
Identity Management Guide

Chapter 7. Identity: Integrating with NIS Domains and Netgroups

Network information service (NIS) is one of the most common ways to manage identities and authentication on Unix networks. It is simple and easy to use, but it also has inherent security risks and a lack of flexibility that can make administering NIS domains problematic.
Identity Management supplies a way to integrate netgroups and other NIS data into the IdM domain, which incorporates the stronger security structure of IdM over the NIS configuration. Alternatively, administrators can simply migrate user and host identities from a NIS domain into the IdM domain.

7.1. About NIS and Identity Management

Network information service (NIS) centrally manages authentication and identity information such as users and passwords, hosts and IP addresses, and POSIX groups. This was originally called Yellow Pages (abbreviated YP) because of its simple focus on identity and authentication lookups.
NIS is considered too insecure for most modern network environments because it provides no host authentication mechanisms and it transmits all of its information over the network unencrypted, including password hashes. While NIS has been falling out of favor with administrators, it is still actively used by many system clients. There are ways to work around those insecurities by integrating NIS with other protocols which offer enhanced security.
In Identity Management, NIS objects are integrated into IdM using the underlying LDAP directory. LDAP services offer support for NIS objects (as defined in RFC 2307), which Identity Management customizes to provide better integration with other domain identities. The NIS object is created inside the LDAP service and then a module like nss_ldap or SSSD fetches the object using an encrypted LDAP connection.
NIS entities are stored in netgroups. A netgroup allows nesting (groups inside groups), which standard Unix groups do not support. Netgroups also provide a way to group hosts, which is likewise missing from Unix groups.
NIS groups work by defining users and hosts as members of a larger domain. A netgroup entry is a set of three values, host, user, and domain, called a triple:
host,user,domain
A netgroup triple associates the user or the host with the domain; it does not associate the user and the host with each other. Therefore, a triple usually defines a host or a user for better clarity and management.
host.example.com,,nisdomain.example.com
-,jsmith,nisdomain.example.com
NIS distributes more than just netgroup data. It stores information about users and passwords, groups, network data, and hosts, among other information. Identity Management can use a NIS listener to map passwords, groups, and netgroups to IdM entries.
In IdM LDAP entries, the users in a netgroup can be a single user or a group; both are identified by the memberUser attribute. Likewise, hosts can be either a single host or a host group; both are identified by the memberHost attribute.
dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=accounts,...
objectclass: top
objectclass: ipaAssociation
objectclass: ipaNISNetgroup
ipaUniqueID: d4453480-cc53-11dd-ad8b-0800200c9a66
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,...
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,...
memberUser: cn=jsmith,cn=users,cn=accounts,...
memberUser: cn=bjensen,cn=users,cn=accounts,...
memberUser: cn=Engineering,cn=groups,cn=accounts,...
nisDomainName: nisdomain.example.com
In Identity Management, these netgroup entries are handled using the netgroup-* commands, which show the basic LDAP entry:
# ipa netgroup-show netgroup1
Netgroup name: netgroup1
Description: my netgroup
NIS domain name: nisdomain
Member User: jsmith
Member User: bjensen
Member User: Engineering
Member Host: host1.example.com
Member Host: VirtGuests
When a client attempts to access the NIS netgroup, then Identity Management translates the LDAP entry into a traditional NIS map and sends it to a client over the NIS protocol (using a NIS plug-in) or it translates it into an LDAP format that is compliant with RFC 2307 or RFC 2307bis.
For more information on NIS, see the Berkeley lab manpages at http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4.

7.2. Setting the NIS Port for Identity Management

The IdM server binds to its NIS services over a random port that is selected when the server starts. It sends that port assignment to the portmapper so that NIS clients know what port to use to contact the IdM server.
Administrators may need to open a firewall for NIS clients or may have other services that need to know the port number in advance and need that port number to remain the same. In that case, an administrator can specify the port to use.

NOTE

Any available port number below 1024 can be used for the NIS Plug-in setting.
The NIS configuration is in the NIS Plug-in in Identity Management's internal Directory Server instance. To specify the port:
  1. Edit the plug-in configuration and add the port number as an argument. For example, to set the port to 514:
    [root@ipaserver ~]# ldapmodify -x -D 'cn=directory manager' -w secret
    dn: cn=NIS Server,cn=plugins,cn=config
    changetype: modify
    add: nsslapd-pluginarg0
    nsslapd-pluginarg0: 514

    modifying entry "cn=NIS Server,cn=plugins,cn=config"
  2. Restart the Directory Server to load the new plug-in configuration.
    [root@ipaserver ~]# service dirsrv restart

7.3. Creating Netgroups

All netgroups in Identity Management are essentially static groups, meaning that the members of the group are manually and explicitly added to the group. IdM also allows nested groups, where a group is a member of another group. In that case, all of the members of the member group automatically belong to the parent group as well.
Netgroups are added in two steps: the group itself is created, and then members are added to it.

7.3.1. Adding Netgroups

7.3.1.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click the Add link at the top of the netgroups list.
  3. Enter both a unique name and a description for the netgroup. Both the name and description are required.
    The group name is the identifier used for the netgroup in the IdM domain, and it cannot be changed after it is created. The name cannot contain spaces, but other separators like an underscore (_) are allowed.
  4. Click the Add and Edit button to go immediately to the netgroup's edit pages.
  5. Optionally, set the NIS domain for the netgroup. This defaults to the IdM domain, but it can be changed.
    1. Click the Settings tab.
    2. Enter the name of the alternate NIS domain in the NIS domain name field.
      The NIS domain name field sets the domain that appears in the netgroup triple. It does not affect which NIS domain the Identity Management listener responds to.
  6. Add members, as described in Section 7.3.2.1, "With the Web UI".

7.3.1.2. With the Command Line

New netgroups are added using the netgroup-add command. This adds only the group; members are added separately. Two attributes are always required: the group name and the group description. If those attributes are not given as arguments, then the script prompts for them. There is also an option to set the NIS domain name to use for the group; this defaults to the IdM domain, but it can be set to something different, depending on the network configuration.
$ ipa netgroup-add --desc="description"  [--nisdomain=domainName]  groupName
For example:
# ipa netgroup-add --desc="my new netgroup" example-netgroup
# ipa netgroup-add-member --hosts=ipa.example.com example-netgroup
# ypcat -d example.com -h ipa.example.com netgroup
(ipa.example.com,-,example.com)

NOTE

The --nisdomain option sets the domain that appears in the netgroup triple. It does not affect which NIS domain the Identity Management listener responds to.

7.3.2. Adding Netgroup Members

NOTE

Netgroups can contain user groups, host groups, and other netgroups as their members. These are nested groups.
It can take up to several minutes for the members of the child group to show up as members of the parent group. This is especially true on virtual machines where the nested groups have more than 500 members.
When creating nested groups, be careful not to create recursive groups. For example, if GroupA is a member of GroupB, do not add GroupB as a member of GroupA. Recursive groups are not supported and can cause unpredictable behavior.

7.3.2.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click the name of the netgroup to which to add members.
  3. Select the tab for the type of netgroup member to add. Netgroups can have users, user groups, hosts, host groups, and other netgroups as members.
  4. Click the Add link at the top of the task area.
  5. Click the checkbox by the names of the users to add, and click the right arrows button, >>, to move the names to the selection box.
  6. Click the Add button.

7.3.2.2. With the Command Line

Once the group is configured, begin adding netgroup members with the netgroup-add-member command. Users, groups, hosts, host groups, and other netgroups can all be added to the netgroup entry. The entry name of the NIS group being edited usually comes at the end of the command:
# ipa netgroup-add-member --users=users --groups=groups --hosts=hosts --hostgroups=hostGroups --netgroups=netgroups  groupName
To set more than one member, use a comma-separated list with the option. For example, this sets two users and two hosts with the other configuration:
# ipa netgroup-add-member --users=jsmith,bjensen --groups=ITadmin --hosts=host1.example.com,host2.example.com --hostgroups=EngDev --netgroups=nisgroup2 example-group

7.4. Exposing Automount Maps to NIS Clients

When the NIS service is enabled on a system, the IdM server is automatically configured to set the NIS domain to the IdM domain's name, and to include IdM users, groups, and netgroups as passwd, group, and netgroup maps in the NIS domain.
If any automount maps are already defined, these maps need to be manually added to the NIS configuration in Identity Management for them to be exposed to NIS clients. The NIS server is managed by a special plug-in entry in the IdM LDAP directory; this is a container entry, and each NIS domain and map used by the NIS server is configured as a child entry beneath that container. The NIS domain entry must have the name of the NIS domain, the name of the NIS map, how to find the directory entries to use as the NIS map's contents, and which attributes to use as the NIS map's key and value. Most of these settings will be the same for every map.
The IdM server stores the automount maps, grouped by automount location, in the cn=automount branch of the IdM directory tree.
The NIS domain and map are added using LDAP tools, like ldapadd, to edit the directory directly. For example, this adds an automount map named auto.example in a location named default, for a server named nisserver:
ldapadd -h nisserver.example.com -x -D "cn=Directory Manager" -w secret
dn: nis-domain=example.com+nis-map=auto.example,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: example.com
nis-map: auto.example
nis-filter: (objectclass=automount)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
nis-base: automountmapname=auto.example,cn=default,cn=automount,dc=example,dc=com
A similar add operation needs to be run for every map that is configured.

7.5. Migrating from NIS to IdM

There is no direct migration path from NIS to Identity Management. This is a manual process with three major steps: setting up netgroup entries in IdM, exporting the existing data from NIS, and importing that data into IdM. There are several options for how to set up the IdM environment and how to export data; the best option depends on the type of data and the overall network environment that you have.

7.5.1. Preparing Netgroup Entries in IdM

The first step is to identify what kinds of identities are being managed by NIS. Frequently, a NIS server is used for either user entries or host entries, but not for both, which can simplify the data migration process.
For user entries
Determine what applications are using the user information in the NIS server. While some clients (like sudo) require NIS netgroups, many clients can use Unix groups instead. If no netgroups are required, then simply create corresponding user accounts in IdM and delete the netgroups entirely. Otherwise, create the user entries in IdM and then create an IdM-managed netgroup and add those users as members. This is described in Section 7.3, "Creating Netgroups".
For host entries
Whenever a host group is created in IdM, a corresponding shadow NIS group is automatically created. These netgroups can then be managed using the ipa-host-net-manage command.
For a direct conversion
It may be necessary to have an exact conversion, with every NIS user and host having an exact corresponding entry in IdM. In that case, each entry can be created using the original NIS names:
  1. Create an entry for every user referenced in a netgroup.
  2. Create an entry for every host referenced in a netgroup.
  3. Create a netgroup with the same name as the original netgroup.
  4. Add the users and hosts as direct members of the netgroup. Alternatively, add the users and hosts to IdM groups or other netgroups, and then add those groups as members of the netgroup.

7.5.2. Enabling the NIS Listener in Identity Management

The IdM Directory Server can function as a limited NIS server. The slapi-nis plug-in sets up a special NIS listener that receives incoming NIS requests and manages the NIS maps within the Directory Server. Identity Management uses three NIS maps:
  • passwd
  • group
  • netgroup
Using IdM as an intermediate NIS server offers a reasonable way to handle NIS requests while migrating NIS clients and data.
The slapi-nis plug-in is not enabled by default. To enable NIS for Identity Management:
  1. Obtain new Kerberos credentials as an IdM admin user.
    [root@ipaserver ~]# kinit admin
  2. Enable the NIS listener and compatibility plug-ins:
    [root@ipaserver ~]# ipa-nis-manage enable
    [root@ipaserver ~]# ipa-compat-manage enable
  3. Restart the rpcbind (portmapper) and Directory Server services:
    [root@server ~]# service rpcbind restart
    [root@server ~]# service dirsrv restart

7.5.3. Exporting and Importing the Existing NIS Data

NIS can contain information for users, groups, DNS and hosts, netgroups, and automount maps. Any of these entry types can be migrated over to the IdM server.
Migration is performed by exporting the data using ypcat and then looping through that output and creating the IdM entries with the corresponding ipa *-add commands. While this could be done manually, it is easiest to script it. These examples use a shell script.

7.5.3.1. Importing User Entries

The /etc/passwd file contains all of the NIS user information. These entries can be used to create IdM user accounts with UID, GID, gecos, shell, home directory, and name attributes that mirror the NIS entries.
For example, this is nis-user.sh:
#!/bin/sh
# nis-user.sh: $1 is the NIS domain, $2 is the NIS master server
ypcat -d "$1" -h "$2" passwd > /dev/shm/nis-map.passwd 2>&1

# passwd map fields: name:password:uid:gid:gecos:home:shell
while IFS=: read -r username _pw uid gid gecos homedir shell; do
    # The encrypted password is not collected because a cleartext password
    # is needed to create the Kerberos key; a temporary password is set
    # instead and the user must change it at the next login
    echo passw0rd1 | ipa user-add "$username" --first=NIS --last=USER --password \
        --gidnumber="$gid" --uid="$uid" --gecos="$gecos" \
        --homedir="$homedir" --shell="$shell"
    ipa user-show "$username"
done < /dev/shm/nis-map.passwd
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-user.sh nisdomain nis-master.example.com

NOTE

This script does not migrate user passwords. Rather, it creates a temporary password which users are then prompted to change when they next log in.

7.5.3.2. Importing Group Entries

The /etc/group file contains all of the NIS group information. These entries can be used to create IdM user groups with the GID, name, and membership attributes that mirror the NIS entries.
For example, this is nis-group.sh:
#!/bin/sh
# nis-group.sh: $1 is the NIS domain, $2 is the NIS master server
ypcat -d "$1" -h "$2" group > /dev/shm/nis-map.group 2>&1

# group map fields: name:password:gid:member,member,...
while IFS=: read -r groupname _pw gid members; do
    # The group password field is not migrated
    ipa group-add "$groupname" --desc="NIS_GROUP_$groupname" --gid="$gid"
    if [ -n "$members" ]; then
        ipa group-add-member "$groupname" --users="$members"
    fi
    ipa group-show "$groupname"
done < /dev/shm/nis-map.group
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-group.sh nisdomain nis-master.example.com

7.5.3.3. Importing Host Entries

The /etc/hosts file contains all of the NIS host information. These entries can be used to create IdM host accounts that mirror the NIS entries.
For example, this is nis-hosts.sh:
#!/bin/sh
# nis-hosts.sh: $1 is the NIS domain, $2 is the NIS master server
ypcat -d "$1" -h "$2" hosts | egrep -v "localhost|127.0.0.1" > /dev/shm/nis-map.hosts 2>&1

# The IdM server (taken from the XML-RPC URI) and the IdM domain, looked up once
master=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
domain=$(ipa env domain | tr -d '[:space:]' | cut -f2 -d:)

# hosts map fields: ipaddress hostname [aliases...]
while read -r ipaddress hostname _aliases; do
    # Qualify short host names with the IdM domain
    case "$hostname" in
        *.*) ;;
        *) hostname="$hostname.$domain" ;;
    esac
    # Create the forward zone if it does not exist yet
    zone=$(echo "$hostname" | cut -f2- -d.)
    if ! ipa dnszone-show "$zone" > /dev/null 2>&1; then
        ipa dnszone-add "$zone" --name-server="$master" --admin-email="root.$master"
    fi
    # Create the reverse zone for the /24 if it does not exist yet
    ptrzone=$(echo "$ipaddress" | awk -F. '{print $3 "." $2 "." $1 ".in-addr.arpa."}')
    if ! ipa dnszone-show "$ptrzone" > /dev/null 2>&1; then
        ipa dnszone-add "$ptrzone" --name-server="$master" --admin-email="root.$master"
    fi
    # Now create the host entry
    ipa host-add "$hostname" --ip-address="$ipaddress"
    ipa host-show "$hostname"
done < /dev/shm/nis-map.hosts
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-hosts.sh nisdomain nis-master.example.com

NOTE

This script example does not account for special host scenarios, such as using aliases.

7.5.3.4. Importing Netgroup Entries

The /etc/netgroup file contains all of the NIS netgroup information. These entries can be used to create IdM netgroup accounts that mirror the NIS entries.
For example, this is nis-netgroup.sh:
#!/bin/sh
# nis-netgroup.sh: $1 is the NIS domain, $2 is the NIS master server
# The ipa commands are printed rather than run, so that they can be
# reviewed first and then piped to a shell.
ypcat -k -d "$1" -h "$2" netgroup > /dev/shm/nis-map.netgroup 2>&1

# netgroup map lines: name followed by (host,user,domain) triples and nested netgroup names
while read -r netgroupname triples; do
    echo "ipa netgroup-add $netgroupname --desc=NIS_NG_$netgroupname"
    # An empty host or user field in any triple means "any host" / "any user"
    if [ $(echo "$triples" | grep -c "(,") -gt 0 ]; then
        echo "ipa netgroup-mod $netgroupname --hostcat=all"
    fi
    if [ $(echo "$triples" | grep -c ",,") -gt 0 ]; then
        echo "ipa netgroup-mod $netgroupname --usercat=all"
    fi
    for triple in $triples; do
        # Strip the parentheses and turn a '-' placeholder field into an empty
        # field (whole fields only, so hyphens inside host names survive)
        triple=$(echo "$triple" | sed -e 's/^(//' -e 's/)$//' -e 's/^-,/,/' -e 's/,-,/,,/' -e 's/,-$/,/')
        if [ $(echo "$triple" | grep -c ",.*,") -gt 0 ]; then
            hostname=$(echo "$triple" | cut -f1 -d,)
            username=$(echo "$triple" | cut -f2 -d,)
            domain=$(echo "$triple" | cut -f3 -d,)
            hosts=""; users=""; doms=""
            [ -n "$hostname" ] && hosts="--hosts=$hostname"
            [ -n "$username" ] && users="--users=$username"
            [ -n "$domain"   ] && doms="--nisdomain=$domain"
            echo "ipa netgroup-add-member $netgroupname $hosts $users $doms"
        else
            # A bare name is a nested netgroup: create it, then add it as a member
            netgroup=$triple
            echo "ipa netgroup-add $netgroup --desc=NIS_NG_$netgroup"
            echo "ipa netgroup-add-member $netgroupname --netgroups=$netgroup"
        fi
    done
done < /dev/shm/nis-map.netgroup
As explained briefly in Section 7.1, "About NIS and Identity Management", NIS entries exist in a set of three values, called a triple. The triple is host,user,domain, but not every component is required; commonly, a triple only defines a host and domain or user and domain. The way this script is written, the ipa netgroup-add-member command always adds a host, user, and domain triple to the netgroup.
if [ $(echo "$triple" | grep -c ",.*,") -gt 0 ]; then
    hostname=$(echo "$triple" | cut -f1 -d,)
    username=$(echo "$triple" | cut -f2 -d,)
    domain=$(echo "$triple" | cut -f3 -d,)
    hosts=""; users=""; doms=""
    [ -n "$hostname" ] && hosts="--hosts=$hostname"
    [ -n "$username" ] && users="--users=$username"
    [ -n "$domain"   ] && doms="--nisdomain=$domain"
    echo "ipa netgroup-add-member $netgroupname $hosts $users $doms"
Any missing element is added as a blank, so the triple is properly migrated. For example, for the triple server,,domain the options with the member add command are --hosts=server --users="" --nisdomain=domain.
This can be run for a given NIS domain by specifying the NIS domain and NIS server:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-netgroup.sh nisdomain nis-master.example.com
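Before running nis-netgroup.sh against a real map, it is worth checking the exported netgroups for the recursive nesting that Section 7.3.2 warns about, and seeing how the '-' placeholder and the empty (wildcard) fields of a triple from Section 7.1 map onto ipa options. The following Python script is an added example, not part of the guide or of Identity Management: it parses a constructed ypcat -k netgroup export, refuses recursive nesting, and emits the equivalent ipa commands, creating every netgroup before any member is added and setting --nisdomain once on netgroup-add.

```python
from collections import defaultdict

# Constructed sample of `ypcat -k netgroup` output (not from any real map):
# a '-' field means "no value", an empty field means "any host" / "any user".
SAMPLE_MAP = """\
engineers (-,jsmith,example.com) (-,bjensen,example.com)
build-hosts (build-01.example.com,-,example.com) (build-02.example.com,-,example.com)
all-users (,,example.com)
lab engineers build-hosts (lab-gw.example.com,,example.com)
"""


def parse_netgroup_map(text):
    """{netgroup: (triples, nested)}; a triple is (host, user, domain), None for '-', '' for wildcard."""
    groups = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        triples, nested = [], []
        for member in fields[1:]:
            if member.startswith("("):
                h, u, d = member.strip("()").split(",")
                triples.append(tuple(None if f == "-" else f for f in (h, u, d)))
            else:
                nested.append(member)  # a bare word is a nested netgroup
        groups[fields[0]] = (triples, nested)
    return groups


def find_cycle(groups):
    """DFS over nested memberships; returns the cycle as names (first == last) or []."""
    state, path = defaultdict(int), []  # 0 = unvisited, 1 = on the stack, 2 = done

    def visit(name):
        state[name] = 1
        path.append(name)
        for child in groups.get(name, ([], []))[1]:
            if state[child] == 1:
                return path[path.index(child):] + [child]
            if state[child] == 0 and (found := visit(child)):
                return found
        path.pop()
        state[name] = 2
        return []

    for name in groups:
        if state[name] == 0 and (found := visit(name)):
            return found
    return []


def ipa_commands(groups):
    """ipa commands recreating the map: refuse recursion, create all netgroups before members."""
    cycle = find_cycle(groups)
    if cycle:
        raise ValueError("recursive netgroup nesting: " + " -> ".join(cycle))
    cmds = []
    for name, (triples, _) in groups.items():
        domains = {d for _, _, d in triples if d}
        if len(domains) > 1:  # IdM stores a single nisDomainName per netgroup
            raise ValueError(f"{name}: triples span several NIS domains {sorted(domains)}")
        cmd = f"ipa netgroup-add {name} --desc=NIS_NG_{name}"
        cmds.append(cmd + (f" --nisdomain={domains.pop()}" if domains else ""))
        if any(h == "" for h, _, _ in triples):
            cmds.append(f"ipa netgroup-mod {name} --hostcat=all")
        if any(u == "" for _, u, _ in triples):
            cmds.append(f"ipa netgroup-mod {name} --usercat=all")
    for name, (triples, nested) in groups.items():
        for host, user, _ in triples:
            opts = [f"--hosts={host}"] if host else []
            opts += [f"--users={user}"] if user else []
            if opts:  # a triple with neither host nor user only set a category above
                cmds.append(f"ipa netgroup-add-member {name} " + " ".join(opts))
        for child in nested:
            cmds.append(f"ipa netgroup-add-member {name} --netgroups={child}")
    return cmds
```

Piping the printed commands through a shell after review does the actual import; a map that fails the cycle check should be untangled in NIS first, since IdM does not support recursive groups.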

7.5.3.5. Importing Automount Maps

Automount maps are actually a series of nested and inter-related entries that define the location (the parent entry), and then associated keys and maps.
While the data are the same in the NIS and IdM entries, the way that data are defined is different. The NIS information is exported and then used to construct an LDAP entry for the automount location and associated map; it then creates an entry for every configured key for the map.
Unlike the other NIS migration script examples, this script takes options to create an automount location and a map name, along with the migrated NIS domain and server.
#!/bin/sh
# nis-automount.sh: $1 is the automount location to create in IdM,
# $2 is the NIS domain, $3 is the NIS master server, $4 is the map name
ipa automountlocation-add "$1"
ypcat -k -d "$2" -h "$3" "$4" > "/dev/shm/nis-map.$4" 2>&1
ipa automountmap-add "$1" "$4"

basedn=$(ipa env basedn | tr -d '[:space:]' | cut -f2 -d:)
# The IdM server (taken from the XML-RPC URI) holds the NIS plug-in entry
master=$(ipa env xmlrpc_uri | tr -d '[:space:]' | cut -f3 -d: | cut -f3 -d/)
ldif=$(mktemp)
cat > "$ldif" <<EOF
dn: nis-domain=$2+nis-map=$4,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
nis-domain: $2
nis-map: $4
nis-base: automountmapname=$4,cn=$1,cn=automount,$basedn
nis-filter: (objectclass=*)
nis-key-format: %{automountKey}
nis-value-format: %{automountInformation}
EOF
ldapadd -x -h "$master" -D "cn=directory manager" -w secret -f "$ldif"
rm -f "$ldif"

# One automount key per exported line: the key, then its mount information
while read -r key info; do
    ipa automountkey-add "$1" "$4" --key="$key" --info="$info"
done < "/dev/shm/nis-map.$4"
This can be run for a given NIS domain:
[root@nis-server ~]# kinit admin
[root@nis-server ~]# ./nis-automount.sh location nisdomain nis-master.example.com map

7.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM

A NIS server can handle CRYPT password hashes. Once an existing NIS server is migrated to IdM (and its underlying LDAP database), it may still be necessary to preserve the NIS-supported CRYPT passwords. However, the LDAP server does not use CRYPT hashes by default. It uses SSHA or SSHA-256. If the 389 Directory Server password hash is not changed, then NIS users cannot authenticate to the IdM domain, and kinit fails with password failures.
To set the underlying 389 Directory Server to use CRYPT as the password hash, change the passwordStorageScheme attribute using ldapmodify:
[root@server ~]# ldapmodify -x -D "cn=directory manager" -w secret -p 389 -h ipaserver.example.com
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt

NOTE

Changing the password storage scheme only applies the scheme to new passwords; it does not retroactively change the encryption method used for existing passwords.
If weak crypto is required for password hashes, it is better to change the setting as early as possible so that more user passwords use the weaker password hash.
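Because the scheme change only affects passwords set afterwards, a practitioner will want to know which accounts already carry a CRYPT hash and which still hold an SSHA hash that NIS clients cannot use, and later, which weak hashes are left to retire. The following Python audit is an added example, not part of the guide: it runs over a constructed ldapsearch -LLL style export of userPassword values embedded inline, handles LDIF base64 ('::') values and folded continuation lines, and reports the count per scheme plus the DNs still on the weak scheme.

```python
import base64
from collections import Counter

WEAK_SCHEMES = {"CRYPT"}  # crypt(3) hashes, kept only so NIS clients can authenticate


def b64(value):
    return base64.b64encode(value.encode()).decode()


# Constructed ldapsearch -LLL style export (hash values are made up, not real hashes).
# ldapsearch base64-encodes userPassword ('::') and folds long values onto a
# continuation line that starts with one space; both must be handled.
FOLDED_VALUE = b64("{SSHA}" + "c" * 40)
SAMPLE_LDIF = "\n".join([
    "dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com",
    "userPassword:: " + b64("{CRYPT}$1$saltsalt$constructedvalue"),
    "",
    "dn: uid=bjensen,cn=users,cn=accounts,dc=example,dc=com",
    "userPassword:: " + b64("{CRYPT}$1$saltsalt$anothervalue"),
    "",
    "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com",
    "userPassword:: " + FOLDED_VALUE[:24],
    " " + FOLDED_VALUE[24:],
    "",
    "dn: uid=krbonly,cn=users,cn=accounts,dc=example,dc=com",
    "",
])


def unfold_ldif(text):
    """Join continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def scheme_of(value):
    """'{SSHA}...' -> 'SSHA'; a value with no {SCHEME} prefix was stored unhashed."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "plaintext"


def password_schemes(ldif_text):
    """Map every DN in the export to its hash scheme; 'none' when the entry has
    no userPassword at all (for example a Kerberos-only account)."""
    schemes, dn = {}, None
    for line in unfold_ldif(ldif_text):
        if line.startswith("dn:"):
            dn = line[3:].strip()
            schemes[dn] = "none"
        elif line.startswith("userPassword::") and dn:
            raw = base64.b64decode(line[len("userPassword::"):].strip())
            schemes[dn] = scheme_of(raw.decode("utf-8", "replace"))
        elif line.startswith("userPassword:") and dn:
            schemes[dn] = scheme_of(line[len("userPassword:"):].strip())
    return schemes


def audit(ldif_text):
    """Return (count per scheme, sorted DNs still on a weak or unhashed scheme)."""
    schemes = password_schemes(ldif_text)
    weak = sorted(dn for dn, s in schemes.items() if s in WEAK_SCHEMES or s == "plaintext")
    return Counter(schemes.values()), weak
```

Reading userPassword requires a bind that is allowed to see the attribute (such as the Directory Manager), and the export should be deleted once the counts have been taken.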