YPSERV(5) File Formats and Configurations YPSERV(5)
NAME
ypserv - configuration file for NIS to LDAP transition daemons
SYNOPSIS
/etc/default/ypserv
DESCRIPTION
The ypserv file specifies configuration information for the ypserv(8)
daemon. Configuration information can come from LDAP or be specified in
the ypserv file.
You can create a simple ypserv file by running inityp2l(8). The ypserv
file can then be customized as required.
A related NISLDAPmapping file contains mapping information that converts
NIS entries into LDAP entries. See the NISLDAPmapping(5) man page for an
overview of the setup that is needed to map NIS data to or from LDAP.
EXTENDED DESCRIPTION
The ypserv(8) server recognizes the attributes that follow. Values
specified for these attributes in the ypserv file, including any empty
values, override values that are obtained from LDAP. However, the
nisLDAPconfig* values are read from the ypserv file only.
Attributes
The following are attributes that are used for initial configuration.
nisLDAPconfigDN
    The DN for configuration information. If nisLDAPconfigDN is empty,
    all other nisLDAPconfig* values are ignored.
nisLDAPconfigPreferredServerList
    The list of servers to use for the configuration phase. There is no
    default value. The following is an example of a value for
    nisLDAPconfigPreferredServerList:
        nisLDAPconfigPreferredServerList=127.0.0.1:389
nisLDAPconfigAuthenticationMethod
    The authentication method used to obtain the configuration
    information. The recognized values for
    nisLDAPconfigAuthenticationMethod are:
    none            No authentication attempted.
    simple          Password of proxy user sent in the clear to the LDAP
                    server.
    sasl/cram-md5   Use SASL/CRAM-MD5 authentication. This authentication
                    method may not be supported by all LDAP servers. A
                    password must be supplied.
    sasl/digest-md5 Use SASL/DIGEST-MD5 authentication. The SASL/CRAM-MD5
                    authentication method may not be supported by all LDAP
                    servers. A password must be supplied.
    nisLDAPconfigAuthenticationMethod has no default value. The following
    is an example of a value for nisLDAPconfigAuthenticationMethod:
        nisLDAPconfigAuthenticationMethod=simple
nisLDAPconfigTLS
    The transport layer security used for the connection to the server.
    The recognized values are:
    none    No encryption of transport layer data. The default value is
            none.
    ssl     SSL encryption of transport layer data. A certificate is
            required.
    Export and import control restrictions might limit the availability
    of transport layer security.
nisLDAPconfigTLSCertificateDBPath
    The name of the directory that contains the certificate database.
    The default path is /var/yp.
nisLDAPconfigProxyUser
    The proxy user used to obtain configuration information.
    nisLDAPconfigProxyUser has no default value. If the value ends with a
    comma, the value of the nisLDAPconfigDN attribute is appended. For
    example:
        nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,
nisLDAPconfigProxyPassword
    The password that should be supplied to LDAP for the proxy user when
    the authentication method requires one. To avoid exposing this
    password publicly on the machine, the password should only appear in
    the configuration file, and the file should have an appropriate
    owner, group, and file mode. nisLDAPconfigProxyPassword has no
    default value.
The following are attributes used for data retrieval. The object class
name used for these attributes is nisLDAPconfig.
preferredServerList
    The list of servers to use to read or to write mapped NIS data from
    or to LDAP. preferredServerList has no default value. For example:
        preferredServerList=127.0.0.1:389
authenticationMethod
    The authentication method to use to read or to write mapped NIS data
    from or to LDAP. For recognized values, see the
    nisLDAPconfigAuthenticationMethod attribute. authenticationMethod has
    no default value. For example:
        authenticationMethod=simple
nisLDAPTLS
    The transport layer security to use to read or to write NIS data from
    or to LDAP. For recognized values, see the nisLDAPconfigTLS
    attribute. The default value is none. Export and import control
    restrictions might limit the availability of transport layer
    security.
nisLDAPTLSCertificateDBPath
    The name of the directory that contains the certificate database. For
    recognized and default values for nisLDAPTLSCertificateDBPath, see
    the nisLDAPconfigTLSCertificateDBPath attribute.
nisLDAPproxyUser
    Proxy user used by ypserv(8), ypxfrd(8) and yppasswdd(8) to read or
    to write from or to LDAP. Assumed to have the appropriate permission
    to read and modify LDAP data. There is no default value. If the value
    ends in a comma, the value of the context for the current domain, as
    defined by a nisLDAPdomainContext attribute, is appended. See
    NISLDAPmapping(5). For example:
        nisLDAPproxyUser=cn=nisAdmin,ou=People,
nisLDAPproxyPassword
    The password that should be supplied to LDAP for the proxy user when
    the authentication method so requires. To avoid exposing this
    password publicly on the machine, the password should only appear in
    the configuration file, and the file must have an appropriate owner,
    group, and file mode. nisLDAPproxyPassword has no default value.
nisLDAPsearchTimeout
    Establishes the timeout for the LDAP search operation. The default
    value for nisLDAPsearchTimeout is 180 seconds.
nisLDAPbindTimeout
nisLDAPmodifyTimeout
nisLDAPaddTimeout
nisLDAPdeleteTimeout
    Establish timeouts for LDAP bind, modify, add, and delete operations,
    respectively. The default value is 15 seconds for each attribute.
    Decimal values are allowed.
nisLDAPsearchTimeLimit
    Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests a
    time limit for the search operation on the LDAP server. The server
    may impose its own constraints on possible values. See your LDAP
    server documentation. The default is the nisLDAPsearchTimeout value.
    Only integer values are allowed. Since nisLDAPsearchTimeout limits
    the amount of time the client ypserv will wait for completion of a
    search operation, do not set the value of nisLDAPsearchTimeLimit
    larger than the value of nisLDAPsearchTimeout.
nisLDAPsearchSizeLimit
    Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests a
    size limit, in bytes, for the search results on the LDAP server. The
    server may impose its own constraints on possible values. See your
    LDAP server documentation. The default value for
    nisLDAPsearchSizeLimit is zero, which means the size limit is
    unlimited. Only integer values are allowed.
nisLDAPfollowReferral
    Determines if ypserv should follow referrals or not. Recognized
    values for nisLDAPfollowReferral are yes and no. The default value
    for nisLDAPfollowReferral is no.
The following attributes specify the action to be taken when some event
occurs. The values are all of the form event=action. The default action
is the first one listed for each event.
nisLDAPretrieveErrorAction
    If an error occurs while trying to retrieve an entry from LDAP, one
    of the following actions can be selected:
    use_cached  Retry the retrieval the number of times specified by
                nisLDAPretrieveErrorAttempts, with the
                nisLDAPretrieveErrorTimeout value controlling the wait
                between each attempt. If all attempts fail, then a
                warning is logged and the value currently in the cache
                is returned to the client.
    fail        Proceed as for use_cached, but if all attempts fail, a
                YPERR_YPERR error is returned to the client.
nisLDAPretrieveErrorAttempts
    The number of times a failed retrieval should be retried. The default
    value for nisLDAPretrieveErrorAttempts is unlimited. While retries
    are made, the ypserv daemon will be prevented from servicing further
    requests. nisLDAPretrieveErrorAttempts values other than 1 should be
    used with caution.
nisLDAPretrieveErrorTimeout
    The timeout in seconds between each new attempt to retrieve LDAP
    data. The default value for nisLDAPretrieveErrorTimeout is 15
    seconds.
nisLDAPstoreErrorAction
    If an error occurs while trying to store data to the LDAP repository,
    one of the following actions can be selected:
    retry   Retry the operation nisLDAPstoreErrorAttempts times with
            nisLDAPstoreErrorTimeout seconds between each attempt. While
            retries are made, the NIS daemon will be prevented from
            servicing further requests. Use with caution.
    fail    Return a YPERR_YPERR error to the client.
nisLDAPstoreErrorAttempts
    The number of times a failed attempt to store should be retried. The
    default value for nisLDAPstoreErrorAttempts is unlimited. The value
    for nisLDAPstoreErrorAttempts is ignored unless
    nisLDAPstoreErrorAction=retry.
nisLDAPstoreErrorTimeout
    The timeout, in seconds, between each new attempt to store LDAP data.
    The default value for nisLDAPstoreErrorTimeout is 15 seconds. The
    nisLDAPstoreErrorTimeout value is ignored unless
    nisLDAPstoreErrorAction=retry.
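The cautions in the attribute descriptions above (a proxy password kept in a file with a loose mode, a simple bind with no TLS, nisLDAPsearchTimeLimit set above nisLDAPsearchTimeout, and the unlimited default for nisLDAPretrieveErrorAttempts) turned into a check over a ypserv file. This is an added example, not code from this man page or the ypserv code base; the SAMPLE text, the function names and the finding strings are constructed here.

```python
import stat

# Added example, not from the ypserv(5) page or the ypserv code base: a lint
# pass over /etc/default/ypserv lines that reports the weak settings the
# page warns about. Defaults are the page's; the sample file is constructed.
SAMPLE = """\
# constructed sample, not a real deployment
nisLDAPconfigDN=cn=nis,dc=example,dc=com
nisLDAPconfigAuthenticationMethod=simple
nisLDAPconfigTLS=none
nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,
nisLDAPconfigProxyPassword=example-secret
nisLDAPsearchTimeout=60
nisLDAPsearchTimeLimit=120
nisLDAPretrieveErrorAttempts=1
"""

def parse_ypserv(text):
    """Map attribute -> value. An empty value is kept on purpose: an empty
    value in the file still overrides whatever LDAP would have supplied."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint_ypserv(text, file_mode, file_uid=0):
    """Return findings for file contents plus its st_mode bits and owner uid."""
    c, findings = parse_ypserv(text), []
    # A proxy password in the file requires a restrictive owner/group/mode.
    if any(c.get(k) for k in ("nisLDAPconfigProxyPassword", "nisLDAPproxyPassword")):
        if file_mode & (stat.S_IRWXG | stat.S_IRWXO) or file_uid != 0:
            findings.append("proxy password in a file readable by group/other or not owned by root")
    # 'simple' sends the proxy password in the clear unless ssl is configured.
    for method, tls in (("nisLDAPconfigAuthenticationMethod", "nisLDAPconfigTLS"),
                        ("authenticationMethod", "nisLDAPTLS")):
        if c.get(method, "").lower() == "simple" and c.get(tls, "none").lower() == "none":
            findings.append(f"{method}=simple with {tls}=none sends the password in the clear")
    # The server-side time limit must not exceed the client's own wait.
    timeout = float(c.get("nisLDAPsearchTimeout") or 180)       # page default: 180 s
    limit = int(c.get("nisLDAPsearchTimeLimit") or int(timeout))  # default: the timeout
    if limit > timeout:
        findings.append("nisLDAPsearchTimeLimit is larger than nisLDAPsearchTimeout")
    # Default attempts is unlimited; every retry blocks ypserv for all clients.
    if c.get("nisLDAPretrieveErrorAttempts") != "1":
        findings.append("nisLDAPretrieveErrorAttempts is not 1; retries stall the daemon")
    return findings
```

Pass the real file's contents together with os.stat().st_mode and st_uid; a clean file returns an empty list.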
Storing Configuration Attributes in LDAP
Most attributes described on this man page, as well as those described
on NISLDAPmapping(5), can be stored in LDAP. In order to do so, you will
need to add the following definitions to your LDAP server, which are
described here in LDIF format suitable for use by ldapadd(1). The
attribute and objectclass OIDs are examples only.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \
DESC 'Preferred LDAP server host addresses used by DUA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
DESC 'Authentication method used to contact the DSA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
NAME 'nisLDAPTLS' \
DESC 'Transport Layer Security' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \
NAME 'nisLDAPTLSCertificateDBPath' \
DESC 'Certificate file' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
NAME 'nisLDAPproxyUser' \
DESC 'Proxy user for data store/retrieval' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \
NAME 'nisLDAPproxyPassword' \
DESC 'Password/key/shared secret for proxy user' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \
NAME 'nisLDAPretrieveErrorAction' \
DESC 'Action following an LDAP search error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \
NAME 'nisLDAPretrieveErrorAttempts' \
DESC 'Number of times to retry an LDAP search' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \
NAME 'nisLDAPretrieveErrorTimeout' \
DESC 'Timeout between each search attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \
NAME 'nisLDAPstoreErrorAction' \
DESC 'Action following an LDAP store error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \
NAME 'nisLDAPstoreErrorAttempts' \
DESC 'Number of times to retry an LDAP store' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \
NAME 'nisLDAPstoreErrorTimeout' \
DESC 'Timeout between each store attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \
NAME 'nisLDAPdomainContext' \
DESC 'Context for a single domain' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \
NAME 'nisLDAPyppasswddDomains' \
DESC 'List of domains for which password changes are made' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \
NAME 'nisLDAPdatabaseIdMapping' \
DESC 'Defines a database id for a NIS object' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \
NAME 'nisLDAPentryTtl' \
DESC 'TTL for cached objects derived from LDAP' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \
NAME 'nisLDAPobjectDN' \
DESC 'Location in LDAP tree where NIS data is stored' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 \
NAME 'nisLDAPnameFields' \
DESC 'Rules for breaking NIS entries into fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 \
NAME 'nisLDAPsplitFields' \
DESC 'Rules for breaking fields into sub fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \
NAME 'nisLDAPattributeFromField' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \
NAME 'nisLDAPfieldFromAttribute' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \
NAME 'nisLDAPrepeatedFieldSeparators' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \
NAME 'nisLDAPcommentChar' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \
NAME 'nisLDAPmapFlags' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
DESC 'NIS/LDAP mapping configuration' \
SUP top STRUCTURAL \
MAY ( cn $ preferredServerList $
  authenticationMethod $ nisLDAPTLS $
  nisLDAPTLSCertificateDBPath $
  nisLDAPproxyUser $ nisLDAPproxyPassword $
  nisLDAPretrieveErrorAction $
  nisLDAPretrieveErrorAttempts $
  nisLDAPretrieveErrorTimeout $
  nisLDAPstoreErrorAction $
  nisLDAPstoreErrorAttempts $
  nisLDAPstoreErrorTimeout $
  nisLDAPdomainContext $
  nisLDAPyppasswddDomains $
  nisLDAPdatabaseIdMapping $
  nisLDAPentryTtl $
  nisLDAPobjectDN $
  nisLDAPnameFields $
  nisLDAPsplitFields $
  nisLDAPattributeFromField $
  nisLDAPfieldFromAttribute $
  nisLDAPrepeatedFieldSeparators $
  nisLDAPcommentChar $
  nisLDAPmapFlags ) )
Create a file containing the following LDIF data. Substitute your actual
nisLDAPconfigDN for configDN:
dn: configDN
objectClass: top
objectClass: nisLDAPconfig
Use this file as input to the ldapadd(1) command in order to create the
NIS to LDAP configuration entry. Initially, the entry is empty. You can
use the ldapmodify(1) command to add configuration attributes.
EXAMPLES
Example 1: Creating a NIS to LDAP Configuration Entry
To set the server list to port 389 on 127.0.0.1, create the following
file and use it as input to ldapmodify(1):
dn: configDN
preferredServerList: 127.0.0.1:389
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Obsolete |
+--------------------+-----------------+
SEE ALSO
ldapadd(1), ldapmodify(1), NISLDAPmapping(5), attributes(7), inityp2l(8),
yppasswdd(8), ypserv(8), ypxfrd(8)
System Administration Guide: Naming and Directory Services (DNS, NIS, and
LDAP)
December 2, 2023 YPSERV(5)