuration options apply to nss_ldap only:

       bind_policy <&lt;hard_open|hard_init|soft>&gt;
              Specifies the policy to use for reconnecting to  an  unavailable
              LDAP server. The default is hard_open, which reconnects if open-
              ing the connection to the directory server failed. By  contrast,
              hard_init reconnects if initializing the connection failed. Ini-
              tializing may not actually contact the directory server, and  it
              is  possible  that  a  malformed configuration file will trigger
              reconnection. If soft is specified, then  nss_ldap  will  return
              immediately  on  server  failure.  All "hard" reconnect policies
              block with exponential backoff before retrying.

       nss_connect_policy <&lt;persist|oneshot>&gt;
              Determines whether nss_ldap persists connections. The default is
              for  the  connection to the LDAP server to remain open after the
              first request.

       idle_timelimit <&lt;timelimit>&gt;
              Specifies the time (in seconds) after which nss_ldap will  close
              connections  to the directory server. The default is not to time
              out connections.

       sasl_authid <&lt;authid>&gt;
              Specifies the authorization identity to be used when  performing
              SASL authentication.

       rootsasl_auth_id <&lt;authid>&gt;
              Specifies  the authorization identity to be used when performing
              SASL authentication as root  (when  the  effective  user  ID  is

       sasl_secprops <&lt;properties>&gt;
              Specifies  Cyrus  SASL  security  properties. Allowed values are
              described in the  ldap.conf(5) manual page.

       rootuse_sasl <&lt;yes|no>&gt;
              Specifies whether SASL authentication should be  used  when  the
              effective user ID is zero.

       krb5_ccname <&lt;PREFIX:args>&gt;
              If nss_ldap is built with configurable GSS-API credentials cache
              name support, specifies the Kerberos credentials cache to use.

       nss_paged_results <&lt;yes|no>&gt;
               Enables support for paged results.

       pagesize <&lt;pagesize>&gt;
              When paged results are enabled (see above), specifies the number
              of entries to return in a single page. The default is 1000.

       nss_base_<&lt;map>&gt; <&lt;basedn?scope?filter>&gt;
              Specify  the  search  base, scope and filter to be used for spe-
              cific maps. (Note that map forms part of the configuration  file
              keyword  and  is  one of passwd, shadow, group, hosts, services,
              networks, protocols, rpc, ethers, netmasks, bootparams,  aliases
              and  netgroup.)   The syntax of basedn and scope are the same as
              for the configuration file options of the same  name,  with  the
              addition  of  being able to omit the trailing suffix of the base
              DN (in which case the global base DN will be appended  instead).
              The  filter is a search filter to be added to the default search
              filter for a specific map, such that the effective filter is the
              logical  intersection  of the two. The base DN, scope and filter
              are separated with literal question marks (?)  as  given  above;
              this  is  for  compatibility  with the DUA configuration profile
              schema and the ldapprofile tool. This option  may  be  specified
              multiple times.

       nss_map_attribute <&lt;from_attribute>&gt; <&lt;to_attribute>&gt;
              This  option  may  be  specified  multiple  times,  and  directs
              nss_ldap to use the attribute to_attribute instead  of  the  RFC
              2307  attribute  from_attribute in all lookups.  If nss_ldap was
              built without  schema  mapping  support,  then  this  option  is

       nss_map_objectclass <&lt;from_objectclass>&gt; <&lt;to_objectclass>&gt;
              This  option  may  be  specified  multiple  times,  and  directs
              nss_ldap to use the object class to_objectclass instead  of  the
              RFC  2307  object  class  from_objectclass  in  all lookups.  If
              nss_ldap was built without schema  mapping  support,  then  this
              option is ignored.

       nss_default_attribute_value <&lt;attribute>&gt; <&lt;value>&gt;
              Specifies  the  default  value  to use for entries that lack the
              specified attribute.  This  option  may  be  specified  multiple
              times,  for different attributes.  If nss_ldap was built without
              schema mapping support, then this option is ignored.

       nss_override_attribute_value <&lt;attribute>&gt; <&lt;value>&gt;
              Specifies a value to use for the specified attribute in  prefer-
              ence  to  that contained in the actual entry. This option may be
              specified multiple times, for different attributes.  If nss_ldap
              was  built  without  schema mapping support, then this option is

       nss_schema <&lt;rfc2307bis|rfc2307>&gt;
              If the value of this option is  rfc2307bis then support for  the
              RFC2307bis  schema  (distinguished  names  in  groups)  will  be

       nss_initgroups <&lt;backlink>&gt;
              This option directs the nss_ldap implementation of initgroups(3)
              to  determine  a user's group membership by reading the memberOf
              attribute of their directory entry (and of any  nested  groups),
              rather than querying on uniqueMember. This may provide increased
              performance with certain directory servers  that  have  peculiar
              indexing  configurations.   If  RFC2307bis  support is disabled,
              then this option is ignored.

       nss_initgroups_ignoreusers <&lt;user1,user2,...,userN>&gt;
              This option directs the nss_ldap implementation of initgroups(3)
              to  return  NSS_STATUS_NOTFOUND if called with a listed users as
              its argument.

       nss_getgrent_skipmembers <&lt;yes|no>&gt;
              Specifies whether or not to populate the  members  list  in  the
              group  structure  for  group  lookups.  If very large groups are
              present, enabling this option will greatly increase  perforance,
              at  the  cost  of  some lost functionality. You should verify no
              local applications rely on this information before enabling this
              on a production system.

       nss_srv_domain <&lt;domain>&gt;
              This  option  determines  the DNS domain used for performing SRV

       The  nss_ldap  module  was  developed  by   PADL   Software   Pty   Ltd

       /etc/libnss-ldap.conf, /etc/libnss-ldap.secret, /etc/nsswitch.conf