MKSLAPDCONF(1)                   General Commands Manual                  MKSLAPDCONF(1)

NAME
       mkslapdconf - generate a configuration file for the LDAP server

SYNOPSIS
       mkslapdconf [ -r ]

DESCRIPTION
       mkslapdconf creates a configuration file suitable for the slapd(8) LDAP
       server, using the LDAP NetInfo bridge (back-netinfo). By default, it is
       invoked  in  local mode, in which a list of NetInfo domains to serve is
       determined by listing the valid databases in /var/db/netinfo.

       If the -r option is specified, then mkslapdconf  consults  the  NetInfo
       binder  daemon,  nibindd(8),  to list the NetInfo domains served by the
       local machine. In either case, a separate instance  of  the  bridge  is
       created for each domain (although they all share the same process).  In
       local mode, slapd(8) will access  the  NetInfo  database  directly;  in
       remote  mode,  it  will use the netinfo(3) client library to access the
       database via remote procedure calls (RPC).

       NetInfo has separate namespaces for domains  and  directories;  in  the
       X.500  information  model,  there is a single namespace.  NetInfo names
       are written most significant  component  to  least  significant;  X.500
       "distinguished"  names  are  usually written the other way. X.500 names
       are also case-insensitive.

       The mapping between NetInfo domains and X.500 names may  be  configured
       using  the  suffix  property in a specific host's /machines entry. Like
       the serves property, the suffix property determines the relative domain
       name  of  a  child  domain; its values must be ordered according to the
       serves property in each host entry. In the case of the  master  NetInfo
       server's host entry, the value of the suffix property at the same index
       as the "./tag" serves property will be used to  determine  the  distin-
       guished name for the root NetInfo domain.  In the absence of a specific
       mapping, the ou attribute type is used to construct a relative  distin-
       guished  name  from  the  NetInfo domain name. Note that in the present
       implementation, even if the NetInfo database is accessed directly,  the
       NetInfo  server  must still be running as the namespace is interrogated
       using NetInfo RPC.  See nicl(1) for more  information  on  how  NetInfo
       directory names are mapped to X.500 distinguished names.

       For example, the NetInfo entry /users/alice in the NetInfo domain
       /sales/polaris would be (with RFC 2307 schema mapping) by default
       mapped to the distinguished name

       mkslapdconf configures the LDAP bridge to apply traditional NetInfo
       authorization policies, as well as the native slapd(8) authorization
       model. If the current host is not the master for a NetInfo domain,
       the LDAP bridge is configured for read-only access.

       Referrals  are used to glue NetInfo domains together so that the search
       policy described in netinfo(5) is adhered to.  mkslapdconf configures a
       default  referral  for  the  immediate parent domain; child domains are
       handled by the bridge itself. The local domain is always aliased to the
       distinguished  name  dc=local, and (for one-level and subtree searches)
       the root (empty) DSE. A search with a base of  "dc=local"  or  ""  will
       consult the local NetInfo domain; search results will always be written
       relative to the canonical distinguished name for the domain, however.
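       The domain-to-X.500 name mapping (serves/suffix properties, ou= fallback,
       most-significant-first reversed to least-significant-first) and the
       dc=local alias described above, modelled as an added Python example. It is
       not part of mkslapdconf or Apple's code; the /machines entries, the root
       suffix dc=example,dc=com and the ou=polaris-site override are constructed
       sample data.

```python
# Added example, not part of mkslapdconf: model the default NetInfo domain
# -> X.500 name mapping (serves/suffix, ou= fallback) and the dc=local alias.

# Constructed sample data: /machines entries of two NetInfo domains, keyed by
# domain path.  Property values are lists; serves values are "name/tag".
MACHINES = {
    "/": [
        {"name": ["root-master"],
         "serves": ["./network", "sales/network"],
         # index 0 pairs with "./network": the root domain's DN
         "suffix": ["dc=example,dc=com"]},
    ],
    "/sales": [
        {"name": ["sales-master"],
         "serves": ["./network", "polaris/network"],
         # index 1 pairs with "polaris/network": explicit RDN for that child
         "suffix": ["ou=sales", "ou=polaris-site"]},
    ],
}

def rdn_for(entries, child):
    """RDN of `child` relative to the domain owning these /machines entries.

    The suffix value at the same index as the matching serves value wins;
    otherwise the default is ou=<name>.  "." denotes the domain itself and
    is only used to look up the root domain's DN (which has no default)."""
    for entry in entries:
        serves, suffix = entry.get("serves", []), entry.get("suffix", [])
        for i, value in enumerate(serves):
            if value.split("/", 1)[0] == child and i < len(suffix):
                return suffix[i]
    return None if child == "." else "ou=" + child

def domain_dn(path, machines=MACHINES):
    """Canonical DN of a NetInfo domain such as "/sales/polaris".  NetInfo
    writes the most significant component first, X.500 the least, so the
    per-domain RDNs are reversed before the root DN is appended."""
    rdns, parent = [], "/"
    for comp in [c for c in path.split("/") if c]:
        rdns.append(rdn_for(machines.get(parent, []), comp))
        parent = parent.rstrip("/") + "/" + comp
    root = rdn_for(machines.get("/", []), ".")
    return ",".join(list(reversed(rdns)) + ([root] if root else []))

def resolve_search_base(base, local_domain):
    """dc=local and the empty root DSE alias the local domain; results are
    always written relative to its canonical DN.  X.500 names are
    case-insensitive, so compare case-folded."""
    if base.strip().lower() in ("", "dc=local"):
        return domain_dn(local_domain)
    return base
```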

       The configuration file created by mkslapdconf includes the OpenLDAP
       core, Cosine (RFC 1274), NIS (RFC 2307), inetOrgPerson (RFC 2798),
       miscellaneous and Apple schema. If you wish to add support for
       additional schema, you will need to postprocess the configuration
       file manually.

       The  configuration file is written to the standard output.  mkslapdconf
       should be run at startup immediately before the LDAP server is started,
       but after the NetInfo server is started.

OPTIONS
       -r     Specify that the LDAP bridge will access the NetInfo database
              using the netinfo(3) RPC client library.

EXAMPLES
       # mkslapdconf > /etc/openldap/slapd.conf

SEE ALSO
       netinfo(3), netinfo(5), nibindd(8), nicl(1), nidomain(8), slapd(8)

AUTHOR
       Luke Howard, Apple Computer, Inc.

Apple Computer, Inc.            March 21, 2001                       MKSLAPDCONF(1)