
Re: Openldap + Solaris + Linux automounter

Here are my notes (cut and pasted from an html doc) on the automounter
and ldap. This is working fine for me on Linux, Solaris and Irix. Note
you probably don't want the serviceSearchDescriptors in unless your map
names contain periods. This is because Solaris assumes the period is a
field separator to distinguish the key (as in host.byname). I've changed
all our auto.* maps to auto_* in the ldap directory so they will be
phased out as we migrate to ldap; this means that I am no longer using
the SSDs mentioned in the notes.

The /etc/auto_master file can look like this:
/xfn    -xfn
/net    -hosts          -nosuid,nobrowse

and if you have:
automount: files ldap
in your nsswitch.conf file the Solaris automounter will look for
/etc/auto_foo and then auto_foo in the directory, which means you can
have local overrides. Like I said - very well behaved!

Ethereal is your friend when debugging ldap configurations (although has
anyone seen what a mess it makes of Irix LDAP packets?); use some
intelligent display filters to cut down the crud.

Hope this helps.


notes follow:
The Automounter
The Solaris automounter is pretty well behaved and will carry out its
duties with little tweaking. It is worth noting that Sun have adopted
the schema which defines automountMap and automount objectclasses and
the automountInformation attribute in Solaris 9 (note they also define
automountKey but I haven't seen this anywhere else; this seems to
correspond directly to cn) as opposed to nisMap and nisObject
objectclasses and nisMapEntry and nisMapName attributes which have been
used until recently by Solaris and Linux distributions. This is why the
Solaris profile above has schema and attribute mapping so that the
client will look for nis* information. If Solaris (>=8) and recent Linux
distributions (tested Redhat9 and Debian(sarge)) are to be used
exclusively then this mapping is not necessary. With patch 108993
Solaris 8 will happily use the new schema and will also be able to cope
with mappings (previously not possible on Solaris 8).

The Linux automounter is a bit different. It requires anonymous access
to the directory and it needs to bind to the server using the dn of the
map, using ldap protocol version 2, and with no password. Therefore, the
following configuration options need to be set in slapd.conf:

allow bind_v2 bind_anon_dn

Note that these two options (and presumably any others) need to be
entered in a single 'allow' entry otherwise only the last one parsed is
recognised - there is no error or warning in the debug information. Also
the Linux automounter does not honour encryption options set up on the
client and therefore the server must accept unencrypted access, although
this can be restricted (see ACLs above).

Redhat9 can be configured to take auto.master automount information from
the server by putting the following line in /etc/nsswitch.conf:

automount: ldap

However, this does not work on Debian(sarge), which must get its
auto.master from a flat file, but that file can then point at the ldap
server using the following syntax:

/users ldap:<your.slapd.server:ou=auto.users,dc=your,dc=base

In this example the automountMap type schema is used.

Examples of the two formats for the LDIF entries are illustrated below:

dn: nisMapName=auto_master,dc=your,dc=base
nisMapName: auto_master
objectClass: top
objectClass: nisMap

dn: cn=/users,nisMapName=auto_master,dc=your,dc=base
objectClass: top
objectClass: nisObject
nisMapName: auto_master
cn: /users
nismapentry: auto_users

dn: nisMapName=auto_users,dc=your,dc=base
objectClass: top
objectClass: nisMap
nisMapName: auto_users

dn: cn=itss,nisMapName=auto_users,dc=your,dc=base
objectClass: top
objectClass: nisObject
nisMapName: auto_users
cn: itss
nismapentry: -rw,hard,timeo=10,quota,intr nfs-server:/path/to/nfs


dn: ou=auto.master,dc=your,dc=base
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/users,ou=auto.master,dc=your,dc=base
objectClass: top
objectClass: automount
cn: /users
automountInformation: ou=auto.users,dc=your,dc=base

dn: ou=auto.users,dc=your,dc=base
objectClass: top
objectClass: automountMap
ou: auto.users

dn: cn=itss,ou=auto.users,dc=your,dc=base
objectClass: top
objectClass: automount
cn: itss
automountInformation: nfs-server:/path/to/nfs

I remain mystified as to which of these formats is the correct and
future-proof way to go. Both appear in RFC2307. The PADL migration
tools use the nisObject objectclass. RedHat appear to have changed from
automount to nisObject and released patches for autofs; on the other
hand, Solaris appear to have changed from nisObject (in Solaris 8) to
automount (in Solaris 9).

The problems encountered with automounting NFS filestores place a few
restrictions on configuration. RedHat is fairly flexible in that it will
search for automount maps using both schemas; Solaris can be made to
search either by using mappings; Debian(sarge) only looks for automount
schema definitions; Irix requires maps for everything so should be able
to use either. So far untested on any other platforms. Older versions of
Solaris are LDAP blind and so can be discounted; Linux comes in many
flavours and may behave differently depending on implementation.

On the other hand, separate NIS maps are currently maintained for Linux
and Solaris automounters as Linux does not support direct automount
maps, so it may be feasible to maintain separate maps for each schema.
The BSD amd automounter may be more flexible than the Linux one; it
appears to have more ldap specific options and I think it supports
direct maps, but it requires a schema all of its own.

My own opinion is that we should adopt the automount schema as used by
default on Solaris and recent Linux distributions, especially as Solaris
8 can be made to work with this schema. Other (older?) distributions can
be accommodated by creating maps with the nis schema.

Problem encountered with the Solaris /etc/auto_master file: I had problems
using a period in automount map names, e.g. auto.users. To get around
this I replaced the period with an underscore and put
serviceSearchDescriptors in the ldap profile. My Solaris profile now
looks (something) like this:

dn: cn=profilename,ou=profile,dc=my,dc=base
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=my,dc=base
cn: profilename
credentialLevel: proxy
followReferrals: true
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nismapentry
attributeMap: automount:automountKey=cn
authenticationMethod: tls:simple
serviceSearchDescriptor: auto_users:nismapname=auto.users,dc=my,dc=base
serviceSearchDescriptor: auto_data:nismapname=auto.data,dc=my,dc=base
serviceSearchDescriptor: auto_nerc:nismapname=auto.nerc,dc=my,dc=base
profileTTL: 43200

This way I can have one set of universal maps on the directory server.

Extra: I would expect it is possible to configure the server to do the
relevant mapping/redirection so that only one schema and information set
is needed, but I haven't yet discovered how to do this even when asking
on the OpenLDAP mailing list.


On Mon, 2003-09-15 at 20:47, Tibbetts, Ric wrote:
> Has anyone gotten Openldap to serve up automount to both Solaris & Linux?
> I have the Linux portion working, but not the Solaris half.
> Any pointers, or tips would be greatly appreciated
> Thanx!
> Ric
Greg Matthews
iTSS Wallingford	01491 692445
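An added example, not from the message above or from the OpenLDAP or autofs projects: a small Python converter that takes the nisMap/nisObject LDIF shown in the notes and emits the equivalent automountMap/automount entries, so one set of maps can be maintained and the other derived from it. It assumes plain LDIF (no line folding, no base64 values) and that a nismapentry whose last word names another map (a master-map entry) should point at that map's DN, as in the notes' automount example.

```python
import re
# Constructed sample input: the nisMap/nisObject LDIF from the notes above (objectClass: top omitted).
NIS_LDIF = """dn: nisMapName=auto_master,dc=your,dc=base
objectClass: nisMap
nisMapName: auto_master

dn: cn=/users,nisMapName=auto_master,dc=your,dc=base
objectClass: nisObject
nisMapName: auto_master
cn: /users
nismapentry: auto_users

dn: nisMapName=auto_users,dc=your,dc=base
objectClass: nisMap
nisMapName: auto_users

dn: cn=itss,nisMapName=auto_users,dc=your,dc=base
objectClass: nisObject
nisMapName: auto_users
cn: itss
nismapentry: -rw,hard,timeo=10,quota,intr nfs-server:/path/to/nfs
"""
def parse_ldif(text):
    """Split plain LDIF (no line folding, no base64 values) into dicts of attr -> [values]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries
def nis_to_automount(text, base):
    """Rewrite nisMap/nisObject entries as automountMap/automount entries under base."""
    entries = parse_ldif(text)
    map_names = {e["nismapname"][0] for e in entries if "nismap" in map(str.lower, e["objectclass"])}
    out = []
    for e in entries:
        ocs = [oc.lower() for oc in e["objectclass"]]
        name = e["nismapname"][0]
        if "nismap" in ocs:
            out.append([f"dn: ou={name},{base}", "objectClass: automountMap", f"ou: {name}"])
        elif "nisobject" in ocs:
            key, words = e["cn"][0], e["nismapentry"][0].split()
            # A master-map entry names another map; point at that map's DN as the notes' example does
            if words[-1] in map_names:
                words[-1] = f"ou={words[-1]},{base}"
            out.append([f"dn: cn={key},ou={name},{base}", "objectClass: automount",
                        f"cn: {key}", f"automountInformation: {' '.join(words)}"])
    return "\n\n".join("\n".join(lines) for lines in out) + "\n"
```

Feed the result to ldapadd against a test directory and compare with the automountMap example in the notes before trusting it with real maps.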