ldapcd.conf(4)
NAME
ldapcd.conf - Configuration file for LDAP authentication.
SYNOPSIS
/etc/ldapcd.conf
DESCRIPTION
The ldapcd.conf file contains the configuration and operating parameters for the LDAP authentication daemon.
To modify ldapcd.conf, use one of the following methods:

    Use the SysMan Menu options. Expand the menu and select General Tasks - Setup LDAP Configuration. When you select this option, a window titled LDAP Configuration is displayed, containing a list of the LDAP configuration attributes. When you select an attribute from the list, a dialog box is displayed showing the current attribute value and providing an area for you to enter a new attribute value.

    Use a text editor to edit the ldapcd.conf file and modify the parameters.
If you use a text editor to edit the configuration file, you must enter only one parameter per line. To create comments, use the number sign (#). Any characters after the number sign are ignored to the end of the line. Blank lines and any leading or trailing white space on a line are also ignored. The file format for ldapcd.conf is as follows:

    # comment_string
    parameter: integer
    identifier: string
    identifier: "quoted_string,quoted_string,..."
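The parsing rules just described (one parameter per line, number-sign comments, ignored blank lines and surrounding white space, quoted string values), worked as an added example that is not part of the original manual page. The parameter names and the constructed sample values follow the EXAMPLE section below; the findings reported by check_conf are this example's own additions.

```python
import stat
from pathlib import Path

# Constructed sample in the ldapcd.conf format (not a real site's file).
SAMPLE = """\
# directory server and port
directory: host.xyz.com      # trailing comment is ignored
searchbase: "o=XYZCompany"
port: 389
connections: 6
  max_threads: 64
pw_quota:
machine_dn: "cn=Directory Manager"
machine_pass: "password"
"""

# Parameters whose values the manual page gives as integers.
INTEGER_PARAMS = {"port", "connections", "max_threads", "pw_cachesize",
                  "pw_expirecache", "gr_cachesize", "gr_expirecache"}

def parse_ldapcd_conf(text):
    """Return {parameter: value} for ldapcd.conf text, applying the page's rules."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # everything after '#' is ignored
        if not line:                           # blank or comment-only line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (expected 'name: value'): {raw!r}")
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                # quoted_string form
        elif name in INTEGER_PARAMS:
            value = int(value)
        conf[name] = value                     # "" means present but unset (pw_quota:)
    return conf

def check_conf(conf, path=None):
    """Return findings a defender wants flagged; path enables the file-mode check."""
    findings = []
    if conf.get("machine_pass"):
        findings.append("machine_pass stores the bind password in the file; restrict access")
        if path is not None:
            mode = Path(path).stat().st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"{path} is group- or world-readable")
    if conf.get("machine_dn") and not conf.get("machine_pass"):
        findings.append("machine_dn is set but machine_pass is missing")
    if "directory" not in conf:
        findings.append("directory (LDAP server host) is not set")
    return findings
```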
Parameters
You can modify the values of the caching parameters as follows:

    Host name of the LDAP directory server to be used for user authentication.

    The root of the branch in the directory server's database where user information is stored.

    The default directory server port; this must match the port you are using for the directory server.

    The number of open connections that the caching daemon makes to the active directory. Increasing the value of this entry opens more connections to the active directory; however, this consumes more file descriptors and increases the load on the active directory. Typically, 4 connections are adequate for a workstation and 15 connections are adequate for a server.
    Default: 4 connections

    Maximum number of threads maintained by the ldapcd caching daemon. Each thread handles one connection to a local program. Allowing a higher number of threads may enable better response from the LDAP caching daemon, but requires more memory. If you are running a service that requires a large number of connections (for example, a mail service), set the maximum number of threads to 64 or greater (if your system has sufficient memory).

    The maximum number of user entries to store in cache. Increase or decrease this value as the maximum number of users increases or decreases.
    Default: 500 entries

    The maximum number of seconds to cache a user entry. Increasing this value increases performance because a user's entry is readily available in the cache. If you delete a recently used user account, its entry remains in the cache for the amount of time specified by this parameter.
    Default: 900 seconds

    The maximum number of group IDs to cache. Increasing this value increases performance because group IDs are readily available in the cache.
    Default: 100 group IDs

    The maximum number of seconds to cache group IDs.
    Default: 900 seconds

    The value of machine_dn is the distinguished name by which the ldapcd caching daemon binds to the directory to do searches and retrievals of information from the directory. By requiring each system to use a particular DN, you can determine which machines are accessing the directory and for what purpose. Further, you can also control read and search access to the directory on a machine-account basis.

    The name for the object class that defines the attributes for a netgroup entry in the extended schema on your server. Typically this is set to nisNetGroup as specified in RFC 2307. If you change this object class, you must also ensure that the rest of the nisnetgrp* attributes in ldapcd.conf are set to attributes in the new object class.

    LDAP attribute name for the netgroup name. The default value is cn.

    LDAP attribute name for defining a netgroup triple with the syntax (hostname,username,domainname). The default value is nisNetgroupTriple.

    LDAP attribute name for defining a member netgroup. The default is memberNisNetgroup.

    If specified, sets the root branch in the directory server's database where netgroup entries are stored, overriding the searchbase parameter.

    If specified, sets the root branch in the directory server's database where user entries are stored, overriding the searchbase parameter.

    If specified, sets the root branch in the directory server's database where group entries are stored, overriding the searchbase parameter.

    Password associated with the machine_dn entry.

    The name for the object class that defines the attributes for a UNIX account in the extended schema on your server. Typically this is set to posixAccount as specified in RFC 2307. If you change this object class, you must also ensure that the rest of the pw_* attributes in ldapcd.conf are set to attributes in the new object class.

    LDAP attribute name mapped to the pw_username field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_password field in the group structure returned by a call to getpwent(3). Only the encrypted password is stored in the userPassword attribute.

    LDAP attribute name mapped to the pw_uid field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_gid field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_quota field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_comment field in the group structure returned by a call to getgrent(3).

    LDAP attribute name mapped to the pw_gecos field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_homedir field in the group structure returned by a call to getpwent(3).

    LDAP attribute name mapped to the pw_shell field in the group structure returned by a call to getpwent(3).

    LDAP class name mapped to the gr_oclass field in the group structure returned by a call to getgrent(3).

    LDAP group name mapped to the gr_class field in the group structure returned by a call to getgrent(3).

    LDAP group password mapped to the gr_class field in the group structure returned by a call to getgrent(3).

    LDAP group id mapped to the gr_class field in the group structure returned by a call to getgrent(3).

    LDAP member uid mapped to the gr_class field in the group structure returned by a call to getgrent(3).
Using a Revised Configuration
If you change the value of a cache parameter in the /etc/ldapcd.conf file, you must enter the following command to read the new configuration and restart the daemon:

    # /sbin/init.d/ldapcd restart
EXAMPLE
The following example shows a typical configuration file:

    #
    # directory server and port, active ldap connections cached
    # by the daemon, max worker threads started
    #
    directory: host.xyz.com
    searchbase: "o=XYZCompany"
    port: 389
    connections: 6
    max_threads: 64
    #
    # max entries in cache, and number of seconds before entries
    # expire in the cache
    #
    pw_cachesize: 2000
    pw_expirecache: 120
    gr_cachesize: 100
    gr_expirecache: 600
    . . .
    machine_dn: "cn=Directory Manager"
    machine_pass: "password"
    #
    . . .
    # the objectClass name of a password entry
    pw_oclass: posixAccount
    # name mappings for password attribute fields
    pw_username: uid
    pw_password: userPassword
    pw_uid: uidNumber
    pw_gid: gidNumber
    pw_quota:
    pw_comment: description
    pw_gecos: gecos
    pw_homedir: homedirectory
    pw_shell: loginshell
    # the objectClass name of a group entry
    gr_oclass: posixGroup
    # name mappings for group attribute fields
    gr_oclass: unixGroup
    gr_name: cn
    gr_password: userPassword
    gr_gid: gidNumber
    gr_members: MemberUID
FILES
    /etc/ldapcd.conf
        Location of the file.