Sun Microsystems, Inc.
27. Transitioning From NIS+ to LDAP
Merging NIS+ and LDAP Data

"NIS+ to LDAP Migration Scenarios" showed how to synchronize NIS+ and LDAP data when data conflicts between the two should be resolved by letting either the NIS+ or the LDAP data be authoritative. Merging data requires a more complicated procedure.

The example procedure in this section assumes the following.

  • You are putting a backup of the NIS+ data in the /nisbackup directory.

  • Valid mapping configuration already exists in /etc/default/rpc.nisd and /var/nis/tmpmap (for tables that should be merged).

  • Flat file representations of the NIS+ data before the merge are stored in /before, and after-merge representations in /after.

  • niscat is used to dump flat file representations of custom NIS+ tables not supported by nisaddent(1M). You might have your own commands or scripts for dumping and loading such custom tables from and to NIS+. If so, those commands/scripts should be used in preference to niscat since the latter has no convenient counterpart to load data back into NIS+.

    If you are forced to dump data using niscat(1), you can use nistbladm(1) to load entries back into NIS+ one by one.

  • Your command path includes /usr/lib/nis (which is where nisaddent(1M) resides).

How to merge NIS+ and LDAP data


Caution - If the LDAP data should change between the download in Step 4 and the upload in Step 10, the upload might overwrite those changes. For this reason, you should try to prevent modifications to the LDAP data during this procedure. Consult your LDAP server documentation for more information.


  1. Back up all NIS+ data using the nisbackup command.

    # nisbackup -a /nisbackup

  2. Identify the NIS+ tables that have data which must be merged with LDAP. Dump the contents of these tables to flat files. For example, dump the contents of group.org_dir using nisaddent as follows.

    # nisaddent -d group | sort > /before/group

    Piping the nisaddent output to sort will make for convenient comparison later on.

  3. Stop the rpc.nisd daemon.

    # pkill rpc.nisd

  4. Download LDAP data to NIS+.

    # /usr/sbin/rpc.nisd -D -m tmpmap \
        -x nisplusLDAPinitialUpdateAction=from_ldap \
        -x nisplusLDAPinitialUpdateOnly=yes

  5. Start the rpc.nisd daemon.

    # /usr/sbin/rpc.nisd

    The rpc.nisd daemon will now be serving the data downloaded from LDAP. If the conflicts to be resolved are such that NIS+ clients should not be exposed to them, make sure to perform this and the following steps when there are few (preferably no) active NIS+ clients.

  6. Dump the NIS+ data for the affected tables.

    The following example uses the group.org_dir table.

    # nisaddent -d group | sort > /after/group

  7. Use your favorite file merge procedure to produce merged versions of the tables. If no other tools are available, you can use diff(1) to collect differences between the /before and /after files, and merge manually with a text editor.

    The following example assumes that the merged results are available in /after.

  8. Load the merged data into NIS+. The following example uses the group table.

    # nisaddent -m -f /after/group group

  9. Remove LDAP entries that should not exist after the merge.

    A. If there are LDAP entries that do not exist in the (now merged) NIS+ data, and that should not exist in LDAP after the upload, you must remove those LDAP entries.

    Your LDAP server might provide a convenient method for removing multiple entries, such as a way to delete all entries in a container. If this is not the case, you can use ldapsearch(1) to generate a list of entries for each container. For example, to generate a list of all entries in the ou=Rpc container, use ldapsearch(1) as follows.

    # ldapsearch -h server-address -D bind-DN -w password \
        -b ou=Rpc,search-base 'objectClass=*' dn | \
        grep -i ou=Rpc | grep -v -i '^ou=Rpc' > /tmp/delete-dn

    See "Performance and Indexing" for an explanation of the meta-arguments (server-address, bind-DN, for example).

    B. You can now edit the result file (/tmp/delete-dn) so that it lists only those entries that should be removed. Alternatively, to remove all entries in the container, use the file as is and rely on the NIS+ upload to restore the LDAP data. Either way, back up the LDAP data before performing the ldapdelete operation below.

    C. Use ldapdelete to remove the LDAP entries listed in the file, redirecting stdout (which usually is one blank line for each entry removed) to /dev/null.

    # ldapdelete -h server-address -D bind-DN -w password \
        -f /tmp/delete-dn > /dev/null

    D. Repeat the above procedure for each container that has at least one entry which must be removed.

  10. NIS+ now contains the merged data, which can be uploaded to LDAP. Do the following.

    Stop the rpc.nisd daemon.

    # pkill rpc.nisd

    Perform the upload.

    # /usr/sbin/rpc.nisd -D -m tmpmap \
        -x nisplusLDAPinitialUpdateAction=to_ldap \
        -x nisplusLDAPinitialUpdateOnly=yes

  11. Restart the rpc.nisd daemon.

    • If the rpc.nisd daemon uses the LDAP repository, specify an appropriate mapping file.

    • If the rpc.nisd daemon provides NIS (YP) emulation, specify the -Y option.

    # /usr/sbin/rpc.nisd -m mappingfile [ -Y ]

    Alternatively, omit -x nisplusLDAPinitialUpdateOnly=yes from the upload command in Step 10. This will make the rpc.nisd daemon start serving NIS+ data when the upload is done.
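The two points where the procedure above leaves the operator to their own devices are the merge in Step 7 ("your favorite file merge procedure") and the DN list in Step 9A. The following script is an added example, not part of the Sun document, that mechanises both on constructed sample data. It assumes only POSIX sh, awk, sort and grep; the group flat files follow the nisaddent(1M) group format, the sample DN list is in the bare one-DN-per-line form the Step 9A pipeline expects, the search base dc=example,dc=com is made up, and everything is written under a temporary directory rather than the /before and /after directories used in the text.

```shell
#!/bin/sh
# Added example, not from the Sun document: a mechanical first pass at the
# Step 7 merge and the Step 9A DN list, run on constructed sample data.

WORK=${TMPDIR:-/tmp}/nismerge.$$
mkdir -p "$WORK"

# Constructed "nisaddent -d group | sort" output from before the LDAP
# download (NIS+ side) and after it (LDAP side). Format: name:passwd:gid:members
cat > "$WORK/before.group" <<'EOF'
admin:*:100:alice,bob
audit:*:102:carol
staff:*:101:alice,bob,carol
EOF
cat > "$WORK/after.group" <<'EOF'
admin:*:100:alice,bob,dave
build:*:103:dave
staff:*:101:alice,bob,carol
EOF

# merge_groups BEFORE AFTER MERGED CONFLICTS
# Keyed on the group name. Entries found on one side only, or identical on
# both, go to MERGED. A name present on both sides with different content is
# not merged automatically: both versions go to CONFLICTS for an operator to
# resolve, because picking a side (or unioning the member lists) silently
# decides who holds group membership. Returns 0 when MERGED is complete and
# 1 when CONFLICTS is non-empty, so a wrapper script can stop before Step 8.
merge_groups() {
    : > "$3"; : > "$4"
    awk -F: -v merged="$3" -v conflicts="$4" '
        NR == FNR { before[$1] = $0; next }              # first file: NIS+ side
        {
            seen[$1] = 1
            if (!($1 in before))       print $0 > merged   # LDAP only
            else if (before[$1] == $0) print $0 > merged   # identical
            else {                                         # same name, differs
                print "NIS+: " before[$1] > conflicts
                print "LDAP: " $0         > conflicts
            }
        }
        END { for (k in before) if (!(k in seen)) print before[k] > merged }
    ' "$1" "$2"
    sort -o "$3" "$3"
    [ ! -s "$4" ]
}

# entries_under CONTAINER_DN DN_LIST
# The document filters the ldapsearch output with
#   grep -i ou=Rpc | grep -v -i '^ou=Rpc'
# which also keeps an ou=Rpc that happens to sit under some other base.
# Anchoring on the full container DN as a suffix keeps only entries beneath
# that container and drops the container entry itself (no leading comma),
# which must never be handed to ldapdelete. Assumes one bare DN per line.
entries_under() {
    grep -i ",$1\$" "$2"
}

# Constructed DN list in the shape the Step 9A ldapsearch pipeline expects.
cat > "$WORK/rpc.dns" <<'EOF'
ou=Rpc,dc=example,dc=com
cn=rpcbind,ou=Rpc,dc=example,dc=com
cn=nfs,ou=Rpc,dc=example,dc=com
cn=ypserv,ou=Rpc,ou=Legacy,dc=example,dc=com
EOF

if merge_groups "$WORK/before.group" "$WORK/after.group" \
                "$WORK/merged.group" "$WORK/conflicts.group"; then
    echo "no conflicts; $WORK/merged.group is ready for nisaddent -m"
else
    echo "resolve these before Step 8:"
    cat "$WORK/conflicts.group"
fi
entries_under ou=Rpc,dc=example,dc=com "$WORK/rpc.dns" > "$WORK/delete-dn"
```

On the sample data the admin group differs between the two sides, so it lands in the conflicts file rather than in the merged output; audit (NIS+ only), build (LDAP only) and staff (identical) are merged without intervention. The DN filter keeps cn=rpcbind and cn=nfs and drops both the container entry and the ou=Rpc beneath ou=Legacy, which the document's substring grep would have included.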
