NIS+ Entry Owner, Group, Access, and TTL
When NIS+ table entries are created from LDAP data, the default behavior is
to initialize the entry object owner, group, access rights, and TTL using the
corresponding values from the table object in which the entry object lives. This
is normally sufficient, but there might be cases where these NIS+ entry attributes
must be established individually. An example of this would be a site that
did not use the rpc.nispasswdd(1M) daemon. In order to allow individual users to
change their NIS+ passwords (and re-encrypt their Diffie-Hellman keys stored in the cred.org_dir
table), passwd.org_dir and cred.org_dir entries for the user should be owned by the
user, and have modify rights for the entry owner. If you need to store table entry owner, group, access, or TTL
in LDAP for one or more NIS+ tables, you need to do the
following.
How to Store Additional Entry Attributes in LDAP
- Consult your LDAP server documentation, and create the following new attributes and object
class. (The LDIF data is suitable for ldapadd; as LDIF requires, a continued line starts with a
single space. Attribute and object class OIDs are for illustration only.)

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.0 NAME 'nisplusEntryOwner'
      DESC 'Opaque representation of NIS+ entry owner'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.1 NAME 'nisplusEntryGroup'
      DESC 'Opaque representation of NIS+ entry group'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.2 NAME 'nisplusEntryAccess'
      DESC 'Opaque representation of NIS+ entry access'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.3 NAME 'nisplusEntryTtl'
      DESC 'Opaque representation of NIS+ entry TTL'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

    dn: cn=schema
    changetype: modify
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.42.2.27.5.42.42.5.0 NAME 'nisplusEntryData'
      SUP top STRUCTURAL DESC 'NIS+ entry object non-column data'
      MUST ( cn ) MAY ( nisplusEntryOwner $ nisplusEntryGroup $
      nisplusEntryAccess $ nisplusEntryTtl ) )
- Modify the nisplusLDAPobjectDN attribute value for the relevant table(s) so that the write
portion includes the newly created nisplusEntryData object class.
For example, for the passwd.org_dir table, assuming that you are using a mapping file
based on /var/nis/NIS+LDAPmapping.template, the attribute value reads as follows.

    nisplusLDAPobjectDN passwd:ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount:\
                    ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount,\
                    objectClass=account,objectClass=top

Edit the attribute value as follows.

    nisplusLDAPobjectDN passwd:ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount:\
                    ou=People,?one?objectClass=shadowAccount,\
                    objectClass=posixAccount,\
                    objectClass=nisplusEntryData,\
                    objectClass=account,objectClass=top
- Edit the nisplusLDAPattributeFromColumn and nisplusLDAPcolumnFromAttribute attribute values to specify any desired subset of
owner, group, access, or TTL.
The LDAP attributes used to store these values are the ones you created in the schema step
above. On the NIS+ side, the predefined pseudo-column names zo_owner, zo_group, zo_access, and
zo_ttl refer to the entry owner, group, access rights, and TTL, respectively. For example, in
order to store owner, group, and access for passwd.org_dir entries in LDAP, modify the
nisplusLDAPattributeFromColumn value from the following.

    nisplusLDAPattributeFromColumn \
            passwd: dn=("uid=%s,", name), \
                    cn=name, \
                    uid=name, \
                    userPassword=("{crypt$}%s", passwd), \
                    uidNumber=uid, \
                    gidNumber=gid, \
                    gecos=gcos, \
                    homeDirectory=home, \
                    loginShell=shell, \
                    (shadowLastChange,shadowMin,shadowMax, \
                     shadowWarning,shadowInactive,shadowExpire)=\
                    (shadow, ":")

Edit to read as follows.

    nisplusLDAPattributeFromColumn \
            passwd: dn=("uid=%s,", name), \
                    cn=name, \
                    uid=name, \
                    userPassword=("{crypt$}%s", passwd), \
                    uidNumber=uid, \
                    gidNumber=gid, \
                    gecos=gcos, \
                    homeDirectory=home, \
                    loginShell=shell, \
                    (shadowLastChange,shadowMin,shadowMax, \
                     shadowWarning,shadowInactive,shadowExpire)=\
                    (shadow, ":"), \
                    nisplusEntryOwner=zo_owner, \
                    nisplusEntryGroup=zo_group, \
                    nisplusEntryAccess=zo_access

Similarly, to set NIS+ entry owner, group, and access from LDAP data for
the passwd.org_dir table, modify the following.

    nisplusLDAPcolumnFromAttribute \
            passwd: name=uid, \
                    ("{crypt$}%s", passwd)=userPassword, \
                    uid=uidNumber, \
                    gid=gidNumber, \
                    gcos=gecos, \
                    home=homeDirectory, \
                    shell=loginShell, \
                    shadow=("%s:%s:%s:%s:%s:%s", \
                            shadowLastChange, \
                            shadowMin, \
                            shadowMax, \
                            shadowWarning, \
                            shadowInactive, \
                            shadowExpire)

Edit to read as follows. (Only the three zo_ lines are added; the password mapping stays
unchanged.)

    nisplusLDAPcolumnFromAttribute \
            passwd: name=uid, \
                    ("{crypt$}%s", passwd)=userPassword, \
                    uid=uidNumber, \
                    gid=gidNumber, \
                    gcos=gecos, \
                    home=homeDirectory, \
                    shell=loginShell, \
                    shadow=("%s:%s:%s:%s:%s:%s", \
                            shadowLastChange, \
                            shadowMin, \
                            shadowMax, \
                            shadowWarning, \
                            shadowInactive, \
                            shadowExpire), \
                    zo_owner=nisplusEntryOwner, \
                    zo_group=nisplusEntryGroup, \
                    zo_access=nisplusEntryAccess
- Upload owner, group, access, and/or TTL entry data to LDAP.
See How to Convert All NIS+ Data to LDAP in One Operation for more information.
- Restart the NIS+ service in order to make the mapping change take effect.
# svcadm restart network/rpc/nisplus:default
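The following Python script is an added check, not part of this guide or of Solaris: it parses the nisplusLDAPobjectDN, nisplusLDAPattributeFromColumn and nisplusLDAPcolumnFromAttribute values edited above and reports zo_* pseudo-columns that are mapped in only one direction (or to different LDAP attributes in each direction), plus a write portion that omits nisplusEntryData. An owner or access-rights value that is stored in LDAP but never read back silently reverts to the table object's defaults the next time entries are rebuilt from LDAP, which is exactly the per-user ownership this procedure exists to preserve. The mapping excerpt is constructed sample input.

```python
import re

# Constructed excerpt of a NIS+LDAPmapping file after the edits in this
# procedure (sample input, not the Solaris template); zo_access was
# deliberately left out of nisplusLDAPcolumnFromAttribute.
SAMPLE_MAPPING = r"""
nisplusLDAPobjectDN passwd:ou=People,?one?objectClass=posixAccount:\
        ou=People,?one?objectClass=posixAccount,objectClass=nisplusEntryData,\
        objectClass=account,objectClass=top
nisplusLDAPattributeFromColumn \
        passwd: dn=("uid=%s,", name), cn=name, uid=name, \
                nisplusEntryOwner=zo_owner, nisplusEntryGroup=zo_group, \
                nisplusEntryAccess=zo_access
nisplusLDAPcolumnFromAttribute \
        passwd: name=uid, zo_owner=nisplusEntryOwner, zo_group=nisplusEntryGroup
"""
ZO_COLS = ("zo_owner", "zo_group", "zo_access", "zo_ttl")

def parse_mappings(text):
    """Return {mapping attribute: {table: value}}; a trailing backslash
    continues a line and each value starts with 'table:'."""
    result = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        attr, _, rest = line.strip().partition(" ")
        table, _, value = rest.strip().partition(":")
        result.setdefault(attr, {})[table.strip()] = value.strip()
    return result

def check_zo_mapping(text, table):
    """Findings for one table: write descriptor missing nisplusEntryData, or
    zo_* pseudo-columns mapped in one direction only / to differing attributes."""
    maps = parse_mappings(text)
    get = lambda attr: maps.get(attr, {}).get(table, "")
    findings = []
    if "objectClass=nisplusEntryData" not in get("nisplusLDAPobjectDN").partition(":")[2]:
        findings.append("objectDN write portion lacks objectClass=nisplusEntryData")
    # NIS+ -> LDAP lines read ldapAttr=zo_col; LDAP -> NIS+ lines read zo_col=ldapAttr
    stored = {c: a for a, c in re.findall(r"(\w+)=(zo_\w+)", get("nisplusLDAPattributeFromColumn"))}
    loaded = dict(re.findall(r"(zo_\w+)=(\w+)", get("nisplusLDAPcolumnFromAttribute")))
    for col in ZO_COLS:
        w, r = stored.get(col), loaded.get(col)
        if w and not r:
            findings.append(f"{col}: stored in {w} but never read back (reinit from LDAP resets it)")
        elif r and not w:
            findings.append(f"{col}: read from {r} but never written to LDAP")
        elif w and r and w != r:
            findings.append(f"{col}: written to {w} but read from {r}")
    return findings
```

Run it against your own mapping file with check_zo_mapping(open(path).read(), "passwd") for each table you changed; an empty list means both directions agree.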