Provided by: libnss-ldap_265-5ubuntu1_amd64 
NAME
nss_ldap - LDAP nameservice provider
DESCRIPTION
The nss_ldap module is a set of C library extensions which allows X.500 and LDAP directory
servers to be used as a primary source of name service information. (Name service
information typically includes users, hosts, groups, and other such data historically
stored in flat files or NIS.)
Features of the PADL nss_ldap module include support for both the RFC 2307 and RFC 2307bis
schema, a common implementation across multiple platforms, Kerberos and SSL security,
configurable schema mapping, and configuration file compatibility with the pam_ldap(5)
module.
Because LDAP is a hierarchical directory service, one can distribute the information in a
manner which reflects organizational structure. This contrasts with the flat, single
domain policy of NIS. LDAP has many of the advantages of NIS+ (security and scalability)
without the complexity.
nss_ldap will work alongside existing NIS, NIS+, DNS and flat file name services. More
importantly, because it builds as a shared library, it is not necessary to recompile any
applications to take advantage of LDAP.
The present version of nss_ldap supports AIX 4.3.3 and above, FreeBSD 5.1, HP-UX 11i,
Linux and Solaris 2.6 and above. Many vendors provide their own LDAP nameservice
providers, often also called nss_ldap. This manual page applies to the PADL nss_ldap
module only. If you are using a vendor provided module, consult the relevant documentation
instead.
The features supported by the version of nss_ldap depend on which flags were enabled when
the software was built. Most features are enabled in the configuration file, described
below. (The location of the configuration file is configurable at compile time; the
default path is /etc/ldap.conf.) Also, some features may be unavailable on certain
operating systems or with certain LDAP libraries. For more information, consult your
vendor.
CONFIGURATION
nss_ldap stores its configuration in the ldap.conf file, the location of which is
configurable at compile time. (It should be noted that some LDAP client libraries, such
as OpenLDAP, also use a configuration file of the same name. nss_ldap supports many of
the same configuration file options as OpenLDAP, but it adds several that are specific to
the functionality it provides. Additionally, it is not guaranteed that nss_ldap will
continue to match the configuration file semantics of OpenLDAP. You may wish to use
different files.)
Configuration file options consist of a keyword followed by a space and any arguments. The
following options are supported by both nss_ldap and the PADL pam_ldap module:
host <name:port ...>
Specifies the name(s) or IP address(es) of the LDAP server(s) to connect to. In the
case that nss_ldap is used for host name resolution, each server should be
specified as an IP address or name that can be resolved without using LDAP.
Multiple servers may be specified, each separated by a space. The failover time
depends on whether the LDAP client library supports configurable network or connect
timeouts (see bind_timelimit below).
base <base>
Specifies the default base distinguished name (DN) to use for searches.
uri <ldap[is]://[name[:port]] ...>
For LDAP client libraries that support it, specifies the URI(s) of the LDAP
server(s) to connect to. The URI scheme may be ldap, ldapi, or ldaps, specifying
LDAP over TCP, IPC and SSL respectively. If applicable, a port number can be
specified; the default port number for the selected protocol is used if omitted.
This option takes precedence over the host option; it is not possible to combine
the two.
ldap_version <version>
Specifies the version of the LDAP protocol to use. Presently version must be 2 or
3. The default is to use the maximum version supported by the client library.
binddn <binddn>
Specifies the distinguished name with which to bind to the directory server(s).
This option is optional; the default is to bind anonymously.
bindpw <bindpw>
Specifies the cleartext credentials with which to bind. This option is only
applicable when used with binddn above. The default is no credential (anonymous
bind). When binding to the directory using SASL or other authentication mechanisms
apart from simple binds, this option is not used.
rootbinddn <binddn>
This option has the same syntax and effect as the binddn option above, except it
applies when the effective user ID is zero. If not specified, then the identity
specified in binddn is used instead. Because the configuration file may be readable
by many users, the root bind DN credentials are stored in the ldap.secret file
instead. This file is usually in the same directory as the configuration file.
port <port>
Specifies the port to connect to; this option is used with the host option, and is
ignored with the uri option.
scope <sub|one|base>
Specifies the search scope (subtree, one level or base object). The default scope
is subtree; base scope is almost never useful for nameservice lookups.
deref <never|searching|finding|always>
Specifies the policy for dereferencing aliases. The default policy is to never
dereference aliases.
timelimit <timelimit>
Specifies the time limit (in seconds) to use when performing searches. A value of
zero (0), which is the default, is to wait indefinitely for searches to be
completed.
bind_timelimit <timelimit>
Specifies the time limit (in seconds) to use when connecting to the directory
server. This is distinct from the time limit specified in timelimit and affects the
initial server connection only. (Server connections are otherwise cached.) Only
some LDAP client libraries have the underlying functionality necessary to support
this option. The default bind timelimit is 30 seconds.
referrals <yes|no>
Specifies whether automatic referral chasing should be enabled. The default
behaviour is specified by the LDAP client library.
restart <yes|no>
Specifies whether the LDAP client library should restart the select(2) system call
when interrupted. This feature is not supported by all client libraries.
logdir <directory>
Specifies the directory used for logging by the LDAP client library. This feature
is not supported by all client libraries.
debug <level>
Specifies the debug level used for logging by the LDAP client library. This feature
is not supported by all client libraries, and does not apply to the nss_ldap and
pam_ldap modules themselves (debugging, if any, is configured separately and
usually at compile time).
ssl <on|off|start_tls>
Specifies whether to use SSL/TLS or not (the default is not to). If start_tls is
specified then StartTLS is used rather than raw LDAP over SSL. Not all LDAP client
libraries support both SSL and StartTLS, and all related configuration options.
sslpath <cert7_path>
For the Netscape and Mozilla LDAP client libraries only, this specifies the path to
the X.509 certificate database.
tls_checkpeer <yes|no>
Specifies whether to require and verify the server certificate or not, when using
SSL/TLS with the OpenLDAP client library. The default is to use the default
behaviour of the client library; for OpenLDAP 2.0 and earlier it is "no", for
OpenLDAP 2.1 and later it is "yes". At least one of tls_cacertdir and
tls_cacertfile is required if peer verification is enabled.
tls_cacertdir <certificate_dir>
Specifies the directory containing X.509 certificates for peer authentication.
tls_cacertfile <certificate_file>
Specifies the path to the X.509 certificate for peer authentication.
tls_randfile <entropy_file>
Specifies the path to an entropy source.
tls_ciphers <ciphers>
Specifies the ciphers to use for TLS. See your TLS implementation's documentation
for further information.
tls_cert <certificate_file>
Specifies the path to the file containing the local certificate for client TLS
authentication.
tls_key <key_file>
Specifies the path to the file containing the private key for client TLS
authentication.
The following configuration options apply to nss_ldap only:
bind_policy <hard_open|hard_init|soft>
Specifies the policy to use for reconnecting to an unavailable LDAP server. The
default is hard_open, which reconnects if opening the connection to the directory
server failed. By contrast, hard_init reconnects if initializing the connection
failed. Initializing may not actually contact the directory server, and it is
possible that a malformed configuration file will trigger reconnection. If soft is
specified, then nss_ldap will return immediately on server failure. All "hard"
reconnect policies block with exponential backoff before retrying.
nss_connect_policy <persist|oneshot>
Determines whether nss_ldap persists connections. The default is for the connection
to the LDAP server to remain open after the first request.
idle_timelimit <timelimit>
Specifies the time (in seconds) after which nss_ldap will close connections to the
directory server. The default is not to time out connections.
sasl_authid <authid>
Specifies the authorization identity to be used when performing SASL
authentication.
rootsasl_auth_id <authid>
Specifies the authorization identity to be used when performing SASL authentication
as root (when the effective user ID is zero).
sasl_secprops <properties>
Specifies Cyrus SASL security properties. Allowed values are described in the
ldap.conf(5) manual page.
rootuse_sasl <yes|no>
Specifies whether SASL authentication should be used when the effective user ID is
zero.
krb5_ccname <PREFIX:args>
If nss_ldap is built with configurable GSS-API credentials cache name support,
specifies the Kerberos credentials cache to use.
nss_paged_results <yes|no>
Enables support for paged results.
pagesize <pagesize>
When paged results are enabled (see above), specifies the number of entries to
return in a single page. The default is 1000.
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used for specific maps. (Note that
map forms part of the configuration file keyword and is one of passwd, shadow,
group, hosts, services, networks, protocols, rpc, ethers, netmasks, bootparams,
aliases and netgroup.) The syntax of basedn and scope are the same as for the
configuration file options of the same name, with the addition of being able to
omit the trailing suffix of the base DN (in which case the global base DN will be
appended instead). The filter is a search filter to be added to the default search
filter for a specific map, such that the effective filter is the logical
intersection of the two. The base DN, scope and filter are separated with literal
question marks (?) as given above; this is for compatibility with the DUA
configuration profile schema and the ldapprofile tool. This option may be specified
multiple times.
nss_map_attribute <from_attribute> <to_attribute>
This option may be specified multiple times, and directs nss_ldap to use the
attribute to_attribute instead of the RFC 2307 attribute from_attribute in all
lookups. If nss_ldap was built without schema mapping support, then this option is
ignored.
nss_map_objectclass <from_objectclass> <to_objectclass>
This option may be specified multiple times, and directs nss_ldap to use the object
class to_objectclass instead of the RFC 2307 object class from_objectclass in all
lookups. If nss_ldap was built without schema mapping support, then this option is
ignored.
nss_default_attribute_value <attribute> <value>
Specifies the default value to use for entries that lack the specified attribute.
This option may be specified multiple times, for different attributes. If nss_ldap
was built without schema mapping support, then this option is ignored.
nss_override_attribute_value <attribute> <value>
Specifies a value to use for the specified attribute in preference to that
contained in the actual entry. This option may be specified multiple times, for
different attributes. If nss_ldap was built without schema mapping support, then
this option is ignored.
nss_schema <rfc2307bis|rfc2307>
If the value of this option is rfc2307bis then support for the RFC2307bis schema
(distinguished names in groups) will be enabled.
nss_initgroups <backlink>
This option directs the nss_ldap implementation of initgroups(3) to determine a
user's group membership by reading the memberOf attribute of their directory entry
(and of any nested groups), rather than querying on uniqueMember. This may provide
increased performance with certain directory servers that have peculiar indexing
configurations. If RFC2307bis support is disabled, then this option is ignored.
nss_initgroups_ignoreusers <user1,user2,...,userN>
This option directs the nss_ldap implementation of initgroups(3) to return
NSS_STATUS_NOTFOUND if called with a listed users as its argument.
nss_getgrent_skipmembers <yes|no>
Specifies whether or not to populate the members list in the group structure for
group lookups. If very large groups are present, enabling this option will greatly
increase performance, at the cost of some lost functionality. You should verify no
local applications rely on this information before enabling this on a production
system.
nss_srv_domain <domain>
This option determines the DNS domain used for performing SRV lookups.
AUTHOR
The nss_ldap module was developed by PADL Software Pty Ltd (www.padl.com).
FILES
/etc/ldap.conf, /etc/ldap.secret, /etc/nsswitch.conf
SEE ALSO
nsswitch.conf(5)
nss_ldap(5)