You can set up the N2L service either by using standard mappings or by using custom mappings, as described in the next two procedures.
As part of the NIS-to -LDAP conversion, you need to run the inityp2l command. This command runs an interactive script for which you must provide configuration information. The following list shows the type of information you need to provide. See the ypserv(1M) man page for explanations of these attributes.
The name of the configuration file being created (default = /etc/default/ypserv)
The DN that stores configuration information in LDAP (default = ypserv)
Preferred server list for mapping data to/from LDAP
Authentication method for mapping data to/from LDAP
Transport Layer Security (TLS) method for mapping data to/from LDAP
Proxy user bind DN to read/write data from/to LDAP
Proxy user password to read/write data from/to LDAP
Timeout value (in seconds) for LDAP bind operation
Timeout value (in seconds) for LDAP search operation
Timeout value (in seconds) for LDAP modify operation
Timeout value (in seconds) for LDAP add operation
Timeout value (in seconds) for LDAP delete operation
Time limit (in seconds) for search operation on LDAP server
Size limit (in bytes) for search operation on LDAP server
Whether N2L should follow LDAP referrals
LDAP retrieval error action, number of retrieval attempts, and timeout (in seconds) between each attempt
Store error action, number of attempts, and timeout (in seconds) between each attempt
Mapping file name
Whether to generate mapping information for auto.* maps
The script places relevant information regarding custom maps at appropriate places in the mapping file.
The naming context
Whether to enable password changes
Whether to change the default TTL values for any map
sasl/cram-md5 authentication is not supported by most LDAP servers, including Sun ONE Directory Server.
Use this procedure if you are transitioning the maps listed in Supported Standard Mappings. If you are using custom or nonstandard maps, see How to Set Up the N2L Service With Custom or Nonstandard Mappings.
When the LDAP server has been set up, run the inityp2l script and supply configuration information when prompted. inityp2l sets up the configuration and mapping files for standard and auto.* maps.
Complete the prerequisite steps that are listed in Prerequisites for the NIS-to-LDAP Transition.
Become superuser, or equivalent, on the NIS master server.
Convert the NIS master server into a N2L server.
# inityp2l |
Run the inityp2l script on the NIS master server and follow the prompts. See Setting Up the N2L Service for a list of the information you need to provide.
See the inityp2l(1M) man page for more details.
Determine if the LDAP Directory Information Tree (DIT) is fully initialized.
The DIT is fully initialized if it already contains the information necessary to populate all the maps that are listed in the NISLDAPmapping file.
Initialize the DIT for the transition from the NIS source files.
Perform these steps only if the DIT has not been fully initialized.
Make sure that the old NIS maps are up-to-date.
# cd /var/yp # make |
For more information, see the ypmake(1M) man page.
Stop the NIS daemons.
# ypstop |
Copy the old maps to the DIT, then initialize N2L support for the maps.
# ypserv -Ir |
Wait for ypserv to exit.
The original NIS dbm files are not overwritten. You can recover these files, if needed.
Restart the NIS daemons to ensure that they use the new maps.
# ypstart |
This completes the set up of the N2L service with standard maps. You do not need to complete Step 6.
Initialize the NIS maps.
Perform these steps only if the DIT is fully initialized and you skipped Step 5.
Use this procedure if the following circumstances apply:
You have maps that are not listed in Supported Standard Mappings.
You have standard NIS maps that you want to map to non-RFC 2307 LDAP mappings.
Complete the prerequisite steps that are listed in Prerequisites for the NIS-to-LDAP Transition.
Become superuser, or equivalent, on the NIS master server.
Configure the NIS master server into the N2L server.
# inityp2l |
Run the inityp2l script on the NIS master server and follow the prompts. See Setting Up the N2L Service for a list of the information you need to provide.
See the inityp2l(1M) man page for more details.
Modify the /var/yp/NISLDAPmapping file.
See Examples of Custom Maps for examples of how to modify the mapping file.
Determine if the LDAP Directory Information Tree (DIT) is fully initialized.
The DIT is fully initialized if it already contains the information necessary to populate all the maps that are listed in the NISLDAPmapping file.
If no, complete Step 6, Step 8, and Step 9.
If yes, skip Step 6 and complete Step 7, Step 8, and Step 9.
Initialize the DIT for the transition from the NIS source files.
Make sure that the old NIS maps are up-to-date.
# cd /var/yp # make |
For more information, see the ypmake(1M) man page.
Stop the NIS daemons.
# ypstop |
Copy the old maps to the DIT, then initialize N2L support for the maps.
# ypserv -Ir |
Wait for ypserv to exit.
The original NIS dbm files are not overwritten. You can recover these files, if needed.
Restart the NIS daemons to ensure that they use the new maps.
# ypstart |
Skip Step 7 and continue with Step 8.
Initialize the NIS maps.
Perform this step only if the DIT is fully initialized.
Verify that the LDAP entries are correct.
If the entries are not correct, then the entries can not be found by LDAP naming services clients.
# ldapsearch -h server -s sub -b "ou=servdates, dc=..." \ "objectclass=servDates" |
Verify the contents of the LDAP_ maps.
The following sample output shows how to use makedm to verify the contents of the hosts.byaddr map.
# makedbm -u LDAP_servdate.bynumber plato: 1/3/2001 johnson: 2/4/2003,1/3/2001 yeats: 4/4/2002 poe: 3/3/2002,3/4/2000 |
If the contents are as expected, the transition from NIS to LDAP was successful.
Note that the original NIS dbm files are not overwritten, so you can always recover those files. See Reverting to NIS for more information.
The following two examples show how you might customize maps. Use your preferred text editor to modify the /var/yp/NISLDAPmapping file as needed. For more information about file attributes and syntax, see the NISLDAPmapping(4) man page and the LDAP naming services information in Chapter 13, Basic Components and Concepts (Overview).
This example shows how to move host entries from the default location to another (nonstandard) location in the DIT.
Change the nisLDAPobjectDN attribute in the NISLDAPmapping file to the new base LDAP distinguished name (DN). For this example, the internal structure of the LDAP objects is unchanged, so objectClass entries are unchanged.
Change:
nisLDAPobjectDN hosts: \ ou=hosts,?one?, \ objectClass=device, \ objectClass=ipHost |
To:
nisLDAPobjectDN hosts: \ ou=newHosts,?one?, \ objectClass=device, \ objectClass=ipHost |
This change causes entries to be mapped under
dn: ou=newHosts, dom=domain1, dc=sun, dc=com
instead of under
dn: ou=hosts, dom=domain1, dc=sun, dc=com.
This example shows how to implement a custom map.
A hypothetical map, servdate.bynumber, contains information about the servicing dates for systems. This map is indexed by the machine's serial number which, in this example, is 123. Each entry consists of the machine owner's name, a colon, and a comma-separated list of service dates, such as John Smith:1/3/2001,4/5/2003.
The old map structure is to be mapped onto LDAP entries of the following form:
dn: number=123,ou=servdates,dc=... \ number: 123 \ userName: John Smith \ date: 1/3/2001 \ date: 4/5/2003 \ . . . objectClass: servDates |
By examining the NISLDAPmapping file, you can see that the mapping closest to the required pattern is group. The custom mappings can be modeled on the group mapping. Since there is only one map, no nisLDAPdatabaseIdMapping attribute is required. The attributes to be added to NISLDAPmapping are the following:
nisLDAPentryTtl servdate.bynumber:1800:5400:3600 nisLDAPnameFields servdate.bynumber: \ ("%s:%s", uname, dates) nisLDAPobjectDN servdate.bynumber: \ ou=servdates, ?one? \ objectClass=servDates: nisLDAPattributeFromField servdate.bynumber: \ dn=("number=%s,", rf_key), \ number=rf_key, \ userName=uname, \ (date)=(dates, ",") nisLDAPfieldFromAttribute servdate.bynumber: \ rf_key=number, \ uname=userName, \ dates=("%s,", (date), ",") |