Sun Microsystems, Inc.
27. Transitioning From NIS+ to LDAP: Getting Started, /etc/default/rpc.nisd General Configuration

Configuration Data From LDAP

The following attributes control the reading of other configuration attributes from LDAP. These attributes cannot themselves reside in LDAP. They are read only from the command line or the configuration file. See rpc.nisd(4) for more information.

  • nisplusLDAPconfigDN

  • nisplusLDAPconfigPreferredServerList

  • nisplusLDAPconfigAuthenticationMethod

  • nisplusLDAPconfigTLS

  • nisplusLDAPconfigTLSCertificateDBPath

  • nisplusLDAPconfigProxyUser

  • nisplusLDAPconfigProxyPassword

Server Selection

  • preferredServerList

    Specify the LDAP server and port number. Each entry is a host name or IP address, optionally followed by a colon and a port number; when the port is omitted, the standard LDAP port 389 is used.

    # LDAP server can be found at port 389 on the local machine
    # preferredServerList=127.0.0.1
    # Could also be written
    # preferredServerList=127.0.0.1:389
    # LDAP server on the machine at IP address "1.2.3.4", at port 65042
    # preferredServerList=1.2.3.4:65042

Authentication and Security

  • authenticationMethod

  • nisplusLDAPproxyUser

  • nisplusLDAPproxyPassword

The authentication method and, if appropriate for the method selected, the proxy user (bind distinguished name [DN]) and password (key or other shared secret) to be used between the rpc.nisd daemon and the LDAP server. With a simple bind the password crosses the network in clear unless the transport is protected (see nisplusLDAPTLS below), and because it is stored in /etc/default/rpc.nisd the file itself must not be readable by unprivileged users. See "Security and Authentication" for more information.

  • nisplusLDAPTLS

  • nisplusLDAPTLSCertificateDBPath

Optionally use SSL for the connection to the LDAP server, and specify the location of the certificate database used to verify the server. See "Using SSL" for more information.

Default Location in LDAP and NIS+

  • defaultSearchBase

    The point in the LDAP DIT where the containers for RFC 2307-style naming services data live. This is the default used when individual container DNs do not specify a full search base. See "nisplusLDAPobjectDN" for more information.

  • nisplusLDAPbaseDomain

    The default NIS+ domain name to use when NIS+ object specifications (see "nisplusLDAPdatabaseIdMapping") are not fully qualified.

Timeout/Size Limits and Referral Action for LDAP Communication

  • nisplusLDAPbindTimeout

  • nisplusLDAPmodifyTimeout

  • nisplusLDAPaddTimeout

  • nisplusLDAPdeleteTimeout

The above parameters are timeouts for the LDAP bind, modify, add, and delete operations, respectively. They should generally be left at their default values.

  • nisplusLDAPsearchTimeout

  • nisplusLDAPsearchTimeLimit

The above parameters set the timeout for the LDAP search operation and request a server-side search time limit, respectively. Since nisplusLDAPsearchTimeLimit controls how much time the LDAP server spends on the search request, make sure that it is not smaller than nisplusLDAPsearchTimeout; otherwise the server can end the search with a time-limit error before rpc.nisd's own timeout has expired. Depending on the performance of the NIS+ server, the LDAP server, and the connection between them, you might have to increase the search limits from the default values. Watch for timeout syslog messages from rpc.nisd as a clue that these values need to be larger.

  • nisplusLDAPsearchSizeLimit

    The above parameter requests a limit on the amount of LDAP data returned for an LDAP search request. The default is to ask for no limitation. This is a server-side limit: the LDAP server might impose its own maximum, and that maximum might be tied to the proxy user (bind DN) used. Make sure that the LDAP server allows rpc.nisd to transfer enough data to account for the largest container (depending on the site, often the container used for passwd.org_dir, mail_aliases.org_dir, or netgroup.org_dir). Consult your LDAP server documentation for more information.

  • nisplusLDAPfollowReferral

    The above parameter defines the action to be taken when an LDAP operation results in a referral to another LDAP server. The default is to not follow referrals. Enable referral following only if you want or need referrals to be honored. Keep in mind that while referrals are convenient, they can also slow down operations by making rpc.nisd talk to multiple LDAP servers for each request, and they cause rpc.nisd to connect to whatever server the referral names rather than only to the servers listed in preferredServerList. rpc.nisd should generally be pointed directly to an LDAP server that can handle all LDAP requests that it might make.
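The following shell script is an added example and is not part of Sun's documentation or of rpc.nisd itself. It writes two constructed /etc/default/rpc.nisd fragments, a weak one and a hardened one, and audits them for the points raised under Server Selection, Authentication and Security, and Timeout/Size Limits above: a malformed preferredServerList entry, a simple bind whose proxy password would cross the network without nisplusLDAPTLS=ssl, a proxy password in a world-readable file, and a server-side nisplusLDAPsearchTimeLimit below nisplusLDAPsearchTimeout. The attribute names and the values simple, none and ssl are from rpc.nisd(4); the bind DN, password, addresses, the use of port 636 for the SSL case, and the comma-or-blank-separated list format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Sun's code: audit constructed /etc/default/rpc.nisd
# fragments for the settings discussed above. Assumed: preferredServerList
# entries are host[:port] separated by commas or blanks, hosts are IPv4 or
# DNS names; the bind DN, password, addresses and ports are made up.

# Print the value of attribute $1 from file $2 (last uncommented line wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Audit one config file: print each finding, return the number of findings
# (0 means clean), so the return code doubles as an exit status.
audit_rpc_nisd() {
    file=$1
    findings=0
    # 1. Each server entry needs a sane port and, if the host is numeric,
    #    exactly four octets (catches slips such as 127.0.0.0.1).
    for entry in $(cfg_get preferredServerList "$file" | tr ',' ' '); do
        host=${entry%%:*}
        port=${entry#*:}
        [ "$port" = "$entry" ] && port=389      # port omitted: LDAP default
        case $port in
            ''|*[!0-9]*) bad=1 ;;
            *) if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then bad=0; else bad=1; fi ;;
        esac
        case $host in
            *[!0-9.]*) ;;                        # DNS name, not checked here
            *) printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || bad=1 ;;
        esac
        if [ "$bad" -eq 1 ]; then
            echo "$file: malformed preferredServerList entry '$entry'"
            findings=$((findings + 1))
        fi
    done
    # 2. A simple bind sends nisplusLDAPproxyPassword in clear unless the
    #    transport is SSL.
    if [ "$(cfg_get authenticationMethod "$file")" = "simple" ] &&
       [ "$(cfg_get nisplusLDAPTLS "$file")" != "ssl" ]; then
        echo "$file: authenticationMethod=simple without nisplusLDAPTLS=ssl"
        findings=$((findings + 1))
    fi
    # 3. A proxy password in a world-readable file leaks the bind credential
    #    to every local user (column 8 of ls -l is the others-read bit).
    if [ -n "$(cfg_get nisplusLDAPproxyPassword "$file")" ] &&
       [ "$(ls -l "$file" | cut -c8)" = "r" ]; then
        echo "$file: nisplusLDAPproxyPassword set but the file is world-readable"
        findings=$((findings + 1))
    fi
    # 4. The server-side time limit must not be below rpc.nisd's own timeout.
    stimeout=$(cfg_get nisplusLDAPsearchTimeout "$file")
    slimit=$(cfg_get nisplusLDAPsearchTimeLimit "$file")
    if [ -n "$stimeout" ] && [ -n "$slimit" ] && [ "$slimit" -lt "$stimeout" ]; then
        echo "$file: nisplusLDAPsearchTimeLimit=$slimit < nisplusLDAPsearchTimeout=$stimeout"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed "before" fragment: malformed server entry, clear-text simple
# bind, short server-side search limit, and world-readable permissions.
write_weak_conf() {
    cat > "$1" <<'EOF'
preferredServerList=127.0.0.0.1:389
authenticationMethod=simple
nisplusLDAPproxyUser=cn=nisplusAdmin,ou=People,dc=example,dc=com
nisplusLDAPproxyPassword=hunter2
nisplusLDAPTLS=none
nisplusLDAPsearchTimeout=180
nisplusLDAPsearchTimeLimit=60
EOF
    chmod 644 "$1"
}

# Constructed "after" fragment: same credential over SSL (port 636 assumed),
# limits aligned, file readable by its owner only.
write_hardened_conf() {
    cat > "$1" <<'EOF'
preferredServerList=1.2.3.4:636
authenticationMethod=simple
nisplusLDAPproxyUser=cn=nisplusAdmin,ou=People,dc=example,dc=com
nisplusLDAPproxyPassword=hunter2
nisplusLDAPTLS=ssl
nisplusLDAPTLSCertificateDBPath=/var/ldap
nisplusLDAPsearchTimeout=180
nisplusLDAPsearchTimeLimit=180
EOF
    chmod 600 "$1"
}

# Stand-alone run: write both fragments to a scratch directory and audit them.
demo() {
    dir=$(mktemp -d)
    write_weak_conf "$dir/rpc.nisd.weak"
    write_hardened_conf "$dir/rpc.nisd.hardened"
    audit_rpc_nisd "$dir/rpc.nisd.weak" || echo "weak: $? finding(s)"
    audit_rpc_nisd "$dir/rpc.nisd.hardened" && echo "hardened: clean"
    rm -rf "$dir"
}
demo
```

The audit only reads the file, so it cannot check nisplusLDAPsearchSizeLimit, which depends on what the directory allows the proxy DN to retrieve. To verify that, bind to the directory as the proxy user with ldapsearch, request the entries of the largest container with no client-side size limit, and confirm that the server does not answer with a size-limit-exceeded result.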
