Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 20. Using SSSD component from IdM to cache the autofs maps


The System Security Services Daemon (SSSD) is a system service to access remote service directories and authentication mechanisms. The data caching is useful in case of the slow network connection. To configure the SSSD service to cache the autofs map, follow the procedures below in this section.

20.1. Configuring autofs manually to use IdM server as an LDAP server

Configure autofs to use IdM server as an LDAP server.

Procedure

  1. Edit the /etc/autofs.conf file to specify the schema attributes that autofs searches for:

    #
    # Other common LDAP naming
    #
    map_object_class = "automountMap"
    entry_object_class = "automount"
    map_attribute = "automountMapName"
    entry_attribute = "automountKey"
    value_attribute = "automountInformation"
    Note

    User can write the attributes in both lower and upper cases in the /etc/autofs.conf file.

  2. Optional: Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:

    ldap_uri = "ldap:///dc=example,dc=com"

    This option requires DNS to contain SRV records for the discoverable servers.

    Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:

    ldap_uri = "ldap://ipa.example.com"
    search_base = "cn=location,cn=automount,dc=example,dc=com"
  3. Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.

    • Change authrequired to yes.
    • Set the principal to the Kerberos host principal for the IdM LDAP server, host/FQDN@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.

      <autofs_ldap_sasl_conf
           usetls="no"
           tlsrequired="no"
           authrequired="yes"
           authtype="GSSAPI"
           clientprinc="host/server.example.com@EXAMPLE.COM"
           />

      For more information about host principal, see Using canonicalized DNS host names in IdM.

      If necessary, run klist -k to get the exact host principal information.

20.2. Configuring SSSD to cache autofs maps

The SSSD service can be used to cache autofs maps stored on an IdM server without having to configure autofs to use the IdM server at all.

Prerequisites

  • The sssd package is installed.

Procedure

  1. Open the SSSD configuration file:

    # vim /etc/sssd/sssd.conf
  2. Add the autofs service to the list of services handled by SSSD.

    [sssd]
    domains = ldap
    services = nss,pam,autofs
  3. Create a new [autofs] section. You can leave this blank, because the default settings for an autofs service work with most infrastructures.

    [nss]
    
    [pam]
    
    [sudo]
    
    [autofs]
    
    [ssh]
    
    [pac]

    For more information, see the sssd.conf man page on your system.

  4. Optional: Set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter.

    [domain/EXAMPLE]
    
    ldap_search_base = "dc=example,dc=com"
    ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
  5. Restart SSSD service:

    # systemctl restart sssd.service
  6. Check the /etc/nsswitch.conf file, so that SSSD is listed as a source for automount configuration:

    automount: sss files
  7. Restart autofs service:

    # systemctl restart autofs.service
  8. Test the configuration by listing a user’s /home directory, assuming there is a master map entry for /home:

    # ls /home/userName

    If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the logging parameter to debug.

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.