Date: 26-Nov-2009   URL: www.sun.com/software/whitepapers/wp-nisplus/index.html
Solaris ONC+ - Network Information Service Plus (NIS+)

White Paper

NIS+: An Enterprise Naming Service

Summary

Network Information Service Plus (NIS+), a component of ONC+ in SunSoft's Solaris 2.0 and beyond, is an enterprise naming service designed to replace the widely-installed ONC Network Information Service (NIS) in customer environments. NIS+ is a secure and robust repository of information about network entities, such as users, servers, and printers, enabling efficient administration of enterprise client/server networks. Administration tasks, such as addition, removal, or reassignment of systems and users, are facilitated through efficient addition to or modification of information in NIS+.

An important benefit of NIS+ is scalability: NIS+ simplifies administration of small networks as well as enterprise-wide networks containing tens of thousands of systems and users. As organizations grow and decentralize, NIS+ continues to provide administrative efficiency.

A key enhancement in NIS+ is its update performance. Changes made to the NIS+ information base are automatically and instantaneously propagated to replicated servers across the network. The result is that tasks, such as bringing online of new users and systems, are implemented much more rapidly than before.

Security is an integral aspect of NIS+ operation. NIS+ allows access to network resources to be flexibly controlled by preventing unauthorized sources from reading, changing, or destroying naming service information.

NIS+ will lower the cost of ownership of enterprise client/server networks. As major corporations increasingly adopt the client/server model to gain competitive advantage, use of NIS+ as the administrative information repository will enhance such an advantage.

Introduction

The last few years have seen enormous growth in client/server computing. Accompanying this growth has been a fundamental change in the nature of applications supported by such networks. For example, the recent corporate "rightsizing" trend has been accompanied by expanded use of client/server networks for personal productivity and commercial applications.

This growth in use has been accompanied by a corresponding growth in size of typical client/server networks, which today commonly consist of tens of thousands of systems across an enterprise. These trends present new requirements for efficient administration of entities, such as users, systems and printers, across enterprise networks.

This paper discusses how NIS+ supports the administrative requirements of enterprise client/server networks, and explains how sites using the current NIS naming service can benefit from migrating to NIS+.

NIS+ is used by Solaris distributed systems management software for storage of administrative data. NIS+ is a component of the ONC+ family of distributed services. ONC+, the next generation of Open Network Computing (ONC) in Solaris 2.0 and beyond, consists of a set of new and enhanced core services for enterprise-wide distributed computing.

Client/Server Computing and Naming Services

This section presents an overview of the evolution in client/server network characteristics. It also discusses how the original ONC NIS and the new ONC+ NIS+ naming services support efficient administration of such networks.

ONC NIS Overview

The first generation of client/server computing began in the mid-1980s. Such networks had specific characteristics, including:

  • Their size seldom exceeded a few hundred multivendor client desktops and a few general-purpose servers.
  • They spanned at most a few geographically remote sites.
  • They had friendly, trusted, and sophisticated users - security was not an issue.
  • They were administered centrally.

The original ONC NIS naming service (initially called yellow pages or YP) was designed to address the administration requirements of client/server networks in the 1980s. NIS was a vehicle for centralized administration of the first generation of heterogeneous client/server networks. NIS replaced the UNIX /etc and corresponding configuration files for other operating environments with a central repository. (The original configuration files specified the address and other characteristics of all network-accessible entities and resided on each system on the network.) The NIS implementation had the following characteristics:

  • The central database was organized in flat (i.e. not hierarchical) ASCII maps for different types of information; for example, host address, user password, and e-mail aliases. Each map consisted of key-value pairs with the key column being used for searches.
  • The database was replicated for lookup performance and reliability. Each network supported one NIS master server and a number of slaves, depending upon the size of the network.
  • The replica-updating model assumed infrequent changing of information in the database. Database updates could be made only from the master server and typically took a long time to propagate over the network.

Enterprise-Wide Client/Server Computing

Client/server networks have undergone tremendous growth since the mid-1980s. Enterprise-wide networks of client/server systems, typically spanning multiple sites across the globe, are now being used for corporate mission-critical applications. Such networks typically have the following characteristics:

  • 100 - 10,000 multivendor client desktops and 10 - 100 specialized servers across a number of geographically dispersed sites spanning the globe
  • Frequent addition, removal, relocation, and reassignment of resources
  • Several independent groups across the enterprise requiring administrative autonomy
  • "Untrusted" connections to public networks

The evolution of enterprise-wide client/server networks presents a new set of requirements for naming services. These include:

  • Support of very small to very large networks
  • Support of a range of administration models for the enterprise networks, ranging from centralized administration of the overall network to distributed administration of smaller domains
  • Authorized access to network resources
  • Support for rapidly changing network environments
  • Easier and more consistent administrative operations
  • Increased automation of administrative operations

The NIS+ naming service, a replacement for NIS, is designed to address the administrative requirements of enterprise networks of the 1990s. It provides a highly secure and available storage facility for administrative information for enterprise networks. The following sections present an in-depth look at NIS+ capabilities for administering enterprise networks, particularly in relation to NIS.

NIS+: Evolution from NIS

This section outlines how sites currently supporting NIS will benefit from migrating to NIS+.

NIS has been widely deployed on dozens of hardware and software platforms and has an installed base exceeding two million users. Feedback from these users has greatly shaped the design of NIS+. Like its predecessor, NIS+ serves as a central repository for information on users, systems, printers, and other network entities. In addition, NIS+ contains several major enhancements over NIS, which are summarized in Table 1.

Table 1: Comparison of NIS and NIS+ Features

Namespace
  NIS:  Organized along "flat" lines
  NIS+: Organized along hierarchical lines

Database
  NIS:  Centralized database for each independent network domain
  NIS+: Partitioned into directories to support each network subset or autonomous domain

Data Storage Scheme
  NIS:  Multiple bi-column "maps" having key-value pairs
  NIS+: Multi-column "tables" with multiple searchable columns

Replication
  NIS:  A minimum of one replica server required per IP subnetwork
  NIS+: Each replica server can serve clients on multiple IP subnets

Privileges for Updating
  NIS:  Updates require super-user privileges on the master server
  NIS+: Updates can be performed remotely by authorized administrators

Update Process
  NIS:  Updates require using make files on master servers
  NIS+: Updates are performed through a command-line interface or API

Update Propagation
  NIS:  Administrator-initiated; requires transfer of whole maps and takes a long time
  NIS+: Automatic and high-performance updating via incremental transfer

Authorization
  NIS:  Anyone can read all information stored in a NIS database
  NIS+: Fine-grained access control to NIS+ directories, table columns and entries

Resource Access Across Domains
  NIS:  Not supported
  NIS+: Permitted for authorized users

NIS+ includes features allowing NIS sites to migrate to the new naming service in a phased and smooth manner. NIS sites that migrate to NIS+ will gain the following benefits:

  • Distributed and remote administration of network domains by authorized users
  • Support for a range of network sizes
  • Fast and automatic propagation of updates from master to slave servers
  • Fine-grained access to naming service information
  • Easier and more consistent administrative operations
  • Increased name service reliability and availability

Distributed Administration

As corporations grow, they frequently reach a point where administration of the overall organization as a single entity becomes too difficult. At this stage, most corporations undergo reorganizations, typically involving breaking up the corporation into autonomous components to promote efficiency.

Decentralizations typically affect the use and administration of corporate information resources. Expanded use of client/server computing is one aspect of decentralization of these resources. Another aspect is decentralizing authority to administer the distributed information systems.

The original NIS was designed to support only centralized administration of information resources. NIS+ makes possible flexible system and network administration to support the growth and decentralization of corporations. It allows both centralized administration of such networks and (as requirements emerge for distributed administration) selective distribution of administrative authority across the corporation. Specifically, it provides the following capabilities for distributed system administration:

  • Creation of domain hierarchies allowing administrative efficiency and autonomy
  • Distributed and secure administration of NIS+ service

Manageable Growth through Hierarchical Domain Creation

NIS+ has been designed to allow effective utilization of system administration personnel within corporations. For smaller organizations desiring centralized administration, NIS+ allows the entire network to be treated as a single domain or administrative entity. NIS+ replicated servers provide a central, high-performance, and secure repository of configuration information, optimally addressing the administration needs of a smaller organization.

As corporations grow or reorganize, requirements emerge for decentralized administration. For example, entities such as business units, functional groups, and departments within such corporations may define their own budgets and policies for system and network administration. In addition, such entities may also desire independent system and network administration groups for control and on-going support, while relying on the corporate information resource group for training and support.

NIS+ addresses this requirement by allowing the creation of multiple domains, or subsets of the enterprise network, that may be administered on an autonomous basis. As a domain grows to consist of two or more organizational entities requiring autonomous system administration, the domain can be subdivided by authorized administrators into two or more hierarchical sub-domains. The NIS+ directory for the original domain, containing administrative information for domain-specific resources, can be partitioned into several directories, each supporting a new sub-domain. This process of creating new domains and partitioning directories can be continued as the network grows. NIS+ domain hierarchies provide the following benefits:

  • NIS+ can be used as the administrative information repository for a range of networks - from very small to very large enterprise networks. NIS+ gracefully scales to support network growth so that the size of each NIS+ domain, and therefore of its directory, can be kept within manageable bounds, while the overall network can have unbounded growth.
  • Information in NIS+ servers is visible to authorized users and applications across the domain hierarchy. Thus, NIS+ enables communication across the enterprise by allowing authorized users to access resources, such as printers and servers, across domains.
  • NIS+ can rapidly respond to queries from local clients for domain-specific information as directories supporting individual domains are smaller and more manageable.

As an example, Figure 1 illustrates the process of domain creation and its benefits for a fictitious company, ACME Corporation.

Figure 1 - Creation of Administrative Domains

Initially, NIS+ is used for centralized system and network administration of the Acme enterprise network. As Acme Corporation grows, the corresponding growth in size of its NIS+ directory, beyond supporting a few hundred systems, affects the directory's manageability and performance. Further, functional groups such as Engineering and Sales/Marketing may choose to devote resources for autonomous administration of their networks, to offload administration tasks from the central administration group and improve response time for such tasks as installing new users. NIS+ allows the ACME enterprise network to be sub-divided into three autonomously administered domains: Acme Corporate domain, Acme Engineering domain, and the Acme Sales/Marketing domain. The NIS+ directory for the enterprise network can be partitioned easily into smaller directories, supporting the three new domains for increased manageability and performance.

As ACME Corporation grows and as further decentralized administration requirements emerge, the domain creation can be continued along functional group or other administratively intuitive lines. Figure 2 illustrates how ACME's network may be organized to promote continued administrative efficiency as it evolves.

Figure 2 - Hierarchical Domains

Highlights of Distributed Administration Model

NIS+ includes a flexible administrative interface that facilitates and automates administrative operations. Managing NIS+ servers, including creating directories and setting up domains and server replication, can be performed with ease. Information within NIS+ directories, which consists of a number of multi-column tables, can also be modified efficiently using the administrative interface.

Distributed NIS+ Server Administration

The NIS+ command-line or programmatic interface allows authorized administrators to interactively administer and add, delete, or change information in NIS+ servers, from systems across the domain or enterprise network. Administrators do not need to remotely log into or have super-user privileges on these servers in order to perform administrative functions. In addition, the interface allows the creation of scripts to automate execution of routine service administration tasks.

Distributed administration of the naming service allows efficiency, ease of growth, and setting of site-specific policies. For example, authority for specific NIS+ administration tasks for servers in different domains can be easily distributed to groups or personnel across the corporation, depending on their level of expertise and other considerations.

Distributed Access to NIS+ Information

A major enhancement in NIS+, over NIS, is that its command-line and programmatic interface allows authorized users direct read/write access to information served by NIS+. This access can further be controlled to a fine granularity (discussed later in the "Security in NIS+" section). This makes it significantly easier and faster to change NIS+ tables and directories on servers, without requiring the creation of text files and conversion of these files into databases, as is required for updating information in NIS "maps".

Tasks such as addition of users and systems to a particular domain only require changing information in that domain's NIS+ directory. These operations can also be performed remotely (i.e., from systems around the domain) without requiring super-user privileges or having to remotely log into NIS+ master servers.

The read/write programmatic access to NIS+ information allows the development of interactive and innovative system administration applications atop NIS+. NIS+ is used by all Solaris distributed system management applications as the storage facility for administration data. Solaris Database Manager, a Graphical User Interface (GUI) tool in Solaris 2.x, allows easy editing of NIS+ tables containing, for example, host, RPC and password information. The Solaris User Manager and Printer Manager GUI tools, which allow simplified creation of Solaris user accounts and printer installation respectively, are other applications that use NIS+. It is also expected that the flexible NIS+ interface will spur the development of easy-to-use system administration applications from Independent Software Vendors (ISVs).

To return to the Acme Corporation example, here is how the NIS+ hierarchical model and its information and administrative interfaces allow efficient administration of changes to the corporate network. As shown in Figure 3, NIS+ servers in each domain of the Acme Corp. maintain directories, consisting of multi-column tables, having administrative information on resources local to that domain. To accomplish an administration task, such as the addition of a new workstation and user within the Acme Engineering domain, changes need only be made to the NIS+ master server for that domain. Authorized users or administrators in the domain can use NIS+ table access utilities (either manually or programmatically) to easily add IP address, password, and aliases information to local NIS+ tables. Thus, a new user and system can be easily brought online in the Acme Engineering domain. Next, this new information is automatically transmitted to replicated servers for this domain using the NIS+ updating utility.

Figure 3 - NIS+ Directories allow Autonomous Administration

Through this simple set of operations, the new user and system are quickly visible to users and hosts across the Acme enterprise network, and network applications, such as electronic mail and remote file access, are easily enabled for the new user.

Table-Based Storage of Information

NIS+ directories consist of a set of tables containing domain-specific administrative information. There are 16 standard NIS+ tables for storage of different kinds of administrative information in Solaris, including tables for host name and network address information, location of boot, swap, and dump partitions of diskless clients, and password information about every authorized NIS+ user or system. Tables have multiple columns and entries and each column in the table can be specified as searchable. Finally, tables can support ASCII as well as binary information.

NIS+'s multi-column tables, in conjunction with utilities allowing column-level access to this information, provide significant flexibility and ease in administering NIS+ information. Multi-column search capability of NIS+ tables also obviates the need to have reverse maps as was required with NIS. For example, with NIS, two different maps (hosts.byname and hosts.byaddr) containing the same information were required to allow searches using host name or host address keys.

With NIS+, administrators can easily find the network address of a workstation by using its hostname - or vice versa. For the former task, the table search function looks through the Hostname column until it finds the hostname ("baseball", in the example in Figure 4), then moves along that entry to find the host's network address. NIS+ provides utilities for easy searching of tables for displaying, adding, modifying or deleting information in those tables.

Figure 4 - NIS+ Table Search

An additional area of flexibility within NIS+ is the ability to easily create new kinds of tables and store custom information in these tables. Access to these custom tables can be controlled on a selective basis (for further information on table access controls, see "Security in NIS+" section).

NIS+ has no built-in limitations on the kind or size of information that can be stored in it. However, NIS+ is not a general-purpose distributed database or a full-fledged directory service, such as the OSI X.500 Directory Service, which is used to store large and complex amounts of information for inter-organizational networks. The design of NIS+ is optimized for storage of an enterprise network's administrative information, such as host addresses, e-mail aliases, network addresses, file system mount points, and user passwords.

There are significant practical constraints that will affect NIS+'s performance and efficiency, if used to store information that is not of this type. First and foremost is the resource constraint on NIS+ servers, which need to have adequate physical memory and disk space to support NIS+ directories. For example, if a NIS+ directory is used to store large binary files or tables having entries of bit-map image information, it would need high, possibly prohibitive, amounts of memory on an NIS+ server. Such data is better stored in NFS files, with NIS+ tables being used to store pointers to such files. Second, updating information, such as large files and bit-map images in NIS+ directories and tables, would cause degradation in update performance.

High-Performance Replication

The NIS+ replication model provides high performance, availability and reliability for naming service operations. This section discusses the benefits of the replication model and specific replication enhancements in NIS+ that allow improved performance and reliability for system administration.

Master and Slave Servers

NIS+ allows for a primary copy of a directory to be stored on a master server, with zero or more slave servers storing replicas of the primary copy. Updates are made only to the master server, which then propagates them to its replica servers. An NIS+ client can send lookup requests to any of the replicas and update requests to only the master server. This arrangement has two benefits: it avoids inconsistent updates between tables because only one master exists; and it makes the NIS+ service much more reliable and available. If either master or slave is down, the other server can act as backup server for lookup requests.

Each domain in an NIS+ network has its own master server and may also have a number of slave replicated servers. The number of slave servers in a domain depends upon domain size and server capabilities, such as memory and swap space. The overall reliability of the network is enhanced when there are multiple master servers across the network, one for each domain, as opposed to a single master for an NIS network. If a master server is down, only updates for its particular domain are disabled, while updates to the rest of the network are not affected.

Finally, the NIS+ replication model allows for an improved server-to-client ratio, as the master and slave servers can serve clients on multiple IP subnets.

High-Performance Updating

One of the most significant enhancements in NIS+ is in the area of replica update performance. NIS updates, normally handled manually, usually took a day in large organizations. NIS+ master servers generally update replicated slave servers on an incremental basis (as opposed to the NIS case of whole "maps" being transferred from master to slave servers for updating). A change to a table in an NIS+ directory is automatically and instantaneously propagated by the master server to its replicas. The result is that updates are received by replica servers much more rapidly than before, allowing for rapid implementation of administration tasks, such as change of Ethernet or IP address information in NIS+ for system upgrade and relocation.

This new updating scheme has several additional benefits. It allows for efficient use of network bandwidth, since only the changes to the tables are transmitted from master to slave servers, as opposed to complete maps. In addition, slave servers are contacted only once with an aggregate update to all tables occurring within a short time interval, as opposed to separate updates for each map in the NIS case.

Reliable Updating

The NIS+ updating model includes a transaction-based facility for consistent and reliable updating. It guarantees that the requested change has been made to the server's database correctly, even in the face of failures. When a change is made to a table in an NIS+ directory, the NIS+ master server logs the update, waits for a few seconds for any further updates, and then sends its replica servers a message with the timestamp of the latest update. If replicas are out of date, they ask for the updated information since their last update.

The transaction log model provides rollback recovery and consistency of NIS+ databases, even in the face of server failures during updates. NIS+ master and replica servers are able to automatically restore their databases to the state they were in before such failures occurred.
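The master/replica update flow described above, as an added model that is not the white paper's or NIS+'s own code: the master commits each change to a timestamped log, announces a batch of changes with a single message carrying the latest timestamp, and a replica that is behind pulls only the entries newer than its own last timestamp and applies them as one unit, discarding the partial result if it fails part way through. Table names, keys and rows are constructed.

```python
# Added example (not NIS+ code): model of timestamped, incremental, all-or-nothing
# replica updating. A row of {} in the log stands for a deletion.
import copy
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str, dict]   # (timestamp, table, key, row)


class Master:
    def __init__(self) -> None:
        self.clock = 0                                   # timestamp of the latest update
        self.tables: Dict[str, Dict[str, dict]] = {}
        self.log: List[Entry] = []                       # committed changes, oldest first

    def update(self, table: str, key: str, row: dict) -> int:
        """Apply one change to the master copy and log it; returns its timestamp."""
        self.clock += 1
        if row:
            self.tables.setdefault(table, {})[key] = dict(row)
        else:
            self.tables.get(table, {}).pop(key, None)
        self.log.append((self.clock, table, key, dict(row)))
        return self.clock

    def notify(self, replicas: List["Replica"]) -> int:
        """One message per replica for the whole batch: just the latest timestamp.
        Returns the total number of log entries the replicas pulled."""
        return sum(r.on_notify(self, self.clock) for r in replicas)

    def changes_since(self, ts: int) -> List[Entry]:
        """Only the entries newer than the replica's timestamp, not whole tables."""
        return [e for e in self.log if e[0] > ts]


class Replica:
    def __init__(self, crash_after: int = -1) -> None:
        self.tables: Dict[str, Dict[str, dict]] = {}
        self.last_ts = 0
        self.crash_after = crash_after   # >= 0: fail once, before applying that entry

    def on_notify(self, master: Master, latest_ts: int) -> int:
        """Pull and apply the missing changes; returns how many entries were transferred."""
        if latest_ts <= self.last_ts:
            return 0                                     # already current
        batch = master.changes_since(self.last_ts)
        # Apply to a staged copy so that a failure mid-batch leaves the
        # replica exactly at its previous state (rollback).
        staged = copy.deepcopy(self.tables)
        try:
            for i, (_ts, table, key, row) in enumerate(batch):
                if i == self.crash_after:
                    self.crash_after = -1                # recover on the next notification
                    raise RuntimeError("simulated replica failure")
                if row:
                    staged.setdefault(table, {})[key] = dict(row)
                else:
                    staged.get(table, {}).pop(key, None)
        except RuntimeError:
            return 0                                     # staged copy discarded
        self.tables, self.last_ts = staged, batch[-1][0]
        return len(batch)


def scenario() -> dict:
    """Bring a constructed host and user online, then correct the host's address."""
    m = Master()
    good, flaky = Replica(), Replica(crash_after=1)
    m.update("hosts", "baseball", {"addr": "192.0.2.10"})
    m.update("passwd", "alice", {"uid": "1001"})
    m.update("hosts", "baseball", {"addr": "192.0.2.20"})
    first = m.notify([good, flaky])          # good pulls 3 entries; flaky crashes
    rolled_back = (flaky.tables, flaky.last_ts) == ({}, 0)
    second = m.notify([good, flaky])         # good is current; flaky catches up
    return {"first": first, "second": second, "flaky_rolled_back": rolled_back,
            "all_in_sync": good.tables == flaky.tables == m.tables}


if __name__ == "__main__":
    print(scenario())
```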

Security in NIS+

NIS+ is designed to protect the information in its directories and tables from unauthorized access. The goals of the security functionality in NIS+ are not only to prevent access to information in the NIS+ directories by unauthorized clients, but also to ensure that unfriendly sources are not able to destroy or change such information. Unlike NIS, this functionality allows NIS+ to be a very secure repository of system and network administration information, without restricting the capability of changing information in NIS+ to only the super-user of the master server.

For example, an authorized user can create a table listing the home telephone number and address of members of the Acme Engineering domain as part of the domain's NIS+ directory, with access to this table limited to all or part of the Engineering organization. Or, a desktop application can create NIS+ tables of application-specific information which is required to have network-wide visibility. Or, finally, confidential personnel information, such as company identification number and job category for employees, can be stored in an NIS+ table granting authorized access on a very selective basis.

NIS+ controls access to servers, directories, and tables in two ways:

  • Authentication to verify identity of a system or a user desiring access to NIS+
  • Authorization to control access to information stored in NIS+

Authentication

Every request to a NIS+ server is actually made by a NIS+ principal. A NIS+ principal can be a user or workstation. Authentication is the process of identifying the principal who made a request to the NIS+ server by checking credentials, which are based on encrypted verification information stored in NIS+ tables. The purpose of authentication is to obtain the principal's name so that the principal's access rights to information in the name server can be looked up and verified. All interactions that a NIS+ principal has with a NIS+ server are authenticated.

There are several benefits to authentication. In addition to protecting NIS+ information from access by untrusted clients, it provides much more flexible and secure administration of NIS+ servers. The use of authentication means that administrators do not need to have root privileges or remotely log into master servers. Authentication allows all authorized administrators to administer NIS+ servers from systems across the network.

NIS+ authentication can be turned off for sites that have minimal or no security requirements. However, this is hazardous because any NIS+ principal in such an environment could modify or destroy information in the master NIS+ directory by mistake and then have these changes quickly propagated to all slave servers in the domain.

Authorization

Once the identity of the NIS+ principal is known, authorization is used for granting users or systems access rights to NIS+ directories and tables, as shown in Figure 5.

Figure 5 - Use of Authorization in Controlling Access to NIS+ Tables

The first step in the process is a request for access to a table by an NIS+ principal to an NIS+ server. This request includes the principal's credentials for authentication purposes. The server then verifies the identity of the principal using its credentials. If the verification succeeds, the NIS+ server looks up the definition of the table to verify that the principal has rights (discussed in the following section) to access it, performs the principal's request and replies.

Table and Directory Access Rights

Access rights for tables or directories are granted not to specific NIS+ principals but to four categories of NIS+ principals: Owner, Group, World, and Nobody. The possible rights are Read, Modify, Destroy and Create.

The Owner is a NIS+ principal who owns that particular NIS+ directory, table or table entry. By default, a directory or table's owner is the principal who created it. A NIS+ Group is simply a collection of NIS+ principals, grouped together as a security convenience. The access rights granted to a NIS+ Group apply to all the principals who are members of that group. The World is the category of all NIS+ principals who are authenticated by NIS+. The Nobody class includes everybody, including all authenticated and unauthenticated NIS+ principals (see later section on "NIS Compatibility Mode" for an explanation of unauthenticated NIS+ principals).

An NIS+ table or directory can grant one or more access rights to one or more categories of clients. For example, a directory could grant Read access to the World category, but Modify access only to the Group and Owner. NIS+ authorization supports flexible and secure administration. For example, the Group access right allows finer granularity of control for NIS+ administration. It can be used as a means of maintaining security and control as administrative authority evolves along decentralized lines. In the initial stages of NIS+ domain creation, a group consisting of only central administrative personnel could have Modify and Create access rights to directories across the network. As the domain creation evolves and administrative expertise builds up across the corporation, directories could grant such access rights to new groups consisting of local and central administrative personnel, allowing smooth transition of control.

Table Column and Entry Security

In addition to the security assigned to the entire table, NIS+ tables provide additional levels of security allowing access to information stored in tables to be controlled at a finer granularity.

A NIS+ table itself provides two levels of security: entry and column. Access rights assigned to a table can apply to all the columns and entries in the table. In addition, individual columns and entries can assign multi-level access rights to NIS+ principals. A table may grant Read-only access rights to a group, which means that any member of the group can read the contents of the entire table but not modify it. A particular column, however, may then assign the group Modify rights. This means that although the group members can read the contents of the entire table, they can only modify the contents of that particular column.

As an example, let's take the case of a table containing three columns of host information for a particular domain: Hostname, IP Address, and Ethernet Address.

NIS+ Principal Category   Hostname   IP Address   Ethernet Address
Nobody                    -          -            -
Owner                     Modify     Modify       Modify
Group                     Modify     Modify       -
World                     Read       Read         Read

The table grants Read access rights to the World principal category. All authenticated users and systems will thus be able to read information in the table. Modify access for the Hostname and IP Address columns may further be given to the group allowing the domain administrative group to easily update the table as host names are changed and as hosts are moved to different subnets within the domain. The Ethernet address column, which is changed less frequently, provides Modify access only to the Owner. Thus, access rights can be flexibly controlled for each column and entry.

Compatibility with ONC NIS

NIS is supported on all major UNIX variants including Solaris 1.0, DEC® Ultrix®, IBM® AIX, and HP-UX. In addition, PC-based products such as PC-NFS also provide client-side NIS support. NIS+ has been designed to be a replacement for environments and systems using NIS. It includes a number of capabilities that allow NIS clients and servers to coexist with and easily migrate to NIS+. These capabilities, taken together, provide a number of options for NIS/NIS+ compatibility and migration.

Table 2: NIS+/NIS Client and Server Compatibility

Client type    Solaris 2.x NIS+ Server   Solaris 1.x NIS+ Server   Solaris 1.x NIS Server   ONC NIS Server
Solaris 1.x    Supported                 Supported                 Supported                Supported
Solaris 2.x    Supported                 Supported                 Supported                Supported
ONC NIS        Supported                 Supported                 Supported                Supported

The specific capabilities allowing NIS/NIS+ migration and coexistence are:

  • NIS+ servers running in NIS Compatibility Mode
  • Availability of server-side NIS+ for Solaris 1.0 systems (distributed as part of the Solaris 2.0 release)
  • Name Service Switch capability in Solaris 2.0 and beyond
  • Utilities allowing transfer of information from NIS maps to NIS+ tables and vice versa

NIS Compatibility Mode

NIS+ provides an NIS Compatibility Mode. This mode enables an NIS+ server running Solaris 2.0 to answer requests from NIS clients while continuing to answer requests from NIS+ clients. The NIS Compatibility Mode can be selected while setting up the NIS+ server. NIS clients require no additional setup or changes. In fact, they are not even aware that the server that is responding isn't an NIS server.

An NIS+ server running in NIS Compatibility Mode has the same security requirements for both NIS+ and NIS clients as a normal NIS+ server. However, because NIS clients do not provide the credentials that NIS+ servers use to authenticate all clients, they end up classified as unauthenticated clients belonging to the nobody principal category. Therefore, to allow NIS clients to access any of the information in NIS+ tables, those tables must provide access rights to unauthenticated principals. Note, however, that an NIS client cannot update information in NIS+ tables, and that all administrative activity would have to be done from an NIS+ client.

NIS+ servers running in the NIS compatibility mode only respond to queries from NIS clients and do not exchange information with other NIS servers using the NIS server transfer protocols. However, NIS+ provides utilities (described below) that allow information in NIS+ and NIS to be synchronized and kept up-to-date.
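The column-level rights table above and the Nobody classification of NIS clients described in this section, worked through as an added example. This is not Sun's NIS+ code; the principal and group names, the rights granted, the "Nobody is a floor for everyone" rule and the read-only treatment of NIS requests are this example's assumptions.

```python
# Added example, not part of the white paper or of Sun's NIS+ code: a model of
# how NIS+ table-wide and per-column access rights combine for a requester, and
# of what an NIS client gets from a server in NIS Compatibility Mode.
from dataclasses import dataclass, field
from typing import Optional

READ, MODIFY, CREATE, DESTROY = "R", "M", "C", "D"


@dataclass(frozen=True)
class Principal:
    name: Optional[str] = None           # None models an unauthenticated (NIS) client
    groups: frozenset = frozenset()


@dataclass
class Table:
    owner: str
    group: str
    rights: dict                                       # category -> set of rights
    column_rights: dict = field(default_factory=dict)  # column -> {category: rights}

    def categories(self, p: Principal) -> set:
        """Categories the requester falls into. An unauthenticated client is Nobody
        only; assumption: Nobody's rights are also the floor for everyone else."""
        cats = {"nobody"}
        if p.name is not None:
            cats.add("world")                          # any authenticated principal
            if p.name == self.owner:
                cats.add("owner")
            if self.group in p.groups:
                cats.add("group")
        return cats

    def allowed(self, p: Principal, right: str, column: Optional[str] = None) -> bool:
        """Table-wide rights cover every column; a column's own rights add to them."""
        granted = set()
        for cat in self.categories(p):
            granted |= self.rights.get(cat, set())
            if column is not None:
                granted |= self.column_rights.get(column, {}).get(cat, set())
        return right in granted


def nis_compat_lookup(table: Table, column: str) -> str:
    """Server in NIS Compatibility Mode: the NIS request carries no credential, so
    it is evaluated as Nobody; the NIS protocol itself is read-only."""
    if table.allowed(Principal(), READ, column):
        return "served"
    return "denied: grant Nobody read access for NIS clients to see this table"


# Constructed hosts table following the paper's worked example (names are made up).
hosts = Table(
    owner="admin.example.com.", group="netadmin.example.com.",
    rights={"owner": {READ, MODIFY, CREATE, DESTROY}, "group": {READ},
            "world": {READ}, "nobody": set()},
    column_rights={"hostname": {"group": {MODIFY}}, "ip_address": {"group": {MODIFY}}},
)
helpdesk = Principal("pat.example.com.", frozenset({"netadmin.example.com."}))
```

With the table as constructed, a group member can modify Hostname and IP Address but only read Ethernet Address, and an NIS client is refused until the Nobody category is granted Read.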

Information Transfer Utilities

NIS+ includes utilities to transfer contents of an NIS map into an NIS+ table. The contents of the map can replace, be appended to, or be merged with, the contents of the NIS+ table. NIS maps containing both administrative and custom information can be transferred to NIS+ tables. In order for this utility to be used, the maps need to reside on or be transferred to a system running NIS+. In addition, NIS+ includes utilities allowing transfer of NIS+ tables into NIS maps on a Solaris 1.0 server. These maps can then be transferred to Solaris or non-Solaris NIS servers using NIS transfer utilities.

NIS+ information transfer utilities allow NIS+ master servers to provide up-to-date information to NIS master servers, or vice versa. In this way, NIS+ or NIS servers can effectively act as master servers for NIS or NIS+ sites respectively.

NIS+ 4.1 Distribution

Although NIS+ is an integrated component of Solaris 2.x and beyond, there is also a version of NIS+ that runs on a Solaris 1.x server. It is called the NIS+ 4.1 Distribution, and it allows Solaris 1.x servers to also be NIS+ servers without having to upgrade to Solaris 2.x. This simplifies Solaris 1.x and NIS-to-NIS+ migration. Migration to Solaris 2.x at the desktop level can proceed independently of Solaris 1.x-to-2.x and NIS to NIS+ migrations at the server level. NIS+ 4.1 Distribution is a component of the Solaris 2.0 CD-ROM release. Solaris 1.x NIS+ servers can also run in NIS Compatibility Mode.

Name Service Switch Capability in Solaris 2.x

The Name Service Switch in Solaris 2.x is the means by which multiple name services can easily coexist within Solaris, and by which administrators can set up policies for the use of such services. The Switch allows Solaris 2.x systems to be clients of multiple naming services. The Solaris 2.x operating system and its applications/scripts can thus access system configuration information from the following sources:

  • NIS+ tables
  • NIS maps
  • DNS hosts table
  • Local /etc files

Once these services are set up, one can obtain system administration information from one or more of these sources, in place of, or in addition to NIS+ tables.

The Switch includes a configuration file that allows administrators to specify which name service(s) will be used for each type of configuration information, such as password and host IP address. Further, administrators can specify the order in which different naming services are used for each type of such information, and the criteria for search continuation if information is not found or if a naming service is unavailable. The Name Service Switch also allows the setting of flexible policies for naming service use. The Switch can be used to easily describe and change these policies once site requirements change.

The Switch allows Solaris 2.x systems to easily take advantage of information served by different naming services. For example, a system running Solaris 2.x could obtain its hosts information from an NIS+ table, its group information from NIS maps, and its password information from a local /etc file.

It further simplifies the NIS-to-NIS+ migration process, as both Solaris 1.x and Solaris 2.x systems can be clients of Solaris 1.x NIS servers. Further, Solaris 2.x systems can be NIS and NIS+ clients simultaneously, allowing coexistence of the two naming services during the migration phase.
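The Switch configuration and lookup policy described above, as an added example that is not from the white paper or from Solaris source. It models one entry of the Switch configuration file (nsswitch.conf) with Solaris semantics assumed: statuses SUCCESS, NOTFOUND, UNAVAIL and TRYAGAIN, actions return or continue, and a default of SUCCESS=return with continue otherwise; the name-service back ends are constructed in-memory tables.

```python
# Added example, not from the white paper or from Solaris source: a model of how
# the Name Service Switch walks one nsswitch.conf entry, trying its sources in
# order under the [STATUS=action] criteria. Solaris semantics are assumed:
# statuses SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN; actions return or continue;
# default SUCCESS=return, everything else continue. Back ends are constructed.
import re

DEFAULT_ACTION = {"SUCCESS": "return", "NOTFOUND": "continue",
                  "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_entry(line):
    """'hosts: nisplus [NOTFOUND=return] files' ->
    ('hosts', [('nisplus', {'NOTFOUND': 'return'}), ('files', {})])"""
    database, _, rest = line.split("#", 1)[0].partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):   # a [..] group or a source
        if not tok.startswith("["):
            sources.append((tok, {}))
            continue
        if not sources:
            raise ValueError("criteria before any source: " + line)
        for pair in tok[1:-1].split():               # e.g. NOTFOUND=return
            status, _, action = pair.partition("=")
            sources[-1][1][status.upper()] = action.lower()
    return database.strip(), sources


def parse_config(text):
    """Map each database (passwd, group, hosts, ...) to its ordered source list."""
    return dict(parse_entry(l) for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#"))


def lookup(sources, key, backends):
    """Walk the sources; backends maps a source name to f(key) -> (status, value).
    No back end means UNAVAIL. Assumption: if nothing 'returns', the last status wins."""
    status, value = "NOTFOUND", None
    for source, criteria in sources:
        backend = backends.get(source)
        status, value = backend(key) if backend else ("UNAVAIL", None)
        if criteria.get(status, DEFAULT_ACTION[status]) == "return":
            break
    return status, value


def table_backend(table, available=True):
    """Constructed name service: a dict, optionally marked as down."""
    def query(key):
        if not available:
            return "UNAVAIL", None
        return ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)
    return query


# The paper's example policy: hosts from NIS+, group from NIS, passwd local.
CONFIG = "passwd: files\ngroup:  nis files\nhosts:  nisplus [NOTFOUND=return] files\n"
NISPLUS_HOSTS = {"www": "192.0.2.10"}                           # constructed
FILES_HOSTS = {"localhost": "127.0.0.1", "www": "192.0.2.99"}   # stale local copy
```

The [NOTFOUND=return] criterion is what keeps a name that NIS+ does not know from falling through to a stale local file, while an unreachable NIS+ server still lets the lookup continue to /etc/hosts.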

NIS+ and Other Naming/Directory Services

NIS+ is one among a number of naming services available for use in client/server computing environments. Directory services, a specialized form of naming services, are typically designed to support larger and more complex information about network entities.

This section presents an overview of the role of different types of naming and directory services in client/server environments, technologies for allowing interoperability across these services, and the benefits that NIS+ provides versus other existing and emerging naming/directory services.

Each type of network entity, such as user, file, application, printer, or system, typically has its own naming system. Naming systems maintain a mapping of names with network entities, and allow applications and users to access these entities. These naming systems include:

  • Enterprise or organizational naming services, such as NIS+, NIS, and OSF Distributed Computing Environment Cell Directory Service (DCE CDS). These services facilitate communication within an organization or "cell" by maintaining and managing information about network entities, such as users and systems. Users and applications retrieve such information for location-independent access to these network entities.
  • Naming systems that are typically integrated with application or system services. File systems used by operating systems such as UNIX and VMS have integrated naming systems defining syntax and access commands. Productivity applications such as stock quotation and personal calendar managers also typically have integrated naming systems.
  • Global naming systems supporting the specific characteristics of inter-organizational communication, such as longer distances and delays, and differing levels of trust and administration policies. Global naming systems include Internet Domain Name System (DNS) and OSI X.500 Directory Services.

The properties of different network entities are sufficiently diverse to require use of a range of naming systems in client/server computing environments in the future. These properties include:

  • Scalability or the size of the information base supported by a naming system. For example, a global host naming system, such as DNS, will be required to support information on hundreds of thousands of hosts, whereas a naming system supporting an enterprise network, such as NIS+, may need to have information on only tens of thousands of systems.
  • Lifetime or frequency of updates on different network entities. For example, the file naming system needs to support much more rapid updating of file names and locations than NIS+ can reasonably handle. (NIS+, although able to support a much more dynamic information base than its predecessor, NIS, nonetheless assumes that changes to hostnames, passwords, etc., will be relatively infrequent.)

Interoperability Across Naming/Directory Services

The continued existence of multiple naming systems supporting different types of network entities presents a challenge for users and applications in transparently accessing resources across the heterogeneous enterprise network. SunSoft's strategy for such interoperability is to provide standard naming interfaces allowing applications to easily access information and resources supported by different naming systems. The two announced technologies supporting this goal are the Name Service Switch (described in the preceding section) and federated naming.

Name Service Switch

The Name Service Switch capability in Solaris 2.x allows application and system software to use the UNIX/POSIX standard getXXbyYY naming interface to access naming information from NIS, NIS+, DNS, and /etc local configuration files to access resources within and beyond the enterprise. The switch design is modular, allowing it to easily accommodate other naming systems, such as CDS or X.500.

Federated Naming

Federated naming is the second and more extensive solution for naming interoperability. It is a component of SunSoft's Federated Services technology for integrated interoperability of different computing technologies within Solaris (for further information, see SunSoft's "Federated Services" white paper).

Federated Naming allows integrated and consistent support within Solaris of multivendor naming systems, including global and enterprise naming services supporting high-level entities (such as hosts and users) and specialized naming systems for files, printers, spreadsheets, and personal calendars. Federated naming will permit Solaris applications to consistently and easily access this diverse range of entities through a simple naming interface.

SunSoft is working with system and application software vendors to ensure global, enterprise-level, and application-specific naming systems support the federated naming architecture. In addition, the federated naming service interface will be published, allowing developers to easily incorporate their naming systems into the federated naming architecture.

Comparison of NIS+ and other Naming/Directory Services

This section compares and contrasts NIS+ with three other such services: DNS, X.500 Directory Service, and OSF DCE Cell Directory Service.

NIS+ and Internet Domain Name System (DNS)

DNS is a naming service; it obtains and provides information about hosts on the Internet network. DNS supports the model of a hierarchical namespace with autonomously administered name servers. DNS has been very successfully used on the Internet, supporting communication among hundreds of thousands of nodes across many organizational entities. Although NIS+ uses the DNS hierarchical naming model, it focuses on supporting system administration data and other requirements of enterprise networks.

DNS differs considerably from NIS+ in the kinds of information and environments that it supports. Its main strength is in supporting hierarchical database partitions and replicas containing hundreds of thousands of entries of relatively static information (e.g., hostname and IP address), and ensuring compatibility in an inter-organization environment. NIS+, on the other hand, is a secure repository of frequently updated administrative information for enterprise networks, such as e-mail aliases, RPC program numbers, and user passwords.

In short, both are complementary naming services, with DNS being used for inter-company communication and NIS+ supporting administration of enterprise networks. SunSoft expects a significant proportion of customers to be using both DNS and NIS+ in parallel. In view of this, both NIS+ and DNS client and server software are being shipped with Solaris 2.x, with the Name Service Switch allowing smooth coexistence between the two services.

NIS+ and OSI X.500 Directory Services

OSI X.500 is an emerging International Standards Organization (ISO) specification for directory services for global, inter-company applications. X.500 directory services are primarily being used for storing "white pages" information about people, such as telephone number and e-mail address. The goal is to enable communication among users in different corporations in an easier manner.

X.500 is similar to DNS in two ways: it is a "global" directory service, facilitating inter-company communication and, as such, it is intended to hold relatively static information. Thus NIS+, being an enterprise service, is a complementary service to X.500. As with DNS, customers and vendors can easily use or offer NIS+ and X.500 together to allow effective support of both enterprise and global application requirements. Mechanisms such as Solaris 2.x Name Service Switch and federated naming are designed to facilitate such coexistence.

NIS+ and Cell Directory Service (CDS)

CDS is the "cell" or organizational naming service within the Open Software Foundation's Distributed Computing Environment. NIS+ is similar to CDS in that both services are designed to address the naming and resource location requirements of higher-level network entities such as users, systems and network services within enterprise networks.

NIS+ provides a significant advantage for the installed base of enterprise client/server networks. NIS+ represents a natural and cost-effective evolution for software and hardware vendors, and for end-user environments supporting NIS. In addition, sites requiring support for DCE CDS can use naming interoperability features, such as the Name Service Switch and federated naming (discussed in the preceding section), to have it coexist with NIS+.

Multivendor Support for NIS+

ONC distributed computing technology (a foundation technology of SunSoft's Solaris 1.0 operating system) has become the de facto industry standard for heterogeneous connectivity and the development of next-generation distributed applications. NIS is a component of the ONC platform. ONC specifications are widely published and the source code can be licensed from SunSoft, Inc. Currently, more than 100 implementations of ONC are available for diverse operating environments like DOS, Microsoft Windows, Novell NetWare, OS/2, Apple Macintosh, UNIX System V Release 4, DEC Ultrix, IBM AIX, HP-UX, DEC VMS, IBM MVS and IBM VM. The installed base of ONC exceeds 3.1 million systems, while the installed base of ONC NIS exceeds 2.8 million systems.

The new NIS+ enterprise naming service is a component of ONC+, the next-generation version of Open Network Computing (ONC) in Solaris 2.0 and beyond. ONC+ consists of a set of new and enhanced core services for enterprise-wide distributed computing. ONC+ services, including NIS+, TI-RPC, and enhanced NFS, are completely compatible and will interoperate with the installed base of ONC services, including NFS, NIS, and RPC services.

In addition to offering NIS+ as an integrated component of the Solaris operating environment, SunSoft is actively marketing NIS+ to software and hardware vendors. This is to ensure availability of NIS+ on multivendor platforms and to allow vendors currently supporting NIS to provide the benefits of NIS+ to their customers.

If you fall into such a vendor category and desire to license NIS+, please contact your SunSoft sales representative. If you're a user of NIS and require NIS+ support on multivendor platforms, please contact your software and hardware suppliers for their plans and timeframes for NIS+ support.

Appendix A: References

Some of the references are from the SunOS 5.1 Documentation Set. SunOS 5.1 is the base operating system component of the Solaris 2.1 operating environment, currently scheduled for release in early 1993.

1. NIS+ Architecture White Paper. This paper presents an overview of the architecture of NIS+.

2. SunOS 5.1 Document Set: Administering NIS+ and DNS (Part Number 801-2856-10). A technical manual that describes how to set up and administer NIS+ and DNS.

3. "All About NIS+", a book to be published by Sun Microsystems Press/Prentice Hall in November 1992. It describes the NIS+ service, compares it to DNS and NIS, and provides instructions for setting up and administering NIS+.

4. SunOS 5.0 NIS+ manual pages. The nis(1) manual page provides a high-level introduction to the concepts and capabilities of NIS+.

5. Solaris Federated Services white paper. This paper describes SunSoft's vision for distributed computing and how federated services support that vision by giving Solaris applications and users transparent access to resources across the multivendor, global network.

Copyright 2004-2009 Sun Microsystems, Inc.