System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

NIS+ Entry Owner, Group, Access, and TTL

When NIS+ table entries are created from LDAP data, the default behavior is to initialize the entry object owner, group, access rights, and TTL using the corresponding values from the table object in which the entry object lives. This is normally sufficient, but there might be cases where these NIS+ entry attributes must be established individually. An example of this would be a site that did not use the rpc.nispasswdd(1M) daemon. In order to allow individual users to change their NIS+ passwords (and re-encrypt their Diffie-Hellman keys stored in the cred.org_dir table), passwd.org_dir and cred.org_dir entries for the user should be owned by the user, and have modify rights for the entry owner.

If you need to store table entry owner, group, access, or TTL in LDAP for one or more NIS+ tables, you need to do the following.

How to Store Additional Entry Attributes in LDAP
  1. Consult your LDAP server documentation, and create the following new attributes and object class. (LDIF data is suitable for ldapadd. Attribute and object class OIDs are for illustration only.)


    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.4.0 NAME 'nisplusEntryOwner' \
    		  						DESC 'Opaque representation of NIS+ entry owner' \
    		  						SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.4.1 NAME 'nisplusEntryGroup' \
    		  						DESC 'Opaque representation of NIS+ entry group' \
    		  						SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.4.2 NAME 'nisplusEntryAccess' \
    		  						DESC 'Opaque representation of NIS+ entry access' \
    		  						SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes:	( 1.3.6.1.4.1.42.2.27.5.42.42.4.3 NAME 'nisplusEntryTtl' \
    		  						DESC 'Opaque representation of NIS+ entry TTL' \
    		  						SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    dn: cn=schema
    changetype: modify
    add: objectclasses

    objectclasses:(1.3.6.1.4.1.42.2.27.5.42.42.5.0 NAME 'nisplusEntryData'\
    SUP top STRUCTURAL DESC 'NIS+ entry object non-column data'\

    MUST ( cn ) MAY ( nisplusEntryOwner $ nisplusEntryGroup $\
    nisplusEntryAccess $ nisplusEntryTtl ) )
  2. Modify the nisplusLDAPobjectDN attribute value for the relevant table(s) so that the write portion includes the newly created nisplusEntryData object class.

    For example, for the passwd.org_dir table, assuming that you are using a mapping file based on /var/nis/NIS+LDAPmapping.template, edit as follows.


    nisplusLDAPobjectDN	passwd:ou=People,?one?objectClass=shadowAccount,\
    												objectClass=posixAccount:\
    										ou=People,?one?objectClass=shadowAccount,\
    												objectClass=posixAccount,\
    												objectClass=account,objectClass=top

    Edit the attribute value as follows.


    nisplusLDAPobjectDN	passwd:ou=People,?one?objectClass=shadowAccount,\
    												objectClass=posixAccount:\
    										ou=People,?one?objectClass=shadowAccount,\
    												objectClass=posixAccount,\
    												objectClass=nisplusEntryData,\
    												objectClass=account,objectClass=top
  3. Edit the nisplusLDAPattributeFromColumn and nisplusLDAPcolumnFromAttribute attribute values to specify any desired subset of owner, group, access, or TTL.

    In Step 2, you created the LDAP attributes used to store these values. For NIS+, there are predefined pseudo-column names called zo_owner, zo_group, zo_access, and zo_ttl, respectively. For example, in order to store owner, group, and access for passwd.org_dir entries in LDAP, modify the nisplusLDAPattributeFromColumn value from the following.


    nisplusLDAPattributeFromColumn \
    		passwd:		dn=("uid=%s,", name), \
    				cn=name, \
    				uid=name, \
    				userPassword=("{crypt$}%s", passwd), \
    				uidNumber=uid, \
    				gidNumber=gid, \
    				gecos=gcos, \
    				homeDirectory=home, \
    				loginShell=shell, \
    				(shadowLastChange,shadowMin,shadowMax, \
    				 shadowWarning, shadowInactive,shadowExpire)=\
    					(shadow, ":")

    Edit to read as follows.


    nisplusLDAPattributeFromColumn \
    		passwd:		dn=("uid=%s,", name), \
    				cn=name, \
    				uid=name, \
    				userPassword=("{crypt$}%s", passwd), \
    				uidNumber=uid, \
    				gidNumber=gid, \
    				gecos=gcos, \
    				homeDirectory=home, \
    				loginShell=shell, \
    				(shadowLastChange,shadowMin,shadowMax, \
    				 shadowWarning, shadowInactive,shadowExpire)=\
    					(shadow, ":"), \
    				nisplusEntryOwner=zo_owner, \
    				nisplusEntryGroup=zo_group, \
    				nisplusEntryAccess=zo_access

    Similarly, to set NIS+ entry owner, group, and access from LDAP data for the passwd.org_dir table, modify the following.


    nisplusLDAPcolumnFromAttribute \
    		passwd:		name=uid, \
    				("{crypt$}%s", passwd)=userPassword, \
    				uid=uidNumber, \
    				gid=gidNumber, \
    				gcos=gecos, \
    				home=homeDirectory, \
    				shell=loginShell, \
    				shadow=("%s:%s:%s:%s:%s:%s", \
    					shadowLastChange, \
    					shadowMin, \
    					shadowMax, \
    					shadowWarning, \
    					shadowInactive, \
    					shadowExpire)

    Edit to read as follows.


    nisplusLDAPcolumnFromAttribute \
    		passwd:		name=uid, \
    				("crypt$%s", passwd)=authPassword, \
    				uid=uidNumber, \
    				gid=gidNumber, \
    				gcos=gecos, \
    				home=homeDirectory, \
    				shell=loginShell, \
    				shadow=("%s:%s:%s:%s:%s:%s", \
    					shadowLastChange, \
    					shadowMin, \
    					shadowMax, \
    					shadowWarning, \
    					shadowInactive, \
    					shadowExpire), \
    				zo_owner=nisplusEntryOwner, \
    				zo_group=nisplusEntryGroup, \
    				zo_access=nisplusEntryAccess
  4. Restart the rpc.nisd daemon in order to make the mapping change take effect.

    First, however, you probably want to upload owner, group, access, and/or TTL entry data to LDAP. Perform an upload as shown in How to Convert All NIS+ Data to LDAP in One Operation.