Some things about N2L

NIS to LDAP

The NIS to LDAP Migration tool (N2L) provides a migration path from an existing NIS name service to an LDAP name service. It is a NIS name service modified to use an LDAP server as its repository. The Solaris System Administration Guide contains an overview of the service, setup instructions and other administrative information. In the following sections I will describe some additional details.

Source code:


Frontend and Backend

The frontend consists of the modified NIS daemons, i.e. ypserv, ypxfrd and rpc.yppasswdd. The backend consists of the parser, the shim, the mapping unit and the LDAP-access module, all implemented within the libnisdb.so library. The parser parses the mapping and configuration files, the shim intercepts NIS client requests, the mapping unit performs the NIS/LDAP data conversion and the LDAP-access module performs the LDAP-specific operations.

Cache:

N2L maintains a local cache of the LDAP data in the form of ndbm maps with configurable Time To Live (TTL) values. NIS clients are served from the cached data, and the cache is refreshed when the TTLs expire. There are two types of TTL: per-entry TTLs, which refresh individual entries, and per-map TTLs for the entire map. The initial TTL values are chosen randomly from a configurable range so that different maps do not all expire at the same time.

How does the service work?

The following examples describe the procedure followed by the N2L server in response to various client requests.

Example 1:
  ypcat hosts.byname

The N2L server uses the following algorithm to handle a client request for an entire map:
	if (map-TTL for hosts.byname cache expired && hosts.byname cache refresh not in progress) {
		set hosts.byname cache refresh flag
		initiate hosts.byname cache refresh thread in the background
		return data from old hosts.byname cache
		/* subsequent calls will return refreshed data */
	} else {
		return data from current hosts.byname cache
	}

The refresh thread collects the new data in a temporary map. After a successful download, the data is moved into the hosts.byname cache. The refresh time depends on variable factors such as network traffic, load on the LDAP server, indexing of the LDAP data, load on the N2L server and the number of entries that need to be transferred. Hence, instead of waiting for the cache refresh thread to complete, N2L returns stale data so that the client request does not block. All client requests for hosts.byname that coincide with the refresh receive stale data; all client requests after the refresh completes get the refreshed data.

Example 2:  ypmatch myhost hosts.byname

The N2L server uses the following algorithm to handle a client request for a specific entry:
	if (entry "key=myhost" found in hosts.byname cache) {
		if (entry-TTL for entry "key=myhost" expired && hosts.byname cache refresh not in progress) {
			refresh the entry "key=myhost" from LDAP
			if (no such entry exists in LDAP) {
				delete the entry from hosts.byname cache
				return no entry found
			} else {
				return refreshed entry
			}
		} else {
			return entry from the cache
		}
	} else { /* entry not found in cache */
		if (map-TTL for hosts.byname cache expired && hosts.byname cache refresh not in progress) {
			set hosts.byname cache refresh flag
			initiate hosts.byname cache refresh thread in the background
			return no entry found
			/* subsequent calls will return refreshed data */
		} else {
			return no entry found
		}
	}

If, during the refresh, multiple LDAP entries match the given NIS key, only the first match is used. Note that, unlike a map refresh, a single-entry refresh happens in the foreground, so the client request gets either the refreshed data or no data. In case of refresh errors, the N2L configuration file specifies the number of retry attempts and, if all retries fail, whether to return the stale cached data or YPERR_YPERR to the client.
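The two algorithms above (Example 1 and Example 2), together with the first-match, stale-data and retry behaviour just described, as a small runnable model. This is an added example and not N2L's own code: the `fetch_all`/`fetch_key` callables stand in for the LDAP-access module, the LDAP data, the clock and the "background thread" runner are constructed so that it runs offline, and the class and function names are mine. `YPERR_YPERR = 1` is the NIS error code the text refers to.

```python
import random
import threading
import time

YPERR_YPERR = 1   # NIS error returned when LDAP retries fail and stale data is not allowed


class N2LMapCache:
    """One N2L map cache (e.g. hosts.byname): data map + per-entry TTLs + a map TTL.
    fetch_all/fetch_key stand in for the LDAP-access module (assumed interface)."""

    def __init__(self, fetch_all, fetch_key, ttl_lo, ttl_hi, ttl_run, retries=1,
                 stale_on_error=True, clock=time.monotonic, rng=random.Random(),
                 spawn=lambda fn: threading.Thread(target=fn, daemon=True).start()):
        self.fetch_all, self.fetch_key, self.ttl_run = fetch_all, fetch_key, ttl_run
        self.retries, self.stale_on_error = retries, stale_on_error
        self.clock, self.spawn, self.lock = clock, spawn, threading.Lock()
        self.entries, self.entry_exp = {}, {}      # key -> value, key -> expiry time
        # Initial map TTL is random in [ttl_lo, ttl_hi] so maps loaded together
        # do not all expire together.
        self.map_exp, self.refreshing = clock() + rng.uniform(ttl_lo, ttl_hi), False

    def _with_retries(self, fn, *args):
        for attempt in range(self.retries + 1):    # configured retry attempts
            try:
                return fn(*args)
            except OSError:
                if attempt == self.retries:
                    raise

    def _start_map_refresh(self):                  # caller holds self.lock
        self.refreshing = True
        self.spawn(self._refresh_map)

    def _refresh_map(self):
        """Background refresh: build a temporary map, then swap it in atomically."""
        try:
            fresh = self._with_retries(self.fetch_all)
        except OSError:
            with self.lock:
                self.refreshing = False            # old map stays in service
            return
        now = self.clock()
        with self.lock:
            self.entries = {k: v[0] for k, v in fresh.items()}   # first match wins
            self.entry_exp = {k: now + self.ttl_run for k in fresh}
            self.map_exp, self.refreshing = now + self.ttl_run, False

    def ypcat(self):
        """Example 1: whole-map read; never waits for LDAP, serves stale data meanwhile."""
        with self.lock:
            if self.clock() >= self.map_exp and not self.refreshing:
                self._start_map_refresh()
            return dict(self.entries)

    def ypmatch(self, key):
        """Example 2: single-key read, refreshed in the foreground. Returns the value,
        None for no entry, or YPERR_YPERR when retries fail and stale data is not allowed."""
        with self.lock:
            if key not in self.entries:
                if self.clock() >= self.map_exp and not self.refreshing:
                    self._start_map_refresh()
                return None
            if self.clock() < self.entry_exp[key] or self.refreshing:
                return self.entries[key]
            try:
                values = self._with_retries(self.fetch_key, key)
            except OSError:
                return self.entries[key] if self.stale_on_error else YPERR_YPERR
            if not values:                              # gone from LDAP: drop it
                del self.entries[key], self.entry_exp[key]
                return None
            self.entries[key] = values[0]               # only the first LDAP match is used
            self.entry_exp[key] = self.clock() + self.ttl_run
            return values[0]


def demo():
    """Drive the model through the page's examples with constructed LDAP data,
    a manual clock and a manual background runner, so it runs offline."""
    ldap = {"myhost": ["10.0.0.5 myhost", "10.0.0.6 myhost"], "db1": ["10.0.0.7 db1"]}
    clock, pending, fail, attempts = [0.0], [], [False], [0]
    def fetch_key(key):
        attempts[0] += 1
        if fail[0]:
            raise ConnectionError("LDAP server unreachable")
        return ldap.get(key, [])
    cache = N2LMapCache(lambda: dict(ldap), fetch_key, 300, 600, 900, retries=1,
                        clock=lambda: clock[0], rng=random.Random(7), spawn=pending.append)
    out, clock[0] = {}, 700                                # past the largest initial TTL
    out["cat_during_refresh"] = cache.ypcat()              # stale (empty) map, refresh queued
    out["match_during_refresh"] = cache.ypmatch("myhost")  # nothing cached yet, no blocking
    pending.pop(0)()                                       # the "background thread" finishes
    out["first_match"] = cache.ypmatch("myhost")
    clock[0] = 1700                                        # entry and map TTLs have expired
    del ldap["myhost"]
    out["deleted_in_ldap"] = cache.ypmatch("myhost")       # foreground refresh finds nothing
    out["foreground_refresh"] = cache.ypmatch("db1")
    out["unknown_key"] = cache.ypmatch("nothere")          # queues another map refresh
    pending.pop(0)()
    clock[0], fail[0], attempts[0] = 2700, True, 0
    out["stale_on_error"] = cache.ypmatch("db1")           # all attempts fail, stale served
    out["attempts"] = attempts[0]
    cache.stale_on_error = False
    out["yperr"] = cache.ypmatch("db1")
    return out
```

The `spawn` hook is what makes the model testable: in production it starts a daemon thread, while `demo()` captures the refresh callable and runs it by hand, which is exactly the window in which ypcat and ypmatch answer from the old map. The lock is held across the foreground single-entry fetch on purpose, matching the text's point that such a request waits for LDAP while a whole-map request never does.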

Example 3:  yppasswd baban

The N2L server uses the following algorithm to handle a client request for a password change:
	get domain list from mapping file (nisLDAPyppasswddDomains)
	if (no domains specified) {
		domain = getdomainname();
	}
	for each domain {
		authenticate user=baban using old password
		update LDAP database for "key=baban"
		update N2L cache for "key=baban" (handles passwd.adjunct)
		push the change to NIS slaves
	}

The default mapping file contains commented-out entries for C2 security (i.e. passwd.adjunct). If C2 security is required, those entries need to be uncommented and adjusted to the site.

How to update NIS slave servers?

1. Run yppush(1M) on the N2L server to push the N2L maps to the slave servers

OR

2. Run ypxfr(1M) on the slave servers to pull the maps.

OR

3. The tedious part is that the above commands have to be invoked for each map. A simple script like the following can be run on the N2L server to yppush all maps to the slave servers. It derives the map names from the cache's per-map TTL files (LDAP_<mapname>_TTL.dir), so only maps actually served by N2L are pushed.
	#!/bin/ksh
	#--------START SCRIPT--------
	# Push every N2L-served map of the local domain to the NIS slave servers.
	DMN=`/bin/domainname`
	if [ -d "/var/yp/$DMN" ]
	then
		for n2lmap in /var/yp/$DMN/LDAP_*_TTL.dir
		do
			# If the pattern matched nothing, ksh leaves it unexpanded; skip it.
			[ -f "$n2lmap" ] || continue
			# LDAP_hosts.byname_TTL.dir -> hosts.byname (strip "LDAP_" and "_TTL.dir")
			map=`/usr/bin/basename "$n2lmap" _TTL.dir | cut -c 6-`
			echo yppush -d "$DMN" "$map"
			/usr/lib/netsvc/yp/yppush -d "$DMN" "$map"
			echo $?
		done
	fi
	#---------END SCRIPT---------


About

baban