System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
NIS+ Entry Owner, Group, Access, and TTL

When NIS+ table entries are created from LDAP data, the default behavior is to initialize the entry object owner, group, access rights, and TTL using the corresponding values from the table object in which the entry object lives. This is normally sufficient, but there might be cases where these NIS+ entry attributes must be established individually. An example of this would be a site that did not use the rpc.nispasswdd(1M) daemon. In order to allow individual users to change their NIS+ passwords (and re-encrypt their Diffie-Hellman keys stored in the cred.org_dir table), passwd.org_dir and cred.org_dir entries for the user should be owned by the user, and have modify rights for the entry owner.

If you need to store table entry owner, group, access, or TTL in LDAP for one or more NIS+ tables, you need to do the following.

How to Store Additional Entry Attributes in LDAP

  1. Consult your LDAP server documentation, and create the following new attributes and object class. (The LDIF data is suitable for ldapadd; continuation lines begin with a single space, as LDIF requires. Attribute and object class OIDs are for illustration only.)
    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.0 NAME 'nisplusEntryOwner'
      DESC 'Opaque representation of NIS+ entry owner'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.1 NAME 'nisplusEntryGroup'
      DESC 'Opaque representation of NIS+ entry group'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.2 NAME 'nisplusEntryAccess'
      DESC 'Opaque representation of NIS+ entry access'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.3 NAME 'nisplusEntryTtl'
      DESC 'Opaque representation of NIS+ entry TTL'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.5.0 NAME 'nisplusEntryData'
      SUP top STRUCTURAL DESC 'NIS+ entry object non-column data'
      MUST ( cn ) MAY ( nisplusEntryOwner $ nisplusEntryGroup $
      nisplusEntryAccess $ nisplusEntryTtl ) )
  2. Modify the nisplusLDAPobjectDN attribute value for the relevant table(s) so that the write portion includes the newly created nisplusEntryData object class.

    For example, for the passwd.org_dir table, assuming that you are using a mapping file based on /var/nis/NIS+LDAPmapping.template, edit as follows.

    nisplusLDAPobjectDN    passwd:ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount:\
                    ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount,\
                    objectClass=account,objectClass=top

    Edit the attribute value as follows.

    nisplusLDAPobjectDN    passwd:ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount:\
                    ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount,\
                    objectClass=nisplusEntryData,\
                    objectClass=account,objectClass=top
  3. Edit the nisplusLDAPattributeFromColumn and nisplusLDAPcolumnFromAttribute attribute values to specify any desired subset of owner, group, access, or TTL.

    In Step 1, you created the LDAP attributes used to store these values. On the NIS+ side, the predefined pseudo-column names zo_owner, zo_group, zo_access, and zo_ttl refer to the entry owner, group, access rights, and TTL, respectively. For example, in order to store owner, group, and access for passwd.org_dir entries in LDAP, modify the nisplusLDAPattributeFromColumn value from the following.

    nisplusLDAPattributeFromColumn \
            passwd:        dn=("uid=%s,", name), \
                    cn=name, \
                    uid=name, \
                    userPassword=("{crypt$}%s", passwd), \
                    uidNumber=uid, \
                    gidNumber=gid, \
                    gecos=gcos, \
                    homeDirectory=home, \
                    loginShell=shell, \
                    (shadowLastChange,shadowMin,shadowMax, \
                     shadowWarning, shadowInactive,shadowExpire)=\
                        (shadow, ":")

    Edit to read as follows.

    nisplusLDAPattributeFromColumn \
            passwd:        dn=("uid=%s,", name), \
                    cn=name, \
                    uid=name, \
                    userPassword=("{crypt$}%s", passwd), \
                    uidNumber=uid, \
                    gidNumber=gid, \
                    gecos=gcos, \
                    homeDirectory=home, \
                    loginShell=shell, \
                    (shadowLastChange,shadowMin,shadowMax, \
                     shadowWarning, shadowInactive,shadowExpire)=\
                        (shadow, ":"), \
                    nisplusEntryOwner=zo_owner, \
                    nisplusEntryGroup=zo_group, \
                    nisplusEntryAccess=zo_access

    Similarly, to set NIS+ entry owner, group, and access from LDAP data for the passwd.org_dir table, modify the following.

    nisplusLDAPcolumnFromAttribute \
            passwd:        name=uid, \
                    ("{crypt$}%s", passwd)=userPassword, \
                    uid=uidNumber, \
                    gid=gidNumber, \
                    gcos=gecos, \
                    home=homeDirectory, \
                    shell=loginShell, \
                    shadow=("%s:%s:%s:%s:%s:%s", \
                        shadowLastChange, \
                        shadowMin, \
                        shadowMax, \
                        shadowWarning, \
                        shadowInactive, \
                        shadowExpire)

    Edit to read as follows.

    nisplusLDAPcolumnFromAttribute \
            passwd:        name=uid, \
                    ("{crypt$}%s", passwd)=userPassword, \
                    uid=uidNumber, \
                    gid=gidNumber, \
                    gcos=gecos, \
                    home=homeDirectory, \
                    shell=loginShell, \
                    shadow=("%s:%s:%s:%s:%s:%s", \
                        shadowLastChange, \
                        shadowMin, \
                        shadowMax, \
                        shadowWarning, \
                        shadowInactive, \
                        shadowExpire), \
                    zo_owner=nisplusEntryOwner, \
                    zo_group=nisplusEntryGroup, \
                    zo_access=nisplusEntryAccess
  4. Upload owner, group, access, and/or TTL entry data to LDAP.

    See How to Convert All NIS+ Data to LDAP in One Operation for more information.

  5. Restart the NIS+ service in order to make the mapping change take effect.
    # svcadm restart network/rpc/nisplus:default
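As an added example that is not part of this guide or of Sun's NIS+ to LDAP tools, the following Python script checks that Steps 2 and 3 agree for one table: every zo_* pseudo-column written to LDAP uses the attribute name defined in Step 1, and the write portion of nisplusLDAPobjectDN includes objectClass=nisplusEntryData (without it, the directory server has no object class permitting those attributes and rejects the write). It assumes the mapping-file syntax shown above (backslash continuation lines, table:readDN?scope?filter:writeDN?scope?attributes); the BEFORE and AFTER fragments are constructed and shortened.

```python
import re
# Constructed /var/nis/NIS+LDAPmapping fragments (not Sun's template). BEFORE maps the
# zo_* pseudo-columns (Step 3) but skips Step 2; AFTER adds nisplusEntryData as well.
BEFORE = r"""
nisplusLDAPobjectDN    passwd:ou=People,?one?objectClass=shadowAccount,\
                objectClass=posixAccount:\
                ou=People,?one?objectClass=shadowAccount,\
                objectClass=posixAccount,\
                objectClass=account,objectClass=top
nisplusLDAPattributeFromColumn \
        passwd:        dn=("uid=%s,", name), \
                userPassword=("{crypt$}%s", passwd), \
                nisplusEntryOwner=zo_owner, \
                nisplusEntryGroup=zo_group, \
                nisplusEntryAccess=zo_access
"""
AFTER = BEFORE.replace("objectClass=account,objectClass=top",
                       "objectClass=nisplusEntryData,objectClass=account,objectClass=top")

# Pseudo-column -> LDAP attribute pairs used in Step 3 of the procedure.
ZO_TO_ATTR = {"zo_owner": "nisplusEntryOwner", "zo_group": "nisplusEntryGroup",
              "zo_access": "nisplusEntryAccess", "zo_ttl": "nisplusEntryTtl"}

def parse_mapping(text):
    """Join backslash-continued lines; return {(attribute, table): value}."""
    logical = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    result = {}
    for line in logical.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table, _, value = parts[1].partition(":")
            result[(parts[0], table.strip())] = value.strip()
    return result

def check_entry_data(text, table):
    """List Step 2/Step 3 inconsistencies for one table; [] means consistent."""
    mapping = parse_mapping(text)
    from_col = mapping.get(("nisplusLDAPattributeFromColumn", table), "")
    problems, used = [], set()
    for attr, col in re.findall(r"(\w+)\s*=\s*(zo_\w+)", from_col):
        used.add(col)
        if attr != ZO_TO_ATTR.get(col):
            problems.append(f"{table}: {col} mapped to {attr}, expected {ZO_TO_ATTR.get(col)}")
    if used:  # write portion = text after the read portion's ':' separator
        write_part = mapping.get(("nisplusLDAPobjectDN", table), "").partition(":")[2]
        classes = {c.lower() for c in re.findall(r"objectClass=(\w+)", write_part, re.I)}
        if "nisplusentrydata" not in classes:
            problems.append(f"{table}: {sorted(used)} written but nisplusLDAPobjectDN "
                            "write portion lacks objectClass=nisplusEntryData")
    return problems
```

Run it against a copy of the real mapping file after editing; an empty list for each table that maps zo_* columns means the object class and column mappings are consistent before the service restart.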