| |
|
|
NIS+ Entry Owner, Group, Access, and TTL
When NIS+ table entries are created from LDAP data, the default behavior is
to initialize the entry object owner, group, access rights, and TTL using the
corresponding values from the table object in which the entry object lives. This
is normally sufficient, but there might be cases where these NIS+ entry attributes
must be established individually. An example of this would be a site that
did not use the rpc.nispasswdd(1M) daemon. In order to allow individual users to
change their NIS+ passwords (and re-encrypt their Diffie-Hellman keys stored in the cred.org_dir
table), passwd.org_dir and cred.org_dir entries for the user should be owned by the
user, and have modify rights for the entry owner. If you need to store table entry owner, group, access, or TTL
in LDAP for one or more NIS+ tables, you need to do the
following.
How to Store Additional Entry Attributes in LDAP
- Consult your LDAP server documentation, and create the following new attributes and object
class. (LDIF data is suitable for ldapadd. Attribute and object class OIDs are
for illustration only.)
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.0 NAME 'nisplusEntryOwner' \
DESC 'Opaque representation of NIS+ entry owner' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.1 NAME 'nisplusEntryGroup' \
DESC 'Opaque representation of NIS+ entry group' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.2 NAME 'nisplusEntryAccess' \
DESC 'Opaque representation of NIS+ entry access' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.42.42.4.3 NAME 'nisplusEntryTtl' \
DESC 'Opaque representation of NIS+ entry TTL' \
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )dn: cn=schema
changetype: modify
add: objectclasses objectclasses:(1.3.6.1.4.1.42.2.27.5.42.42.5.0 NAME 'nisplusEntryData'\
SUP top STRUCTURAL DESC 'NIS+ entry object non-column data'\ MUST ( cn ) MAY ( nisplusEntryOwner $ nisplusEntryGroup $\
nisplusEntryAccess $ nisplusEntryTtl ) )
- Modify the nisplusLDAPobjectDN attribute value for the relevant table(s) so that the write
portion includes the newly created nisplusEntryData object class.
For example, for the passwd.org_dir table, assuming that you are using a mapping file
based on /var/nis/NIS+LDAPmapping.template, edit as follows. nisplusLDAPobjectDN passwd:ou=People,?one?objectClass=shadowAccount,\
objectClass=posixAccount:\
ou=People,?one?objectClass=shadowAccount,\
objectClass=posixAccount,\
objectClass=account,objectClass=topEdit the attribute value as follows. nisplusLDAPobjectDN passwd:ou=People,?one?objectClass=shadowAccount,\
objectClass=posixAccount:\
ou=People,?one?objectClass=shadowAccount,\
objectClass=posixAccount,\
objectClass=nisplusEntryData,\
objectClass=account,objectClass=top
- Edit the nisplusLDAPattributeFromColumn and nisplusLDAPcolumnFromAttribute attribute values to specify any desired subset of
owner, group, access, or TTL.
In Step 2, you created the LDAP attributes used to store these
values. For NIS+, there are predefined pseudo-column names called zo_owner, zo_group, zo_access, and
zo_ttl, respectively. For example, in order to store owner, group, and access for
passwd.org_dir entries in LDAP, modify the nisplusLDAPattributeFromColumn value from the following. nisplusLDAPattributeFromColumn \
passwd: dn=("uid=%s,", name), \
cn=name, \
uid=name, \
userPassword=("{crypt$}%s", passwd), \
uidNumber=uid, \
gidNumber=gid, \
gecos=gcos, \
homeDirectory=home, \
loginShell=shell, \
(shadowLastChange,shadowMin,shadowMax, \
shadowWarning, shadowInactive,shadowExpire)=\
(shadow, ":")Edit to read as follows. nisplusLDAPattributeFromColumn \
passwd: dn=("uid=%s,", name), \
cn=name, \
uid=name, \
userPassword=("{crypt$}%s", passwd), \
uidNumber=uid, \
gidNumber=gid, \
gecos=gcos, \
homeDirectory=home, \
loginShell=shell, \
(shadowLastChange,shadowMin,shadowMax, \
shadowWarning, shadowInactive,shadowExpire)=\
(shadow, ":"), \
nisplusEntryOwner=zo_owner, \
nisplusEntryGroup=zo_group, \
nisplusEntryAccess=zo_accessSimilarly, to set NIS+ entry owner, group, and access from LDAP data for
the passwd.org_dir table, modify the following. nisplusLDAPcolumnFromAttribute \
passwd: name=uid, \
("{crypt$}%s", passwd)=userPassword, \
uid=uidNumber, \
gid=gidNumber, \
gcos=gecos, \
home=homeDirectory, \
shell=loginShell, \
shadow=("%s:%s:%s:%s:%s:%s", \
shadowLastChange, \
shadowMin, \
shadowMax, \
shadowWarning, \
shadowInactive, \
shadowExpire)Edit to read as follows. nisplusLDAPcolumnFromAttribute \
passwd: name=uid, \
("crypt$%s", passwd)=authPassword, \
uid=uidNumber, \
gid=gidNumber, \
gcos=gecos, \
home=homeDirectory, \
shell=loginShell, \
shadow=("%s:%s:%s:%s:%s:%s", \
shadowLastChange, \
shadowMin, \
shadowMax, \
shadowWarning, \
shadowInactive, \
shadowExpire), \
zo_owner=nisplusEntryOwner, \
zo_group=nisplusEntryGroup, \
zo_access=nisplusEntryAccess
- Upload owner, group, access, and/or TTL entry data to LDAP.
See How to Convert All NIS+ Data to LDAP in One Operation for more information.
- Restart the NIS+ service in order to make the mapping change take effect.
# svcadm restart network/rpc/nisplus:default
|
|
|
|
|
