Customizing NIS

Solaris™ Operating Environment Boot Camp
By David Rhodes, Dominic Butler
Chapter 12.  Naming Services and NIS


At times it may be useful to use the features of NIS ourselves. Doing this means we don't have to be concerned about ensuring that the same files are up-to-date on every machine or about distributing them. The problem is that we have to customize the makefile to add this support, which can be quite tricky.

To show how this can be done, we will add a hypothetical map to our setup. The one we'll use will be responsible for controlling which users have access to applications on which machines.

The "userAccessList" File

This is the input file that will be used to build the map. It contains a list of UIDs, the machine each UID can use, and a list of the applications the UIDs are allowed access to:

 tin# cat /etc/userAccess
 #
 # UID   hostname    application list
 #
 1234    hydrogen    ls cat who
 5678    hydrogen    ls rcp
 825     helium      tar ufsdump
 22      xenon       ifconfig
 tin#

To make things easier to explain and understand, we will use just one key for the map: the UID field. The map that we'll build will be called userAccess.byuid.

The main task is to edit the makefile so that the map is automatically rebuilt and distributed whenever we do a make. Let's look at the changes we've made before we start to work through them (the changes are the entries that refer to userAccess):

 tin# cat Makefile
 <lines removed for clarity>
 all: passwd group hosts ethers networks rpc services protocols \
      netgroup bootparams aliases publickey netid netmasks \
      c2secure timezone auto.master auto.home userAccess
 <lines removed for clarity>
 c2secure:
     -@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
         if [ ! $(NOPUSH) ]; then $(MAKE)  $(MFLAGS) -k \
             passwd.adjunct.time group.adjunct.time; \
         else $(MAKE) $(MFLAGS) -k NOPUSH=$(NOPUSH) \
             passwd.adjunct.time group.adjunct.time; \
         fi; \
     fi
 userAccess.time: $(DIR)/userAccess
     @(awk 'BEGIN { OFS="\t"; } $$1 !~ /^#/ { print $$1, $$0 }' \
         $(DIR)/userAccess $(CHKPIPE)) | \
         $(MAKEDBM) - $(YPDBDIR)/$(DOM)/userAccess.byuid;
     @touch userAccess.time;
     @echo "updated userAccess";
     @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) userAccess.byuid; fi
     @if [ ! $(NOPUSH) ]; then echo "pushed userAccess"; fi
 passwd.time: $(PWDIR)/passwd $(PWDIR)/shadow
     -@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
 <lines removed for clarity>
 netmasks: netmasks.time
 timezone: timezone.time
 auto.master: auto.master.time
 auto.home: auto.home.time
 userAccess: userAccess.time
 $(DIR)/netid:
 <lines removed for clarity>
 tin#

We need to get an idea of what the makefile does and how it works, so let's look at that now. Generally we define a target that we wish to build; with NIS the targets are the maps. Next, we define a series of dependencies that the targets have. Finally we create some rules that dictate how each target will be built.

Let's see how all this relates to our new map by examining each stage in turn as we generate the makefile entries.

The target will be the map named userAccess.byuid. The dependency for the target is the original file, /etc/userAccess. In other words, if the original source file has altered, we need to regenerate the map because it is out-of-date relative to the source file.

The rules show how to build the target; in our case we use makedbm. A simple example would look similar to that shown below:

 userAccess.byuid: /etc/userAccess
         makedbm /etc/userAccess userAccess.byuid

This basically says, "If /etc/userAccess has altered, then use the makedbm command to rebuild the corresponding map."

The NIS makefile makes the dependency checking a little different by using an intermediate file. When the maps are built a time stamp file is created. This is an empty file named, in this case, userAccess.time. The dependencies are altered slightly to check if the time stamp file is older than the /etc/userAccess file; if so, we rebuild the maps. This gives us the following syntax for our target, which says that the userAccess map depends on the userAccess.time time stamp file:

 userAccess: userAccess.time 

Next we add the following dependency and rules:

 userAccess.time: $(DIR)/userAccess
     @(awk 'BEGIN { OFS="\t"; } $$1 !~ /^#/ { print $$1, $$0 }' \
         $(DIR)/userAccess $(CHKPIPE)) | \
         $(MAKEDBM) - $(YPDBDIR)/$(DOM)/userAccess.byuid;
     @touch userAccess.time;
     @echo "updated userAccess";
     @if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) userAccess.byuid; fi
     @if [ ! $(NOPUSH) ]; then echo "pushed userAccess"; fi

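This uses the same target and dependency idea, but the rule first runs awk over the file: comment lines are skipped, and every other line is printed with its first field (the UID) placed in front as the key, followed by a tab and the original line. That output is fed into makedbm, which builds the actual map. The time stamp of the userAccess.time file is then updated using touch. Lastly, unless NOPUSH is set, the modified map is transferred out to any slaves with yppush.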
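Because the map is keyed on the UID alone and it decides who may run what, a malformed source line ends up in the access data that is pushed to every slave. The following is an added example, not from the book: a pre-build check that reproduces the rule's awk step and flags lines that would damage the map. The helper names (sample_user_access, map_input, lint_user_access) are hypothetical, and the sample input is constructed from the book's four rows plus three defective lines.

```shell
#!/bin/sh
# Added example, not from the book. Helper names are hypothetical.

# Constructed sample: the book's four rows plus three defective lines.
sample_user_access() {
cat <<'EOF'
#
# UID   hostname    application list
#
1234    hydrogen    ls cat who
5678    hydrogen    ls rcp
825     helium      tar ufsdump
22      xenon       ifconfig
1234    helium      tar

root    xenon       ifconfig
EOF
}

# The key<TAB>value lines the makefile rule's awk feeds to makedbm
# ($$ in the makefile is a single $ here, outside make).
map_input() {
    awk 'BEGIN { OFS="\t" } $1 !~ /^#/ { print $1, $0 }' "$1"
}

# One finding per bad line; returns 1 if any line would damage the map.
lint_user_access() {
    awk '
        $1 ~ /^#/ { next }                 # comments never reach the map
        NF == 0 { print "line " NR ": blank line, passed to makedbm with an empty key"; rc = 1; next }
        $1 !~ /^[0-9]+$/ { print "line " NR ": UID is not numeric: " $1; rc = 1; next }
        NF < 3 { print "line " NR ": expected UID, hostname and an application"; rc = 1 }
        seen[$1] { print "line " NR ": duplicate UID " $1 " (first on line " seen[$1] "), one value per key"; rc = 1; next }
        { seen[$1] = NR }
        END { exit rc + 0 }
    ' "$1"
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_user_access > "$tmp"
lint_user_access "$tmp" || echo "fix the lines above before running make userAccess"
rm -f "$tmp"
```

A dbm map holds one value per key, so with the UID as the only key a user who needs access on two hosts cannot be expressed as two rows; the check reports the second row instead of letting one of them disappear.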

The final change made to the makefile is to update the target known as "all." This builds the full set of maps whenever we run make without passing any map names as arguments. In this case, we simply need to add our custom map name to the end to make sure it is built whenever the target is used. This entry will look like the one shown below:

 all: passwd group hosts ethers networks rpc netid services \
      protocols netgroup bootparams aliases publickey netmasks \
      c2secure timezone auto.master auto.home userAccess

Now that the makefile is in place, let's try to build the files:

 tin# cd /var/yp
 tin# make userAccess
 updated userAccess
 pushed userAccess
 tin#

The maps appear to have been built correctly, so now we can check that the files have been created as expected. First we'll look in the domain directory to see if the files are there:

 tin# cd nis.solarisbootcamp.com
 tin# ls userAccess*
 userAccess.byuid.dir  userAccess.byuid.pag
 tin#

And now we can try to read them. At this point, we need to use the full map name:

 tin# ypcat -k userAccess.byuid
 5678 5678    hydrogen    ls rcp
 1234 1234    hydrogen    ls cat who
 825  825     helium      tar ufsdump
 22   22      xenon       ifconfig
 tin#

Good. We can read the maps themselves, so next we'll create an alias for them by updating the nicknames file. This will allow us to use the "standard" userAccess name without having to include the suffix every time:

 tin# cat /var/yp/nicknames
 passwd passwd.byname
 group group.byname
 networks networks.byaddr
 hosts hosts.byname
 protocols protocols.bynumber
 services services.byname
 aliases mail.aliases
 ethers ethers.byname
 userAccess userAccess.byuid
 tin#

Once the nickname has been added, we can try to use the alias itself:

 tin# ypcat userAccess
 5678    hydrogen    ls rcp
 1234    hydrogen    ls cat who
 825     helium      tar ufsdump
 22      xenon       ifconfig
 tin#

Custom Map Propagation

The map is now usable and works fine on the master, but we have to propagate it to the slave. The first time this is performed we need to do it manually, since the slave won't update the map until it has a copy itself (this process is carried out as part of the slave initialization for the standard maps).

To get it onto the slave we'll do a map transfer from each one back to the master. For example, on fluorine we would run the following command:

 fluorine# /usr/lib/netsvc/yp/ypxfr userAccess.byuid
 fluorine#

Now, because the slave has a copy of the map, whenever we run make on the master, yppush will send an update request to the slave, which will pull the updated map back from the master.

At this point we have a valid map that can be used on all the configured NIS machines. The only thing we have to do now is document the changes made so that we remember to update the makefile whenever we perform an operating system upgrade.


    ISBN: 0130342874
    EAN: 2147483647
    Year: 2002
    Pages: 301
