Chapter 118. Migrating from NIS to Identity Management


A Network Information Service (NIS) server can contain information about users, groups, hosts, netgroups, and automount maps. As a system administrator, you can migrate these entry types, authentication, and authorization from an NIS server to an Identity Management (IdM) server so that all user management operations are performed on the IdM server. Migrating from NIS to IdM also gives you access to more secure protocols, such as Kerberos.

118.1. Enabling NIS in IdM

To allow communication between NIS and the Identity Management (IdM) server, you must enable the NIS compatibility options on the IdM server.

Prerequisites

  • You have root access on the IdM server.

Procedure

  1. Enable the NIS listener and compatibility plug-ins on the IdM server:

    [root@ipaserver ~]# ipa-nis-manage enable
    [root@ipaserver ~]# ipa-compat-manage enable
  2. Optional: For a stricter firewall configuration, set a fixed port.

    For example, to set the port to unused port 514:

    [root@ipaserver ~]# ldapmodify -x -D 'cn=directory manager' -W
    dn: cn=NIS Server,cn=plugins,cn=config
    changetype: modify
    add: nsslapd-pluginarg0
    nsslapd-pluginarg0: 514

    Warning

    To avoid conflicts with other services, do not use any port number above 1024.

  3. Enable and start the port mapper service:

    [root@ipaserver ~]# systemctl enable rpcbind.service
    [root@ipaserver ~]# systemctl start rpcbind.service
  4. Restart Directory Server:

    [root@ipaserver ~]# systemctl restart dirsrv.target

118.2. Migrating user entries from NIS to IdM

The NIS passwd map contains information about users, such as names, UIDs, primary group, GECOS, shell, and home directory. Use this data to migrate NIS user accounts to Identity Management (IdM):

Prerequisites

  • You have root access on the NIS server.
  • NIS is enabled in IdM.
  • The NIS server is enrolled into IdM.
  • You have ID ranges that can store the UIDs of the imported users.

Procedure

  1. Install the yp-tools package:

    [root@nis-server ~]# yum install yp-tools -y
  2. On the NIS server, create the /root/nis-users.sh script with the following content:

    #!/bin/sh
    # $1 is the NIS domain, $2 is the primary NIS server
    ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.passwd) ; do
    	IFS=' '
    	username=$(echo $line | cut -f1 -d:)
    	# Not collecting encrypted password because we need cleartext password
    	# to create kerberos key
    	uid=$(echo $line | cut -f3 -d:)
    	gid=$(echo $line | cut -f4 -d:)
    	gecos=$(echo $line | cut -f5 -d:)
    	homedir=$(echo $line | cut -f6 -d:)
    	shell=$(echo $line | cut -f7 -d:)
    
    	# Now create this entry
    	echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
    	     --password --gidnumber=$gid --uid=$uid --gecos="$gecos" --homedir=$homedir \
    	     --shell=$shell
    	ipa user-show $username
    done
  3. Authenticate as the IdM admin user:

    [root@nis-server ~]# kinit admin
  4. Run the script. For example:

    [root@nis-server ~]# sh /root/nis-users.sh nisdomain nis-server.example.com

    Important

    This script uses hard-coded values for the first name and last name, and sets the password to passw0rd1. The user must change the temporary password at the next login.

118.3. Migrating user groups from NIS to IdM

The NIS group map contains information about groups, such as group names, GIDs, or group members. Use this data to migrate NIS groups to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package:

    [root@nis-server ~]# yum install yp-tools -y
  2. Create the /root/nis-groups.sh script with the following content on the NIS server:

    #!/bin/sh
    # $1 is the NIS domain, $2 is the primary NIS server
    ypcat -d $1 -h $2 group > /dev/shm/nis-map.group 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.group); do
    	IFS=' '
    	groupname=$(echo $line | cut -f1 -d:)
    	# Field 2 (the group password) is not migrated
    	gid=$(echo $line | cut -f3 -d:)
    	members=$(echo $line | cut -f4 -d:)
    
    	# Now create this entry
    	ipa group-add $groupname --desc=NIS_GROUP_$groupname --gid=$gid
    	if [ -n "$members" ]; then
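    		# Build one --users option per member without eval; this also
    		# handles groups that have a single member
    		useropts=""
    		for member in $(echo "$members" | tr ',' ' '); do
    			useropts="$useropts --users=$member"
    		done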
    		ipa group-add-member $groupname $useropts
    	fi
    	ipa group-show $groupname
    done

    Note

    Make sure your usernames do not contain any special characters to ensure successful migration of the user group.

  3. Authenticate as the IdM admin user:

    [root@nis-server ~]# kinit admin
  4. Run the script. For example:

    [root@nis-server ~]# sh /root/nis-groups.sh nisdomain nis-server.example.com
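
A pre-flight check for the passwd and group dumps that nis-users.sh (118.2) and nis-groups.sh (118.3) read, as an added example that is not part of the Red Hat scripts. It rejects lines with the wrong field count (such as error text that `2>&1` wrote into the dump), names with special characters, and IDs that are duplicated or outside the prepared ID range; the function name, the name pattern, the 5000-5999 range and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not one of the Red Hat scripts.
# check_nis_map passwd|group FILE MIN_ID MAX_ID   (FILE may be "-" for stdin)
# Prints one finding per rejected line and returns 1 if anything was found.
check_nis_map() {
    awk -F: -v kind="$1" -v min="$3" -v max="$4" '
        function bad(msg) { print msg; errors++ }
        BEGIN {
            # Conservative name pattern (an assumption, adjust to local policy)
            name = "^[A-Za-z_][A-Za-z0-9_.-]*$"
            nf = (kind == "passwd") ? 7 : 4
        }
        # Wrong field count: for example error text that 2>&1 put in the dump
        NF != nf                              { bad("MALFORMED line " NR); next }
        $1 !~ name                            { bad("BADNAME line " NR); next }
        $3 !~ /^[0-9]+$/                      { bad("BADID " $1); next }
        kind == "passwd" && $4 !~ /^[0-9]+$/  { bad("BADGID " $1); next }
        # MIN_ID..MAX_ID: the IdM ID range prepared for the import (assumed)
        $3 + 0 < min || $3 + 0 > max          { bad("OUTOFRANGE " $1 " id=" $3); next }
        seen[$3]++                            { bad("DUPID " $1 " id=" $3); next }
        kind == "group" && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] !~ name) bad("BADMEMBER " $1 " member#" i)
        }
        END { exit (errors > 0) }
    ' "$2"
}

# Constructed sample dumps (not real map data)
sample_passwd() { cat <<'EOF'
alice:x:5001:5001:Alice Example:/home/alice:/bin/bash
carol:x:5001:5001:Carol Example:/home/carol:/bin/bash
root:x:0:0:root:/root:/bin/bash
ypcat: constructed error text
EOF
}
sample_group() { cat <<'EOF'
staff:x:5001:alice,carol
ops:x:5002:alice,bob smith,dave*
empty:x:5003:
EOF
}

sample_passwd | check_nis_map passwd - 5000 5999 || echo "passwd dump needs cleanup"
sample_group  | check_nis_map group  - 5000 5999 || echo "group dump needs cleanup"
```

Run it against /dev/shm/nis-map.passwd and /dev/shm/nis-map.group after the ypcat step and before the import loop, and import only when it returns 0.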

118.4. Migrating host entries from NIS to IdM

The NIS hosts map contains information about hosts, such as host names and IP addresses. Use this data to migrate NIS host entries to Identity Management (IdM):

Note

When you create a host group in IdM, a corresponding shadow NIS group is automatically created. Do not use the ipa netgroup-* commands on these shadow NIS groups. Use the ipa netgroup-* commands only to manage native netgroups created via the netgroup-add command.

Prerequisites

Procedure

  1. Install the yp-tools package:

    [root@nis-server ~]# yum install yp-tools -y
  2. Create the /root/nis-hosts.sh script with the following content on the NIS server:

    #!/bin/sh
    # $1 is the NIS domain, $2 is the primary NIS server
    ypcat -d $1 -h $2 hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.hosts); do
    	IFS=' '
    	ipaddress=$(echo $line | awk '{print $1}')
    	hostname=$(echo $line | awk '{print $2}')
    	primary=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
    	domain=$(ipa env domain | tr -d '[:space:]' | cut -f2 -d:)
    	if [ $(echo $hostname | grep "\." |wc -l) -eq 0 ] ; then
    		hostname=$(echo $hostname.$domain)
    	fi
    	zone=$(echo $hostname | cut -f2- -d.)
    	if [ $(ipa dnszone-show $zone 2>/dev/null | wc -l) -eq 0 ] ; then
    		ipa dnszone-add $zone --name-server=$primary --admin-email=root.$primary
    	fi
    	ptrzone=$(echo $ipaddress | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
    	if [ $(ipa dnszone-show $ptrzone 2>/dev/null | wc -l) -eq 0 ] ; then
    		ipa dnszone-add  $ptrzone --name-server=$primary --admin-email=root.$primary
    	fi
    	# Now create this entry
    	ipa host-add $hostname --ip-address=$ipaddress
    	ipa host-show $hostname
    done
  3. Authenticate as the IdM admin user:

    [root@nis-server ~]# kinit admin
  4. Run the script. For example:

    [root@nis-server ~]# sh /root/nis-hosts.sh nisdomain nis-server.example.com

    Note

    This script does not migrate special host configurations, such as aliases.

118.5. Migrating netgroup entries from NIS to IdM

The NIS netgroup map contains information about netgroups. Use this data to migrate NIS netgroups to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package:

    [root@nis-server ~]# yum install yp-tools -y
  2. Create the /root/nis-netgroups.sh script with the following content on the NIS server:

    #!/bin/sh
    # $1 is the NIS domain, $2 is the primary NIS server
    ypcat -k -d $1 -h $2 netgroup > /dev/shm/nis-map.netgroup 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.netgroup); do
    	IFS=' '
    	netgroupname=$(echo $line | awk '{print $1}')
    	triples=$(echo $line | sed "s/^$netgroupname //")
    	echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
    	if [ $(echo $line | grep "(," | wc -l) -gt 0 ]; then
    		echo "ipa netgroup-mod $netgroupname --hostcat=all"
    	fi
    	if [ $(echo $line | grep ",," | wc -l) -gt 0 ]; then
    		echo "ipa netgroup-mod $netgroupname --usercat=all"
    	fi
    
    	for triple in $triples; do
    		triple=$(echo $triple | sed -e 's/-//g' -e 's/(//' -e 's/)//')
    		if [ $(echo $triple | grep ",.*," | wc -l) -gt 0 ]; then
    			hostname=$(echo $triple | cut -f1 -d,)
    			username=$(echo $triple | cut -f2 -d,)
    			domain=$(echo $triple | cut -f3 -d,)
    			hosts=""; users=""; doms="";
    			[ -n "$hostname" ] && hosts="--hosts=$hostname"
    			[ -n "$username" ] && users="--users=$username"
    			[ -n "$domain"   ] && doms="--nisdomain=$domain"
    			# Members belong to the netgroup defined by this map line
    			echo "ipa netgroup-add-member $netgroupname $hosts $users $doms"
    		else
    			netgroup=$triple
    			echo "ipa netgroup-add $netgroup --desc=<NIS_NG>_$netgroup"
    		fi
    	done
    done
  3. Authenticate as the IdM admin user:

    [root@nis-server ~]# kinit admin
  4. Run the script. For example:

    [root@nis-server ~]# sh /root/nis-netgroups.sh nisdomain nis-server.example.com

118.6. Migrating automount maps from NIS to IdM

Automount maps are a series of nested and interrelated entries that define the location (the parent entry), the associated keys, and maps. To migrate NIS automount maps to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package:

    [root@nis-server ~]# yum install yp-tools -y
  2. Create the /root/nis-automounts.sh script with the following content on the NIS server:

    #!/bin/sh
    # $1 is for the automount entry in ipa
    
    ipa automountlocation-add $1
    
    # $2 is the NIS domain, $3 is the primary NIS server, $4 is the map name
    
    ypcat -k -d $2 -h $3 $4 > /dev/shm/nis-map.$4 2>&1
    
    ipa automountmap-add $1 $4
    
    basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
    cat > /tmp/amap.ldif <<EOF
    dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
    objectClass: extensibleObject
    nis-domain: $2
    nis-map: $4
    nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
    nis-filter: (objectclass=\*)
    nis-key-format: %{automountKey}
    nis-value-format: %{automountInformation}
    EOF
    
    # $5 is the LDAP server
    
    ldapadd -x -h $5 -D "cn=Directory Manager" -W -f /tmp/amap.ldif
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.$4); do
    	IFS=" "
    	key=$(echo "$line" | awk '{print $1}')
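    	# Strip the leading key and the whitespace after it to get the mount information
    	info=$(echo "$line" | sed -e "s#^$key[ \t]*##")
    	# Add the key to the map in the location created above ($1)
    	ipa automountkey-add $1 $4 --key="$key" --info="$info"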
    done

    Note

    The script exports the NIS automount information, generates an LDAP Data Interchange Format (LDIF) for the automount location and associated map, and imports the LDIF file into the IdM Directory Server.

  3. Authenticate as the IdM admin user:

    [root@nis-server ~]# kinit admin
  4. Run the script. For example:

    [root@nis-server ~]# sh /root/nis-automounts.sh location nisdomain \
         nis-server.example.com map_name