Naming and Directory Services (DNS, NIS, and LDAP)

More documents

Recommendations

Info

nisplusLDAPdatabaseIdMappingnisplusLDAPdatabaseIdMappingrpc_table:rpc.org_dirrpc:rpc.org_dirdefines the database ids rpc_table and rpc as aliases for the rpc.org_dir table.Later definitions will make it clear that rpc_table is used for the rpc.org_dirtable object, and rpc for the entries in that table.nisplusLDAPentryTtl AttributeSince the rpc.nisd daemon’s local database (in memory and on disk) functions as acache for LDAP data, the nisplusLDAPentryTtl attribute allows you to set thetime-to-live (TTL) values of entries in that cache. There are three TTLs for eachdatabase ID. The first two control the initial TTL when the rpc.nisd first loads thecorresponding NIS+ object data from disk, and the third TTL is assigned to an objectwhen it is read or refreshed from LDAP.For example the following results in the rpc.org_dir table object getting an initialTTL randomly selected in the range 21600 to 43200 seconds.nisplusLDAPentryTtlrpc_table:21600:43200:43200When that initial TTL expires and the table object is refreshed from LDAP, the TTL willbe set to 43200 seconds.Similarly the following will assign an initial TTL between 1800 and 3600 seconds tothe entries in the rpc.org_dir table when it is first loaded.nisplusLDAPentryTtlrpc:1800:3600:3600Each entry gets its own randomly selected TTL in the range specified. When a tableentry expires and is refreshed, the TTL is set to 3600 seconds.When selecting TTL values, consider the trade-off between performance andconsistency. If the TTLs used for LDAP data cached by the rpc.nisd are very long,performance is the same as if rpc.nisd was not mapping data from LDAP at all.However, if the LDAP data is changed (by some entity other than rpc.nisd), it canalso take a very long time before that change is visible in NIS+.Conversely, selecting a very short (or even zero) TTL means that changes to LDAPdata are quickly visible in NIS+, but can also impose a significant performancepenalty. Typically, an NIS+ operation that also reads data from or writes data to LDAPwill take at least two to three times longer (plus the LDAP lookup overhead) than thesame operation without LDAP communication. Although performance can varygreatly depending on the hardware resources, scanning a large (tens of thousands orhundreds of thousands of entries) LDAP container to identify NIS+ entries that shouldbe refreshed can take a long time. The rpc.nisddaemon performs this scan in thebackground, continuing to serve possibly stale data while it is running, but thebackground scan still consumes CPU and memory on the NIS+ server.260 System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) • January 2005
Carefully consider how critical it is to have NIS+ data in close synchronization withLDAP, and select the longest TTL that is acceptable for each NIS+ object. The default(when no nisplusLDAPentryTtl is specified) is 1 hour. The template mapping file/var/nis/NIS+LDAPmapping.template changes this to 12 hours for objects otherthan table entries. However, there is no auto-recognition of non-entry objects, so if youadd mapping for a non-entry object, the TTL will default to 1 hour.Note – There are no TTLs for nonexistent objects. Hence, no matter which TTLs are ineffect for LDAP-mapped entries in an NIS+ table, a request for an entry that does notexist in NIS+ will query LDAP for that entry.nisplusLDAPobjectDNnisplusLDAPobjectDN AttributeFor each mapped NIS+ object, nisplusLDAPobjectDN establishes the location in theLDAP DIT where the object data resides. It also allows specification of the action totake when an LDAP entry is deleted. Each nisplusLDAPobjectDN value has threeparts. The first specifies where LDAP data is read from, the second to where it iswritten, and the third what should happen when LDAP data is deleted. Refer to thefollowing example.rpc_table:\cn=rpc,ou=nisPlus,?base?\objectClass=nisplusObjectContainer:\cn=rpc,ou=nisPlus,?base?\objectClass=nisplusObjectContainer,\objectClass=topThe above example shows that the rpc.org_dir table object should be read from theDN cn=rpc,ou=nisPlus, (since the value ends in a comma, the value of thedefaultSearchBase attribute is appended), with scope base, and that entries witha value of nisplusObjectContainer for the ObjectClass attribute are selected.The table object is written to the same place. The delete specification is missing, whichimplies the default action, which is as follows. If the NIS+ table object is deleted, theentire LDAP entry should also be deleted.If data should be read from, but not written to LDAP, omit the write portion (and thecolon separating it from the read part).nisplusLDAPobjectDNrpc_table:\cn=rpc,ou=nisPlus,?base?\objectClass=nisplusObjectContainerNote that the nisplusObjectContainer object class is not part of RFC 2307. Inorder to use it, you must configure your LDAP server as detailed in “Mapping NIS+Objects Other Than Table Entries” on page 273.For the rpc.org_dir table entries, you could use the following example.Chapter 16 • Transitioning From NIS+ to LDAP 261
Page 1 and 2:
System Administration Guide:Naming
Page 3 and 4:
ContentsPreface 15Part I About Nami
Page 5 and 6:
Server-List Mode 77Broadcast Mode 7
Page 7 and 8:
Using Fully Qualified Domain Names
Page 9 and 10:
Checking Server Data From a Non-Cli
Page 11 and 12:
Replication Timestamps 268The Direc
Page 13 and 14:
ExamplesEXAMPLE 2-1 NIS+ Switch Fil
Page 15 and 16:
PrefaceSolaris Administration Guide
Page 17 and 18:
Related Books■ Sun Java System Di
Page 19 and 20:
PARTIAbout Naming and Directory Ser
Page 21 and 22:
CHAPTER 1Naming and Directory Servi
Page 23 and 24:
A network information service store
Page 25 and 26:
docS2S1sales.docS3manf.docC1 C2 C3
Page 27 and 28:
Subsequent changes in your organiza
Page 29 and 30:
NIS+ uses a client-server model to
Page 31 and 32:
CHAPTER 2The Name Service Switch (O
Page 33 and 34:
TABLE 2-1 Switch File Information S
Page 35 and 36:
networks: nis [NOTFOUND=return] fil
Page 37 and 38:
Note - In order to use LDAP naming
Page 39 and 40:
EXAMPLE 2-3 Files Switch File Templ
Page 41 and 42:
Selecting a Different Configuration
Page 43 and 44:
Caution - Potential delay issues:
Page 45 and 46:
PARTIIDNS Setup and AdministrationT
Page 47 and 48:
CHAPTER 3DNS Setup and Administrati
Page 49 and 50:
DNS and the Service ManagementFacil
Page 51 and 52:
EXAMPLE 3-2 Sample named.conf File
Page 53 and 54:
etc/rndc.confComparison of BIND 8 a
Page 55 and 56:
Options {Changes[ directory path_na
Page 57 and 58:
Options {Changes[ sortlist { addres
Page 59 and 60:
options {blackhole { ; ... };coresi
Page 61 and 62:
};print-time ;print-severity ;print
Page 63 and 64:
};maintain-ixfr-base ; // obsoletem
Page 65 and 66:
PARTIIINIS Setup and Administration
Page 67 and 68:
CHAPTER 4Network Information Servic
Page 69 and 70:
NIS Machine TypesThere are three ty
Page 71 and 72:
Note - rpc.yppasswdd considers all
Page 73 and 74:
TABLE 4-3 NIS Map DescriptionsMap N
Page 75 and 76:
For example, when you add a new mac
Page 77 and 78:
TABLE 4-4 NIS Command SummaryComman
Page 79 and 80:
CHAPTER 5Setting Up and Configuring
Page 81 and 82:
■You can query the status of NIS
Page 83 and 84:
In addition, if audit_user, auth_at
Page 85 and 86:
Preparing the MakefileAfter checkin
Page 87 and 88:
If the map or maps being pushed by
Page 89 and 90:
# svcadm restart network/nis/server
Page 91 and 92:
Setting Up NIS ClientsThe two metho
Page 93 and 94:
CHAPTER 6Administering NIS (Tasks)T
Page 95 and 96:
This step is necessary because the
Page 97 and 98:
separated by commas. For example, t
Page 99 and 100:
▼How to Change a Map’s Master S
Page 101 and 102:
master of the map, modify the Makef
Page 103 and 104:
5. Run make.# make mapnameWhere map
Page 105 and 106:
To periodically run ypxfr at a rate
Page 107 and 108:
■Using the Makefile” on page 10
Page 109 and 110:
2. Change to the NIS domain directo
Page 111 and 112:
Using NIS in Conjunction With DNSTy
Page 113 and 114:
CHAPTER 7NIS TroubleshootingThis ch
Page 115 and 116:
Client7# ls /var/yp...-rwxr-xr-x 1
Page 117 and 118:
Note - For security reasons, the us
Page 119 and 120:
# svcadm restart network/nis/server
Page 121 and 122:
100004 2 udp 731 ypserv100004 1 udp
Page 123 and 124:
PARTIVLDAP Naming Services Setup an
Page 125 and 126:
CHAPTER 8Introduction to LDAP Namin
Page 127 and 128:
DNS NIS NIS+ LDAPServers Master/sla
Page 129 and 130:
CHAPTER 9LDAP Basic Components andC
Page 131 and 132:
networksdn: ipNetworkNumber=200.20.
Page 133 and 134:
Also, if you use interface-specific
Page 135 and 136:
semicolon-separated base-scope-filt
Page 137 and 138:
LDAP Client ProfilesTo simplify Sol
Page 139 and 140:
TABLE 9-2 Client Profile Attributes
Page 141 and 142:
LDAP Naming Services Security Model
Page 143 and 144:
Caution - Allowing anonymous write
Page 145 and 146:
■and that it is easy to set up.sa
Page 147 and 148:
Pluggable Authentication MethodsBy
Page 149 and 150:
TABLE 9-5 pam_unix versus pam_ldapP
Page 151 and 152:
Note - The preceding account manage
Page 153 and 154:
CHAPTER 10Planning Requirements for
Page 155 and 156:
information will be searched for a
Page 157 and 158:
For information about how to set up
Page 159 and 160:
Because the entries are stored in t
Page 161 and 162:
CHAPTER 11Setting Up Sun Java Syste
Page 163 and 164:
Note - If you are using hostnames i
Page 165 and 166:
Using Service Search Descriptors to
Page 167 and 168:
▼How to Configure Sun Java System
Page 169 and 170:
EXAMPLE 11-1 Running idsconfig for
Page 171 and 172:
EXAMPLE 11-1 Running idsconfig for
Page 173 and 174:
Populating the Directory Server Wit
Page 175 and 176:
Migrating Your Sun Java SystemDirec
Page 177 and 178:
CHAPTER 12Setting Up LDAP Clients (
Page 179 and 180:
■dependencyrequire_all/none svc:/
Page 181 and 182:
System successfully configuredThe -
Page 183 and 184:
Setting Up TLS SecurityNote - The s
Page 185 and 186:
Retrieving LDAP Naming ServicesInfo
Page 187 and 188:
Enabling DNS With LDAPIf you want t
Page 189 and 190:
CHAPTER 13LDAP Troubleshooting (Ref
Page 191 and 192:
Checking the Current Profile Inform
Page 193 and 194:
5. No password is defined for the u
Page 195 and 196:
CHAPTER 14LDAP General Reference (R
Page 197 and 198:
CompatibilityClients configured on
Page 199 and 200:
General LDAP ToolsLDAP command line
Page 201 and 202:
other password required pam_dhkeys.
Page 203 and 204:
IETF Schemas for LDAPSchemas are de
Page 205 and 206:
SYNTAX ’INTEGER’ SINGLE-VALUE )
Page 207 and 208:
( nisSchema.2.5 NAME ’oncRpc’ S
Page 209 and 210: Directory User Agent Profile(DUAPro
Page 211 and 212: Solaris SchemasThe schemas required
Page 213 and 214: ( 1.3.6.1.4.1.42.2.27.5.2.4 NAME
Page 215 and 216: EQUALITY caseIgnoreMatch ORDERING c
Page 217 and 218: "edge-stitch-bottom", "staple-dual-
Page 219 and 220: Legal values include; "unknown", "b
Page 221 and 222: client generates protocol extension
Page 223 and 224: ootparams(&(objectclass=bootableDev
Page 225 and 226: TABLE 14-5 getent Attribute Filters
Page 227 and 228: CHAPTER 15Transitioning From NIS to
Page 229 and 230: ■■Chapter 4, for an overview of
Page 231 and 232: TABLE 15-1 Terminology Related to t
Page 233 and 234: Transitioning From NIS to LDAP (Tas
Page 235 and 236: ■ The name of the configuration f
Page 237 and 238: d. Start the NIS daemons to ensure
Page 239 and 240: Tip - The original NIS dbm files ar
Page 241 and 242: ou=servdates, ?one? \objectClass=se
Page 243 and 244: For example, to increase the minimu
Page 245 and 246: Object class violationError Number:
Page 247 and 248: Problem: Object class violations oc
Page 249 and 250: ▼How to Revert to Maps Based on O
Page 251 and 252: CHAPTER 16Transitioning From NIS+ t
Page 253 and 254: “client_info and timezone Tables
Page 255 and 256: 2. Stop the NIS+ service.# svcadm d
Page 257 and 258: ■nisplusLDAPconfigProxyPasswordSe
Page 259: ■■■■■■■■■■nispl
Page 263 and 264: Assuming the defaultSearchBase valu
Page 265 and 266: ▼How to Convert All NIS+ Data to
Page 267 and 268: 7. Create merged versions of the ta
Page 269 and 270: eplica. For example, assume that th
Page 271 and 272: traffic. For example, if the rpc.ni
Page 273 and 274: ■■■passwordnisplusLDAPproxyPa
Page 275 and 276: NIS+ Entry Owner, Group, Access, an
Page 277 and 278: homeDirectory=home, \loginShell=she
Page 279 and 280: Set the owner of the link object to
Page 281 and 282: NAME ’nisplusClientInfoData’ \D
Page 283 and 284: nisplusLDAPdatabaseIdMappingIf this
Page 285 and 286: nisplusLDAPobjectDNThe cname column
Page 287 and 288: nisplusLDAPcolumnFromAttribute \net
Page 289 and 290: NIS+/LDAP configuration attributes
Page 291 and 292: NAME ’nisplusLDAPbaseDomain’ \D
Page 293 and 294: APPENDIXASolaris 10 Software Update
Page 295 and 296: It is not possible to provide a cle
Page 297 and 298: Glossaryapplication-levelnaming ser
Page 299 and 300: DNS zonesDNS zone filesdomainAdmini
Page 301 and 302: N2L servername resolutionname serve
Page 303 and 304: server listslave serverSee preferre
Page 305 and 306: IndexNumbers and Symbols+/- Syntaxc
Page 307 and 308: IP address, 300ipsec(7), 144IPv6, n
Page 309 and 310: NIS (Continued)stopping, 112stoppin
Page 311 and 312:
private key, 301Profiles, LDAP clie
Page 313 and 314:
yppush command, NIS problems, 120yp
show all

Naming and Directory Services (DNS, NIS, and LDAP)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?