I'm sponsoring this Fast Track for Raja Gopal Andra, the RPE naming team, and the NIS+ core team. It requests removal of all the NIS+ related interfaces and documentation in a Minor Release. While this is somewhat long, the case owner and project team believe it still qualifies for a Fast Track as the length details how the EOL required dependences are satisfied.
This project is unrelated to pam_ldap(5) and has no effect on it or the Sun Java System Directory Server.

The current NIS+(1) man page and redacted opinions for PSARC/2000/370 (EOL of NIS+) and PSARC/2004/638 (Removal of Sun Directory Server 5.1 from Solaris WOS) are in the case directory.

The timer is set for 12 Oct., 2009.

Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Background:
==========

NIS+(1) seems to have been introduced prior to the recording of PSARC cases in 1991. The first references I've found are Vikul Khosla's nisaddcred flag (PSARC/1992/187) and Chuck McManis' NIS+ diagnostics (PSARC/1992/188) cases. They refer to NIS+, but not to any previous cases, though ZNS demos (PSARC/1991/023) seems somehow related.

The NIS+ promise never achieved sufficient traction to supplant NIS (nee YP). X500 directory servers and the Lightweight Directory Access Protocol (LDAP) have supplanted the promise of NIS+. EOL of NIS+ (PSARC/2000/370) started the process leading to this case.

Dependences:
===========

o PSARC/2000/370 (EOL of NIS+) opinion states:

    2. Decision & Precedence Information
    . . .
    Note: the approval of this case does not authorize the actual
    removal of NIS+ support from Solaris. That removal will need to
    be the subject of another case. That case will depend on at
    least:

        PSARC/2000/311 NIS+/LDAP Migration
        PSARC/2000/363 Native LDAP phase II
        LSARC/2001/101 Bundling of LDAP Directory Server
        {actually PSARC/2001/101 -gww}

    4. Opinion

    The main issue raised for this case was that of providing
    adequate notice and support to existing NIS+ users. The
    requirement to announce the upcoming EOL of NIS+ as soon as
    possible in order to head off new adoption of the technology was
    seen as conflicting with the requirement not to panic existing
    users. The committee decided that a three step schedule:

        1. adequate notice
        2. availability of all replacement technology
        3. actual EOL

    would satisfy both requirements and imposed technical changes
    needed to obtain such a schedule. See [2] for opposing views.

    {[2] Email discussion. File: mail}

o PSARC/2004/638 (Removal of Sun Directory Server 5.1 from Solaris WOS) was denied. The denial was overturned on appeal and iDS was removed from the Solaris WOS. That removal impacts the removal of NIS+ as the opinion states:

    4.10. Potential Impact on NIS+ Removal

    PSARC/2000/370 "EOL of NIS+" states:

        "Note: the approval of this case {PSARC/2000/370} does not
        authorize the actual removal of NIS+ support from Solaris.
        That removal will need to be the subject of another case.
        That case will depend on at least:

            PSARC/2000/311 NIS+/LDAP Migration
            PSARC/2000/363 Native LDAP phase II
            PSARC/2001/101 Bundling of LDAP Directory Server"

    Without a bundled LDAP directory server, the preconditions for
    the removal of NIS+ from Solaris are not met and NIS+ may not be
    removed from Solaris based on the approved architectural
    decisions.

Details:
=======

* PSARC/2000/311 NIS+/LDAP Migration and PSARC/2000/363 Native LDAP phase II have both been delivered since Solaris 9.

* 1) adequate notice

  The announcement of the EOL of NIS+ has been completed since Solaris 9. The current (S10u8) NIS+ man pages contain the note:

      NIS+ might not be supported in future releases of the Solaris
      operating system. Tools to aid the migration from NIS+ to LDAP
      are available in the current Solaris release. For more
      information, visit
      http://www.sun.com/directory/nisplus/transition.html.

* 2) availability of all replacement technology

  With the integration of PSARC/2008/745 nss_ldap shadowAccount support in the current development release and the back port to S10u8, all the functionality that was provided by NIS+ is now available using a LDAP directory server as a name service (i.e., nsswitch.conf configuration such as shown in the delivered sample nsswitch.ldap).
* With the permission to remove the bundled LDAP Directory Server by the approval upon appeal of PSARC/2004/638, the conditions of PSARC/2000/370 are not met by the Solaris "letter of the law".

  The "traditional" Solaris view of what is bundled software appears to be changing with the next Minor release's introduction of the "OpenSolaris" distribution and "Solaris Next" "marketing release". The project team believes that OpenLDAP for OpenSolaris (PSARC/2008/507) and/or Sun OpenDS (LSARC/2008/372) meet the "intent of the law" as written in PSARC/2000/370 for having a "Bundled" LDAP Directory Server. They are "distributed" with OpenSolaris/Solaris Next.

  The project team has verified that both OpenLDAP and OpenDS support at least all the name service databases and attributes supported by NIS+. (As does the "unbundled" Sun Java System Directory Server.)

Proposal:
========

As all the requirements outlined in PSARC/2000/370 have been met, remove all the NIS+ related interfaces and documentation in a Minor release. (PSARC/2000/370 details the user and administrative commands, RPC services, and Programming API to be removed.)

Issues:
======

Conversion of an existing NIS+ server's Tables to LDAP needs to be completed on a system that supports NIS+. Once NIS+ has been removed, conversion using the processes described in "Transitioning From NIS+ to LDAP" (http://docs.sun.com/app/docs/doc/817-2655/6mia7mum5?a=view) isn't available.

To mitigate this, the project team notes that the announcement was made in Solaris 9 and the project will ensure that the installation documentation of the Minor release that removes NIS+ will clearly state that the conversion must take place before installation.

The project team proposes adding to the Solaris Next System Administration Guide a section similar to:

    Transitioning from NIS+ to LDAP on Solaris Next:

    <Warning> An existing Solaris 9 or 10 NIS+ Server and Client
    system must be available for the Transition.

    1. On a system, install Solaris Next (or Solaris 9 or Solaris 10)
       with the desired Directory server.

    2. Configure the Directory server as documented in System admin
       guide
       http://docs.sun.com/app/docs/doc/816-4556/sundssetup-13?l=en&a=view
       This details the steps for Sun ONE Directory server; similar
       configuration steps need to be done if other Directory servers
       like OpenLDAP or OpenDS are used.

    3. Migrate the NIS+ tables as documented in System admin guide
       http://docs.sun.com/app/docs/doc/816-4556/nisplus2ldap-1?l=en&a=view

    4. Continue by installing Solaris Next with a configured name
       server that refers to the Directory server of step 1.