
NIS+ to LDAP Migration Example

The NIS+ Gateway is very flexible and can be configured in many different ways to meet your needs. A set of examples covering every possible configuration would be very long and more confusing than helpful, so the following assumptions are made about the environment in which the NIS+ Gateway is run.

  • The target directory server is Sun ONE Directory Server 5.x software.

  • The idsconfig script is run on the directory server.

  • The directory server is set up to store passwords in crypt format.

  • The current NIS+ service consists of a single domain with one NIS+ master server.

  • The timezone and client_info tables are not mapped. This eliminates the need to update the directory server schema.

  • Table objects are not mapped. This eliminates the need to update the directory server schema.

  • The LDAP structure is empty and will be populated by running rpc.nisd.

To Migrate Your Data From NIS+ to LDAP

Before proceeding, make sure you back up all NIS+ data; see nisbackup(1M).

  1. Upgrade your NIS+ master server to run the Solaris 9 OE.

  2. Install the Sun ONE Directory Server software, and run the idsconfig script.

  3. The sample deployment assumes the Sun ONE Directory Server software is running on the same system as the NIS+ Gateway, but this is not necessary. If you choose not to run them on the same system, the server IP address and port number must be set with preferredServerList in /etc/default/rpc.nisd.

  4. Obtain the password for the cn=directory manager account.

  5. The sample deployment uses this account as the proxy user for accessing data stored in the LDAP directory. For a real production environment you should create a separate account for this purpose and grant it only the read and write access it needs to the mapped entries; cn=directory manager is not subject to the directory's access control and should not be handed to a long-running daemon.

  6. Edit the following lines in /etc/default/rpc.nisd.

    • preferredServerList=127.0.0.1:389 – You do not have to edit this line if the directory server is running on the same system as NIS+ Gateway.

    • defaultSearchBase=dc=example,dc=com - You do not have to edit this line if the directory server DIT equates to your NIS+ domain name.

    • authenticationMethod=simple – A simple bind sends the proxy password to the directory server in clear text. That is acceptable over the loopback interface assumed here, but if the directory server is on another host use a TLS-protected method such as tls:simple (see rpc.nisd(4)).

    • nisplusLDAPproxyUser=cn=directory manager – If you choose not to use this account, specify the DN of an existing account.

    • nisplusLDAPproxyPassword=dirmanager – Use the actual password obtained in step 4, not the sample value. The password is stored in clear text, so make sure /etc/default/rpc.nisd is owned by root and readable by root only (mode 0600).

  7. Create a copy of the /var/nis/NIS+LDAPmapping.template file.

  8. The copy should be created in the /var/nis directory and can be called anything except NIS+LDAPmapping, the name rpc.nisd reads by default; using a different name keeps an untested mapping from being picked up if rpc.nisd is restarted before you have verified it. For this example, we assume the copy of the mapping file is /var/nis/nlm.

  9. Edit the /var/nis/nlm file to disable directory and group objects. Comment out each entry, including every backslash-continued line of the multi-line nisplusLDAPobjectDN entries.

  10. # Standard NIS+ directories
    #nisplusLDAPdatabaseIdMapping  basedir:
    #nisplusLDAPdatabaseIdMapping  orgdir:org_dir
    #nisplusLDAPdatabaseIdMapping  groupsdir:groups_dir
    
    # Standard NIS+ groups.
    #nisplusLDAPdatabaseIdMapping  admin:admin.groups_dir
    
    # Standard NIS+ directories
    #nisplusLDAPentryTtl      basedir:21600:43200:43200
    #nisplusLDAPentryTtl      orgdir:21600:43200:43200
    #nisplusLDAPentryTtl      groupsdir:21600:43200:43200
    #nisplusLDAPentryTtl      admin:21600:43200:43200
    
    # Standard NIS+ directories
    #nisplusLDAPobjectDN  basedir:cn=basedir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer:\
    #                     cn=basedir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer,\
    #                     objectClass=top
    
    #nisplusLDAPobjectDN  orgdir:cn=orgdir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer:\
    #                     cn=orgdir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer,\
    #                     objectClass=top
    
    #nisplusLDAPobjectDN  groupsdir:cn=groupsdir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer:\
    #                     cn=groupsdir,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer,\
    #                     objectClass=top
    
    #nisplusLDAPobjectDN  admin:cn=admin,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer:\
    #                     cn=admin,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer,\
    #                     objectClass=top
  11. Edit the /var/nis/nlm file to remove all references to table objects.

  12. Any entry containing _table needs to be commented out, including every continuation line of a multi-line entry. Example (not all entries shown for brevity):

    #nisplusLDAPdatabaseIdMapping  passwd_table:passwd.org_dir
    #nisplusLDAPdatabaseIdMapping  group_table:group.org_dir
    #nisplusLDAPdatabaseIdMapping  auto_master_table:auto_master.org_dir
    ...
    #nisplusLDAPentryTtl passwd_table:21600:43200:43200
    #nisplusLDAPentryTtl group_table:21600:43200:43200
    #nisplusLDAPentryTtl auto_master_table:21600:43200:43200
    ...
    #nisplusLDAPobjectDN  passwd_table:cn=passwd,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer:\
    #                     cn=passwd,ou=nisPlus,?base?\
    #                     objectClass=nisplusObjectContainer,\
    #                     objectClass=top
    ...
  13. Test the mapping you created using the nisldapmaptest utility with the -m option to specify the mapping file /var/nis/nlm.

  14. NOTE

    Make sure you remove the test data entries before performing the next step.

  15. Upload all NIS+ data to LDAP using rpc.nisd. The -x options override the corresponding /etc/default/rpc.nisd attributes for this run only, and with nisplusLDAPinitialUpdateOnly=yes the daemon exits once the upload completes. Because the tested mapping file has not yet been installed under its default name, pass it explicitly with -m (see rpc.nisd(1M)).

  16. Example:

    # pkill rpc.nisd
    # /usr/sbin/rpc.nisd -D -m /var/nis/nlm \
    -x nisplusLDAPinitialUpdateAction=to_ldap \
    -x nisplusLDAPinitialUpdateOnly=yes
  17. Verify that the LDAP entries were created.

  18. See the instructions in the next section that explain how to perform the verification.

  19. Copy /var/nis/nlm to /var/nis/NIS+LDAPmapping and restart rpc.nisd. From this point on rpc.nisd reads the verified mapping file under its default name together with the settings in /etc/default/rpc.nisd.

  20. # cd /var/nis
    # cp nlm NIS+LDAPmapping
    # /usr/sbin/rpc.nisd
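As a worked example for steps 6 and 9 through 12 (added here; it is not code from the original article or from Sun), the following POSIX sh script does the two mechanical checks a practitioner would want before starting the gateway: it audits /etc/default/rpc.nisd for a proxy password readable by other users, a clear-text simple bind to a non-loopback directory server, and the sample password left in place, and it generates the nlm mapping file by commenting out the directory, group and *_table entries together with their backslash-continued lines. The regex UNMAPPED, the sample_mapping fragment, the script name in the usage comment and the tls:simple recommendation are assumptions of this example; the fragment is constructed in the template's syntax, not copied from NIS+LDAPmapping.template.

```shell
#!/bin/sh
# Pre-flight helper for the procedure above (steps 6 and 9-12). Added example,
# not code from the original article or from Sun. Assumptions: the key=value
# syntax of /etc/default/rpc.nisd as shown in step 6, backslash-continued
# attributes in the mapping file as in NIS+LDAPmapping.template, and the
# tls:simple method named in rpc.nisd(4). Needs only POSIX sh, sed and awk.

# cfg_value FILE KEY: value of the last uncommented KEY=... line in FILE.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_rpc_nisd_config FILE
# The file holds nisplusLDAPproxyPassword in clear text, and a simple bind
# sends that password to the directory server unencrypted. Returns 0 when
# FILE is unreadable by group/other, plain-text binds only go to loopback,
# and the sample password is not in use; returns 1 (reasons on stderr)
# otherwise.
check_rpc_nisd_config() {
    f=$1; rc=0
    # Group/other bits are columns 5-10 of the ls(1) mode field; ls output
    # is the same on Solaris and Linux, unlike stat(1) flags.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$f: readable by group/other ($perms); chmod 0600" >&2; rc=1; }
    method=$(cfg_value "$f" authenticationMethod)
    servers=$(cfg_value "$f" preferredServerList | tr ',' ' ')
    case $method in
    simple|none)
        for s in $servers; do
            case $s in
            127.0.0.1|127.0.0.1:*|localhost|localhost:*) ;;
            *) echo "$f: $method bind to non-loopback $s; use tls:simple" >&2
               rc=1 ;;
            esac
        done ;;
    esac
    [ "$(cfg_value "$f" nisplusLDAPproxyPassword)" != dirmanager ] ||
        { echo "$f: proxy password is still the sample value" >&2; rc=1; }
    return $rc
}

# comment_out_ids REGEX < template > mapping
# Comments out every nisplusLDAP* attribute whose databaseId (the word after
# the attribute name, up to the first colon) matches REGEX. A multi-line
# attribute ends each continued line with a backslash; those lines are
# commented out as well, which a one-line sed on the first line would miss.
comment_out_ids() {
    awk -v re="^($1)\$" '
    function id_of(line,   f) {
        if (line !~ /^nisplusLDAP/) return ""
        f = line
        sub(/^[^ \t]+[ \t]+/, "", f)   # drop the attribute name
        sub(/:.*/, "", f)              # keep the databaseId only
        return f
    }
    cont           { print "#" $0; cont = ($0 ~ /\\$/); next }
    id_of($0) ~ re { print "#" $0; cont = ($0 ~ /\\$/); next }
                   { print }'
}

# Constructed fragment in the template's syntax (not the real template),
# used for a dry run of comment_out_ids.
sample_mapping() {
    cat <<'EOF'
# Standard NIS+ directories
nisplusLDAPdatabaseIdMapping    basedir:
nisplusLDAPdatabaseIdMapping    passwd_table:passwd.org_dir
nisplusLDAPdatabaseIdMapping    passwd:passwd.org_dir

nisplusLDAPentryTtl             passwd_table:21600:43200:43200
nisplusLDAPentryTtl             passwd:21600:43200:43200
nisplusLDAPobjectDN             admin:cn=admin,ou=nisPlus,?base?\
                                objectClass=nisplusObjectContainer:\
                                cn=admin,ou=nisPlus,?base?\
                                objectClass=nisplusObjectContainer,\
                                objectClass=top
nisplusLDAPobjectDN             passwd:ou=People,?one?objectClass=posixAccount:\
                                ou=People,?one?objectClass=posixAccount
EOF
}

# Objects left unmapped by the assumptions above: the directory and group
# objects of steps 9-10 and every *_table object of steps 11-12.
UNMAPPED='basedir|orgdir|groupsdir|admin|.*_table'

# Usage: sh preflight.sh check   (audit /etc/default/rpc.nisd)
#        sh preflight.sh demo    (run comment_out_ids on the sample)
#        comment_out_ids "$UNMAPPED" < NIS+LDAPmapping.template > nlm
case ${1:-} in
check) check_rpc_nisd_config /etc/default/rpc.nisd ;;
demo)  sample_mapping | comment_out_ids "$UNMAPPED" ;;
esac
```

Running the demo shows the admin nisplusLDAPobjectDN entry commented out on all five of its lines while the passwd entry, which also spans two lines, is left untouched; the check mode exits non-zero and names each finding, so it can sit in front of the rpc.nisd start in step 20.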