NIS to LDAP

Notes on a recent multi-master NIS to LDAP migration

Set up the NIS container (this is a NIS to LDAP migration project)

# primary.ldif
dn: ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
description: NIS Domain Container
ou: nisdomains
#end of primary ldif
 

Load into both servers (-w - prompts for the Directory Manager password instead of putting it on the command line):

ldapmodify  -h foo -a -v -D "cn=Directory Manager" -w - -f primary.ldif
ldapmodify  -h bar -a -v -D "cn=Directory Manager" -w - -f primary.ldif
 

NIS to LDAP Migration tools

http://www.padl.com/OSS/MigrationTools.html
http://www.padl.com/download/MigrationTools.tgz

Example Migration

I did the migration in a slightly different way from the PADL documentation, in that I did most of the munging by hand.

Nis_Containers.ldif:

dn: ou=Automount,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: Automount

dn: ou=Group,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: ou=Hosts,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: Hosts

dn: ou=Netgroup,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: Netgroup

dn: ou=People,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Protocols,ou=stc2,ou=nisdomains,dc=company,dc=ch
objectClass: top
objectClass: organizationalUnit
ou: Protocols

Load into the tree as above.

Download and untar the Migration Tools from PADL.

Modify migrate_common.ph to reflect the mail domain and the default base (the per-domain container created above):


# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "company.ch";

# Default base
$DEFAULT_BASE = "ou=stc2,ou=nisdomains,dc=company,dc=ch";


Modify migrate_automount.pl so the automount maps land in the Automount container rather than directly under the default base:

$PROGRAM = "migrate_automount.pl";
$NAMINGCONTEXT = &getsuffix($PROGRAM);
$NAMINGCONTEXT = "ou=Automount,$NAMINGCONTEXT";

From the target NIS server, take the passwd, group, netgroup, hosts and protocols source files, the netgroup.byhost and netgroup.byuser maps, and the auto.* automount map sources (used below), and copy them into the migration tools directory.

Make an ldif directory to store the resulting LDIF files:

mkdir ldif

Run through the migration:

for i in group hosts netgroup passwd protocols ; do ./migrate_${i}.pl $i ldif/$i.ldif; done
./migrate_netgroup_byuser.pl netgroup.byuser ldif/netgroupbyuser.ldif
./migrate_netgroup_byhost.pl netgroup.byhost ldif/netgroupbyhost.ldif 

Build the DUA config profile, but strip out the posixNamingProfile objectClass (my chosen LDAP server does not have this class):

./migrate_profile.pl "ldap1.company.ch ldap2.company.ch" |grep -v posixNamingProfile > ldif/dua.ldif
 
for i in auto* ; do echo $i; ./migrate_automount.pl $i ldif/$i.ldif; done

cd ldif

for i in *ldif ; do ldapmodify -x -a -c -h ldaps1.company.ch -D "cn=Directory manager" -w password -f $i; done

Two caveats on that load: -w password puts the Directory Manager password into the process list and the shell history, so prefer -W (prompt) or -y passwordfile, as -w - did above; and -c continues past failing entries, so keep the output and grep it for errors rather than assuming every entry went in.
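The migration scripts copy whatever is in the source maps straight into the directory, where it takes effect on every NSS client, so the maps deserve a check before migrate_passwd.pl is run and the LDIF is loaded. The following is an added example, not part of the PADL MigrationTools or of the original notes: it runs three checks over a constructed sample passwd map (empty password fields, extra uidNumber 0 accounts, duplicate uidNumbers) and reports whether the map is clean. The sample accounts are invented for the example.

```shell
#!/bin/sh
# Pre-load sanity checks for the NIS passwd source map, to run before
# migrate_passwd.pl. Added example, not part of the PADL MigrationTools.
# The tools copy whatever is in the map, so anything wrong here ends up
# in the directory with full NSS effect.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample passwd map (NIS source format). Not real data.
# 'x' in field 2 means the hash lives in the shadow map.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
svcacct::1003:100:Service:/var/svc:/bin/false
oldroot:x:0:0:Legacy admin:/root:/bin/sh
carol:x:1002:100:Carol:/home/carol:/bin/bash
EOF

# Number of entries in a map (blank and comment lines ignored); the LDIF
# the tool writes should contain exactly this many dn: lines
map_entries() {
    grep -cv -e '^#' -e '^$' "$1"
}

# Accounts with an empty password field: migrated as-is they become
# entries with no usable credential, or no userPassword at all
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts other than root carrying uidNumber 0
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# uidNumbers shared by several accounts: two LDAP entries resolving to
# one POSIX identity. Output is "uid: name name ...", sorted by uid
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort
}

# Run every check; prints findings and returns 1 if any check found something
check_passwd_map() {
    rc=0
    for check in empty_passwords extra_uid0 duplicate_uids; do
        out=$($check "$1")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"
            rc=1
        fi
    done
    return $rc
}

echo "passwd entries: $(map_entries "$WORK/passwd")"
if check_passwd_map "$WORK/passwd"; then
    echo "passwd map is clean; safe to run migrate_passwd.pl"
else
    echo "fix the findings above before running migrate_passwd.pl"
fi
```

Point the functions at the real passwd file copied from the NIS server instead of the sample; after migrate_passwd.pl has run, grep -c '^dn:' ldif/passwd.ldif should equal the map_entries count.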

Using ypldapd for migration/legacy clients that can't talk to LDAP

http://www.padl.com/Products/NISLDAPGateway.html

Follow the manual and you will have zero trouble installing it; it just works!

ypldapd init script to SMF migration 

As shipped, ypldapd runs as an init script out of rc2.d. I would prefer to use Sun's SMF to capture and control the service:

  cp /etc/rc2.d/S94ypldapd /lib/svc/method/ypldapd

Create ypldapd.xml as follows (the stop method must call the script's stop action, and the bundle name should be the service's own, not one left over from a template):

<?xml version="1.0"?>

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='ypldapd'>

<service
        name='network/ypldapd'
        type='service'
        version='1'>

        <create_default_instance enabled='false' />

        <dependency
                name='network'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri value='svc:/network/initial:default' />
        </dependency>

        <exec_method
                type='method'
                name='start'
                exec='/lib/svc/method/ypldapd start'
                timeout_seconds='0' />

        <exec_method
                type='method'
                name='stop'
                exec='/lib/svc/method/ypldapd stop'
                timeout_seconds='3' />

        <stability value='Unstable'/>

        <template>
                <common_name>
                        <loctext xml:lang='C'>YP LDAP Gateway</loctext>
                </common_name>
        </template>
</service>
</service_bundle>

svccfg validate ypldapd.xml
svccfg import ypldapd.xml

Now double-check that SMF has it:

svcs -a |grep -i yp   
disabled        8:28:26 svc:/network/ypldapd:default
 

Shut it down from the init script (if running) and start it via SMF:

/etc/rc2.d/S94ypldapd stop

svcadm enable ypldapd

Check for errors with svcs -x.


Automount Maps and ypldapd


By default PADL's ypldapd will look for automount maps in the root of the naming context container.

But with our preferred schema of placing them in an Automount container, we need to modify /opt/ypldapd/etc/namingcontexts.conf to reflect their location:


* nisMapName=%s,ou=Automount,

Once that is in place, restart the ypldapd process (svcadm restart ypldapd when it is under SMF as above).

 

Netscape/Red Hat/Fedora DS: allow users to change their own passwords

aci: (targetattr = "userPassword") (version 3.0; acl "Allow self password change";
 allow (write) userdn = "ldap:///self";)

Keep targetattr scoped to userPassword. With targetattr = "*", self write also covers uidNumber, gidNumber, homeDirectory and loginShell, so any user could set their own uidNumber to 0 and be root on every NSS client, including the NIS clients behind ypldapd.
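Because an over-broad self-write ACI is easy to leave behind (targetattr = "*" with userdn = "ldap:///self" is a common first attempt), it is worth auditing the directory for it once the ACIs are in. The following is an added example, not part of the original notes or of the DS distribution: it unfolds an LDIF dump of aci values and prints the name of every ACL that grants "self" write access to anything other than exactly userPassword. The dump it reads is constructed inline and carries the broad form, the password-only form, and an unrelated read-only ACI.

```shell
#!/bin/sh
# Find ACIs that grant "self" write access beyond userPassword in an LDIF
# dump of the directory. Added example, not part of the original notes;
# the input below is constructed for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed dump: first ACI is the broad form, second is password-only,
# third is a read-only grant that must not be flagged. LDIF folds long
# values onto continuation lines that start with a space.
cat > "$WORK/acis.ldif" <<'EOF'
dn: ou=People,ou=stc2,ou=nisdomains,dc=company,dc=ch
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification";
  allow (write) userdn = "ldap:///self";)
aci: (targetattr = "userPassword") (version 3.0; acl "Allow self password change";
  allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*") (version 3.0; acl "Anonymous read";
  allow (read,search,compare) userdn = "ldap:///anyone";)
EOF

# Unfold LDIF continuation lines (exactly one leading space is stripped)
unfold_ldif() {
    awk '/^ / { sub(/^ /, ""); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# Print the acl name of every self-write ACI whose targetattr is not exactly
# userPassword. With targetattr "*" (or any list that includes uidNumber or
# gidNumber) a user can rewrite their own uidNumber to 0 on every NSS client.
risky_self_write_acis() {
    unfold_ldif "$1" |
    grep '^aci:' |
    grep 'userdn *= *"ldap:///self"' |
    grep 'allow *([^)]*write' |
    grep -v 'targetattr *= *"userPassword"' |
    sed 's/.*acl "\([^"]*\)".*/\1/'
}

risky=$(risky_self_write_acis "$WORK/acis.ldif")
if [ -n "$risky" ]; then
    echo "self-writable beyond userPassword:"
    echo "$risky"
else
    echo "no over-broad self-write ACIs found"
fi
```

Against a live server, feed it the output of ldapsearch -LLL -D "cn=Directory Manager" -W -b dc=company,dc=ch '(aci=*)' aci instead of the constructed file.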