The NIS+ Namespace

The NIS+ namespace is the arrangement of information stored by NIS+. You can arrange the information in the namespace in a variety of ways to suit the needs of your organization. The hierarchical namespace of NIS+ is similar to that used by DNS and by the UNIX file system. With a hierarchical namespace, you can decentralize administration and improve security. When NIS was developed, the basic assumption was that the network and organization-wide namespace would be small enough for one person to administer. The growth of networked computing has resulted in a need to change this assumption.

NIS+ works best when the information in the NIS+ namespace is arranged into configurations called domains. An NIS+ domain is a collection of information about the systems, users, and network services in a portion of an organization. In the sample network shown in Figure 17, the domains for a fictitious company, Starlight Corporation, are organized by division.

Figure 17. Creation of Administrative Domains


As Starlight Corporation grows beyond a few hundred systems, the corresponding growth of its NIS+ directory begins to affect manageability and performance. Functional groups, such as Engineering and Sales/Marketing, may choose to create local subdomains and appoint (or hire) autonomous system administrators for these subdomains. These local administrators take responsibility for administering their own subdomains, thus relieving the central administration group of some of its workload.

As Starlight Corporation continues to grow, further decentralized administrative requirements may emerge. Administrators will be able to continue to subdivide the domains along functional groups or other natural administrative lines, such as by location or by building. Figure 18 shows how the Starlight network has decentralized the Sales domain.

Figure 18. Hierarchical Domains


Each domain can be administered either locally or centrally. Alternatively, some portions of domain administration can be performed locally while others remain under the control of a central administrator. A domain can even be administered from within another domain. As more domains are created, NIS+ clients continue to have the same access to the information in other NIS+ domains of the company.

The NIS+ commands enable authorized administrators to interactively administer and add, delete, or change information in NIS+ servers from systems across the domain or enterprise network. Administrators do not need to remotely log in to or have superuser privileges on these servers to be able to perform administrative functions. The following sections describe the components of the NIS+ namespace. NIS+ security is discussed in “NIS+ Security”.

Components of the NIS+ Namespace

The NIS+ namespace contains the following components.

  • Directory objects.

  • Table objects.

  • Group objects.

  • Entry objects.

  • Link objects.

Directory, table, and group objects are organized into NIS+ domains. Entry objects are contained in tables. Link objects provide connections between different objects. Directory and table objects are described in detail in the following sections.

Directory Objects

Directory objects, which are the framework of the namespace, divide the namespace up into separate parts. Each domain consists of a directory object; its two administrative directories, org_dir and groups_dir; and a set of NIS+ tables, as shown in Figure 19.

Figure 19. The org_dir and groups_dir Directories for Two Domains


The org_dir directory contains NIS+ tables that store information about users and systems on your network. The tables are described in “Table Objects”. The groups_dir directory stores information about the NIS+ groups for the domain. A directory object is considered a domain only if it contains its own administrative tables in the org_dir and groups_dir subdirectories. The NIS+ scripts that are run when NIS+ is set up create these two default directories. Figure 20 shows the contents of the org_dir directory for the Starlight Corporation top-level domain and two subdomains.

Figure 20. An Example of the Domains, Directories, and Tables in an NIS+ Namespace


The top-level domain in an NIS+ hierarchy is called the root domain. The root domain is the first NIS+ domain installed. Each directory contains administrative information on resources local to that domain.

Domain Name Syntax

NIS+ domain names consist of a string of ASCII characters separated by a dot (.). These character sequences, which identify the directories in an NIS+ domain, are called labels. The order of labels is hierarchical. The directory at the left of the sequence is the most local, and the directories identifying the parts of the domain become more global the closer they are to the right, as is the convention for most e-mail domain addresses. You must use a dot at the end of a fully qualified NIS+ domain name. The dot identifies the global root of the namespace. NIS+ names are fully qualified when the name includes all of the labels that identify all of the directories. Figure 21 shows examples of some fully qualified names in an NIS+ namespace. Note that an NIS+ principal is a user or system whose credentials have been stored in the NIS+ namespace. See “NIS+ Security” for more information.

Figure 21. Fully Qualified Names of NIS+ Namespace Components


NOTE

If an NIS+ command requires a fully qualified domain name and you omit the global root dot from the end of the name, a syntax error message is displayed.


Names without a trailing dot are called partially qualified. For example, hosts.org_dir is a partially qualified name that specifies the hosts table in the org_dir directory of the default domain.

Figure 22 shows a more detailed example of a hierarchical namespace. In Figure 22, Starlight.Com. is the root domain, Sales and Corp are subdomains of the root domain, Int is a subdomain of Sales, and hostname.int.sales.starlight.com. is a client system in the int.sales.starlight.com. domain. The system hostname.corp.starlight.com. is a client of the Corp domain.

Figure 22. An Example of the Directories and Domains in an NIS+ Namespace


NOTE

Domain names for NIS+ are not case sensitive. You do not need to type the names with exact capitalization. The names esg.eng.starlight.com. and ESG.Eng.Starlight.COM. are identical in NIS+.
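The naming rules stated in this section (a trailing dot marks a fully qualified name, labels are dot-separated with the most local label on the left, a partially qualified name is resolved relative to the default domain, and names are not case sensitive) can be checked mechanically before a name is handed to an NIS+ command. The following shell helpers are an added example, not part of the original text and not NIS+ commands; the function names are invented here, and the sample names are the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the original text or from NIS+): helpers that apply
# the NIS+ naming rules described above. Function names are invented for this
# example.

# Return 0 if NAME is fully qualified, i.e. ends with the global-root dot.
nisname_is_fq() {
    case "$1" in
        *.) return 0 ;;
        *)  return 1 ;;
    esac
}

# Fold a name to lower case. NIS+ domain names are not case sensitive, so
# esg.eng.starlight.com. and ESG.Eng.Starlight.COM. must compare equal.
nisname_fold() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Return 0 if two names denote the same NIS+ object (case-insensitive compare).
nisname_equal() {
    [ "$(nisname_fold "$1")" = "$(nisname_fold "$2")" ]
}

# Print NAME as a fully qualified name. A partially qualified name (no trailing
# dot) is resolved relative to DOMAIN, which must itself be fully qualified;
# a name that is already fully qualified is printed unchanged.
nisname_qualify() {   # nisname_qualify NAME DOMAIN
    name=$1
    domain=$2
    if ! nisname_is_fq "$domain"; then
        echo "nisname_qualify: default domain must end with the root dot: $domain" >&2
        return 1
    fi
    if nisname_is_fq "$name"; then
        printf '%s\n' "$name"
    else
        printf '%s.%s\n' "$name" "$domain"
    fi
}

# Print the labels of NAME one per line, most local (leftmost) label first.
nisname_labels() {
    printf '%s\n' "${1%.}" | tr '.' '\n'
}

# Print the parent domain of a fully qualified NAME: everything after the first
# label. For a single-label name the parent is the global root, printed as ".".
nisname_parent() {
    if ! nisname_is_fq "$1"; then
        echo "nisname_parent: expected a fully qualified name: $1" >&2
        return 1
    fi
    parent=${1#*.}
    if [ -n "$parent" ]; then
        printf '%s\n' "$parent"
    else
        printf '.\n'
    fi
}

# Demonstration with the names from the text.
nisname_qualify 'hosts.org_dir' 'int.sales.starlight.com.'   # hosts.org_dir.int.sales.starlight.com.
nisname_parent  'hostname.int.sales.starlight.com.'          # int.sales.starlight.com.
nisname_labels  'int.sales.starlight.com.'
```

The qualify helper refuses a default domain without the root dot, which is the same omission the NOTE above says produces a syntax error from the NIS+ commands; catching it in a wrapper script gives a clearer message than the command's own.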


Table Objects

NIS+ table objects use columns and entries (rows) to store information for NIS+ domains. NIS+ tables provide two major improvements over the maps used by NIS.

  • You can access any searchable column in an NIS+ table; with NIS maps you could search only in the first column. Duplicate maps (which were used by NIS) are unnecessary. Instead of providing NIS hosts.byname and hosts.byaddr as separate maps, NIS+ commands can search any column (name or address) marked searchable in the hosts.org_dir table.

  • An NIS+ principal's access to NIS+ tables can be controlled at three levels: at the object level of the table itself, at the column level, and at the row or entry level. If access is given at the table level, it cannot be restricted at the column or entry level. Any access granted at the column level cannot be taken away at the entry level.

In addition, you can specify a search path for each table, and you can create symbolic links between table objects and entries with the nisln command. See the nisln(1) manual page for more information about creating links.

Each table object has its own access security information that controls whether a principal has access to the table object itself. Table security is similar to UNIX file security. See “NIS+ Security” for more information.
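The two rules in the list above (a right granted at the table level cannot be withdrawn at the column or entry level, and a column-level grant cannot be withdrawn at the entry level) mean that a principal's effective rights on a field are the union of the grants at all three levels. The following shell model is an added example, not from the original text and not NIS+ code: the right letters r, m, c and d (read, modify, create, destroy) are the NIS+ right letters, which this page does not itself list; the function names and the sample table with a "secret" column are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original text or from NIS+): a model of how
# table-, column- and entry-level grants combine. Right letters r m c d are the
# NIS+ letters (read, modify, create, destroy); everything else is invented.

# Union of the right letters in all arguments, printed in canonical r m c d
# order. An empty result means no access.
rights_union() {
    all="$*"
    out=""
    for r in r m c d; do
        case "$all" in
            *"$r"*) out="$out$r" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Effective rights of one principal on one field: what the table object grants,
# plus what the column grants, plus what the entry grants. A lower level can
# only add rights; it can never take away a right granted above it.
effective_rights() {   # effective_rights TABLE_RIGHTS COLUMN_RIGHTS ENTRY_RIGHTS
    rights_union "$1" "$2" "$3"
}

# Return 0 if RIGHTS contains LETTER.
has_right() {          # has_right RIGHTS LETTER
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# List the columns that end up readable for a principal class, given its
# table-level grant and its per-column grants (name=rights pairs).
readable_columns() {   # readable_columns TABLE_RIGHTS name=rights ...
    table_rights=$1
    shift
    for spec in "$@"; do
        col=${spec%%=*}
        col_rights=${spec#*=}
        if has_right "$(effective_rights "$table_rights" "$col_rights" "")" r; then
            printf '%s\n' "$col"
        fi
    done
}

# Weak configuration (constructed): the class gets read at the table level, so
# the per-column setting of "secret" is irrelevant and the column is readable.
weak_readable() {
    readable_columns 'r' name=r uid=r secret= | tr '\n' ' '
}

# Corrected configuration (constructed): no read at the table level; read is
# granted column by column, and "secret" is simply never granted.
fixed_readable() {
    readable_columns '' name=r uid=r secret= | tr '\n' ' '
}

echo "weak:  $(weak_readable)"    # weak:  name uid secret
echo "fixed: $(fixed_readable)"   # fixed: name uid
```

The practical consequence for an administrator is that a column which must stay hidden from a class of principals can only be protected by withholding the right at the table level and granting it per column; auditing should therefore start with the table object's own rights, not with the column or entry rights.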

NIS+ org_dir Tables

The tables in org_dir provide much of the functionality that you need to administer your network. Although you can create your own tables, you do most of the standard NIS+ table administration with the tables in the org_dir directory.

Table 23 lists the tables in the org_dir directory in alphabetical order and briefly describes the contents of each table.

Table 23. NIS+ org_dir Tables

Table         Description
-----------   ------------------------------------------------------------------
aliases       Information about the e-mail aliases in the domain.
auto_home     The location of automounted home directories in the domain.
auto_master   The master automount map.
bootparams    Location of the root, swap, and dump partitions of every diskless
              client in the domain.
cred          NIS+ credentials for principals who have permission to access the
              information or objects in the domain.
ethers        The Ethernet address for systems in the domain.
group         Group password, group ID, and the list of members for every UNIX
              group in the domain. Note that the group table is for UNIX groups
              and should not be confused with the NIS+ groups in the groups_dir
              directory.
hosts         IPv4 network address and host name of every system in the domain.
              If you use DNS, leave the hosts table empty.
ipnodes       IPv4 and IPv6 addresses for the host. You must manually keep the
              ipnodes table consistent with the hosts table. If you use DNS,
              leave the ipnodes table empty.
netgroup      The netgroups to which systems and users in the domain may belong.
netmasks      The networks in the domain and their associated netmasks.
networks      The networks in the domain and their canonical names.
passwd        Password information about every user in the domain.
protocols     The list of IP protocols used in the domain.
rpc           The RPC program numbers for RPC services available in the domain.
services      The names of IP services used in the domain and their port numbers.
timezone      The time zone of the domain.

See “Table Information Display” for a brief explanation of how to display information about these tables.

The following sections briefly describe how the org_dir tables are created and populated. Creating and populating these tables is part of the procedure for setting up NIS+.

As part of setting up NIS+, a set of empty tables is created in the org_dir directory. Once the tables are created, authorized principals can add information from existing NIS maps or text files with the nispopulate(1M) NIS+ script, or with the nisaddent or the nistbladm command. If NIS+ entries already exist in the table, authorized principals can use the nisaddent command to merge NIS map information with existing NIS+ information. See the nispopulate(1M), nisaddent(1), and nistbladm(1) manual pages for more information.
