Manual Reference Pages  -  LDAP2PF (1)


NAME

ldap2pf - Create and update PF tables from LDAP groups

SYNOPSIS

ldap2pf [-46npv] [-b base] [-d domain] [-h host] [-P page size] [-s servers] [-u user[@domain]] group ...

DESCRIPTION

The ldap2pf utility creates and updates PF address tables based on group memberships in an LDAP directory.

For each group name specified on the command line, the ldap2pf utility searches the LDAP directory for group objects bearing that name. It then resolves the membership of these groups recursively, collects the DNSHostName attributes of all member objects, and looks up A and/or AAAA DNS records for these names.

If no errors occurred during this process, a PF address table with the same name as the LDAP group is either created or updated to match the list of IP addresses that were discovered. If the table already exists, its contents are replaced with the list that was obtained from the LDAP directory, unless the -p option was specified, in which case the table is treated as append-only: addresses are added but never removed. If any LDAP or DNS lookup fails, the table is left as it was.

The following options are available:

    -4
        Include IPv4 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.

    -6
        Include IPv6 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.

    -b base
        The search base for LDAP lookups. The default is derived from the LDAP domain.

    -d domain
        The LDAP domain. The default is derived from the host name.

    -h host
        The client's host name. The default is whatever uname(3) returns.

    -n
        Perform all LDAP and DNS lookups, but do not create or update any PF tables.

    -P page size
        The page size to use for LDAP requests. The default is 250.

    -p
        Preserve existing table entries even if they are no longer members of the corresponding group.

    -s servers
        A comma-separated list of LDAP server names. The default is to perform an SRV lookup.

    -u user[@domain]
        The user name used to bind to the LDAP server, with or without domain qualifier. The default is the name of the current user.

    -v
        Show progress and debugging information.
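The lookup and update cycle described in DESCRIPTION, together with the -4/-6, -n and -p semantics above, as an added worked example. This is not the ldap2pf utility's own code (ldap2pf is a Perl script); it is a Python model that runs offline against a constructed in-memory directory and DNS zone. The DNs, host names and addresses are hypothetical, and the use of `pfctl -T replace` for the non-`-p` case is an assumption made here (the manual says only that the table is replaced; the actual pfctl invocation for that mode is not shown on this page). The model adds the two things a practitioner most wants to see: a guard against nested groups that refer back to each other, and the fail-safe behaviour in which any lookup failure produces no pfctl command at all, so the existing table is never half-rewritten.

```python
import ipaddress

# Constructed directory for this example (hypothetical DNs and hosts).
# AD style: groups list member DNs in "member", computers carry their
# FQDN in "dNSHostName".
DIRECTORY = {
    "CN=mx,OU=roles,OU=hostpolicies,DC=example,DC=com": {
        "objectClass": ["group"], "name": "mx",
        "member": ["CN=mx01,OU=hosts,DC=example,DC=com",
                   "CN=mx-eu,OU=roles,OU=hostpolicies,DC=example,DC=com"]},
    "CN=mx-eu,OU=roles,OU=hostpolicies,DC=example,DC=com": {
        "objectClass": ["group"], "name": "mx-eu",
        # AD allows a nested group to refer back to its parent; the
        # resolver must not loop on this.
        "member": ["CN=mx02,OU=hosts,DC=example,DC=com",
                   "CN=mx,OU=roles,OU=hostpolicies,DC=example,DC=com"]},
    "CN=mx-staging,OU=roles,OU=hostpolicies,DC=example,DC=com": {
        "objectClass": ["group"], "name": "mx-staging",
        "member": ["CN=mx03,OU=hosts,DC=example,DC=com"]},
    "CN=mx01,OU=hosts,DC=example,DC=com": {
        "objectClass": ["computer"], "dNSHostName": "mx01.example.com"},
    "CN=mx02,OU=hosts,DC=example,DC=com": {
        "objectClass": ["computer"], "dNSHostName": "mx02.example.com"},
    "CN=mx03,OU=hosts,DC=example,DC=com": {   # deliberately absent from DNS
        "objectClass": ["computer"], "dNSHostName": "mx03.example.com"},
}

# Constructed zone data: name -> [(rrtype, rdata), ...]
DNS = {
    "mx01.example.com": [("AAAA", "2001:db8:0:42::2501"), ("A", "198.51.100.251")],
    "mx02.example.com": [("AAAA", "2001:db8:0:42::2502"), ("A", "198.51.100.252")],
}


def find_groups(name):
    """Model of the (&(objectclass=group)(name=NAME)) search."""
    return [dn for dn, attrs in DIRECTORY.items()
            if "group" in attrs["objectClass"] and attrs.get("name") == name]


def resolve_members(dn, seen=None):
    """Recursively collect dNSHostName values under a group DN.

    `seen` stops the recursion when nested groups contain each other.
    """
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    attrs = DIRECTORY.get(dn)
    if attrs is None:
        raise LookupError(f"dangling member reference: {dn}")
    if "group" in attrs["objectClass"]:
        hosts = set()
        for member in attrs.get("member", []):
            hosts |= resolve_members(member, seen)
        return hosts
    host = attrs.get("dNSHostName")
    return {host} if host else set()


def lookup_addresses(hostname, want4=True, want6=True):
    """A and/or AAAA lookup against the constructed zone (-4 / -6)."""
    records = DNS.get(hostname)
    if not records:
        raise LookupError(f"no address records for {hostname}")
    wanted = ({"A"} if want4 else set()) | ({"AAAA"} if want6 else set())
    return [str(ipaddress.ip_address(r)) for t, r in records if t in wanted]


def _addr_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def plan_table(group, want4=True, want6=True, preserve=False):
    """Return (addresses, pfctl argv) for GROUP, or raise LookupError.

    Any directory or DNS failure raises before a command is produced: the
    "if no errors occurred" rule leaves the existing table untouched.
    Without -p the table is replaced (modelled with pfctl -T replace, an
    assumption); with -p entries are only ever added (pfctl -T add, as in
    EXAMPLES). With -n, printing argv is as far as the tool would go.
    """
    groups = find_groups(group)
    if not groups:
        raise LookupError(f"no group named {group}")
    hosts = set()
    for dn in groups:
        hosts |= resolve_members(dn)
    addrs = set()
    for host in sorted(hosts):
        addrs.update(lookup_addresses(host, want4, want6))
    addrs = sorted(addrs, key=_addr_key)
    verb = "add" if preserve else "replace"
    return addrs, ["/sbin/pfctl", "-t", group, "-T", verb] + addrs


def apply_to_table(existing, addrs, preserve):
    """Model the table's contents after pfctl runs: -p keeps stale entries."""
    result = (set(existing) | set(addrs)) if preserve else set(addrs)
    return sorted(result, key=_addr_key)


if __name__ == "__main__":
    for group in ("mx", "mx-staging"):
        try:
            addrs, argv = plan_table(group, preserve=True)
            print(" ".join(argv))
        except LookupError as err:
            print(f"# {group}: {err}; table left untouched")
```

Running the block shows the `mx` group resolving through the nested `mx-eu` group (and its back-reference) to four addresses, while `mx-staging` aborts on the unresolvable host and produces no command. `apply_to_table` makes the -p trade-off explicit: a decommissioned host's address stays in the table until someone removes it by hand, which is the price of never locking out a host because of a transient directory or DNS error.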

IMPLEMENTATION NOTES

The ldap2pf utility was designed for use with Microsoft Active Directory servers, and assumes that the server supports and requires GSSAPI authentication and that a valid Kerberos ticket is available (see kinit(1)).

Because the table contents follow the directory, anyone who can change the membership of a group named on the command line, the DNSHostName attribute of its members, or the DNS records for those names can change what the firewall permits. Protect those objects and records accordingly, bind with a read-only account as in EXAMPLES, and use -n to inspect the result of the lookups before letting the tool write tables.

EXAMPLES

Update a table named mx used to allow traffic to and from the organisation’s mail servers:



    % grep -w mx /etc/pf.conf
    table <mx> persist
    pass in on egress proto tcp from any to <mx> port { smtp, smtps }
    pass out on dmz proto tcp from any to <mx> port { smtp, smtps }
    pass in on dmz proto tcp from <mx> to any port { smtp, smtps }
    pass out on egress proto tcp from <mx> to any port { smtp, smtps }
    pass in on int proto tcp from int:network to <mx> port { smtp, smtps }
    pass out on dmz proto tcp from int:network to <mx> port { smtp, smtps }
    % sudo env KRB5CCNAME=/var/db/ro_user.cc ldap2pf -pv -u ro_user mx
    # host: client.example.com
    # domain: example.com
    # user: ro_user@example.com
    # looking up SRV for _ldap._tcp.example.com
    # servers: dc01.example.com dc02.example.com
    # base: DC=example,DC=com
    # Attempting to connect to dc01.example.com
    # Looking for (&(objectclass=group)(name=mx)) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx,OU=roles,OU=hostpolicies,DC=example,DC=com
    # Looking for (distinguishedname=CN=mx01,OU=hosts,DC=example,DC=com) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx01,OU=hosts,DC=example,DC=com
    # Looking for (distinguishedname=CN=mx02,OU=hosts,DC=example,DC=com) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx02,OU=hosts,DC=example,DC=com
    # looking up mx01.example.com
    # mx01.example.com.    3600    IN      AAAA    2001:db8:0:42::2501
    # mx01.example.com.    3600    IN      A       198.51.100.251
    # looking up mx02.example.com
    # mx02.example.com.    3600    IN      AAAA    2001:db8:0:42::2502
    # mx02.example.com.    3600    IN      A       198.51.100.252
    /sbin/pfctl -t mx -T add 198.51.100.251 198.51.100.252 2001:db8:0:42:0:0:0:2501 2001:db8:0:42:0:0:0:2502
    No ALTQ support in kernel
    ALTQ related functions disabled
    4/4 addresses added.



SEE ALSO

kinit(1), pf(4), pfctl(8)

AUTHOR

The ldap2pf utility was written by Dag-Erling Smørgrav <d.e.smorgrav@usit.uio.no> for the University of Oslo.
perl v5.20.3 LDAP2PF (1) 2015-11-06