I have recently started playing with FreeIPA, Red Hat's identity management solution built on top of Red Hat's DS389 directory server. One of the main reasons why I decided on FreeIPA (apart from integrated Kerberos for single sign-on and possible integration with Microsoft Active Directory in the future) is the integrated NIS server: a proxy system that receives requests from NIS clients, gets the data from the LDAP server and sends it back to the clients. Now, in order to understand why I need to support both LDAP and NIS, you need to know a few things about the environment I'm in charge of.
I'm working for a software development company. We produce billing software for telecommunication operators, mainly used by mobile telecommunication companies. That means that when you make a call, your call needs to be tracked, recorded and properly billed in the end, all done by our software (called BSCS, by the way). Sounds simple enough. Multiply that by one hundred million customers making calls and it's not so simple anymore. :) Anyway, our customers use our software on different platforms: most of them use HP-UX, some are on Solaris, some on AIX, some on Linux, and we even have some customers on Tru64. In order to provide support to all those customers we need to have all those systems as well. So in the end we end up with 100+ servers of all types of UNIX systems. That's not a big problem, it's even interesting, but the problem comes up when those systems are not being upgraded. We have Solaris 2.6 servers and Tru64 4.0D servers, and until recently we even had AIX 4.3 and HP-UX 10.30 servers. All of the mentioned systems are 13 years old! Scary!
As you can imagine, those outdated systems do not support many things we take for granted today. Shadow passwords and LDAP authentication are a few of those things. And this gets us back to the main topic of this post. FreeIPA (or rather DS389) provides an integrated NIS server for unlucky people like myself via the SLAPI-NIS plugin. All you have to do in order to use it is to enable the compat and NIS plugins.
# ipa-compat-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
# ipa-nis-manage enable
Directory Manager password:
Enabling plugin
This setting will not take effect until you restart Directory Server.
The rpcbind service may need to be started.
And after a Directory Server restart you have a working NIS server.
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49833 status
100024 1 tcp 36837 status
100004 2 udp 699 ypserv
100004 2 tcp 699 ypserv
By default only the passwd, group and netgroup maps are supported, but other maps can easily be added. In our environment we rely heavily on automounter maps, so I had to find a way to add them to the FreeIPA NIS server. Luckily, as with everything else in FreeIPA, this is very simple. First let me show you how to add automount entries in FreeIPA; it is surprisingly easy.
When it comes to the automounter, FreeIPA has support for different locations. So, for example, you can have different maps for your production environment, test environment and DMZ environment. Pretty neat. In my example, I will create a new location for our DMZ environment.
# ipa automountlocation-add dmz
Location: dmz
The new location is automatically created with the auto.master and auto.direct maps.
# ipa automountmap-find dmz
Map: auto.master
Map: auto.direct
----------------------------
Number of entries returned 2
----------------------------
I would like to add a new map for user home folders.
# ipa automountmap-add dmz auto.home
Map: auto.home
Then we need to add an entry to the auto.master map to associate the /home mount point with the auto.home map.
# ipa automountkey-add dmz auto.master /home --info=auto.home
Key: /home
Mount information: auto.home
Finally, we add an entry to the auto.home map specifying which share to mount for the user miljan.
# ipa automountkey-add dmz auto.home miljan --info=filer01:/vol/users/home/miljan
Key: miljan
Mount information: filer01:/vol/users/home/miljan
And voila, when the user miljan logs on, he will have his home folder mounted.
The final step is to have this in NIS as well. For this we need to manually add a few entries to the LDAP server. In the example below we add support for the auto.master map. There are a few things you would probably need to change, though. First, the domain name in the dn and nis-domain lines; in the example I am using example.com as the domain. Second, the nis-base line: the value of this attribute needs to be the DN of your automount map.
# ldapadd -x -D "cn=Directory Manager" -W
dn: nis-domain=example.com+nis-map=auto.master,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: example.com
nis-map: auto.master
nis-base: automountmapname=auto.master,cn=dmz,cn=automount,dc=example,dc=com
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
Repeat the same for the auto.home map and you are set to go.
$ ypcat -d example.com -h freeipa.example.com -k auto.master
/home auto.home
$ ypcat -d example.com -h freeipa.example.com -k auto.home
miljan filer01:/vol/users/home/miljan
Nice and easy. :)
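The "repeat the same for auto.home" step is easy to get wrong by hand (a typo in nis-base silently yields an empty map), so here is a small POSIX sh generator, added as an example and not part of the original post, that emits the SLAPI-NIS entry shown above for every automount map in a location. It assumes the DN layout from the post (automountmapname=<map>,cn=<location>,cn=automount,<base DN>) and that the base DN is derived from the NIS domain name; the function names are my own.

```shell
#!/bin/sh
# Added example: generate SLAPI-NIS map entries for FreeIPA automount maps.
# Assumption: base DN is the NIS domain split into dc= components, as in the post.

# domain_to_basedn example.com -> dc=example,dc=com
domain_to_basedn() {
    printf '%s\n' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# nis_map_ldif <nis-domain> <location> <map>
# Prints one LDIF entry mirroring the post's auto.master entry, for any map name.
nis_map_ldif() {
    domain=$1; location=$2; map=$3
    basedn=$(domain_to_basedn "$domain")
    cat <<EOF
dn: nis-domain=${domain}+nis-map=${map},cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: ${domain}
nis-map: ${map}
nis-base: automountmapname=${map},cn=${location},cn=automount,${basedn}
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}

EOF
}

# all_maps_ldif <nis-domain> <location> <map>...
# One blank-line-separated entry per map, ready to pipe into ldapadd.
all_maps_ldif() {
    domain=$1; location=$2; shift 2
    for map in "$@"; do
        nis_map_ldif "$domain" "$location" "$map"
    done
}

# Usage (prompts for the Directory Manager password, as in the post):
#   all_maps_ldif example.com dmz auto.master auto.direct auto.home \
#       | ldapadd -x -D "cn=Directory Manager" -W
```

After the Directory Server restart, `ypcat -k` on each map, as shown above, is the quickest way to confirm that nis-base points at the right location.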
You might also like to know that by default FreeIPA creates a mirrored nisnetgroup for every native FreeIPA hostgroup you make. This is designed to help bridge the gap in mixed environments such as yours. That way you can control access via the FreeIPA HBAC (host based access control) and native NIS / access.conf mechanisms.