NIS Extension Guide: Initializing and Operating the NIS Service

Complete Contents
Introduction
Chapter 1 Introduction to Synchronized NIS/LDAP Service
Chapter 2 Initializing and Operating the NIS Service
Chapter 3 Using Deja to Update NIS Information
Chapter 4 NIS Information in the LDAP Directory
Chapter 5 NIS Command & File Reference
Appendix A Mapping Syntax and Semantics

Contents

Index

Chapter 2 Initializing and Operating the NIS Service

This chapter explains how to initialize the NIS extension of the Netscape Directory Server. The NIS service provided by the Solaris Extensions for Netscape Directory Server 4.11 preserves your existing NIS environment. It takes into account the customizationsthat you may have made to the standard NIS environment.

This chapter includes the following sections:

"Initializing Synchronized Operation"

"Access Control on NIS Information"

"Configuring the NIS Service"

"Updating NIS Maps"

"Propagating NIS Maps"

"Adding and Deleting NIS Maps"

Initializing Synchronized Operation

This section explains the steps you need to follow to set up synchronized NIS/LDAP operation. Because this requires that you have a running NIS server, this section also explains the main steps in setting up a standard NIS server.

Setting Up an NIS Server

You must set up an NIS server if you plan to install Netscape Directory Server and the Solaris Extensions on a machine that has not previously been used as an NIS server.

If you are migrating a current NIS server to synchronized operation with LDAP, go directly to "Setting up Synchronized Service" .

To set up an NIS server, follow these steps:

Copy the NIS administration files from the NIS master server in your network to your new server. Their default location is under the /etc directory.

Copy the Makefile from the NIS master server in your network to your new server. Its default location is /var/yp.

Install and initialize the Solaris NIS server. See the man page for ypinit(1M).

If you need detailed instructions on how to set up an NIS server, refer to the documentation for your Solaris operating environment.

Setting up Synchronized Service

To migrate an existing NIS server to synchronize it with the Directory Server, you must:

Verify that the NIS server daemon ypserv is running.

Back up your current NIS files and database.

Install and configure Netscape Directory Server 4.11. For information, refer to the Netscape Directory Server product documentation.

Install Solaris Extensions for Netscape Directory Server 4.11. For information, refer to Solaris Extensions Installation Guide.

Run the dsypinstall script, as described in "Running the dsypinstall Script" .

Make sure the NIS administrator has access to the NIS entries in the directory.

The initialization script, dsypinstall, modifies your NIS Makefile so that the make process calls dsmakedbm and dsimport instead of the standard NIS makedbm command. It also stops the ypserv daemon and starts the dsypserv daemon instead to fulfill the same functions.

The dsmakedbm command creates the NIS binary tables on disk in the same way as the makedbm command. In addition, it creates LDAP entries in the directory from the information contained in the NIS source files. For information on the location of NIS entries in your directory tree, see "NIS Files/LDAP Subtrees" .

Running the dsypinstall Script

When the package installation is complete, a message indicates that you must run the dsypinstall script to initialize the NIS service. This script will prompt you to provide all the configuration information required to start operating the NIS service.

You will need to understand and prepare the information you must supply to the dsypinstall script. The script prompts you for:

The name of the NIS domain managed by the server.

The name you provide is used to create the directory subtree under which all NIS entries are stored.

The installation directory for the Netscape Directory Server.

The DN of the Netscape Directory Server directory manager.

The DN you provide must be the same as the one you provided in the setup script for the Netscape Directory Server. This DN has all permissions on the Netscape Directory Server. By default, it is cn=Directory Manager.

The port number where the directory server listens for LDAP traffic.

The DN of the administrator for NIS information.

You can use the DN of the directory manager or create a special entry for the NIS administrator. You must make sure the NIS administrator is granted all permissions on the NIS subtrees in the directory. Refer to

"Access Control on NIS Information"

The location of the NIS source files.

The dsypinstall script assumes that your Makefile is located in /var/yp. It also assumes that the source files for NIS tables are all located in the directory that you specify when prompted, except for the aliases file which is assumed to be in /etc/mail.

A list of NIS servers.

When you have all this information, you are ready to run dsypinstall:

Back up your current NIS files and database.

As root, run dsypinstall:

# /opt/SUNWconn/sbin/dsypinstall

When the dsypinstall script has successfully finished, the NIS server is initialized and the LDAP directory database contains the information extracted from the NIS tables.

For details on how NIS information is imported and stored in the LDAP directory, refer to Chapter 4, "NIS Information in the LDAP Directory".

Verifying your NIS Installation

This section explains some of the methods you can use to ensure that NIS information is present in the directory, and that the NIS service is running according to the information you provided in the initialization script.

Checking NIS Information

There are several ways of checking that NIS information is present in the directory:

By using Deja to browse the NIS subtrees. For information on starting and using Deja, refer to Chapter 3, "Using Deja to Update NIS Information."

By using the ldapsearch utility.

For example, if you want to get a list of hosts for the airius.com domain, you can use the following command:

% ldapsearch -D "cn=Directory Manager" -w passwd -b "ou=Hosts,ou=Services,dc=airius,dc=com" objectclass=ipHost cn=*

This command returns a list of the ipHost type entries in the directory.

All NIS maps except the aliases map, are stored under the ou=Services subtree in the directory. For more information on the location of NIS information in the LDAP directory tree, refer to "NIS Files/LDAP Subtrees" .

Checking Server Status

If you want to check the functional role of a server (master or slave), you must look in the /etc/opt/SUNWconn/ldap/current directory. You will see either a nis.master or a nis.slave file which indicates the role fulfilled by the NIS server.

Getting the List of Supported Maps

There are several ways of getting the list of NIS maps supported by a server:

By using the ldapsearch utility

By using the ypwhich command

Using ldapsearch, to get a list of the NIS maps supported in the airius.com domain, you can use the following example command:

% ldapsearch -D "cn=Directory Manager" -w passwd -b "ou=admin,ou=Services,dc=airius,dc=com" objectclass=sunnismap sunnismapfullname=*

The ou=admin subtree holds information that is used internally by the NIS synchronization processes. For more information on ldapsearch, refer to the Netscape Directory Server Administrator's Guide.

To get a list of NIS maps using the NIS command, ypwhich, type:

% ypwhich -m

This command returns a list of the NIS maps followed by the name of the server that masters them.

Access Control on NIS Information

So that the NIS service can operate, the NIS information stored in the directory needs to be accessible to the NIS administrator you defined in the dsypinstall process. When the dsypinstall process has finished, there aren't any access control rules defined in the directory for the NIS subtrees. Defining access to the information is dependent on whether:

You defined the NIS administrator to be the same as the directory manager for the Netscape Directory Server

If you defined the NIS administrator to be the same as the directory manager for the Netscape Directory Server by providing the same DN and password in the dsypinstall script, then the NIS administrator automatically has access to the NIS subtrees in the directory. You do not need to create a special access control instruction (ACI). This also means that you have just one directory manager for all the information stored in the directory.

You defined the NIS administrator to be different from the directory manager for the Netscape Directory Server (recommended option)

If you defined the NIS administrator to be different from the directory manager for the Netscape Directory Server, you must create an ACI in the directory server to grant access to the NIS administrator. You must create an ACI of the form:

aci: <NIS_subtree> <attributes> <permissions> <nis_admin_DN> *

where:

NIS_subtree is the subtree you specified in dsypinstall to store NIS entries

attributes is the list of attributes to which the ACI applies

permissions specifies the permissions granted on the subtree and attributes

nis_admin_DN is the DN you specified in dsypinstall for the directory manager

For example, the default ACI for the dc=airius,dc=com subtree is:

aci:

(target="ldap:///dc=airius,dc=com")

(targetattr=*) (version 3.0; aci "NIS managing"; allow ( all ) userdn = "ldap:///cn=nis-admin,dc=airius,dc=com" ;)

For full details on creating ACIs, refer to the Netscape Directory Server Administrator's Guide.

Configuring the NIS Service

When you first initialize the NIS service using dsypinstall, you are prompted to provide values for all the NIS configurations parameters. You can change this configuration at any time after the initial configuration by editing the nis.mapping file.

For your changes to be taken into account, after modifying the appropriate parameters, you must run the dsypinit script. On a master server, run the following command:

# dsypinit -m

On a slave server, run the following command:

# dsypinit -s <master>

where master specifies the name of the master server which will replicate data to the slave.

These commands will modify the LDAP directory database to take into account the configuration changes you made in the nis.mapping file.

Setting NIS Configuration Variables

All configuration information is stored in the first part of the nis.mapping file under a section entitled Configuration Variables.

DOMAIN_NAME

Specifies the NIS domain managed by the server.

NAMING_CONTEXT

When this variable is defined, it specifies the directory tree suffix (or naming context) under which the NIS subtree is created.

If this variable is not defined, the directory tree suffix is derived from the domain name supplied when running the dsypinstall script as described in "Running the dsypinstall Script" . By default, the directory tree suffix is generated with dc (domain component) attributes. For example, with DOMAIN_NAME=france.airius.com, the directory tree suffix created by default is dc=france,dc=airius,dc=com.

The NIS subtree shown in "NIS Files/LDAP Subtrees" is created under this subtree.

ADMIN_SUFFIX

The distinguished name of the subtree that will hold NIS administrative entries. These entries are maintained automatically by the server.

DBM_DIRECTORY

Specifies the directory where the NIS binary maps are generated.

AUTOMATIC_PUSH

When NIS entries are modified in the LDAP directory, specifies to automatically push modifications to slave NIS servers. This variable is used only in the context of standard NIS replication (using yppush), not in the context of LDAP replication.

The possible values for this variable are enabled or disabled. The default setting is disabled.

AUTOMATIC_PUSH_DELAY

Specifies the delay for pushing modifications to slaves in minutes. When this variable is defined, the AUTOMATIC_PUSH variable must be enabled.

Configuring NIS Subtrees

The subtrees created for NIS entries during the initialization of the NIS service are specified in the nis.mapping file by the keyword BASE_DN. This base DN is the concatenation of an organizational unit (ou) specific to each map, and of a rootTree token that is usually common to several maps.

For example, the subtree for the entries created from the /etc/networks file is defined by the following two lines in the nis.mapping file:

rootTreeT=ou=Services,$NAMING_CONTEXT||ou=Services,$DC_NAMING

BASE_DN=ou=Networks,$rootTreeT The directory entries created from the /etc/networks file are created under the ou=Networks, ou=Services subtree.

The choice of a naming structure through the NAMING_CONTEXT keyword or DC_NAMING keyword is a configuration decision.

The DC_NAMING keyword contains a domain component (dc) suffix. The DNs of entries created with that naming structure have a suffix of the form dc=sun, dc=com. This is the default choice when you initialize the NIS service, because the import process derives a dc naming suffix from the domain name you supply when you run dsypinstall.

If you prefer to use a different naming structure, you must un-comment the NAMING_CONTEXT keyword at the beginning of the nis.mapping file, under the Common section for the front-end. Change the value of the NAMING_CONTEXT keyword to specify the suffix under which you want NIS entries to be created. The value you specify must be a valid suffix or subtree in the directory tree held on the directory server.

After changing the suffix, you must run the dsypinit script. For information, refer to "dsypinit" .

Note. Do not comment out the DOMAIN_NAME keyword in the nis.mapping file. This keyword contains the domain name that you supplied during the dsypinstall process.

Updating NIS Maps

Once you have populated the directory for the first time, you have two options for data maintenance:

Make updates to the entries in the directory using an LDAP client, for example the Netscape Console, or Deja

Making updates to the entries in the directory is the most efficient method of maintaining NIS information. The NIS maps are automatically updated when changes are made to NIS information in the directory. However, the NIS source files are not updated, therefore they will become obsolete. If you want to resynchronize the NIS source files with the directory content, you can export the NIS entries to the corresponding NIS files by using dsexport. For details, see

"dsexport"

Make updates to the NIS source files, and run make in the /var/yp directory

When you make updates to the NIS source files, the NIS information in the LDAP directory is automatically updated. However, in some cases, such as when you rebuild the LDAP database using the ldif2db command, or if you experience a system crash, you might find that the NIS information in the directory is no longer in sync with the NIS source files. In such cases, you need to resynchronize them using the dsimport utility. For information on dsimport, refer to

"dsimport"

Propagating NIS Maps

There are two methods of propagating NIS maps between master servers and slave servers. Between two Netscape Directory Servers, choose LDAP replication. Between a Netscape Directory Server and a legacy NIS server, you must use standard NIS replication.

Do not use both LDAP replication and standard NIS replication on the same subtrees or individual entries. As a general rule, use only one replication method between two servers.

Standard NIS Replication

If you make updates to your NIS files rather than to NIS entries in the directory, when you run make to rebuild the NIS tables, the yppush command is automatically executed.

LDAP Replication

If you make updates to NIS entries in the directory, you use LDAP replication to push changes to consumer NIS servers. For information on configuring LDAP replication, see Netscape Directory Server Administrator's Guide.

Adding and Deleting NIS Maps

After you have run dsypinstall to initialize the synchronized NIS/LDAP naming service, you can still modify the server configuration to add support for new NIS maps or remove maps that are no longer used. These operations are performed using the dsypaddmap and dsypdelmap commands respectively. For information, see "dsypaddmap" , and "dsypdelmap" .

These operations can be performed without stopping and restarting the NIS server.