
Chapter 20. Using SSSD component from IdM to cache the autofs maps


The System Security Services Daemon (SSSD) is a system service that provides access to remote directory services and authentication mechanisms. Caching this data locally is useful when the network connection is slow. To configure the SSSD service to cache the autofs maps, follow the procedures in this section.

Configure autofs to use the IdM server as an LDAP server.

Procedure

  1. Edit the /etc/autofs.conf file to specify the schema attributes that autofs searches for:

    #
    # Other common LDAP naming
    #
    map_object_class = "automountMap"
    entry_object_class = "automount"
    map_attribute = "automountMapName"
    entry_attribute = "automountKey"
    value_attribute = "automountInformation"
    Note

    You can write the attribute names in either lowercase or uppercase in the /etc/autofs.conf file.

  2. Optional: Specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:

    ldap_uri = "ldap:///dc=example,dc=com"

    This option requires DNS to contain SRV records for the discoverable servers.

    Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:

    ldap_uri = "ldap://ipa.example.com"
    search_base = "cn=location,cn=automount,dc=example,dc=com"
  3. Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.

    • Change authrequired to yes.
    • Set the principal to the Kerberos host principal for the IdM LDAP server, host/FQDN@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.

      <autofs_ldap_sasl_conf
           usetls="no"
           tlsrequired="no"
           authrequired="yes"
           authtype="GSSAPI"
           clientprinc="host/server.example.com@EXAMPLE.COM"
           />

      For more information about the host principal, see Using canonicalized DNS host names in IdM.

      If necessary, run klist -k to get the exact host principal information.

20.2. Configuring SSSD to cache autofs maps

The SSSD service can be used to cache autofs maps stored on an IdM server without having to configure autofs to use the IdM server at all.

Prerequisites

  • The sssd package is installed.

Procedure

  1. Open the SSSD configuration file:

    # vim /etc/sssd/sssd.conf
  2. Add the autofs service to the list of services handled by SSSD.

    [sssd]
    domains = ldap
    services = nss,pam,autofs
  3. Create a new [autofs] section. You can leave this blank, because the default settings for an autofs service work with most infrastructures.

    [nss]
    
    [pam]
    
    [sudo]
    
    [autofs]
    
    [ssh]
    
    [pac]

    For more information, see the sssd.conf man page on your system.

  4. Optional: Set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter.

    [domain/EXAMPLE]
    
    ldap_search_base = "dc=example,dc=com"
    ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
  5. Restart SSSD service:

    # systemctl restart sssd.service
  6. Check the /etc/nsswitch.conf file, so that SSSD is listed as a source for automount configuration:

    automount: sss files
  7. Restart autofs service:

    # systemctl restart autofs.service
  8. Test the configuration by listing a user’s /home directory, assuming there is a master map entry for /home:

    # ls /home/userName

    If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the logging parameter to debug.
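The following POSIX shell script is an added example, not part of the Red Hat documentation. It checks the three files edited in the two procedures above (nsswitch.conf, sssd.conf and autofs_ldap_auth.conf) for the settings they require, so a misconfiguration is caught before the ls test. It runs against constructed sample files so that no IdM server is needed; the check_* functions accept the live /etc paths as well.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: verifies the settings the
# two procedures above depend on. Each check takes a file path and returns
# 0 (pass) or 1 (fail), so the functions work on a live system as well.

# /etc/nsswitch.conf: the automount line must list "sss" as a source
# (for example "automount: sss files"); comment lines are ignored.
check_nsswitch() {
    grep -Eq '^[[:space:]]*automount:([[:space:]]*|.*[[:space:]])sss([[:space:]]|$)' "$1"
}

# /etc/sssd/sssd.conf: "autofs" must appear in services= of the [sssd]
# section, not merely somewhere else in the file.
check_sssd_services() {
    awk '/^\[/ { in_sssd = ($1 == "[sssd]") }
         in_sssd && /^[[:space:]]*services[[:space:]]*=/ { print }' "$1" |
        grep -Eq '(=|,)[[:space:]]*autofs[[:space:]]*(,|$)'
}

# /etc/autofs_ldap_auth.conf: authentication must be required, use GSSAPI,
# and name a host/ principal so autofs can bind to the IdM LDAP server.
check_autofs_auth() {
    grep -q 'authrequired="yes"' "$1" &&
    grep -q 'authtype="GSSAPI"' "$1" &&
    grep -Eq 'clientprinc="host/[^"@]+@[^"]+"' "$1"
}

# Writes constructed sample files (values taken from the procedures above)
# into a temporary directory and prints its path.
make_samples() {
    d=$(mktemp -d)
    printf 'passwd: sss files\nautomount: sss files\n' > "$d/nsswitch.conf"
    printf '[sssd]\ndomains = ldap\nservices = nss,pam,autofs\n\n[autofs]\n' > "$d/sssd.conf"
    printf '<autofs_ldap_sasl_conf\n usetls="no"\n tlsrequired="no"\n authrequired="yes"\n authtype="GSSAPI"\n clientprinc="host/server.example.com@EXAMPLE.COM"\n />\n' > "$d/autofs_ldap_auth.conf"
    # A constructed wrong sssd.conf: autofs listed, but outside the [sssd] section.
    printf '[sssd]\nservices = nss,pam\n[autofs]\nservices = autofs\n' > "$d/sssd-bad.conf"
    echo "$d"
}

# Run every check against the constructed samples and report the result.
samples=$(make_samples)
check_nsswitch "$samples/nsswitch.conf" && echo "nsswitch.conf: automount uses sss"
check_sssd_services "$samples/sssd.conf" && echo "sssd.conf: autofs service enabled in [sssd]"
check_autofs_auth "$samples/autofs_ldap_auth.conf" && echo "autofs_ldap_auth.conf: GSSAPI auth required"
check_sssd_services "$samples/sssd-bad.conf" || echo "sssd-bad.conf: autofs missing from [sssd] services (expected)"
rm -r "$samples"
```

On a live host, replace the sample paths with /etc/nsswitch.conf, /etc/sssd/sssd.conf and /etc/autofs_ldap_auth.conf; the autofs_ldap_auth.conf check needs root because the file is not world-readable.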
