NIS+ to LDAP Migration Guide
HP-UX 11.0, 11i v1 and v2
Edition 3
Manufacturing Part Number: J4269-90054
E0606
© Copyright 2006 Hewlett-Packard Company, L.P.
Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents

1. Overview of NIS+ to LDAP Migration
   Migration Overview . . . 2
   Documentation References . . . 3
   Overview of the LDAP-UX Integration Product . . . 4
   LDAP Directory Server and LDAP-UX Client Services
   ldapsearch
   ldapmodify
   ldapdelete
   NIS+ to LDAP Migration Scripts
Preface: About This Document

The latest version of this document can be found online at: http://www.docs.hp.com

This document describes the migration procedures used to migrate the NIS+ server to the LDAP directory server and to install LDAP-UX Client Services on HP-UX NIS+ clients. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date.
Table 1 Publishing History (Continued)

  Document Manufacturing Part Number: J4269-90054
  Operating Systems Supported: 11i v1 and v2
  Supported Product Versions: B.04.00
  Publication Date: June, 2006

What’s in This Document

This manual describes the migration procedures you take to migrate the NIS+ servers to the LDAP directory server and to install the LDAP-UX Client Services on NIS+ clients.
1 Overview of NIS+ to LDAP Migration

This chapter provides the migration overview, a high-level overview of what the LDAP-UX Integration product is, and feature and security comparisons between LDAP-UX and NIS+.
Migration Overview

LDAP-UX Integration product 4.0 delivers functionality that replaces NIS+: the LDAP-UX Integration product is used in place of the features that NIS+ provided. This evolution means that the NIS+ Client and Server products will no longer be released as part of the HP-UX 11i v3 release. The LDAP-UX Integration product is the recommended replacement for NIS+.
NOTE: Any user applications that call NIS+ APIs directly, without going through the Name Service Switch (NSS), must be modified to call the corresponding LDAP APIs to do the same task. The LDAP-UX Integration product supports the Mozilla LDAP SDK, a Software Development Kit that contains a set of LDAP Application Programming Interfaces (APIs) for building LDAP-enabled clients.
Overview of the LDAP-UX Integration Product

The LDAP-UX Integration product uses the Lightweight Directory Access Protocol (LDAP) to centralize user, group and network information management in an LDAP directory. The LDAP-UX Integration product includes the following subproducts:

• LDAP-UX Client Services. Provides both an LDAP-based Pluggable Authentication Module (PAM) and Name Service Switch (NSS) module.
Comparing Features and Security Between LDAP-UX and NIS+

• Centralized authentication of HP-UX PAM-enabled applications and LDAP-enabled enterprise applications.
• Host access control of individual users or groups.
• Enforcement of global account and password policies.
• Data privacy using SSL encryption.
• Co-existence with HP-UX Trusted Mode and shadow passwords.
access the database. The LDAP server provides global account and password policies to LDAP-enabled clients and applications. There are some feature differences between LDAP and NIS+.
• NIS+ can hide passwords from users and supports Trusted Mode to offer extensive password and account policies, but the passwords are sent in clear text over the network. With LDAP support, passwords can also be hidden from users, and they may be stored hashed to protect them. The LDAP directory server supports the UNIX crypt, SHA, and SSHA hashing methods.
a. Enforced by Trusted Mode for local accounts. Enforced by the LDAP server for LDAP accounts.

Trusted Mode

NIS+ supports Trusted Mode to provide extensive password and audit policies for local accounts. LDAP-UX Client Services version B.03.30 or later supports coexistence with Trusted Mode systems.
Comparing LDAP and NIS+ Information Sharing

Traditionally, HP-UX account and configuration information is stored in text files like /etc/passwd and /etc/group. NIS+ is used to ease system administration by sharing the information across systems on the network. With NIS+, account and configuration information resides on NIS+ servers.
LDAP-UX Client Services improves on this configuration information sharing. User, group, and other network operating system configuration information can be integrated with other identity information in other organization-wide applications. The account and configuration information is stored in an LDAP directory. Client systems retrieve this shared configuration information across the network from the LDAP directory.
Refer to pam(3) and pam.conf(4) and to Managing Systems and Workgroups: A Guide For System Administrators at http://docs.hp.com/hpux/os/11iv2/ for more information on PAM. For information on NSS, refer to switch(4) and “Configuring the Name Service Switch” in the NFS Services Administrator’s Guide at http://docs.hp.com.
LDAP-UX Client Administrator’s Tools And Migration Scripts

Table 1-3 shows a list of the LDAP-UX client administrator’s tools. These tools can be used to manage data in an LDAP directory server.

Table 1-3 LDAP Administrator’s Tools

  Tool        Description
  ldapdelete  Allows you to delete entries in the directory.
  ldapmodify  Allows you to add, delete, modify, or rename directory entries.
Table 1-4 NIS+ to LDAP Migration Tools (Continued)

  Tool                           Description
  migrate_nisp_netgroup.pl       Migrates netgroups from the NIS+ server to LDIF.
  migrate_nisp_networks.pl       Migrates networks from the NIS+ server to LDIF.
  migrate_nisp_rpc.pl            Migrates RPCs from the NIS+ server to LDIF.
  migrate_all_nisplus_online.sh  Migrates NIS+ name service data into an LDAP directory.
  cred_table_sort.
2 Migrating NIS+ to LDAP

This chapter describes the NIS+ to LDAP migration procedures. It includes the decisions you need to make and the procedures you need to take to install, configure and verify the Netscape Directory Server for HP-UX and the LDAP-UX Client Services.
Before You Begin

• Most examples here use the Netscape Directory Server for HP-UX and assume you have some knowledge of this directory and its tools, such as the Directory Console and ldapsearch. If you have another directory, consult your directory’s documentation for specific information.
• For detailed procedures on how to set up, install and configure the LDAP-UX Client Services to work with the Netscape Directory Server for HP-UX, refer to LDAP-UX Client Services B.04.
Summary of Migration Steps

This section summarizes the steps you take when migrating NIS+ service data to the LDAP directory server and installing the LDAP-UX Client Services on all NIS+ clients.

Migrating NIS+ Service Data to the LDAP Server

This section summarizes the steps you take when migrating NIS+ service data from the NIS+ server to the LDAP directory server:

Step 1.
Migrating NIS+ Clients to LDAP-UX Client Services

This section summarizes the steps you take when migrating the NIS+ client systems to LDAP-UX Client Services:

Step 1. Install LDAP-UX Client Services B.04.00 on all NIS+ client systems, if not already installed. See “Installing the LDAP-UX Integration Product” on page 20 for details.

Step 2.
Installing and Configuring Your LDAP Directory Server

This section describes how to install and configure your LDAP directory server to work with LDAP-UX Client Services. Examples are given for Netscape Directory Server for HP-UX. If you have a different directory, see the documentation for your directory for details on how to install and configure it.
Installing the LDAP-UX Integration Product

Use swinstall(1M) to install the LDAP-UX Integration product, J4269AA. See the LDAP-UX Client Services B.04.00 Release Notes for more details on the installation procedures. The LDAP-UX Integration product is available at http://www.software.hp.com. You must install the LDAP-UX Integration product version B.04.00.
Installing ONC EP/NCF Software and AutoFS 2.3 Patch

ONC EP/NCF Software Requirement

When migrating NIS+ to LDAP, support for publickey requires a functionality enhancement in LDAP-UX Client Services and an enhancement in the ONC product. ONC with publickey LDAP support is available via the ONC EP/NCF Software Pack (SPK) web release for HP-UX 11i v1 and v2.
AutoFS Patch Requirement

AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it. If you use the LDAP directory to store and manage your AutoFS maps, you must update your client systems to a version of AutoFS that supports LDAP.
Extending Publickey or Automount Schema Into Netscape Directory Server

You must extend your Netscape Directory Server with the publickey schema or the new automount schema if you want to migrate the public keys of users and hosts or AutoFS maps from the NIS+ server to your LDAP directory server.
• objectClasses: ( 1.3.6.1.1.1.2.9 NAME ’automount’ DESC ’Standard LDAP objectclass’ SUP top MUST ( cn $ automountInformation ) MAY ( description ) X-ORIGIN ’RFC2307’ )

If the above two entries exist, go to step 3. Otherwise, go to step 6.

Step 3. Stop your Netscape Directory Server daemon, slapd:

  /var/opt/netscape/servers/slapd-/stop-slapd

For example:

  /var/opt/netscape/servers/slapd-ldapA.cup.hp.
objectClasses: ( 1.3.6.1.1.1.2.14 NAME ’nisKeyObject’ DESC ’An object with a public and secret key’ SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) X-ORIGIN ’user defined’ )

attributeTypes: ( 1.3.6.1.1.1.1.28 NAME ’nisPublicKey’ DESC ’NIS public key’ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
Each entry started by “attributetypes:” or “objectclasses:” must be one continuous line.

Importing Your NIS+ Data to Your LDAP Directory Server

This section describes the steps you take to import your NIS+ data to your LDAP directory. How you do this depends on several factors. Here are some considerations when planning this:

• The migration scripts take your NIS+ data and generate LDIF files.
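A check for the two schema preconditions above (the required objectClasses are present, and every attributetypes:/objectclasses: entry is one continuous line), written as an added example for this guide and not code from the LDAP-UX product; the schema text it reads is constructed, and in practice you would pass the contents of your own schema file.

```python
"""Added example: checks a directory schema file for the objectClasses the
migration needs and flags entries that were wrapped across lines (the guide
requires each attributetypes:/objectclasses: entry to be one continuous line).
SAMPLE_SCHEMA is constructed; pass your own schema file's contents instead."""
import re

# Constructed sample: the first two entries are on one line; the third was
# wrapped onto a continuation line, which the directory will not load.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'automount' DESC 'Standard LDAP objectclass' SUP top MUST ( cn $ automountInformation ) MAY ( description ) X-ORIGIN 'RFC2307' )
objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object with a public and secret key'
 SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) X-ORIGIN 'user defined' )
"""
# The same schema with the wrapped entry joined back onto one line.
FIXED_SCHEMA = SAMPLE_SCHEMA.replace("key'\n SUP top", "key' SUP top")

ENTRY_RE = re.compile(r"^(attributetypes|objectclasses):\s*(.*)$", re.IGNORECASE)
NAME_RE = re.compile(r"NAME\s+'([^']+)'")
OID_RE = re.compile(r"^\(\s*([\d.]+)")


def parse_schema(text):
    """Return (entries, problems).

    entries  -- (kind, name, oid) for every attributetypes:/objectclasses: line
    problems -- descriptions of entries that are not on one continuous line
    """
    entries, problems = [], []
    last_kind = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m:
            kind, body = m.group(1).lower(), m.group(2)
            name_m, oid_m = NAME_RE.search(body), OID_RE.match(body)
            name = name_m.group(1) if name_m else None
            oid = oid_m.group(1) if oid_m else None
            # An entry that is complete on its line has balanced parentheses.
            if body.count("(") != body.count(")"):
                problems.append(f"line {lineno}: {kind} {name!r} is not on one continuous line")
            entries.append((kind, name, oid))
            last_kind = kind
        elif line.startswith(" ") and last_kind:
            # LDIF continuation line right after a schema entry: the entry was wrapped.
            problems.append(f"line {lineno}: continuation line wraps a {last_kind} entry")
        else:
            last_kind = None
    return entries, problems


def has_objectclass(entries, name):
    """True when an objectclasses: entry with this NAME is present (case-insensitive)."""
    return any(k == "objectclasses" and n and n.lower() == name.lower() for k, n, _ in entries)


def schema_ready(text, required=("automount", "nisKeyObject")):
    """The guide's decision point: required objectClasses present and well-formed?"""
    entries, problems = parse_schema(text)
    return all(has_objectclass(entries, oc) for oc in required) and not problems
```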
Steps to Import Your NIS+ Data into Your Directory

Migration scripts are provided to ease the task of importing your NIS+ data into your LDAP directory. See Chapter 3, “Command and Tool Reference,” on page 39 for a complete description of the NIS+ to LDAP migration scripts, what they do, and how to use them. You should migrate NIS+ service data one domain at a time.
Step 7. Create the file that will contain all the data extracted from the NIS+ server and placed into an LDIF formatted file:

  rm main.ldif
  touch main.ldif

Step 8. If you do not have the credential tables on the NIS+ server that you want to migrate, then skip this step and go to step 10. Run the cred_table_sort.
Step 11. Run the migrate_nisp_autofs.pl script to migrate each of the AutoFS maps determined in step 10 (such as /etc/auto_master, /etc/auto_home, /etc/auto_direc, etc.) from the NIS+ server to the nisp_automap.ldif file. Append the nisp_automap.ldif file to the LDIF formatted file, main.ldif. Migrate the AutoFS maps into the LDIF file one map at a time.

  ./migrate_nisp_autofs.pl
  cat nisp_automap.
  ./migrate_nisp_aliases.pl
  cat nisp_aliases.ldif >> main.ldif

Step 14. Run the /opt/ldapux/bin/ldapmodify tool to import the LDIF file main.ldif that you created above into the LDAP directory server. For example, the following command imports main.ldif to the base DN cup.hp.com in the LDAP directory server LDAPSERV1:

  /opt/ldapux/bin/ldapmodify -a -c -h LDAPSERV1 -D \
  "cn = Directory Manager" -w -f main.ldif

Step 15.
  Enter the manager DN

Enter the credentials of the directory manager for the following question:

  Enter the credentials to bind with

This completes the migration of your existing NIS+ server data into your LDAP directory server.
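Because main.ldif is a concatenation of several scripts' output and ldapmodify -a -c keeps going past failed entries, a pre-check of the file before step 14 catches records that would be rejected. The following is an added example for this guide, not one of the LDAP-UX migration scripts; its sample LDIF is constructed around the hosts entry format the guide shows.

```python
"""Added example (not an LDAP-UX script): sanity-checks the concatenated
main.ldif before it is handed to ldapmodify -a -c. It folds LDIF continuation
lines, reports records that do not begin with dn:, and reports DNs that occur
more than once, since the second add of a DN is rejected as already existing.
SAMPLE_MAIN_LDIF is constructed: one good record, one duplicate, one without dn:."""
import base64
import re
from collections import Counter

SAMPLE_MAIN_LDIF = """\
dn: cn=mira.cup.hp.com,ou=Hosts,dc=cup,dc=hp,dc=com
objectclass: ipHost
objectclass: device
objectclass: top
ipHostNumber: 10.1.80.60
cn: mira
cn: mira.cup.hp.com

dn: cn=mira.cup.hp.com, ou=Hosts, dc=cup, dc=hp, dc=com
objectclass: ipHost
cn: mira

objectclass: posixAccount
uid: missingdn
"""


def split_records(text):
    """Split LDIF text into records; a line starting with a space continues the previous line."""
    records, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                records.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def normalize_dn(dn):
    """Lower-case and drop spaces around commas so equivalent DNs compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def check_ldif(text):
    """Return a list of problems; an empty list means main.ldif is safe to import."""
    problems, dns = [], []
    for number, record in enumerate(split_records(text), 1):
        first = record[0]
        if not first.lower().startswith("dn:"):
            problems.append(f"record {number} does not begin with dn:")
            continue
        dn = first[3:]
        if dn.startswith(":"):  # dn:: carries a base64-encoded DN
            dn = base64.b64decode(dn[1:]).decode("utf-8")
        dns.append(normalize_dn(dn))
    for dn, count in Counter(dns).items():
        if count > 1:
            problems.append(f"{dn} appears {count} times")
    return problems
```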
Configuring LDAP-UX Client Services

Below is a summary of how to configure LDAP-UX Client Services with Netscape Directory Server 6.11 or later. For detailed information on how to set up a default configuration, see the “Quick Configuration” section in the LDAP-UX Client Services Administrator’s Guide available at http://www.docs.hp.com.
• AutoFS is a client-side service that supports automatic mounting and unmounting of file systems. LDAP-UX Client Services B.04.00 supports the automount service under the AutoFS subsystem. This new feature allows you to store and manage AutoFS maps in an LDAP directory. To enable AutoFS for LDAP support, you must configure the Name Service Switch (NSS). Save a copy of the /etc/nsswitch.
NOTE: You must run the setup program to configure the LDAP-UX Client Services. Otherwise, the LDAP-UX Client Services will not work properly. For detailed procedures on how to run the setup program to configure the LDAP-UX Client Services, see the “Configure the LDAP-UX Client Services” section in the LDAP-UX Client Services B.04.00 Administrator’s Guide available at http://www.docs.hp.com.
For detailed information on how to configure the policy file, /etc/opt/ldapux/pam_authz.policy, see the “PAM_AUTHZ Login Authorization Enhancement” section in the LDAP-UX Client Services B.04.00 Administrator’s Guide.

After you configure your directory and the first client system, configuring additional client systems is simpler. Refer to the “Configure Subsequent Client Systems” section in the LDAP-UX Client Services B.04.
Verify LDAP-UX Client Services

This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services.
• Log in to the client system from another system using rlogin or telnet. Log in as a user in the directory and as a user in /etc/passwd to make sure both work.
• Use the ls(1) or ll(1) command to examine files belonging to a user whose account information is in the directory.
3 Command and Tool Reference

This chapter briefly describes the LDAP directory tools used to search, add, modify or delete entries in an LDAP directory, and the NIS+ to LDAP migration scripts. It includes the following sections:

• “The ldappasswd Command” on page 39 describes the command that changes passwords in your directory.
• “LDAP Directory Tools” on page 40 briefly describes the tools ldapsearch, ldapmodify, and ldapdelete.
-c         generates an encrypted password on the client. Use this parameter for directories that do not automatically encrypt passwords. The default is to send the new password in plain text to the directory. Netscape Directory Server 6.x for HP-UX supports automatic encryption of passwords.
-v         prints the software version and exits.
-p port    specifies port as the LDAP server TCP port number.
-D binddn  specifies binddn as the bind distinguished name.
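The hashed userPassword forms that Chapter 1 lists (SHA and SSHA) and that ldappasswd -c or the directory's automatic encryption produce, as an added example for this guide rather than LDAP-UX or Netscape Directory Server code: it builds {SHA} and {SSHA} values, verifies a candidate password against them, and tells a hashed value from one still stored in clear text. The sample password and fixed salt are constructed.

```python
"""Added example (not LDAP-UX or Netscape Directory Server code): builds and
verifies the {SHA} and {SSHA} userPassword values a directory stores when
passwords are hashed, and distinguishes them from clear-text storage.
Sample passwords and the fixed salt used in tests are constructed."""
import base64
import hashlib
import hmac
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}")


def sha_hash(password):
    """{SHA}: base64 of the unsalted SHA-1 digest. Same password gives the same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password, salt=None):
    """{SSHA}: base64 of SHA-1(password + salt) followed by the salt itself."""
    if salt is None:
        salt = os.urandom(8)  # a fresh random salt for every stored password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def storage_scheme(user_password):
    """Return the scheme tag of a userPassword value, or 'CLEARTEXT' if it has none."""
    m = SCHEME_RE.match(user_password)
    return m.group(1).upper() if m else "CLEARTEXT"


def verify_password(password, user_password):
    """Check a candidate password against a {SHA}, {SSHA} or clear-text userPassword value."""
    scheme = storage_scheme(user_password)
    candidate = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate, user_password.encode("utf-8"))
    raw = base64.b64decode(user_password[len(scheme) + 2:])  # strip the {TAG}
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    raise ValueError(f"unsupported userPassword scheme {scheme}")
```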
Additional tools are available in the directory /opt/ldapux/contrib/bin; however, these tools are unsupported. See the file /opt/ldapux/contrib/bin/README for more information.

ldapentry

ldapentry is a script tool that simplifies the task of adding, modifying and deleting entries in an LDAP directory. It supports the following name services: passwd, group, hosts, rpc, services, networks, and protocols.
LDAP_SCOPE   The scope of the LDAP search (sub, one, base). Defaults to sub if LDAP_BASEDN is defined but LDAP_SCOPE is not. You must define LDAP_BASEDN if you define LDAP_SCOPE.
INSERT_BASE  This DN tells ldapentry where to insert new entries. This value defaults to LDAP_BASEDN or a default discovered by the profile. INSERT_BASE is only used when adding entries.
EDITOR       The editor to use when an entry is added or modified.
Refer to the ldapentry(1) man page for more detailed information.

Examples

The following configuration variables are defined in the user's configuration file as ~/.
ldapsearch

You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For details, see the Netscape Directory Server for HP-UX Administrator’s Guide available at http://docs.hp.com/hpux/internet.
NIS+ to LDAP Migration Scripts

script migrate_all_nisplus_online.sh migrates all of your groups, hosts, services, netgroup, rpc, protocols and networks maps at one time, while the perl scripts migrate_nisp_group.pl, migrate_nisp_hosts.pl, migrate_nisp_services.pl, migrate_nisp_netgroup.pl, migrate_nisp_rpc.pl, and so forth, migrate individual NIS maps. The migration scripts require perl, version 5 or later, which is installed in /opt/ldapux/contrib/bin/perl.
Table 3-1 NIS+ to LDAP Migration Tools (Continued)

  Tool                     Description                                                                        Corresponding LDIF File
  migrate_nisp_passwd.pl   Migrates all user accounts with encrypted passwords from the NIS+ server to LDIF.  nisp_passwd.ldif
  migrate_nisp_aliases.pl  Migrates all user accounts with encrypted passwords from the NIS+ server to LDIF.  nisp_aliases.ldif
  migrate_nisp_protocols.
Table 3-1 NIS+ to LDAP Migration Tools (Continued)

  Tool                           Description                                                                                                                        Corresponding LDIF File
  cred_table_sort.pl             Migrates credential table entries including public keys and secret keys of users and hosts from the NIS+ server to the flat (etc) file.  passwd.cred.etc and host.cred.
  migrate_all_nisplus_online.sh  Migrates NIS+ name service data to an LDAP directory.
  scriptname [inputfile]

where

  scriptname  Is the name of the particular script you are using.
  inputfile   Applies only to the migrate_nisp_autofs.pl and migrate_nisp_nonstandard.pl scripts, which require you to provide the name of the appropriate name service map file that you want to migrate. For example, migrate_nisp_autofs.pl auto_master and migrate_nisp_autofs.pl auto_home.
Table 3-2 Default Naming Context (Continued)

  NIS+ Map Name                      Location in the Directory Tree
  user-defined (non-standard) map a  nisMapName=mapname

a. In general, non-standard NIS+ maps should be converted into LDAP-based schemas. This procedure generally requires migration consultation from LDAP experts.

If you change the default naming context, modify the file migrate_common.ph and change it to reflect your naming context.
  cd /opt/ldapux/migrate/nisplusmigration

Step 2. Run the cred_table_sort.pl script to extract the credential table entries, including the public key and secret key of users and hosts, from the NIS+ server. This creates the two files passwd.cred.etc and host.cred.etc:

  ./cred_table_sort.pl

Step 3. Run the following two scripts that migrate the credential files, passwd.cred.etc and host.cred.etc, created in step 2 into two LDIF files, passwd.
  Enter the name of your LDAP server

Enter the manager DN for the following question.
• migrate_nisp_autofs.pl

Migrating User-Defined Maps

The LDAP directory has a special object class, nisMap, which is used to store user-defined (non-standard) maps. The migrate_nisp_nonstandard.pl migration script migrates user-defined maps to an LDIF file using nisMap as the object class and storing the name of the user-defined map in the nisMapName location.
The following commands migrate all user accounts with encrypted passwords from the NIS+ server into LDIF and place the results in the nisp_passwd.ldif file:

  export LDAP_BASEDN="dc=cup,dc=hp,dc=com"
  export DOM_ENV="cup.hp.com"
  migrate_nisp_passwd.
The following commands migrate hosts data from the NIS+ server to LDIF and place the results in the nisp_hosts.ldif file:

  export LDAP_BASEDN="dc=cup,dc=hp,dc=com"
  export DOM_ENV="cup.hp.com"
  migrate_nisp_hosts.pl

  dn: cn=mira.cup.hp.com,ou=Hosts,dc=cup,dc=hp,dc=com
  objectclass: ipHost
  objectclass: device
  objectclass: top
  ipHostNumber: 10.1.80.60
  cn: mira
  cn: mira.cup.hp.
The following commands migrate the AutoFS map /etc/auto_indirect from the NIS+ server to LDIF and place the results in the nisp_automap.ldif file:

  export LDAP_BASEDN="dc=nishpbnd"
  export DOM_ENV="cup.hp.com"
  migrate_nisp_autofs.pl /etc/auto_indirect

The following shows the /etc/auto_indirect file:

  #local mount point    remote server:directory
  lab1                  hostA:/tmp
  lab2                  hostB:/tmp

The following shows the nisp_automap.
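The conversion the /etc/auto_indirect example performs, as an added example for this guide and not migrate_nisp_autofs.pl itself: it parses an indirect AutoFS map (comments, blank lines, mount options, backslash continuations) and renders one LDIF entry per key with the automount objectClass (cn and automountInformation) from the schema the guide extends. The container nisMapName=<map>,<LDAP_BASEDN> is an assumption; the guide's script defines the actual layout, and the sample map is constructed from the guide's file plus one extra line.

```python
"""Added example (not migrate_nisp_autofs.pl): parses an indirect AutoFS map and
renders one LDIF entry per key using the automount objectClass (cn +
automountInformation). The container DN built by container() is an assumption.
SAMPLE_MAP is constructed: the guide's two lines plus a replicated, optioned entry."""
import base64

SAMPLE_MAP = """\
#local mount point    remote server:directory
lab1                  hostA:/tmp
lab2                  hostB:/tmp
lab3   -ro,soft       hostC:/export/lab3   \\
                      hostD:/export/lab3
"""


def parse_automount_map(text):
    """Return [(key, information)]: skips comments and blank lines, joins
    backslash-continued lines, and keeps mount options with the location."""
    logical, pending = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    entries = []
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split()
        if not rest:
            raise ValueError(f"map key {key!r} has no location")
        entries.append((key, " ".join(rest)))
    return entries


def ldif_attr(attr, value):
    """Emit 'attr: value', switching to base64 ('attr:: ') where LDIF requires it:
    a leading space, ':' or '<', trailing whitespace, or non-ASCII content."""
    unsafe = value[:1] in (" ", ":", "<") or value != value.rstrip() or not value.isascii()
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def container(map_name, base_dn):
    """Assumed container DN for a map's entries; not taken from the guide."""
    return f"nisMapName={map_name},{base_dn}"


def automount_map_to_ldif(map_name, text, base_dn):
    """Render the LDIF for one map: one record per key, records separated by blank lines."""
    records = []
    for key, info in parse_automount_map(text):
        records.append("\n".join([
            f"dn: cn={key},{container(map_name, base_dn)}",
            "objectclass: automount",
            "objectclass: top",
            ldif_attr("cn", key),
            ldif_attr("automountInformation", info),
        ]))
    return "\n\n".join(records) + "\n"
```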
Glossary

Refer to the Glossary in the Netscape Directory Server for HP-UX Administrator’s Guide available at http://docs.hp.com/hpux/internet.

Access Control Instruction  A specification controlling access to entries in a directory.
Access Control List  One or more ACIs.
ACI  See Access Control Instruction.
ACL  See Access Control List.
Network Information Service Plus (NIS+)  A distributed database system providing centralized management of common configuration files, such as /etc/passwd and /etc/hosts.