Removal of NIS+ [PSARC/2009/530 FastTrack timeout 10/12/2009]

Garrett D'Amore gdamore at sun.com
Mon Oct 5 17:36:36 PDT 2009


+1, and good riddance!

    - Garrett

Gary Winiger wrote:
> I'm sponsoring this Fast Track for Raja Gopal Andra, the RPE naming team,
> and the NIS+ core team.  It requests removal of all the NIS+ related
> interfaces and documentation in a Minor Release.  While this is somewhat
> long, the case owner and project team believe it still qualifies for a
> Fast Track as the length details how the EOL required dependences are
> satisfied.
>
> This project is unrelated to pam_ldap(5) and has no effect on it or
> the Sun Java System Directory Server.
>
> The current NIS+(1) man page and redacted opinions for PSARC/2000/370 (EOL of
> NIS+) and PSARC/2004/638 (Removal of Sun Directory Server 5.1 from Solaris WOS)
> are in the case directory.
>
> The timer is set for 12 Oct., 2009.
>
> Gary..
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Background:
> ==========
> NIS+(1) seems to have been introduced prior to the recording of PSARC cases
> in 1991.  The first references I've found are Vikul Khosla's nisaddcred flag
> (PSARC/1992/187) and Chuck McManis' NIS+ diagnostics (PSARC/1992/188) cases.
> They refer to NIS+, but not to any previous cases, though ZNS demos
> (PSARC/1991/023) seems somehow related.  The NIS+ promise never achieved
> sufficient traction to supplant NIS (nee YP).  X500 directory servers and
> the Lightweight Directory Access Protocol (LDAP) have supplanted the promise
> of NIS+.  EOL of NIS+ (PSARC/2000/370) started the process leading to this
> case.
>
> Dependences:
> ===========
> o PSARC/2000/370 (EOL of NIS+) opinion states:
>
>     2.  Decision & Precedence Information
>     	. . .
>     Note: the approval of this case does not authorize the
>     actual removal of NIS+ support from Solaris.  That removal
>     will need to be the subject of another case.  That case will
>     depend on at least:
>     
>          PSARC/2000/311  NIS+/LDAP Migration
>          
>          PSARC/2000/363  Native LDAP phase II
>          
>          LSARC/2001/101  Bundling of LDAP Directory Server
> 	 {actually PSARC/2001/101 -gww}
>     
>     4.  Opinion
>     
>     The main issue raised for this case was that of providing
>     adequate notice and support to existing NIS+ users.  The
>     requirement to announce the upcoming EOL of NIS+ as soon as
>     possible in order to head off new adoption of the technology
>     was seen as conflicting with the requirement not to panic
>     existing users.
>     
>     The committee decided that a three step schedule:
>     
>          1.  adequate notice
>
>          2.  availability of all replacement technology
>
>          3.  actual EOL
>
>     would satisfy both requirements and imposed technical
>     changes needed to obtain such a schedule.  See [2] for
>     opposing views.
>     
>     {[2] Email discussion.  File:  mail}
>
> o PSARC/2004/638 (Removal of Sun Directory Server 5.1 from Solaris WOS) was
>   denied.  The denial was overturned on appeal and iDS was removed from
>   the Solaris WOS.  That removal impacts the removal of NIS+ as the
>   opinion states:
>
>     4.10.  Potential Impact on NIS+ Removal
>     
>     PSARC/2000/370 "EOL of NIS+" states:
>          "Note: the approval of this case {PSARC/2000/370} does
>          not authorize the actual removal of NIS+ support from
>          Solaris.  That removal will need to be the subject of
>          another case.  That case will depend on at least:
>          
>     	 PSARC/2000/311  NIS+/LDAP Migration
>     	 
>     	 PSARC/2000/363  Native LDAP phase II
>     	 
>     	 PSARC/2001/101  Bundling of LDAP Directory Server"
>     	 
>     Without a bundled LDAP directory server, the preconditions
>     for the removal of NIS+ from Solaris are not met and NIS+
>     may not be removed from Solaris based on the approved
>     architectural decisions.
>
> Details:
> =======
>     * PSARC/2000/311 NIS+/LDAP Migration and PSARC/2000/363 Native LDAP
>       phase II have both been delivered since Solaris 9.
>
>     * 1) adequate notice
>         The announcement of the EOL of NIS+ has been completed since Solaris 9.
>         The current (S10u8) NIS+ man pages contain the note:
>             NIS+ might not be supported in future releases of the
>             Solaris operating system.  Tools to aid the migration from
>             NIS+ to LDAP are available in the current Solaris release.
>             For more information, visit
>             http://www.sun.com/directory/nisplus/transition.html.
>
>     * 2) availability of all replacement technology
> 	 With the integration of PSARC/2008/745 nss_ldap shadowAccount support
> 	 in the current development release and the back port to S10u8,
> 	 all the functionality that was provided by NIS+ is now available
> 	 using an LDAP directory server as a name service (i.e., nsswitch.conf
> 	 configuration such as shown in the delivered sample nsswitch.ldap).
>
>     * With the permission to remove the bundled LDAP Directory Server by
>       the approval upon appeal of PSARC/2004/638, the conditions of
>       PSARC/2000/370 are not met by the Solaris "letter of the law".
>
> 	The "traditional" Solaris view of what is bundled software appears
> 	to be changing with the next Minor release's introduction of the
> 	"OpenSolaris" distribution and "Solaris Next" "marketing release".
> 	The project team believes that OpenLDAP for OpenSolaris
> 	(PSARC/2008/507) and/or Sun OpenDS (LSARC/2008/372) meet the
> 	"intent of the law" as written in PSARC/2000/370 for having a
> 	"Bundled" LDAP Directory Server.  They are "distributed" with
> 	OpenSolaris/Solaris Next.  The project team has verified that both
> 	OpenLDAP and OpenDS support at least all the name service databases
> 	and attributes supported by NIS+.  (As does the "unbundled" Sun
> 	Java System Directory Server.)
>
> Proposal:
> ========
> As all the requirements outlined in PSARC/2000/370 have been met, remove
> all the NIS+ related interfaces and documentation in a Minor release.
> (PSARC/2000/370 details the user and administrative commands, RPC services,
> and Programming API to be removed.)
>
> Issues:
> ======
> Conversion of an existing NIS+ server's Tables to LDAP needs to be
> completed on a system that supports NIS+.  Once NIS+ has been removed,
> conversion using the processes described in "Transitioning From NIS+ to LDAP"
> (http://docs.sun.com/app/docs/doc/817-2655/6mia7mum5?a=view) isn't
> available.  To mitigate this, the project team notes that the announcement
> was made in Solaris 9 and the project will ensure that the installation
> documentation of the Minor release that removes NIS+ will clearly state
> that the conversion must take place before installation.
>
> The project team proposes adding to the Solaris Next System
> Administration Guide a section similar to:
> Transitioning from NIS+ to LDAP on Solaris Next:
> <Warning> An existing Solaris 9 or 10 NIS+ Server and Client system must
> 	  be available for the Transition.
>
>     1. On a system, install Solaris Next (or Solaris 9 or Solaris 10)
>        with the desired Directory server.
>     2. Configure the Directory server as documented in System admin guide
>        http://docs.sun.com/app/docs/doc/816-4556/sundssetup-13?l=en&a=view
>        This details the steps for Sun ONE Directory server; similar
>        configuration steps need to be done if other Directory servers
>        like OpenLDAP or OpenDS are used.
>     3. Migrate the NIS+ tables as documented in System admin guide
>        http://docs.sun.com/app/docs/doc/816-4556/nisplus2ldap-1?l=en&a=view
>     4. Continue by installing Solaris Next with a configured name server
>        that refers to the Directory server of step 1.
>   


