System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Merging NIS+ and LDAP Data

NIS+ to LDAP Migration Scenarios showed how to synchronize NIS+ and LDAP data when data conflicts between the two should be resolved by letting either the NIS+ or the LDAP data be authoritative. Merging data requires a more complicated procedure.

The example procedure in this section assumes the following.

ProcedureHow to Merge NIS+ and LDAP Data

Caution – Caution –

If the LDAP data should change between the download in Step 4 and the upload in Step 10, the upload might overwrite those changes. For this reason, you should try to prevent modifications to the LDAP data during this procedure. Consult your LDAP server documentation for more information.

  1. Back up all NIS+ data using the nisbackup command.

    # nisbackup -a /nisbackup
  2. Identify the NIS+ tables that have data which must be merged with LDAP. Dump the contents of these tables to flat files. For example, dump the contents of group.org_dir by using nisaddent as follows.

    # nisaddent -d group | sort > /before/group

    Piping the nisaddent output to sort will make for convenient comparison later on.

  3. Download LDAP data to NIS+.

    # /usr/sbin/rpc.nisd -D -m tmpmap \
    -x nisplusLDAPinitialUpdateAction=from_ldap \
    -x nisplusLDAPinitialUpdateOnly=yes
  4. Start the NIS+ service.

    # svcadm enable network/rpc/nisplus:default

    The rpc.nisd daemon will now be serving the data downloaded from LDAP. If the conflicts to be resolved are such that NIS+ clients should not be exposed to them, make sure to perform this and the following steps when there are few (preferably no) active NIS+ clients.

  5. Dump the NIS+ data for the affected tables.

    The following example uses the group.org_dir table.

    # nisaddent -d group | sort > /after/group
  6. Create merged versions of the tables.

    Use the file merge procedure of your choice to produce the merged tables. If no other tools are available, you can use diff(1) to collect differences between the /before and /after files, and merge manually with a text editor.

    The following example assumes that the merged results are available in /after.

  7. Load the merged data into NIS+. The following example uses the group table.

    # nisaddent -m -f /after/group group
  8. Remove LDAP entries that should not exist after the merge.

    A. If there are LDAP entries that do not exist in the (now merged) NIS+ data, and that should not exist in LDAP after the upload, you must remove those LDAP entries.

    Your LDAP server might provide a convenient method for removing multiple entries, such as a way to delete all entries in a container. If this is not the case, you can use ldapsearch(1) to generate a list of entries for each container. For example, to generate a list of all entries in the ou=Rpc container, use ldapsearch(1) as follows.

    # ldapsearch -h server-address -D bind-DN -w password \
     -b ou=Rpc,search-base 'objectClass=*' dn | \
    grep -i ou=Rpc | grep -v -i \^ou=Rpc > /tmp/delete-dn

    See Performance and Indexing for an explanation of the meta-arguments (server-address, bind-DN, for example).

    B. You can now edit the result file (/tmp/delete-dn) to specify only those entries that should be removed. Alternatively, in order to remove all entries in the container, use the file as is, and rely on the NIS+ upload to restore the LDAP data. Either way, you should backup the LDAP data before performing the ldapdelete operation below.

    C. Use ldapdelete to remove LDAP entries, redirecting stdout (which usually is one blank line for each entry removed) to /dev/null.

    # ldapdelete -h server-address -D bind-DN -w password \
    /tmp/delete-dn /dev/null

    D. Repeat the above procedure for each container that has at least one entry which must be removed.