YPSERV(5) File Formats and Configurations YPSERV(5)

ypserv - configuration file for NIS to LDAP transition daemons

/etc/default/ypserv

The ypserv file specifies configuration information for the ypserv(8) daemon. Configuration information can come from LDAP or be specified in the ypserv file.

You can create a simple ypserv file by running inityp2l(8). The ypserv file can then be customized as required.

A related NISLDAPmapping file contains mapping information that converts NIS entries into LDAP entries. See the NISLDAPmapping(5) man page for an overview of the setup that is needed to map NIS data to or from LDAP.

The ypserv(8) server recognizes the attributes that follow. Values specified for these attributes in the ypserv file, including any empty values, override values that are obtained from LDAP. However, the nisLDAPconfig* values are read from the ypserv file only

The following are attributes that are used for initial configuration.

nisLDAPconfigDN

The DN for configuration information. If nisLDAPconfigDN is empty, all other nisLDAPConfig* values are ignored.

nisLDAPconfigPreferredServerList

The list of servers to use for the configuration phase. There is no default value. The following is an example of a value for nisLDAPconfigPreferredServerList:


nisLDAPconfigPreferredServerList=127.0.0.1:389

nisLDAPconfigAuthenticationMethod

The authentication method used to obtain the configuration information. The recognized values for nisLDAPconfigAuthenticationMethod are:

none

No authentication attempted

simple

Password of proxy user sent in the clear to the LDAP server

sasl/cram-md5

Use SASL/CRAM-MD5 authentication. This authentication method may not be supported by all LDAP servers. A password must be supplied.

sasl/digest-md5

Use SASL/DIGEST-MD5 authentication. The SASL/CRAM-MD5authentication method may not be supported by all LDAP servers. A password must be supplied.

nisLDAPconfigAuthenticationMethod has no default value. The following is an example of a value for nisLDAPconfigAuthenticationMethod:


nisLDAPconfigAuthenticationMethod=simple

nisLDAPconfigTLS

The transport layer security used for the connection to the server. The recognized values are:

none

No encryption of transport layer data. The default value is none.

ssl

SSL encryption of transport layer data. A certificate is required.

Export and import control restrictions might limit the availability of transport layer security.

nisLDAPconfigTLSCertificateDBPath

The name of the directory that contains the certificate database. The default path is /var/yp.

nisLDAPconfigProxyUser

The proxy user used to obtain configuration information. nisLDAPconfigProxyUser has no default value. If the value ends with a comma, the value of the nisLDAPconfigDN attribute is appended. For example:


nisLDAPconfigProxyUser=cn=nisAdmin,ou=People,

nisLDAPconfigProxyPassword

The password that should be supplied to LDAP for the proxy user when the authentication method requires one. To avoid exposing this password publicly on the machine, the password should only appear in the configuration file, and the file should have an appropriate owner, group, and file mode. nisLDAPconfigProxyPassword has no default value.

The following are attributes used for data retrieval. The object class name used for these attributes is nisLDAPconfig.

preferredServerList

The list of servers to use to read or to write mapped NIS data from or to LDAP. preferredServerList has no default value. For example:


preferredServerList=127.0.0.1:389

authenticationMethod

The authentication method to use to read or to write mapped NIS data from or to LDAP. For recognized values, see the LDAPconfigAuthenticationMethod attribute. authenticationMethod has no default value. For example:


authenticationMethod=simple

nisLDAPTLS

The transport layer security to use to read or to write NIS data from or to LDAP. For recognized values, see the nisLDAPconfigTLS attribute. The default value is none. Export and import control restrictions might limit the availability of transport layer security.

nisLDAPTLSCertificateDBPath

The name of the directory that contains the certificate DB. For recognized and default values for nisLDAPTLSCertificateDBPath, see the nisLDAPconfigTLSCertificateDBPath attribute.

nisLDAPproxyUser

Proxy user used by ypserv(8), ypxfrd(8) and yppasswdd(8) to read or to write from or to LDAP. Assumed to have the appropriate permission to read and modify LDAP data. There is no default value. If the value ends in a comma, the value of the context for the current domain, as defined by a nisLDAPdomainContext attribute, is appended. See NISLDAPmapping(5). For example:


nisLDAPproxyUser=cn=nisAdmin,ou=People,

nisLDAPproxyPassword

The password that should be supplied to LDAP for the proxy user when the authentication method so requires. To avoid exposing this password publicly on the machine, the password should only appear in the configuration file, and the file must have an appropriate owner, group, and file mode. nisLDAPproxyPassword has no default value.

nisLDAPsearchTimeout

Establishes the timeout for the LDAP search operation. The default value for nisLDAPsearchTimeout is 180 seconds.

nisLDAPbindTimeout
nisLDAPmodifyTimeout
nisLDAPaddTimeout
nisLDAPdeleteTimeout

Establish timeouts for LDAP bind, modify, add, and delete operations, respectively. The default value is 15 seconds for each attribute. Decimal values are allowed.

nisLDAPsearchTimeLimit

Establish a value for the LDAP_OPT_TIMELIMIT option, which suggests a time limit for the search operation on the LDAP server. The server may impose its own constraints on possible values. See your LDAP server documentation. The default is the nisLDAPsearchTimeout value. Only integer values are allowed.

Since the nisLDAPsearchTimeout limits the amount of time the client ypserv will wait for completion of a search operation, do not set the value of nisLDAPsearchTimeLimit larger than the value of nisLDAPsearchTimeout.

nisLDAPsearchSizeLimit

Establish a value for the LDAP_OPT_SIZELIMIT option, which suggests a size limit, in bytes, for the search results on the LDAP server. The server may impose its own constraints on possible values. See your LDAP server documentation. The default value for nisLDAPsearchSizeLimit is zero, which means the size limit is unlimited. Only integer values are allowed.

nisLDAPfollowReferral

Determines if the ypserv should follow referrals or not. Recognized values for nisLDAPfollowReferral are yes and no. The default value for nisLDAPfollowReferral is no.

The following attributes specify the action to be taken when some event occurs. The values are all of the form event=action. The default action is the first one listed for each event.

nisLDAPretrieveErrorAction

If an error occurs while trying to retrieve an entry from LDAP, one of the following actions can be selected:

use_cached

Retry the retrieval the number of time specified by nisLDAPretrieveErrorAttempts, with the nisLDAPretrieveErrorTimeout value controlling the wait between each attempt.

If all attempts fail, then a warning is logged and the value currently in the cache is returned to the client.

fail

Proceed as for use_cached, but if all attempts fail, a YPERR_YPERR error is returned to the client.

nisLDAPretrieveErrorAttempts

The number of times a failed retrieval should be retried. The default value for nisLDAPretrieveErrorAttempts is unlimited. While retries are made the ypserv daemon will be prevented from servicing further requests .nisLDAPretrieveErrorAttempts values other than 1 should be used with caution.

nisLDAPretrieveErrorTimeout

The timeout in seconds between each new attempt to retrieve LDAP data. The default value for nisLDAPretrieveErrorTimeout is 15 seconds.

nisLDAPstoreErrorAction

An error occurred while trying to store data to the LDAP repository.

retry

Retry operation nisLDAPstoreErrorAttempts times with nisLDAPstoreErrorTimeout seconds between each attempt. While retries are made, the NIS daemon will be prevented from servicing further requests. Use with caution.

fail

Return YPERR_YPERR error to the client.

nisLDAPstoreErrorAttempts

The number of times a failed attempt to store should be retried. The default value for nisLDAPstoreErrorAttempts is unlimited. The value for nisLDAPstoreErrorAttempts is ignored unless nisLDAPstoreErrorAction=retry.

nisLDAPstoreErrortimeout

The timeout, in seconds, between each new attempt to store LDAP data. The default value for nisLDAPstoreErrortimeout is 15 seconds. The nisLDAPstoreErrortimeout value is ignored unless nisLDAPstoreErrorAction=retry.

Most attributes described on this man page, as well as those described on NISLDAPmapping(5), can be stored in LDAP. In order to do so, you will need to add the following definitions to your LDAP server, which are described here in LDIF format suitable for use by ldapadd(1). The attribute and objectclass OIDs are examples only.


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \

DESC 'Preferred LDAP server host addresses used by DUA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
DESC 'Authentication method used to contact the DSA' \
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 \
NAME 'nisLDAPTLS' \
DESC 'Transport Layer Security' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.1 \
NAME 'nisLDAPTLSCertificateDBPath' \
DESC 'Certificate file' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.2 \
NAME 'nisLDAPproxyUser' \
DESC 'Proxy user for data store/retrieval' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.3 \
NAME 'nisLDAPproxyPassword' \
DESC 'Password/key/shared secret for proxy user' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.6 \
NAME 'nisLDAPretrieveErrorAction' \
DESC 'Action following an LDAP search error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.7 \
NAME 'nisLDAPretrieveErrorAttempts' \
DESC 'Number of times to retry an LDAP search' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.8 \
NAME 'nisLDAPretrieveErrorTimeout' \
DESC 'Timeout between each search attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.9 \
NAME 'nisLDAPstoreErrorAction' \
DESC 'Action following an LDAP store error' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.10 \
NAME 'nisLDAPstoreErrorAttempts' \
DESC 'Number of times to retry an LDAP store' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.11 \
NAME 'nisLDAPstoreErrorTimeout' \
DESC 'Timeout between each store attempt' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.12 \
NAME 'nisLDAPdomainContext' \
DESC 'Context for a single domain' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.13 \
NAME 'nisLDAPyppasswddDomains' \
DESC 'List of domains for which password changes are made' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.14 \
NAME 'nisLDAPdatabaseIdMapping' \
DESC 'Defines a database id for a NIS object' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.15 \
NAME 'nisLDAPentryTtl' \
DESC 'TTL for cached objects derived from LDAP' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.16 \
NAME 'nisLDAPobjectDN' \
DESC 'Location in LDAP tree where NIS data is stored' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.17 ) \
NAME 'nisLDAPnameFields' \
DESC 'Rules for breaking NIS entries into fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.18 ) \
NAME 'nisLDAPsplitFields' \
DESC 'Rules for breaking fields into sub fields' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.19 \
NAME 'nisLDAPattributeFromField' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.20 \
NAME 'nisLDAPfieldFromAttribute' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.21 \
NAME 'nisLDAPrepeatedFieldSeparators' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.22 \
NAME 'nisLDAPcommentChar' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.23 \
NAME 'nisLDAPmapFlags' \
DESC 'Rules for mapping fields to LDAP attributes' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.43.1.0 NAME 'nisLDAPconfig' \
DESC 'NIS/LDAP mapping configuration' \
SUP top STRUCTURAL \
MAY ( cn $ preferredServerList $
authenticationMethod $ nisLDAPTLS $
nisLDAPTLSCertificateDBPath $
nisLDAPproxyUser $ nisLDAPproxyPassword $
nisLDAPretrieveErrorAction $
nisLDAPretrieveErrorAttempts $
nisLDAPretrieveErrorTimeout $
nisLDAPstoreErrorAction $
nisLDAPstoreErrorAttempts $
nisLDAPstoreErrorTimeout $
nisLDAPdomainContext $
nisLDAPyppasswddDomains $
nisLDAPdatabaseIdMapping $
nisLDAPentryTtl $
nisLDAPobjectDN $
nisLDAPnameFields $
nisLDAPsplitFields $
nisLDAPattributeFromField $
nisLDAPfieldFromAttribute $
nisLDAPrepeatedFieldSeparators $
nisLDAPcommentChar $
nisLDAPmapFlags ) )

Create a file containing the following LDIF data. Substitute your actual nisLDAPconfigDN for configDN:


dn: configDN
objectClass: top
objectClass: nisLDAPconfig

Use this file as input to the ldapadd(1) command in order to create the NIS to LDAP configuration entry. Initially, the entry is empty. You can use the ldapmodify(1) command to add configuration attributes.

Example 1 Creating a NIS to LDAP Configuration Entry

To set the server list to port 389 on 127.0.0.1, create the following file and use it as input to ldapmodify(1):


dn: configDN
preferredServerList: 127.0.0.1:389

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Obsolete

ldapadd(1), ldapmodify(1), NISLDAPmapping(5), attributes(7), inityp2l(8), yppasswdd(8), ypserv(8), ypxfrd(8)

System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

December 2, 2023 OmniOS