ldap.conf(4)                                                      ldap.conf(4)

NAME
     ldap.conf - Lightweight Directory Access Protocol configuration file

SYNOPSIS
     /var/ns/ldap.conf

DESCRIPTION
     This file controls the behavior of the Lightweight Directory Access
     Protocol (LDAP) client implementation for nsd.  It is read by the
     initialization routine of the ldap(7P) library when the nsd daemon is
     started or is sent the SIGHUP signal.  This file contains information
     about remote LDAP daemons, database schemas, and format rules.

     The file is made up of comment lines, table entries, server entries and
     the domain command.  Comment lines begin with either a '#' or a ';'
     character and are ignored by the parser.  Table entries begin with the
     keyword table followed by the name of the table and a series of
     attributes; table entries are separated by one or more blank lines.
     Server entries begin with the keyword server and are followed by a
     series of attributes; server entries are separated by one or more blank
     lines.

     domain [domainname]
          The domain command changes the domain context.  Each of the entries
          and command lines that follow it sets information for this domain.
          If domainname is not given, the context is set for the default, or
          null, domain.

     server hostname[:port]
          A given domain may specify one or more LDAP servers to send
          requests to.  hostname refers to the hostname of the LDAP server
          and may be given directly as an IP address.  If no port number is
          given, the default LDAP port (389) is assumed.  The attribute,
          attribute-value pairs following the server keyword define
          attributes for a particular server.  Attributes include:

          base      Defines the distinguished name (dn) of the base for the
                    LDAP search.

          scope     Defines the depth used in searching for LDAP entries.
                    The value may be one of the following: subtree searches
                    all entries below the base (default), onelevel searches
                    one level below the base, and sbase searches only at the
                    base level.

          binddn    Specifies the distinguished name used in binding to the
                    server.  This attribute is optional.

          bindpwd   Specifies the password used in binding to the server.
                    This attribute is also optional.

     regsub attribute {regex} {substitution}
          The regsub command causes the results of lookups of the LDAP
          attribute named by attribute, when their value matches the regular
          expression regex, to have the matched portion of their value
          replaced according to the expression substitution.

          regex accepts the regular expression syntax described in regex(3G),
          with the exception that the '}' character must be back-quoted in
          order to be accepted as part of the regular expression.

          substitution is a string which will replace the portion of the
          value of attribute that was matched by regex.  If the '&'
          character appears in substitution, it is replaced by the entire
          matched substring.  If substitution contains any of the variable
          names \1...\9, the variable name is replaced by the corresponding
          parenthesized group from the match made against regex.  If there
          is no group corresponding to the variable \n, a literal n is
          produced.  Each of the special characters that denote substitution
          expansion variables can be produced literally by back-quoting
          them.

          If more than one regsub command is specified for the same
          attribute, each is applied in turn until a successful substitution
          can be made.  If no substitution can be made, the value is passed
          through unmodified.

     table tablename
          The table entries define the way in which the LDAP library responds
          to a particular request from the nsd daemon.  tablename is the name
          of the map requested.  The attribute list must include the
          following three items:

          filter_lookup
                    Defines the LDAP filter used for lookup type searches
                    made against this map.  The filter may contain one (or
                    more) strings "%s", each of which is replaced by the key
                    requested (or by a piece of the key when the key is
                    split on the characters ",", "/" or ".").

          filter_list
                    Defines the LDAP filter used for list type searches made
                    against this map.

          format    Defines the way in which LDAP responses are formatted
                    into output strings.  Alphanumeric strings conforming to
                    the LDAP attribute protocol are replaced by server
                    responses for that attribute.  If an attribute is placed
                    inside brackets and followed by a separator (e.g.
                    (MEMBERUID,)+), then multiple responses of that attribute
                    are added to the output string.  If the special string
                    "KEY" is used in the format attribute, it is replaced
                    with the key requested by the nsd daemon.

          In addition, the attribute list may optionally contain any of the
          following items:

          require attribute
                    The argument to the require keyword is the name of an
                    LDAP attribute that appears in a format string.  An
                    output string is included in the library response only
                    if the value of the corresponding attribute is non-null
                    after any applicable regsub expansions have been
                    performed.

          default   In the case of a split key (i.e. two substitutions in the
                    filter), the second substitution may be given a default
                    value with this attribute.

          single_line
                    If this tag is set, multiple entries returned for a
                    particular query are placed on a single output line.
                    The value for this tag may be null.  If it is not null,
                    the value is interpreted as a prefix string conforming
                    to the format syntax defined above.  This string is
                    placed before the formatted output corresponding to each
                    individual LDAP entry.

EXAMPLE
     Part of an example ldap.conf file follows, demonstrating the domain
     command and server and table entries:

          domain foo.com

          server test.foo.com:390
               base "o=Your Organization Name, c=US"
               binddn "cn=root, o=Your Organization Name, c=US"
               bindpwd secret

          table group.byname
               filter (&(OBJECTCLASS=POSIXGROUP)(CN=%s))
               format "CN:GROUPPASSWORD:POSIXGIDNUMBER:(MEMBERUID,)+"

FILES
     /var/ns/ldap.conf

SEE ALSO
     nsd(1M), ldap(7P), regex(3G)

IRIX Admin: Networking and Mail                                        Page 3
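The Python program below is an added example for this page; it is not part of the manual or of the IRIX nsd/ldap(7P) code. It models the lookup path the regsub and table sections describe, so that a table entry can be checked offline: the key is substituted into filter_lookup (split on ",", "/" or "." when the filter has more than one "%s", with default filling a missing piece), each returned entry is tested against require, and format renders attribute names, "(ATTR,)+" groups and "KEY" into an output line, with regsub rules applied in turn until one matches. Everything beyond the manual's wording is an assumption of this example: the key is escaped per RFC 4515 before substitution (the manual does not say whether nsd does this, but an unescaped "*)(" in a key would otherwise change the filter's structure), the directory is a list of dicts searched by a toy matcher that only understands AND-of-equality filters, an absent attribute is treated as a null value, and multiple values of a "(ATTR,)+" group are joined with the separator and no trailing separator.

```python
# Added example modelled on ldap.conf(4); not IRIX code.  Constructed table,
# regsub rules and directory entries are defined at the bottom of the file.
import re


def ldap_escape(value):
    """RFC 4515 escaping of a value placed in a filter (this example's own
    precaution; the manual does not state whether nsd escapes the key)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(c, c) for c in value)


def build_filter(filter_lookup, key, default=None):
    """Replace each %s with a piece of the key, split on ',', '/' or '.'."""
    n = filter_lookup.count("%s")
    parts = re.split(r"[,/.]", key, maxsplit=n - 1) if n > 1 else [key][:n]
    if len(parts) < n and default is not None:      # 'default' fills the missing piece
        parts += [default] * (n - len(parts))
    if len(parts) != n:
        raise ValueError(f"key {key!r} does not fit {filter_lookup!r}")
    out = filter_lookup
    for part in parts:
        out = out.replace("%s", ldap_escape(part), 1)
    return out


def expand_substitution(substitution, match):
    """Expand '&', '\\1'..'\\9' and back-quoted literals as regsub does."""
    def piece(m):
        if m.group(0) == "&":
            return match.group(0)                    # the entire matched substring
        c = m.group(1)
        if c in "123456789":
            n = int(c)                               # no such group: literal digit
            return (match.group(n) or "") if n <= len(match.groups()) else c
        return c                                     # '\&', '\\' stand for themselves
    return re.sub(r"\\(.)|&", piece, substitution)


def apply_regsubs(rules, attribute, value):
    """Try the rules for one attribute in order; the first match rewrites the
    matched portion, otherwise the value passes through unmodified."""
    for attr, regex, substitution in rules:
        if attr == attribute:
            m = re.search(regex, value)
            if m:
                return value[:m.start()] + expand_substitution(substitution, m) + value[m.end():]
    return value


FORMAT_TOKEN = re.compile(r"\((\w+)(.)\)\+|[A-Za-z][A-Za-z0-9]*|.")


def format_entry(fmt, entry, key, rules=()):
    """Render one entry: attribute names become values, (ATTR,)+ joins all
    values with the separator, KEY is the requested key, the rest is literal."""
    out = []
    for tok in FORMAT_TOKEN.finditer(fmt):
        multi_attr, sep = tok.group(1), tok.group(2)
        if multi_attr:
            out.append(sep.join(apply_regsubs(rules, multi_attr, v) for v in entry.get(multi_attr, [])))
        elif tok.group(0) == "KEY":
            out.append(key)
        elif tok.group(0)[0].isalpha():
            first = (entry.get(tok.group(0)) or [""])[0]   # absent attribute is null
            out.append(apply_regsubs(rules, tok.group(0), first))
        else:
            out.append(tok.group(0))
    return "".join(out)


EQ_TERM = re.compile(r"\((\w+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def matches(entry, flt):
    """Toy matcher for AND-of-equality filters such as (&(A=x)(B=y)); a real
    directory server evaluates the filter, this only stands in for it."""
    unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)
    return all(unescape(v) in entry.get(a, []) for a, v in EQ_TERM.findall(flt))


def lookup(table, directory, key, rules=()):
    """A lookup-type request for one key: the formatted lines nsd would get."""
    flt = build_filter(table["filter_lookup"], key, table.get("default"))
    req = table.get("require")

    def kept(e):  # require: the attribute must be non-null after regsub
        return matches(e, flt) and (not req or bool(apply_regsubs(rules, req, (e.get(req) or [""])[0])))
    return [format_entry(table["format"], e, key, rules) for e in directory if kept(e)]


# Constructed data modelled on the manual's group.byname example.
GROUP_BYNAME = {"filter_lookup": "(&(OBJECTCLASS=POSIXGROUP)(CN=%s))",
                "format": "CN:GROUPPASSWORD:POSIXGIDNUMBER:(MEMBERUID,)+", "require": "POSIXGIDNUMBER"}
RULES = [("GROUPPASSWORD", r"^\{crypt\}(.*)$", r"\1"),   # drop a '{crypt}' prefix
         ("GROUPPASSWORD", r"^$", "*")]                   # no password stored -> '*'
DIRECTORY = [
    {"OBJECTCLASS": ["POSIXGROUP"], "CN": ["wheel"], "GROUPPASSWORD": ["{crypt}x"],
     "POSIXGIDNUMBER": ["10"], "MEMBERUID": ["root", "alice"]},
    {"OBJECTCLASS": ["POSIXGROUP"], "CN": ["staff"], "POSIXGIDNUMBER": ["50"], "MEMBERUID": ["bob"]},
    {"OBJECTCLASS": ["POSIXGROUP"], "CN": ["broken"], "MEMBERUID": ["carol"]},   # no gid: dropped by require
    {"OBJECTCLASS": ["POSIXACCOUNT"], "CN": ["wheel"]},                          # wrong object class
]

if __name__ == "__main__":
    for k in ("wheel", "staff", "broken", "*)(CN="):
        print(k, "->", lookup(GROUP_BYNAME, DIRECTORY, k, RULES))
```

Running the file prints one line per key: "wheel" yields wheel:x:10:root,alice (the {crypt} prefix stripped by the first regsub rule), "staff" yields staff:*:50:bob (the second rule turning a null password into "*"), "broken" yields nothing because require rejects an entry whose POSIXGIDNUMBER is null, and the key "*)(CN=" is escaped to \2a\29\28CN= inside the filter so it matches no entry instead of altering the filter.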