NIS/LDAP Gateway Administrator's Guide
If you have an existing directory and you decide to place your NIS data into a new, separate
subtree, the migration scripts can build and populate this subtree.
If you merge your NIS data into an existing directory, the migration scripts can create LDIF
files of your NIS data, but you will have to write your own scripts or use other tools to merge
the NIS data into your directory.
• How will you test your NIS/LDAP Gateway environment?
You may want to set up a separate group of systems to test it on. Or you could install the
NIS/LDAP Gateway on one of your existing NIS servers or some other system but use a new
domain just for testing. Then change one or more existing NIS clients' domains to the new
domain for testing. When you have things set up and working correctly, change the
NIS/LDAP Gateway domain to your production domain. You can use ypset(1M) to force
one or more clients to bind to the NIS/LDAP Gateway for testing. If you encounter problems,
you can stop the NIS/LDAP Gateway and restart ypserv. You can migrate one NIS server
at a time to the NIS/LDAP Gateway, testing each as you go.
NOTE: You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway server (ypldapd)
simultaneously on the same system.
• How will you communicate with your user community about the change? How will your
users change their personal information such as passwords, login shell, and finger(1)
information?
You can install ldappasswd on your NIS client systems to replace yppasswd. Or you can
create or purchase web-based tools your users can use to update their passwords and other
information in the directory. Note that at this release, the HP-UX commands chsh(1) and
chfn(1) do not change information in the directory.
NOTE: The csh(1) shell and finger(1) command request the entire contents of the passwd
map for certain operations, which may result in a performance bottleneck. For this reason,
you may want to restrict use of csh(1) and finger(1). See “Minimizing Enumeration Requests”
for more information.
• How will you put your NIS/LDAP Gateway into production after testing?
One possible way is to convert each NIS server to an NIS/LDAP Gateway server, one server
at a time, one subnet at a time. When you are confident that the server is working, convert the
next NIS server to the NIS/LDAP Gateway. During the transition, you will probably need
to keep your NIS maps and your directory in sync.
Another possible way is to create a new domain and convert each client to the new domain.
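The following is an added example, not part of the guide or of the NIS/LDAP Gateway product: one way to check that the passwd map and the directory are still in sync during a server-by-server transition, since a drifted uidNumber or loginShell gives an account different rights depending on which server a client binds to. It assumes the passwd map has been saved in passwd(4) format (for example from ypcat passwd) and the directory entries exported as plain LDIF with RFC 2307 posixAccount attributes and no base64 values; the function names and sample data are constructed for illustration.

```python
import re

# passwd(4) fields 3-7 and the RFC 2307 posixAccount attributes they map to.
FIELDS = ("uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")

def parse_passwd(text):
    """Parse passwd-format lines by login; blank or malformed lines are skipped."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return {r[0]: dict(zip(FIELDS, r[2:])) for r in rows if len(r) == 7}

def parse_ldif(text):
    """Parse plain LDIF (no base64 values); keep posixAccount entries by uid."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not key.startswith("#"):
                # LDAP attribute names are case-insensitive.
                attrs.setdefault(key.lower(), []).append(value)
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "posixaccount" in classes and "uid" in attrs:
            accounts[attrs["uid"][0]] = {
                f: attrs.get(f.lower(), [""])[0] for f in FIELDS}
    return accounts

def drift(nis, ldap):
    """Return (login, problem) tuples where the two sources disagree."""
    report = []
    for name in sorted(set(nis) | set(ldap)):
        if name not in nis or name not in ldap:
            where = "NIS map" if name in ldap else "directory"
            report.append((name, "missing from " + where))
        else:
            report += [(name, f"{f}: NIS={nis[name][f]} LDAP={ldap[name][f]}")
                       for f in FIELDS if nis[name][f] != ldap[name][f]]
    return report

# Constructed sample data: bob's uidNumber differs, carol was never migrated.
NIS_DUMP = ("alice:x:1001:20:Alice A:/home/alice:/usr/bin/sh\n"
            "bob:x:1002:20:Bob B:/home/bob:/usr/bin/ksh\n"
            "carol:x:1003:20:Carol C:/home/carol:/usr/bin/sh\n")
ENTRY = ("dn: uid={0},ou=People,dc=example,dc=com\nobjectClass: posixAccount\n"
         "uid: {0}\nuidNumber: {1}\ngidNumber: 20\ngecos: {2}\n"
         "homeDirectory: /home/{0}\nloginShell: {3}\n")
LDIF = "\n".join([ENTRY.format("alice", 1001, "Alice A", "/usr/bin/sh"),
                  ENTRY.format("bob", 1020, "Bob B", "/usr/bin/ksh")])

if __name__ == "__main__":
    for login, problem in drift(parse_passwd(NIS_DUMP), parse_ldif(LDIF)):
        print(f"{login}: {problem}")
```

Password fields are deliberately not compared, so the dumps this check needs do not have to contain hashes.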
Configure Your Directory
This section describes how your directory needs to be configured to work with the NIS/LDAP
Gateway. Examples are given for Netscape/Red Hat Directory Server for HP-UX. If you have a
different directory, see the documentation for your directory for details on how to configure it
as described here.
1. Install the POSIX schema (RFC 2307) into your directory.
If you have Netscape Directory Server 6.21 or Red Hat Directory Server 7.x for HP-UX, the
POSIX schema is already installed.
For other directories, you can install the schema from
/opt/ldapux/ypldapd/etc/slapd-v3.nis.conf for version 3 LDAP directories and
/opt/ldapux/ypldapd/etc/slapd-v2.nis.conf for version 2 LDAP directories. Depending on
the directory you have, include a line like one of the following in your configuration file:
20 Installing the NIS/LDAP Gateway