I manage an HPC lab, and we have new equipment coming in. As part of this new deployment, management wants us to use Rocky 9. We’ve used 8 for a very long time, and have well-established builds. But in this case, we need to get off of NIS+ and go to LDAP for user and system ID. The plan is to migrate our Kerberos authentication from NIS+ to LDAP. What I need is a methodology to get our YP data into LDAP. Most of the “tools” I’ve seen are from dead pages or no longer available. Is there any modern way to do this?
Best solution would be to migrate to freeipa by installing the ipa-server package, and using ipa-client to connect other systems. Also known as Red Hat iDM.
It includes LDAP, so it is a far better option than, say, OpenLDAP.
We’re using Kerberos for authentication.
LDAP is just to have our netgroup, users, and groups managed.
We’re not implementing iDM.
Hi @RenegadeSithLord
Alternatively, a custom script in Python or Perl could help parse the YP/NIS maps and output proper LDIF entries for ldapadd.
iDM also has kerberos, but fair enough if you don’t want to use it. The official replacement for using NIS in RHEL, or Rocky is to use iDM/freeipa. If you wish to do it differently, then you can of course.
An alternative is to use a configuration management system (e.g. Ansible) to deploy all that data to every machine. (Ansible can be used for other system management and installation too.)
The only possible downsides are if hosts are occasionally down (but they could re-deploy on boot), and if users do customizations (e.g. chsh) that they should repeat on every system (but they could use Ansible for that).
After some consideration and discussion with management, they are liking the idea of going with Rocky’s freeipa install. Looks like I was able to script in my NIS+ files, but it looks like the data needs some significant “curing”. Groups don’t show user members, hosts only have the hostname, netgroups look like they were imported but don’t show. For reference, our hosts file has over 1500 entries (HPC server clusters with multiple interfaces per system). It’s a lot and I’m dreading having to rebuild it all by hand.
Anyone know of a good tutorial for the use of this system? I think for now we’re just going to have it be our LDAP server to start as we do migration to Rocky 9 / 10 (future).
Probably best to take a look here at all the docs available: Red Hat Enterprise Linux | 9 | Red Hat Documentation
Whilst for RHEL, it still applies to the packages in all other EL distros based on it.
It’s good documentation, and I’m already using that. But I’m also trying to find something of a tutorial / walkthrough for the specifics. This tool has a lot of features that we’re not quite ready to implement, and I am trying to focus on my specific needs.
One at random: How to Install FreeIPA Identity Management System on Rocky Linux 9
From these search results: rocky linux freeipa at DuckDuckGo
As you say, it has a lot of features, so it’s difficult to find walkthroughs/tutorials for everything that you are looking for specifically. I’m guessing you’ve probably already searched anyway, but if not you will probably need to refine the search for the exact thing you are trying to do. Whether someone has actually written a walkthrough/tutorial or made a video for what you want to do is another thing entirely. I’m guessing if you’ve not found anything when searching, chances are that there isn’t anything showing up yet or doesn’t exist.
The documentation I linked is what I used when I was playing with iDM and integrating for example with AD, or making replicas, etc. Has covered all my needs so far anyway.
IdM has that data in LDAP (so you could have encountered the same issue with plain LDAP too).
The LDAP has more than one schema for the group data. (I wrestled with schemas for autofs maps.)
On the client machine, SSSD uses a backend to talk to LDAP/AD/FreeIPA, etc. Its config chooses which schema’s values it looks for. I assume that the FreeIPA setup would be consistent about schema.
SSSD has the domain option enumeration. See Frequently Asked Questions — SSSD documentation
That is false by default, deprecated in Rocky 9, and totally removed from Rocky 10.
However, enumeration = false does mean that getent group does not list any groups that are in LDAP. You should still get a result with getent group sith (if LDAP has group sith).
Rocky defaults to “personal groups”. For user mark the default (primary) group would have name mark and nobody else would be member of that group. The getent group does not show user as member of the group that is the primary group of that user.
The non-personal groups, like sith, could have members, but nobody would have them as primary group. For them one can see all members. (This is true at least with the schema that mimics /etc/group behaviour.)
Similar boat here, migration to Rocky 9 on our HPC system and need to ditch NIS. I didn’t think that there was a free NIS+ server and it was removed from Solaris a long time ago now.
We have been using NIS for account information in combination with the University’s AD via Kerberos for authentication. Currently, HPC users get an account created in NIS with the same username as their University AD account.
I am opting for 389-directory rather than FreeIPA because the latter offers more features than we need. We absolutely don’t do authentication. Like you, I found the tools out there are outdated, and well, we have been abusing the GECOS field for years. Therefore, migration is achieved via a custom Perl script that iterates through users and groups using getpwent and getgrent, producing a script that can be run directly on one of the LDAP servers to import all data. It breaks down our abuse of the GECOS field to instead populate the relevant attributes in LDAP.
We gave up on /etc/hosts a long time ago, and embraced the 1990s with DNS.
Trying to keep /etc/hosts in sync on hundreds of machines is more trouble than just using DNS and forgetting about it. We also don’t use netgroups.
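A sketch of the kind of conversion script described in the two posts above (the "Python or Perl script producing LDIF for ldapadd" suggestion and the getpwent/getgrent Perl script); this is an added example, not code from the thread or from any poster. It reads NIS passwd/group map lines, splits a GECOS field laid out as "Full Name,Room,Phone" into inetOrgPerson attributes, and emits memberUid lines so imported groups actually show their members. The base DN, the ou=People/ou=Groups layout and the GECOS convention are assumptions, and the map lines are constructed samples.

```python
BASE_DN = "dc=example,dc=com"  # assumed suffix of the new directory
# Constructed sample maps in "ypcat passwd" / "ypcat group" form.
PASSWD_MAP = """\
mark:x:1001:1001:Mark Jones,Rm 12,555-0100:/home/mark:/bin/bash
sith:x:1002:1002:Sith User:/home/sith:/bin/zsh
"""
GROUP_MAP = """\
mark:x:1001:
sith:x:2000:mark,sith
"""

def parse_passwd(text):
    """Parse passwd map lines; reject anything that is not exactly 7 fields."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _, uid, gid, gecos, home, shell = fields
        # GECOS abused as "Full Name,Room,Phone" (assumed layout): split it up.
        parts = [p.strip() for p in gecos.split(",")] + ["", ""]
        full = parts[0] or name
        users.append({"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
                      "cn": full, "sn": full.split()[-1], "roomNumber": parts[1],
                      "telephoneNumber": parts[2], "homeDirectory": home,
                      "loginShell": shell})
    return users

def parse_group(text):
    """Parse group map lines into (name, gid, [members])."""
    groups = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups.append((name, int(gid), [m for m in members.split(",") if m]))
    return groups

def user_ldif(u):
    lines = [f"dn: uid={u['uid']},ou=People,{BASE_DN}",
             "objectClass: inetOrgPerson", "objectClass: posixAccount"]
    lines += [f"{k}: {v}" for k, v in u.items() if v != ""]  # drop empty room/phone
    return "\n".join(lines) + "\n"

def group_ldif(name, gid, members):
    lines = [f"dn: cn={name},ou=Groups,{BASE_DN}", "objectClass: posixGroup",
             f"cn: {name}", f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members]  # none for a personal group
    return "\n".join(lines) + "\n"

def to_ldif(passwd_text, group_text):
    entries = [user_ldif(u) for u in parse_passwd(passwd_text)]
    entries += [group_ldif(*g) for g in parse_group(group_text)]
    return "\n".join(entries)
```

Feed real maps with `ypcat passwd` and `ypcat group` output, then review the LDIF before running it through ldapadd, since the group entries are where missing memberUid values are most visible.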