Chapter 21. Integrating with NIS Domains and Netgroups

21.1. About NIS and Identity Management

In UNIX environments, the network information service (NIS) is a common way to centrally manage identities and authentication. NIS, which was originally named Yellow Pages (YP), centrally manages authentication and identity information such as:
  • Users and passwords
  • Host names and IP addresses
  • POSIX groups
For modern network infrastructures, NIS is considered too insecure: for example, it provides no host authentication, and data is sent unencrypted over the network. To work around these problems, NIS is often integrated with other protocols to enhance security.
If you use Identity Management (IdM), you can use the NIS server plug-in to connect clients that cannot be fully migrated to IdM. IdM integrates netgroups and other NIS data into the IdM domain. Additionally, you can easily migrate user and host identities from a NIS domain to IdM.

NIS in Identity Management

NIS objects are integrated and stored in the Directory Server back end in compliance with RFC 2307. IdM creates NIS objects in the LDAP directory, and clients retrieve them over an encrypted LDAP connection through, for example, the System Security Services Daemon (SSSD) or nss_ldap.
IdM manages netgroups, accounts, groups, hosts, and other data. IdM uses a NIS listener to map passwords, groups, and netgroups to IdM entries.

NIS Plug-ins in Identity Management

For NIS support, IdM uses the following plug-ins provided in the slapi-nis package:
NIS Server Plug-in
The NIS Server plug-in enables the IdM-integrated LDAP server to act as a NIS server for clients. In this role, Directory Server dynamically generates and updates NIS maps according to the configuration. Through this plug-in, IdM serves NIS clients over the NIS protocol as a NIS server.
Schema Compatibility Plug-in
The Schema Compatibility plug-in enables the Directory Server back end to provide an alternate view of entries stored in part of the directory information tree (DIT). This includes adding, dropping, or renaming attribute values, and optionally retrieving values for attributes from multiple entries in the tree.
For further details, see the /usr/share/doc/slapi-nis-version/sch-getting-started.txt file.

21.1.1. NIS Netgroups in Identity Management

NIS entities can be stored in netgroups. Compared to UNIX groups, netgroups provide support for:
  • Nested groups (groups as members of other groups).
  • Grouping hosts.
A netgroup defines a set of the following information: host, user, and domain. This set is called a triple. Each of the three fields can contain:
  • A value.
  • A dash (-), which specifies "no valid value".
  • No value. An empty field specifies a wildcard.
For example, in the following triples the empty user field of the first triple matches any user on host.example.com, and the dash in the host field of the second triple specifies no host:
(host.example.com,,nisdomain.example.com)
(-,user,nisdomain.example.com)
When a client requests a NIS netgroup, IdM translates the LDAP entry:
  • to a traditional NIS map and sends it to the client over the NIS protocol by using the NIS plug-in.
  • to an LDAP format that is compliant with RFC 2307 or RFC 2307bis.
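As an added illustration (not code from the original guide or from slapi-nis), the following Python parses netgroup map lines written in the triple format above, follows nested netgroups, and answers innetgr(3)-style membership queries. The field semantics (empty field = wildcard, dash = no valid value) follow the list above; the sample map is constructed, and the case-insensitive comparison of field values is an assumption.

```python
import re

# Constructed sample netgroup map (hypothetical, not slapi-nis output): each line is
# "<netgroup> <member> ...", a member being a (host,user,domain) triple or a nested netgroup.
SAMPLE_MAP = """\
netgroup1  (host1.example.com,-,nisdomain.example.com) (-,demo,nisdomain.example.com) VirtGuests
VirtGuests (vm1.example.com,-,nisdomain.example.com) (vm2.example.com,-,nisdomain.example.com)
admins     (,admin,)
"""

TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_triple(token: str) -> tuple:
    """Split '(host,user,domain)' into its three fields; reject malformed tokens."""
    m = TRIPLE_RE.match(token)
    if not m:
        raise ValueError(f"malformed netgroup triple: {token!r}")
    return tuple(f.strip() for f in m.groups())

def parse_netgroup_map(text: str) -> dict:
    """Parse map lines into {netgroup: [members]}; nested netgroup names stay strings."""
    netgroups = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        netgroups[tokens[0]] = [parse_triple(t) if t.startswith("(") else t for t in tokens[1:]]
    return netgroups

def field_matches(entry: str, query) -> bool:
    """'' is a wildcard, '-' matches no real value, a None query leaves the field unconstrained."""
    if query is None or entry == "":
        return True
    if entry == "-":
        return False
    return entry.lower() == query.lower()  # assumption: hostnames/users compare case-insensitively

def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None) -> bool:
    """innetgr(3)-style membership test that follows nested netgroups and stops on cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    for member in netgroups[name]:
        if isinstance(member, str):  # nested netgroup: recurse
            if innetgr(netgroups, member, host, user, domain, _seen):
                return True
        elif all(field_matches(e, q) for e, q in zip(member, (host, user, domain))):
            return True
    return False
```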

21.1.1.1. Displaying NIS Netgroup Entries

IdM stores users and groups in the memberUser attribute, and hosts and host groups in the memberHost attribute. The following example shows a netgroup entry in the Directory Server component of IdM:

Example 21.1. A NIS Entry in Directory Server

dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=alt,...
...
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,...
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,...
memberUser: cn=demo,cn=users,cn=accounts,...
memberUser: cn=Engineering,cn=groups,cn=accounts,...
nisDomainName: nisdomain.example.com
In IdM, you can manage netgroup entries using the ipa netgroup-* commands. For example, to display a netgroup entry:

Example 21.2. Displaying a Netgroup Entry

[root@server ~]# ipa netgroup-show netgroup1
Netgroup name: netgroup1
Description: my netgroup
NIS domain name: nisdomain.example.com
Member Host: VirtGuests
Member Host: host1.example.com
Member User: demo
Member User: Engineering