ldapcd.conf - Configuration file for LDAP authentication.
/etc/ldapcd.conf
The ldapcd.conf file contains the configuration and operating
parameters for the LDAP authentication daemon.
To modify ldapcd.conf, use one of the following methods:

  o  Use the SysMan Menu options. Expand the menu and select
     General Tasks - Setup LDAP Configuration. When you select
     this option, a window titled LDAP Configuration is displayed,
     containing a list of the LDAP configuration attributes. When
     you select an attribute from the list, a dialog box is
     displayed showing the current attribute value and providing
     an area for you to enter a new attribute value.

  o  Use a text editor to edit the ldapcd.conf file and modify
     the parameters.

If you use a text editor to edit the configuration file, you must
enter only one parameter per line. To create comments, use the
number sign (#). Any characters from the number sign to the end of
the line are ignored. Blank lines and any leading or trailing white
space on a line are also ignored. The file format for ldapcd.conf
is as follows:

     # comment_string
     parameter: integer
     identifier: string
     identifier: "quoted_string,quoted_string,..."
Parameters

You can modify the values of the caching parameters as follows:

  directory
       Host name of the LDAP directory server to be used for
       user authentication.

  searchbase
       The root of the branch in the directory server's
       database where user information is stored.

  port
       The default directory server port; this must match the
       port you are using for the directory server.

  connections
       The number of open connections that the caching daemon
       makes to the active directory. Increasing the value of
       this entry opens more connections to the active
       directory; however, this consumes more file descriptors
       and increases the load on the active directory.
       Typically, 4 connections are adequate for a workstation
       and 15 connections are adequate for a server.
       Default: 4 connections

  max_threads
       Maximum number of threads maintained by the ldapcd
       caching daemon. Each thread handles one connection to a
       local program. Allowing a higher number of threads may
       enable better response from the LDAP caching daemon, but
       requires more memory. If you are running a service that
       requires a large number of connections (for example, a
       mail service), set the maximum number of threads to 64 or
       greater (if your system has sufficient memory).

  pw_cachesize
       The maximum number of user entries to store in the cache.
       Increase or decrease this value as the maximum number of
       users increases or decreases.
       Default: 500 entries

  pw_expirecache
       The maximum number of seconds to cache a user entry.
       Increasing this value increases performance because a
       user's entry is readily available in the cache. If you
       delete a recently used user account, its entry remains in
       the cache for the amount of time specified by this
       parameter.
       Default: 900 seconds

  gr_cachesize
       The maximum number of group IDs to cache. Increasing this
       value increases performance because group IDs are readily
       available in the cache.
       Default: 100 group IDs

  gr_expirecache
       The maximum number of seconds to cache group IDs.
       Default: 900 seconds

  machine_dn
       The distinguished name by which the ldapcd caching daemon
       binds to the directory to do searches and retrievals of
       information from the directory. By requiring each system
       to use a particular DN, you can determine which machines
       are accessing the directory and for what purpose.
       Further, you can also control read and search access to
       the directory on a machine-account basis.

  Netgroup object class
       The name for the object class that defines the attributes
       for a netgroup entry in the extended schema on your
       server. Typically this is set to nisNetGroup as specified
       in RFC 2307. If you change this object class, you must
       also ensure that the rest of the nisnetgrp* attributes in
       ldapcd.conf are set to attributes in the new object class.

  Netgroup name attribute
       LDAP attribute name for the netgroup name. The default
       value is cn.

  Netgroup triple attribute
       LDAP attribute name for defining a netgroup triple with
       the syntax (hostname,username,domainname). The default
       value is nisNetgroupTriple.

  Netgroup member attribute
       LDAP attribute name for defining a member netgroup. The
       default is memberNisNetgroup.

  Netgroup search base
       If specified, sets the root branch in the directory
       server's database where netgroup entries are stored,
       overriding the searchbase parameter.

  User search base
       If specified, sets the root branch in the directory
       server's database where user entries are stored,
       overriding the searchbase parameter.

  Group search base
       If specified, sets the root branch in the directory
       server's database where group entries are stored,
       overriding the searchbase parameter.

  machine_pass
       Password associated with the machine_dn entry.

  pw_oclass
       The name for the object class that defines the attributes
       for a UNIX account in the extended schema on your server.
       Typically this is set to posixAccount as specified in
       RFC 2307. If you change this object class, you must also
       ensure that the rest of the pw_* attributes in ldapcd.conf
       are set to attributes in the new object class.

  pw_username
       LDAP attribute name mapped to the pw_username field in
       the passwd structure returned by a call to getpwent(3).

  pw_password
       LDAP attribute name mapped to the pw_password field in
       the passwd structure returned by a call to getpwent(3).
       Only the encrypted password is stored in the userPassword
       attribute.

  pw_uid
       LDAP attribute name mapped to the pw_uid field in the
       passwd structure returned by a call to getpwent(3).

  pw_gid
       LDAP attribute name mapped to the pw_gid field in the
       passwd structure returned by a call to getpwent(3).

  pw_quota
       LDAP attribute name mapped to the pw_quota field in the
       passwd structure returned by a call to getpwent(3).

  pw_comment
       LDAP attribute name mapped to the pw_comment field in the
       passwd structure returned by a call to getpwent(3).

  pw_gecos
       LDAP attribute name mapped to the pw_gecos field in the
       passwd structure returned by a call to getpwent(3).

  pw_homedir
       LDAP attribute name mapped to the pw_homedir field in the
       passwd structure returned by a call to getpwent(3).

  pw_shell
       LDAP attribute name mapped to the pw_shell field in the
       passwd structure returned by a call to getpwent(3).

  gr_oclass
       LDAP class name mapped to the gr_oclass field in the
       group structure returned by a call to getgrent(3).

  gr_name
       LDAP attribute name mapped to the group name field in the
       group structure returned by a call to getgrent(3).

  gr_password
       LDAP attribute name mapped to the group password field in
       the group structure returned by a call to getgrent(3).

  gr_gid
       LDAP attribute name mapped to the group ID field in the
       group structure returned by a call to getgrent(3).

  gr_members
       LDAP attribute name mapped to the member UID field in the
       group structure returned by a call to getgrent(3).
Using a Revised Configuration
If you change the value of a cache parameter in the
/etc/ldapcd.conf file, you must enter the following command
to read the new configuration and restart the daemon:
# /sbin/init.d/ldapcd restart
The following example shows a typical configuration file:

     #
     # directory server and port, active ldap connections cached
     # by the daemon, max worker threads started
     #
     directory: host.xyz.com
     searchbase: "o=XYZCompany"
     port: 389
     connections: 6
     max_threads: 64

     #
     # max entries in cache, and number of seconds before entries
     # expire in the cache
     #
     pw_cachesize: 2000
     pw_expirecache: 120
     gr_cachesize: 100
     gr_expirecache: 600
     . . .
     machine_dn: "cn=Directory Manager"
     machine_pass: "password"
     #
     . . .
     # the objectClass name of a password entry
     pw_oclass: posixAccount

     # name mappings for password attribute fields
     pw_username: uid
     pw_password: userPassword
     pw_uid: uidNumber
     pw_gid: gidNumber
     pw_quota:
     pw_comment: description
     pw_gecos: gecos
     pw_homedir: homedirectory
     pw_shell: loginshell

     # the objectClass name of a group entry
     gr_oclass: posixGroup

     # name mappings for group attribute fields
     gr_oclass: unixGroup
     gr_name: cn
     gr_password: userPassword
     gr_gid: gidNumber
     gr_members: MemberUID
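The following Python module is an added example written for this page; it is not part of ldapcd or of the man page. It implements the file format rules stated above (one "parameter: value" per line, "#" starts a comment, blank lines and leading or trailing white space ignored, values optionally double-quoted) and runs a few review checks over a constructed sample modelled on the example configuration: non-integer values for the integer parameters, a machine_dn with no machine_pass, an obviously placeholder machine_pass, and a machine_dn that binds as the directory manager even though the page says the DN is only used for searches and retrievals. The check list, the placeholder-password list, and the assumption that a repeated parameter keeps its last value are the example's own, not documented ldapcd behaviour.

```python
"""Parser and review checks for the ldapcd.conf format (added example).

Illustrative code written for this page; not part of ldapcd or the man
page. The format rules are the ones the page states; the checks, the
placeholder-password list and the last-value-wins rule for repeated
parameters are assumptions made here.
"""
import os
import stat
from typing import Dict, List, Tuple

# Integer parameters named on the page, with the defaults the page states
# (None where the page gives no default).
INTEGER_PARAMS: Dict[str, object] = {
    "port": None, "connections": 4, "max_threads": None,
    "pw_cachesize": 500, "pw_expirecache": 900,
    "gr_cachesize": 100, "gr_expirecache": 900,
}

# Constructed sample, modelled on the page's example; the repeated gr_oclass
# and the placeholder password are kept so the checks below have work to do.
SAMPLE_CONF = """\
#
# directory server and port, cached connections, worker threads
#
directory: host.xyz.com
searchbase: "o=XYZCompany"
port: 389
connections: 6
max_threads: 64
pw_cachesize: 2000
pw_expirecache: 120
machine_dn: "cn=Directory Manager"
machine_pass: "password"
pw_oclass: posixAccount
pw_quota:
gr_oclass: posixGroup
gr_oclass: unixGroup      # repeated on purpose
"""


def parse_ldapcd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse ldapcd.conf text into {parameter: value} plus parse warnings."""
    params: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comment, trim white space
        if not line:
            continue                              # blank or comment-only line
        if ":" not in line:
            warnings.append(f"line {lineno}: not a 'parameter: value' pair")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # strip the quotes of "quoted_string"
        if name in params:                        # assumption: last value wins
            warnings.append(f"line {lineno}: {name} set more than once; last value wins")
        params[name] = value
    return params, warnings


def effective_integers(params: Dict[str, str]) -> Dict[str, object]:
    """Integer parameters with the page's defaults applied where a value is absent."""
    result: Dict[str, object] = {}
    for name, default in INTEGER_PARAMS.items():
        value = params.get(name)
        result[name] = int(value) if value is not None and value.isdigit() else default
    return result


def check_ldapcd_conf(params: Dict[str, str]) -> List[str]:
    """Findings a reviewer would want before the daemon reads this file."""
    findings: List[str] = []
    for name in INTEGER_PARAMS:
        if name in params and not params[name].isdigit():
            findings.append(f"{name}: expected an integer, got {params[name]!r}")
    for required in ("directory", "searchbase"):
        if not params.get(required):
            findings.append(f"{required}: required but not set")
    # The daemon binds as machine_dn with machine_pass; a DN without a
    # password would leave the bind unauthenticated.
    if params.get("machine_dn") and not params.get("machine_pass"):
        findings.append("machine_dn is set but machine_pass is empty")
    if params.get("machine_pass") in ("password", "secret", "changeme"):  # constructed list
        findings.append("machine_pass: looks like a placeholder value")
    # The page says machine_dn is used for searches and retrievals and that
    # read/search access can be controlled per machine account, so a
    # read-only account is enough; flag a directory-manager bind.
    if "directory manager" in params.get("machine_dn", "").lower():
        findings.append("machine_dn: binds as the directory manager; a read-only account suffices")
    return findings


def check_file_mode(path: str) -> List[str]:
    """machine_pass sits in the file in clear text, so it should not be group/world accessible."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {stat.S_IMODE(mode):04o} is accessible by group or other"]
    return []


if __name__ == "__main__":
    parsed, parse_warnings = parse_ldapcd_conf(SAMPLE_CONF)
    for line in parse_warnings + check_ldapcd_conf(parsed):
        print(line)
    if os.path.exists("/etc/ldapcd.conf"):
        for line in check_file_mode("/etc/ldapcd.conf"):
            print(line)
```

Run the module directly to print the warnings and findings for the constructed sample; on a host that actually has /etc/ldapcd.conf it also reports whether the file mode exposes machine_pass to other local users. The ". . ." lines of the page's example are deliberately not in the sample, since the parser would (correctly) report them as malformed.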
/etc/ldapcd.conf
     Location of the file.

ldapcd.conf(4)