NIS to LDAP Transition: Exploring

Similar documents
SunVTS Quick Reference Card

Sun Control Station. Performance Module. Sun Microsystems, Inc. Part No September 2003, Revision A

Solaris 8 6/00 Sun Hardware Roadmap

Memory Hole in Large Memory X86 Based Systems

Automating LDAP Client Installations

Solaris 8 User Supplement. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

The Solaris Security Toolkit - Quick Start

Sun Java System Connector for Microsoft Outlook Q4 Installation Guide

Traditional Chinese Solaris Release Overview

Scenario Planning - Part 1

man pages section 6: Demos

Font Administrator User s Guide. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun Enterprise System 336-Mhz Processor Upgrade Instructions

Solaris 9 9/04 Installation Roadmap

Solaris 8 User Supplement. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Solaris PC NetLink 1.2 Installation Guide

Java Desktop System Release 2 Installation Guide

Solaris 8 Desktop User Supplement. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Font Administrator User s Guide

Sun Fire V100 Server Product Notes

SunPCi Release Notes

Sun Ultra TM. 5 and Ultra 10 Product Notes. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun Patch Manager 2.0 Administration Guide for the Solaris 8 Operating System

Directory Server Indexing

Transitioning to Solaris PC NetLink 1.0

Rackmount Placement Matrix

Java Desktop System Release 3 Troubleshooting Guide

Sun Management Center 3.5 Supplement for VSP High-End Entry Servers (Workgroup Servers)

Sun Cluster 2.2 7/00 Data Services Update: Lotus Domino 4.6.3

Sun StorEdge RAID Manager 6.2 Installation and Support Guide

Tales from the Trenches: The Case of the RAM Starved Cluster

Sun Management Center 3.5 Service Availability Manager User s Guide

Ultra Enterprise 6000/5000/4000 Systems Power Cord Installation

GNOME 2.0 Desktop for the Solaris Operating Environment Installation Guide

Sun Management Center 3.6 Version 7 Add-On Software Release Notes

Solaris 8 Desktop User Supplement

Provisioning in Replicated, Mission-Critical Environments

Cable Management Guide

GNOME 2.0 Desktop for the Solaris Operating Environment User Guide

Solaris Common Desktop Environment: User s Transition Guide. Sun Microsystems, Inc Garcia Avenue Mountain View, CA U.S.A.

Jini Network Technology

Sun Remote System Control (RSC) 2.2 Release Notes

4.0 Gbyte 1/4-Inch Tape Drive Specifications

Simplified Chinese Solaris Release Overview

Sun StorEdge T3 Disk Tray Cabinet Installation Guide

Oracle Usage Guide for the Sun StorEdge N8600 Filer

Sun Multipath Failover Driver 1.0 for AIX User s Guide

Sun StorEdge N8000 Filer Series Administrator s Guide

Wide Thin Disk Striping

Sun Management Center 4.0 Version 4 Add-On Software Release Notes

Sun Management Center 4.0 Version 3 Add-On Software Release Notes

Traditional Chinese Solaris Release Overview

Using Solaris Resource Manager Software with Solaris PC NetLink Software - Part 2

PCI:SBus Comparison. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A. Part No.: October 1998, Revision A

UltraSPARC - IIs CPU Module Installation Guide

Sun Cluster Data Service for NetBackup Guide for Solaris OS

Solaris 8 System Administration Supplement. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun StorEdge N8200 Filer Installation, Configuration, and Service Guide

Sun HPC ClusterTools Software Best Practices

Sun StorEdge Network 2 Gb Brocade SilkWorm 3200 and 3800 Switches Release Notes

Solaris Common Desktop Environment: User s Transition Guide

man pages section 9: DDI and DKI Overview

Sun Cluster 3.1 Data Service for Domain Name Service (DNS)

Sun Fire 6800 System and Sun Fire Cabinet Rackmount Placement Matrix

Sun Ultra 2 UltraSPARC -II Module Upgrade

Sun Ultra 2 UltraSPARC -IIModuleX-Option

Sun Control Station. Software Installation. Sun Microsystems, Inc. Part No January 2004, Revision A

StorageTek Host Software Component (HSC) MVS Software

Sun Fire V60x and V65x Servers ReadMe

20-40 Gbyte 8mm Tape Drive Installation and User s Guide

Solaris Volume Manager Administration Guide

The Art of Production Environment Engineering

Sun Remote System Control (RSC) Release Notes

Sun Management Center 3.0 Service Availability Manager User s Guide

N1 Grid Service Provisioning System 4.1. Developers Concept Guide Network Circle Santa Clara, CA U.S.A.

SunScreen EFS Release 3.0 Release Notes

Sun Management Center 4.0 Version 2 Add-On Software Release Notes

Fortran 90 Browser. f90browse

Java Desktop System Release 3 Installation Guide

IP Network Multipathing Administration Guide. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun StorEdge 3310 SCSI Array Best Practices Manual

Solstice AdminSuite 2.3 Administration Guide. Sun Microsystems, Inc. 910 San Antonio Road Palo Alto, CA U.S.A.

Java Desktop System Release 2 Quick Start User Guide

Sun Cluster Data Service for DNS Guide for Solaris OS

Sun Blade 1000 and Sun Blade 2000 Product Notes

Platform Notes: The eri FastEthernet Device Driver

Sun Java System Web Server 6.1 SP6 Getting Started Guide

JumpStart Architecture and Security Scripts for the Solaris Operating Environment - Part 1

Cluster Platform 15K/9960 System

Solaris Bandwidth Manager 1.6 System Administration Guide. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun Netra TM X4200 M2 Server Product Notes

Sun StorEdge MultiPack Storage Guide

Workgroup Server PCI RAID Solution - The Sun StorEdge SRC/P Controller

Sun Java System Connector for Microsoft Outlook Q4 User s Guide

Sun StorEdge Traffic Manager 4.4 Software Installation Guide

Sun Update Manager 1.0 Administration Guide

Sun Fire V20z Server Installation Guide

Platform Notes: The eri FastEthernet Device Driver

Sun Cluster With Fibre Channel JBOD Storage Device Manual

Sun Fire V60x and V65x BIOS and Firmware Update ReadMe

Transcription:

NIS to LDAP Transition: Exploring By Tom Bialaski - Enterprise Engineering Sun BluePrints OnLine - February 2000 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA 650 960-1300 fax 650 969-9131 Part No.: 806-4597-10 Revision 01, February 2000

Copyright 2000 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, The Network Is The Computer, Sun BluePrints, iplanet, Sun Alliance and Solaris are trademarks, registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun s written license agreements. RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a). DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON- INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 2000 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, Californie 94303 Etats-Unis. Tous droits réservés. Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l autorisation préalable et écrite de Sun et de ses bailleurs de licence, s il y en a. Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun. Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, The Network Is The Computer, Sun BluePrints, iplanet, Sun Alliance, et Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun Microsystems, Inc. aux Etats-Unis et dans d autres pays. Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc. L interface d utilisation graphique OPEN LOOK et Sun a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d utilisation visuelle ou graphique pour l industrie de l informatique. Sun détient une licence non exclusive de Xerox sur l interface d utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l interface d utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun. CETTE PUBLICATION EST FOURNIE "EN L ETAT" ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N EST ACCORDEE, Y COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L APTITUDE DE LA PUBLICATION A REPONDRE A UNE UTILISATION PARTICULIERE, OU LE FAIT QU ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE GARANTIE NE S APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU. Please Recycle

NIS to LDAP Transition: Exploring ypldapd This is the first in This is the first in a series of articles in which I examine technologies that help increase availability during the transition from legacy Solaris Operating Environment directory services, such as NIS, to LDAP based ones. The Network Information Service (NIS), which was introduced in 1985 by Sun Microsystems, Inc. is still one of the most widely deployed enterprise directory services in corporate intranets today. While NIS has served its purpose admirably, future directory services adopted by corporate IT planners most likely will be based on the emerging standard Lightweight Directory Access Protocol (LDAP). The transition from one directory service to another has never been a simple task and requires careful planning. The complex nature and widespread implications of an ill-planned transition have led system planners to migrate users in small groups to the new technology, rather than risking downtime for a large group of users if something goes wrong. One approach to this migration is to replace selected legacy directory servers with gateway servers which store information in the new directory, but emulate the services provided by the legacy server. This article focuses on ypldapd, one of the NIS to LDAP gateway products developed by PADL Software. We will take a look at the functionality ypldapd provides, how it works, and how it is installed and configured. This article is targeted at readers who do not currently have a lot of experience with LDAP based technology, but may be working with it in the future. Since the best way to become familiar with new technology is to get hands-on experience, I will explain how to set up a ypldapd test bed with the iplanet software Directory Server acting as the LDAP server back-end. 1

For more product details on ypldapd, including pricing and availability, see http:/ /www.padl.com. A full set of iplanet Directory Server documentation can be found at http://iplanet.com. What does ypldapd do? In general, ypldapd emulates the NIS server process ypserv by providing an RPC call-compatible interface. To the NIS client, it looks and behaves like a real NIS server. However, instead of storing its information in NIS maps, it stores the data in an LDAP directory. When client requests for information are received, ypldapd retrieves the information from an LDAP directory instead of NIS maps. Utilities that use the NIS such as ypcat, ypmatch, and login, work unmodified. However, since user passwords are kept in an LDAP directory instead of NIS, the standard Solaris Operating Environment utility for changing passwords does not work. To change passwords kept in an LDAP directory, PADL provides a utility called ldappasswd which is included with the ypldapd software. How ypldapd works The ypldapd implementation is pretty simple, consisting of a daemon process that reads a configuration file when it starts. A script in /etc/rc2.d that automatically starts the daemon is also included. Configuration changes are performed by editing configuration files and restarting the daemon. When ypldapd starts, it binds to a specified LDAP server. This binding action is similar to logging into an operating system or application. An identifier is sent to the LDAP server along with an associated password. If the password matches, a connection to the server is established, then maintained as long as ypldapd and the LDAP server are running. An anonymous connection can be established without providing an identifier and password, but only LDAP directory data with anonymous access rights can be viewed or modified over this connection. The ypldapd software does not include an LDAP directory server, but should work with any LDAP servers which run in the Solaris Operating Environment. However, containers for NIS data, called object classes, must be set up on the LDAP server before ypldapd can access the data. This actually takes more work than the ypldapd setup does. More information on what the required data structures look like is presented in the next section. 2 NIS to LDAP Transition: Exploring February 2000

One of the most significant functions NIS plays is its role in the authentication of users. NIS stores passwords in an encrypted format called Unix crypt, which the Solaris Operating Environment login program retrieves. To prevent it from being intercepted, the password is sent over the network as an encrypted string instead of clear text. However, to support this method of authentication, the LDAP server where passwords reside must have the ability to store passwords in Unix crypt format. We will discuss setting up the iplanet software Directory Server to support Unix crypt passwords later in this article. Mapping NIS Maps to LDAP Objects To better understand how NIS data is maintained in an LDAP directory it is helpful to examine the two data structures and see how one is mapped to the other. NIS stores its information in maps which contain data in the form of keyword-value pairs. Searches are always performed by locating a keyword then retrieving the value associated with it. Since searches can only be performed on keywords, multiple NIS maps are required if you want to search using more than one keyword. For example, two NIS maps are created, passwd.byname and passwd.byuid, so user account information can be retrieved either by specifying the user s login name or numeric User s ID. LDAP directories consist of entries which conform to a format specified in an object class. The object class defines attributes which the entry can contain. Searches are performed by specifying the value of a specific attribute along with a starting point in the Directory Information Tree (DIT). To provide uniqueness among directory entries, the value of at least one attribute is made unique. For example, each entry for a user contains an attribute called uid, which is the login name of the user and is unique. Searches performed on uid will only return the entry for that particular user. Unlike NIS maps, LDAP directories can be searched by specifying a value of any attribute. This eliminates the needs for multiple maps which contain the same data. Since the data structures are so different between NIS maps and LDAP directory objects, there needs to be a well defined way of mapping one to the other. A proposed mapping was defined in RFC2307 and later refined in RFC2307bis. A number of LDAP object classes and attributes are defined in this specification. These include: posixaccount posixgroup iphost uidnumber gidnumber NIS to LDAP Transition: Exploring 3

The data contained in these object classes relates to data found in NIS maps such as passwd.byname and hosts.byname. A complete description of the object classes and attributes defined in RFC2307 is provided with the ypldapd user documentation. The syntax and rules for storing data in an LDAP directory are defined in the directory server s schema. When a directory server starts, a configuration file, which represents the directory server s schema is read. This file specifies what is allowed to be stored in the directory. The iplanet Directory Server 4.x ships with a schema file called slapd.oc.conf, which contains the object classes and attributes defined in RFC2307. When the iplanet software Directory Server starts, the slapd.oc.conf file is read by default, so no additional setup is required prior to populating the directory with NIS objects. Other LDAP directory servers may require that the RFC2307 schema file be included in its configuration file. Building a ypldapd Test Bed Now that you have some basic understanding how ypldapd works and what needs to be performed on the LDAP server, we will discuss setting up a test configuration. Setting up a test environment for ypldapd requires three components: 1. An LDAP Server (iplanet software Directory Server) 2. ypldapd Server 3. NIS client A single system can be used for all three components, but I decided to run the LDAP server on one system and the ypldapd service and NIS client on another system. My reason for this was that I already had the iplanet software Directory Server set up on my office workstation which is a NIS client to the corporate network. Since I didn t want to have my workstation belong to a NIS test domain, I installed the ypldapd server on a test system and made it a NIS client of its own domain. iplanet Software Directory Server Setup If you already have an iplanet software Directory Server deployed, you can skip this section. However, my assumption is that you are new to LDAP or do not have access to an LDAP server to perform the required configuration. 4 NIS to LDAP Transition: Exploring February 2000

The Sun Alliance organization provides a demonstration version of the iplanet software Directory Server which you can download from http://iplanet/ downloads/testdrive. I used the 4.1 version, although the 4.11 should work fine. Before downloading the software, you should have the following configuration available: SPARC platform-based system running the Solaris 2.5.1, 2.6. or 7 Operating Environment At least 128MB RAM and 300 MHz CPU 100 MB free disk space for downloading and uncompressing the tarfile image 150MB free disk space where the server and utilities will be installed A monitor on which to run the iplanet software Console (local or via X-windows) The GNU utility gunzip or zcat for uncompressing the tarfile After the files are extracted, run the setup command, which walks you through a series of configuration questions. Since this is a test bed, specifying the defaults suits our purposes. In a production environment, we would probably change the distinguished name (DN) of the directory server s naming context which defaults to the value of domainname on the system on which it is installed. After the installation scripts complete, the following directory is created: <install-dir>/server4 - for example /usr/netscape/server4. Contained in that directory is the command startconsole, which invokes the iplanet software Console tool. Although it doesn t have to be, I found it more convenient to run this command as root. After the command executes, you are prompted for the administration account and the associated password which were created by the installation script. Note The admin account is stored in the LDAP directory, so the iplanet software Directory Server must be running before you log in. It is started automatically during the installation, but can also be manually started by running the startslapd command, located in the../server4/slapd-<servername> directory. By default, it is not made part of the Solaris Operating Environment startup scripts. Under the Server Group listing in the Console tool, you can click on the Directory Server icon to bring up the administration screen for the iplanet software Directory Server. We will use this tool for setting up the necessary configuration items. These items include: Creating containers for NIS objects Creating entries in the NIS containers Storing user passwords in crypt format NIS to LDAP Transition: Exploring 5

Populating the LDAP Directory Data contained in NIS maps must be placed in the LDAP directory so that ypldapd can retrieve it. There are three ways this data can be input: Imported via an LDIF file Updated via the ldapmodify command Manually input from the object editor in the Console tool The ypldapd software contains Perl scripts which can be run to perform either online or offline updates. The online scripts update the directory by running the ldapmodify command, and the offline scripts generate LDIF files which can be imported into the LDAP directory. These scripts are useful when importing entire sets of NIS maps, but for our testing purposes, the easiest method is to manually create a small number of entries with the object editor. Example: Creating User Accounts Before populating the LDAP Directory, you need to decide where in the Directory Information Tree (DIT) you want the NIS objects stored. By default, ypldapd looks under the top DIT level in organization unit (OU) containers defined in the ypldapd configuration file. For example, ou=people and ou=hosts. The ou=people container, where user account information is stored, is created automatically when the iplanet software Directory Server is installed. Other containers, such as ou=hosts, can be created from the Directory tab under Object->New->Organization Unit. To create new users from the Property Editor under the Directory tab, bring up the posixaccount template by going to the Object->New->Other->posixAccount form as shown in the following screen shot. 6 NIS to LDAP Transition: Exploring February 2000

FIGURE 1 Property Editor Window Notice that not all the attributes for the posixaccount object class appear in the Property Editor form. For example, there is no field for a password. To add the password field and assign a password to the user account, perform the following steps: 1. Double-click on a user entry. The Edit Entry form appears. 2. Navigate to Advanced -> Edit -> Add Attribute. The Add Attribute window appears (see FIGURE 2 on page 7). 3. From the list, select the User Password attribute. 4. Click OK. FIGURE 2 Add Attribute Window NIS to LDAP Transition: Exploring 7

Enabling Unix crypt Passwords on the iplanet Software Directory Server By default, the iplanet software Directory Server stores user passwords in the Secure Hash Algorithm (SHA) format. While this is suitable for most client applications, this format is not compatible with the standard authentication method used by the Solaris Operating Environment login program. To allow Solaris Operating Environment NIS client authentication using the iplanet software Directory Server, it must be set up to store passwords in the Unix crypt format. To do this, perform the following operations from the Directory Server administration screen. 1. Login as Directory Manager (default is admin). 2. Under the Configuration tab, go to Passwords. 3. Change the Password encryption: field to Unix crypt. 4. Stop and restart the directory server. Note As will be discussed in a future article, an alternative to Unix crypt encryption can be used by adding a PAM module to the Solaris Operating Environment client. This eliminates the requirement to store passwords in Unix crypt format on the LDAP server. Verifying the LDAP Directory Setup To check if the data we put into the LDAP directory is accessible from the server where ypldapd server was installed, run the ldapsearch command. For example: server% ldapsearch -h ldaphost -b o=test.com uid=nuser dn: cn=nuser,ou=people,o=test.com cn: nuser gidnumber: 1001 homedirectory: /usr/nuser objectclass: top objectclass: posixaccount uidnumber: 1002 uid: nuser gecos: test account loginshell: /bin/sh 8 NIS to LDAP Transition: Exploring February 2000

Note The ldapsearch command can be found in the../server4/shared/bin directory on the system where the iplanet software Directory Server was installed. ypldapd Server Setup The system where the ypldapd software is installed must be set up as a NIS client and must not be a NIS master or slave server. The domain to which the system belongs can either be the same as the one ypldapd will service or an existing NIS domain. The basic installation steps are outlined below. 1. Download the ypldapd_solaris-sparc.tar.gz file from http://www.padl.com 2. Unzip and untar the file. 3. Install the package using the pkgadd -d ypldapd.pkg command. 4. Supply the name of the domain you want ypldapd to serve and the name of the iplanet software Directory Server where the NIS object classes will reside. Note The evaluation copy of ypldapd you download comes with a license key which is used to activate the software. The key is very long and must be entered without any whitespace. The installation script also asks if you want to populate the LDAP directory from /etc files. Since you can run the migration scripts later, you can answer no to this question. At this point, the ypldapd software is running and acting as a NIS server. You can do a quick check to see if things are working correctly, by having a NIS client attempt to bind to the server running ypldapd. On a NIS client, issue the following commands: nisclient# ps -e grep ypbind 298? 0:00 ypbind nisclient# kill 298 (pid of ypbind) nisclient# domainname ypldapd_domain nisclient# /usr/lib/netsvc/yp/ypbind -b nisclient# ypwhich ypldapd_host NIS to LDAP Transition: Exploring 9

If the ypwhich command succeeds, then things are working properly. If you have already created some entries in the LDAP directory, you should be able to view them with the ypcat command. For example: nisclient# ypcat passwd nuser:x:1002:1001::/home/nuser:/bin/csh The default ypldapd setup is to bind to the directory as anonymous. This will allow viewing of the NIS data except passwords. To retrieve passwords, which are required for authentication, the ypldapd process must supply appropriate credentials when binding to the directory server. The next section describes how this is done. Binding with Credentials The DN and the associated password which ypldapd binds with can be specified during the installation. This information is stored in the configuration file /opt/ypldapd/etc/ypldapd.conf and can be edited later. The applicable lines are shown below. # (optional) the DN to bind as binddn cn=directory Manager # (optional) the password to bind with bindcred <password> Two pieces of information are required to bind to the directory server: a distinguished name (DN) and a password associated with that name. The common name (cn) Directory Manager is akin to root in the Solaris Operating Environment and is automatically created when the iplanet software Directory Server is installed. Binding with cn=directory Manager gives you access to passwords and allows users to be authenticated using the password stored in an LDAP directory instead of NIS. Note For testing purposes, I set the Directory Manager password to be stored in clear text. This is accomplished by going to the Configuration->Manager tab in the Directory Server Console. In a production environment, the password would be stored in an encrypted format. 10 NIS to LDAP Transition: Exploring February 2000

If the binding is performed correctly, you should be able to view the encrypted password from the ypcat command. For example: nisclient# ypcat passwd nuser:mrm/uavk73kzy:26314:10::/home/nuser:/bin/csh The encrypted passwords can be hidden by specifying the hide_passwords parameter in the ypldapd.conf file.the default is not to set this parameter, which is fine for testing. At this point, you should be able to login as a user you set up in the LDAP directory from the NIS client. If you get a password failure, make sure the iplanet Directory server is configured to store passwords in Unix crypt format and that ypldapd binds to the LDAP directory as cn=directory Manager. Changing the Naming Context The location in the DIT where NIS information is stored is determined by the parameters specified in the namingcontexts.conf file, located in the /opt/ypldapd/etc directory. For testing purposes, the defaults are fine, but can be changed by modifying namingcontexts.conf, parts of which are shown here. # # Account information lives in ou=people. # shadow.byname ou=people, passwd.byuid ou=people, passwd.byname ou=people, passwd.adjunct.byname ou=people, Conclusion I found the ypldapd software easy to install and configure. I was able to set up a Solaris Operating Environment NIS client where users were authenticated using the LDAP directory server and found it to be an excellent learning experience. However, ypldapd is not the only NIS to LDAP gateway software available and does have some limitations. NIS to LDAP Transition: Exploring 11

In future articles, I will be looking at alternatives to ypldapd and will be presenting the pros and cons of each solution. There are also several features of ypldapd which were not discussed in this article. These features are documented in the ypldapd documentation and experimentation with them is left as an exercise for the reader. Author s Bio: Tom Bialaski Tom has nearly 20 years of experience with the UNIX operating system and has been a Sun Microsystems, Inc., engineer since 1984. He is currently a staff engineer on the Sun BluePrints team and is the author of "Solaris Guide for Windows NT Administrators". 12 NIS to LDAP Transition: Exploring February 2000

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback