- Use the passwd command to change passwords for Files/NIS/NIS+ users. You must make appropriate changes to the nsswitch.conf file for the passwd command to work. Do not use the yppasswd and passwd -r commands because they bypass PAM and, consequently, the NIS PAM module will not be able to capture passwords.
If a local user has the same name as the NIS user, make sure that the nsswitch.conf is configured properly so that the NIS password also changes in addition to the local user password.
- In a setup where NIS drivers are installed on AIX, we do not recommend modifying the GID of a group that has members in it. If you change the GID of a group, the members of that group will continue to have references to the previous GID. When the user record changes, AIX will not allow changes to the user GID because the GID that exists in the user record does not exist in the system.
- If you add a user using the useradd command and specify the password during useradd, the NIS PAM module will not be able to capture the password and hence the password synchronization to eDirectory fails.
- Password sync from UNIX to eDirectory fails if the earlier Unix and eDirectory passwords are different.
- If the YP files are placed in a directory other than /etc/, ensure that the yppasswdd daemon is started with the yppasswdd /var/yp/etc/ -m option. This will enable the yppasswdd daemon to locate the updated password files from a specified directory for building maps after the password changes.
- If the NIS+ Publisher takes a long time to process events: The NIS+ Publisher picks events from the NIS+ transaction log. After all the events have been processed by the DirXML Driver for NIS, checkpoint the log to speed up the Publisher channel. Checkpoint the transaction log only after verifying in the driver's log files that the DirXML Driver for NIS has processed all the events.
Checkpoint the transaction log using the following command at the prompt:
/usr/lib/nis/nisping -Ca
- When a User is deleted in NIS and NIS+ on the application platform, the name is not removed from the member lists of its secondary groups. Ensure that you manually update the group's member list on the application platform.
- While adding or modifying a Group with a user list in Files, ensure that all the users in the user list are present in the /etc/passwd file and none of the users are currently logged in.
- In AIX, renaming the User or Group and the shadow attributes for the user are not supported; moreover, the Create/Remove Home Directory option cannot be configured for Files. The home directory for a User is created by default; however, it is not removed on deletion. This setting is governed by the mkuser.default file in the /usr/lib/security/ directory and the login.cfg file in the /etc/security directory.
- Addition of a User or Group to Files fails if the same name exists for User or Group in NIS or NIS+ and the /etc/nsswitch.conf file contains an entry for NIS or NIS+.
- We strongly recommend that the User or Group record size should not exceed 1024 bytes in any of the databases.
- The default User or Group attributes should be consistent across all platforms. Ensure that these attributes are acceptable in all the platforms. For example: In Linux, a default value of 99999 for shadowMax will not synchronize to AIX.
- The nistbladm command should be used instead of the nisaddent or nispopulate command to modify indexed attributes such as name and gid for groups, and name and UID for users on NIS(+).
- Avoid running any database administration utility when the driver is running.
- Ensure that the appropriate locale is set before running the DirXML Remote Loader or the Novell eDirectory server while synchronizing non-English accounts.
- If the create-homeDirectory is set for users, ensure that you have enough privileges to create the home directory on the application platform.
- The client machines should have access to the home directories created by the driver for NIS(YP) and NIS(+). Access can be provided by configuring NFS appropriately.
- Ensure that you set the merge-password option based on your system's current settings. For information on recommended values, refer to Driver Settings.
- Ensure that there is only a single space between the string -class and the class name in the config file.
- If a user login to the NIS database fails, check the default password, homeDirectory, and Login shell.
- If a large number of users (more than 10,000) are to be migrated to eDirectory, the DHOST_JVM_OPTIONS environment variable should be set to -Xmx256m before starting the Remote Loader and eDirectory. This increases the memory available for the JVM.
To set the above environment variable, use the following command at the shell prompt:
DHOST_JVM_OPTIONS=-Xmx256m
export DHOST_JVM_OPTIONS
- If multiple drivers are running, only a single driver should have a default password enabled for a particular user.
- If multiple drivers are running, only a single driver should be configured for ID generation of the UID or GID for a particular user or group.
- The NIS(YP) driver caches map entries. Because of this, some events are not reflected immediately. Use the makedbm -c command to refresh ypserv.
- Synchronizing passwords is not supported for groups. The group password will be reset if a group is modified in eDirectory.
- On Solaris, if the Remove Directory option is selected, users will not be deleted if their home directory is not removable.
- The asterisk character (*) cannot be given in the gecos field. If given, it will remove the already existing value.
- Users or Groups added to eDirectory using the ICE Forward Referencing feature will not be synchronized by the NIS driver. You can use the Migrate from eDirectory option in iManager to synchronize such users or groups.
- In case of a fatal error:
  - Ensure that all the mandatory configuration parameters during driver import/creation are correct.
  - Ensure that the NIS YP database is set up correctly and there are no errors while building password and group maps by running make on /var/yp/Makefile.
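
Two of the recommendations above can be checked before a change is made: the 1024-byte record limit, and the precondition for adding or modifying a Group with a user list in Files (every member present in the passwd file, none logged in). The shell functions below are an added example, not part of the driver or its documentation; the function names and sample data are constructed, and record length is assumed to be counted without the trailing newline.

```shell
#!/bin/sh
# Added example: preflight checks; function names and data are constructed.

# Print the name (first field) of every record longer than LIMIT bytes.
# LC_ALL=C makes awk's length() count bytes rather than characters.
oversized_records() {   # usage: oversized_records FILE [LIMIT]
    LC_ALL=C awk -F: -v limit="${2:-1024}" \
        'length($0) > limit { print $1 }' "$1"
}

# Print each member of a comma-separated user list that has no entry
# in the given passwd-format file.
missing_members() {     # usage: missing_members PASSWD_FILE "u1,u2,..."
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r user; do
        [ -n "$user" ] || continue
        awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$1" \
            || printf '%s\n' "$user"
    done
}

# Print each member that appears as a login name in `who` output on stdin.
logged_in_members() {   # usage: who | logged_in_members "u1,u2,..."
    awk -v list="$1" 'BEGIN { n = split(list, a, ",")
                              for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && !seen[$1]++ { print $1 }'
}

# Constructed sample data (not from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1001:100:Alice Example:/home/alice:/bin/sh
bob:x:1002:100:Bob Example:/home/bob:/bin/sh
EOF
# A group record padded past 1024 bytes with a long member list.
{ printf 'staff:x:100:alice,bob\n'
  printf 'bigteam:x:200:'
  awk 'BEGIN { for (i = 0; i < 150; i++) printf "user%04d,", i; print "alice" }'
} > "$SAMPLE_DIR/group"

echo "oversized group records: $(oversized_records "$SAMPLE_DIR/group")"
echo "not in passwd: $(missing_members "$SAMPLE_DIR/passwd" "alice,carol,bob")"
echo "logged in: $(printf 'bob pts/0 2024-01-01 10:00\n' | logged_in_members "alice,bob")"
```

On a live system, point the first two functions at /etc/passwd or /etc/group and pipe the output of who into logged_in_members.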