Chapter 20. Using SSSD component from IdM to cache the autofs maps
The System Security Services Daemon (SSSD) is a system service to access remote service directories and authentication mechanisms. The data caching is useful in case of the slow network connection. To configure the SSSD service to cache the autofs map, follow the procedures below in this section.
20.1. Configuring autofs manually to use IdM server as an LDAP server
Configure autofs
to use IdM server as an LDAP server.
Procedure
Edit the
/etc/autofs.conf
file to specify the schema attributes thatautofs
searches for:# # Other common LDAP naming # map_object_class = "automountMap" entry_object_class = "automount" map_attribute = "automountMapName" entry_attribute = "automountKey" value_attribute = "automountInformation"
NoteUser can write the attributes in both lower and upper cases in the
/etc/autofs.conf
file.Optional: Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
ldap_uri = "ldap:///dc=example,dc=com"
This option requires DNS to contain SRV records for the discoverable servers.
Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:
ldap_uri = "ldap://ipa.example.com" search_base = "cn=location,cn=automount,dc=example,dc=com"
Edit the
/etc/autofs_ldap_auth.conf
file so that autofs allows client authentication with the IdM LDAP server.-
Change
authrequired
to yes. Set the principal to the Kerberos host principal for the IdM LDAP server, host/FQDN@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="host/server.example.com@EXAMPLE.COM" />
For more information about host principal, see Using canonicalized DNS host names in IdM.
If necessary, run
klist -k
to get the exact host principal information.
-
Change
20.2. Configuring SSSD to cache autofs maps
The SSSD service can be used to cache autofs
maps stored on an IdM server without having to configure autofs
to use the IdM server at all.
Prerequisites
-
The
sssd
package is installed.
Procedure
Open the SSSD configuration file:
# vim /etc/sssd/sssd.conf
Add the
autofs
service to the list of services handled by SSSD.[sssd] domains = ldap services = nss,pam,
autofs
Create a new
[autofs]
section. You can leave this blank, because the default settings for anautofs
service work with most infrastructures.[nss] [pam] [sudo]
[autofs]
[ssh] [pac]For more information, see the
sssd.conf
man page on your system.Optional: Set a search base for the
autofs
entries. By default, this is the LDAP search base, but a subtree can be specified in theldap_autofs_search_base
parameter.[domain/EXAMPLE] ldap_search_base = "dc=example,dc=com" ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
Restart SSSD service:
# systemctl restart sssd.service
Check the
/etc/nsswitch.conf
file, so that SSSD is listed as a source for automount configuration:automount:
sss
filesRestart
autofs
service:# systemctl restart autofs.service
Test the configuration by listing a user’s
/home
directory, assuming there is a master map entry for/home
:# ls /home/userName
If this does not mount the remote file system, check the
/var/log/messages
file for errors. If necessary, increase the debug level in the/etc/sysconfig/autofs
file by setting thelogging
parameter todebug
.