The NIS Driver and Its Configuration in eDirectory

The behavior of the DirXML driver is governed by its configuration. The configuration of the NIS driver is stored in the NIS driver object in eDirectory. The various configuration parameters, rules, and transformations are stored as objects and attributes for this driver object. This section describes the various configuration objects and attributes that form the NIS driver configuration.


Filter

The filter attribute is used to restrict the data that is sent to eDirectory from NIS or from NIS to eDirectory to the DirXML Driver for NIS. For example, if your driver is configured to synchronize only user account information on the Subscriber channel, the filter can restrict eDirectory to send the driver only when changes are made to User objects.

Using filters, you can also set the datastore (eDirectory or NIS) that would be the merge-authority in case of a conflict.

The following table lists the class and attributes for filter on the Subscriber channel:

Class Attributes

User

CN, uidNumber, gidNumber, authPassword, homeDirectory, loginShell, gecos, shadowMax, shadowMin, shadowWarning, shadowLastChange, shadowInactive, shadowExpire, shadowFlag, nspmDistributionPassword, DirXML-SPEntitlements

Group

CN, gidNumber, Member

The following table lists the class and attributes for filter on the Publisher channel:

Class Attributes

User

CN, uidNumber, gidNumber, gecos, authPassword, GroupMembership, homeDirectory, loginShell, shadowMax, shadowMin, shadowWarning, shadowLastChange, shadowInactive, shadowExpire, shadowFlag,

Group

CN, gidNumber, Member


Schema Mapping Policies

The schema mapping policies specifies how eDirectory objects and attributes correspond to NIS entries.

The DirXML Driver for NIS has been developed according to the RFC-2307 convention. The attributes from RFC-2307 except those listed below are directly mapped. The following are the mappings for the eDirectory objects and attributes:

eDirectory Name for Object/Attribute Application Name for Object/Attribute

User

User

Group

Group

CN (User)

loginName (User)

CN (Group)

groupName (Group)

GroupMembership (User)

gidNumber (User)

Member (Group)

memberUid (Group)


Policies

This sections explains about the policies used by the DirXML Driver for NIS:


Matching Policies

The Matching Policies imposes a restriction on the correspondence between eDirectory objects and NIS entries before DirXML can create an association.

In the case of the DirXML driver for NIS, matching is based on the CN attribute for both users and groups.

The following table lists the user and group attributes for the Matching Policies on the Subscriber channel:

User Attribute Group Attribute

CN

CN

The following table lists the user and group attributes for the Matching Policies on the Publisher channel:

User Attributes Group Attributes

CN

CN

The User and Group containers are prompted, in which Users or Groups are to be matched in the Matching Policies on the Publisher channel during configuration.


Placement Policies

This policy specifies the location of the container where the objects synchronized from NIS are to be placed in eDirectory.

The DN of the User and Group containers in which Users or Groups are to be placed are prompted, in which Users or Groups are to be placed in the Placement Policies on the Publisher channel during configuration.

注:  There is no Placement Policy for the Subscriber channel.


Creation Policies

The Creation Policies specifies the mandatory information that the driver must have before a new entry can be created in NIS. For example, you could specify that the first name and login name must be supplied in order to create a corresponding record.

The NIS driver requires the following mandatory attributes for creating user and group in NIS on the Subscriber channel:

User Attributes Group Attributes

CN

CN

uidNumber

gidNumber

gidNumber

 

homeDirectory

 

The uidNumber of User and gidNumber of Group are not mandatory attributes if ID Generation is configured. For more information, refer ID Generation.

The following table lists the mandatory attributes for creating user and group in eDirectory on the Publisher channel:

User Attributes Group Attributes

CN

CN

uidNumber

gidNumber

GroupMembership

 

homeDirectory

 


DirXML Policies

The NIS Driver uses the following DirXML policies:


Create Rule Transform

The Create Rule Transform policy for the Publisher channel is used to specify the default values for Surname and uniqueID attributes for Add events of users. The value that is used is the value of the CN attribute. This is required because SurName and uniqueID are mandatory attributes for creating user and UNIX profile in eDirectory.

The Create Rule Transform policy for the Subscriber channel is used to specify the default values for gidNumber, homeDirectory, default password, and loginShell.

The default password allows you to set up passwords for initial User account creation on UNIX machines. The Create Rule Transform policy must be configured for the driver that creates a default password for Users. The clear-text password must be provided in the policy in the <password> tag. The driver will then set this as the initial driver password for the User.

To edit the Create Rule Transform policy from Subscriber channel:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Creation Policies on the Subscriber channel.

  5. Click the Create Rule Transform policy and replace /home with the desired home directory prefix for user in the last line of the following section of the policy: 

    <do-add-dest-attr-value name="homeDirectory">
      <arg-value>
      <token-text>/home</token-text>

    This prefix is used as a prefix to build the home directory path with the user's name concatenated to it.

  6. Replace /bin/sh with the desired login shell for user in the following:

    <do-add-dest-attr-value name="loginShell">
      <arg-value>
        <token-text>/bin/sh</token-text>

    注:  Ensure that the shell exists on the application platform

  7. Replace 500 with the desired primary group ID for the user in the following:

    <do-add-dest-attr-value name="gidNumber">
      <arg-value>
        <token-text>500</token-text>

  8. Replace ./add-attr[@attr-name='CN']/value with the desired default password in the following line:

    <do-set-dest-password>
      <arg-string>
       <token-xpath expression="string(./add-attr[@attr-name='CN']/value)" />

注:  If multiple drivers are running, only one driver should have a default password enabled for users, and only one driver should have ID generation enabled for a particular user or group.


Command Transform

The Command Transform policy is available both on the Subscriber and Publisher channels.

On the Subscriber channel, the Command Transform policy does the following:

  • Suppresses any add or modify events for member attributes of groups that do not correspond to secondary memberships.
  • Converts the add or modify event value of gidNumber for users to the corresponding group DN.

On the Publisher channel, the Command Transform policy does the following:

  • Allows only posixAccount and shadowAccount classes for users.
  • Allows only posixGroup for groups.
  • Allows updating the secondary members of a group. The previous secondary members are deleted and new secondary members are added upon a modify event for a group's member attribute.
  • Allows updating of group membership for users. The previous primary group is deleted and new group is added upon an add or modify event for a groupmembership attribute.
  • Allows adding an add or modify attribute node for gidNumber based on an add or modify attribute node for GroupMembership.

重要:  Do not edit the contents of this policy.


Account Restrictions

The Account Restrictions policy restricts the hashed, as well as the privileged user and group accounts from being synchronized to or from eDirectory. This restriction is based on the user's uidNumber and the group's gidNumber being greater than a specified value.

In order to prevent the hashed users' (commented out users) Ex: #loginName from being synchronized to eDirectory, edit the Account Restrictions policy on the Publisher channel.

To edit the Create Rule Transform policy from Publisher channel:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Creation Policies on the Publisher channel.

  5. Click the Create Rule Transform policy and replace the following line: 

    <!--if-xpath op="true">not(starts-with(normalize-space(add-attr[@attr-name='CN']/value),'#'))</if-xpath-->

    with 

    <if-xpath op="true">not(starts-with(normalize-space(add-attr[@attr-name='CN']/value),'#'))</if-xpath>

On the Subscriber channel, this policy specifies a minimum value of 100 for the uidNumber for the user and gidNumber for group attributes because on UNIX systems all smaller values of uidNumber and gidNumber are reserved. This restricts the events going from eDirectory to NIS.

To edit this value, you can change it in the Account Restrictions policy:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Policy on the Subscriber channel.

  5. Click the Account Restrictions policy and replace the value 100 with the required value of uidNumber in the following line:

    <if-xpath op="true">add-attr[@attr-name='uidNumber']/value[number(.) <= 100]</if-xpath>

  6. Replace the value 100 with the required value of gidNumber in the following line:

    <if-xpath op="true">add-attr[@attr-name='gidNumber']/value[number(.) <= 100]</if-xpath>

注:  If ID Generation is configured, the Account Restrictions policy is not attached in the Subscriber channel. For more information, refer to ID Generation.

On the Publisher channel, the Account Restrictions policy for the user specifies a minimum value of 100 for the uidNumber for the user and gidNumber for the group because on UNIX systems all smaller values of uidNumber and gidNumber are reserved. This restricts the events going from NIS to eDirectory.

To edit this value, you can also change it in the Account Restrictions policy:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Policy on the Publisher channel.

  5. Click the Account Restrictions policy and replace the value 100 with the required value of uidNumber in the following line:

    <if-xpath op="true">add-attr[@attr-name='uidNumber']/value[number(.) <= 100]</if-xpath>

  6. Replace the value 100 with the required value of gidNumber in the following line:

    <if-xpath op="true">add-attr[@attr-name='gidNumber']/value[number(.) <= 100]</if-xpath>


Event Restrictions

The Event Restrictions policy specifies the container in eDirectory from where the users or groups are synchronized to the NIS database. This policy enables you to allow add events for users and groups only from the specified containers in eDirectory.

On the Subscriber channel, replace the \TREE-NAME\ORG_O\USERS_OU variable for the user with the user container and \TREE-NAME\ORG_O\GROUPS_OU variable for group with the FDN of the group container.

To edit this value, you can also change it in the Event Restrictions policy:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Rule on the Subscriber channel.

  5. Click the Event Restrictions policy and replace the variable \TREE-NAME\ORG_O\USERS_OU with the required fully distinguished name of the container in slash format whose users are to be synchronized in the following line:

    <if-src-dn op="not-in-container">\TREE-NAME\ORG_O\USERS_OU</if-src-dn>

  6. Replace the variable \TREE-NAME\ORG_O\GROUPS_OU with the required fully distinguished name of the container in slash format whose groups are to be synchronized in the following line:

    <if-src-dn op="not-in-container">\TREE-NAME\ORG_O\GROUPS_OU</if-src-dn>

Ensure that the FDN of containers for users and groups is the same as the DN of containers for users and groups in Placement and Matching policies.

注:  There is no Event Restrictions policy for the Publisher channel.