
21.5. Migrating from NIS to IdM


Migrating from an existing NIS server to Identity Management (IdM) requires the following steps:

21.5.1. Preparing Netgroup Entries in IdM

Before migrating, identify what kind of identities are being managed in the current NIS server:
User Entries
Determine what applications are using the user information provided by NIS. While some utilities, such as sudo, require NIS netgroups, several others can use regular UNIX groups.
To migrate:
  1. Create the corresponding user accounts in IdM. See Section 21.5.3.1, “Migrating User Entries”.
  2. If you additionally require netgroups, add the users to the netgroups. See Section 21.5.3.4, “Migrating Netgroup Entries”.
Host Entries
When you create a host group in IdM, a corresponding shadow NIS group is automatically created. Do not use the ipa netgroup-* commands on these shadow NIS groups. Use the ipa netgroup-* commands only to manage native netgroups created via the netgroup-add command.
For a Direct Conversion
If every user and host entry must use the same name, you can create the entries using the same names in IdM:
  1. Create an entry for every user referenced in a netgroup.
  2. Create an entry for every host referenced in a netgroup.
  3. Create a netgroup with the same name as the original netgroup.
  4. Add the users and hosts as direct members of the netgroup. If the users and hosts are members of groups or host groups, you can alternatively add these groups to the netgroup.

21.5.2. Enabling the NIS Listener in Identity Management

21.5.3. Exporting and Importing the Existing NIS Data

A NIS server can contain information about users, groups, hosts, netgroups, and automount maps. You can migrate these entry types to IdM.
In the following sections, we export the data from the current NIS server using the ypcat command, and use the output to import the entries to IdM using the corresponding ipa *-add commands.
  • Make sure you install the yp-tools package, since it provides the ypcat command used in the migration script:
    [root@nis-server ~]# yum install yp-tools -y

21.5.3.1. Migrating User Entries

The NIS passwd map contains information about users, such as names, UIDs, primary group, GECOS, shell, and home directory. Use this data to migrate NIS user accounts to IdM:
  1. Optional: If you require weak password support, see Section 21.5.4, “Enabling Weak Password Hashing for NIS User Authentication”.
  2. Create the /root/nis-users.sh script with the following content:
    #!/bin/sh
    # $1 is the NIS domain, $2 is the NIS master server
    ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.passwd) ; do
    	IFS=' '
    	# Quote $line so that multiple spaces in the GECOS field survive
    	username=$(echo "$line" | cut -f1 -d:)
    	# Not collecting encrypted password because we need cleartext password
    	# to create kerberos key
    	uid=$(echo "$line" | cut -f3 -d:)
    	gid=$(echo "$line" | cut -f4 -d:)
    	gecos=$(echo "$line" | cut -f5 -d:)
    	homedir=$(echo "$line" | cut -f6 -d:)
    	shell=$(echo "$line" | cut -f7 -d:)
    
    	# Now create this entry
    	echo passw0rd1 | ipa user-add "$username" --first=NIS --last=USER \
    	     --password --gidnumber="$gid" --uid="$uid" --gecos="$gecos" --homedir="$homedir" \
    	     --shell="$shell"
    	ipa user-show "$username"
    done
  3. Authenticate as the IdM admin user:
    [root@nis-server ~]# kinit admin
  4. Run the script. For example:
    [root@nis-server ~]# sh /root/nis-users.sh nisdomain nis-master.example.com
    Note
    This script uses hard-coded values for the first name and last name, and sets the password to passw0rd1. The user must change this temporary password at the next login.

21.5.3.2. Migrating Group Entries

The NIS group map contains information about groups, such as group names, GIDs, or group members. Use this data to migrate NIS groups to IdM:
  1. Create the /root/nis-groups.sh script with the following content:
    #!/bin/sh
    # $1 is the NIS domain, $2 is the NIS master server
    ypcat -d $1 -h $2 group > /dev/shm/nis-map.group 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.group); do
    	IFS=' '
    	groupname=$(echo "$line" | cut -f1 -d:)
    	# Field 2 is the group password, which is not migrated
    	gid=$(echo "$line" | cut -f3 -d:)
    	# Field 4 is the comma-separated member list; ipa accepts it as-is
    	members=$(echo "$line" | cut -f4 -d:)
    
    	# Now create this entry
    	ipa group-add "$groupname" --desc=NIS_GROUP_$groupname --gid="$gid"
    	if [ -n "$members" ]; then
    		ipa group-add-member "$groupname" --users="$members"
    	fi
    	ipa group-show "$groupname"
    done
  2. Authenticate as the IdM admin user:
    [root@nis-server ~]# kinit admin
  3. Run the script. For example:
    [root@nis-server ~]# sh /root/nis-groups.sh nisdomain nis-master.example.com

21.5.3.3. Migrating Host Entries

The NIS hosts map contains information about hosts, such as host names and IP addresses. Use this data to migrate NIS host entries to IdM:
  1. Create the /root/nis-hosts.sh script with the following content:
    #!/bin/sh
    # $1 is the NIS domain, $2 is the NIS master server
    ypcat -d $1 -h $2 hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1
    
    # IdM server and DNS domain, taken from the IdM client configuration
    master=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
    domain=$(ipa env domain | tr -d '[:space:]' | cut -f2 -d:)
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.hosts); do
    	IFS=' '
    	ipaddress=$(echo $line | awk '{print $1}')
    	hostname=$(echo $line | awk '{print $2}')
    	# Qualify short host names with the IdM domain
    	if [ $(echo $hostname | grep "\." |wc -l) -eq 0 ] ; then
    		hostname=$hostname.$domain
    	fi
    	# Create the forward zone if it does not exist yet
    	zone=$(echo $hostname | cut -f2- -d.)
    	if [ $(ipa dnszone-show $zone 2>/dev/null | wc -l) -eq 0 ] ; then
    		ipa dnszone-add $zone --name-server=$master --admin-email=root.$master
    	fi
    	# Create the reverse zone for the /24 network if it does not exist yet
    	ptrzone=$(echo $ipaddress | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
    	if [ $(ipa dnszone-show $ptrzone 2>/dev/null | wc -l) -eq 0 ] ; then
    		ipa dnszone-add $ptrzone --name-server=$master --admin-email=root.$master
    	fi
    	# Now create this entry
    	ipa host-add $hostname --ip-address=$ipaddress
    	ipa host-show $hostname
    done
  2. Authenticate as the IdM admin user:
    [root@nis-server ~]# kinit admin
  3. Run the script. For example:
    [root@nis-server ~]# sh /root/nis-hosts.sh nisdomain nis-master.example.com
    Note
    This script does not migrate special host configurations, such as aliases.

21.5.3.4. Migrating Netgroup Entries

The NIS netgroup map contains information about netgroups. Use this data to migrate NIS netgroups to IdM:
  1. Create the /root/nis-netgroups.sh script with the following content:
    #!/bin/sh
    # $1 is the NIS domain, $2 is the NIS master server
    # This script prints the ipa commands instead of running them, so that you
    # can review the output before executing it (for example by piping it to sh).
    ypcat -k -d $1 -h $2 netgroup > /dev/shm/nis-map.netgroup 2>&1
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.netgroup); do
    	IFS=' '
    	netgroupname=$(echo $line | awk '{print $1}')
    	triples=$(echo $line | sed "s/^$netgroupname //")
    	echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
    	# An empty host or user field in a triple is a wildcard
    	if [ $(echo $line | grep "(," | wc -l) -gt 0 ]; then
    		echo "ipa netgroup-mod $netgroupname --hostcat=all"
    	fi
    	if [ $(echo $line | grep ",," | wc -l) -gt 0 ]; then
    		echo "ipa netgroup-mod $netgroupname --usercat=all"
    	fi
    
    	for triple in $triples; do
    		# Strip the parentheses; a lone "-" field means "no value".
    		# Only whole fields are touched, so dashes in host names survive.
    		triple=$(echo $triple | sed -e 's/(//' -e 's/)//' -e 's/^-,/,/' -e 's/,-,/,,/' -e 's/,-$/,/')
    		if [ $(echo $triple | grep ",.*," | wc -l) -gt 0 ]; then
    			hostname=$(echo $triple | cut -f1 -d,)
    			username=$(echo $triple | cut -f2 -d,)
    			domain=$(echo $triple | cut -f3 -d,)
    			hosts=""; users="";
    			[ -n "$hostname" ] && hosts="--hosts=$hostname"
    			[ -n "$username" ] && users="--users=$username"
    			if [ -n "$hosts$users" ]; then
    				echo "ipa netgroup-add-member $netgroupname $hosts $users"
    			fi
    			# In IdM the NIS domain is an attribute of the netgroup, not of a member
    			[ -n "$domain" ] && echo "ipa netgroup-mod $netgroupname --nisdomain=$domain"
    		else
    			# A token without a triple is a nested netgroup
    			echo "ipa netgroup-add-member $netgroupname --netgroups=$triple"
    		fi
    	done
    done
  2. Authenticate as the IdM admin user:
    [root@nis-server ~]# kinit admin
  3. Run the script. For example:
    [root@nis-server ~]# sh /root/nis-netgroups.sh nisdomain nis-master.example.com
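The triple parsing that the netgroup procedure above relies on, as an added example that is not part of the Red Hat script: the helper nis_netgroup_to_ipa and the sample map line are constructed here, and the helper prints the ipa commands rather than running them so the result can be reviewed before import. It covers the cases a raw NIS map can contain: a lone "-" field (no value), a nested netgroup name, and host names containing dashes.

```shell
#!/bin/sh
# Added example, not part of the Red Hat script above: turn one line of
# "ypcat -k netgroup" output into the ipa commands that recreate it.
# Triple rules: an empty host or user field is a wildcard (mapped to
# --hostcat/--usercat=all, as the page's script does), a lone "-" means
# "no value", and a token without parentheses is a nested netgroup.
# In IdM the NIS domain is an attribute of the netgroup itself.

# Constructed sample line in ypcat -k format; not real data.
SAMPLE='webadmins (web-01.example.com,alice,) (,bob,nisdomain) (db-02,-,) dbadmins'

nis_netgroup_to_ipa() {
    line=$1
    name=${line%% *}                        # first word is the netgroup name
    triples=${line#* }                      # the rest are the members
    [ "$triples" = "$line" ] && triples=""  # netgroup without members
    hostcat=""; usercat=""; nisdom=""
    printf 'ipa netgroup-add %s --desc=NIS_NG_%s\n' "$name" "$name"
    for t in $triples; do
        case $t in
        "("*")")
            t=${t#"("}; t=${t%")"}
            host=${t%%,*}; rest=${t#*,}
            user=${rest%%,*}; dom=${rest#*,}
            [ "$dom" = "$rest" ] && dom=""      # malformed two-field triple
            [ -z "$host" ] && hostcat=all
            [ -z "$user" ] && usercat=all
            [ "$host" = "-" ] && host=""
            [ "$user" = "-" ] && user=""
            [ -n "$dom" ] && [ "$dom" != "-" ] && nisdom=$dom
            args=""
            [ -n "$host" ] && args="$args --hosts=$host"
            [ -n "$user" ] && args="$args --users=$user"
            [ -n "$args" ] && printf 'ipa netgroup-add-member %s%s\n' "$name" "$args"
            ;;
        *)
            printf 'ipa netgroup-add-member %s --netgroups=%s\n' "$name" "$t"
            ;;
        esac
    done
    [ -n "$hostcat" ] && printf 'ipa netgroup-mod %s --hostcat=all\n' "$name"
    [ -n "$usercat" ] && printf 'ipa netgroup-mod %s --usercat=all\n' "$name"
    [ -n "$nisdom" ] && printf 'ipa netgroup-mod %s --nisdomain=%s\n' "$name" "$nisdom"
    return 0
}

nis_netgroup_to_ipa "$SAMPLE"
```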

21.5.3.5. Migrating Automount Maps

Automount maps are a series of nested and interrelated entries that define the location (the parent entry), the associated keys, and maps. To migrate NIS automount maps to IdM:
  1. Create the /root/nis-automounts.sh script with the following content:
    #!/bin/sh
    # $1 is for the automount entry in ipa
    
    ipa automountlocation-add $1
    
    # $2 is the NIS domain, $3 is the NIS master server, $4 is the map name
    ypcat -k -d $2 -h $3 $4 > /dev/shm/nis-map.$4 2>&1
    
    ipa automountmap-add $1 $4
    
    basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
    # The LDIF is loaded into the IdM Directory Server, not into the NIS master
    master=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
    ldif=$(mktemp /tmp/amap.XXXXXX)
    cat > $ldif <<EOF
    dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
    objectClass: extensibleObject
    nis-domain: $2
    nis-map: $4
    nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
    nis-filter: (objectclass=*)
    nis-key-format: %{automountKey}
    nis-value-format: %{automountInformation}
    EOF
    ldapadd -x -h $master -D "cn=Directory Manager" -W -f $ldif
    rm -f $ldif
    
    IFS=$'\n'
    for line in $(cat /dev/shm/nis-map.$4); do
    	IFS=" "
    	key=$(echo "$line" | awk '{print $1}')
    	info=$(echo "$line" | sed -e "s#^$key[ \t]*##")
    	ipa automountkey-add $1 $4 --key="$key" --info="$info"
    done
    The script exports the NIS automount information, generates an LDAP Data Interchange Format (LDIF) file for the automount location and its associated map, and imports the LDIF file into the IdM Directory Server. For further details, see Section 21.4, “Exposing Automount Maps to NIS Clients”.
  2. Authenticate as the IdM admin user:
    [root@nis-server ~]# kinit admin
  3. Run the script. For example:
    [root@nis-server ~]# sh /root/nis-automounts.sh location nisdomain \
         nis-master.example.com map_name

21.5.4. Enabling Weak Password Hashing for NIS User Authentication

Using the Directory Server component's default setting, passwords stored in the userPassword attribute are hashed using the salted secure hash algorithm (SSHA). If your NIS clients require a weak hashing algorithm for passwords, update the password storage scheme setting.
Enabling a weak password hashing scheme affects only passwords stored in the userPassword attribute. Kerberos does not use this attribute, so Kerberos keys and encryption are not affected by this setting.
For example, to enable CRYPT hashed passwords:
[root@server ~]# ldapmodify -D "cn=Directory Manager" -W -p 389 -h ipaserver.example.com -x
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt
Note
Because password hashes cannot be reversed, Directory Server does not convert existing password hashes. The server applies the new password storage scheme only to passwords set after you changed the scheme.