DBIS is a modern evolution of RFC2307 and RFC2307bis and is a direct replacement for them, but what are the differences between the standards? Can a DBIS client use an RFC2307 schema? Can an RFC2307 client use the DBIS schema? This article compares the two and discusses the possibilities.
A DBIS client can make use of an RFC2307 or RFC2307bis schema without any changes to the existing LDAP entries. All that is needed is for some configuration maps to be added to LDAP that the client can use for its configuration; see [ConfigurationMaps-RFC2307]. The benefits of taking this approach are:
- The DBIS client tool, Python API and Perl API provide more options for accessing the data.
- Unified client configuration, i.e. there is no need for separate LDAP configurations for each library or application that needs the data.
- A single global cache and single LDAP engine for all LDAP operations relating to NSS lookups, DBIS client and APIs.
- Consistent architecture and common set of capabilities across multiple platforms including Linux and Solaris.
- Centralised client configuration, i.e. clients discover which maps they can read and from where, which classes/attributes to use, and what transformations or overlays to apply, from LDAP and not from a local configuration file on each host.
- All the features enabled via configuration maps are available: [Remapping Rules], [Transformation Rules], [Overlays] and [Netgroup Constraints].
In addition to the benefits above, a DBIS client using a DBIS schema will also have the following benefits:
- Case-compatibility with original NIS maps, i.e. attributes that were case sensitive in NIS but became case insensitive in RFC2307/RFC2307bis are back to being case sensitive again. This helps organisations where the case of map keys is important.
- Support for separating user and host elements from netgroup objects, making it easier to search for different classes of netgroup. See [Map Entries].
- Support for distinguishing IPv4 from IPv6 addresses, making them easier to query. See [Map Entries].
- Support for using LDAP alias objects. See [Aliases].
- Support for disabling individual entries in LDAP.
- NIS-style custom map entries do not need to repeat the map name for every entry.
- Support for [Netservices].
- Support for automounter multiple mount entries. See [Map Entries].
- Support for including automounter maps within another. See [Map Entries].
An RFC2307 or RFC2307bis client can use a DBIS schema, and will continue to operate correctly provided that:
- Netgroups are defined in compatibility mode (as triples).
- Legacy multi-value aliases are configured instead of (or as well as) LDAP alias objects.
- NIS custom map entries have the map name stored in the description attribute.
However, except for case compatibility with NIS, an RFC2307 or RFC2307bis client will not have any of the other benefits listed above for DBIS clients.
Note that the DBIS schema does not support shadow map entries, and attributes for storing encrypted passwords are only included for backwards compatibility. It is recommended that authentication is performed via a PAM library using a more secure mechanism, and that password aging is managed natively within the LDAP Directory Server.
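As an added example (not part of the DBIS project or this wiki), the Python code below scans an LDIF export of an existing RFC2307 directory for entries that still carry shadowAccount data or userPassword values, the items the note above says DBIS does not support or keeps only for backwards compatibility. The sample LDIF, the DNs and the function names are constructed for illustration; the only schema assumption is that shadow attributes are named shadow*, as in RFC 2307.

```python
import base64
import re

# Constructed sample export; the DNs and the password value are not real data.
_PW = base64.b64encode(b"{CRYPT}$6$constructed$notarealhash").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: {_PW}
shadowLastChange: 19000
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
"""


def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}); handles folding, comments, base64."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF continuation lines start with a space
    for block in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):  # "attr:: value" carries a base64 value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs


def audit(text):
    """Map each DN to the shadow/password items found on it (hashes are not echoed)."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        issues = []
        if any(v.lower() == "shadowaccount" for v in attrs.get("objectclass", [])):
            issues.append("objectClass shadowAccount")
        issues += sorted(f"attribute {a}" for a in attrs if a.startswith("shadow"))
        for pw in attrs.get("userpassword", []):
            m = re.match(r"\{([^}]+)\}", pw)  # storage scheme prefix such as {CRYPT}
            issues.append(f"userPassword scheme {m.group(1).upper() if m else 'none'}")
        if issues:
            findings[dn] = issues
    return findings
```

Calling `audit()` on the text of an export returns a dictionary keyed by DN, which gives a list of entries to review before password handling is moved to PAM and the directory server.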
If necessary, it is also possible to use the native nss_ldap library (and not nss_dbis) while also making use of the DBIS client software for its tooling and APIs. This configuration will have the same limitations as that of an RFC2307 or RFC2307bis client above.
The RFC2307, RFC2307bis and DBIS schemas are compared in [DBIS and RFC2307 schemas].