FreeBSD Manual Pages
LDAP2PF(1)            User Contributed Perl Documentation           LDAP2PF(1)

NAME
       ldap2pf - Create and update PF tables from LDAP groups

SYNOPSIS
       ldap2pf [-46Fnpv] [-b base] [-d domain] [-f path] [-h host]
       [-P page size] [-s servers] [-u user[@domain]] group ...

DESCRIPTION
       The ldap2pf utility creates and updates PF address tables based on
       group memberships in an LDAP directory.

       For each group name specified on the command line, the ldap2pf utility
       searches the LDAP directory for group objects bearing that name.  It
       then resolves the membership of these groups recursively, collects the
       DNSHostName attributes of all member objects, and looks up A and / or
       AAAA DNS records for these names.

       If no errors occurred during this process, a PF address table with the
       same name as the LDAP group is either created or updated to match the
       list of IP addresses that were discovered.  If the table already
       exists, its contents are replaced with the list that was obtained from
       the LDAP directory, unless the -p option was specified, in which case
       the table is treated as append-only.

       The following options are available:

       -4  Include IPv4 addresses in the table.  If neither -4 nor -6 is
           specified, the default is to include both IPv4 and IPv6 addresses.

       -6  Include IPv6 addresses in the table.  If neither -4 nor -6 is
           specified, the default is to include both IPv4 and IPv6 addresses.

       -b base
           The search base for LDAP lookups.  The default is derived from the
           LDAP domain.

       -d domain
           The LDAP domain.  The default is derived from the host name.

       -F  Never flush a table.  If an LDAP lookup does not return any
           results, assume that something is wrong and terminate without
           updating the table or file.

       -f path
           The path to a directory in which to store each table as a separate
           file, named for the group it represents.  The default is to not
           store the tables to disk.

       -h host
           The client's host name.  The default is whatever uname(3) returns.

       -n  Perform all LDAP and DNS lookups, but do not create or update any
           PF tables.

       -P page size
           The page size to use for LDAP requests.  The default is 250.

       -p  Preserve existing table entries even if they are no longer members
           of the corresponding group.  Implies -F.

           This does not apply to the file generated with the -f option, which
           will only contain the addresses retrieved from LDAP and DNS.

       -s servers
           A comma-separated list of LDAP server names.  The default is to
           perform an SRV lookup.

       -u user[@domain]
           The user name used to bind to the LDAP server, with or without
           domain qualifier.  The default is the name of the current user.

       -v  Show progress and debugging information.
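       The lookup and table-update pipeline that DESCRIPTION and the options
       above describe, as an added illustration (this is not the ldap2pf
       utility's own Perl code).  A constructed in-memory directory and DNS
       table stand in for Active Directory and the resolver; find_groups is
       the (&(objectclass=group)(name=...)) search, collect_hostnames walks
       nested groups with a visited set so a membership cycle cannot recurse
       forever, resolve_addresses applies -4/-6, and pfctl_command builds the
       pfctl argument list, mapping -p to "-T add" as in EXAMPLES and, by
       assumption, the default replace-contents behaviour to "-T replace".
       An empty lookup result with -F (or -p, which implies it) raises instead
       of emptying the table, so a transient directory or DNS failure does not
       silently empty a table that firewall rules depend on.

```python
"""ldap2pf lookup pipeline over constructed directory and DNS data.

Illustration only: not the ldap2pf utility's code.  DIRECTORY and DNS are
constructed stand-ins; the real tool talks to LDAP (GSSAPI) and DNS.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed directory: DN -> attributes.  Membership is nested and contains
# a cycle (mx -> mxrelays -> mx) to show why recursion needs a visited set.
DIRECTORY: Dict[str, dict] = {
    "CN=mx,OU=roles,DC=example,DC=com": {
        "objectclass": "group", "name": "mx",
        "member": ["CN=mx01,OU=hosts,DC=example,DC=com",
                   "CN=mxrelays,OU=roles,DC=example,DC=com"]},
    "CN=mxrelays,OU=roles,DC=example,DC=com": {
        "objectclass": "group", "name": "mxrelays",
        "member": ["CN=mx02,OU=hosts,DC=example,DC=com",
                   "CN=mx,OU=roles,DC=example,DC=com"]},
    "CN=mx01,OU=hosts,DC=example,DC=com": {
        "objectclass": "computer", "dnshostname": "mx01.example.com"},
    "CN=mx02,OU=hosts,DC=example,DC=com": {
        "objectclass": "computer", "dnshostname": "mx02.example.com"},
    "CN=empty,OU=roles,DC=example,DC=com": {
        "objectclass": "group", "name": "empty", "member": []},
}

# Constructed DNS answers: name -> A and AAAA records.
DNS: Dict[str, List[str]] = {
    "mx01.example.com": ["198.51.100.251", "2001:db8:0:42::2501"],
    "mx02.example.com": ["198.51.100.252", "2001:db8:0:42::2502"],
}


def find_groups(name: str) -> List[str]:
    """Equivalent of the (&(objectclass=group)(name=NAME)) search."""
    return [dn for dn, attrs in DIRECTORY.items()
            if attrs.get("objectclass") == "group" and attrs.get("name") == name]


def collect_hostnames(dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve membership recursively, collecting DNSHostName of each member."""
    seen = set() if seen is None else seen
    if dn in seen:                      # nested-group cycle: already handled
        return set()
    seen.add(dn)
    attrs = DIRECTORY.get(dn)
    if attrs is None:                   # dangling member reference
        return set()
    names: Set[str] = set()
    if attrs.get("objectclass") == "group":
        for member in attrs.get("member", []):
            names |= collect_hostnames(member, seen)
    elif "dnshostname" in attrs:
        names.add(attrs["dnshostname"])
    return names


def resolve_addresses(hostnames: Iterable[str], ipv4: bool = True,
                      ipv6: bool = True) -> List[str]:
    """Look up A and/or AAAA records (-4 / -6 selection) in the constructed DNS."""
    addrs: Set[str] = set()
    for host in hostnames:
        for text in DNS.get(host, []):
            ip = ipaddress.ip_address(text)
            if (ip.version == 4 and ipv4) or (ip.version == 6 and ipv6):
                addrs.add(str(ip))
    # Deterministic order: IPv4 first, then numerically within each family.
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                        ipaddress.ip_address(a)))


def pfctl_command(table: str, addrs: List[str], preserve: bool = False,
                  never_flush: bool = False) -> List[str]:
    """Build the pfctl argv.  -p => '-T add' (append-only) and implies -F;
    otherwise the table contents are replaced (assumed '-T replace').
    With -F an empty result aborts rather than emptying the table."""
    never_flush = never_flush or preserve
    if not addrs and never_flush:
        raise RuntimeError(f"no addresses for table {table}; refusing to flush (-F)")
    op = "add" if preserve else "replace"
    return ["/sbin/pfctl", "-t", table, "-T", op] + addrs


def ldap2pf(group: str, ipv4: bool = True, ipv6: bool = True,
            preserve: bool = False, never_flush: bool = False) -> List[str]:
    """Whole pipeline for one group name, returning the pfctl argv to run."""
    hostnames: Set[str] = set()
    for dn in find_groups(group):
        hostnames |= collect_hostnames(dn)
    return pfctl_command(group, resolve_addresses(hostnames, ipv4, ipv6),
                         preserve, never_flush)


if __name__ == "__main__":
    print(" ".join(ldap2pf("mx", preserve=True)))   # the EXAMPLES invocation
```

       Running the block prints the same pfctl invocation as the -p example
       below, built from the constructed data; the two lookup tables are the
       only parts to swap for real LDAP and DNS queries.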

IMPLEMENTATION NOTES
       The ldap2pf utility was designed for use with Microsoft Active
       Directory servers, and assumes that the server supports and requires
       GSSAPI authentication and that a valid Kerberos ticket is available.

EXAMPLES
       Update a table named mx used to allow traffic to and from the
       organisation's mail servers:

           % grep -w mx /etc/pf.conf
           table <mx> persist
           pass in on egress proto tcp from any to <mx> port { smtp, smtps }
           pass out on dmz proto tcp from any to <mx> port { smtp, smtps }
           pass in on dmz proto tcp from <mx> to any port { smtp, smtps }
           pass out on egress proto tcp from <mx> to any port { smtp, smtps }
           pass in on int proto tcp from int:network to <mx> port { smtp, smtps }
           pass out on dmz proto tcp from int:network to <mx> port { smtp, smtps }
           % sudo env KRB5CCNAME=/var/db/ro_user.cc ldap2pf -pv -u ro_user mx
           # host: client.example.com
           # domain: example.com
           # user: ro_user@example.com
           # looking up SRV for _ldap._tcp.example.com
           # servers: dc01.example.com dc02.example.com
           # base: DC=example,DC=com
           # Attempting to connect to dc01.example.com
           # Looking for (&(objectclass=group)(name=mx)) in DC=example,DC=com
           # last page (1)
           # resolving CN=mx,OU=roles,OU=hostpolicies,DC=example,DC=com
           # Looking for (distinguishedname=CN=mx01,OU=hosts,DC=example,DC=com) in DC=example,DC=com
           # last page (1)
           # resolving CN=mx01,OU=hosts,DC=example,DC=com
           # Looking for (distinguishedname=CN=mx02,OU=hosts,DC=example,DC=com) in DC=example,DC=com
           # last page (1)
           # resolving CN=mx02,OU=hosts,DC=example,DC=com
           # looking up mx01.example.com
           # mx01.example.com.    3600    IN    AAAA    2001:db8:0:42::2501
           # mx01.example.com.    3600    IN    A       198.51.100.251
           # looking up mx02.example.com
           # mx02.example.com.    3600    IN    AAAA    2001:db8:0:42::2502
           # mx02.example.com.    3600    IN    A       198.51.100.252
           /sbin/pfctl -t mx -T add 198.51.100.251 198.51.100.252 2001:db8:0:42:0:0:0:2501 2001:db8:0:42:0:0:0:2502
           No ALTQ support in kernel
           ALTQ related functions disabled
           4/4 addresses added.

SEE ALSO
       kinit(1), pf(4), pfctl(8)

AUTHOR
       The ldap2pf utility was written by Dag-Erling Smørgrav
       <d.e.smorgrav@usit.uio.no> for the University of Oslo.

perl v5.24.1                      2017-04-24                        LDAP2PF(1)
