Chapter 4 NIS Information in the LDAP Directory

This chapter shows the organization of NIS information in the LDAP directory tree. Solaris Extensions for Netscape Directory Server 4.11 offers a default tree structure for NIS information that is compliant with RFC 2307 An Approach for Using LDAP as a Network Information Service. However, this structure can be configured to suit your own preferences.

This chapter also explains how the information in NIS maps is extracted and used to create LDAP entries.

This chapter includes the following sections:

• "NIS Files/LDAP Subtrees"
• "NIS File Entries/LDAP Entries"


• "NIS Schema"


• "NIS/LDAP Mapping Summary"

Figure 4.1 NIS Subtrees in the DIT

This tree structure can be configured to suit your needs by modifying the mapping file /etc/opt/SUNWconn/ldap/current/mapping/nis.mapping.

• aliases, see "aliases Mapping"
• bootparams, see "bootparams Mapping"


• ethers, see "ethers Mapping"


• group, see "group Mapping"


• hosts, see "hosts Mapping"


• netgroup, see "netgroup Mapping"


• networks, see "networks Mapping"


• passwd, see "passwd Mapping"


• protocols, see "protocols Mapping"


• rpc, see "rpc Mapping"


• ypservers, see "ypservers Mapping"

The nis.mapping file also contains a generic mapping definition for files that are not specifically defined. This includes any custom-built maps listed in your Makefile, and the following standard NIS files:

• auto_home
• auto_master


• netid


• netmasks


• publickey


• services


• timezone

The nis.mapping file is used by the following components:

• The dsimport utility, to extract information from NIS files and convert it to LDAP directory entries.
• The dsexport utility, to extract information from LDAP entries and restore the NIS files in their original format.


• The dejasync command, to synchronize the nis.mapping file with the deja.properties file. For information of the deja.properties file, refer to "Deja.properties" .


• The dsypaddmap and dsypdelmap utilities to respectively add an NIS map in the directory, or to delete an NIS map from the directory.

• The object class and attributes used to create an entry in the directory
• The subtree under which the entries are created

A generic mapping is applied to all files listed in the NIS Makefile that do not have a specific mapping definition in the nis.mapping file. This mapping extracts the NIS key and NIS value information from any file and creates an LDAP entry as follows:

LDAP attribute	NIS information
cn	nisKey (case ignored in LDAP searches)
sunNisKey	nisKey
nisMapEntry	nisValue
nisMapName	map name in Makefile
objectClass	top, nisSunObject

An entry in the aliases file is usually of the form:

aliasname: mailaddress1, mailaddress2, mailaddress3...

The mapping of this line in the nis.mapping file is shown below:

Table: mail.aliases

...

Import:

Extract:

LINE =>$aliasNameT:$aliasListT

Condense:

rfc822mailMembersT=string2instances($aliasListT,",")

trimrfc822mailMembersT=trim($rfc822mailMembersT)

objectClassT=string2instances("top nisMailAlias", " ")

Build:

dn=cn=$aliasNameT,$BASE_DN

cn=$aliasNameT

rfc822mailMember=$trimrfc822mailMembersT

objectClass=$objectClassT

The object class and attributes necessary to create an entry are listed in the Import/Build section of the mapping definition. The values assigned to the LDAP attributes listed in the Build section are taken from the tokens specified in either:

• The Import/Extract section of the mapping definition
• The Import/Condense section of the mapping definition
• The Common section in the nis.mapping file that applies to all mapping definitions.

In the Extract section, the keyword LINE shows the initial decomposition of a line in the aliases file. If,in your aliases file you use a punctuation mark other than a colon to separate the alias name from the alias list, you must change the LINE definition to match your file format.

Condense Section

In the Condense section, the token definition for rfc822mailMembersT provides a further decomposition of the alias list. If in your aliases file you use a punctuation mark other than a comma to separate the elements in the alias list, you must change the token definition to match your file format.

The token definition for trimrfc822mailMemberT removes any unnecessary white spaces from the result produced by the preceding string2instances operation on the alias list. The string2instances and trim functions are described in Appendix  A, "Mapping Syntax and Semantics.".

The token definition for objectClassT shows the nisMailAlias object class, and the object classes it inherits from, that is the top object class.

Build Section

In the Build section, the DN of the entry is created by concatenating the cn attribute and attribute value with the BASE_DN token. The BASE_DN token identifies the subtree under which the entry is created.

The rfc822mailMember and objectClass attributes are multi-valued. There is one occurrence of these attributes for each value resulting from the string2instances operations.

Example

For example, the aliases file in the domain France.airius.com contains the following line:

dir-team: pdurand, jdupond, asantini, msmith, dphilippe, smartin

The directory entry created from this line in the aliases file is:

dn: cn=dir-team, ou=Aliases, ou=Services, dc=France, dc=airius, dc=com

cn: dir-team

rfc822mailMember: pdurand

rfc822mailMember: jdupond

rfc822mailMember: asantini

rfc822mailMember: msmith

rfc822mailMember: dphilippe

rfc822mailMember: smartin

objectclass: nisMailAlias

objectclass: top

bootparams Mapping

An entry in the bootparams file is usually of the form:

hostname parameter1 parameter2 parameter3...parameterx

For example, the bootparams file in the domain France.airius.com contains the following line:

camembert root=server1:/export/camembert/root \

swap=server1:/export/camembert/swap \

domain=France.airius.com

The directory entry created from this entry in the bootparams file is:

dn: cn=camembert, ou=Hosts, ou=Services, dc=France, dc=airius, dc=com

cn: camembert

bootParameter: root=server1:/export/camembert/root

bootParameter: swap=server1:/export/camembert/swap

bootParameter: domain=France.airius.com

objectClass: top

objectClass: device

objectClass: bootableDevice

The host camembert probably also has an entry in /etc/ethers and in /etc/hosts. However, in the LDAP directory, the host camembert has just one entry, with all the attributes derived from the ethers mapping and the hosts mapping. The LDAP entry created for camembert has several object classes:

• One inherited structural object class: device
• Three auxiliary object classes; bootableDevice, ieee802Device, and ipHost

dn: cn=camembert, ou=Hosts, ou=Services, dc=France, dc=airius, dc=com

cn: camembert

cn: bertie

bootParameter: root=server1:/export/camembert/root

bootParameter: swap=server1:/export/camembert/swap

bootParameter: domain=France.airius.com

macAddress: 0:1:23:aa:bb:cc

ipHostNumber: 123.456.789.1

description: SS5 Pierre's desktop

objectClass: top

objectClass: device

objectClass: bootableDevice

objectClass:ieee802Device

objectClass: ipHost

If the entry for camembert is deleted from the bootparams file, the directory entry for camembert is updated by removing the bootableDevice object class and the bootParameter attributes which are specific to that object class.

ethers Mapping

An entry in the ethers file is usually of the form:

ethernetaddress machinename

For example, the ethers file in the domain France.airius.com contains the following line:

0:1:23:aa:bb:cc camembert

The directory entry created from this line in the ethers file is:

dn: cn=camembert, ou=Hosts, ou=Services, dc=France, dc=airius, dc=com

cn: camembert

cn: bertie

macAddress: 0:1:23:aa:bb:cc

objectClass: top

objectClass: device

objectClass:ieee802Device

The host camembert may also have an entry in the etc/bootparams file and the /etc/hosts file. See the example given in "bootparams Mapping" for details of the complete LDAP directory entry created from these files.

group Mapping

An entry in the group file is usually of the form:

groupname:password:groupidnumber:listofmembers

For example, the group file in the domain France.airius.com contains the following line:

sysadmin:yai957KJwXrjc:10:pdurand, jdupond, asantini

The directory entry created from this line in the group file is:

dn: cn=sysadmin, ou=Group, ou=Services, dc=France, dc=airius, dc=com

cn: sysadmin

gidNumber: 10

memberUid: pdurand

memberUid: jdupond

memberUid: asantini

userPassword: {crypt}yai957KJwXrjc

hosts Mapping

An entry in the hosts file is usually of the form:

ipaddress hostname hostaliasnames #hostdescription

For example, the hosts file in the domain France.airius.com contains the following line:

123.456.789.1 camembert bertie # SS5 Pierre's Desktop

The directory entry created from this line in the hosts file is:

dn: cn=camembert, ou=Hosts, ou=Services, dc=France, dc=airius, dc=com

cn: camembert

cn: bertie

ipHostNumber: 123.456.789.1

description: SS5 Pierre's desktop

objectClass: top

objectClass: device

objectClass: ipHost

The host camembert may also have an entry in the /etc/bootparams file and the /etc/ethers file. See the example given in "bootparams Mapping" for details of the complete LDAP directory entry created from these files.

netgroup Mapping

An entry in the netgroup file is usually of the form:

netgroupname grouptriple grouptriple grouptriple grouptriple

where grouptriple is of the form (hostname, username, domainname).

For example, the netgroup file in the domain France.airius.com contains the following line:

printers\

(bordeaux,-,France.airius.com)\

(bourgogne,-,France.airius.com)\

(sauternes,-,France.airius.com)

The directory entry created from this entry in the netgroup file is:

dn: cn=printers, ou=netgroup, ou=Services, dc=France, dc=airius, dc=com

cn: printers

nisNetGroupTriple: bordeaux,-,France.airius.com

nisNetGroupTriple: bourgogne,-,France.airius.com

nisNetGroupTriple: sauternes,-,France.airius.com

networks Mapping

An entry in the networks file is usually of the form:

networkname networkaddress networkalias #description

For example, the networks file in the domain France.airius.com contains the following line:

airius-eng 123.456.789 eng #engineering subnetwork

The directory entry created from this line in the networks file is:

dn: cn=airius-eng, ou=networks, ou=Services, dc=France, dc=airius, dc=com

cn: airius-eng

cn: eng

ipNetworkNumber: 123.456.789

description: engineering subnetwork

objectClass: top

objectClass: ipNetwork

passwd Mapping

An entry in the passwd file is usually of the form:

userid:userPasswd:uidnumber:gidnumber:gecos:homeDir:shell

When there is a shadow file associated with the passwd file, it is usually of the form:

userid:userPasswd:::::::

The user ID in the passwd file and in the shadow file are identical, but the user's password is actually stored in the shadow file and not in the passwd file.

For example, the passwd file in the domain France.airius.com contains the following line for Pierre Durand:

pdurand:x:12345:67:Pierre Durand-Project Manager:/home/pdurand:/bin/csh

The x instead of the user password indicates that the actual password is stored in the shadow file. The shadow file contains the following line for Pierre Durand:

pdurand:yai957KJwXrjc:::::::

The directory entry created from this line in the passwd file is:

dn: uid=pdurand, ou=People, dc=France, dc=airius, dc=com

cn: Pierre Durand

uid: pdurand

userPassword: {crypt}yai957KJwXrjc

uidNumber: 12345

gidNumber: 67

gecos: Pierre Durand-Project Manager

homeDirectory: /home/pdurand

loginShell: /bin/csh

objectClass: top

objectClass: account

objectClass: posixAccount

protocols Mapping

An entry in the protocols file is usually of the form:

protocolname protocolnumber protocolalias #description

For example, the protocols file in the domain France.airius.com contains the following line:

tcp 0 TCP_Protocol #Transmission Control Protocol

The directory entry created from this line in the protocols file is:

dn: cn=tcp, ou=protocols, ou=Services, dc=France, dc=airius, dc=com

cn: tcp

cn: tcP_Protocol

ipProtocolNumber: 0

description: Transmission Control Protocol

objectClass: top

objectClass: ipProtocol

rpc Mapping

An entry in the rpc file is usually of the form:

programname programnumber protocolalias #description

For example, the rpc file in the domain France.airius.com contains the following line:

yppasswdd 100123 yppasswd

The directory entry created from this line in the rpc file is:

dn: cn=yppasswdd, ou=rpc, ou=Services, dc=France, dc=airius, dc=com

cn: yppasswdd

cn: yppasswd

oncRpcNumber: 100123

objectClass: top

objectClass: oncRpc

ypservers Mapping

In the NIS environment, the ypservers file contains a list of the NIS servers in the domain.

For example, the ypservers file in the domain France.airius.com contains the following list:

brie

camembert

emmental

gorgonzola

roquefort

A directory entry is created for each server listed in the file. For example, the entry created for the server brie is:

dn: cn=brie, ou=ypservers, ou=Services, dc=France, dc=airius, dc=com

cn: brie

objectClass: top

objectClass: sunNisServer

The object classes and attributes in the NIS schema are compliant with RFC 2307 An Approach for Using LDAP as a Network Information Service.

The standard NIS schema objects are included in the slapd.oc.conf and slapd.at.conf files used by the directory server. By default, these files are stored in NSHOME/slapd-serverID, where NSHOME represents the directory where you installed the server, and serverID represents the identifier you assigned to the server during the installation process.

Some specific object classes and attributes that are not part of the RFC are also needed to operate the NIS service. These objects are defined in the nis.oc.conf and nis.at.conf files stored by default in the directory /opt/SUNWconn/ldap/default/schema.

For more details on the directory schema, refer to the Netscape Directory Server Administrator's Guide.

NIS Object Classes

automount

Description: Defines an entry representing an NIS automount record.

Superior object class: top

Mandatory attributes: cn (commonName), automountInformation

Optional attribute: description

bootableDevice (auxiliary object class)

Description: Defines an entry representing any device that requires boot parameters. Used to import information from the /etc/bootparams file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

Superior object class: device

Mandatory attribute: cn (commonName)

Optional attributes: bootFile, bootParameter

ieee802Device (auxiliary object class)

Description: Defines entries representing any device that has a MAC address. Used to import information from the /etc/ethers file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

Superior object class: device

Optional attribute: macAddress

ipHost (auxiliary object class)

Description: Used to describe a device that has an IP address. Used to import information from the /etc/hosts file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

Superior object class: top

Mandatory attributes: cn (commonName), ipHostNumber

Optional attributes: bootFile, bootParameter, description, l (localityName), macAddress, manager, serialNumber

ipNetwork

Description: Defines an entry that describes an IP network. Used to import information from the /etc/networks file.

Superior object class: top

Mandatory attributes: cn (commonName), ipNetworkNumber

Optional attributes: description, ipNetmaskNumber, l (localityName), manager

ipProtocol

Description: Defines an entry that describes an IP protocol. Used to import information from the /etc/protocols file.

Superior object class: top

Mandatory attributes: cn (commonName), ipProtocolNumber

nisMailAlias

Description: Defines an entry that represents an NIS mail.aliases record. Used to import information from the /etc/mail/aliases file.

Superior object class: top

Mandatory attribute: cn (commonName)

Optional attribute: rfc822MailMember

nisMap

Description: Defines an entry that represents an NIS map.

Superior object class: top

Mandatory attribute: nisMapName

Optional attribute: description

nisNetGroup

Description: Defines an entry that represents an NIS netgroup record. Used to import information from the /etc/netgroup file.

Superior object class: top

Mandatory attribute: cn (commonName)

Optional attributes: description, memberNisNetgroup, nisNetgroupTriple

nisNetId

Description: Defines an entry that represents an NIS netid.byname record.

Superior object class: top

Mandatory attribute: cn (commonName)

Optional attribute: nisNetIdGroup, nisNetIdHost, nisNetIdUser

nisObject

Description: Defines an entry in the directory that represents an entry in an NIS map. The NIS key is stored in the cn attribute.

Superior object class: top

Mandatory attribute: nisMapName

Optional attributes: cn (commonName), description, nisMapEntry

nisSunObject

Description: Defines an entry in the directory that represents an entry in an NIS map. This object class is used in the generic NIS map definition in Sun Directory Services. The NIS key is stored in the sunNisKey attribute.

Superior object class: top

Mandatory attribute: nisMapName

Optional attributes: cn (commonName), description, nisMapEntry, sunNisKey

oncRpc

Description: Defines an entry that represents an Open Network Computing (ONC) remote procedure call (RPC). Used to import information from the /etc/rpc file.

Superior object class: top

Mandatory attributes: cn (commonName), oncRpcNumber

Optional attribute: description

posixAccount (auxiliary object class)

Description: Represents an account defined by POSIX attributes. Used to import information from the /etc/passwd file. It is an auxiliary object class, which means that it should be used in conjunction with a structural object class.

Superior object class: top

Mandatory attributes: cn (commonName), uid (userid), uidNumber, gidNumber, homeDirectory

Optional attributes: description, gecos, loginShell, userPassword

posixGroup

Description: Defines an entry that represents a group of POSIX accounts. Used to import information from the /etc/group file.

Superior object class: top

Mandatory attributes: cn (commonName), gidNumber

Optional attributes: description, memberUid, userPassword

shadowAccount (auxiliary object class)

Description: Used to represent a user that has a shadow password. It is an auxiliary object class, which means that it may be used in conjunction with any object class.

Superior object class: top

Mandatory attribute: uid (userid)

Optional attributes: description, shadowLastChange, shadowMax, shadowMin, shadowWarning, shadowInactive, shadowExpire, shadowFlag, userPassword

sunNisMap

Description: Used internally by the server to manage NIS maps. An entry is created under the ou=admin,ou=Services subtree for each map stored in the LDAP directory.

Superior object class: top

Mandatory attributes: sunNisDomain, sunNisMapFullName, sunNisMapState, sunNisMaster, sunNisSecurityMode

Optional attributes: description, seeAlso, sunNisDbmCache, sunNisDnsForwarding, sunNisInputFile, sunNisOutputName, sunNisLoadMap

sunNisServer

Description: Defines an entry that represents an NIS ypservers record. Used to import information from the ypservers file.

Superior object class: top

Mandatory attributes: cn (commonName)

Optional attribute: description

NIS Attributes

All attributes defined in the NIS schema have one of the following syntaxes:

• Distinguished name (dn)
• Case-ignore string (cis); An alphanumeric string, not case-sensitive
• Case-exact string (ces); A case-sensitive alphanumeric string
• Telephone number (tel)
• Integer (int or long)
• Binary (bin)
• Encrypted (protected); A value that has been encrypted using the method specified through the Admin Console. Possible values are sunds, crypt, or none.
• UTC time (utctime)

automountInformation

Description: The automount information for the entry in the NIS automount map.

Syntax: ces

bootFile

Description: The name of the file containing the boot parameters for the bootable device described by the entry.

Syntax: ces

bootParameter

Description: A boot parameter for the bootable device described by the entry.

Syntax: ces

commonName

Alias: cn

Description: The full name of the user described by the entry.

Syntax: cis

description

Description: The description of the entry object.

Syntax: cis

gecos

Description: The gecos field of the user described in the entry. Usually the user's common name. This attribute is single-valued.

Syntax: cis

gidNumber

Description: An integer that uniquely identifies a group in an administrative domain. This attribute is single-valued.

Syntax: long

homeDirectory

Description: Specifies the home directory of the user described by the entry. This attribute is single-valued.

Syntax: ces

ipHostNumber

Description: Specifies the IP address of the host described by the entry, in dotted decimal format, without leading zeros.

Syntax: cis

ipNetmaskNumber

Description: Specifies an IP netmask, in dotted decimal format, without leading zeros. This attribute is single-valued.

Syntax: cis

ipNetworkNumber

Description: Specifies the number of the IP network described by the entry, in dotted decimal format, without leading zeros. This attribute is single-valued.

Syntax: cis

ipProtocolNumber

Description: Specifies the port number/port type (for example UDP or TCP) pair for the IP protocol described by the entry. This attribute is single-valued.

Syntax: long

localityName

Alias: l

Description: The geographical locality of the object described by the entry.

Syntax: cis

loginShell

Description: The path to the login shell of the user described by the entry. This attribute is single-valued.

Syntax: ces

macAddress

Description: Specifies a MAC address for the device described by the entry, expressed in colon-separated hex notation.

Syntax: cis

manager

Description: The distinguished name of the manager of the person or object described by the entry.

Syntax: dn

memberNisNetgroup

Description: The name of a member of the netgroup described by the entry.

Syntax: cis

nisMapEntry

Description: Contains a record in the NIS map described by the entry. This attribute is single-valued.

Syntax: ces

nisMapName

Description: Specifies the name of the NIS map described by the entry. This attribute is single-valued.

Syntax: ces

nisNetgroupTriple

Description: Represents a triple of the form hostname/username/domainname associated with the netgroup described by the entry.

Syntax: cis

nisNetIdGroup

Description: Represents the group id associated with a record in the netid.byname map.

Syntax: ces

nisNetIdHost

Description: Represents the hostname associated with a record in the netid.byname map.

Syntax: ces

nisNetIdUser

Description: Represents the user id associated with a record in the netid.byname map.

Syntax: ces

oncRpcNumber

Description: RPC number of the RPC service described by the entry. This attribute is single-valued.

Syntax: long

rfc822MailMember

Description: Stores the email addresses (RFC-822 format) defined for members of the list.

Syntax: ces

seeAlso

Description: The distinguished name of an entry that contains information that is also of interest to anyone interested in the object described by this entry.

Syntax: dn

serialNumber

Description: The serial number of the device described by the entry.

Syntax: cis

shadowLastChange

Description: Indicates the number of days between January 1, 1970 and the day when the user password was last changed in the /etc/shadow file. This attribute is single-valued.

Syntax: long

shadowExpire

Description: Indicates the date on which the user login will be disabled. This attribute is single-valued.

Syntax: long

shadowFlag

Description: Reserved attribute, not currently in use.

Syntax: long

shadowInactive

Description: Indicates the number of days of inactivity allowed for the user. This attribute is single-valued.

Syntax: long

shadowMax

Description: Indicates the maximum number of days for which the user password remains valid. This attribute is single-valued.

Syntax: long

shadowMin

Description: Indicates the minimum number of days required between password changes. This attribute is single-valued.

Syntax: long

shadowWarning

Description: The number of days of advance warning given to the user before the user password expires. This attribute is single-valued.

Syntax: long

sunNisDbmCache

Description: Indicates whether the NIS/LDAP server must maintain the map described by the entry in plain NIS format. The possible values of this attribute are Enabled or Disabled. It is usually Enabled for a master server, and Disabled for a slave server. The value automatically changes to Disabled for a map that exceeds 50 000 entries. This attribute is single-valued.

Syntax: cis

sunNisDnsForwarding

Description: Indicates that the server must look up DNS for hostnames and addresses not found in the NIS tables. The possible values of this attribute are Enabled or Disabled. This attribute is created with the value Enabled when you run the dsypinit command with option -b. This attribute is single-valued.

Syntax: cis

sunNisDomain

Description: Gives the name of the NIS domain to which the map described by the entry belongs. This attribute is single-valued.

Syntax: ces

sunNisInputFile

Description: Stores the value of a special NIS key called YP_INPUT_FILE. This attribute is single-valued.

Syntax: ces

sunNisKey

Description: Stores the value of a NIS key (case-sensitive).

Syntax: ces

sunNisLoadMap

Description: Adding this attribute to the entry launches a reload of the map described by the entry. It builds the map from the entries already present in the directory. This attribute is single-valued, and you can give it any value. This attribute is automatically removed when the reload of the map is complete. Creating this attribute is equivalent to running the dsypinit command with option -l.

Syntax: cis

sunNisMapFullName

Description: Gives the full name of a Sun NIS map with the domain name as suffix. This attribute is single-valued.

Syntax: ces

sunNisMapState

Description: Indicates whether the map described by the entry is supported by the server. The possible values of this attribute are Enabled and Disabled. Enabled indicates that the map is supported by the server, Disabled that it is not. This attribute is single-valued.

Syntax: cis

sunNisMaster

Description: Specifies the hostname of the master server for the map described by the entry. This attribute is single-valued.

Syntax: ces

sunNisOutputName

Description: Stores the value of a special NIS key called YP_OUTPUT_FILE. This attribute is single-valued.

Syntax: ces

sunNisSecurityMode

Description: Sets the security mode for the map described by the entry. The possible values of this attribute are Secure and Insecure. When set to Secure, the server will accept connections from secure networks only. This attribute is single-valued. Setting this attribute to Secure is equivalent to running the dsypinit command with the option -r.

Syntax: cis

uidNumber

Description: An integer that uniquely identifies a user in an administrative domain. This attribute is single-valued.

Syntax: long

userid

Alias: uid

Description: The user ID of the user described by the entry.

Syntax: cis

userPassword

Description: The password that the user described by the entry uses to gain access to the entry. The directory server automatically crypts this attribute.

Table 4.1 NIS/LDAP Mapping Summary