Sun Microsystems, Inc.
27. Transitioning From NIS+ to LDAP

The Directory Server Security and Authentication

Using SSL

The rpc.nisd daemon also supports transport layer encryption of LDAP traffic using SSL. Consult your LDAP server documentation to generate an SSL certificate for LDAP server authentication. Store the certificate in a file on the NIS+ server (/var/nis/cert7.db, for example) and modify /etc/default/rpc.nisd as follows.

nisplusLDAPTLS=ssl
nisplusLDAPTLSCertificateDBPath=/var/nis/cert7.db

Be sure to protect the certificate file from unauthorized access. Note that the above provides session encryption and authentication of the LDAP server to the rpc.nisd. It does not provide authentication of the rpc.nisd to the LDAP server, since the certificate does not contain anything that identifies the LDAP client (rpc.nisd). However, you can combine SSL with another authentication method (simple, sasl/digest-md5) in order to achieve mutual authentication.
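The two caveats above, the certificate file's permissions and the fact that SSL alone does not authenticate rpc.nisd to the directory, can be checked against a copy of /etc/default/rpc.nisd. This script is an added example, not part of the Sun guide; SAMPLE_CONF is constructed, and authenticationMethod is the rpc.nisd(4) key name assumed here (the page names only the methods simple and sasl/digest-md5).

```shell
#!/bin/sh
# Added example (not from the Sun guide). Constructed /etc/default/rpc.nisd
# excerpt; the authenticationMethod key is assumed from rpc.nisd(4).
SAMPLE_CONF='nisplusLDAPTLS=ssl
nisplusLDAPTLSCertificateDBPath=/var/nis/cert7.db
authenticationMethod=none'

# conf_value KEY CONF -> value of the first "KEY=value" line in CONF
conf_value() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed -n '1p'; }

# check_tls_auth CONF -> exit 0 when LDAP traffic is encrypted AND rpc.nisd
# authenticates itself to the server; otherwise print findings, exit 1
check_tls_auth() {
    tls=$(conf_value nisplusLDAPTLS "$1")
    auth=$(conf_value authenticationMethod "$1")
    rc=0
    [ "$tls" = ssl ] || {
        echo "LDAP traffic not encrypted: nisplusLDAPTLS=${tls:-unset}"; rc=1; }
    case "${auth:-none}" in
        simple|sasl/*) ;;   # SSL plus simple or SASL gives mutual authentication
        *) echo "SSL only authenticates the server: authenticationMethod=${auth:-unset}"
           rc=1 ;;
    esac
    return $rc
}

# check_certdb_mode FILE -> exit 0 only if group and others have no access
check_certdb_mode() {
    [ -f "$1" ] || { echo "certificate DB $1 not found"; return 1; }
    case "$(ls -l "$1" | cut -c2-10)" in      # e.g. rw-------
        ???------) return 0 ;;
        *) echo "certificate DB $1 is readable by group/others"; return 1 ;;
    esac
}

if check_tls_auth "$SAMPLE_CONF"; then echo "rpc.nisd LDAP settings: OK"; fi
certdb=$(conf_value nisplusLDAPTLSCertificateDBPath "$SAMPLE_CONF")
check_certdb_mode "$certdb" || true
```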

For more information regarding LDAP security issues, refer to System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Performance and Indexing

When the rpc.nisd daemon is asked to enumerate an NIS+ table (using niscat(1) for example) that is mapped from LDAP, it will enumerate the corresponding LDAP container if at least one entry in the table has an expired TTL. Although this container enumeration is done in the background, so that LDAP performance is of limited importance, it can nevertheless be beneficial to establish LDAP indices to speed up container enumeration for large containers.

To obtain an estimate of the amount of time required for enumeration of a particular container, you can use a command like the following.

% /bin/time ldapsearch -h server-address -D bind-DN -w password \
    -b container,search-base 'cn=*' > /dev/null

where

  • server-address

    IP address portion of preferredServerList value from /etc/default/rpc.nisd

  • bind-DN

    nisplusLDAPproxyUser value from /etc/default/rpc.nisd

  • password

    nisplusLDAPproxyPassword value from /etc/default/rpc.nisd

  • container

    One of the RFC 2307 container names (ou=Services, ou=Rpc, and so on)

  • search-base

    defaultSearchBase value from /etc/default/rpc.nisd

The "real" value printed by /bin/time is the elapsed (wall-clock) time. If this value exceeds a significant fraction (25 percent or more) of the TTL for the corresponding table entries (see "Authentication and Security"), it might be beneficial to index the LDAP container.

The rpc.nisd supports the simple paged results and virtual list view (VLV) indexing methods. Refer to your LDAP server documentation to find out which indexing methods it supports, and how to create such indices.
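The procedure above, measuring enumeration time with /bin/time and comparing it with the table's TTL, can be scripted. This is an added example, not from the Sun guide: the rpc.nisd configuration excerpt, the mapping-file TTL line and the /bin/time output are all constructed, and the TTL spec is read as table:initialTTLlo:initialTTLhi:runningTTL with the last field used for the comparison.

```shell
#!/bin/sh
# Added example (not from the Sun guide): apply the 25%-of-TTL rule of thumb
# to a captured /bin/time measurement. All sample data is constructed.
RPC_NISD_CONF='# constructed excerpt of /etc/default/rpc.nisd
preferredServerList=192.0.2.10
defaultSearchBase=dc=example,dc=com
nisplusLDAPproxyUser=cn=nisAdmin,ou=People,dc=example,dc=com'

# Constructed mapping-file line: table:initTTLlo:initTTLhi:runningTTL
MAPPING_TTL='nisplusLDAPentryTtl	services_table:21600:43200:43200'

# Constructed stderr of "/bin/time ldapsearch ..." (Solaris /bin/time format)
TIME_OUTPUT='
real     12000.4
user        0.3
sys         0.2'

# conf_value KEY CONF -> value of the first "KEY=value" line in CONF
conf_value() { printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed -n '1p'; }

# running_ttl LINE -> the runningTTL field (last colon-separated field)
running_ttl() { printf '%s\n' "$1" | awk -F: '{ print $NF }'; }

# real_seconds OUTPUT -> the "real" (wall-clock) value printed by /bin/time
real_seconds() { printf '%s\n' "$1" | awk '$1 == "real" { print $2 }'; }

# needs_index ELAPSED TTL -> exit 0 when ELAPSED is 25% or more of TTL
needs_index() { awk -v e="$1" -v t="$2" 'BEGIN { exit !(e * 4 >= t) }'; }

# enumerate_args CONTAINER -> the ldapsearch arguments from the guide, built
# from the config values (add -w with nisplusLDAPproxyPassword when running)
enumerate_args() {
    printf 'ldapsearch -h %s -D %s -b %s,%s cn=*\n' \
        "$(conf_value preferredServerList "$RPC_NISD_CONF")" \
        "$(conf_value nisplusLDAPproxyUser "$RPC_NISD_CONF")" \
        "$1" "$(conf_value defaultSearchBase "$RPC_NISD_CONF")"
}

ttl=$(running_ttl "$MAPPING_TTL")
elapsed=$(real_seconds "$TIME_OUTPUT")
echo "measured with: $(enumerate_args ou=Services)"
if needs_index "$elapsed" "$ttl"; then
    echo "ou=Services: ${elapsed}s is 25% or more of TTL ${ttl}s; consider indexing"
else
    echo "ou=Services: ${elapsed}s is under 25% of TTL ${ttl}s"
fi
```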

Mapping NIS+ Objects Other Than Table Entries

You can store NIS+ objects other than table entries in LDAP. However, doing so has no particular value unless you also have NIS+ replicas that obtain those NIS+ objects from LDAP. The recommended choices are the following.

  • There are no replicas, or the replicas obtain their data from the NIS+ master only.

    Edit the mapping configuration file (see NIS+LDAPmapping(4)) to remove the following attribute values for all non-table-entry objects.

    nisplusLDAPdatabaseIdMapping
    nisplusLDAPentryTtl
    nisplusLDAPobjectDN

    For example, if you started out from the /var/nis/NIS+LDAPmapping.template file, the sections you need to remove (or disable by commenting) are as follows.

    # Standard NIS+ directories
    nisplusLDAPdatabaseIdMapping    basedir:
    .
    .
    .
    nisplusLDAPdatabaseIdMapping    user_attr_table:user_attr.org_dir
    nisplusLDAPdatabaseIdMapping    audit_user_table:audit_user.org_dir

    # Standard NIS+ directories
    nisplusLDAPentryTtl             basedir:21600:43200:43200
    .
    .
    .
    nisplusLDAPentryTtl             user_attr_table:21600:43200:43200
    nisplusLDAPentryTtl             audit_user_table:21600:43200:43200

    # Standard NIS+ directories
    nisplusLDAPobjectDN             basedir:cn=basedir,ou=nisPlus,?base?\
                                    objectClass=nisplusObjectContainer:\
                                    cn=basedir,ou=nisPlus,?base?\
                                    objectClass=nisplusObjectContainer,\
                                    objectClass=top
    .
    .
    .
    nisplusLDAPobjectDN             audit_user_table:cn=audit_user,ou=nisPlus,?base?\
                                    objectClass=nisplusObjectContainer:\
                                    cn=audit_user,ou=nisPlus,?base?\
                                    objectClass=nisplusObjectContainer,\
                                    objectClass=top

  • NIS+ replicas obtain their data from the LDAP server.

    Create the nisplusObject attribute and nisplusObjectContainer object class as shown in the following example. (The LDIF data is suitable as input to ldapadd(1); the attribute and object class OIDs are for illustration only.)

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.1.0 NAME 'nisplusObject'
      DESC 'An opaque representation of an NIS+ object'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )

    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.2.0 NAME 'nisplusObjectContainer'
      SUP top STRUCTURAL DESC 'Abstraction of an NIS+ object'
      MUST ( cn $ nisplusObject ) )

    You also need to create a container for the NIS+ objects. The following LDIF syntax shows how to create the ou=nisPlus,dc=some,dc=domain container, and can be used as input to ldapadd(1).

    dn: ou=nisPlus,dc=some,dc=domain
    ou: nisPlus
    objectClass: top
    objectClass: organizationalUnit
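For the first choice above (no replicas, or replicas fed from the NIS+ master), the three attribute values have to be removed or commented out for every non-table-entry object, and the nisplusLDAPobjectDN values span several backslash-continued lines. The script below is an added example, not part of the Sun guide: it comments out whole stanzas for a given list of database ids, following continuation lines, and the mapping excerpt it runs on is constructed and abbreviated.

```shell
#!/bin/sh
# Added example (not from the Sun guide): comment out the mapping stanzas of
# the database ids in IDS, including their backslash-continued lines.
# Constructed, abbreviated mapping-file excerpt (basedir is a non-table-entry
# object; passwd_table is a table-entry mapping that must stay).
MAPPING='nisplusLDAPdatabaseIdMapping	basedir:
nisplusLDAPdatabaseIdMapping	passwd_table:passwd.org_dir
nisplusLDAPentryTtl	basedir:21600:43200:43200
nisplusLDAPentryTtl	passwd_table:21600:43200:43200
nisplusLDAPobjectDN	basedir:cn=basedir,ou=nisPlus,?base?\
	objectClass=nisplusObjectContainer:\
	cn=basedir,ou=nisPlus,?base?\
	objectClass=nisplusObjectContainer,\
	objectClass=top
nisplusLDAPobjectDN	passwd_table:ou=People,?one?objectClass=shadowAccount'

# disable_objects IDS MAPPING -> MAPPING with the nisplusLDAPdatabaseIdMapping,
# nisplusLDAPentryTtl and nisplusLDAPobjectDN stanzas of each id in IDS
# (space-separated) prefixed with "# "; everything else is passed through
disable_objects() {
    printf '%s\n' "$2" | awk -v ids="$1" '
    BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    {
        if (!cont) {
            # start of a logical line: attribute name, then "id:value"
            skip = 0
            if ($1 ~ /^nisplusLDAP(databaseIdMapping|entryTtl|objectDN)$/) {
                split($2, f, ":")
                if (f[1] in want) skip = 1
            }
        }
        if (skip) print "# " $0; else print
        cont = ($0 ~ /\\$/)     # a trailing backslash continues the stanza
    }'
}

disable_objects basedir "$MAPPING"
```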