Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 4. Migrating from NIS to Identity Management

A Network Information Service (NIS) server can contain information about users, groups, hosts, netgroups and automount maps. As a system administrator you can migrate these entry types, authentication, and authorization from NIS server to an Identity Management (IdM) server so that all user management operations are performed on the IdM server. Migrating from NIS to IdM will also allow you access to more secure protocols such as Kerberos.

4.1. Enabling NIS in IdM
Copier lien

To allow communication between NIS and Identity Management (IdM) server, you must enable NIS compatibility options on IdM server.

Prerequisites

  • You have root access on IdM server.

Procedure

  1. Enable the NIS listener and compatibility plug-ins on IdM server: 

    [root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
    Copy to Clipboard Toggle word wrap

  2. Optional: For a more strict firewall configuration, set a fixed port.

    For example, to set the port to unused port 514: 

    [root@ipaserver ~]# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=NIS Server,cn=plugins,cn=config
changetype: modify
add: nsslapd-pluginarg0
nsslapd-pluginarg0: 514
    Copy to Clipboard Toggle word wrap
    Warning

    To avoid conflict with other services do not use any port number above 1024.

  3. Enable and start the port mapper service: 

    [root@ipaserver ~]# systemctl enable rpcbind.service
[root@ipaserver ~]# systemctl start rpcbind.service
    Copy to Clipboard Toggle word wrap

  4. Restart Directory Server: 

    [root@ipaserver ~]# systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap

4.2. Migrating user entries from NIS to IdM
Copier lien

The NIS passwd map contains information about users, such as names, UIDs, primary group, GECOS, shell, and home directory. Use this data to migrate NIS user accounts to Identity Management (IdM):

Prerequisites

  • You have root access on NIS server.
  • NIS is enabled in IdM.
  • The NIS server is enrolled into IdM.
  • You have ID ranges that can store UIDs of importing users.

Procedure

  1. Install the yp-tools package: 

    [root@nis-server ~]# dnf install yp-tools -y
    Copy to Clipboard Toggle word wrap

  2. On the NIS server create the /root/nis-users.sh script with the following content: 

    #!/bin/sh
# $1 is the NIS domain, $2 is the primary NIS server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
	IFS=' '
	username=$(echo $line | cut -f1 -d:)
	# Not collecting encrypted password because we need cleartext password
	# to create kerberos key
	uid=$(echo $line | cut -f3 -d:)
	gid=$(echo $line | cut -f4 -d:)
	gecos=$(echo $line | cut -f5 -d:)
	homedir=$(echo $line | cut -f6 -d:)
	shell=$(echo $line | cut -f7 -d:)

	# Now create this entry
	echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
	     --password --gidnumber=$gid --uid=$uid --gecos="$gecos" --homedir=$homedir \
	     --shell=$shell
	ipa user-show $username
done
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the IdM admin user: 

    [root@nis-server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  4. Run the script. For example: 

    [root@nis-server ~]# sh /root/nis-users.sh nisdomain nis-server.example.com
    Copy to Clipboard Toggle word wrap
    Important

    This script uses hard-coded values for first name, last name, and sets the password to passw0rd1. The user must change the temporary password at the next login.

4.3. Migrating user group from NIS to IdM
Copier lien

The NIS group map contains information about groups, such as group names, GIDs, or group members. Use this data to migrate NIS groups to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package: 

    [root@nis-server ~]# dnf install yp-tools -y
    Copy to Clipboard Toggle word wrap

  2. Create the /root/nis-groups.sh script with the following content on the NIS server: 

    #!/bin/sh
# $1 is the NIS domain, $2 is the primary NIS server
ypcat -d $1 -h $2 group > /dev/shm/nis-map.group 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.group); do
	IFS=' '
	groupname=$(echo $line | cut -f1 -d:)
	# Not collecting encrypted password because we need cleartext password
	# to create kerberos key
	gid=$(echo $line | cut -f3 -d:)
	members=$(echo $line | cut -f4 -d:)

	# Now create this entry
	ipa group-add $groupname --desc=NIS_GROUP_$groupname --gid=$gid
	if [ -n "$members" ]; then
		useropts=$(eval echo --users={$members})
		ipa group-add-member $groupname $useropts
	fi
	ipa group-show $groupname
done
    Copy to Clipboard Toggle word wrap
    Note

    Make sure your usernames do not contain any special characters to ensure successful migration of the user group.

  3. Authenticate as the IdM admin user: 

    [root@nis-server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  4. Run the script. For example: 

    [root@nis-server ~]# sh /root/nis-groups.sh nisdomain nis-server.example.com
    Copy to Clipboard Toggle word wrap

4.4. Migrating host entries from NIS to IdM
Copier lien

The NIS hosts map contains information about hosts, such as host names and IP addresses. Use this data to migrate NIS host entries to Identity Management (IdM):

Note

When you create a host group in IdM, a corresponding shadow NIS group is automatically created. Do not use the ipa netgroup-* commands on these shadow NIS groups. Use the ipa netgroup-* commands only to manage native netgroups created via the netgroup-add command.

Prerequisites

Procedure

  1. Install the yp-tools package: 

    [root@nis-server ~]# dnf install yp-tools -y
    Copy to Clipboard Toggle word wrap

  2. Create the /root/nis-hosts.sh script with the following content on the NIS server: 

    #!/bin/sh
# $1 is the NIS domain, $2 is the primary NIS server
ypcat -d $1 -h $2 hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.hosts); do
	IFS=' '
	ipaddress=$(echo $line | awk '{print $1}')
	hostname=$(echo $line | awk '{print $2}')
	primary=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
	domain=$(ipa env domain | tr -d '[:space:]' | cut -f2 -d:)
	if [ $(echo $hostname | grep "\." |wc -l) -eq 0 ] ; then
		hostname=$(echo $hostname.$domain)
	fi
	zone=$(echo $hostname | cut -f2- -d.)
	if [ $(ipa dnszone-show $zone 2>/dev/null | wc -l) -eq 0 ] ; then
		ipa dnszone-add --name-server=$primary --admin-email=root.$primary
	fi
	ptrzone=$(echo $ipaddress | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
	if [ $(ipa dnszone-show $ptrzone 2>/dev/null | wc -l) -eq 0 ] ; then
		ipa dnszone-add  $ptrzone --name-server=$primary --admin-email=root.$primary
	fi
	# Now create this entry
	ipa host-add $hostname --ip-address=$ipaddress
	ipa host-show $hostname
done
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the IdM admin user: 

    [root@nis-server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  4. Run the script. For example: 

    [root@nis-server ~]# sh /root/nis-hosts.sh nisdomain nis-server.example.com
    Copy to Clipboard Toggle word wrap
    Note

    This script does not migrate special host configurations, such as aliases.

4.5. Migrating netgroup entries from NIS to IdM
Copier lien

The NIS netgroup map contains information about netgroups. Use this data to migrate NIS netgroups to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package: 

    [root@nis-server ~]# dnf install yp-tools -y
    Copy to Clipboard Toggle word wrap

  2. Create the /root/nis-netgroups.sh script with the following content on the NIS server: 

    #!/bin/sh
# $1 is the NIS domain, $2 is the primary NIS server
ypcat -k -d $1 -h $2 netgroup > /dev/shm/nis-map.netgroup 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.netgroup); do
	IFS=' '
	netgroupname=$(echo $line | awk '{print $1}')
	triples=$(echo $line | sed "s/^$netgroupname //")
	echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
	if [ $(echo $line | grep "(," | wc -l) -gt 0 ]; then
		echo "ipa netgroup-mod $netgroupname --hostcat=all"
	fi
	if [ $(echo $line | grep ",," | wc -l) -gt 0 ]; then
		echo "ipa netgroup-mod $netgroupname --usercat=all"
	fi

	for triple in $triples; do
		triple=$(echo $triple | sed -e 's/-//g' -e 's/(//' -e 's/)//')
		if [ $(echo $triple | grep ",.*," | wc -l) -gt 0 ]; then
			hostname=$(echo $triple | cut -f1 -d,)
			username=$(echo $triple | cut -f2 -d,)
			domain=$(echo $triple | cut -f3 -d,)
			hosts=""; users=""; doms="";
			[ -n "$hostname" ] && hosts="--hosts=$hostname"
			[ -n "$username" ] && users="--users=$username"
			[ -n "$domain"   ] && doms="--nisdomain=$domain"
			echo "ipa netgroup-add-member $netgroup $hosts $users $doms"
		else
			netgroup=$triple
			echo "ipa netgroup-add $netgroup --desc=<NIS_NG>_$netgroup"
		fi
	done
done
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the IdM admin user: 

    [root@nis-server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  4. Run the script. For example: 

    [root@nis-server ~]# sh /root/nis-netgroups.sh nisdomain nis-server.example.com
    Copy to Clipboard Toggle word wrap

4.6. Migrating automount maps from NIS to IdM
Copier lien

Automount maps are a series of nested and interrelated entries that define the location (the parent entry), the associated keys, and maps. To migrate NIS automount maps to Identity Management (IdM):

Prerequisites

Procedure

  1. Install the yp-tools package: 

    [root@nis-server ~]# dnf install yp-tools -y
    Copy to Clipboard Toggle word wrap

  2. Create the /root/nis-automounts.sh script with the following content on the NIS server: 

    #!/bin/sh
# $1 is for the automount entry in ipa

ipa automountlocation-add $1

# $2 is the NIS domain, $3 is the primary NIS server, $4 is the map name

ypcat -k -d $2 -h $3 $4 > /dev/shm/nis-map.$4 2>&1

ipa automountmap-add $1 $4

basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
cat > /tmp/amap.ldif <<EOF
dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: $2
nis-map: $4
nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
nis-filter: (objectclass=\*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
EOF

# $5 is the LDAP server

ldapadd -x -h $5 -D "cn=Directory Manager" -W -f /tmp/amap.ldif

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.$4); do
	IFS=" "
	key=$(echo "$line" | awk '{print $1}')
	info=$(echo "$line" | sed -e "s^$key[ \t]*")
	ipa automountkey-add nis $4 --key="$key" --info="$info"
done
    Copy to Clipboard Toggle word wrap
    Note

    The script exports the NIS automount information, generates an LDAP Data Interchange Format (LDIF) for the automount location and associated map, and imports the LDIF file into the IdM Directory Server.

  3. Authenticate as the IdM admin user: 

    [root@nis-server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  4. Run the script. For example: 

    [root@nis-server ~]# sh /root/nis-automounts.sh location nisdomain
     nis-server.example.com map_name
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début