System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Storing Configuration Information in LDAP

In addition to keeping NIS+/LDAP configuration information in configuration files and on the rpc.nisd command line, the configuration attributes can be stored in LDAP itself. This is useful when the configuration is shared by many NIS+ servers and is expected to change regularly, since one directory entry is then edited instead of one file per server.

To enable storage of configuration attributes in LDAP, consult your LDAP server documentation and create the attribute types and object class listed below. The configuration entry must reside at the location given by the nisplusLDAPconfigDN value (taken from the rpc.nisd command line or from /lib/svc/method/nisplus), and its cn must equal the nisplusLDAPbaseDomain value. Both of these must be known outside LDAP, because the rpc.nisd daemon needs them to locate the entry before it has read any configuration from LDAP.

The LDIF data is suitable as input to ldapadd(1). The attribute and object class OIDs are for illustration only.

The defaultSearchBase, preferredServerList and authenticationMethod attributes are derived from the DUA Configuration draft schema, which is intended to become an IETF standard. In any case, the following definitions are sufficient for the purposes of NIS+LDAPmapping(4):


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes:	( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' \
		  DESC 'Default LDAP base DN used by a DUA' \
		  EQUALITY distinguishedNameMatch \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' \
		  DESC 'Preferred LDAP server host addresses to be used by a DUA' \
		  EQUALITY caseIgnoreMatch \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' \
		  DESC 'Identifies the authentication method used to connect to the DSA' \
		  EQUALITY caseIgnoreMatch \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

The NIS+/LDAP configuration attributes are as follows:


dn: cn=schema
changetype: modify
add: attributetypes
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.0 \
		  NAME 'nisplusLDAPTLS' \
		  DESC 'Transport Layer Security' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.1 \
		  NAME 'nisplusLDAPTLSCertificateDBPath' \
		  DESC 'Certificate file' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.2 \
		  NAME 'nisplusLDAPproxyUser' \
		  DESC 'Proxy user for data store/retrieval' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.3 \
		  NAME 'nisplusLDAPproxyPassword' \
		  DESC 'Password/key/shared secret for proxy user' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.4 \
		  NAME 'nisplusLDAPinitialUpdateAction' \
		  DESC 'Type of initial update' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.5 \
		  NAME 'nisplusLDAPinitialUpdateOnly' \
		  DESC 'Exit after update ?' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.6 \
		  NAME 'nisplusLDAPretrieveErrorAction' \
		  DESC 'Action following an LDAP search error' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.7 \
		  NAME 'nisplusLDAPretrieveErrorAttempts' \
		  DESC 'Number of times to retry an LDAP search' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.8 \
		  NAME 'nisplusLDAPretrieveErrorTimeout' \
		  DESC 'Timeout between each search attempt' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.9 \
		  NAME 'nisplusLDAPstoreErrorAction' \
		  DESC 'Action following an LDAP store error' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.10 \
		  NAME 'nisplusLDAPstoreErrorAttempts' \
		  DESC 'Number of times to retry an LDAP store' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.11 \
		  NAME 'nisplusLDAPstoreErrorTimeout' \
		  DESC 'Timeout between each store attempt' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.12 \
		  NAME 'nisplusLDAPrefreshErrorAction' \
		  DESC 'Action when refresh of NIS+ data from LDAP fails' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.13 \
		  NAME 'nisplusLDAPrefreshErrorAttempts' \
		  DESC 'Number of times to retry an LDAP refresh' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.14 \
		  NAME 'nisplusLDAPrefreshErrorTimeout' \
		  DESC 'Timeout between each refresh attempt' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.15 \
		  NAME 'nisplusNumberOfServiceThreads' \
		  DESC 'Max number of RPC service threads' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.16 \
		  NAME 'nisplusThreadCreationErrorAction' \
		  DESC 'Action when a non-RPC-service thread creation fails' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.17 \
		  NAME 'nisplusThreadCreationErrorAttempts' \
		  DESC 'Number of times to retry thread creation' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.18 \
		  NAME 'nisplusThreadCreationErrorTimeout' \
		  DESC 'Timeout between each thread creation attempt' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.19 \
		  NAME 'nisplusDumpErrorAction' \
		  DESC 'Action when an NIS+ dump fails' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.20 \
		  NAME 'nisplusDumpErrorAttempts' \
		  DESC 'Number of times to retry a failed dump' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.21 \
		  NAME 'nisplusDumpErrorTimeout' \
		  DESC 'Timeout between each dump attempt' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.22 \
		  NAME 'nisplusResyncService' \
		  DESC 'Service provided during a resync' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.23 \
		  NAME 'nisplusUpdateBatching' \
		  DESC 'Method for batching updates on master' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.24 \
		  NAME 'nisplusUpdateBatchingTimeout' \
		  DESC 'Minimum time to wait before pinging replicas' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.25 \
		  NAME 'nisplusLDAPmatchFetchAction' \
		  DESC 'Should pre-fetch be done ?' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.26 \
		  NAME 'nisplusLDAPbaseDomain' \
		  DESC 'Default domain name used in NIS+/LDAP mapping' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.27 \
		  NAME 'nisplusLDAPdatabaseIdMapping' \
		  DESC 'Defines a database id for an NIS+ object' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.28 \
		  NAME 'nisplusLDAPentryTtl' \
		  DESC 'TTL for cached objects derived from LDAP' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.29 \
		  NAME 'nisplusLDAPobjectDN' \
		  DESC 'Location in LDAP tree where NIS+ data is stored' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.30 \
		  NAME 'nisplusLDAPcolumnFromAttribute' \
		  DESC 'Rules for mapping LDAP attributes to NIS+ columns' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.18.31 \
		  NAME 'nisplusLDAPattributeFromColumn' \
		  DESC 'Rules for mapping NIS+ columns to LDAP attributes' \
		  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )



dn: cn=schema
changetype: modify
add: objectclasses
objectclasses:	( 1.3.6.1.4.1.42.2.27.5.42.42.19.0 NAME 'nisplusLDAPconfig' \
		  DESC 'NIS+/LDAP mapping configuration' \
		  SUP top STRUCTURAL MUST ( cn ) \
		  MAY ( preferredServerList $ defaultSearchBase $ \
		  authenticationMethod $ nisplusLDAPTLS $ nisplusLDAPTLSCertificateDBPath $ \
		  nisplusLDAPproxyUser $ nisplusLDAPproxyPassword $ nisplusLDAPinitialUpdateAction $ \
		  nisplusLDAPinitialUpdateOnly $ nisplusLDAPretrieveErrorAction $ \
		  nisplusLDAPretrieveErrorAttempts $ nisplusLDAPretrieveErrorTimeout $ \
		  nisplusLDAPstoreErrorAction $ nisplusLDAPstoreErrorAttempts $ \
		  nisplusLDAPstoreErrorTimeout $ nisplusLDAPrefreshErrorAction $ \
		  nisplusLDAPrefreshErrorAttempts $ nisplusLDAPrefreshErrorTimeout $ \
		  nisplusNumberOfServiceThreads $ nisplusThreadCreationErrorAction $ \
		  nisplusThreadCreationErrorAttempts $ nisplusThreadCreationErrorTimeout $ \
		  nisplusDumpErrorAction $ nisplusDumpErrorAttempts $ \
		  nisplusDumpErrorTimeout $ nisplusResyncService $ nisplusUpdateBatching $ \
		  nisplusUpdateBatchingTimeout $ nisplusLDAPmatchFetchAction $ \
		  nisplusLDAPbaseDomain $ nisplusLDAPdatabaseIdMapping $ nisplusLDAPentryTtl $ \
		  nisplusLDAPobjectDN $ nisplusLDAPcolumnFromAttribute $ \
		  nisplusLDAPattributeFromColumn ) )

Every name in the MAY list must match an attribute type defined above exactly (the object class is rejected by the server if it references an undefined attribute), so check the list against the attribute definitions before loading it.

Create a file containing the following LDIF data, replacing searchBase with the actual search base and domain with the fully qualified NIS+ domain name:

dn: cn=domain,searchBase
cn: domain
objectClass: top
objectClass: nisplusLDAPconfig

Use this file as input to ldapadd(1) to create the NIS+/LDAP configuration entry. The entry initially holds nothing but cn and objectClass; use ldapmodify(1) to add configuration attributes. Bear in mind that the same entry may later carry nisplusLDAPproxyUser and nisplusLDAPproxyPassword, the credentials rpc.nisd binds with, so restrict read access to the entry to the NIS+ servers themselves. For example, to set the nisplusNumberOfServiceThreads attribute to "32", create the following file and use it as input to ldapmodify(1):

dn: cn=domain,searchBase
changetype: modify
replace: nisplusNumberOfServiceThreads
nisplusNumberOfServiceThreads: 32
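As an added example (not part of the original guide or of rpc.nisd), the following Python script reads schema LDIF written in the style of the two listings above, resolves the object class's MUST and MAY lists against the attribute types it defines, and then validates a configuration entry such as the cn=domain,searchBase record against that schema. The schema and entry embedded in it are constructed for the example: the schema is trimmed to two attribute types, the domain and search base are hypothetical, and the sample MAY list deliberately contains a misspelled attribute name and a stray token, the kind of defect that makes a schema load fail, so the check reports them before anything is sent to ldapadd(1).

```python
import re

# Constructed sample, not the page's full listing: two attribute types and the
# nisplusLDAPconfig object class in the listing's trailing-backslash style. The
# MAY list deliberately contains two defects: "...DBPate" and a stray "!" token.
SCHEMA_LDIF = r"""
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.18.1 \
    NAME 'nisplusLDAPTLSCertificateDBPath' \
    DESC 'Certificate file' \
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.18.15 \
    NAME 'nisplusNumberOfServiceThreads' \
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.19.0 NAME 'nisplusLDAPconfig' \
    DESC 'NIS+/LDAP mapping configuration' \
    SUP top STRUCTURAL MUST ( cn ) \
    MAY ( nisplusLDAPTLSCertificateDBPate $
nisplusNumberOfServiceThreads ! ) )
"""

# Constructed entry (hypothetical domain and search base); the SINGLE-VALUE
# attribute is given twice, which the directory server would reject.
CONFIG_ENTRY = """\
dn: cn=example.com.,dc=example,dc=com
cn: example.com.
objectClass: nisplusLDAPconfig
nisplusNumberOfServiceThreads: 32
nisplusNumberOfServiceThreads: 64
"""

NAME_RE, OID_RE = re.compile(r"\bNAME\s+'([^']+)'"), re.compile(r"^\(\s*([0-9.]+)")

def _open(buf):
    """True while the buffered line ends in '\\' or has an unclosed '('."""
    return buf.endswith("\\") or buf.count("(") > buf.count(")")

def logical_lines(text):
    """Join physical lines into 'attr: value' lines (backslash continuation and
    bare wrapping inside an unclosed parenthesis, as in the listing)."""
    out, buf = [], None
    for raw in text.splitlines():
        if buf is not None and _open(buf):
            buf = (buf[:-1] if buf.endswith("\\") else buf).rstrip() + " " + raw.strip()
        else:
            out += [buf] if buf is not None else []
            buf = raw if raw.strip() else None
    return out + ([buf] if buf is not None else [])

def _names_in(definition, keyword):
    """Attribute names listed after MUST or MAY, with '$' separators removed."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|(\S+))", definition)
    body = "" if not m else (m.group(1) if m.group(1) is not None else m.group(2))
    return body.replace("$", " ").split()

def parse_schema(text):
    """Return (attribute types, object classes) keyed by lower-cased NAME."""
    attrs, classes = {}, {}
    for line in logical_lines(text):
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        name, oid = NAME_RE.search(value), OID_RE.match(value)
        if not (sep and name and oid):
            continue  # dn/changetype/add/'-' lines carry no schema definition
        rec = {"name": name.group(1), "oid": oid.group(1)}
        if key == "attributetypes":
            rec["single"] = "SINGLE-VALUE" in value
            attrs[rec["name"].lower()] = rec
        elif key == "objectclasses":
            rec["must"], rec["may"] = _names_in(value, "MUST"), _names_in(value, "MAY")
            classes[rec["name"].lower()] = rec
    return attrs, classes

def check_schema(attrs, classes):
    """Report MUST/MAY entries that name no defined attribute type."""
    known = set(attrs) | {"cn", "objectclass"}  # core attributes assumed present
    return [f"{c['name']}: unknown attribute '{r}'" for c in classes.values()
            for r in c["must"] + c["may"] if r.lower() not in known]

def check_entry(entry_ldif, attrs, classes):
    """Check an entry: attributes permitted, MUST present, SINGLE-VALUE not repeated."""
    values = {}
    for line in logical_lines(entry_ldif):
        key, sep, value = line.partition(":")
        if sep:
            values.setdefault(key.strip().lower(), []).append(value.strip())
    allowed, required = {"dn", "objectclass"}, set()
    for oc in values.get("objectclass", []):
        cls = classes.get(oc.lower(), {"must": [], "may": []})  # 'top' adds nothing
        allowed |= {n.lower() for n in cls["must"] + cls["may"]}
        required |= {n.lower() for n in cls["must"]}
    problems = [f"attribute {k} not permitted by the entry's object classes"
                for k in values if k not in allowed]
    problems += [f"{attrs[k]['name']} is SINGLE-VALUE but has {len(v)} values"
                 for k, v in values.items() if k in attrs and attrs[k]["single"] and len(v) > 1]
    problems += [f"missing required attribute {k}" for k in sorted(required - set(values))]
    return problems
```

Call parse_schema() on the schema text and pass the result to check_schema() and check_entry(). On the constructed samples the reports are the unknown names nisplusLDAPTLSCertificateDBPate and !, and nisplusNumberOfServiceThreads given twice although it is SINGLE-VALUE. The line joiner follows the listings' trailing-backslash continuation and bare wrapping inside parentheses rather than RFC 2849 leading-space folding, so feed it the files in the form shown in this guide.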