lists.arthurdejong.org

Re: Request Attribute lists and maps

On Thu, 2011-07-21 at 14:17 -0400, David Mitton wrote:
> Is it possible to tell the LDAP service that I only want a few
> specific user attributes returned on the network,
> using the map directives in nslcd.conf?

By default nslcd only requests the attributes that it requires for the
attribute mapping configuration (see the README for the attributes).

> Most of the documentation about the map lines talks about the return editing
> and there is a dearth of information on how it affects the search
> request, if at all.

The userPassword, gidNumber, gecos, homeDirectory and loginShell
attributes for passwd, the userPassword attribute for group and the
userPassword, shadowLastChange, shadowMin, shadowMax, shadowWarning,
shadowInactive, shadowExpire and shadowFlag attributes for shadow maps
may be mapped with an expression so these attributes could be mapped to
some constant string or using another attribute that is already
required. E.g.:

  map passwd userPassword "*"
  map passwd gidNumber 100
  map passwd gecos ""
  map passwd homeDirectory "/home/$uid"
  map passwd loginShell "/bin/bash"

should request only the uid, uidNumber and objectClass attributes
for passwd requests. You should furthermore try to restrict the search
filters as much as possible to reduce the number of results returned,
especially groups with a lot of members can be large.

Also, if network usage is an issue you should try (u)nscd. It will save
some requests (e.g. during login a number of different calls to get the
user information are done). However, the "give me all users" requests are
not cached and neither is shadow information.

Hope this helps. If you have improvements to the documentation, they are
more than welcome.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
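
The effect described in the message above, modelled as an added example (not part of the original e-mail and not nslcd's own code): given the `map` lines of an nslcd.conf, it works out which attributes a passwd search would still have to request, which is a quick way to check that `userPassword` no longer crosses the network. Assumptions: the default attribute names are the ones named in the message, a quoted value or a bare number is treated as an expression as in the message's example, and only `$attr` / `${attr...}` references are recognised.

```python
import re

# Assumption: default passwd attributes, taken from the names in the message.
PASSWD_DEFAULTS = ("uid", "userPassword", "uidNumber", "gidNumber",
                   "gecos", "homeDirectory", "loginShell")
# Attribute references inside an expression: $uid or ${uid...}
VAR = re.compile(r"\$\{?([A-Za-z][A-Za-z0-9-]*)")

# Constructed sample input: the five map lines quoted in the message.
PAGE_EXAMPLE = '''
map passwd userPassword "*"
map passwd gidNumber 100
map passwd gecos ""
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"
'''

def requested_attributes(conf_text, mapname="passwd", defaults=PASSWD_DEFAULTS):
    """Return the sorted attribute names a search for `mapname` would request."""
    mapping = {name: name for name in defaults}   # field -> LDAP attribute
    expressions = []                               # fields replaced by expressions
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 3)
        if len(parts) != 4 or parts[0] != "map" or parts[1] != mapname:
            continue                               # blank, comment or other option
        field, value = parts[2], parts[3]
        if value.startswith('"') or value.isdigit():
            # Expression or constant: the field itself is no longer fetched.
            mapping.pop(field, None)
            expressions.append(value.strip('"'))
        else:
            # Plain rename: a different attribute is fetched instead.
            mapping[field] = value
    wanted = set(mapping.values()) | {"objectClass"}
    for expr in expressions:
        # Attributes referenced by an expression still have to be requested.
        wanted.update(m.group(1) for m in VAR.finditer(expr))
    return sorted(wanted)

if __name__ == "__main__":
    print("defaults:  ", requested_attributes(""))
    print("with maps: ", requested_attributes(PAGE_EXAMPLE))
```

Comparing the result with the attribute list in a packet capture or the LDAP server's access log shows whether the running configuration matches what the file implies.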