Chapter 21. Integrating with NIS Domains and Netgroups
21.1. About NIS and Identity Management
In UNIX environments, the network information service (NIS) is a common way to centrally manage identities and authentication. NIS, which was originally named Yellow Pages (YP), centrally manages authentication and identity information such as:
- Users and passwords
- Host names and IP addresses
- POSIX groups
For modern network infrastructures, NIS is considered too insecure because, for example, it neither provides host authentication nor encrypts the data it sends over the network. To work around these problems, NIS is often integrated with other protocols to enhance security.
If you use Identity Management (IdM), you can use the NIS server plug-in to connect clients that cannot be fully migrated to IdM. IdM integrates netgroups and other NIS data into the IdM domain. Additionally, you can easily migrate user and host identities from a NIS domain to IdM.
NIS in Identity Management
NIS objects are integrated and stored in the Directory Server back end in compliance with RFC 2307. IdM creates NIS objects in the LDAP directory and clients retrieve them through, for example, System Security Services Daemon (SSSD) or nss_ldap using an encrypted LDAP connection.
IdM manages netgroups, accounts, groups, hosts, and other data. IdM uses a NIS listener to map passwords, groups, and netgroups to IdM entries.
NIS Plug-ins in Identity Management
For NIS support, IdM uses the following plug-ins provided in the slapi-nis package:
- NIS Server Plug-in
- The NIS Server plug-in enables the IdM-integrated LDAP server to act as a NIS server for clients. In this role, Directory Server dynamically generates and updates NIS maps according to the configuration. Using the plug-in, IdM serves clients using the NIS protocol as a NIS server. For further details, see Section 21.2, “Enabling NIS in Identity Management”.
- Schema Compatibility Plug-in
- The Schema Compatibility plug-in enables the Directory Server back end to provide an alternate view of entries stored in part of the directory information tree (DIT). This includes adding, dropping, or renaming attribute values, and optionally retrieving values for attributes from multiple entries in the tree. For further details, see the
21.1.1. NIS Netgroups in Identity Management
NIS entities can be stored in netgroups. Compared to UNIX groups, netgroups provide support for:
- Nested groups (groups as members of other groups).
- Grouping hosts.
A netgroup defines a set of the following information: host, user, and domain. This set is called a triple. These three fields can contain:
- A value.
- A dash (-), which specifies "no valid value".
- No value. An empty field specifies a wildcard.
When a client requests a NIS netgroup, IdM translates the LDAP entry:
- to a traditional NIS map and sends it to the client over the NIS protocol by using the NIS plug-in.
- to an LDAP format that is compliant with RFC 2307 or RFC 2307bis.
21.1.1.1. Displaying NIS Netgroup Entries
IdM stores users and groups in the memberUser attribute, and hosts and host groups in memberHost. The following example shows a netgroup entry in the Directory Server component of IdM:
Example 21.1. A NIS Entry in Directory Server
dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=alt,...
...
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,...
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,...
memberUser: cn=demo,cn=users,cn=accounts,...
memberUser: cn=Engineering,cn=groups,cn=accounts,...
nisDomainName: nisdomain.example.com
In IdM, you can manage netgroup entries using the ipa netgroup-* commands. For example, to display a netgroup entry:
Example 21.2. Displaying a Netgroup Entry
[root@server ~]# ipa netgroup-show netgroup1
  Netgroup name: netgroup1
  Description: my netgroup
  NIS domain name: nisdomain.example.com
  Member Host: VirtGuests
  Member Host: host1.example.com
  Member User: demo
  Member User: Engineering
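The following is an added example, not code from the IdM documentation or from the slapi-nis plug-in: a simplified Python model of how an entry shaped like Example 21.1 is translated into NIS (host, user, domain) triples, and of the triple matching rules from Section 21.1.1 (a value, a dash for "no valid value", an empty field as wildcard). The sample entry, its base DN, and the container-name checks (cn=computers, cn=users) are constructed assumptions; group and host-group members are reported as nested references rather than expanded, because expanding them needs a directory lookup.

```python
# Added example (not from the IdM docs or slapi-nis): simplified model of the
# LDAP-entry-to-NIS-triple translation and of triple matching semantics.
# Constructed sample entry shaped like Example 21.1; the base DN is illustrative.
SAMPLE_ENTRY = """\
dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=alt,dc=example,dc=com
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,dc=example,dc=com
memberUser: cn=demo,cn=users,cn=accounts,dc=example,dc=com
memberUser: cn=Engineering,cn=groups,cn=accounts,dc=example,dc=com
nisDomainName: nisdomain.example.com
"""

def parse_entry(ldif):
    """Return {attribute: [values]} for one unwrapped LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def entry_to_triples(ldif):
    """Direct hosts become (host,-,domain) and direct users (-,user,domain);
    groups/host groups need a directory lookup, so they are returned as nested."""
    attrs = parse_entry(ldif)
    domain = attrs.get("nisDomainName", [""])[0]
    triples, nested = [], []
    for attr, direct, kind in (("memberHost", "cn=computers", "hostgroup"),
                               ("memberUser", "cn=users", "group")):
        for dn in attrs.get(attr, []):
            rdn, container = dn.split(",")[:2]   # e.g. "cn=demo", "cn=users"
            name = rdn.split("=", 1)[1]
            if container != direct:
                nested.append((kind, name))
            elif attr == "memberHost":
                triples.append((name, "-", domain))
            else:
                triples.append(("-", name, domain))
    return attrs["cn"][0], triples, nested

def format_map_line(name, triples):
    """Render the traditional NIS netgroup map line: name (h,u,d) (h,u,d) ..."""
    return name + " " + " ".join("(%s,%s,%s)" % t for t in triples)

def triple_matches(triple, host=None, user=None, domain=None):
    """Empty field '' is a wildcard, '-' never matches a supplied value, any
    other field must match exactly; a query argument of None is not compared."""
    return all(a is None or f == "" or (f != "-" and f == a)
               for f, a in zip(triple, (host, user, domain)))
```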