AIX 5.2 introduces a new name resolution method, NIS_LDAP, which uses the schema defined by RFC 2307. This appendix describes the process of migrating from NIS or NIS+ to the new method.
To prepare the server, you will need to do the following:
mksecldap -s -a cn=admin -p adminpwd -S rfc2307 -u NONE
The -u NONE option prevents the mksecldap command from migrating users and groups. If users and groups are to be migrated from NIS or NIS+, this is necessary. See the mksecldap command description in AIX 5L Version 5.2 Commands Reference for more details.
Data is migrated to the LDAP directory using the nistoldif command. The nistoldif command can operate in two modes: it can output LDIF data, or it can write the data directly to the server. The nistoldif command will not add a user or a group with a UID or GID that conflicts with one already on the server.
For more information, see the nistoldif command description in AIX 5L Version 5.2 Commands Reference.
If you are migrating data from the default NIS domain, the nistoldif command will use this data by default. If you wish to use a NIS domain other than the default, you should use the -y flag to specify a domain. Following is an example:
nistoldif -h server1.ibm.com -a cn=admin -p adminpwd -d cn=aixdata
This migrates NIS maps from the default domain to the LDAP server server1.ibm.com under the cn=aixdata DN. If no NIS maps are present, it will fall back to the data in the /etc directory. The -f flag changes the fallback directory.
See the nistoldif command description in AIX 5L Version 5.2 Commands Reference for more details.
The nistoldif command cannot directly migrate data from NIS+ to the server (or to LDIF). In this case, the data must be extracted from the tables using the nisaddent command. An example follows:
/usr/lib/nis/nisaddent -d -t table tabletype > filename
These files must have the same name as the files in the /etc directory that would contain the data. For example, the data from the hosts.org_dir file must be dumped into a file called hosts. They should all be placed in the same directory. The nistoldif command will have to be run once for each directory containing some of the files.
Migration from hierarchical domains must be handled differently. The administrator must be careful to get the correct maps from each subdomain. A non-root master server by default takes its data from the domain of which it is a member, not the domain it is serving. For example, if lilac belonged to domain wiz.com and was the master server for subdomain1.wiz.com, lilac would take data from wiz.com. The nistoldif command must be run for each set of data.
For example, to move the domain wiz.com with subdomains subdomain1.wiz.com and subdomain2.wiz.com, the nistoldif command would have to be run three times, once for each set of data. In this case, the administrator may also want to use the LDIF option and check the data before uploading it to the server. If the server was set up to use cn=aixdata as the suffix, the procedure would then be as follows:
nistoldif -f /wizdatapath -d "cn=aixdata" > out.ldif nistoldif -f /sub1datapath -d "cn=aixdata" >> out.ldif nistoldif -f /sub2datapath -d "cn=aixdata" >> out.ldif
Add the data in out.ldif to the server after reviewing it.
For more information, see the nisaddent and nistoldif command descriptions in AIX 5L Version 5.2 Commands Reference.
The server must be set up before the client. Client setup depends on the migrated data being on the server.
Once the data has been migrated to the server, each client must be set up using the mksecldap command.
mksecldap -c -a cn=admin -p adminpwd -h server1.ibm.com
This sets up the local system to use the LDAP server on server1.ibm.com.
See the mksecldap command description in AIX 5L Version 5.2 Commands Reference for more details.