
10.4. Migrating from NIS to FreeIPA

There is no direct migration path from NIS to FreeIPA. This is a manual process with three major steps: setting up netgroup entries in FreeIPA, exporting the existing data from NIS, and importing that data into FreeIPA. There are several options for how to set up the FreeIPA environment and how to export data; the best option depends on the type of data and the overall network environment that you have.

10.4.1. Preparing Netgroup Entries in FreeIPA

The first step is to identify what kinds of identities are being managed by NIS. Frequently, a NIS server is used for either user entries or host entries, but not for both, which can simplify the data migration process.
For user entries
Determine what applications are using the user information in the NIS server. While some clients (like sudo) require NIS netgroups, many clients can use Unix groups instead. If no netgroups are required, then simply create corresponding user accounts in FreeIPA and delete the netgroups entirely. Otherwise, create the user entries in FreeIPA and then create a FreeIPA-managed netgroup and add those users as members. This is described in Section 10.2, “Creating Netgroups”.
For host entries
Whenever a host group is created in FreeIPA, a corresponding shadow NIS group is automatically created. These netgroups can then be managed using the ipa-host-net-manage command.
For a direct conversion
It may be necessary to have an exact conversion, with every NIS user and host having an exact corresponding entry in FreeIPA. In that case, each entry can be created using the original NIS names:
  1. Create an entry for every user referenced in a netgroup.
  2. Create an entry for every host referenced in a netgroup.
  3. Create a netgroup with the same name as the original netgroup.
  4. Add the users and hosts as direct members of the netgroup. Alternatively, add the users and hosts to FreeIPA groups or other netgroups, and then add those groups as members of the netgroup.

10.4.2. Enabling the NIS Listener in FreeIPA

The FreeIPA Directory Server can function as a limited NIS server. The slapi-nis plug-in sets up a special NIS listener that receives incoming NIS requests and manages the NIS maps within the Directory Server. FreeIPA uses three NIS maps:
  • passwd
  • group
  • netgroup
Using FreeIPA as an interim NIS server offers a reasonable way to handle NIS requests while migrating NIS clients and data.
The slapi-nis plug-in is not enabled by default. To set up the NIS listeners for FreeIPA:
  1. Enable the required schema:
    # ipa-compat-manage enable
  2. Enable the NIS listener:
    # ipa-nis-manage enable
  3. Restart the rpcbind (RPC port mapper) and Directory Server services, which the commands below name explicitly:
    # service rpcbind restart
    # service dirsrv restart

10.4.3. Exporting the Existing NIS Data

There are three main approaches that can be used to obtain the information from the NIS domain:
  1. Export an LDIF file from the NIS server.
    1. Dump the netgroups from the source into an LDIF file.
    2. Convert the entries in the source file so that they use the native FreeIPA NIS schema. The FreeIPA schema elements are defined in /etc/dirsrv/slapd-REALM/schema/60basev2.ldif.
    3. Import the edited LDIF file into FreeIPA using the ldapmodify command.
  2. Use scripts to obtain the information and automatically create the corresponding FreeIPA entries.
    1. Create a script to retrieve data from the source. There are several ways to access this information, such as parsing an LDIF file or connecting to the NIS server and listing the information.
    2. Create a second script that runs through the FreeIPA command-line utilities to create all of the entries, using the NIS information as inputs.
  3. Manually create the required netgroups, users, and hosts.
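As an added example (not code from the FreeIPA documentation or project), the second approach above combined with the direct-conversion steps of Section 10.4.1: a Python script that parses a constructed ypcat-style netgroup dump and emits the ipa commands to review before they are run. The sample netgroup names, the --first/--last placeholders, and the use of --force for hosts without DNS records are assumptions.

```python
import re
import shlex
from collections import OrderedDict

# Constructed sample of "ypcat netgroup" output (hypothetical names, not from the page):
# <netgroup> <member>..., where a member is a (host,user,domain) triple or a nested netgroup.
SAMPLE_NETGROUP_MAP = """\
admins (,alice,) (,bob,)
webhosts (www1.example.com,,) ( www2.example.com , , )
webadmins admins webhosts (db1.example.com,carol,)
"""
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_map(text):
    """Return {netgroup: {"users": [...], "hosts": [...], "netgroups": [...]}} in map order."""
    groups = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        entry = groups.setdefault(name, {"users": [], "hosts": [], "netgroups": []})
        for host, user, _domain in TRIPLE_RE.findall(rest):
            for kind, value in (("hosts", host), ("users", user)):
                if value and value != "-":  # "" is a wildcard and "-" means no value: skip both
                    entry[kind].append(value)
        # anything left once the triples are removed is a reference to another netgroup
        entry["netgroups"].extend(TRIPLE_RE.sub(" ", rest).split())
    return groups


def ipa_commands(groups):
    """Emit ipa CLI commands for a direct conversion: an entry for every referenced user and
    host, a netgroup under each original NIS name, then memberships once every group exists."""
    dangling = {ref for g in groups.values() for ref in g["netgroups"] if ref not in groups}
    if dangling:  # a member netgroup that the map never defines would fail at add-member time
        raise ValueError("netgroups referenced but never defined: " + ", ".join(sorted(dangling)))
    users = OrderedDict((u, None) for g in groups.values() for u in g["users"])
    hosts = OrderedDict((h, None) for g in groups.values() for h in g["hosts"])
    cmds = []
    for u in users:  # NIS netgroups carry no given/family names: fill the placeholders in first
        cmds.append(f"ipa user-add {shlex.quote(u)} --first=FIXME --last=FIXME")
    for h in hosts:  # --force: create the host entry even if it has no DNS record yet
        cmds.append(f"ipa host-add {shlex.quote(h)} --force")
    cmds.extend(f"ipa netgroup-add {shlex.quote(n)}" for n in groups)
    for name, g in groups.items():
        opts = [f"--{kind}={','.join(g[kind])}" for kind in ("users", "hosts", "netgroups") if g[kind]]
        if opts:
            cmds.append(f"ipa netgroup-add-member {shlex.quote(name)} {' '.join(opts)}")
    return cmds
```

Pipe real `ypcat netgroup` output into parse_netgroup_map and review the generated list (in particular the FIXME placeholders and any ValueError for dangling references) before executing anything against the FreeIPA server.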