LDAP2PF(1) User Contributed Perl Documentation LDAP2PF(1)

ldap2pf - Create and update PF tables from LDAP groups

ldap2pf [-46Fnpv] [-b base] [-d domain] [-f path] [-h host] [-P page size] [-s servers] [-u user[@domain]] group ...

The ldap2pf utility creates and updates PF address tables based on group memberships in an LDAP directory.

For each group name specified on the command line, the ldap2pf utility searches the LDAP directory for group objects bearing that name. It then resolves the membership of these groups recursively, collects the DNSHostName attributes of all member objects, and looks up A and/or AAAA DNS records for these names.

If no errors occurred during this process, a PF address table with the same name as the LDAP group is either created or updated to match the list of IP addresses that were discovered. If the table already exists, its contents are replaced with the list that was obtained from the LDAP directory, unless the -p option was specified, in which case the table is treated as append-only.

The following options are available:

-4
Include IPv4 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.
-6
Include IPv6 addresses in the table. If neither -4 nor -6 is specified, the default is to include both IPv4 and IPv6 addresses.
-b base
The search base for LDAP lookups. The default is derived from the LDAP domain.
-d domain
The LDAP domain. The default is derived from the host name.
-F
Never flush a table. If an LDAP lookup does not return any results, assume that something is wrong and terminate without updating the table or file.
-f path
The path to a directory in which to store each table as a separate file, named for the group it represents. The default is to not store the tables to disk.
-h host
The client's host name. The default is whatever uname(3) returns.
-n
Perform all LDAP and DNS lookups, but do not create or update any PF tables.
-P page size
The page size to use for LDAP requests. The default is 250.
-p
Preserve existing table entries even if they are no longer members of the corresponding group. Implies -F.

This does not apply to the file generated with the -f option, which will only contain the addresses retrieved from LDAP and DNS.

-s servers
A comma-separated list of LDAP server names. The default is to perform an SRV lookup.
-u user[@domain]
The user name used to bind to the LDAP server, with or without domain qualifier. The default is the name of the current user.
-v
Show progress and debugging information.

The ldap2pf utility was designed for use with Microsoft Active Directory servers, and assumes that the server supports and requires GSSAPI authentication and that a valid Kerberos ticket is available.

Update a table named mx used to allow traffic to and from the organisation's mail servers:

    % grep -w mx /etc/pf.conf
    table <mx> persist
    pass in on egress proto tcp from any to <mx> port { smtp, smtps }
    pass out on dmz proto tcp from any to <mx> port { smtp, smtps }
    pass in on dmz proto tcp from <mx> to any port { smtp, smtps }
    pass out on egress proto tcp from <mx> to any port { smtp, smtps }
    pass in on int proto tcp from int:network to <mx> port { smtp, smtps }
    pass out on dmz proto tcp from int:network to <mx> port { smtp, smtps }
    % sudo env KRB5CCNAME=/var/db/ro_user.cc ldap2pf -pv -u ro_user mx
    # host: client.example.com
    # domain: example.com
    # user: ro_user@example.com
    # looking up SRV for _ldap._tcp.example.com
    # servers: dc01.example.com dc02.example.com
    # base: DC=example,DC=com
    # Attempting to connect to dc01.example.com
    # Looking for (&(objectclass=group)(name=mx)) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx,OU=roles,OU=hostpolicies,DC=example,DC=com
    # Looking for (distinguishedname=CN=mx01,OU=hosts,DC=example,DC=com) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx01,OU=hosts,DC=example,DC=com
    # Looking for (distinguishedname=CN=mx02,OU=hosts,DC=example,DC=com) in DC=example,DC=com
    # last page (1)
    # resolving CN=mx02,OU=hosts,DC=example,DC=com
    # looking up mx01.example.com
    # mx01.example.com.    3600    IN      AAAA    2001:db8:0:42::2501
    # mx01.example.com.    3600    IN      A       198.51.100.251
    # looking up mx02.example.com
    # mx02.example.com.    3600    IN      AAAA    2001:db8:0:42::2502
    # mx02.example.com.    3600    IN      A       198.51.100.252
    /sbin/pfctl -t mx -T add 198.51.100.251 198.51.100.252 2001:db8:0:42:0:0:0:2501 2001:db8:0:42:0:0:0:2502
    No ALTQ support in kernel
    ALTQ related functions disabled
    4/4 addresses added.
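The table-update rules described above (the -4/-6 family filter, -p append-only, -F refusing to flush on an empty lookup) as an added Python illustration; this is not ldap2pf's own code, which is Perl. The DNS answers are a constructed in-memory map mirroring the example run, the function names are hypothetical, and using "pfctl -T replace" / "-T flush" for the non-preserving mode is an assumption about one way to implement "contents are replaced".

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Options:
    ipv4: bool = True          # -4 (both families when neither is given)
    ipv6: bool = True          # -6
    preserve: bool = False     # -p: append-only, implies -F
    never_flush: bool = False  # -F


def pf_format(ip):
    """Render an address as the example run prints it: IPv6 uncompressed,
    groups without leading zeros, e.g. 2001:db8:0:42:0:0:0:2501."""
    if ip.version == 4:
        return str(ip)
    return ":".join(format(int(g, 16), "x") for g in ip.exploded.split(":"))


def collect_addresses(hostnames, dns, opts):
    """Look up A/AAAA answers for each member host name, keep only the
    families selected by -4/-6, and return a sorted de-duplicated list."""
    found = set()
    for name in hostnames:
        for rr in dns.get(name, []):
            ip = ipaddress.ip_address(rr)
            if (ip.version == 4 and opts.ipv4) or (ip.version == 6 and opts.ipv6):
                found.add(ip)
    return sorted(found, key=lambda ip: (ip.version, ip.packed))


def plan_table_update(table, addrs, opts):
    """Return the pfctl command(s) for the table, or raise when the lookup
    came back empty and -F/-p say the table must not be flushed."""
    never_flush = opts.never_flush or opts.preserve
    if not addrs:
        if never_flush:
            raise RuntimeError(f"no addresses for <{table}>; refusing to flush")
        return [f"/sbin/pfctl -t {table} -T flush"]  # assumption, see lead-in
    rendered = " ".join(pf_format(ip) for ip in addrs)
    action = "add" if opts.preserve else "replace"  # "replace" is an assumption
    return [f"/sbin/pfctl -t {table} -T {action} {rendered}"]


# Constructed sample answers mirroring the example run for the mx group.
DNS = {
    "mx01.example.com": ["2001:db8:0:42::2501", "198.51.100.251"],
    "mx02.example.com": ["2001:db8:0:42::2502", "198.51.100.252"],
}

if __name__ == "__main__":
    opts = Options(preserve=True)  # same as "ldap2pf -p ... mx"
    for cmd in plan_table_update("mx", collect_addresses(list(DNS), DNS, opts), opts):
        print(cmd)
```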

kinit(1), pf(4), pfctl(8)

The ldap2pf utility was written by Dag-Erling Smørgrav <d.e.smorgrav@usit.uio.no> for the University of Oslo.
2017-04-24 perl v5.32.1
