1 '\" te 2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 6 .TH NISLDAPMAPPING 4 "Feb 25, 2017" 7 .SH NAME 8 NISLDAPmapping \- mapping file used by the NIS server components 9 .SH SYNOPSIS 10 .LP 11 .nf 12 \fB/var/yp/NISLDAPmapping\fR 13 .fi 14 15 .SH DESCRIPTION 16 .LP 17 The \fBNISLDAPmapping\fR file specifies the mapping between NIS map entries and 18 equivalent Directory Information Tree (DIT) entries. 19 .sp 20 .LP 21 The presence of \fB/var/yp/NISLDAPmapping\fR on a NIS master server causes that 22 server to obtain NIS data from LDAP. See \fBypserv\fR(4). If 23 \fB/var/yp/NISLDAPmapping\fR is present but the connection configuration file 24 that is defined in \fB/etc/default/ypserv\fR cannot be found, a warning is 25 logged. See \fBypserv\fR(1M). 26 .sp 27 .LP 28 NIS slave servers always obtain their data from a NIS master server, whether or 29 not that server is getting data from LDAP, and ignore the 30 \fB/var/yp/NISLDAPmapping\fR file. 31 .sp 32 .LP 33 A simple \fBNISLDAPmapping\fR file is created using \fBinityp2l\fR(1M). You can 34 customize your \fBNISLDAPmapping\fR file as you require. 35 .sp 36 .LP 37 Each attribute defined below can be specified 38 in\fB/var/yp/NISLDAPmappingLDAP\fR or as an LDAP attribute. If both are 39 specified, then the attribute in \fB/var/yp/NISLDAPmapping\fR (including empty 40 values) takes precedence. 41 .sp 42 .LP 43 A continuation is indicated by a '\e' (backslash) in the last position, 44 immediately before the newline of a line. Characters are escaped, that is, 45 exempted from special interpretation, when preceded by a backslash character. 46 .sp 47 .LP 48 The '#' (hash) character starts a comment. White space is either ASCII space or 49 a horizontal tab. In general, lines consist of optional white space, an 50 attribute name, at least one white space character, and an attribute value. 51 .SH EXTENDED DESCRIPTION 52 .SS "File Syntax" 53 .LP 54 Repeated fields, with separator characters, are described by the following 55 syntax: 56 .sp 57 .ne 2 58 .na 59 \fBOne or more entries\fR 60 .ad 61 .RS 24n 62 entry:entry:entry 63 .sp 64 .in +2 65 .nf 66 entry[":"...] 67 .fi 68 .in -2 69 70 .RE 71 72 .sp 73 .ne 2 74 .na 75 \fBZero or more entries\fR 76 .ad 77 .RS 24n 78 .sp 79 .in +2 80 .nf 81 [entry":"...] 82 .fi 83 .in -2 84 85 .RE 86 87 .SS "Attributes" 88 .LP 89 Attributes generally apply to one more more NIS maps. Map names can be 90 specified either on their own,that is in \fBpasswd.byname\fR, in which case 91 they apply to all domains, or for individual NIS domains, for example, in 92 \fBpasswd.byname,example.sun.uk\fR. Where a map is mentioned in more than one 93 attribute, both versions are applied. If any parts of the attributes are in 94 conflict, the domain specific version takes precedence over the non-domain 95 specific version. 96 .sp 97 .LP 98 Each domain specific attributes must appear in \fBNISLDAPmapping\fR before any 99 related non-domain specific attribute. If non-domain specific attributes appear 100 first, behavior may be unpredictable. Errors are logged when non-domain 101 specific attributes are found first. 102 .sp 103 .LP 104 You can associate a group of map names with a \fBdatabaseId\fR. In effect, a 105 macro is expanded to the group of names. Use this mechanism where the same 106 group of names is used in many attributes or where domain specific map names 107 are used. Then, you can make any changes to the domain name in one place. 108 .sp 109 .LP 110 Unless otherwise noted, all elements of the syntaxes below may be surrounded by 111 white space. Separator characters and white space must be escaped if they are 112 part of syntactic elements. 113 .sp 114 .LP 115 The following attributes are recognized. 116 .sp 117 .ne 2 118 .na 119 \fB\fBnisLDAPdomainContext\fR\fR 120 .ad 121 .sp .6 122 .RS 4n 123 The context to use for a NIS domain. 124 .sp 125 The syntax for \fBnisLDAPdomainContext\fR is: 126 .sp 127 .in +2 128 .nf 129 NISDomainName ":" context 130 .fi 131 .in -2 132 133 The following is an example of the \fBnisLDAPdomainContext\fR attribute: 134 .sp 135 .in +2 136 .nf 137 domain.one : dc=site, dc=company, dc=com 138 .fi 139 .in -2 140 141 The mapping file should define the context for each domain before any other 142 attribute makes use of the \fBNISDomainName\fR specified for that domain. 143 .RE 144 145 .sp 146 .ne 2 147 .na 148 \fB\fBnisLDAPyppasswddDomains\fR\fR 149 .ad 150 .sp .6 151 .RS 4n 152 Lists the domains for which password changes should be made. NIS password 153 change requests do not specify the domains in which any given password should 154 be changed. In traditional NIS this information is effectively hard coded in 155 the NIS makefile. 156 .sp 157 The syntax for the \fBnisLDAPyppasswddDomains\fR attribute is: 158 .sp 159 .in +2 160 .nf 161 domainname 162 .fi 163 .in -2 164 165 If there are multiple domains, use multiple \fBnisLDAPyppasswddDomain\fR 166 entries with one domainname per entry. 167 .RE 168 169 .sp 170 .ne 2 171 .na 172 \fB\fBnisLDAPdatabaseIdMapping\fR\fR 173 .ad 174 .sp .6 175 .RS 4n 176 Sets up an alias for a group of NIS map names. There is no default value. 177 .sp 178 The syntax for the \fBnisLDAPdatabaseIdMapping\fR attribute is: 179 .sp 180 .in +2 181 .nf 182 databaseId ":" ["["indexlist"]"] mapname[" "...] 183 .fi 184 .in -2 185 186 where 187 .sp 188 .in +2 189 .nf 190 databaseId = Label identifying a (subset of a) NIS 191 object for mapping purposes. 192 indexlist = fieldspec[","...] 193 fieldspec = fieldname "=" fieldvalue 194 fieldname = The name of a entry field as defined in 195 nisLDAPnameFields. 196 fieldvalue = fieldvaluestring | \e" fieldvaluestring \e" 197 .fi 198 .in -2 199 200 \fBindexlist\fR is used for those cases where it is necessary to select a 201 subset of entries from a NIS map. The subset are those NIS entries that match 202 the \fBindexlist\fR. If there are multiple specifications indexed for a 203 particular NIS map, they are tried in the order retrieved until one matches. 204 Note that retrieval order usually is unspecified for multi-valued LDAP 205 attributes. Hence, if using indexed specifications when 206 \fBnisLDAPdatabaseIdMapping\fR is retrieved from LDAP, make sure that the 207 subset match is unambiguous. 208 .sp 209 If the \fBfieldvaluestring\fR contains white space or commas, it must either be 210 surrounded by double quotes, or the special characters must be escaped. 211 Wildcards are allowed in the \fBfieldvaluestring\fR. See Wildcards 212 .sp 213 To associate the \fBpasswd.byname\fR and \fBpasswd.byuid\fR maps with the 214 \fBpasswd databaseId\fR: 215 .sp 216 .in +2 217 .nf 218 passwd:passwd.byname passwd.byuid 219 .fi 220 .in -2 221 222 The \fBpasswd\fR and \fBpasswd.adjunct\fR \fBdatabaseIds\fR receive special 223 handling. In addition to its normal usage, \fBpasswd\fR defines which maps 224 \fByppasswdd\fR is to update when a \fBpasswd\fR is changed. In addition to its 225 normal usage \fBpasswd.adjunct\fR defines which maps \fByppasswdd\fR is to 226 update when an adjunct \fBpasswd\fR is changed. 227 .sp 228 You may not alias a single map name to a different name, as the results are 229 unpredictable. 230 .RE 231 232 .sp 233 .ne 2 234 .na 235 \fB\fBnisLDAPentryTtl\fR\fR 236 .ad 237 .sp .6 238 .RS 4n 239 Establish TTLs for NIS entries derived from LDAP. 240 .sp 241 The syntax for the \fBnisLDAPentryTtl\fR attribute is: 242 .sp 243 .in +2 244 .nf 245 mapName[" "...]":" 246 initialTTLlo ":" initialTTLhi ":" runningTTL 247 .fi 248 .in -2 249 250 where 251 .sp 252 .ne 2 253 .na 254 \fB\fBinitialTTLlo\fR\fR 255 .ad 256 .RS 16n 257 The lower limit for the initial \fBTTL\fR (in seconds) for data read from LDAP 258 when the \fBypserv\fR starts. If the \fBinitialTTLhi\fR also is specified, the 259 actual \fBinitialTTL\fR will be randomly selected from the interval 260 \fBinitialTTLlo\fR to \fBinitialTTLhi\fR , inclusive. Leaving the field empty 261 yields the default value of 1800 seconds. 262 .RE 263 264 .sp 265 .ne 2 266 .na 267 \fB\fBinitialTTLhi\fR\fR 268 .ad 269 .RS 16n 270 The upper limit for the initial TTL. If left empty, defaults to 5400. 271 .RE 272 273 .sp 274 .ne 2 275 .na 276 \fB\fBrunningTTL\fR\fR 277 .ad 278 .RS 16n 279 The TTL (in seconds) for data retrieved from LDAP while the ypserv is running. 280 Leave the field empty to obtain the default value of 3600 seconds. 281 .RE 282 283 If there is no specification of \fBTTL\fRs for a particular map, the default 284 values are used. 285 .sp 286 If the \fBinitialTTLlo\fR and \fBinitialTTLhi\fR have the same value, the 287 effect will be that all data known to the \fBypserv\fR at startup times out at 288 the same time. Depending on NIS data lookup patterns, this could cause spikes 289 in ypserv-to-LDAP traffic. In order to avoid that, you can specify different 290 \fBinitialTTLlo\fR and \fBinitialTTLhi\fR values, and obtain a spread in 291 initial TTLs. 292 .sp 293 The following is an example of the \fBnisLDAPentryTtl\fR attribute used to 294 specify that entries in the NIS host maps read from LDAP should be valid for 295 four hours. When \fBypserv\fR restarts, the disk database entries are valid for 296 between two and three hours. 297 .sp 298 .in +2 299 .nf 300 hosts.byname hosts.byaddr:7200:10800:14400 301 .fi 302 .in -2 303 304 .RE 305 306 .sp 307 .ne 2 308 .na 309 \fB\fBnisLDAPobjectDN\fR\fR 310 .ad 311 .sp .6 312 .RS 4n 313 Specifies the connection between a group of NIS maps and the LDAP directory. 314 This attribute also defines the 'order' of the NIS maps. When NIS maps are bulk 315 copied to or from the DIT, they are processed in the same order as related 316 \fBnisLDAPobjectDN\fR attributes appear in \fB/var/yp/NISLDAPmapping.\fR 317 .sp 318 The syntax for the \fBnisLDAPobjectDN\fR\ attribute is: 319 .sp 320 .in +2 321 .nf 322 mapName[" "...] ":" objectDN *( ";" objectDN ) 323 .fi 324 .in -2 325 326 where 327 .sp 328 .in +2 329 .nf 330 objectDN = readObjectSpec [":"[writeObjectSpec]] 331 readObjectSpec = [baseAndScope [filterAttrValList]] 332 writeObjectSpec = [baseAndScope [attrValList]] 333 baseAndScope = [baseDN] ["?" [scope]] 334 filterAttrValList = ["?" [filter | attrValList]]] 335 scope = "base" | "one" | "sub" 336 attrValList = attribute "=" value 337 *("," attribute "=" value) 338 .fi 339 .in -2 340 341 The \fBbaseDN\fR defaults to the value of the \fBnisLDAPdomainContext\fR 342 attribute for the accessed domain. If the \fBbaseDN\fR ends in a comma, the 343 \fBnisLDAPdomainContext\fR value is appended. 344 .sp 345 \fBscope\fR defaults to one. \fBscope\fR has no meaning and is ignored in a 346 \fBwriteObjectSpec\fR. 347 .sp 348 The \fBfilter\fR is an LDAP search filter and has no default value. 349 .sp 350 The \fBattrValList\fR is a list of attribute and value pairs. There is no 351 default value. 352 .sp 353 As a convenience, if an \fBattrValList\fR is specified in a 354 \fBreadObjectSpec\fR, it is converted to a search filter by ANDing together the 355 attributes and the values. For example, the attribute and value list: 356 .sp 357 .in +2 358 .nf 359 objectClass=posixAccount,objectClass=shadowAccount 360 .fi 361 .in -2 362 363 is converted to the filter: 364 .sp 365 .in +2 366 .nf 367 (&(objectClass=posixAccount)\e 368 (objectClass=shadowAccount)) 369 .fi 370 .in -2 371 372 Map entries are mapped by means of the relevant mapping rules in the 373 \fBnisLDAPnameFields\fR and \fBnisLDAPattributeFromField\fR . 374 .sp 375 If a \fBwriteObjectSpec\fR is omitted, the effect is one of the following: 376 .RS +4 377 .TP 378 .ie t \(bu 379 .el o 380 If there is no trailing colon after the \fBreadObjectSpec\fR, then there is no 381 write at all. 382 .RE 383 .RS +4 384 .TP 385 .ie t \(bu 386 .el o 387 If there is a colon after the \fBreadObjectSpec\fR, then \fBwriteObjectSpec\fR 388 equals \fBreadObjectSpec\fR. 389 .RE 390 The following is an example of a \fBnisLDAPobjectDN\fR attribute declaration 391 that gets the \fBhosts.byaddr\fR map entries from the \fBou=Hosts\fR container 392 under the default search base and writes to the same place. 393 .sp 394 .in +2 395 .nf 396 hosts.byaddr:ou=Hosts,?one?objectClass=ipHost: 397 .fi 398 .in -2 399 400 The following is an example of a \fBnisLDAPobjectDN\fR attribute declaration 401 that obtains \fBpasswd\fR map entries from the \fBou=People\fR containers under 402 the default search base, and also from \fBdc=another,dc=domain\fR. 403 .sp 404 .in +2 405 .nf 406 passwd:ou=People,?one?\e 407 objectClass=shadowAccount,\e 408 objectClass=posixAccount:;\e 409 ou=People,dc=another,dc=domain,?one?\e 410 objectClass=shadowAccount,\e 411 objectClass=posixAccount 412 .fi 413 .in -2 414 415 .RE 416 417 .sp 418 .ne 2 419 .na 420 \fB\fBnisLDAPnameFields\fR\fR 421 .ad 422 .sp .6 423 .RS 4n 424 Specifies the content of entries in a NIS map and how they should be broken 425 into named fields. \fBnisLDAPnameFields\fR is required because NIS 426 maps do not store information in named fields. 427 .sp 428 The syntax for the \fBnisLDAPnameFields\fR attribute is as follows: 429 .sp 430 .in +2 431 .nf 432 "nisLDAPnameFields" mapName ":" "(" matchspec "," fieldNames ")" 433 fieldName = nameOrArrayName[","...] 434 nameOrArrayName = Name of field or 'array' of repeated fields. 435 matchspec = \e" formatString \e" 436 .fi 437 .in -2 438 439 \fBformatString\fR may contains a list of \fB%s\fR and \fB%a\fR elements each 440 of which represents a single named field or a list of repeated fields. A 441 \fB%a\fR field is interpreted as an IPv4 address or an IPv6 address in 442 preferred format. If an IPv6 address in non preferred format is found, then it 443 is converted and a warning is logged. 444 .sp 445 Where there are a list of repeated fields, the entire list is stored as one 446 entry. The fields are broken up into individual entries, based on the internal 447 separator, at a latter stage. Other characters represent separators which must 448 be present. Any separator, including whitespace, specified by the 449 \fBformatString\fR, may be surrounded by a number of whitespace and tab 450 characters. The whitespace and tab characters are ignored. 451 .sp 452 Regardless of the content of this entry some \fBfieldNames\fR are reserved: 453 .sp 454 .ne 2 455 .na 456 \fB\fBrf_key\fR\fR 457 .ad 458 .RS 18n 459 The DBM key value 460 .RE 461 462 .sp 463 .ne 2 464 .na 465 \fB\fBrf_ipkey\fR\fR 466 .ad 467 .RS 18n 468 The DBM key value handled as an IP address. See the discussion of \fB%a\fR 469 fields. 470 .RE 471 472 .sp 473 .ne 2 474 .na 475 \fB\fBrf_comment\fR\fR 476 .ad 477 .RS 18n 478 Everything following the first occurrence of a symbol. \fBrf_comment\fR is 479 defined by \fBnisLDAPcommentChar\fR. 480 .RE 481 482 .sp 483 .ne 2 484 .na 485 \fB\fBrf_domain\fR\fR 486 .ad 487 .RS 18n 488 The name of the domain in which the current NIS operation is being carried out. 489 .RE 490 491 .sp 492 .ne 2 493 .na 494 \fB\fBrf_searchipkey\fR\fR 495 .ad 496 .RS 18n 497 The \fBrf_searchkey\fR value handled as an IP address. See the discussion of 498 \fB%a\fR fields above. 499 .RE 500 501 .sp 502 .ne 2 503 .na 504 \fB\fBrf_searchkey\fR\fR 505 .ad 506 .RS 18n 507 See the description under \fBnisLDAPattributeFromField\fR below. 508 .RE 509 510 For example, the \fBrpc.bynumber\fR map has the format: 511 .sp 512 .in +2 513 .nf 514 name number alias[" "...] 515 .fi 516 .in -2 517 518 The NIS to LDAP system is instructed to break it into a name, a number, and an 519 array of alias field by the following entry in the mapping file: 520 .sp 521 .in +2 522 .nf 523 nisLDAPnameFields rpc.bynumber : \e 524 "%s %s %s", name,number,aliases) 525 .fi 526 .in -2 527 528 .RE 529 530 .sp 531 .ne 2 532 .na 533 \fB\fBnisLDAPsplitFields\fR\fR 534 .ad 535 .sp .6 536 .RS 4n 537 Defines how a field, or list of fields, named by \fBnisLDAPnameFields\fR is 538 split into subfields. The original field is compared with each line of this 539 attribute until one matches. When a match is found named subfields are 540 generated. In latter operations subfield names can be used in the same way as 541 other field names. 542 .sp 543 The syntax for the \fBnisLDAPsplitFields\fR attribute is as follows: 544 .sp 545 .in +2 546 .nf 547 "nisLDAPsplitFields" fieldName ":" splitSpec[","...] 548 splitSpec = "(" matchspec "," subFieldNames ")" 549 fieldName = Name of a field from nisLDAPnameFields 550 subFieldNames = subFieldname[","...] 551 matchspec = \e" formatString \e" 552 .fi 553 .in -2 554 555 The netgroup \fBmemberTriples\fR can have format \fB(host, user, domain)\fR or 556 \fBgroupname\fR. The format is specified by the attribute: 557 .sp 558 .in +2 559 .nf 560 nisLDAPsplitField memberTriple: \e 561 ("(%s,%s,%s)", host, user, domain) , \e 562 ("%s", group) 563 .fi 564 .in -2 565 566 Later operations can then use field names \fBhost\fR, \fBuser\fR, \fBdomain\fR, 567 \fBgroup\fR or \fBmemberTriple\fR. Because lines are processed in order, if 568 \fBhost\fR, \fBuser\fR and \fBdomain\fR are found, \fBgroup\fR will not be 569 generated. 570 .sp 571 Several maps and databaseIds may contain fields that are to be split in the 572 same way. As a consequence, the names of fields to be split must be unique 573 across all maps and databaseIds. 574 .sp 575 Only one level of spliting is supported.That is, a subfield cannot be split 576 into further subfields. 577 .RE 578 579 .sp 580 .ne 2 581 .na 582 \fB\fBnisLDAPrepeatedFieldSeparators\fR\fR 583 .ad 584 .sp .6 585 .RS 4n 586 Where there is a list of repeated, splitable fields, 587 \fBnisLDAPrepeatedFieldSeparators\fR specifies which characters separate 588 instances of the splitable field. 589 .sp 590 The syntax for the \fBnisLDAPrepeatedFieldSeparators\fR attribute is as 591 follows: 592 .sp 593 .in +2 594 .nf 595 "nisLDAPrepeatedFieldSeparators" fieldName \e"sepChar[...]\e" 596 sepChar = A separator character. 597 .fi 598 .in -2 599 600 The default value is space or tab. If repeated splitable fields are adjacent, 601 that is, there is no separating character, then the following should be 602 specified: 603 .sp 604 .in +2 605 .nf 606 nisLDAPrepeatedFieldSeparators netIdEntry: "" 607 .fi 608 .in -2 609 610 .RE 611 612 .sp 613 .ne 2 614 .na 615 \fB\fBnisLDAPcommentChar\fR\fR 616 .ad 617 .sp .6 618 .RS 4n 619 Specifies which character represents the start of the special comment field in 620 a given NIS map. If this attribute is not present then the default comment 621 character \fB#\fR is used. 622 .sp 623 To specify that a map uses a asterix to mark the start of comments. 624 .sp 625 .in +2 626 .nf 627 nisLDAPcommentChar mapname : '*' 628 .fi 629 .in -2 630 631 If a map cannot contain comments, then the following attribute should be 632 specified. 633 .sp 634 .in +2 635 .nf 636 nisLDAPcommentChar mapname : '' 637 .fi 638 .in -2 639 640 .RE 641 642 .sp 643 .ne 2 644 .na 645 \fB\fBnisLDAPmapFlags\fR\fR 646 .ad 647 .sp .6 648 .RS 4n 649 Indicates if \fBYP_INTERDOMAIN\fR or \fBYP_SECURE\fR entries should be created 650 in a map. Using \fBnisLDAPmapFlags\fR is equivalent to running 651 \fBmakedbm\fR(1M) with the \fB-b\fR or the \fB-s\fR option. When a map is 652 created from the contents of the DIT, the mapping file attribute is the only 653 source for the \fBYP_INTERDOMAIN\fR or \fBYP_SECURE\fR entries. 654 .sp 655 The syntax for the \fBnisLDAPmapFlags\fR attribute is as follows: 656 .sp 657 .in +2 658 .nf 659 "nisLDAPmapFlags" mapname ":" ["b"]["s"] 660 .fi 661 .in -2 662 663 By default neither entry is created. 664 .RE 665 666 .sp 667 .ne 2 668 .na 669 \fB\fBnisLDAPfieldFromAttribute\fR\fR 670 .ad 671 .sp .6 672 .RS 4n 673 Specifies how a NIS entries field values are derived from LDAP attribute 674 values. 675 .sp 676 The syntax for the \fBnisLDAPfieldFromAttribute\fR attribute is as follows: 677 .sp 678 .in +2 679 .nf 680 mapName ":" fieldattrspec *("," fieldattrspec) 681 .fi 682 .in -2 683 684 The format of \fBfieldattrspec\fR is shown below at Field and Attribute 685 Conversion Syntax. 686 .sp 687 To map by direct copy and assignment the value of the \fBipHostNumber\fR 688 attribute to the \fBaddr\fR named field, for example: 689 .sp 690 .in +2 691 .nf 692 addr=ipHostNumber 693 .fi 694 .in -2 695 696 Formats for the named field and attribute conversion syntax are discussed 697 below, including examples of complex attribute to field conversions. 698 .RE 699 700 .sp 701 .ne 2 702 .na 703 \fB\fBnisLDAPattributeFromField\fR\fR 704 .ad 705 .sp .6 706 .RS 4n 707 Specifies how an LDAP attribute value is derived from a NIS entriy field 708 value. 709 .sp 710 The syntax for the \fBnisLDAPattributeFromField\fR attribute is as follows: 711 .sp 712 .in +2 713 .nf 714 mapName ":" fieldattrspec *("," fieldattrspec ) 715 .fi 716 .in -2 717 718 The format of \fBfieldattrspec\fR is shown below at Field and Attribute 719 Conversion Syntax. 720 .sp 721 As a special case, if the \fBdn\fR attribute value derived from a 722 \fBfieldattrspec\fR ends in a comma ("\fB,\fR"), the domains context from 723 \fBnisLDAPdomainContext\fR is appended. 724 .sp 725 Use the following example to map the value of the \fBaddr\fR field to the 726 \fBipHostNumber\fR attribute by direct copy and assignment: 727 .sp 728 .in +2 729 .nf 730 ipHostNumber=addr 731 .fi 732 .in -2 733 734 All relevant attributes, including the \fBdn\fR, must be specified. 735 .sp 736 For every map it must be possible to rapidly find a DIT entry based on its key. 737 There are some maps for which a NIS to LDAP mapping for the key is not 738 desirable, so a key mapping cannot be specified. In these cases a mapping that 739 uses the reserved \fBrf_searchkey\fR must be specified. Mappings that use this 740 field name are ignored when information is mapped into the DIT. 741 .RE 742 743 .SS "Field and Attribute Conversion Syntax" 744 .LP 745 The general format of a \fBfieldattrspec\fR is: 746 .sp 747 .in +2 748 .nf 749 fieldattrspec = lhs "=" rhs 750 lhs = lval | namespeclist 751 rhs = rval | [namespec] 752 namespeclist = namespec | "(" namespec *("," namespec) ")" 753 .fi 754 .in -2 755 756 .sp 757 .LP 758 The \fBlval\fR and \fBrval\fR syntax are defined below at Values. The format of 759 a \fBnamespec\fR is: 760 .sp 761 .ne 2 762 .na 763 \fB\fBnamespec\fR\fR 764 .ad 765 .RS 16n 766 .sp 767 .in +2 768 .nf 769 ["ldap:"] attrspec [searchTriple] | ["yp:"] fieldname 770 [mapspec] 771 .fi 772 .in -2 773 774 .RE 775 776 .sp 777 .ne 2 778 .na 779 \fB\fBfieldname\fR\fR 780 .ad 781 .RS 16n 782 .sp 783 .in +2 784 .nf 785 field | "(" field ")" 786 .fi 787 .in -2 788 789 .RE 790 791 .sp 792 .ne 2 793 .na 794 \fB\fBattrspec\fR\fR 795 .ad 796 .RS 16n 797 .sp 798 .in +2 799 .nf 800 attribute | "(" attribute ")" 801 .fi 802 .in -2 803 804 .RE 805 806 .sp 807 .ne 2 808 .na 809 \fB\fBsearchTriple\fR\fR 810 .ad 811 .RS 16n 812 .sp 813 .in +2 814 .nf 815 ":" [baseDN] ["?" [scope] ["?" [filter]]] 816 .fi 817 .in -2 818 819 .RE 820 821 .sp 822 .ne 2 823 .na 824 \fB\fBbaseDN\fR\fR 825 .ad 826 .RS 16n 827 Base DN for search 828 .RE 829 830 .sp 831 .ne 2 832 .na 833 \fB\fBfilter\fR\fR 834 .ad 835 .RS 16n 836 LDAP search filter 837 .RE 838 839 .sp 840 .ne 2 841 .na 842 \fB\fBmapspec\fR\fR 843 .ad 844 .RS 16n 845 Map name 846 .RE 847 848 .sp 849 .LP 850 The repository specification in a \fBnamespec\fR defaults is as follows: 851 .RS +4 852 .TP 853 .ie t \(bu 854 .el o 855 For assignments to a field: 856 .RS 857 858 .sp 859 .ne 2 860 .na 861 \fBon the \fBLHS\fR\fR 862 .ad 863 .RS 14n 864 yp 865 .RE 866 867 .sp 868 .ne 2 869 .na 870 \fBon the \fBRHS\fR\fR 871 .ad 872 .RS 14n 873 ldap 874 .RE 875 876 .RE 877 878 NIS field values on the \fBRHS\fR are those that exist before the NIS entry is 879 modified. 880 .RE 881 .RS +4 882 .TP 883 .ie t \(bu 884 .el o 885 For assignments to an attribute: 886 .RS 887 888 .sp 889 .ne 2 890 .na 891 \fBon the \fBLHS\fR\fR 892 .ad 893 .RS 14n 894 ldap 895 .RE 896 897 .sp 898 .ne 2 899 .na 900 \fBon the \fBRHS\fR\fR 901 .ad 902 .RS 14n 903 yp 904 .RE 905 906 .RE 907 908 Attribute values on the \fBRHS\fR are those that exist before the LDAP entry is 909 modified. 910 .RE 911 .sp 912 .LP 913 When the field or attribute name is enclosed in parenthesis, it denotes a list 914 of field or attribute values. For attributes, the meaning is the list of all 915 attributes of that name, and the interpretation depends on the context. See the 916 discussion at Values. The list specification is ignored when a 917 \fBsearchTriple\fR or \fBmapspec\fR is supplied. 918 .sp 919 .LP 920 For fields, the \fBfieldname\fR syntax is used to map multiple attribute 921 instances to multiple NIS entries. 922 .sp 923 .LP 924 The \fBsearchTriple\fR can be used to specify an attribute from a location 925 other than the read or write target. The defaultvalues are as follows: 926 .sp 927 .ne 2 928 .na 929 \fB\fBbaseDN\fR\fR 930 .ad 931 .RS 10n 932 If \fBbaseDN\fR is omitted, the default is the current \fBobjectDN\fR. If the 933 \fBbaseDN\fR ends in a comma, the context of the domain is appended from 934 \fBnisLDAPdomainContext\fR . 935 .RE 936 937 .sp 938 .ne 2 939 .na 940 \fB\fBscope\fR\fR 941 .ad 942 .RS 10n 943 one 944 .RE 945 946 .sp 947 .ne 2 948 .na 949 \fB\fBfilter\fR\fR 950 .ad 951 .RS 10n 952 Empty 953 .RE 954 955 .sp 956 .LP 957 Similarly, the \fBmapspec\fR can be used to specify a field value from a NIS 958 map other than the one implicitly indicated by the \fBmapName\fR. If 959 \fBsearchTriple\fR or \fBmapspec\fR is explicitly specified in a 960 \fBnamespec\fR, the retrieval or assignment, whether from or to LDAP or NIS, is 961 performed without checking if read and write are enabled for the LDAP container 962 or NIS map. 963 .sp 964 .LP 965 The omission of the \fBnamespec\fR in an \fBrhs\fR is only allowed if the 966 \fBlhs\fR is one or more attributes. The effect is to delete the specified 967 attribute(s). In all other situations, an omitted \fBnamespec\fR means that the 968 rule is ignored. 969 .sp 970 .LP 971 The \fBfilter\fR can be a value. See Values. For example, to find the 972 \fBipHostNumber\fRthat uses the \fBcn\fR, you specify the following in the 973 \fBfilter\fR field: 974 .sp 975 .in +2 976 .nf 977 ldap:ipHostNumber:?one?("cn=%s", (cname, "%s.*")) 978 .fi 979 .in -2 980 981 .sp 982 .LP 983 In order to remove ambiguity, the unmodified value of a single field or 984 attribute must be specified as the following when used in the \fBfilter\fR 985 field. 986 .sp 987 .in +2 988 .nf 989 ("%s", namespec) 990 .fi 991 .in -2 992 993 .sp 994 .LP 995 If the \fBfilter\fR is not specified, the scope will be base, and the 996 \fBbaseDN\fR is assumed to be the \fBDN\fR of the entry that contains the 997 attribute to be retrieved or modified. To use previously existing field or 998 attribute values in the mapping rules requires a lookup to find those values. 999 Obviously, this adds to the time required to perform the modification. Also, 1000 there is a window between the time when a value is retrieved and then slightly 1001 later stored back. If the values have changed in the mean time, the change may 1002 be overwritten. 1003 .sp 1004 .LP 1005 When \fBfieldattrspecs\fR are grouped into rule sets, in the value of a 1006 \fBnisLDAPfieldFromAttribute\fR or \fBnisLDAPattributeFromField\fR attribute, 1007 the evaluation of the \fBfieldattrspecs\fR proceed in the listed order. 1008 However, evaluation may be done in parallel for multiple \fBfieldattrspecs\fR. 1009 If there is an error when evaluating a certain \fBfieldattrspec\fR, including 1010 retrieval or assignment of entry or field values, the extent to which the other 1011 \fBfieldattrspec\fR rules are evaluated is unspecified. 1012 .SS "Wildcards" 1013 .LP 1014 Where wildcard support is available, it is of the following limited form: 1015 .sp 1016 .ne 2 1017 .na 1018 \fB\fB*\fR\fR 1019 .ad 1020 .RS 9n 1021 Matches any number of characters 1022 .RE 1023 1024 .sp 1025 .ne 2 1026 .na 1027 \fB\fB[x]\fR\fR 1028 .ad 1029 .RS 9n 1030 Matches the character x 1031 .RE 1032 1033 .sp 1034 .ne 2 1035 .na 1036 \fB\fB[x-y]\fR\fR 1037 .ad 1038 .RS 9n 1039 Matches any character in the range x to y, inclusive 1040 .RE 1041 1042 .sp 1043 .LP 1044 Combinations such as \fB[a-cA-C0123]\fR are also allowed, which would match any 1045 one of a, b, c, A, B, C, 0, 1, 2, or 3. 1046 .SS "Substring Extraction" 1047 .in +2 1048 .nf 1049 substringextract = "(" namespec "," matchspec ")" 1050 name = field or attribute name 1051 matchspec = 1052 .fi 1053 .in -2 1054 1055 .sp 1056 .LP 1057 The \fBmatchspec\fR is a string like the \fBsscanf\fR(3C) format string, except 1058 that there may be at most one format specifier, a single \fB%s\fR. The output 1059 value of the \fBsubstringextract\fR is the substring that matches the location 1060 of the \fB%s\fR. 1061 .sp 1062 .LP 1063 If there is no \fB%s\fR in the formatstring, it must instead be a single 1064 character, which is assumed to be a field separator for the \fBnamespec\fR. The 1065 output values are the field values. Wild cards are supported. If there is no 1066 match, the output value is the empty string, " ". 1067 .sp 1068 .LP 1069 For example, if the \fBfieldcname\fR has the value 1070 \fBuser.some.domain.name.\fR, the value of the expression: 1071 .sp 1072 .in +2 1073 .nf 1074 (cname, "%s.*") 1075 .fi 1076 .in -2 1077 1078 .sp 1079 .LP 1080 is \fBuser\fR, which can be used to extract the user name from a NIS principal 1081 name. 1082 .sp 1083 .LP 1084 Similarly, use this expression to extract the third of the colon-separated 1085 fields of the shadow field: 1086 .sp 1087 .in +2 1088 .nf 1089 (shadow, "*:*:%s:*") 1090 .fi 1091 .in -2 1092 1093 .sp 1094 .LP 1095 This form can be used to extract all of the shadow fields. However, a simpler 1096 way to specify that special case is: 1097 .sp 1098 .in +2 1099 .nf 1100 (shadow, ":") 1101 .fi 1102 .in -2 1103 1104 .SS "Values" 1105 .in +2 1106 .nf 1107 lval = "(" formatspec "," namespec *("," namespec) ")" 1108 rval = "(" formatspec ["," namelist ["," elide] ] ")" 1109 1110 namelist = name_or_sse *( "," name_or_sse) 1111 name_or_sse = namespec | removespec | substringextract 1112 removespec = list_or_name "-" namespec 1113 list_or_name = "(" namespec ")" | namespec 1114 formatspec = 1115 formatstring = A string combining text and % field specifications 1116 elide = 1117 singlechar = Any character 1118 .fi 1119 .in -2 1120 1121 .sp 1122 .LP 1123 The syntax above is used to produce \fBrval\fR values that incorporate field or 1124 attribute values, in a manner like \fBsprintf\fR(3C), or to perform assignments 1125 to \fBlval\fR like \fBsscanf\fR(3C). One important restriction is that the 1126 format specifications,\fB%\fR plus a single character, use the designations 1127 from \fBber_printf\fR(3LDAP). Thus, while \fB%s\fR is used to extract a string 1128 value, \fB%i\fR causes BER conversion from an integer. Formats other than 1129 \fB%s\fR, for instance, \fB%i\fR, are only meaningfully defined in simple 1130 format strings without any other text. 1131 .sp 1132 .LP 1133 The following \fBber_printf()\fR format characters are recognized: 1134 .sp 1135 .in +2 1136 .nf 1137 b i n o s 1138 .fi 1139 .in -2 1140 1141 .sp 1142 .LP 1143 If there are too few format specifiers, the format string may be repeated as 1144 needed. 1145 .sp 1146 .LP 1147 When used as an \fBlval\fR, there is a combination of pattern matching and 1148 assignment, possibly to multiple fields or attributes. 1149 .sp 1150 .LP 1151 In an assignment to an attribute, if the value of the \fBaddr\fR field is 1152 \fB1.2.3.4\fR, the \fBrval\fR: 1153 .sp 1154 .in +2 1155 .nf 1156 ("ipNetworkNumber=%s,", addr) 1157 .fi 1158 .in -2 1159 1160 .sp 1161 .LP 1162 produces the value \fBipNetworkNumber=1.2.3.4,\fR, while: 1163 .sp 1164 .in +2 1165 .nf 1166 ("(%s,%s,%s)", host, user, domain) 1167 .fi 1168 .in -2 1169 1170 .sp 1171 .LP 1172 results in: 1173 .sp 1174 .in +2 1175 .nf 1176 (assuming host="xyzzy", user="-", domain="x.y.z") 1177 "(xyzzy,-,x.y.z)" 1178 .fi 1179 .in -2 1180 1181 .sp 1182 .LP 1183 The elide character feature is used with attribute lists. So: 1184 .sp 1185 .in +2 1186 .nf 1187 ("%s,", (mgrprfc822mailmember), ",") 1188 .fi 1189 .in -2 1190 1191 .sp 1192 .LP 1193 concatenates all \fBmgrprfc822mailmember\fR values into one comma-separated 1194 string, and then elides the final trailing comma. Thus, for 1195 .sp 1196 .in +2 1197 .nf 1198 mgrprfc822mailmember=usera 1199 mgrprfc822mailmember=userb 1200 mgrprfc822mailmember=userc 1201 .fi 1202 .in -2 1203 1204 .sp 1205 .LP 1206 the value would be: 1207 .sp 1208 .in +2 1209 .nf 1210 usera,userb,userc 1211 .fi 1212 .in -2 1213 1214 .sp 1215 .LP 1216 As a special case, to combine an \fBLHS\fR extraction with an \fBRHS\fR 1217 implicit list creates multiple entries and values. So 1218 .sp 1219 .in +2 1220 .nf 1221 ("(%s,%s,%s)", host, user, domain)=(nisNetgroupTriple) 1222 .fi 1223 .in -2 1224 1225 .sp 1226 .LP 1227 creates one NIS entry for each \fBnisNetgroupTriple\fR value. 1228 .sp 1229 .LP 1230 The \fB\&'removespec'\fR form is used to exclude previously assigned fields 1231 values from a list. So, if an LDAP entry contains: 1232 .sp 1233 .in +2 1234 .nf 1235 name: foo 1236 cn: foo 1237 cn: foo1 1238 cn: foo2 1239 .fi 1240 .in -2 1241 1242 .sp 1243 .LP 1244 and the mapping file specifies : 1245 .sp 1246 .in +2 1247 .nf 1248 myName = name, \e 1249 myAliases = ("%s ", (cn) - yp:myName, " ") 1250 .fi 1251 .in -2 1252 1253 .sp 1254 .LP 1255 then the following assignments are carried out: 1256 .RS +4 1257 .TP 1258 1. 1259 Assign value \fBfoo\fR to \fBmyName\fR 1260 .RE 1261 .RS +4 1262 .TP 1263 2. 1264 Assign value \fBfoo foo1 foo2\fR to \fBmyAliases\fR 1265 .RE 1266 .RS +4 1267 .TP 1268 3. 1269 Remove value of \fBmyName\fR from value \fBmyAliases\fR 1270 .RE 1271 .sp 1272 .LP 1273 This results in the field values \fBmyName\fR is set to \fBfoo\fR, and 1274 \fBmyAliases\fR is set to \fBfoo1 foo2\fR. 1275 .SS "Assignments" 1276 .LP 1277 The assignment syntax, also found at Field and Attribute Conversion Syntax, is 1278 as follows: 1279 .sp 1280 .in +2 1281 .nf 1282 fieldattrspec = lhs "=" rhs 1283 lhs = lval | namespeclist 1284 rhs = rval | namespec 1285 namespeclist = namespec | "(" namespec *("," namespec) ")" 1286 .fi 1287 .in -2 1288 1289 .sp 1290 .LP 1291 The general form of a simple assignment, which is a one-to-one mapping of field 1292 to attribute, is: 1293 .sp 1294 .in +2 1295 .nf 1296 ("%s", fieldname)=("%s", attrname) 1297 .fi 1298 .in -2 1299 1300 .sp 1301 .LP 1302 As a convenient shorthand, this can also be written as: 1303 .sp 1304 .in +2 1305 .nf 1306 fieldname=attrname 1307 .fi 1308 .in -2 1309 1310 .sp 1311 .LP 1312 A list specification, which is a name enclosed in parenthesis, can be used to 1313 make many-to-many assignments. The expression: 1314 .sp 1315 .in +2 1316 .nf 1317 (fieldname)=(attrname) 1318 .fi 1319 .in -2 1320 1321 .sp 1322 .LP 1323 where there are multiple instances of \fBattrname\fR, creates one NIS entry for 1324 each such instance, differentiated by their \fBfieldname\fR values. The 1325 following combinations of lists are allowed, but they are not particularly 1326 useful: 1327 .sp 1328 .ne 2 1329 .na 1330 \fB\fB(attrname)=(fieldname)\fR\fR 1331 .ad 1332 .RS 26n 1333 Equivalent to \fBattrname=fieldname\fR 1334 .RE 1335 1336 .sp 1337 .ne 2 1338 .na 1339 \fB\fBattrname=(fieldname)\fR\fR 1340 .ad 1341 .RS 26n 1342 Equivalent to \fBattrname=fieldname\fR 1343 .RE 1344 1345 .sp 1346 .ne 2 1347 .na 1348 \fB\fB(fieldname)=attrname\fR\fR 1349 .ad 1350 .RS 26n 1351 Equivalent to \fBfieldname=attrname\fR 1352 .RE 1353 1354 .sp 1355 .ne 2 1356 .na 1357 \fB\fBfieldname=(attrname)\fR\fR 1358 .ad 1359 .RS 26n 1360 Equivalent to \fBfieldname=attrname\fR 1361 .RE 1362 1363 .sp 1364 .LP 1365 If a multi-valued \fBRHS\fR is assigned to a single-valued \fBLHS\fR, the 1366 \fBLHS\fR value will be the first of the \fBRHS\fR values. If the \fBRHS\fR is 1367 an attribute list, the first attribute is the first one returned by the LDAP 1368 server when queried. Otherwise, the definition of "first"is implementation 1369 dependent. 1370 .sp 1371 .LP 1372 Finally, the \fBLHS\fR can be an explicit list of fields or attributes, such 1373 as: 1374 .sp 1375 .in +2 1376 .nf 1377 (name1,name2,name3) 1378 .fi 1379 .in -2 1380 1381 .sp 1382 .LP 1383 If the \fBRHS\fR is single-valued, this assigns the \fBRHS\fR value to all 1384 entities in the list. If the \fBRHS\fR is multi-valued, the first value is 1385 assigned to the first entity of the list, the second value to the second 1386 entity, and so on. Excess values or entities are silently ignored. 1387 .SH EXAMPLES 1388 .LP 1389 \fBExample 1 \fRAssigning an Attribute Value to a Field 1390 .sp 1391 .LP 1392 The following example illustrates how to assign the value of the 1393 \fBipHostNumber\fR attribute to the \fBaddr\fR field 1394 1395 .sp 1396 .in +2 1397 .nf 1398 addr=ipHostNumber 1399 .fi 1400 .in -2 1401 1402 .LP 1403 \fBExample 2 \fRCreating Multiple NIS Entries from Multi-Valued LDAP Attributes 1404 .sp 1405 .LP 1406 An LDAP entry with: 1407 1408 .sp 1409 .in +2 1410 .nf 1411 cn=name1 1412 cn=name2 1413 cn=name3 1414 .fi 1415 .in -2 1416 1417 .sp 1418 .LP 1419 and the following assignments: 1420 1421 .sp 1422 .in +2 1423 .nf 1424 cname=cn 1425 (name)=(cn) 1426 .fi 1427 .in -2 1428 1429 .sp 1430 .LP 1431 creates three NIS entries. Other attributes and fields are omitted for clarity. 1432 1433 .sp 1434 .in +2 1435 .nf 1436 cname=name1, name=name1 1437 cname=name1, name=name2 1438 cname=name1, name=name3 1439 .fi 1440 .in -2 1441 1442 .LP 1443 \fBExample 3 \fRAssigning String Constants 1444 .sp 1445 .LP 1446 The following expression sets the \fBpasswd\fR field to x: 1447 1448 .sp 1449 .in +2 1450 .nf 1451 passwd=("x") 1452 .fi 1453 .in -2 1454 1455 .LP 1456 \fBExample 4 \fRSplitting Field Values to Multi-Valued Attributes 1457 .sp 1458 .LP 1459 The \fBexpansion\fR field contains a comma-separated list of alias member 1460 names. In the following example, the expression assigns each member name to an 1461 instance of \fBmgrprfc822mailmember\fR: 1462 1463 .sp 1464 .in +2 1465 .nf 1466 (mgrprfc822mailmember)=(expansion, ",") 1467 .fi 1468 .in -2 1469 1470 .SH FILES 1471 .ne 2 1472 .na 1473 \fB\fB/var/yp/NISLDAPmapping\fR\fR 1474 .ad 1475 .RS 26n 1476 Mapping file used by the NIS server components 1477 .RE 1478 1479 .SH ATTRIBUTES 1480 .LP 1481 See \fBattributes\fR(5) for descriptions of the following attributes: 1482 .sp 1483 1484 .sp 1485 .TS 1486 box; 1487 c | c 1488 l | l . 1489 ATTRIBUTE TYPE ATTRIBUTE VALUE 1490 _ 1491 Interface Stability Obsolete 1492 .TE 1493 1494 .SH SEE ALSO 1495 .LP 1496 \fBinityp2l\fR(1M), \fBmakedbm\fR(1M), \fBypserv\fR(1M), 1497 \fBber_printf\fR(3LDAP), \fBsprintf\fR(3C), \fBsscanf\fR(3C), 1498 \fBypserv\fR(4), \fBattributes\fR(5) 1499 .sp 1500 .LP 1501 \fISystem Administration Guide: Naming and Directory Services (DNS, NIS, and 1502 LDAP)\fR