path: root/usr.sbin/ypldap/ypldap.conf.5
blob: c0b7a2b2cd5aa547bbaa6e653384fdbcf72942e6
.\"	$OpenBSD: ypldap.conf.5,v 1.28 2022/10/13 04:55:33 jmatthew Exp $
.\"
.\" Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: October 13 2022 $
.Dt YPLDAP.CONF 5
.Os
.Sh NAME
.Nm ypldap.conf
.Nd LDAP YP map daemon configuration file
.Sh DESCRIPTION
The
.Xr ypldap 8
daemon provides YP maps using LDAP as a backend.
.Pp
The
.Nm
config file is divided into the following main sections:
.Bl -tag -width xxxx
.It Sy Macros
User-defined variables may be defined and used later, simplifying the
configuration file.
.It Sy Global Configuration
Global settings for
.Xr ypldap 8 .
.It Sy Directories
LDAP Directory specific parameters.
.El
.Sh MACROS
Much like
.Xr cpp 1
or
.Xr m4 1 ,
macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore,
and may contain any of those characters.
Macro names may not be reserved words (for example,
.Ic domain ) .
Macros are not expanded inside quotes.
.Pp
For example:
.Bd -literal -offset indent
fixed_gecos="Pulled from LDAP"

fixed attribute gecos $fixed_gecos
.Ed
.Sh GLOBAL CONFIGURATION
Global settings concern the main behaviour of the daemon.
.Pp
.Bl -tag -width Ds -compact
.It Ic domain Ar string
Specify the name of the NIS domain
.Xr ypldap 8
will provide.
.It Ic interval Ar seconds
Specify the interval in seconds at which the whole directory will be pulled
from LDAP.
.It Ic provide map Ar string
Specify a map that should be provided by
.Xr ypldap 8 .
The currently implemented maps are: passwd.byname, passwd.byuid,
group.byname, group.bygid.
.It Ic cafile Ar filename
Load CA certificates from the specified file to validate the server certificate.
If not specified, CA certificates will be loaded from
.Pa /etc/ssl/cert.pem .
.It Ic bind Ar mode
Specify how the domain is made available for binding.
Valid options are:
.Bl -tag -width portmap
.It Ic portmap
Register with
.Xr portmap 8
and allow
.Xr ypbind 8
discovery.
This is the default mode.
.It Ic local
Create a YP binding file in
.Pa /var/yp/binding
to enable YP support in the
.Xr passwd 5
and
.Xr group 5
databases.
In this mode it is not necessary to run
.Xr portmap 8 ,
and
.Xr ypbind 8
must not be running.
YP services are only available to the host running
.Xr ypldap 8 .
.El
.El
.Sh DIRECTORIES
Directories are used to describe the LDAP schema and help
.Xr ypldap 8
convert LDAP entries to
.Xr passwd 5 ,
.Xr master.passwd 5 ,
and
.Xr group 5
lines.
Each directory section consists of a declaration of the directory
server name and a set of directives describing how entries from the
directory are used to construct YP map entries.
.Bl -tag -width Ds
.It Ic directory Ar hostname Oo Ic port Ar port Oc Oo Ic tls | Ic ldaps Oc Brq ...
Defines a directory by hostname and optionally port number.
If neither the
.Ic tls
nor the
.Ic ldaps
option is specified, no transport-level security will be used.
Valid options are:
.Bl -tag -width Ds
.It Ic tls
Use STARTTLS to negotiate TLS, by default on port 389.
.It Ic ldaps
Connect with TLS enabled, by default on port 636.
.El
.El
.Pp
Valid directives for directories are:
.Bl -tag -width Ds
.It Xo
.Ic attribute Ar name Ic maps to Ar string
.Xc
Map the
.Xr passwd 5 ,
.Xr master.passwd 5 ,
or
.Xr group 5
attribute to the LDAP attribute name supplied.
.It Ic basedn Ar string
Use the supplied search base as starting point for the directory search.
.It Ic certfile Ar string
Use the specified client certificate when connecting to the directory.
The file must contain a PEM encoded certificate.
.It Ic groupdn Ar string
Use the supplied search base as starting point for the directory search for
groups.
If not supplied, the basedn value will be used.
.It Ic bindcred Ar string
Use the supplied credentials for simple authentication against the directory.
.It Ic binddn Ar string
Use the supplied Distinguished Name to bind to the directory.
.It Ic bindext Oo Ar string Oc
Bind to the directory using SASL EXTERNAL, optionally using a supplied identity
string.
When using a TLS client certificate, this allows the client to bind as the
subject of the certificate.
If an identity string is supplied, usually in the form of a distinguished name
prefixed with "dn:", the directory will only allow the bind to succeed if it
matches the subject of the certificate.
.It Ic fixed attribute Ar attribute string
Do not retrieve the specified attribute from LDAP but
instead set it unconditionally to the supplied value for
every entry.
.It Ic group filter Ar string
Use the supplied LDAP filter to retrieve group entries.
.It Ic keyfile Ar string
Use the specified private key when connecting to the directory.
The file must contain a PEM encoded key.
.It Xo
.Ic list Ar name Ic maps to Ar string
.Xc
Map the
.Xr passwd 5 ,
.Xr master.passwd 5 ,
or
.Xr group 5
attribute to the LDAP attribute name supplied.
A list creates a comma-separated list of all the LDAP attribute values found.
.Pp
Valid attributes are:
.Pp
.Bl -tag -width groupmembers -offset indent -compact
.It Ic name
.It Ic passwd
.It Ic uid
.It Ic gid
.It Ic gecos
.It Ic home
.It Ic shell
.It Ic change
.It Ic expire
.It Ic class
.It Ic groupname
.It Ic grouppasswd
.It Ic groupgid
.It Ic groupmembers
.El
.It Ic passwd filter Ar string
Use the supplied LDAP filter to retrieve password entries.
.El
.Sh FILES
.Bl -tag -width /etc/examples/ypldap.conf -compact
.It Pa /etc/ypldap.conf
.Xr ypldap 8
configuration file.
.It Pa /etc/examples/ypldap.conf
Example configuration file.
.El
.Sh SEE ALSO
.Xr ypbind 8 ,
.Xr ypldap 8 ,
.Xr ypserv 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Ox 4.4 .