bionic (5) nss_ldap.5.gz

Provided by: libnss-ldap_265-5ubuntu1_amd64 bug

NAME

       nss_ldap - LDAP nameservice provider

DESCRIPTION

       The  nss_ldap module is a set of C library extensions which allows X.500 and LDAP directory servers to be
       used as a primary source of name service information. (Name service information typically includes users,
       hosts, groups, and other such data historically stored in flat files or NIS.)

       Features  of  the  PADL  nss_ldap  module include support for both the RFC 2307 and RFC 2307bis schema, a
       common implementation across multiple platforms, Kerberos and SSL security, configurable schema  mapping,
       and configuration file compatibility with the pam_ldap(5) module.

       Because  LDAP  is  a hierarchical directory service, one can distribute the information in a manner which
       reflects organizational structure.  This contrasts with the flat, single domain policy of NIS.  LDAP  has
       many of the advantages of NIS+ (security and scalability) without the complexity.

       nss_ldap  will  work  alongside  existing  NIS,  NIS+, DNS and flat file name services. More importantly,
       because it builds as a shared library, it  is  not  necessary  to  recompile  any  applications  to  take
       advantage of LDAP.

       The  present  version of nss_ldap supports AIX 4.3.3 and above, FreeBSD 5.1, HP-UX 11i, Linux and Solaris
       2.6 and above. Many vendors provide their own LDAP nameservice providers,  often  also  called  nss_ldap.
       This  manual  page  applies  to the PADL nss_ldap module only. If you are using a vendor provided module,
       consult the relevant documentation instead.

       The features supported by the version of nss_ldap depend on which flags were enabled  when  the  software
       was  built.  Most  features  are enabled in the configuration file, described below. (The location of the
       configuration file is configurable at compile time; the default  path  is  /etc/ldap.conf.)   Also,  some
       features  may  be  unavailable  on  certain  operating  systems  or with certain LDAP libraries. For more
       information, consult your vendor.

CONFIGURATION

       nss_ldap stores its configuration in the ldap.conf file, the location of which is configurable at compile
       time.   (It  should  be noted that some LDAP client libraries, such as OpenLDAP, also use a configuration
       file of the same name.  nss_ldap supports many of the same configuration file options as OpenLDAP, but it
       adds several that are specific to the functionality it provides.  Additionally, it is not guaranteed that
       nss_ldap will continue to match the configuration file semantics  of  OpenLDAP.   You  may  wish  to  use
       different files.)

       Configuration  file  options  consist  of  a keyword followed by a space and any arguments. The following
       options are supported by both nss_ldap and the PADL pam_ldap module:

       host <name:port ...>
              Specifies the name(s) or IP address(es) of the LDAP server(s) to connect  to.  In  the  case  that
              nss_ldap  is  used  for  host name resolution, each server should be specified as an IP address or
              name that can be resolved without using LDAP.  Multiple servers may be specified,  each  separated
              by  a  space.   The failover time depends on whether the LDAP client library supports configurable
              network or connect timeouts (see bind_timelimit below).

       base <base>
              Specifies the default base distinguished name (DN) to use for searches.

       uri <ldap[is]://[name[:port]] ...>
              For LDAP client libraries that support it, specifies the URI(s) of the LDAP server(s)  to  connect
              to.  The  URI  scheme  may  be  ldap,  ldapi,  or  ldaps,  specifying  LDAP  over TCP, IPC and SSL
              respectively. If applicable, a port number can be specified;  the  default  port  number  for  the
              selected protocol is used if omitted. This option takes precedence over the host option; it is not
              possible to combine the two.

       ldap_version <version>
              Specifies the version of the LDAP protocol to use. Presently version must be 2 or 3.  The  default
              is to use the maximum version supported by the client library.

       binddn <binddn>
              Specifies  the  distinguished  name  with which to bind to the directory server(s). This option is
              optional; the default is to bind anonymously.

       bindpw <bindpw>
              Specifies the cleartext credentials with which to bind. This option is only applicable  when  used
              with  binddn  above.  The default is no credential (anonymous bind). When binding to the directory
              using SASL or other authentication mechanisms apart from simple binds, this option is not used.

       rootbinddn <binddn>
              This option has the same syntax and effect as the binddn option above, except it applies when  the
              effective  user  ID  is  zero.  If  not  specified,  then the identity specified in binddn is used
              instead. Because the configuration  file  may  be  readable  by  many  users,  the  root  bind  DN
              credentials are stored in the ldap.secret file instead. This file is usually in the same directory
              as the configuration file.

       port <port>
              Specifies the port to connect to; this option is used with the host option, and  is  ignored  with
              the uri option.

       scope <sub|one|base>
              Specifies the search scope (subtree, one level or base object). The default scope is subtree; base
              scope is almost never useful for nameservice lookups.

       deref <never|searching|finding|always>
              Specifies the policy for dereferencing  aliases.  The  default  policy  is  to  never  dereference
              aliases.

       timelimit <timelimit>
              Specifies  the time limit (in seconds) to use when performing searches. A value of zero (0), which
              is the default, is to wait indefinitely for searches to be completed.

       bind_timelimit <timelimit>
              Specifies the time limit (in seconds) to use when connecting to  the  directory  server.  This  is
              distinct  from  the  time  limit  specified in timelimit and affects the initial server connection
              only. (Server connections are  otherwise  cached.)  Only  some  LDAP  client  libraries  have  the
              underlying  functionality  necessary  to  support  this  option.  The default bind timelimit is 30
              seconds.

       referrals <yes|no>
              Specifies whether automatic referral chasing should be enabled. The default behaviour is specified
              by the LDAP client library.

       restart <yes|no>
              Specifies  whether  the  LDAP  client  library  should  restart  the    select(2) system call when
              interrupted. This feature is not supported by all client libraries.

       logdir <directory>
              Specifies the directory used for logging by the LDAP client library. This feature is not supported
              by all client libraries.

       debug <level>
              Specifies  the  debug  level  used  for  logging  by  the LDAP client library. This feature is not
              supported by all client libraries, and does  not  apply  to  the  nss_ldap  and  pam_ldap  modules
              themselves (debugging, if any, is configured separately and usually at compile time).

       ssl <on|off|start_tls>
              Specifies  whether  to  use SSL/TLS or not (the default is not to). If start_tls is specified then
              StartTLS is used rather than raw LDAP over SSL.  Not all LDAP client libraries  support  both  SSL
              and StartTLS, and all related configuration options.

       sslpath <cert7_path>
              For  the  Netscape  and  Mozilla  LDAP client libraries only, this specifies the path to the X.509
              certificate database.

       tls_checkpeer <yes|no>
              Specifies whether to require and verify the server certificate or not, when using SSL/TLS with the
              OpenLDAP  client  library.  The default is to use the default behaviour of the client library; for
              OpenLDAP 2.0 and earlier it is "no", for OpenLDAP 2.1 and later it  is  "yes".  At  least  one  of
              tls_cacertdir and tls_cacertfile is required if peer verification is enabled.

       tls_cacertdir <certificate_dir>
              Specifies the directory containing X.509 certificates for peer authentication.

       tls_cacertfile <certificate_file>
              Specifies the path to the X.509 certificate for peer authentication.

       tls_randfile <entropy_file>
              Specifies the path to an entropy source.

       tls_ciphers <ciphers>
              Specifies  the  ciphers  to  use  for TLS. See your TLS implementation's documentation for further
              information.

       tls_cert <certificate_file>
              Specifies the path to the file containing the local certificate for client TLS authentication.

       tls_key <key_file>
              Specifies the path to the file containing the private key for client TLS authentication.

       The following configuration options apply to nss_ldap only:

       bind_policy <hard_open|hard_init|soft>
              Specifies the policy to use for reconnecting  to  an  unavailable  LDAP  server.  The  default  is
              hard_open, which reconnects if opening the connection to the directory server failed. By contrast,
              hard_init reconnects if initializing the connection failed. Initializing may not actually  contact
              the  directory  server,  and  it  is  possible  that  a  malformed configuration file will trigger
              reconnection. If soft is specified, then nss_ldap will return immediately on server  failure.  All
              "hard" reconnect policies block with exponential backoff before retrying.

       nss_connect_policy <persist|oneshot>
              Determines  whether  nss_ldap  persists connections. The default is for the connection to the LDAP
              server to remain open after the first request.

       idle_timelimit <timelimit>
              Specifies the time (in seconds) after which nss_ldap  will  close  connections  to  the  directory
              server. The default is not to time out connections.

       sasl_authid <authid>
              Specifies the authorization identity to be used when performing SASL authentication.

       rootsasl_auth_id <authid>
              Specifies  the authorization identity to be used when performing SASL authentication as root (when
              the effective user ID is zero).

       sasl_secprops <properties>
              Specifies Cyrus SASL security properties. Allowed values are described in the  ldap.conf(5) manual
              page.

       rootuse_sasl <yes|no>
              Specifies whether SASL authentication should be used when the effective user ID is zero.

       krb5_ccname <PREFIX:args>
              If  nss_ldap  is  built  with  configurable  GSS-API credentials cache name support, specifies the
              Kerberos credentials cache to use.

       nss_paged_results <yes|no>
               Enables support for paged results.

       pagesize <pagesize>
              When paged results are enabled (see above), specifies the number of entries to return in a  single
              page. The default is 1000.

       nss_base_<map> <basedn?scope?filter>
              Specify  the search base, scope and filter to be used for specific maps. (Note that map forms part
              of the configuration file keyword and is one of passwd, shadow, group, hosts, services,  networks,
              protocols,  rpc,  ethers,  netmasks,  bootparams, aliases and netgroup.)  The syntax of basedn and
              scope are the same as for the configuration file options of the same name, with  the  addition  of
              being  able  to  omit the trailing suffix of the base DN (in which case the global base DN will be
              appended instead).  The filter is a search filter to be added to the default search filter  for  a
              specific  map, such that the effective filter is the logical intersection of the two. The base DN,
              scope and filter are separated with literal question  marks  (?)  as  given  above;  this  is  for
              compatibility  with the DUA configuration profile schema and the ldapprofile tool. This option may
              be specified multiple times.

       nss_map_attribute <from_attribute> <to_attribute>
              This option  may  be  specified  multiple  times,  and  directs  nss_ldap  to  use  the  attribute
              to_attribute  instead  of  the  RFC 2307 attribute from_attribute in all lookups.  If nss_ldap was
              built without schema mapping support, then this option is ignored.

       nss_map_objectclass <from_objectclass> <to_objectclass>
              This option may be specified multiple  times,  and  directs  nss_ldap  to  use  the  object  class
              to_objectclass  instead of the RFC 2307 object class from_objectclass in all lookups.  If nss_ldap
              was built without schema mapping support, then this option is ignored.

       nss_default_attribute_value <attribute> <value>
              Specifies the default value to use for entries that lack the specified attribute. This option  may
              be  specified  multiple  times,  for  different  attributes.  If nss_ldap was built without schema
              mapping support, then this option is ignored.

       nss_override_attribute_value <attribute> <value>
              Specifies a value to use for the specified attribute in preference to that contained in the actual
              entry.  This  option  may  be specified multiple times, for different attributes.  If nss_ldap was
              built without schema mapping support, then this option is ignored.

       nss_schema <rfc2307bis|rfc2307>
              If the value of this option is  rfc2307bis then support for the RFC2307bis  schema  (distinguished
              names in groups) will be enabled.

       nss_initgroups <backlink>
              This  option  directs  the  nss_ldap  implementation  of initgroups(3) to determine a user's group
              membership by reading the memberOf attribute of their directory entry (and of any nested  groups),
              rather  than  querying  on  uniqueMember.  This  may  provide  increased  performance with certain
              directory servers that have peculiar indexing configurations.  If RFC2307bis support is  disabled,
              then this option is ignored.

       nss_initgroups_ignoreusers <user1,user2,...,userN>
              This  option directs the nss_ldap implementation of initgroups(3) to return NSS_STATUS_NOTFOUND if
              called with a listed users as its argument.

       nss_getgrent_skipmembers <yes|no>
              Specifies whether or not to populate the members list in the group structure for group lookups. If
              very large groups are present, enabling this option will greatly increase performance, at the cost
              of some lost functionality. You should verify no  local  applications  rely  on  this  information
              before enabling this on a production system.

       nss_srv_domain <domain>
              This option determines the DNS domain used for performing SRV lookups.

AUTHOR

       The nss_ldap module was developed by PADL Software Pty Ltd (www.padl.com).

FILES

       /etc/ldap.conf, /etc/ldap.secret, /etc/nsswitch.conf

SEE ALSO

       nsswitch.conf(5)

                                                                                                     nss_ldap(5)