NIS+ to LDAP Migration Scenarios showed how to synchronize NIS+ and LDAP data when data conflicts between the two should be resolved by letting either the NIS+ or the LDAP data be authoritative. Merging data requires a more complicated procedure.
The example procedure in this section assumes the following.
You are putting a backup of the NIS+ data in the /nisbackup directory.
Valid mapping configuration already exists in /etc/default/rpc.nisd and /var/nis/tmpmap (for tables that should be merged).
Flat file representations of the NIS+ data before the merge are stored in /before, and after-merge representations in /after.
niscat is used to dump flat file representations of custom NIS+ tables not supported by nisaddent(1M). You might have your own commands or scripts for dumping and loading such custom tables from and to NIS+. If so, those commands/scripts should be used in preference to niscat since the latter has no convenient counterpart to load data back into NIS+.
Your command path includes /usr/lib/nis (which is where nisaddent(1M) resides).
If the LDAP data changes between the download from LDAP in Step 4 and the upload to LDAP in Step 10, the upload might overwrite those changes. For this reason, try to prevent modifications to the LDAP data for the duration of this procedure. Consult your LDAP server documentation for more information.
Back up all NIS+ data using the nisbackup command.
# nisbackup -a /nisbackup
Identify the NIS+ tables that have data which must be merged with LDAP. Dump the contents of these tables to flat files. For example, dump the contents of group.org_dir by using nisaddent as follows.
# nisaddent -d group | sort > /before/group
Piping the nisaddent output to sort will make for convenient comparison later on.
Download LDAP data to NIS+.
# /usr/sbin/rpc.nisd -D -m tmpmap \
    -x nisplusLDAPinitialUpdateAction=from_ldap \
    -x nisplusLDAPinitialUpdateOnly=yes
Start the NIS+ service.
# svcadm enable network/rpc/nisplus:default
The rpc.nisd daemon will now be serving the data downloaded from LDAP. If the conflicts to be resolved are such that NIS+ clients should not be exposed to them, make sure to perform this and the following steps when there are few (preferably no) active NIS+ clients.
Dump the NIS+ data for the affected tables.
The following example uses the group.org_dir table.
# nisaddent -d group | sort > /after/group
Create merged versions of the tables.
Use the file merge procedure of your choice to produce the merged tables. If no other tools are available, you can use diff(1) to collect differences between the /before and /after files, and merge manually with a text editor.
The following example assumes that the merged results are available in /after.
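The merge step above leaves the merge method to you. The following added example (not part of the original documentation) shows one way to do it for a colon-separated table such as group, using only POSIX sh, awk and sort. It assumes that the first field is the key (the group name for group.org_dir) and that the /before and /after files were produced with nisaddent -d piped through sort as in the earlier steps. Lines that are identical in both dumps, or whose key exists in only one of them, are merged automatically; a key that exists in both dumps with different contents is withheld and written to a conflicts file, so that nothing is chosen silently and you resolve those entries by hand before loading with nisaddent -m. The sample data is constructed for the example.

```shell
#!/bin/sh
# merge_flat BEFORE AFTER MERGED CONFLICTS
#   BEFORE    flat file dumped from NIS+ before the LDAP download (sorted)
#   AFTER     the same table dumped after the download (sorted)
#   MERGED    output: lines that can be merged without a decision
#   CONFLICTS output: keys present in both files with different contents
# The key is the first colon-separated field (the group name for group.org_dir).
merge_flat() {
    before=$1
    after=$2
    merged=$3
    conflicts=$4
    : > "$conflicts"
    # With an empty BEFORE file the awk FNR==NR idiom would misfile the
    # second file, so handle that case directly.
    if [ ! -s "$before" ]; then sort "$after" > "$merged"; return; fi
    awk -F: -v conf="$conflicts" '
        FNR == NR { b[$1] = $0; next }      # first file: NIS+ before the download
        { a[$1] = $0 }                       # second file: LDAP download
        END {
            for (k in b) {
                if (!(k in a) || a[k] == b[k]) print b[k]
                else {
                    # same key, different contents: record both, merge neither
                    printf "%s\t<<< NIS+: %s\n", k, b[k] > conf
                    printf "%s\t>>> LDAP: %s\n", k, a[k] > conf
                }
            }
            for (k in a) if (!(k in b)) print a[k]
        }' "$before" "$after" | sort > "$merged"
}

# conflict_count CONFLICTS: number of keys that still need a manual decision
conflict_count() {
    grep -c '<<< NIS+' "$1" || true
}

# Constructed sample data standing in for /before/group and /after/group.
work=$(mktemp -d)
cat > "$work/before" <<'EOF'
devel:*:20:carol
legacy:*:30:dave
staff:*:10:alice,bob
EOF
cat > "$work/after" <<'EOF'
devel:*:20:carol,erin
ldaponly:*:40:frank
staff:*:10:alice,bob
EOF
merge_flat "$work/before" "$work/after" "$work/merged" "$work/conflicts"
echo "== merged (ready for nisaddent -m once conflicts are resolved) =="
cat "$work/merged"
echo "== conflicts to resolve by hand: $(conflict_count "$work/conflicts") =="
cat "$work/conflicts"
```

For the sample, staff is identical in both dumps, legacy exists only in NIS+ and ldaponly only in LDAP, so all three land in the merged file; devel has a different member list on each side and appears only in the conflicts file. Append the resolved devel line to the merged file, then run it through sort before loading it with nisaddent -m.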
Load the merged data into NIS+. The following example uses the group table.
# nisaddent -m -f /after/group group
Remove LDAP entries that should not exist after the merge.
A. If there are LDAP entries that do not exist in the (now merged) NIS+ data, and that should not exist in LDAP after the upload, you must remove those LDAP entries.
Your LDAP server might provide a convenient method for removing multiple entries, such as a way to delete all entries in a container. If this is not the case, you can use ldapsearch(1) to generate a list of entries for each container. For example, to generate a list of all entries in the ou=Rpc container, use ldapsearch(1) as follows.
# ldapsearch -h server-address -D bind-DN -w password \
    -b ou=Rpc,search-base 'objectClass=*' dn | \
    grep -i ou=Rpc | grep -v -i \^ou=Rpc > /tmp/delete-dn
See Performance and Indexing for an explanation of the meta-arguments (server-address, bind-DN, for example).
B. You can now edit the result file (/tmp/delete-dn) to specify only those entries that should be removed. Alternatively, in order to remove all entries in the container, use the file as is, and rely on the NIS+ upload to restore the LDAP data. Either way, back up the LDAP data before performing the ldapdelete operation below.
C. Use ldapdelete to remove the LDAP entries, reading the DNs from the file and redirecting stdout (which usually is one blank line for each entry removed) to /dev/null.
# ldapdelete -h server-address -D bind-DN -w password \
    < /tmp/delete-dn > /dev/null
With both ldapsearch and ldapdelete, -w places the bind password on the command line, where it is visible in process listings and in the shell history. The Solaris LDAP client commands also accept -j password-file, which reads the password from a file instead.
D. Repeat the above procedure for each container that has at least one entry which must be removed.
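The grep pipeline in sub-step A keeps every line that contains the string ou=Rpc, so it would also select entries from a container with a longer name (ou=Rpcold, say) and it relies on the container entry itself being excluded by a second grep. The following added example (not part of the original documentation) is a stricter filter for sub-step A, written in POSIX sh and awk: it prints only DNs that end with ",container-DN" compared case-insensitively, never the container entry itself, and accepts both the default Solaris ldapsearch output (a bare DN line per entry) and LDIF output with a dn: prefix. The sample input is constructed; server-address, bind-DN and search-base in the commented-out pipeline are the page's meta-arguments, and -j password-file is used there instead of -w so the bind password stays out of the process listing.

```shell
#!/bin/sh
# child_dns CONTAINER-DN   (reads ldapsearch output on stdin)
# Prints the DNs that lie strictly beneath CONTAINER-DN. The suffix comparison
# is case-insensitive (DN attribute types and values such as ou=Rpc are not
# case-sensitive), the container entry itself is never printed, and an entry
# under a container whose name merely begins with the same string (ou=Rpcold)
# is not printed either.
child_dns() {
    awk -v base="$1" '
        BEGIN { lb = tolower(base); n = length(lb) }
        { sub(/^dn: /, "") }                    # LDIF form: strip the dn: prefix
        $0 !~ /^[A-Za-z0-9.-]+=/ { next }       # blank separator or attribute line
        {
            dn = tolower($0)
            if (dn == lb) next                  # the container entry itself
            # keep only DNs whose last n+1 characters are "," followed by the base
            if (length(dn) > n + 1 && substr(dn, length(dn) - n) == "," lb)
                print
        }'
}

# Constructed sample of what
#   ldapsearch ... -b ou=Rpc,search-base 'objectClass=*' dn
# prints by default: each entry's DN on its own line, followed by a blank line.
sample='ou=Rpc,dc=example,dc=com

cn=rpcbind,ou=Rpc,dc=example,dc=com

cn=ypserv,ou=Rpc,dc=example,dc=com

cn=stray,ou=Rpcold,dc=example,dc=com

cn=nested,OU=rpc,dc=example,dc=com
'
echo "== DNs selected for /tmp/delete-dn =="
printf '%s' "$sample" | child_dns 'ou=Rpc,dc=example,dc=com'

# Real use against a server (not run here):
#   ldapsearch -h server-address -D bind-DN -j password-file \
#       -b ou=Rpc,search-base 'objectClass=*' dn \
#     | child_dns ou=Rpc,search-base > /tmp/delete-dn
# Review /tmp/delete-dn, back up the LDAP data, then feed it to ldapdelete as
# in sub-step C.
```

For the sample, only the rpcbind, ypserv and nested entries are printed; the container entry and the entry under ou=Rpcold are left out. Because the output is the input to ldapdelete, checking the file by eye before sub-step C remains worthwhile even with the stricter filter.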