Abstract
With Version 5.2, AIX 5L supports LDAP for authentication, user and group attribute storage, and schema for NIS data. The following Tip describes how to migrate NIS maps into the LDAP directory using the RFC2307 schema. After the NIS maps are migrated, the NIS client can be disabled, as the NIS maps can be accessed directly using LDAP.
For related information about this topic, refer to the following IBM Redbooks publication:
AIX 5L Differences Guide Version 5.2 Edition, SG24-5765-02
Contents
The RFC2307 specification defines a schema to hold the data from the following NIS maps:
passwd
group
networks
netgroups
rpc
hosts
services
protocols
To migrate the data from your NIS maps, you must run the nistoldif command to dump the maps into an LDIF file. The following example uses the nistoldif command to dump all the NIS MAP files into the LDIF file nisdump.ldif. The -d flag specifies the base DN where the AIX local repository resides.
# nistoldif -d cn=aixdata,ou=mydept,o=mycompany.example,c=us > nisdump.ldif
The following section is an excerpt of the nisdump.ldif file generated by the previous nistoldif command. The first LDIF entry is the loopback host entry from the hosts NIS map. The second LDIF entry is the udp protocol entry from the protocols NIS map.
dn: cn=loopback+ipHostNumber=127.0.0.1,ou=hosts,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 127.0.0.1
cn: loopback
cn: localhost

dn: cn=udp,ou=protocols,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
cn: udp
cn: UDP
objectClass: top
objectClass: ipProtocol
ipProtocolNumber: 17
description: description
By default, the nistoldif command will export all the NIS maps into LDIF. Use the -s flag to specify the list of maps to export into LDIF. After the LDIF file is generated, you must use the ldapadd command to load the NIS maps into LDAP. The following command demonstrates this task:
# ldapadd -c -a -D "cn=admin,ou=mydept,o=mycompany.example,c=us" -w mysecret -f nisdump.ldif
The nistoldif command will not directly export NIS+ maps to LDIF files. You must use the nisaddent command to export the data from each table. After the data is exported to an LDIF file, you can import it using the ldapadd command. The following example shows the syntax of the nisaddent command:
# /usr/lib/nis/nisaddent -d -t table tabletype > filename
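Because ldapadd -c keeps going after a rejected entry, a duplicate DN or an entry without an objectClass in a large nistoldif dump is easy to miss. The following POSIX sh script is an added example, not code from the Technote or from AIX; it unfolds LDIF continuation lines, counts entries per NIS container, and reports duplicate DNs and entries lacking an objectClass so the dump can be corrected before it is loaded. The sample dump it writes is constructed: it contains the two entries shown above plus a repeated udp entry and a host entry with a folded DN and no objectClass.

```shell
#!/bin/sh
# Added example (not from the IBM Technote): sanity-check an LDIF dump
# produced by nistoldif before it is handed to ldapadd. Because ldapadd -c
# continues past errors, a duplicate DN or an entry with no objectClass is
# easy to overlook in a large dump; these checks surface them first.
# Assumes a POSIX sh with awk, sort and uniq available.

# Join LDIF continuation lines (leading space) onto the line they belong to,
# so every dn: and attribute is on a single line for the checks below.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { print buf }' "$1"
}

# Count entries per NIS container, i.e. the first ou= component after the
# RDN (ou=hosts, ou=protocols, ...). Output: "ou=<map> <count>", sorted.
ldif_map_counts() {
    ldif_unfold "$1" | awk '
        /^dn: / {
            n = split(substr($0, 5), part, ",")
            for (i = 2; i <= n; i++)
                if (part[i] ~ /^ou=/) { count[part[i]]++; break }
        }
        END { for (c in count) print c, count[c] }' | sort
}

# Print every DN that occurs more than once; ldapadd rejects the repeats.
ldif_dup_dns() {
    ldif_unfold "$1" | awk '/^dn: / { print substr($0, 5) }' | sort | uniq -d
}

# Print the DN of every entry that carries no objectClass attribute.
ldif_missing_objectclass() {
    ldif_unfold "$1" | awk '
        /^dn: /          { if (dn != "" && !oc) print dn; dn = substr($0, 5); oc = 0 }
        /^objectClass: / { oc = 1 }
        END              { if (dn != "" && !oc) print dn }'
}

# Run all checks; returns 1 when something needs fixing before ldapadd.
# Usage: check_ldif nisdump.ldif
check_ldif() {
    echo "entries per map:"
    ldif_map_counts "$1"
    dups=$(ldif_dup_dns "$1")
    missing=$(ldif_missing_objectclass "$1")
    status=0
    if [ -n "$dups" ]; then
        printf 'duplicate DNs:\n%s\n' "$dups"; status=1
    fi
    if [ -n "$missing" ]; then
        printf 'entries without objectClass:\n%s\n' "$missing"; status=1
    fi
    return $status
}

# Constructed sample dump: the two entries shown in the text, plus a repeated
# udp entry and a host entry (hypothetical host1) with a folded DN and no
# objectClass. Usage: write_sample_ldif /path/to/file
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=loopback+ipHostNumber=127.0.0.1,ou=hosts,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 127.0.0.1
cn: loopback
cn: localhost

dn: cn=udp,ou=protocols,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
cn: udp
cn: UDP
objectClass: top
objectClass: ipProtocol
ipProtocolNumber: 17
description: description

dn: cn=udp,ou=protocols,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
cn: udp
objectClass: top
objectClass: ipProtocol
ipProtocolNumber: 17

dn: cn=host1+ipHostNumber=192.0.2.10,ou=hosts,cn=nisdata,cn=aixdata,
 ou=mydept,o=mycompany.example,c=us
ipHostNumber: 192.0.2.10
cn: host1
EOF
}
```

Run `check_ldif nisdump.ldif` on the real dump; a non-zero exit means the dump should be corrected (or the offending map re-exported with -s) before ldapadd is run. Note also that the -w and -p password arguments in the commands above appear in the process list and shell history of the machine where they are typed; running the load from a host where that is acceptable, and clearing the history afterwards, is worth the minute it takes.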
After the NIS maps are imported into the LDAP server, you must configure the AIX LDAP security client using the mksecldap command with the -c flag. This must be done after the NIS maps are loaded, as mksecldap will search the LDAP directory and only enable the NIS maps it locates. The following example will configure the LDAP security client. The -h flag specifies the list of host names of the LDAP servers to connect to. The -a and -p flags are the administrator's DN and password used to access the LDAP server. The -d flag is the base DN of the AIX data subtree. The -u NONE flag prevents any users from being migrated to LDAP.
# mksecldap -c -h ldap3.mycompany.example -a "cn=admin,ou=mydept,o=mycompany.example,c=us" \
    -p mysecret -d "ou=mydept,o=mycompany.example,c=us" -u NONE
The mksecldap command will modify the /etc/security/ldap/ldap.cfg configuration file. If any NIS maps have been located in the LDAP directory, it will also modify the /etc/irs.conf and /etc/netsvc.conf files.
The following excerpt from the ldap.cfg file shows the NIS map data to DN mapping generated by the previous mksecldap command. The ldap.cfg will only have configuration entries for NIS maps it was able to locate.
# Base DN where the user and group data are stored in the LDAP server.
# e.g., if user foo's DN is: username=foo,ou=aixuser,cn=aixsecdb
# then the user base DN is: ou=aixuser,cn=aixsecdb
#userbasedn:ou=aixuser,cn=aixsecdb,cn=aixdata
userbasedn:ou=aixuser,cn=aixsecdb,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#groupbasedn:ou=aixgroup,cn=aixsecdb,cn=aixdata
groupbasedn:ou=aixgroup,cn=aixsecdb,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#idbasedn:cn=aixid,ou=system,cn=aixsecdb,cn=aixdata
idbasedn:cn=aixid,ou=system,cn=aixsecdb,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#hostbasedn:ou=hosts,cn=nisdata,cn=aixdata
hostbasedn:ou=hosts,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#servicebasedn:ou=services,cn=nisdata,cn=aixdata
servicebasedn:ou=services,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#protocolbasedn:ou=protocols,cn=nisdata,cn=aixdata
protocolbasedn:ou=protocols,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#networkbasedn:ou=networks,cn=nisdata,cn=aixdata
networkbasedn:ou=networks,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#netgroupbasedn:ou=netgroup,cn=nisdata,cn=aixdata
netgroupbasedn:ou=netgroup,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#rpcbasedn:ou=rpc,cn=nisdata,cn=aixdata
rpcbasedn:ou=rpc,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
The mksecldap command will add nis_ldap to the host line in the /etc/netsvc.conf file. The NSORDER environment variable will also support the nis_ldap parameter. The following example will set the name resolution order to nis_ldap, bind, NIS, and then local /etc/hosts.
hosts = nis_ldap, bind, nis, local
If NIS maps are detected, the mksecldap command will also modify the /etc/irs.conf file. The irs.conf file specifies the resolution order for the NIS map files. The following example shows the /etc/irs.conf file. The lookup order for the services routines is nis_ldap, nis, and then local.
hosts nis_ldap continue
hosts dns continue
hosts nis continue
hosts local
services nis_ldap continue
services nis continue
services local
networks nis_ldap continue
networks dns continue
networks nis continue
networks local
netgroup nis_ldap continue
netgroup nis continue
netgroup local
protocols nis_ldap continue
protocols nis continue
protocols local
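Since mksecldap only writes a *basedn line for the maps it actually found in the directory, it is worth confirming that every database irs.conf routes to nis_ldap has a matching base DN in ldap.cfg; otherwise those lookups never touch LDAP and quietly fall through to the next source. The following POSIX sh script is an added example, not part of the Technote or of AIX. It assumes the pairing between irs.conf database names and ldap.cfg keys shown in the two excerpts above, and takes the file paths as arguments so it can be run against copies; the sample ldap.cfg and irs.conf it writes are constructed, with networkbasedn deliberately left commented out.

```shell
#!/bin/sh
# Added example (not from the IBM Technote): cross-check the NIS maps that
# /etc/security/ldap/ldap.cfg points at the directory against the databases
# that /etc/irs.conf routes to nis_ldap. mksecldap -c only writes a *basedn
# line for maps it found in LDAP, so an irs.conf database that names nis_ldap
# without a matching base DN never resolves through LDAP and silently falls
# through to the next source. Assumes POSIX sh and awk.

# irs.conf database name -> ldap.cfg key. The pairing is taken from the two
# excerpts in the text; databases not listed here are reported as unmapped.
cfg_key_for() {
    case "$1" in
        hosts)     echo hostbasedn ;;
        services)  echo servicebasedn ;;
        protocols) echo protocolbasedn ;;
        networks)  echo networkbasedn ;;
        netgroup)  echo netgroupbasedn ;;
        *)         echo "" ;;
    esac
}

# Print the base DN set for KEY in LDAP_CFG, skipping commented-out lines.
# Usage: active_basedn LDAP_CFG KEY
active_basedn() {
    awk -F: -v key="$2" '
        $0 !~ /^#/ && $1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# Collapse irs.conf's one-source-per-line layout into "db src1 src2 ..." lines
# in first-seen order, so each database's precedence is visible at a glance.
# Usage: irs_order IRS_CONF
irs_order() {
    awk '
        !/^#/ && NF >= 2 {
            if ($1 in order) order[$1] = order[$1] " " $2
            else { names[++n] = $1; order[$1] = $2 }
        }
        END { for (i = 1; i <= n; i++) print names[i], order[names[i]] }' "$1"
}

# Print each database that irs.conf sends to nis_ldap but ldap.cfg has no
# active base DN for. No output means the two files agree.
# Usage: unmapped_nis_ldap LDAP_CFG IRS_CONF
unmapped_nis_ldap() {
    irs_order "$2" | while read -r db sources; do
        case " $sources " in
            *" nis_ldap "*)
                key=$(cfg_key_for "$db")
                if [ -z "$key" ] || [ -z "$(active_basedn "$1" "$key")" ]; then
                    echo "$db"
                fi ;;
        esac
    done
}

# Constructed sample pair: ldap.cfg as mksecldap would write it, except that
# networkbasedn is left commented out; irs.conf as shown in the text.
# Usage: write_sample_configs /path/to/dir
write_sample_configs() {
    cat > "$1/ldap.cfg" <<'EOF'
# Base DN where the user and group data are stored in the LDAP server.
userbasedn:ou=aixuser,cn=aixsecdb,cn=aixdata,ou=mydept,o=mycompany.example,c=us
groupbasedn:ou=aixgroup,cn=aixsecdb,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#hostbasedn:ou=hosts,cn=nisdata,cn=aixdata
hostbasedn:ou=hosts,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
servicebasedn:ou=services,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
protocolbasedn:ou=protocols,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
#networkbasedn:ou=networks,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
netgroupbasedn:ou=netgroup,cn=nisdata,cn=aixdata,ou=mydept,o=mycompany.example,c=us
EOF
    cat > "$1/irs.conf" <<'EOF'
hosts nis_ldap continue
hosts dns continue
hosts nis continue
hosts local
services nis_ldap continue
services nis continue
services local
networks nis_ldap continue
networks dns continue
networks nis continue
networks local
netgroup nis_ldap continue
netgroup nis continue
netgroup local
protocols nis_ldap continue
protocols nis continue
protocols local
EOF
}
```

On a configured client, `unmapped_nis_ldap /etc/security/ldap/ldap.cfg /etc/irs.conf` should print nothing; `irs_order /etc/irs.conf` shows at a glance that, with the order above, a hosts entry in LDAP takes precedence over DNS, which is the behaviour an administrator should expect and verify after migration.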
Special Notices
This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.
