NIS/LDAP Gateway Administrator's Guide HP-UX 11i v1, v2 and v3 HP Part Number: J4269-90082 Published: September, 2007
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents (fragments)
Preface: About This Document
    Intended Audience
    New and Changed Documentation in This Edition
    Publishing History
LDAP Directory Tools
    ldapsearch
    ldapmodify
    ldapdelete
    Valid Range
    Syntax
    Example
Parent NIS Domain
5 User Tasks
    To Change Passwords
    To Change Personal Information
Glossary

List of Figures
1-1 Typical NIS Environment
1-2 NIS/LDAP Gateway Environment

List of Tables
1 Publishing History Details
1-1 NIS/LDAP Gateway Components
1-2 Client Administration Tools
4-1 Default Naming Context
Preface: About This Document
The latest version of this document can be found online at http://www.docs.hp.com. This document describes how to install and configure the NIS/LDAP Gateway on HP-UX platforms. The document printing date and part number indicate the document's current edition. The printing date changes when a new edition is printed; minor changes may be made at reprint without changing the printing date. The document part number changes when extensive changes are made.
HP Encourages Your Comments HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
1 Overview of NIS/LDAP Gateway This chapter provides a high level overview of what the NIS/LDAP Gateway product is and how it works. The NIS/LDAP Gateway is a Network Information Service (NIS) server that uses an LDAP directory as its information source instead of NIS map files. The Gateway accepts NIS client requests for information, gets the information from an LDAP directory, and returns the information to the NIS clients.
Figure 1-1 Typical NIS Environment. The figure shows an NIS master server (running the ypserv and yppasswdd daemons) performing map transfers to NIS slave servers (each running ypserv). NIS clients (each running ypbind) send NIS requests to the servers, and users change their password with yppasswd. In this NIS environment, the master map files reside on the NIS master server.
Figure 1-2 NIS/LDAP Gateway Environment. The figure shows an LDAP directory server replacing the NIS maps, so there are no map transfers. The NIS servers become NIS/LDAP Gateway servers, each running the ypldapd daemon, which sends LDAP requests to the directory. NIS clients still run ypbind and send NIS requests to the gateway servers; users change their password with ldappasswd. ypldapd replaces ypserv, and ldappasswd replaces yppasswd.
The NIS/LDAP Gateway Components
The NIS/LDAP Gateway product comprises the following components, found under /opt/ldapux/ypldapd except where noted.

Table 1-1 NIS/LDAP Gateway Components
Component            Description
ypldapd              The daemon that replaces the ypserv daemon and serves NIS requests from NIS clients.
ypldapd.conf         The NIS/LDAP Gateway configuration file.
namingcontexts.conf  Configuration file that specifies where in the LDAP directory each NIS map is.
init.d               Contains start-up files.
Table 1-2 Client Administration Tools (continued)
Component                      Description
migrate_passwd.pl              Migrates /etc/passwd to LDIF.
migrate_protocols.pl           Migrates /etc/protocols to LDIF.
migrate_rpc.pl                 Migrates /etc/rpc to LDIF.
migrate_services.pl            Migrates /etc/services to LDIF.
perl, version 5                Used by all the migration scripts.
README-client, README-ypldapd  Additional documentation files.
Contributed tools              Unsupported tools in /opt/ldapux/contrib. See the file /opt/ldapux/contrib/bin/README for details.
2 Installing the NIS/LDAP Gateway This chapter describes the decisions you need to make and the steps you need to take to install and configure the NIS/LDAP Gateway. Before You Begin This section lists some things to keep in mind as you plan your installation. • You must have an LDAP directory. You can obtain Netscape Directory Server 6.21 or Red Hat Directory Server 7.x for HP-UX in HP-UX 11i Foundation OE, Application Release CD or from http://www.hp.com/go/softwaredepot.
If you have an existing directory and you decide to place your NIS data into a new, separate subtree, the migration scripts can build and populate this subtree. If you merge your NIS data into an existing directory, the migration scripts can create LDIF files of your NIS data, but you will have to write your own scripts or use other tools to merge the NIS data into your directory. • How will you test your NIS/LDAP Gateway environment? You may want to set up a separate group of systems to test it on.
include /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf
include /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf
For information on the posix schema (RFC 2307), see http://www.ietf.org.
2. Restrict write access to certain passwd attributes of the posix schema.
CAUTION: Make sure you restrict access to the attributes listed below.
6. Index important entries for better performance. Because many of your directory requests will be for the attributes listed below, index them to improve performance. If you don't, the directory may search sequentially, causing a performance bottleneck. Index on the following attributes:
• cn
• objectclass
• memberuid
• uidnumber
• gidnumber
• uid
To index these attributes with Netscape/Red Hat Directory Server, use the Console: Configuration tab, Indexes tab, Add Attributes button.
7.
Install the NIS/LDAP Gateway on Your Server Use swinstall(1M) to install the NIS/LDAP Gateway software and the Client Administration Tools. See the NIS/LDAP Gateway Release Notes for any last-minute changes to this procedure. You can install the NIS/LDAP Gateway server and the LDAP-UX Client Administration Tools. Import NIS Data into Your Directory The next step is to import your NIS data into your LDAP Directory. How you do this depends on several factors.
basedn The Distinguished Name in your directory where the NIS/LDAP Gateway should begin all searches.
CAUTION: The file ypldapd.conf contains the proxy user's password in clear text, so anyone who can read the file obtains the credentials the gateway uses to bind to the directory. Restrict the permissions on this file so that only root can read it (for example, chmod 600) to reduce this risk.
For testing, you can set ypdomain to a new domain, then set the domain name of your test clients to that domain. When you finish testing, set it to your production domain.
1. On an NIS client system, log in as root and change the domain by editing the file /etc/rc.config.d/namesvrs. Change the line containing NIS_DOMAIN to:
NIS_DOMAIN=test-ldap
2. On the same NIS client system, still logged in as root, restart the NIS client process:
/sbin/init.d/nis.client stop
/sbin/init.d/nis.client start
3.
5. Edit the file /etc/rc.config.d/namesvrs and set NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0.
6. If you want the NIS/LDAP Gateway to restart automatically after rebooting, edit the file /etc/rc.config.d/ypldapd and set YPLDAPD=1.
7. Start the NIS/LDAP Gateway server. If YPLDAPD=0 in the file /etc/rc.config.d/ypldapd, use the following command:
/opt/ldapux/ypldapd/sbin/ypldapd
If YPLDAPD=1 in the file /etc/rc.config.d/ypldapd, use the following command:
/sbin/init.d/ypldapd start
8.
3 Administering the NIS/LDAP Gateway This chapter describes how to administer the NIS/LDAP Gateway to keep it running smoothly and expand it as your computing environment expands.
Adding a Client System Adding an NIS/LDAP Gateway client is essentially the same as adding an NIS client except for ldappasswd or whatever means you give your users for changing their password and other personal information. For more information, see “To Change Passwords” and “To Change Personal Information” and “The ldappasswd Command”. For NIS information see "To Enable NIS Client Capability" in Installing and Administering NFS Services available at http://docs.hp.com/hpux/communications.
and the group map as these are often the largest and most enumerated maps. However, the more maps you preload, the longer the NIS/LDAP Gateway takes to start up. Use the preload_cache parameter in ypldapd.conf. For example, the following command specifies preloading of the passwd.byname map and group.byname map: preload_cache passwd.byname group.byname For information on the preload_cache parameter see “Preload Maps into the Cache”.
Log Files
You can check log files to see whether any unusual incidents have occurred with the NIS/LDAP Gateway or your directory. The NIS/LDAP Gateway logs important events and errors to the file /var/adm/syslog/syslog.log. The Netscape/Red Hat Directory Server for HP-UX logs information to files in the logs directory under /var/opt/netscape/servers/slapd-<name>, where name is the name of your directory server instance.
• Make sure UNIX crypt is the default password storage scheme. Verify in Netscape/Red Hat Directory Server with a command like the following:
ldapsearch -b "o=hp.com" -D "AdminDN" -w "AdminPw" uid=username
where AdminDN is the directory administrator's bind DN (a full distinguished name such as cn=Directory Manager, not a relative DN), AdminPw is the administrator's password, and username is the name of a user in the directory. The user must be an inetorgperson or posixaccount. The userPassword value returned should begin with {crypt}; ldappasswd and the NIS/LDAP Gateway assume that format. Note that a password passed with -w is visible to other users in the process list for as long as the command runs.
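The check above can be applied to a whole subtree rather than one user. The following shell function is an added example, not part of the NIS/LDAP Gateway product: it reads the LDIF that ldapsearch prints on standard input and reports every entry whose userPassword is missing, is stored in a scheme other than {crypt}, or is base64-encoded in the output (userPassword:: in LDIF), which must be decoded before it can be judged. The LDIF it runs on here is constructed sample data, and the {SSHA} value in it is made up.

```shell
#!/bin/sh
# check_crypt_passwords: read ldapsearch LDIF output on stdin and report
# entries whose userPassword is not stored in {crypt} form (the format
# ldappasswd and the NIS/LDAP Gateway assume). Added example, not the
# product's own tooling.
# Output, one line per finding:
#   NOTCRYPT <dn> <value>   stored with another scheme, e.g. {SSHA}
#   NOPASSWORD <dn>         entry has no userPassword at all
#   ENCODED <dn>            value was base64 ("userPassword::"); decode first
check_crypt_passwords() {
    awk '
    function finish() {
        if (dn == "") return
        if (enc)                            print "ENCODED " dn
        else if (pw == "")                  print "NOPASSWORD " dn
        else if (index(pw, "{crypt}") != 1) print "NOTCRYPT " dn " " pw
        dn = ""; pw = ""; enc = 0
    }
    function handle(line) {
        if (line ~ /^dn: /)                 { finish(); dn = substr(line, 5) }
        else if (line ~ /^userPassword:: /) { enc = 1 }
        else if (line ~ /^userPassword: /)  { pw = substr(line, 15) }
    }
    # LDIF folds long values onto continuation lines that begin with one
    # space; glue them back onto the buffered line before looking at it.
    /^ / { buf = buf substr($0, 2); next }
         { if (buf != "") handle(buf); buf = $0 }
    END  { if (buf != "") handle(buf); finish() }'
}

# sample_ldif: constructed ldapsearch output (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: uid=jsmith,ou=People,o=hp.com
uid: jsmith
userPassword: {crypt}abJnggxhB/yWI

dn: uid=bjones,ou=People,o=hp.com
uid: bjones
userPassword: {SSHA}9QUyiCw6jA7mIjnnwH+2rmOAJ4EpnFkM

dn: uid=nopw,ou=People,o=hp.com
uid: nopw

dn: uid=enc,ou=People,o=hp.com
uid: enc
userPassword:: e2NyeXB0fWFiSm5nZ3hoQi95V0k=
EOF
}

# Against a live directory the input would come from the command shown in
# the guide, restricted to the one attribute of interest, for example:
#   ldapsearch -b "o=hp.com" -D "AdminDN" -w "AdminPw" "uid=*" userPassword \
#       | check_crypt_passwords
sample_ldif | check_crypt_passwords
```

Only the administrator's bind returns userPassword values, so run this as the directory administrator; the jsmith entry above produces no output because it already uses {crypt}.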
4 Command and Tool Reference This chapter describes all the commands and tools associated with the NIS/LDAP Gateway: • “The ypldapd Command” describes the NIS/LDAP Gateway daemon and command and its parameters. • “The ldappasswd Command” describes the command that changes passwords in your directory. • “LDAP Directory Tools” briefly describes the tools ldapsearch, ldapmodify, and ldapdelete.
See also "Starting and Stopping the NIS/LDAP Gateway".
The ldappasswd Command
This section describes the ldappasswd command and its parameters. The ldappasswd program, installed in /opt/ldapux/bin, allows users to change their passwords in the directory. Changing a user's password with ldappasswd marks the cache entry for that user as stale, if caching is enabled. ldappasswd assumes an LDAP directory server that stores passwords in {crypt} format. (For more information, see passwd(1) and crypt(3C).)
ldapmodify You use the ldapmodify command-line utility to modify entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and modifies the entries based on the LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do. For details, see the Netscape Directory Server for HP-UX Administrator's Guide available at http://docs.hp.
If you change the default naming context, modify the file migrate_common.ph and change it to reflect your naming context. You must also change the file /opt/ldapux/ypldapd/etc/namingcontexts.conf. See also “Naming Context Mappings”. Migrating All Your Files The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your NIS maps either to LDIF or into your directory. The migrate_all_online.
• migrate_aliases.pl migrates aliases in /etc/aliases to LDIF, conforming to the RFC 822 MailGroup schema.
• migrate_base.pl creates base DN information.
• migrate_fstab.pl migrates file system information in /etc/fstab.
• migrate_group.pl migrates groups in /etc/group.
• migrate_hosts.pl migrates hosts in /etc/hosts.
• migrate_netgroup.pl migrates netgroups in /etc/netgroup.
• migrate_netgroup_byhost.pl migrates the netgroup.byhost map.
userPassword: {crypt}*
gidNumber: 325
The following command migrates /etc/hosts:
migrate_hosts.pl /etc/hosts

Configuration Parameters
You can change the NIS/LDAP Gateway's run-time configuration parameters in the file /opt/ldapux/ypldapd/etc/ypldapd.conf. This section describes these parameters in detail.
NOTE: Because the configuration file contains a password, you should protect it by making the file accessible only by root. Use a command like the following:
chmod 600 ypldapd.
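The mapping that the migration section above describes, from /etc/passwd fields to an RFC 2307 posixAccount entry with a {crypt} userPassword, can be seen end to end in the following shell function. It is an added example, not the product's migrate_passwd.pl, and it assumes ou=People,o=hp.com as the container for user entries; the passwd lines it converts are constructed. Two details a practitioner should not lose in migration are handled explicitly: an empty password field (no password at all) is migrated as a locked entry, and a line that does not have seven fields is reported as an LDIF comment instead of being silently dropped.

```shell
#!/bin/sh
# passwd_to_ldif CONTAINER_DN: read /etc/passwd lines on stdin and print
# RFC 2307 posixAccount LDIF. Added example, not the product's
# migrate_passwd.pl; the container DN passed as $1 is an assumption.
passwd_to_ldif() {
    awk -F: -v base="$1" '
    /^[ \t]*$/ || /^#/ { next }                       # skip blanks, comments
    NF < 7 { print "# skipped malformed line " NR; next }
    {
        split($5, gecos, ",")                          # cn = first GECOS field
        cn = (gecos[1] == "" ? $1 : gecos[1])
        if ($2 == "x")
            print "# " $1 ": hash is in /etc/shadow (shadowed system); merge it before loading"
        print "dn: uid=" $1 "," base
        print "uid: " $1
        print "cn: " cn
        print "objectClass: account"
        print "objectClass: posixAccount"
        print "objectClass: top"
        # Field 2 holds the crypt(3C) hash; the {crypt} prefix tells the
        # directory (and ldappasswd) how it is stored. An empty field means
        # no password, so the entry is written locked with "*" instead.
        print "userPassword: {crypt}" ($2 == "" ? "*" : $2)
        print "loginShell: " $7
        print "uidNumber: " $3
        print "gidNumber: " $4
        print "homeDirectory: " $6
        print ""
    }'
}

# sample_passwd: constructed passwd lines (not a real /etc/passwd).
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real /etc/passwd
jsmith:abJnggxhB/yWI:1001:325:Jane Smith,Bldg 5,x1234:/home/jsmith:/usr/bin/ksh
nopass::1002:325:No Password:/home/nopass:/usr/bin/sh
broken:1003
EOF
}

# Usage with a real file: passwd_to_ldif "ou=People,o=hp.com" < /etc/passwd > passwd.ldif
sample_passwd | passwd_to_ldif "ou=People,o=hp.com"
```

The resulting LDIF can be loaded with ldapmodify as described in "LDAP Directory Tools"; review the skipped-line comments before loading, since each one is an account that would otherwise vanish in the move to the directory.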
LDAP Protocol Version
Specifies the version of the LDAP protocol your directory server is using. Optional.
Default Value: 2
Valid Range: 2 | 3
Syntax: ldapversion integer
Example: ldapversion 3

Search Base DN
Specifies the Distinguished Name in your directory where the NIS/LDAP Gateway should begin all searches. Required.
Syntax: basedn DN
Example: basedn o=hp.
Optional.
Default value: The default is to bind anonymously.
Syntax: binddn DN
Examples:
binddn cn=Directory Manager
binddn cn=proxyuser, ou=people, o=hp.com
Use a dedicated proxy user with read access to the NIS subtree only, as in the second example, rather than the directory administrator: the credentials sit in clear text in ypldapd.conf, so whoever can read that file gains whatever rights the bind DN has.

Bind DN Password
Specifies the credentials or password of the proxy user the NIS/LDAP Gateway uses to bind to the directory. See "Bind DN" above. Optional, but required if using a proxy user.
NOTE: You should protect this password in your configuration file by making the file ypldapd.
Valid Range: sub | one | base, where:
• sub means the NIS/LDAP Gateway searches the base DN and all of its descendants; that is, the entire subtree.
• one means search only the immediate children of the base DN; that is, one level down.
• base means search only the base DN itself. Do not use this value; it is too restrictive, since it prevents searching below the base DN.
Valid Range: on | off
Syntax: extended Boolean
Example: extended off

Parent NIS Domain
Specifies the NIS domain to fall through to if the needed information is not found in the directory. Maps the NIS/LDAP Gateway does not support, and requests the directory cannot fulfil, are supplemented by binding to the specified parent domain (parentdomain). Optional.
Syntax: timelimit integer
Example: timelimit 6000

Enable or Disable Caching
Specifies whether the NIS/LDAP Gateway should cache information from the directory. See "Caching" for more information. Optional.
Default: caching on
Valid Range: on | off
Syntax: caching Boolean
Example: caching off

Cache Lifetime
Specifies how often, in minutes, the NIS/LDAP Gateway should refresh the preloaded maps in the cache and flush all other maps from the cache.
Syntax: preload_maps mapname [mapname2 [... mapnameN]]
Recommended: preload_maps group.byname
Example: preload_maps passwd group hosts

Maximum Number of Processes
Specifies the maximum number of processes to fork for enumeration requests. See "Minimizing Enumeration Requests" for more information. Optional.
Default: maxchildren 0
Recommended: 5 or greater
Syntax: maxchildren integer
Example: maxchildren 10

Use Caching for Enumeration Requests
Specifies whether enumeration requests use caching.
NIS Master Host Name
Specifies the host name that the ypwhich command should return as the NIS server. By default, ypwhich returns the name of the local host. Optional.
Syntax: ypmaster hostname
Example: ypmaster nisserver

PID File
Specifies the file in which to write the process identifier (PID) of the NIS/LDAP Gateway daemon, ypldapd. If you don't specify a full path, the file is placed in the root directory, /. Optional.
Default: pidfile /var/run/ypldapd.pid
Recommended: pidfile /var/run/ypldapd.
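The settings described in this section are easy to get wrong in ways that are only visible when the gateway misbehaves or when someone reads the bind credentials. The following shell script is an added example, not part of the NIS/LDAP Gateway product: it reads a ypldapd.conf and flags the choices this guide warns against, namely a file readable by anyone other than root (the CAUTION in "Installing" and the NOTE under "Configuration Parameters"), ldapversion 2, binding anonymously or as the directory superuser instead of a read-only proxy user, a search scope of base, caching off, and maxchildren below the recommended 5. It returns the number of findings. The parameter name scope for the search scope is an assumption (the guide gives the range sub | one | base but its syntax line is not reproduced here), the sample file it writes is constructed, and it does not verify that the file is owned by root.

```shell
#!/bin/sh
# audit_ypldapd_conf.sh: flag weak or unrecommended settings in a
# ypldapd.conf. Added example, not part of the HP-UX NIS/LDAP Gateway.
# Parameter names follow this guide (ldapversion, basedn, binddn, bindcred,
# caching, maxchildren); "scope" for the search scope is an assumption.

# conf_get FILE PARAM: print the value of PARAM (first match, comment
# lines ignored), or nothing if it is not set.
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_conf FILE: print one line per finding and return the number of
# findings (0 means nothing was flagged). Ownership is not checked here;
# the file should also be owned by root.
audit_conf() {
    f=$1
    n=0

    # bindcred is stored in clear text, so group and other must have no
    # access bits at all (ls -l mode string positions 5 to 10 are dashes).
    mode=$(ls -l "$f" | cut -c1-10)
    case $mode in
        ????------) ;;
        *) echo "perms: $f is $mode; expected 0600 (chmod 600)"; n=$((n+1)) ;;
    esac

    v=$(conf_get "$f" ldapversion)
    [ "${v:-2}" = 3 ] || { echo "ldapversion: ${v:-2 (default)}; use 3"; n=$((n+1)); }

    b=$(conf_get "$f" binddn)
    case $b in
        "") echo "binddn: unset, the gateway binds anonymously; use a read-only proxy user"
            n=$((n+1)) ;;
        "cn=Directory Manager"*)
            echo "binddn: $b is the directory superuser; use a read-only proxy user"
            n=$((n+1)) ;;
    esac
    if [ -n "$b" ] && [ -z "$(conf_get "$f" bindcred)" ]; then
        echo "bindcred: missing although binddn is set"; n=$((n+1))
    fi

    s=$(conf_get "$f" scope)
    [ "$s" != base ] || { echo "scope: base prevents searching below basedn; use sub"; n=$((n+1)); }

    c=$(conf_get "$f" caching)
    [ "${c:-on}" != off ] || { echo "caching: off, every NIS request goes to the directory"; n=$((n+1)); }

    m=$(conf_get "$f" maxchildren)
    [ "${m:-0}" -ge 5 ] || { echo "maxchildren: ${m:-0}; the guide recommends 5 or greater"; n=$((n+1)); }

    return $n
}

# sample_conf: write a constructed ypldapd.conf (not a real site) that
# makes several of the weak choices above, and print its path.
sample_conf() {
    f=${TMPDIR:-/tmp}/ypldapd.sample.$$
    cat > "$f" <<'EOF'
# constructed sample ypldapd.conf
ypdomain    test-ldap
ldapversion 2
basedn      o=hp.com
binddn      cn=Directory Manager
bindcred    secret
scope       base
caching     off
EOF
    chmod 644 "$f"
    echo "$f"
}

# Usage against the real file: audit_conf /opt/ldapux/ypldapd/etc/ypldapd.conf
f=$(sample_conf)
audit_conf "$f"
echo "findings: $?"
rm -f "$f"
```

Run as root against /opt/ldapux/ypldapd/etc/ypldapd.conf after every change; a clean run returns 0, and any non-zero return is a list of settings to revisit before restarting ypldapd.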
5 User Tasks This chapter describes the following tasks your users will need to do: • “To Change Passwords” • “To Change Personal Information”, such as login shell, phone number and location To Change Passwords On HP-UX, users change their passwords with the passwd(1) command which changes /etc/passwd or the NIS maps or the yppasswd(1) command which changes the NIS maps. With users' passwords in the directory, they must use a different method of changing their password.
Glossary
See also the Glossary in the Netscape Directory Server for HP-UX Administrator's Guide available at http://docs.hp.com/hpux/internet.
Access Control Instruction  A specification controlling access to entries in a directory.
Access Control List  One or more ACIs.
ACI  See Access Control Instruction.
ACL  See Access Control List.
IETF  Internet Engineering Task Force; the organization that defines the LDAP specification. See http://www.ietf.org.
Index (fragments; page references omitted)
access control instruction (ACI); add a client; administration tools; authentication; automatic start-up, files; basedn; bindcred; binddn; cache: enabling, enumeration requests, frequency of refresh, lifetime, preload maps, refresh, refreshing; enumeration requests; extended; fall through to DNS; fall through to NIS; finger; force a refresh of the cache; sha
NIS: fall through, master map files, migrate maps, ypbind, yppasswd, ypserv; NIS and NIS/LDAP Gateway compared; NIS domain; NIS environment; NIS migration scripts; NIS/LDAP Gateway environment
parentdomain; password, change; performance: cache, enumeration requests, improving; performance tuning; perl; perl scripts; pidfile; posix schema; preload maps in the cache; preload maps into cache; preload_cache