xref: /illumos-gate/usr/src/man/man5/ypserv.5 (revision 9b9d39d2a32ff806d2431dbcc50968ef1e6d46b2) 
 te
 Copyright (C) 2003, Sun Microsystems, Inc.
 All Rights Reserved
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 YPSERV 5 "Dec 2, 2023"
 NAME
ypserv - configuration file for NIS to LDAP transition daemons

 SYNOPSIS
/etc/default/ypserv




 DESCRIPTION
The ypserv file specifies configuration information for the
ypserv(8) daemon. Configuration information can come from LDAP or be
specified in the ypserv file.


You can create a simple ypserv file by running inityp2l(8). The
ypserv file can then be customized as required.


A related NISLDAPmapping file contains mapping information that converts
NIS entries into LDAP entries. See the NISLDAPmapping(5) man page for an
overview of the setup that is needed to map NIS data to or from LDAP.

 EXTENDED DESCRIPTION
The ypserv(8) server recognizes the attributes that follow. Values
specified for these attributes in the ypserv file, including any empty
values, override values that are obtained from LDAP. However, the
nisLDAPconfig* values are read from the ypserv file only

 "Attributes"
The following are attributes that are used for initial configuration.
nisLDAPconfigDN


The DN for configuration information. If nisLDAPconfigDN is empty,
all other nisLDAPConfig* values are ignored.



nisLDAPconfigPreferredServerList


The list of servers to use for the configuration phase. There is no default
value. The following is an example of a value for
nisLDAPconfigPreferredServerList:

nisLDAPconfigPreferredServerList=127.0.0.1:389






nisLDAPconfigAuthenticationMethod


The authentication method used to obtain the configuration information. The
recognized values for nisLDAPconfigAuthenticationMethod are:
none


No authentication attempted



simple


Password of proxy user sent in the clear to the LDAP server



sasl/cram-md5


Use SASL/CRAM-MD5 authentication. This authentication method may not be
supported by all LDAP servers. A password must be supplied.



sasl/digest-md5


Use SASL/DIGEST-MD5 authentication. The SASL/CRAM-MD5authentication
method may not be supported by all LDAP servers. A password must be supplied.



nisLDAPconfigAuthenticationMethod has no default value. The following is
an example of a value for nisLDAPconfigAuthenticationMethod:

nisLDAPconfigAuthenticationMethod=simple






nisLDAPconfigTLS


The transport layer security used for the connection to the server. The
recognized values are:
none


No encryption of transport layer data. The default value is none.



ssl


SSL encryption of transport layer data. A certificate is required.



Export and import control restrictions might limit the availability of
transport layer security.



nisLDAPconfigTLSCertificateDBPath


The name of the directory that contains the certificate database. The default
path is /var/yp.



nisLDAPconfigProxyUser


The proxy user used to obtain configuration information.
nisLDAPconfigProxyUser has no default value. If the value ends with a
comma, the value of the nisLDAPconfigDN attribute is appended. For
example:

nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,






nisLDAPconfigProxyPassword


The password that should be supplied to LDAP for the proxy user when the
authentication method requires one. To avoid exposing this password publicly on
the machine, the password should only appear in the configuration file, and the
file should have an appropriate owner, group, and file mode.
nisLDAPconfigProxyPassword has no default value.





The following are attributes used for data retrieval. The object class name
used for these attributes is nisLDAPconfig.
preferredServerList


The list of servers to use to read or to write mapped NIS data from or to LDAP.
preferredServerList has no default value. For example:

preferredServerList=127.0.0.1:389






authenticationMethod


The authentication method to use to read or to write mapped NIS data from or to
LDAP. For recognized values, see the LDAPconfigAuthenticationMethod
attribute. authenticationMethod has no default value. For example:

authenticationMethod=simple






nisLDAPTLS


The transport layer security to use to read or to write NIS data from or to
LDAP. For recognized values, see the nisLDAPconfigTLS attribute. The
default value is none. Export and import control restrictions might limit the
availability of transport layer security.



nisLDAPTLSCertificateDBPath


The name of the directory that contains the certificate DB. For
recognized and default values for nisLDAPTLSCertificateDBPath, see the
nisLDAPconfigTLSCertificateDBPath attribute.



nisLDAPproxyUser


Proxy user used by ypserv(8), ypxfrd(8) and yppasswdd(8)
to read or to write from or to LDAP. Assumed to have the appropriate permission
to read and modify LDAP data. There is no default value. If the value ends in a
comma, the value of the context for the current domain, as defined by a
nisLDAPdomainContext attribute, is appended. See NISLDAPmapping(5).
For example:

nisLDAPproxyUser=cn=nisAdmin,ou=People,






nisLDAPproxyPassword


The password that should be supplied to LDAP for the proxy user when the
authentication method so requires. To avoid exposing this password publicly on
the machine, the password should only appear in the configuration file, and the
file must have an appropriate owner, group, and file mode.
nisLDAPproxyPassword has no default value.



nisLDAPsearchTimeout


Establishes the timeout for the LDAP search operation. The default value for
nisLDAPsearchTimeout is 180 seconds.



nisLDAPbindTimeout


nisLDAPmodifyTimeout


nisLDAPaddTimeout


nisLDAPdeleteTimeout


Establish timeouts for LDAP bind, modify, add, and delete operations,
respectively. The default value is 15 seconds for each attribute. Decimal
values are allowed.



nisLDAPsearchTimeLimit


Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests a
time limit for the search operation on the LDAP server. The server may impose
its own constraints on possible values. See your LDAP server documentation. The
default is the nisLDAPsearchTimeout value. Only integer values are
allowed.
Since the nisLDAPsearchTimeout limits the amount of time the client
ypserv will wait for completion of a search operation, do not set the
value of nisLDAPsearchTimeLimit larger than the value of
nisLDAPsearchTimeout.



nisLDAPsearchSizeLimit


Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests a
size limit, in bytes, for the search results on the LDAP server. The server may
impose its own constraints on possible values. See your LDAP server
documentation. The default value for nisLDAPsearchSizeLimit is zero,
which means the size limit is unlimited. Only integer values are allowed.



nisLDAPfollowReferral


Determines if the ypserv should follow referrals or not. Recognized
values for nisLDAPfollowReferral are yes and no. The default
value for nisLDAPfollowReferral is no.





The following attributes specify the action to be taken when some event occurs.
The values are all of the form event=action. The default action is the
first one listed for each event.
nisLDAPretrieveErrorAction


If an error occurs while trying to retrieve an entry from LDAP, one of the
following actions can be selected:
use_cached


Retry the retrieval the number of time specified by
nisLDAPretrieveErrorAttempts, with the nisLDAPretrieveErrorTimeout
value controlling the wait between each attempt.
If all attempts fail, then a warning is logged and the value currently in the
cache is returned to the client.



fail


Proceed as for use_cached, but if all attempts fail, a YPERR_YPERR
error is returned to the client.






nisLDAPretrieveErrorAttempts


The number of times a failed retrieval should be retried. The default value for
nisLDAPretrieveErrorAttempts is unlimited. While retries are made the
ypserv daemon will be prevented from servicing further
requests .nisLDAPretrieveErrorAttempts values other than 1 should be used
with caution.



nisLDAPretrieveErrorTimeout


The timeout in seconds between each new attempt to retrieve LDAP data. The
default value for nisLDAPretrieveErrorTimeout is 15 seconds.



nisLDAPstoreErrorAction


An error occurred while trying to store data to the LDAP repository.
retry


Retry operation nisLDAPstoreErrorAttempts times with
nisLDAPstoreErrorTimeout seconds between each attempt. While retries are
made, the NIS daemon will be prevented from servicing further requests. Use
with caution.



fail


Return YPERR_YPERR error to the client.






nisLDAPstoreErrorAttempts


The number of times a failed attempt to store should be retried. The default
value for nisLDAPstoreErrorAttempts is unlimited. The value for
nisLDAPstoreErrorAttempts is ignored unless
nisLDAPstoreErrorAction=retry.



nisLDAPstoreErrortimeout


The timeout, in seconds, between each new attempt to store LDAP data. The
default value for nisLDAPstoreErrortimeout is 15 seconds. The
nisLDAPstoreErrortimeout value is ignored unless
nisLDAPstoreErrorAction=retry.




 "Storing Configuration Attributes in LDAP"
Most attributes described on this man page, as well as those described on
NISLDAPmapping(5), can be stored in LDAP. In order to do so, you will
need to add the following definitions to your LDAP server, which are described
here in LDIF format suitable for use by ldapadd(1). The attribute
and objectclass OIDs are examples only.

dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \e
 DESC 'Preferred LDAP server host addresses used by DUA' \e
 EQUALITY caseIgnoreMatch \
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \e
 DESC 'Authentication method used to contact the DSA' \e
 EQUALITY caseIgnoreMatch \
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

dn: cn=schema
 changetype: modify
 add: attributetypes
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \e
 NAME 'nisLDAPTLS' \e
 DESC 'Transport Layer Security' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \e
 NAME 'nisLDAPTLSCertificateDBPath' \e
 DESC 'Certificate file' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \e
 NAME 'nisLDAPproxyUser' \e
 DESC 'Proxy user for data store/retrieval' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \e
 NAME 'nisLDAPproxyPassword' \e
 DESC 'Password/key/shared secret for proxy user' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \e
 NAME 'nisLDAPretrieveErrorAction' \e
 DESC 'Action following an LDAP search error' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \e
 NAME 'nisLDAPretrieveErrorAttempts' \e
 DESC 'Number of times to retry an LDAP search' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \e
 NAME 'nisLDAPretrieveErrorTimeout' \e
 DESC 'Timeout between each search attempt' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \e
 NAME 'nisLDAPstoreErrorAction' \e
 DESC 'Action following an LDAP store error' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \e
 NAME 'nisLDAPstoreErrorAttempts' \e
 DESC 'Number of times to retry an LDAP store' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \e
 NAME 'nisLDAPstoreErrorTimeout' \e
 DESC 'Timeout between each store attempt' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \e
 NAME 'nisLDAPdomainContext' \e
 DESC 'Context for a single domain' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \e
 NAME 'nisLDAPyppasswddDomains' \e
 DESC 'List of domains for which password changes are made' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \e
 NAME 'nisLDAPdatabaseIdMapping' \e
 DESC 'Defines a database id for a NIS object' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \e
 NAME 'nisLDAPentryTtl' \e
 DESC 'TTL for cached objects derived from LDAP' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \e
 NAME 'nisLDAPobjectDN' \e
 DESC 'Location in LDAP tree where NIS data is stored' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 ) \e
 NAME 'nisLDAPnameFields' \e
 DESC 'Rules for breaking NIS entries into fields' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 ) \e
 NAME 'nisLDAPsplitFields' \e
 DESC 'Rules for breaking fields into sub fields' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \e
 NAME 'nisLDAPattributeFromField' \e
 DESC 'Rules for mapping fields to LDAP attributes' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \e
 NAME 'nisLDAPfieldFromAttribute' \e
 DESC 'Rules for mapping fields to LDAP attributes' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \e
 NAME 'nisLDAPrepeatedFieldSeparators' \e
 DESC 'Rules for mapping fields to LDAP attributes' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \e
 NAME 'nisLDAPcommentChar' \e
 DESC 'Rules for mapping fields to LDAP attributes' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \e
 NAME 'nisLDAPmapFlags' \e
 DESC 'Rules for mapping fields to LDAP attributes' \e
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 dn: cn=schema
 changetype: modify
 add: objectclasses
 objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \e
 DESC 'NIS/LDAP mapping configuration' \e
 SUP top STRUCTURAL \e
 MAY ( cn $ preferredServerList $
 authenticationMethod $ nisLDAPTLS $
 nisLDAPTLSCertificateDBPath $
 nisLDAPproxyUser $ nisLDAPproxyPassword $
 nisLDAPretrieveErrorAction $
 nisLDAPretrieveErrorAttempts $
 nisLDAPretrieveErrorTimeout $
 nisLDAPstoreErrorAction $
 nisLDAPstoreErrorAttempts $
 nisLDAPstoreErrorTimeout $
 nisLDAPdomainContext $
 nisLDAPyppasswddDomains $
 nisLDAPdatabaseIdMapping $
 nisLDAPentryTtl $
 nisLDAPobjectDN $
 nisLDAPnameFields $
 nisLDAPsplitFields $
 nisLDAPattributeFromField $
 nisLDAPfieldFromAttribute $
 nisLDAPrepeatedFieldSeparators $
 nisLDAPcommentChar $
 nisLDAPmapFlags ) )





Create a file containing the following LDIF data. Substitute your actual
nisLDAPconfigDN for configDN:

dn: configDN
objectClass: top
objectClass: nisLDAPconfig





Use this file as input to the ldapadd(1) command in order to create the
NIS to LDAP configuration entry. Initially, the entry is empty. You can use the
ldapmodify(1) command to add configuration attributes.

 EXAMPLES
Example 1 Creating a NIS to LDAP Configuration Entry


To set the server list to port 389 on 127.0.0.1, create the following file and
use it as input to ldapmodify(1):


dn: configDN
preferredServerList: 127.0.0.1:389




 ATTRIBUTES
See attributes(7) for descriptions of the following attributes:






ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Obsolete



 SEE ALSO
 ldapadd (1),  ldapmodify (1),  NISLDAPmapping (5),  attributes (7),  inityp2l (8),  yppasswdd (8),  ypserv (8),  ypxfrd (8) 

System Administration Guide: Naming and Directory Services (DNS, NIS, and
LDAP)