This chapter presents the fundamental principles of the NIS+ (pronounced “niss-plus”) applications programming interface and a detailed sample program. The NIS+ API is for programmers who need to build applications for Solaris networks. It provides the essential features for supporting enterprise-wide applications.
This chapter covers the following topics:
The NIS+ network name service addresses the requirements of client/server networks ranging in size from 10 clients supported by a few servers on a local area network to 10,000 multi-vendor clients supported by 20 to 100 specialized servers located in sites throughout the world and connected by several public networks.
This section describes various aspects of the NIS+ network name service.
NIS+ supports hierarchical domains, as illustrated in the following figure.
A NIS+ domain is a set of data describing the workstations, users, and network services in a portion of an organization. NIS+ domains can be administered independently of each other. This independence enables NIS+ to be used in a range of networks, from small to very large.
Each domain is supported by a set of servers. The principal server is called the master server, and the backup servers are called replicas. Both master and replica servers run NIS+ server software. The master server stores the original tables, and the backup servers store copies.
NIS+ accepts incremental updates to the replicas. Changes are first made on the master server. Then they are automatically propagated to the replica servers and are soon available to the entire namespace.
NIS+ stores information in tables instead of maps or zone files. NIS+ provides 16 types of predefined, or system, tables, which are named in the following list:
Hosts
Bootparams
Password
Cred
Group
Netgroups
Mail Aliases
Timezone
Networks
Netmasks
Ethers
Services
Protocols
RPC
Auto_Home
Auto_Master
Each table stores a different type of information. For instance, the Hosts table stores host name/Internet address pairs, and the Password table stores information about users of the network.
NIS+ tables have two major improvements over NIS maps. First, a NIS+ table can be accessed by any column, not just the first column, which is sometimes referred to as the “key.” This access eliminates the need for duplicate maps, such as the hosts.byname and hosts.byaddr maps of NIS. Second, access to the information in NIS+ tables can be controlled at three levels of granularity: the table level, the entry level, and the column level.
The NIS+ security model provides both authorization and authentication mechanisms. For authorization, every object in the namespace specifies the type of operation it accepts and from whom. NIS+ attempts to authenticate every requestor accessing the namespace. After it identifies the originator of the request, it determines whether the object has authorized that particular operation for that particular principal. Based on its authentication and the object's authorization, NIS+ carries out or denies the access request.
NIS+ works in conjunction with a separate facility called the Name Service Switch. The Name Service Switch, sometimes referred to as “the Switch,” enables Solaris-based workstations to obtain their information from more than one network information service. They can get the information from local, or /etc files, from NIS maps, from DNS zone files, or from NIS+ tables. The Switch not only offers a choice of sources, but allows a workstation to specify different sources for different types of information. The name service is configured through the file /etc/nsswitch.conf.
NIS+ provides a full set of commands for administering a namespace, as listed in the following table.
Table 9–1 NIS+ Namespace Administration Commands
The NIS+ application programming interface (API) is a group of functions that can be called by an application to access and modify NIS+ objects. The NIS+ API has 54 functions that fall into nine categories:
The functions in each category are summarized in the following table. The category names match the names by which they are grouped in the NIS+ man pages.
Table 9–2 NIS+ API Functions
This sample program performs the following tasks:
Determines the local principal and local domain
Looks up the local directory object
Creates a directory called foo under the local domain
Creates the groups_dir and org_dir directories under domain foo
Creates a group object admins.foo
Adds the local principal to the admins group
Creates a table under org_dir.foo
Adds two entries to the org_dir.foo table
Retrieves and displays the new membership list of the admins group
Lists the namespace under the foo domain using callbacks
Lists the contents of the table created using callbacks
Cleans up all the objects that were created by removing the following:
The local principal from the admins group
The admins group
The entries in the table followed by the table
The groups_dir and org_dir directory objects
The foo directory object
The example program is not a typical application. In a normal situation the directories and tables would be created or removed through the command line interface, and applications would manipulate NIS+ entry objects.
The sample program uses unsupported macros that are defined in the file <rpcsvc/nis.h>. These macros are not public APIs and can change or disappear in the future. They are used for illustration purposes only and if you choose to use them, you do so at your own risk. The macros used are:
NIS_RES_OBJECT
ENTRY_VAL
DEFAULT_RIGHTS
The use of the following NIS+ C API functions is illustrated through this example.
The NIS+ principal running this application has permission to create directory objects in the local domain. The program is compiled by typing:
% cc -o example.c example -lnsl |
It is invoked by typing:
% example [dir] |
where dir is the NIS+ directory in which the program creates all the NIS+ objects. Specifying no directory argument causes the objects to be created in the parent directory of the local domain. Note that for the call to nis_lookup(), a space and the name of the local domain are appended to the string that names the directory. The argument is the name of the NIS+ directory in which to create the NIS+ objects. The principal running this program should have create permission in the directory.
The following code example shows the routine is called by main() to create directory objects.
void dir_create (dir_name, dirobj) nis_name dir_name; nis_object *dirobj; { nis_result *cres; nis_error err; printf ("\n Adding Directory %s to namespace ... \n", dir_name); cres = nis_add (dir_name, dirobj); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "unable to add directory foo."); exit (1); } (void) nis_freeresult (cres); /* * NOTE: you need to do a nis_mkdir to create the table to store the * contents of the directory you are creating. */ err = nis_mkdir (dir_name, dirobj->DI_data.do_servers.do_servers_val); if (err != NIS_SUCCESS) { (void) nis_remove (dir_name, 0); nis_perror (err, "unable to create table for directory object foo."); exit (1); } }
This routine is called by main() to create the group object. Because nis_creategroup() works only on group objects, the “groups_dir” literal is not needed in the group name.
void grp_create (grp_name) nis_name grp_name; { nis_error err; printf ("\n Adding %s group to namespace ... \n", grp_name); err = nis_creategroup (grp_name, 0); if (err != NIS_SUCCESS) { nis_perror (err, "unable to create group."); exit (1); } }
The routine shown in the following example is called by main() to create a table object laid out as shown in the following table.
Table 9–3 NIS+ Table Objects
|
Column1 |
Column2 |
---|---|---|
Name: |
id |
name |
Attributes: |
Searchable, Text |
Searchable, Text |
Access Rights |
----rmcdr---r--- |
----rmcdr---r--- |
The TA_SEARCHABLE constant indicates to the service that the column is searchable. Only TEXT (the default) columns are searchable. TA_CASE indicates to the service that the column value is to be treated in a case-insensitive manner during searches.
#define TABLE_MAXCOLS 2 #define TABLE_COLSEP ':' #define TABLE_PATH 0 void tbl_create (dirobj, table_name) nis_object *dirobj; /* need to use some of the fields */ nis_name table_name; { nis_result *cres; static nis_object tblobj; static table_col tbl_cols[TABLE_MAXCOLS] = { {"Id", TA_SEARCHABLE | TA_CASE, DEFAULT_RIGHTS}, {"Name", TA_SEARCHABLE | TA_CASE, DEFAULT_RIGHTS} }; tblobj.zo_owner = dirobj->zo_owner; tblobj.zo_group = dirobj->zo_group; tblobj.zo_access = DEFAULT_RIGHTS; /* macro defined in nis.h */ tblobj.zo_data.zo_type = TABLE_OBJ; /* enumerated type in nis.h */ tblobj.TA_data.ta_type = TABLE_TYPE; tblobj.TA_data.ta_maxcol = TABLE_MAXCOLS; tblobj.TA_data.ta_sep = TABLE_COLSEP; tblobj.TA_data.ta_path = TABLE_PATH; tblobj.TA_data.ta_cols.ta_cols_len = tblobj.TA_data.ta_maxcol; /* ALWAYS ! */ tblobj.TA_data.ta_cols.ta_cols_val = tbl_cols; /* * Use a fully qualified table name i.e. the "org_dir" literal should * be embedded in the table name. This is necessary because nis_add * operates on all types of NIS+ objects and needs the full path name * if a table is created. */ printf ("\n Creating table %s ... \n", table_name); cres = nis_add (table_name, &tblobj); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "unable to add table."); exit (1); } (void) nis_freeresult (cres); }
The routine shown in the following example is called by main() to add entry objects to the table object. Two entries are added to the table object. Note that the column width in both entries is set to include the NULL character for a string terminator.
#define MAXENTRIES 2 void stuff_table(table_name) nis_name table_name; { int i; nis_object entdata; nis_result *cres; static entry_col ent_col_data[MAXENTRIES][TABLE_MAXCOLS] = { {0, 2, "1", 0, 5, "John"}, {0, 2, "2", 0, 5, "Mary"} }; printf ("\n Adding entries to table ... \n"); /* * Look up the table object first since the entries being added * should have the same owner, group owner and access rights as * the table they go in. */ cres = nis_lookup (table_name, 0); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "Unable to lookup table"); exit(1); } entdata.zo_owner = NIS_RES_OBJECT (cres)->zo_owner; entdata.zo_group = NIS_RES_OBJECT (cres)->zo_group; entdata.zo_access = NIS_RES_OBJECT (cres)->zo_access; /* Free cres, so that it can be reused. */ (void) nis_freeresult (cres); entdata.zo_data.zo_type = ENTRY_OBJ; /* enumerated type in nis.h */ entdata.EN_data.en_type = TABLE_TYPE; entdata.EN_data.en_cols.en_cols_len = TABLE_MAXCOLS; for (i = 0; i < MAXENTRIES; ++i) { entdata.EN_data.en_cols.en_cols_val = &ent_col_data[i][0]; cres = nis_add_entry (table_name, &entdata, 0); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "unable to add entry."); exit (1); } (void) nis_freeresult (cres); } }
The routine shown in the following example is the print function for the nis_list() call. When list_objs() calls nis_list(), a pointer to print_info() is one of the calling arguments. Each time the service calls this function, it prints the contents of the entry object. The return value indicates to the library to call with the next entry from the table.
int print_info (name, entry, cbdata) nis_name name; /* Unused */ nis_object *entry; /* The NIS+ entry object */ void *cbdata; /* Unused */ { static u_int firsttime = 1; entry_col *tmp; /* only to make source more readable */ u_int i, terminal; if (firsttime) { printf ("\tId.\t\t\tName\n"); printf ("\t---\t\t\t----\n"); firsttime = 0; } for (i = 0; i < entry->EN_data.en_cols.en_cols_len; ++i) { tmp = &entry->EN_data.en_cols.en_cols_val[i]; terminal = tmp->ec_value.ec_value_len; tmp->ec_value.ec_value_val[terminal] = '\0'; } /* * ENTRY_VAL is a macro that returns the value of a specific * column value of a specified entry. */ printf("\t%s\t\t\t%s\n", ENTRY_VAL (entry, 0), ENTRY_VAL (entry, 1)); return (0); /* always ask for more */ }
The routine shown in the following example is called by main() to list the contents of the group, table, and directory objects. The routine demonstrates the use of callbacks also. It retrieves and displays the membership of the group. The group membership list is not stored as the contents of the object. So, the list is queried through the nis_lookup() instead of the nis_list() call. You must use the “groups_dir” form of the group because nis_lookup() works on all types of NIS+ objects.
void list_objs(dir_name, table_name, grp_name) nis_name dir_name, table_name, grp_name; { group_obj *tmp; /* only to make source more readable */ u_int i; char grp_obj_name [NIS_MAXNAMELEN]; nis_result *cres; char index_name [BUFFER_SIZE]; sprintf (grp_obj_name, "%s.groups_dir.%s", nis_leaf_of (grp_name), nis_domain_of (grp_name)); printf ("\nGroup %s membership is: \n", grp_name); cres = nis_lookup(grp_obj_name, 0); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "Unable to lookup group object."); exit(1); } tmp = &(NIS_RES_OBJECT(cres)->GR_data); for (i = 0; i < tmp->gr_members.gr_members_len; ++i) printf ("\t %s\n", tmp->gr_members.gr_members_val[i]); (void) nis_freeresult (cres); /* * Display the contents of the foo domain without using callbacks. */ printf ("\nContents of Directory %s are: \n", dir_name); cres = nis_list (dir_name, 0, 0, 0); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "Unable to list Contents of Directory foo."); exit(1); } for (i = 0; i < NIS_RES_NUMOBJ(cres); ++i) printf("\t%s\n", NIS_RES_OBJECT(cres)[i].zo_name); (void) nis_freeresult (cres); /* * List the contents of the table we created using the callback form * of nis_list(). */ printf ("\n Contents of Table %s are: \n", table_name); cres = nis_list (table_name, 0, print_info, 0); if(cres->status != NIS_CBRESULTS && cres->status != NIS_NOTFOUND){ nis_perror (cres->status, "Listing entries using callback failed"); exit(1); } (void) nis_freeresult (cres); /* * List only one entry from the table we created. Use * indexed names to do this retrieval. */ printf("\n Entry corresponding to id 1 is:\n"); /* * The name of the column is usually extracted from the table * object, which would have to be retrieved first. */ sprintf(index_name, "[Id=1],%s", table_name); cres = nis_list (index_name, 0, print_info, 0); if(cres->status != NIS_CBRESULTS && cres->status != NIS_NOTFOUND){ nis_perror (cres->status, "Listing entry using indexed names and callback failed"); exit(1); } (void) nis_freeresult (cres); }
The routine in the following table is called by cleanup() to remove a directory object from the namespace. The routine also informs the servers serving the directory about this deletion. Note that the memory containing result structure, pointed to by cres, must be freed after the result has been tested.
void dir_remove(dir_name, srv_list, numservers) nis_name dir_name; nis_server *srv_list; u_int numservers; { nis_result *cres; nis_error err; u_int i; printf ("\nRemoving %s directory object from namespace ... \n", dir_name); cres = nis_remove (dir_name, 0); if (cres->status != NIS_SUCCESS) { nis_perror (cres->status, "unable to remove directory"); exit (1); } (void) nis_freeresult (cres); for (i = 0; i < numservers; ++i) { err = nis_rmdir (dir_name, &srv_list[i]); if (err != NIS_SUCCESS) { nis_perror (err, "unable to remove server from directory"); exit (1); } } }
The following routine is called by main() to delete all the objects that were created in this example. Note the use of the REM_MULTIPLE flag in the call to nis_remove_entry(). You must delete all entries from a table before the table itself can be deleted.
void cleanup(local_princip, grp_name, table_name, dir_name, dirobj) nis_name local_princip, grp_name, table_name, dir_name; nis_object *dirobj; { char grp_dir_name [NIS_MAXNAMELEN]; char org_dir_name [NIS_MAXNAMELEN]; nis_error err; nis_result *cres; sprintf(grp_dir_name, "%s.%s", "groups_dir", dir_name); sprintf(org_dir_name, "%s.%s", "org_dir", dir_name); printf("\n\n\nStarting to Clean up ... \n"); printf("\n\nRemoving principal %s from group %s \n", local_princip, grp_name); err = nis_removemember (local_princip, grp_name); if (err != NIS_SUCCESS) { nis_perror (err, "unable to delete local principal from group."); exit (1); } /* * Delete the admins group. We do not use the "groups_dir" form * of the group name since this API is applicable to groups only. * It automatically embeds the groups_dir literal in the name of * the group. */ printf("\nRemoving %s group from namespace ... \n", grp_name); err = nis_destroygroup (grp_name); if (err != NIS_SUCCESS) { nis_perror (err, "unable to delete group."); exit (1); } printf("\n Deleting all entries from table %s ... \n", table_name); cres = nis_remove_entry(table_name, 0, REM_MULTIPLE); switch (cres->status) { case NIS_SUCCESS: case NIS_NOTFOUND: break; default: nis_perror(cres->status, "Could not delete entries from table"); exit(1); } (void) nis_freeresult (cres); printf("\n Deleting table %s itself ... \n", table_name); cres = nis_remove(table_name, 0); if (cres->status != NIS_SUCCESS) { nis_perror(cres->status, "Could not delete table."); exit(1); } (void) nis_freeresult (cres); /* delete the groups_dir, org_dir and foo directory objects. */ dir_remove (grp_dir_name, dirobj->DI_data.do_servers.do_servers_val, dirobj->DI_data.do_servers.do_servers_len); dir_remove (org_dir_name, dirobj->DI_data.do_servers.do_servers_val, dirobj->DI_data.do_servers.do_servers_len); dir_remove (dir_name, dirobj- >DI_data.do_servers.do_servers_val, dirobj->DI_data.do_servers.do_servers_len); }
Running the program displays on the screen, as shown in the following code example.
myhost% domainname sun.com myhost% ./sample Adding Directory foo.sun.com. to namespace ... Adding Directory groups_dir.foo.sun.com. to namespace ... Adding Directory org_dir.foo.sun.com. to namespace ... Adding admins.foo.sun.com. group to namespace ... Adding principal myhost.sun.com. to group admins.foo.sun.com. ... Creating table test_table.org_dir.foo.sun.com. ... Adding entries to table ... Group admins.foo.sun.com. membership is: myhost.sun.com. Contents of Directory foo.sun.com. are: groups_dir org_dir Contents of Table test_table.org_dir.foo.sun.com. are: Id. Name --- ---- 1 John 2 Mary Entry corresponding to id 1 is: 1 John Starting to Clean up ... Removing principal myhost.sun.com. from group admins.foo.sun.com. Removing admins.foo.sun.com. group from namespace ... Deleting all entries from table test_table.org_dir.foo.sun.com. ... Deleting table test_table.org_dir.foo.sun.com. itself ... Removing groups_dir.foo.sun.com. directory object from namespace ... Removing org_dir.foo.sun.com. directory object from namespace ... Removing foo.sun.com. directory object from namespace ... myhost%
As a debugging aid, the same operations are performed by the following command sequence. The first command displays the name of the master server.
Substitute the master server name where the variable master appears in the following.
% niscat -o `domainname`
% nismkdir -m master foo.`domainname`. # Create the org_dir.foo subdirectory with the specified master % nismkdir -m master org_dir.foo.`domainname`. # Create the groups_dir.foo subdirectory with the specified master % nismkdir -m master groups_dir.foo.`domainname`. # Create the “admins” group % nisgrpadm -c admins.foo.`domainname`. # Add yourself as a member of this group % nisgrpadm -a admins.foo.`domainname`. `nisdefaults -p` # Create a test_table with two columns : Id and Name % nistbladm -c test_data id=SI Name=SI \ test_table.org_dir.foo.`domainname` # Add one entry to that table. % nistbladm -a id=1 Name=John test_table.org_dir.foo.`domainname`. # Add another entry to that table. % nistbladm -a id=2 Name=Mary test_table.org_dir.foo.`domainname`. # List the members of the group admins % nisgrpadm -l admins.foo.`domainname`. # List the contents of the foo directory % nisls foo.`domainname`. # List the contents of the test_table along with its header % niscat -h test_table.org_dir.foo.`domainname`. # Get the entry from the test_table where id = 1 % nismatch id=1 test_table.org_dir.foo.`domainname`. # Delete all we created. # First, delete yourself from the admins group % nisgrpadm -r admins.foo.`domainname`. `nisdefaults -p` # Delete the admins group % nisgrpadm -d admins.foo.`domainname`. # Delete all the entries from the test_table % nistbladm -r “[],test_table.org_dir.foo.`domainname`.” # Delete the test_table itself. % nistbladm -d test_table.org_dir.foo.`domainname`. # Delete all three directories that we created % nisrmdir groups_dir.foo.`domainname`. % nisrmdir org_dir.foo.`domainname`. % nisrmdir foo.`domainname`.