Arthur de Jong

+ 02110-1301 USA

+<!-- DO NOT DOCUMENT FOR NOW BECAUSE IT'S NOT SUPPORTED

+ <term><emphasis remap="B">rootsasl_authid &lt;authid&gt;</emphasis></term>

+ <term><emphasis remap="B"><opional>root</opional>use_sasl &lt;yes|no&gt;</emphasis></term>

+-->

+<!-- DO NOT DOCUMENT FOR NOW BECAUSE IT'S NOT SUPPORTED

+-->

+ <varlistentry>

+ <term><option>base</option>

+ <optional><emphasis remap="I">MAP</emphasis></optional>

+ <emphasis remap="I">DN</emphasis></term>

+ <para>

+ Specifies the base distinguished name (<acronym>DN</acronym>)

+ to use as search base.

+ A global search base may be specified or a MAP-specific one.

+ If no MAP-specific search base is defined the global one is used.

+ </para>

+ </varlistentry>

+ <varlistentry>

+ <term><option>scope</option>

+ <optional><emphasis remap="I">MAP</emphasis></optional>

+ sub<optional>tree</optional>|one<optional>level</optional>|base</term>

+ <para>

+ Specifies the search scope (subtree, one level or base object).

+ The default scope is subtree; base scope is almost never useful for

+ nameservice lookups.

+ </para>

+ </varlistentry>

+ <varlistentry>

+ <term><option>deref</option> never|searching|finding|always</term>

+ <para>

+ Specifies the policy for dereferencing aliases.

+ The default policy is to never dereference aliases.

+ </para>

+ </varlistentry>

+ <varlistentry>

+ <term><option>referrals</option> yes|no</term>

+ <para>

+ Specifies whether automatic referral chasing should be enabled.

+ The default behaviour is to chase referrals.

+ </para>

+ </varlistentry>

+ <varlistentry>

+ <term><option>filter</option>

+ <emphasis remap="I">MAP</emphasis>

+ <emphasis remap="I">FILTER</emphasis></term>

+ <para>

+ The <emphasis remap="I">FILTER</emphasis>

+ is an <acronym>LDAP</acronym> search filter to use for a

+ specific map.

+ The default filter is a basic search on the

+ objectClass for the map (e.g. <code>(objectClass=posixAccount)</code>).

+ </para>

+ </varlistentry>

+ <varlistentry>

+ <term><option>map</option>

+ <emphasis remap="I">MAP</emphasis>

+ <emphasis remap="I">ATTRIBUTE</emphasis>

+ <emphasis remap="I">NEWATTRIBUTE</emphasis></term>

+ <para>

+ This option allows for custom attributes to be looked up instead of

+ the default RFC 2307 attributes that are used.

+ The <emphasis remap="I">MAP</emphasis> may be one of

+ the supported maps below.

+ The <emphasis remap="I">ATTRIBUTE</emphasis> is the one as

+ used in <acronym>RFC</acronym> 2307 (e.g. <code>userPassword</code>,

+ <code>ipProtocolNumber</code> or <code>macAddress</code>).

+ The <emphasis remap="I">NEWATTRIBUTE</emphasis> may be any attribute

+ as it is available in the directory.

+<!--

+ If the <emphasis remap="I">NEWATTRIBUTE</emphasis> is presented in

+ quotes (") the specfied value will be used instead of looking up the

+ value in the directory.

+ Specifies a value to use for the specified attribute in preference

+ to that contained in the actual entry.

+-->

+ </para>

+ </varlistentry>

+<!--

+ <varlistentry>

+ <term><option>default</option> <emphasis remap="I">MAP.ATTRIBUTE</emphasis> "<emphasis remap="I">VALUE</emphasis>"</term>

+ <para>

+ Specifies the default value to use for entries that lack the

+ specified attribute.

+ Use the specified <emphasis remap="I">VALUE</emphasis> if the

+ lookup in the directory for the specified attribute would not return

+ any data.

+ Note that if the <acronym>LDAP</acronym> server returns an empty string

+ for the attribute an empty string is returned.

+ </para>

+ </varlistentry>

+-->

+ <varlistentry>

+ <para>Specifies the time limit (in seconds) to use when performing searches. A value

+ of zero (0), which is the default, is to wait indefinitely for

+ searches to be completed.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the time limit (in seconds) to use when connecting to the directory

+ server. This is distinct from the time limit specified in

+ <emphasis remap="B">timelimit</emphasis>

+ and affects the initial server connection only. (Server connections

+ are otherwise cached.) Only some

+ <acronym>LDAP</acronym>

+ client libraries have the underlying functionality necessary to

+ support this option. The default bind timelimit is 30 seconds.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the policy to use for reconnecting to an unavailable

+ <acronym>LDAP</acronym>

+ server. The default is

+ <emphasis remap="B">hard_open,</emphasis>

+ which reconnects if opening the connection to the directory server

+ failed. By contrast,

+ <emphasis remap="B">hard_init</emphasis>

+ reconnects if initializing the connection failed. Initializing may not

+ actually contact the directory server, and it is possible that a

+ malformed configuration file will trigger reconnection. If

+ <emphasis remap="B">soft</emphasis>

+ is specified, then

+ <emphasis remap="B">nss_ldap</emphasis>

+ will return immediately on server failure. All "hard" reconnect

+ policies block with exponential backoff before retrying.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Determines whether nss_ldap persists connections. The default

+ is for the connection to the LDAP server to remain open after

+ the first request.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the time (in seconds) after which

+ <emphasis remap="B">nss_ldap</emphasis>

+ will close connections to the directory server. The default is not to

+ time out connections.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies whether to use SSL/TLS or not (the default is not to). If

+ <emphasis remap="B">start_tls</emphasis>

+ is specified then StartTLS is used rather than raw LDAP over SSL.

+ Not all <acronym>LDAP</acronym> client libraries support both SSL

+ and StartTLS, and all related configuration options.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>For the Netscape and Mozilla

+ <acronym>LDAP</acronym>

+ client libraries only, this specifies the path to the X.509

+ certificate database.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies whether to require and verify the server certificate

+ or not, when using SSL/TLS with the OpenLDAP client library.

+ The default is to use the default behaviour of the client

+ library; for OpenLDAP 2.0 and earlier it is "no", for OpenLDAP

+ 2.1 and later it is "yes". At least one of

+ <emphasis remap="B">tls_cacertdir</emphasis>

+ and

+ <emphasis remap="B">tls_cacertfile</emphasis>

+ is required if peer verification is enabled.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the directory containing X.509 certificates for peer

+ authentication.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the path to the X.509 certificate for peer authentication.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the path to an entropy source.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the ciphers to use for TLS. See your TLS implementation's

+ documentation for further information.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the path to the file containing the local certificate for

+ client TLS authentication.</para>

+ </varlistentry>

+ <varlistentry>

+ <para>Specifies the path to the file containing the private key for client

+ TLS authentication.</para>

+ </varlistentry>

+ <refsect1 id="maps">

+ <title>Supported maps</title>

+ <para>

+ The following maps are supported. They are referenced as

+ <emphasis remap="I">MAP</emphasis> withthe options.

+ </para>

+ <variablelist remap="TP">

+ <varlistentry>

+ <term>alias(es)</term>

+ <listitem><para>Mail aliases (ignored by most mail servers).</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>ether(s)</term>

+ <listitem><para>Ethernet numbers (mac addresses).</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>group</term>

+ <listitem><para>Posix groups.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>host(s)</term>

+ <listitem><para>Host names.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>netgroup</term>

+ <listitem><para>Host and user groups used for access control.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>network(s)</term>

+ <listitem><para>Network numbers.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>passwd</term>

+ <listitem><para>Posix users.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>protocol(s)</term>

+ <listitem><para>Protocol definitions (like in <filename>/etc/protocols</filename>).</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>rpc</term>

+ <listitem><para>Remote procedure call names and numbers.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>service(s)</term>

+ <listitem><para>Network service names and numbers.</para></listitem>

+ </varlistentry>

+ <varlistentry>

+ <term>shadow</term>

+ <listitem><para>Shadow user password information.</para></listitem>

+ </varlistentry>

+ </variablelist>

+ </refsect1>

+