YPLDAP.CONF(5) - File Formats Manual

NAME #

ypldap.conf - LDAP YP map daemon configuration file

DESCRIPTION #

The ypldap(8) daemon provides YP maps using LDAP as a backend.

The ypldap.conf config file is divided into the following main sections:

Macros

User-defined variables may be defined and used later, simplifying the configuration file.

Global Configuration

Global settings for ypldap(8).

Directories

LDAP directory-specific parameters.

MACROS #

Much like cpp(1) or m4(1), macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, domain). Macros are not expanded inside quotes.

For example:

fixed_gecos="Pulled from LDAP"

fixed attribute gecos $fixed_gecos

GLOBAL CONFIGURATION #

Global settings concern the main behaviour of the daemon.

domain string

Specify the name of the NIS domain ypldap(8) will provide.

interval seconds

Specify the interval in seconds at which the whole directory will be pulled from LDAP.

provide map string

Specify a map that should be provided by ypldap(8). The currently implemented maps are: passwd.byname, passwd.byuid, group.byname, group.bygid.

cafile filename

Load CA certificates from the specified file to validate the server certificate. If not specified, CA certificates will be loaded from /etc/ssl/cert.pem.

bind mode

Specify how the domain is made available for binding. Valid options are:

portmap

Register with portmap(8) and allow ypbind(8) discovery. This is the default mode.

local

Create a YP binding file in /var/yp/binding to enable YP support in the passwd(5) and group(5) databases. In this mode it is not necessary to run portmap(8), and ypbind(8) must not be running. YP services are only available to the host running ypldap(8).

DIRECTORIES #

Directories are used to describe the LDAP schema and help ypldap(8) convert LDAP entries to passwd(5), master.passwd(5), and group(5) lines. Each directory section consists of a declaration of the directory server name and a set of directives describing how entries from the directory are used to construct YP map entries.

directory hostname [port port] [tls] {…}

Defines a directory by hostname and optionally port number. If the tls argument is not specified, no transport-level security will be used. Valid options are:

tls

Use STARTTLS to negotiate TLS, by default on port 389.

ldaps

Connect with TLS enabled, by default on port 636.

Valid directives for directories are:

attribute name maps to string

Map the passwd(5), master.passwd(5), or group(5) attribute to the LDAP attribute name supplied.

basedn string

Use the supplied search base as starting point for the directory search.

certfile string

Use the specified client certificate when connecting to the directory. The file must contain a PEM encoded certificate.

groupdn string

Use the supplied search base as starting point for the directory search for groups. If not supplied, the basedn value will be used.

bindcred string

Use the supplied credentials for simple authentication against the directory.

binddn string

Use the supplied Distinguished Name to bind to the directory.

bindext [string]

Bind to the directory using SASL EXTERNAL, optionally using a supplied identity string. When using a TLS client certificate, this allows the client to bind as the subject of the certificate. If an identity string is supplied, usually in the form of a distinguished name prefixed with “dn:”, the directory will only allow the bind to succeed if it matches the subject of the certificate.

fixed attribute attribute string

Do not retrieve the specified attribute from LDAP but instead set it unconditionally to the supplied value for every entry.

group filter string

Use the supplied LDAP filter to retrieve group entries.

keyfile string

Use the specified private key when connecting to the directory. The file must contain a PEM encoded key.

list name maps to string

Map the passwd(5), master.passwd(5), or group(5) attribute to the LDAP attribute name supplied. A list creates a comma-separated list of all the LDAP attributes found.

Valid attributes are:

name

passwd

uid

gid

gecos

home

shell

change

expire

class

groupname

grouppasswd

groupgid

groupmembers

passwd filter string

Use the supplied LDAP filter to retrieve password entries.
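The following is an added example configuration that ties together the MACROS, GLOBAL CONFIGURATION and DIRECTORIES sections above. It is not the /etc/examples/ypldap.conf shipped with OpenBSD; the host name, distinguished names, LDAP filters, certificate paths and fixed values are assumptions chosen for illustration. It deliberately prefers a TLS-protected connection, CA validation via cafile, and certificate-based SASL EXTERNAL binding (bindext) over a bindcred password, because a bindcred string is stored in clear text in the configuration file.

```conf
# Added example ypldap.conf; not OpenBSD's own example file.
# All host names, DNs, filters and file paths below are assumptions.

# Macros (not expanded inside quotes, so the expansion is done at the
# point of use, as in the "fixed attribute gecos $fixed_gecos" form).
fixed_gecos="Pulled from LDAP"
fixed_class="default"

# Global configuration
domain          "example.com"
interval        60
provide map     "passwd.byname"
provide map     "passwd.byuid"
provide map     "group.byname"
provide map     "group.bygid"

# Validate the directory server certificate against this CA bundle
# (this is also the default when cafile is not given).
cafile          "/etc/ssl/cert.pem"

# Serve YP only to this host via /var/yp/binding; no portmap(8)
# registration, and ypbind(8) must not be running.
bind            local

# Directory: connect with TLS enabled on the ldaps port and
# authenticate with a client certificate instead of a password.
directory "ldap.example.com" port 636 ldaps {
	basedn   "dc=example,dc=com"
	groupdn  "ou=Groups,dc=example,dc=com"

	# Client certificate and key (PEM) used for the TLS session...
	certfile "/etc/ssl/ypldap.crt"
	keyfile  "/etc/ssl/private/ypldap.key"
	# ...and SASL EXTERNAL bind as the certificate subject. The
	# server only accepts the bind if this identity matches the
	# certificate subject.
	bindext  "dn:cn=ypldap,ou=Services,dc=example,dc=com"

	# Alternative (weaker): simple bind with a clear-text password
	# kept in this file.
	# binddn   "cn=ypldap,ou=Services,dc=example,dc=com"
	# bindcred "secret"

	# passwd maps (RFC 2307 posixAccount entries)
	passwd filter "(objectClass=posixAccount)"
	attribute name   maps to "uid"
	fixed attribute passwd "*"
	attribute uid    maps to "uidNumber"
	attribute gid    maps to "gidNumber"
	fixed attribute gecos $fixed_gecos
	attribute home   maps to "homeDirectory"
	attribute shell  maps to "loginShell"
	fixed attribute change "0"
	fixed attribute expire "0"
	fixed attribute class $fixed_class

	# group maps (RFC 2307 posixGroup entries); memberUid values are
	# joined into a comma-separated member list.
	group filter "(objectClass=posixGroup)"
	attribute groupname   maps to "cn"
	fixed attribute grouppasswd "*"
	attribute groupgid    maps to "gidNumber"
	list groupmembers     maps to "memberUid"
}
```

The file is read from /etc/ypldap.conf (see FILES). With fixed attribute passwd set to "*", the password hash is never served through the passwd maps, so the LDAP directory remains the only place where authentication secrets live; the fixed change and expire values of "0" mean no password-change or account-expiry deadline is imposed from the map.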

FILES #

/etc/ypldap.conf

ypldap(8) configuration file.

/etc/examples/ypldap.conf

Example configuration file.

SEE ALSO #

ypbind(8), ypldap(8), ypserv(8)

HISTORY #

The ypldap.conf file format first appeared in OpenBSD 4.4.

OpenBSD 7.5 - October 13, 2022