| Skip Navigation Links | |
| Exit Print View | |
|
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) Oracle Solaris 11 Express 11/10 |
| Skip Navigation Links | |
| Exit Print View | |
|
|
System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) Oracle Solaris 11 Express 11/10 |
Part I About Naming and Directory Services
1. Naming and Directory Services (Overview)
2. The Name Service Switch (Overview)
Part II DNS Setup and Administration
3. DNS Setup and Administration (Reference)
Part III NIS Setup and Administration
4. Network Information Service (NIS) (Overview)
5. Setting Up and Configuring NIS Service
Part IV LDAP Naming Services Setup and Administration
8. Introduction to LDAP Naming Services (Overview/Reference)
9. LDAP Basic Components and Concepts (Overview)
10. Planning Requirements for LDAP Naming Services (Tasks)
11. Setting Up Sun Java System Directory Server With LDAP Clients (Tasks)
12. Setting Up LDAP Clients (Tasks)
13. LDAP Troubleshooting (Reference)
14. LDAP General Reference (Reference)
15. Transitioning From NIS to LDAP (Overview/Tasks)
NIS-to-LDAP Tools and the Service Management Facility
NIS-to-LDAP Audience Assumptions
When Not to Use the NIS-to-LDAP Service
Effects of the NIS-to-LDAP Service on Users
NIS-to-LDAP Transition Terminology
NIS-to-LDAP Commands, Files, and Maps
Transitioning From NIS to LDAP (Task Map)
Prerequisites for the NIS-to-LDAP Transition
Setting Up the NIS-to-LDAP Service
How to Set Up the N2L Service With Standard Mappings
How to Set Up the N2L Service With Custom or Nonstandard Mappings
NIS-to-LDAP Best Practices With Sun Java System Directory Server
Creating Virtual List View Indexes With Sun Java System Directory Server
VLVs for Custom and Nonstandard Maps
Avoiding Server Timeouts With Sun Java System Directory Server
Avoiding Buffer Overruns With Sun Java System Directory Server
Debugging the NISLDAPmapping File
How to Revert to Maps Based on Old Source Files
How to Revert to Maps Based on Current DIT Contents
Part V Active Directory Naming Service
You can set up the N2L service either by using standard mappings or by using custom mappings, as described in the next two procedures.
As part of the NIS-to -LDAP conversion, you need to run the inityp2l command. This command runs an interactive script for which you must provide configuration information. The following list shows the type of information you need to provide. See the ypserv(1M) man page for explanations of these attributes.
The name of the configuration file being created (default = /etc/default/ypserv)
The DN that stores configuration information in LDAP (default = ypserv)
Preferred server list for mapping data to/from LDAP
Authentication method for mapping data to/from LDAP
Transport Layer Security (TLS) method for mapping data to/from LDAP
Proxy user bind DN to read/write data from/to LDAP
Proxy user password to read/write data from/to LDAP
Timeout value (in seconds) for LDAP bind operation
Timeout value (in seconds) for LDAP search operation
Timeout value (in seconds) for LDAP modify operation
Timeout value (in seconds) for LDAP add operation
Timeout value (in seconds) for LDAP delete operation
Time limit (in seconds) for search operation on LDAP server
Size limit (in bytes) for search operation on LDAP server
Whether N2L should follow LDAP referrals
LDAP retrieval error action, number of retrieval attempts, and timeout (in seconds) between each attempt
Store error action, number of attempts, and timeout (in seconds) between each attempt
Mapping file name
Whether to generate mapping information for auto_direct map
The script places relevant information regarding custom maps at appropriate places in the mapping file.
The naming context
Whether to enable password changes
Whether to change the default TTL values for any map
Note - sasl/cram-md5 authentication is not supported by most LDAP servers, including Sun Java System Directory Server.
Use this procedure if you are transitioning the maps listed in Supported Standard Mappings. If you are using custom or nonstandard maps, see How to Set Up the N2L Service With Custom or Nonstandard Mappings.
When the LDAP server has been set up, run the inityp2l script and supply configuration information when prompted. inityp2l sets up the configuration and mapping files for standard and auto.* maps.
For more information , see How to Obtain Administrative Rights in System Administration Guide: Security Services.
# inityp2l
Run the inityp2l script on the NIS master server and follow the prompts. See Setting Up the NIS-to-LDAP Service for a list of the information you need to provide.
See the inityp2l(1M) man page for more details.
The DIT is fully initialized if it already contains the information necessary to populate all the maps that are listed in the NISLDAPmapping file.
Perform these steps only if the DIT has not been fully initialized.
# cd /var/yp # make
For more information, see the ypmake(1M) man page.
# svcadm disable network/nis/server:default
# ypserv -Ir
Wait for ypserv to exit.
Tip - The original NIS dbm files are not overwritten. You can recover these files, if needed.
# svcadm enable network/nis/server:default
This completes the set up of the N2L service with standard maps. You do not need to complete Step 6.
Perform these steps only if the DIT is fully initialized and you skipped Step 5.
# svcadm disable network/nis/server:default
# ypserv -r
Wait for ypserv to exit.
Tip - The original NIS dbm files are not overwritten. You can recover these files, if needed.
# svcadm enable network/nis/server:default
Use this procedure if the following circumstances apply:
You have maps that are not listed in Supported Standard Mappings.
You have standard NIS maps that you want to map to non-RFC 2307 LDAP mappings.
For more information , see How to Obtain Administrative Rights in System Administration Guide: Security Services.
Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
# inityp2l
Run the inityp2l script on the NIS master server and follow the prompts. See Setting Up the NIS-to-LDAP Service for a list of the information you need to provide.
See the inityp2l(1M) man page for more details.
See Examples of Custom Maps for examples of how to modify the mapping file.
The DIT is fully initialized if it already contains the information necessary to populate all the maps that are listed in the NISLDAPmapping file.
If no, complete Step 6, Step 8, and Step 9.
If yes, skip Step 6 and complete Step 7, Step 8, and Step 9.
# cd /var/yp # make
For more information, see the ypmake(1M) man page.
# svcadm disable network/nis/server:default
# ypserv -Ir
Wait for ypserv to exit.
Tip - The original NIS dbm files are not overwritten. You can recover these files, if needed.
# svcadm enable network/nis/server:default
Perform this step only if the DIT is fully initialized.
# svcadm disable network/nis/server:default
# ypserv -r
Wait for ypserv to exit.
Tip - The original NIS dbm files are not overwritten. You can recover these files, if needed.
# svcadm enable network/nis/server:default
If the entries are not correct, then the entries can not be found by LDAP naming services clients.
# ldapsearch -h server -s sub -b "ou=servdates, dc=..." \ "objectclass=servDates"
The following sample output shows how to use makedm to verify the contents of the hosts.byaddr map.
# makedbm -u LDAP_servdate.bynumber plato: 1/3/2001 johnson: 2/4/2003,1/3/2001 yeats: 4/4/2002 poe: 3/3/2002,3/4/2000
If the contents are as expected, the transition from NIS to LDAP was successful.
Note that the original NIS dbm files are not overwritten, so you can always recover those files. See Reverting to NIS for more information.
The following two examples show how you might customize maps. Use your preferred text editor to modify the /var/yp/NISLDAPmapping file as needed. For more information about file attributes and syntax, see the NISLDAPmapping(4) man page and the LDAP naming services information in Chapter 9, LDAP Basic Components and Concepts (Overview).
This example shows how to move host entries from the default location to another (nonstandard) location in the DIT.
Change the nisLDAPobjectDN attribute in the NISLDAPmapping file to the new base LDAP distinguished name (DN). For this example, the internal structure of the LDAP objects is unchanged, so objectClass entries are unchanged.
Change:
nisLDAPobjectDN hosts: \
ou=hosts,?one?, \
objectClass=device, \
objectClass=ipHost
To:
nisLDAPobjectDN hosts: \
ou=newHosts,?one?, \
objectClass=device, \
objectClass=ipHost
This change causes entries to be mapped under
dn: ou=newHosts, dom=domain1, dc=sun, dc=com
instead of under
dn: ou=hosts, dom=domain1, dc=sun, dc=com.
This example shows how to implement a custom map.
A hypothetical map, servdate.bynumber, contains information about the servicing dates for systems. This map is indexed by the machine's serial number which, in this example, is 123. Each entry consists of the machine owner's name, a colon, and a comma-separated list of service dates, such as John Smith:1/3/2001,4/5/2003.
The old map structure is to be mapped onto LDAP entries of the following form:
dn: number=123,ou=servdates,dc=... \
number: 123 \
userName: John Smith \
date: 1/3/2001 \
date: 4/5/2003 \
.
.
.
objectClass: servDates
By examining the NISLDAPmapping file, you can see that the mapping closest to the required pattern is group. The custom mappings can be modeled on the group mapping. Since there is only one map, no nisLDAPdatabaseIdMapping attribute is required. The attributes to be added to NISLDAPmapping are the following:
nisLDAPentryTtl servdate.bynumber:1800:5400:3600
nisLDAPnameFields servdate.bynumber: \
("%s:%s", uname, dates)
nisLDAPobjectDN servdate.bynumber: \
ou=servdates, ?one? \
objectClass=servDates:
nisLDAPattributeFromField servdate.bynumber: \
dn=("number=%s,", rf_key), \
number=rf_key, \
userName=uname, \
(date)=(dates, ",")
nisLDAPfieldFromAttribute servdate.bynumber: \
rf_key=number, \
uname=userName, \
dates=("%s,", (date), ",")
|