PADL Software Pty Ltd

PADL Software Pty Ltd


About PADL


Commercial Software

Contacting PADL


Open Source Software



Research and Development

Technical Support


Active Directory and the NIS/LDAP Gateway

The NIS/LDAP Gateway is able to act as a NIS front-end to an Active Directory server configured with the Microsoft Services for UNIX schema. This article discusses how to configure the gateway in this situation. Note that Microsoft Services for UNIX already contains a NIS server, so this will be primarily useful when one wishes to:

  • separate the topologies providing NIS and Active Directory service, or;
  • use the Services for UNIX schema without using Microsoft Services for UNIX, or;
  • provide NIS service on UNIX for political or historical reasons.

First, ensure that you have the Services for UNIX schema installed. Schema support is available with:

Please note that the Services for UNIX 3.0 schema is not supported at this time.

Users' and groups' UNIX properties may be configured using the Active Directory management tools. Note that only Microsoft Services for UNIX provides the password synchronization component necessary for seamless integration with existing NIS clients. A password change will be necessary for each user that wishes to authenticate via NIS, as the UNIX crypt(3) password cannot be derived from the hashes stored in Active Directory. If you are using the MKSADExtPlugin, the mSSFUPassword attribute will need to be manually synchronized. This document provides further information on configuring MKSADExtPlugin.

Configure the gateway as you would normally, and then replace the following line in the ypldapd configuration file, ypldapd.conf:

namingcontexts namingcontexts.conf

with the two lines:

namingcontexts namingcontexts-mssfu.conf
schema mssfu

If you are using the gateway for entities other than users and groups, you will need to edit namingcontexts-mssfu.conf to add the NIS domain between the map name and cn=DefaultMigrationContainer. For example, if your NIS domain was, you would need to change all instances of:



A common problem when configuring the Services for UNIX schema support is that groups lack some of their members. If you experience this problem, please check the following:

  • you have upgraded to ypldapd-97 or greater; previous versions would not expand group membership correctly
  • NIS group membership is indicated by distinguished name values of the posixMember attribute (not by, for example, the member attribute)
  • ACLs permit the gateway proxy user (anonymous in the default installation) to read both group entries and the mSSFUName attribute of each group member's entry

Please report any problems to

Home | Bugzilla

Copyright 1999-2014 PADL Software Pty Ltd ABN 16 085 895 585. All rights reserved.
PADL is a registered trademark of PADL Software Pty Ltd.