The NIS Driver and Its Configuration in eDirectory

The behavior of the DirXML driver is governed by its configuration. The configuration of the NIS driver is stored in the NIS driver object in eDirectory. The various configuration parameters, rules, and transformations are stored as objects and attributes for this driver object. This section describes the various configuration objects and attributes that form the NIS driver configuration.


Filter

The filter restricts the data that the DirXML Driver for NIS passes between eDirectory and NIS, in either direction. For example, if your driver is configured to synchronize only user account information on the Subscriber channel, the filter can restrict eDirectory to notifying the driver only when changes are made to User objects.

The following table lists the class and attributes for filter on the Subscriber channel:

Class    Attributes
User     CN, uidNumber, gidNumber, authPassword, homeDirectory, loginShell, gecos, shadowMax, shadowMin, shadowWarning, shadowLastChange, shadowInactive, shadowExpire, shadowFlag
Group    CN, gidNumber, Member

The following table lists the class and attributes for filter on the Publisher channel:

Class    Attributes
User     CN, uidNumber, gidNumber, gecos, authPassword, GroupMembership, homeDirectory, loginShell, shadowMax, shadowMin, shadowWarning, shadowLastChange, shadowInactive, shadowExpire, shadowFlag
Group    CN, gidNumber, Member


Schema Mapping Rule

The schema mapping rule specifies how eDirectory objects and attributes correspond to NIS entries.

The DirXML Driver for NIS has been developed according to RFC-2307 and RFC-3112 conventions. All attributes from RFC-2307 and RFC-3112 are mapped directly, except those listed below. The following are the mappings for the eDirectory objects and attributes:

eDirectory Name for Object/Attribute    Application Name for Object/Attribute
User                                    User
Group                                   Group
CN (User)                               loginName (User)
CN (Group)                              groupName (Group)
GroupMembership (User)                  gidNumber (User)
Member (Group)                          memberUid (Group)


Rules

This section explains the rules used by the DirXML Driver for NIS:


Matching Rule

The Matching Rule imposes a restriction on the correspondence between eDirectory objects and NIS entries before DirXML can create an association.

In the case of the DirXML driver for NIS, matching is based on the CN attribute for both users and groups.

The following table lists the user and group attributes for the Matching Rule on the Subscriber channel:

User Attribute    Group Attribute
CN                CN

The following table lists the user and group attributes for the Matching Rule on the Publisher channel:

User Attributes    Group Attributes
CN                 CN

During configuration, you are prompted for the User and Group containers in which Users or Groups are to be matched by the Matching Rule on the Publisher channel.


Placement Rule

This rule specifies the eDirectory container in which objects newly created in NIS are placed.

During configuration, you are prompted for the DNs of the User and Group containers in which Users or Groups are to be placed by the Placement Rule on the Publisher channel.

NOTE:  There is no Placement Rule for the Subscriber channel.


Create Rule

The Create Rule specifies the mandatory information that the driver must have before a new entry can be created in NIS. For example, you could specify that the first name and login name must be supplied in order to create a corresponding record.

The NIS driver requires the following mandatory attributes for creating users and groups in NIS on the Subscriber channel:

User Attributes    Group Attributes
CN                 CN
uidNumber          gidNumber
gidNumber
homeDirectory

The uidNumber of a User and the gidNumber of a Group are not mandatory attributes if ID Generation is configured. For more information, refer to ID Generation.

The following table lists the mandatory attributes for creating users and groups in eDirectory on the Publisher channel:

User Attributes    Group Attributes
CN                 CN
uidNumber          gidNumber
GroupMembership
homeDirectory


Style Sheets

The NIS Driver uses the following style sheets:


Create Rule Transform

The Create Rule Transform style sheet for the Publisher channel specifies the default values for the SurName and uniqueID attributes for Add events of users. The value of the CN attribute is used for both. This is required because SurName and uniqueID are mandatory attributes for creating a User and its UNIX profile in eDirectory.

To prevent commented-out users (NIS entries whose login name begins with #, for example #loginName) from being synchronized to eDirectory, edit the Create Rule Transform style sheet on the Publisher channel.

To edit the Create Rule Transform style sheet on the Publisher channel using ConsoleOne:

  1. In the ConsoleOne left panel, select the driver > click Publisher.

  2. In the right panel, right-click Create Rule Transform > Properties.

  3. Click the Edit XML tab.

  4. Replace the following line:

    <!-- <xsl:if test="not(starts-with(normalize-space(./[@attr-name='CN']/value),'#')) "> -->

    with

    <xsl:if test="not(starts-with(normalize-space(./[@attr-name='CN']/value),'#')) ">

  5. Uncomment the enclosing <xsl:if> statement.

To edit the Create Rule Transform style sheet on the Publisher channel using iManager:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Creation Rule on the Publisher channel.

  5. Click the Create Rule Transform style sheet and replace the following line:

    <!-- <xsl:if test="not(starts-with(normalize-space(./[@attr-name='CN']/value),'#')) "> -->

    with

    <xsl:if test="not(starts-with(normalize-space(./[@attr-name='CN']/value),'#')) ">

  6. Uncomment the enclosing <xsl:if> statement.

The Create Rule Transform style sheet for the Subscriber channel is used to specify the default values for gidNumber, homeDirectory, default password, and loginShell.

The default password allows you to set up passwords for initial User account creation on UNIX machines. Configure the Create Rule Transform style sheet on the driver that is to create the default password for Users. The clear-text password must be provided in the style sheet in the <password> tag. The driver then sets this as the initial password for the User.

To edit the Create Rule Transform style sheet on the Subscriber channel using ConsoleOne:

  1. In the ConsoleOne left panel, select the driver > click Subscriber.

  2. In the right panel, right-click Create Rule Transform > Properties.

  3. Click the Edit XML tab.

  4. Replace /home with the desired home directory prefix for user in the following line:

    <xsl:variable name="prefix">/home</xsl:variable>

    The home directory path is built by appending the user's name to this prefix.

  5. Replace /bin/sh with the desired login shell for user in the following line:

    <xsl:variable name="login-shell">/bin/sh</xsl:variable>

    NOTE:  Ensure that the shell exists on the application platform.

  6. Replace 500 with the desired primary group ID for the user in the following line:

    <xsl:variable name="gid-number">500</xsl:variable>

  7. Replace <xsl:value-of select="./value"/> with the desired default password in the following line:

    <password> <xsl:value-of select="./value"/> </password>

To edit the Create Rule Transform style sheet on the Subscriber channel using iManager:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Creation Rule on the Subscriber channel.

  5. Click the Create Rule Transform style sheet and replace /home with the desired home directory prefix for user in the following line:

    <xsl:variable name="prefix">/home</xsl:variable>

    The home directory path is built by appending the user's name to this prefix.

  6. Replace /bin/sh with the desired login shell for user in the following line:

    <xsl:variable name="login-shell">/bin/sh</xsl:variable>

    NOTE:  Ensure that the shell exists on the application platform.

  7. Replace 500 with the desired primary group ID for the user in the following line:

    <xsl:variable name="gid-number">500</xsl:variable>

  8. Replace <xsl:value-of select="./value"/> with the desired default password in the following line:

    <password> <xsl:value-of select="./value"/> </password>

NOTE:  If multiple drivers are running, only one driver should have a default password enabled for users, and only one driver should have ID generation enabled for a particular user or group.
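The Subscriber defaults described above, modeled as an added Python example (not the driver's own XSLT style sheet) over constructed XDS add events: each attribute is added only when the event lacks it, and the default password is applied only when the add carries no <password> element, which is an assumption of this model. The constants mirror the page's prefix, login-shell and gid-number variables; the password value is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

# Defaults taken from the style sheet variables described on this page.
PREFIX = "/home"           # <xsl:variable name="prefix">
LOGIN_SHELL = "/bin/sh"    # <xsl:variable name="login-shell">
GID_NUMBER = "500"         # <xsl:variable name="gid-number">
DEFAULT_PASSWORD = "PLACEHOLDER-initial-password"  # constructed; sits in clear text, as on the page
# Constructed XDS add events (sample data, not driver output).
SAMPLE_EVENTS = r"""<nds><input>
 <add class-name="User" src-dn="\TREE-NAME\USERS_O\jdoe">
  <add-attr attr-name="CN"><value>jdoe</value></add-attr>
  <add-attr attr-name="uidNumber"><value>1001</value></add-attr></add>
 <add class-name="User" src-dn="\TREE-NAME\USERS_O\asmith">
  <add-attr attr-name="CN"><value>asmith</value></add-attr>
  <add-attr attr-name="uidNumber"><value>1002</value></add-attr>
  <add-attr attr-name="loginShell"><value>/bin/bash</value></add-attr>
  <password>already-set-by-eDirectory</password></add>
</input></nds>"""

def _attr(add, name):  # first value of the named add-attr, or None when absent
    node = add.find(f"./add-attr[@attr-name='{name}']/value")
    return None if node is None else (node.text or "").strip()

def _default(add, name, value):  # add the attribute only when the event lacks it
    if _attr(add, name) is None:
        ET.SubElement(ET.SubElement(add, "add-attr", {"attr-name": name}), "value").text = value

def subscriber_create_defaults(xds_xml, prefix=PREFIX, shell=LOGIN_SHELL,
                               gid=GID_NUMBER, password=DEFAULT_PASSWORD):
    """Apply the Subscriber Create Rule Transform defaults to each User add.
    Returns {CN: {attr: value, "password": value}} so callers can inspect the result."""
    result = {}
    for add in ET.fromstring(xds_xml).iter("add"):
        cn = _attr(add, "CN")
        if add.get("class-name") != "User" or not cn:
            continue  # CN is mandatory under the Create Rule; nothing to build on
        _default(add, "gidNumber", gid)                    # primary group
        _default(add, "homeDirectory", f"{prefix}/{cn}")   # prefix + user name
        _default(add, "loginShell", shell)
        if add.find("password") is None:                   # assumption: only when none supplied
            ET.SubElement(add, "password").text = password
        attrs = {a.get("attr-name"): _attr(add, a.get("attr-name")) for a in add.findall("add-attr")}
        attrs["password"] = add.find("password").text
        result[cn] = attrs
    return result
```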


Command Transform

The Command Transform style sheet is available both on the Subscriber and Publisher channels.

On the Subscriber channel, the Command Transform style sheet does the following:

On the Publisher channel, the Command Transform style sheet does the following:

IMPORTANT:  Do not edit the contents of this style sheet.


Account Restrictions

The Account Restrictions style sheet prevents privileged user and group accounts from being synchronized to or from eDirectory. The restriction requires the user's uidNumber and the group's gidNumber to be greater than a specified value.

On the Subscriber channel, this style sheet specifies a minimum value of 100 for the uidNumber for the user and gidNumber for group attributes because on UNIX systems all smaller values of uidNumber and gidNumber are reserved. This restricts the events going from eDirectory to NIS.

To edit these values in the Account Restrictions style sheet using ConsoleOne:

  1. In the ConsoleOne left panel, select the driver > click Subscriber.

  2. In the right panel, right-click Account Restrictions > Properties.

  3. Click the Edit XML tab.

  4. Replace the value 100 with the required value of uidNumber in the following line:

    <xsl:variable name="min-user-uid" select="100"/>

  5. Replace the value 100 with the required value of gidNumber in the following line:

    <xsl:variable name="min-group-gid" select="100"/>

To edit these values in the Account Restrictions style sheet using iManager:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Rule on the Subscriber channel.

  5. Click the Account Restrictions style sheet and replace the value 100 with the required value of uidNumber in the following line:

    <xsl:variable name="min-user-uid" select="100"/>

  6. Replace the value 100 with the required value of gidNumber in the following line:

    <xsl:variable name="min-group-gid" select="100"/>

NOTE:  If ID Generation is configured, the Account Restrictions style sheet is not attached in the Subscriber channel. For more information, refer to ID Generation.

On the Publisher channel, the Account Restrictions style sheet specifies a minimum value of 100 for the uidNumber of the user and the gidNumber of the group because on UNIX systems all smaller values of uidNumber and gidNumber are reserved. This restricts the events going from NIS to eDirectory.

To edit these values in the Account Restrictions style sheet using ConsoleOne:

  1. In the ConsoleOne left panel, select the driver > click Publisher.

  2. In the right panel, right-click Account Restrictions > Properties.

  3. Click the Edit XML tab.

  4. Replace the value 100 with the required value of uidNumber in the following line:

    <xsl:variable name="min-user-uid" select="100"/>

  5. Replace the value 100 with the required value of gidNumber in the following line:

    <xsl:variable name="min-group-gid" select="100"/>

To edit these values in the Account Restrictions style sheet using iManager:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Rule on the Publisher channel.

  5. Click the Account Restrictions style sheet and replace the value 100 with the required value of uidNumber in the following line:

    <xsl:variable name="min-user-uid" select="100"/>

  6. Replace the value 100 with the required value of gidNumber in the following line:

    <xsl:variable name="min-group-gid" select="100"/>


Event Transform

The Event Transform style sheet is available on both the Subscriber and Publisher channels.

On the Subscriber channel, this style sheet allows the creation of association-ref attributes when value nodes of type DN are removed.

On the Publisher channel, this style sheet allows updating the gidNumber for a user even if the corresponding GroupMembership attribute is already present in eDirectory.

IMPORTANT:  Do not edit the contents of this style sheet.


Event Restrictions

The Event Restrictions style sheet specifies the eDirectory containers from which users or groups are synchronized to the NIS database. It allows add events for users and groups only from the specified eDirectory containers.

On the Subscriber channel, set the sub-user-dn variable to the FDN of the user container and the sub-grp-dn variable to the FDN of the group container.

To edit these values in the Event Restrictions style sheet using ConsoleOne:

  1. In the ConsoleOne left panel, select the driver > click Subscriber.

  2. In the right panel, right-click Event Restrictions > Properties.

  3. Click the Edit XML tab.

  4. Replace the value of the sub-user-dn variable with the fully distinguished name, in slash format, of the container whose users are to be synchronized, in the following line:

    <xsl:variable name="sub-user-dn">\TREE-NAME\USERS_O</xsl:variable>

  5. Replace the value of the sub-grp-dn variable with the fully distinguished name, in slash format, of the container whose groups are to be synchronized, in the following line:

    <xsl:variable name="sub-grp-dn">\TREE-NAME\GROUPS_O</xsl:variable>

To edit these values in the Event Restrictions style sheet using iManager:

  1. In iManager, click DirXML Management > Overview.

  2. Locate the driver in its driver set.

  3. Click the driver to open the Driver Overview Page.

  4. Click the Matching Rule on the Subscriber channel.

  5. Click the Event Restrictions style sheet and replace the value of the sub-user-dn variable with the fully distinguished name, in slash format, of the container whose users are to be synchronized, in the following line:

    <xsl:variable name="sub-user-dn">\TREE-NAME\USERS_O</xsl:variable>

  6. Replace the value of the sub-grp-dn variable with the fully distinguished name, in slash format, of the container whose groups are to be synchronized, in the following line:

    <xsl:variable name="sub-grp-dn">\TREE-NAME\GROUPS_O</xsl:variable>

Ensure that the container FDNs for users and groups are the same as the container DNs used in the Placement and Matching rules.

NOTE:  There is no Event Restrictions style sheet for the Publisher channel.
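The three restriction checks this page describes (commented-out NIS entries in the Publisher Create Rule Transform, the uidNumber and gidNumber minimums in Account Restrictions, and the container check in Event Restrictions), modeled together as an added Python example rather than the driver's XSLT style sheets, over constructed XDS add events. Assumptions: an object must sit directly in the configured container, and an event carrying no uidNumber or gidNumber (ID Generation configured) skips the minimum check.

```python
import xml.etree.ElementTree as ET
# Style sheet variables from this page; container DNs are in slash format.
MIN_USER_UID = 100                    # min-user-uid
MIN_GROUP_GID = 100                   # min-group-gid
SUB_USER_DN = r"\TREE-NAME\USERS_O"   # sub-user-dn
SUB_GRP_DN = r"\TREE-NAME\GROUPS_O"   # sub-grp-dn
# Constructed XDS add events (sample data, not driver output).
SAMPLE_EVENTS = r"""<nds><input>
 <add class-name="User" src-dn="\TREE-NAME\USERS_O\jdoe">
  <add-attr attr-name="CN"><value>jdoe</value></add-attr>
  <add-attr attr-name="uidNumber"><value>1001</value></add-attr></add>
 <add class-name="User" src-dn="\TREE-NAME\USERS_O\root">
  <add-attr attr-name="CN"><value>root</value></add-attr>
  <add-attr attr-name="uidNumber"><value>0</value></add-attr></add>
 <add class-name="User" src-dn="\TREE-NAME\USERS_O\#olduser">
  <add-attr attr-name="CN"><value>#olduser</value></add-attr>
  <add-attr attr-name="uidNumber"><value>1002</value></add-attr></add>
 <add class-name="Group" src-dn="\TREE-NAME\GROUPS_O\wheel">
  <add-attr attr-name="CN"><value>wheel</value></add-attr>
  <add-attr attr-name="gidNumber"><value>10</value></add-attr></add>
 <add class-name="User" src-dn="\TREE-NAME\SERVICES_O\svc">
  <add-attr attr-name="CN"><value>svc</value></add-attr>
  <add-attr attr-name="uidNumber"><value>1003</value></add-attr></add>
</input></nds>"""

def _attr(add, name):  # first value of the named add-attr, or None when absent
    node = add.find(f"./add-attr[@attr-name='{name}']/value")
    return None if node is None else (node.text or "").strip()

def veto_reason(add, channel):
    """Why an add event is dropped, or None; channel is 'subscriber' or 'publisher'."""
    cn = _attr(add, "CN") or ""
    if channel == "publisher" and cn.startswith("#"):
        return "commented-out NIS entry"          # Publisher Create Rule Transform
    if add.get("class-name") == "User":
        number, floor, container = _attr(add, "uidNumber"), MIN_USER_UID, SUB_USER_DN
    elif add.get("class-name") == "Group":
        number, floor, container = _attr(add, "gidNumber"), MIN_GROUP_GID, SUB_GRP_DN
    else:
        return None
    if number is not None and int(number) < floor:   # reserved system ID range
        return f"id {number} is below the minimum {floor}"   # Account Restrictions
    if channel == "subscriber":   # Event Restrictions exist on the Subscriber channel only
        parent = add.get("src-dn", "").rsplit("\\", 1)[0]
        if parent != container:   # assumption: object must sit directly in the container
            return f"source container {parent!r} is not {container!r}"
    return None

def vetoes(xds_xml, channel):  # CN -> veto reason (None when the event is allowed)
    return {_attr(a, "CN"): veto_reason(a, channel) for a in ET.fromstring(xds_xml).iter("add")}
```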


