nistoldif Command

Purpose

Exports user, group, name resolution, and rpc data to rfc 2307-compliant form.

Syntax

nistoldif -d Suffix [ -a BindDN -h Host -p Password [-n Port ] ] [ -f Directory ] [ -y domain ] [ -S Schema ] [ -k KeyPath -w SSLPassword ] [ -s Maps ] [ -m ldap_mapname ]

Description

The nistoldif command converts the data from passwd, group, hosts, services, protocols, rpc, networks, netgroup, and automount into forms compliant with rfc2307. It will first attempt to read data from NIS, and if it cannot find a NIS map it will fall back to the flat files.

If the server information (the -a, -h, and -p flags) is given on the command line, data will be written directly to the server. If any data conflicts with an entry already on the server, either because the entry already exists, or because the uid or gid already exists, a warning will be printed. If the server information is not given, the data will be written to stdout in LDIF. In either case, nistoldif does not add an entry for the suffix itself; if that entry does not exist, attempts to add data to the server will fail. This entry will be added during server setup, usually by the mksecldap command.

Translation is not exact. Because of the limitations of the rfc2307 definitions, some attributes are defined in a case-insensitive way; for example, TCP, Tcp, and tcp are all the same protcol name to the LDAP server. Uids and gids greater than 2^31-1 will be translated to their negative twos complement equivalent for storage.

The nistoldif command reads the /etc/security/ldap/sectoldif.cfg file to determine what to name the sub-trees that the passwd, group, hosts, services, protocols, rpc, networks and netgroup data will be exported to. The names specified in the file will be used to create sub-trees under the base DN specified with the -d flag. For more information, see the /etc/security/ldap/sectoldif.cfg file documentation.

Flags

Item Description
-a Specifies the administrative bind DN used to connect to the LDAP server. If this flag is used, -h and -p must also be used, and data will be written directly to the LDAP server.
-d Specifies the suffix that the data should be added under.
-f Specifies the directory to look for flat files in, or the name of the automount map file. If this flag is not used, nistoldif will look for files in /etc. This flag is required for automount maps.
-h Specifies the host name which is running the LDAP server. If this flag is used, -a and -p must also be used, and data will be written directly to the LDAP server. This flag will be ignored for automount data.
-k Specifies the SSL key path. If this flag is used, -w must also be used.
-m Specifies the automount map on the LDAP server.
-n Specifies the port to connect to the LDAP server on. If this flag is used, -a, -h and -p must also be used; if it is not used, the default LDAP port is used.
-p Specifies the password used to connect to the LDAP server. If this flag is used, -a and -h must also be used, and data will be written directly to the LDAP server.
-s Specifies a set of maps to be written to the server. This flag should be followed by a list of letters representing the maps that should be migrated. If this flag is not used, all maps will be migrated. The letters are: a for automount, e for netgroup, g for group, h for hosts, n for networks, p for protocols, r for rpc, s for services, and u for passwd.
-S Specifies the LDAP schema to use for users and groups. This can be either RFC2307 or RFC2307AIX; RFC2307AIX gives extended AIX® schema support. If this flag is not used, RFC2307 is the default.
-w Specifies the SSL password. If this flag is used, -k must also be used.
-y Specifies the NIS domain to read maps from. If this flag is not used, the default domain will be used.

Exit Status

This command returns the following exit values:

0
No errors occurred. Note that failure to find a map is not considered an error.
>0
An error occurred.

Security

Access Control: Only the root user can run this command.

Examples

  1. To export the NIS maps from the domain austin.ibm.com (falling back to the flat files in /tmp/etc) to LDIF under the suffix cn=aixdata, type: 
    nistoldif -d cn=aixdata -y austin.ibm.com -f /tmp/etc > ldif.out
  2. To export the hosts and services maps from the default domain (falling back to the flat files in /etc) to the LDAP server ldap.austin.ibm.com with administrator bind DNcn=root and password secret under the suffix cn=aixdata, type: 
    nistoldif -d cn=aixdata -h ldap.austin.ibm.com -a cn=root -p secret -s hs
  3. To convert the /etc/auto_master automount map file into LDIF, type: 
    nistoldif -s a -f /etc/auto_master > ldif.out
  4. In order to remove automount data, the LDIF file must be created manually. For example, suppose the user user1 was erroneously added to the auto_home automount map in the dc=austin,dc=ibm,dc=com suffix, and needs to be deleted. Create the following LDIF: 
    # cat /tmp/del_user1.ldif
dn: automountKey=user1,automountMapName=auto_home,dc=austin,dc=ibm,dc=com
changetype: delete
    Then run the following command: 
    ldapmodify -f /tmp/del_user1.ldif
  5. In order to edit automount data, the LDIF file must be created manually. For example, suppose the user user2 was given the wrong mount point in the auto_home automount map in the dc=austin,dc=ibm,dc=com suffix, and needs to be changed to the correct location of /home/user2. Create the following LDIF: 
    # cat /tmp/ch_user2.ldif
dn: automountKey=user2,automountMapName=auto_home,dc=austin,dc=ibm,dc=com
changetype: modify
replace: automountInformation
automountInformation: /home/user2
    The run the following command: 
    ldapmodify -f /tmp/ch_user2.ldif

Files

Item Description
/usr/sbin/nistoldif Contains the nistoldif command.