Transitioning From NIS+ to LDAP
This chapter describes how to make the transition from using the NIS+ naming service to the LDAP naming service.
Overview
The NIS+ server daemon, rpc.nisd, stores NIS+ data in proprietary-format files in the /var/nis/data directory. While it is entirely possible to keep NIS+ data synchronized with LDAP, such synchronization has previously required an external agent. However, the NIS+ daemon now enables you to use an LDAP server as a data repository for NIS+ data. Since this makes it possible for NIS+ and LDAP clients to share the same naming service information, it is easier to transition from using NIS+ as the main naming service, to using LDAP for the same role. For more information on using LDAP as a naming service, see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
By default, the rpc.nisd daemon continues to work as before, relying only on the /var/nis/data NIS+ database. If desired, the system administrator can choose to use an LDAP server as the authoritative data repository for any subset of the NIS+ database. In this case, the /var/nis/data files serve as a cache for the rpc.nisd daemon, reducing LDAP lookup traffic and enabling rpc.nisd to continue working if the LDAP server is temporarily unavailable. In addition to continuous synchronization between NIS+ and LDAP, you can also perform uploads of NIS+ data to LDAP, or downloads of LDAP data to NIS+.
Mapping of data to and from LDAP is controlled by a flexible configuration file syntax. All standard NIS+ tables (except for client_info.org_dir and timezone.org_dir) are covered by a template mapping file, /var/nis/NIS+LDAPmapping.template, which should require little or no change for most NIS+ installations. (See "client_info and timezone Tables" for information on client_info.org_dir and timezone.org_dir.) In addition to locations for NIS+ data in the LDAP Directory Information Tree (DIT), the mapping file also allows establishing a time-to-live (TTL) for NIS+ data sourced from LDAP. While there often is a one-to-one mapping between NIS+ column values and LDAP attribute values, the mapping file can be used to maintain more complicated relationships as well.
The new /etc/default/rpc.nisd file is used to select the LDAP server and authentication method, and controls some general rpc.nisd behavior. See rpc.nisd(4). The details of the mapping are specified in the /var/nis/NIS+LDAPmapping file. For more information, see NIS+LDAPmapping(4). The name of this file can be changed using the -m command-line option of rpc.nisd. For more information, see rpc.nisd(1M).
The following terms are used in this chapter.
Container
A container is the location in the LDAP DIT where all related entries are stored. For example, user account information is often stored in the ou=People container, while host address information can be stored in the ou=Hosts container.
Netname
A netname is an entity in secure RPC (user or machine) that can be authenticated.
Mapping
Mapping is the relationship between an NIS+ object and an LDAP entry. For example, data from the name column in the passwd.org_dir NIS+ table (such as the user name of an account) corresponds to the LDAP uid attribute of the posixAccount object class in the ou=People container. The configuration can establish a mapping between the name column and the uid attribute. You can also say that the name column is mapped to the uid attribute (or vice versa).
Principal
A principal is an entity in NIS+ (user or machine) that can be authenticated. Usually, there is a one-to-one correspondence between netnames and principal names.
Configuration Files
Two configuration files control rpc.nisd operation.
/etc/default/rpc.nisd
This file contains information regarding the LDAP server and authentication, the NIS+ base domain, the LDAP default search base, exception processing, and general rpc.nisd configuration, which applies whether or not LDAP mapping is in effect.
/var/nis/NIS+LDAPmapping
This file contains information on mapping of NIS+ data to and from LDAP. The template file (/var/nis/NIS+LDAPmapping.template) covers all standard NIS+ objects, except client_info.org_dir and timezone.org_dir. See "client_info and timezone Tables" and NIS+LDAPmapping(4).
Configuration is done by assigning values to pre-defined attributes. In addition to the configuration files, the configuration attributes can also be read from LDAP (see "Storing Configuration Information in LDAP") or can be specified on the rpc.nisd command line by way of the -x option. If the same attribute is specified in more than one place, the priority order is (from higher to lower) as follows.
rpc.nisd -x option
Configuration file
LDAP
Creating Attributes and Object Classes
Depending on how you configure the NIS+/LDAP mapping, you might need to create a number of new LDAP attributes and object classes. The examples show how to do this by specifying LDIF data that can be used as input to the ldapadd command. Create a file containing the LDIF data, and then invoke ldapadd(1).
# ldapadd -D bind-DN -f ldif-file
This method works with the iPlanet Directory Server 5.1, and might work with other LDAP servers as well.
Note - Except for the defaultSearchBase, preferredServerList, and authenticationMethod attributes, as well as the SYNTAX specifications, the object identifiers (OIDs) used in this chapter are intended for illustration only. As no official OIDs have been assigned, you are free to use any suitable OIDs.
Getting Started
For an introduction to the configuration needed to start using an LDAP repository for NIS+ data, see NIS+LDAPmapping(4). The remainder of this section goes into more detail about the organization of the configuration files.
/etc/default/rpc.nisd
All assignments in the /etc/default/rpc.nisd file are of the attributeName=value type.
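As an added illustration (not code from this guide or from rpc.nisd itself), the following Python parses the attributeName=value form of /etc/default/rpc.nisd and resolves attributes from the three sources described under "Configuration Files" with the stated priority: -x command-line option, then configuration file, then LDAP. The server names and attribute values are constructed samples, and the rule that a later -x for the same attribute wins over an earlier one is an assumption.

```python
# Added illustration, not from the Solaris documentation or the rpc.nisd source.
# Resolves rpc.nisd configuration attributes with the documented priority:
#   -x option  >  /etc/default/rpc.nisd  >  attributes read from LDAP

def parse_config_file(text):
    """Parse attributeName=value lines from an /etc/default/rpc.nisd-style file.
    Blank lines and '#' comments are skipped; the first '=' splits name from value."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected attributeName=value): {raw!r}")
        name, value = line.split("=", 1)
        attrs[name.strip()] = value.strip()
    return attrs

def parse_x_options(argv):
    """Collect every '-x attributeName=value' pair from an rpc.nisd argument list.
    Assumption: a later -x for the same attribute overrides an earlier one."""
    attrs = {}
    args = iter(argv)
    for arg in args:
        if arg == "-x":
            spec = next(args, None)
            if spec is None or "=" not in spec:
                raise ValueError("-x requires attributeName=value")
            name, value = spec.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs

def resolve_attributes(x_attrs, file_attrs, ldap_attrs):
    """Merge the three sources; the higher-priority source wins on conflict."""
    merged = dict(ldap_attrs)   # lowest priority
    merged.update(file_attrs)   # configuration file overrides LDAP
    merged.update(x_attrs)      # -x overrides both
    return merged

# Constructed sample inputs (hostnames and values are placeholders).
SAMPLE_FILE = """# /etc/default/rpc.nisd (constructed sample)
preferredServerList=ldap1.example.com
authenticationMethod=simple
"""
SAMPLE_ARGV = ["rpc.nisd", "-m", "/var/nis/NIS+LDAPmapping", "-x", "authenticationMethod=sasl/digest-md5"]
SAMPLE_LDAP = {"preferredServerList": "ldap2.example.com", "defaultSearchBase": "dc=example,dc=com"}

def effective_config():
    """Effective attributes for the sample: -x wins for authenticationMethod,
    the file wins for preferredServerList, LDAP supplies defaultSearchBase."""
    return resolve_attributes(parse_x_options(SAMPLE_ARGV), parse_config_file(SAMPLE_FILE), SAMPLE_LDAP)
```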
General Configuration
The following attributes control general configuration of the rpc.nisd, and are active whether or not LDAP mapping is in effect. They should generally be left at their default values. See rpc.nisd(4) for more information.
nisplusNumberOfServiceThreads
nisplusThreadCreationErrorAction
nisplusThreadCreationErrorAttempts
nisplusThreadCreationErrorTimeout
nisplusDumpErrorAction
nisplusDumpErrorAttempts
nisplusDumpErrorTimeout
nisplusResyncService
nisplusUpdateBatching
nisplusUpdateBatchingTimeout