Chapter 19. Using SSSD component from IdM to cache the autofs maps
The System Security Services Daemon (SSSD) is a system service that provides access to remote directory services and authentication mechanisms. Caching the data locally is useful when the network connection is slow. To configure the SSSD service to cache the autofs maps, follow the procedures in this section.
19.1. Configuring autofs manually to use IdM server as an LDAP server
This procedure shows how to configure autofs to use an IdM server as an LDAP server.
Edit the /etc/autofs.conf file to specify the schema attributes that autofs uses:
#
# Other common LDAP naming
#
map_object_class = "automountMap"
entry_object_class = "automount"
map_attribute = "automountMapName"
entry_attribute = "automountKey"
value_attribute = "automountInformation"
Note
You can write the attribute values in either lowercase or uppercase in the /etc/autofs.conf file.
Optionally, specify the LDAP configuration. There are two ways to do this. The simplest is to let the automount service discover the LDAP server and locations on its own:
ldap_uri = "ldap:///dc=example,dc=com"
This option requires DNS to contain SRV records for the discoverable servers.
Alternatively, explicitly set which LDAP server to use and the base DN for LDAP searches:
ldap_uri = "ldap://ipa.example.com"
search_base = "cn=location,cn=automount,dc=example,dc=com"
Edit the /etc/autofs_ldap_auth.conf file so that autofs allows client authentication with the IdM LDAP server.
Set the principal to the Kerberos host principal for the IdM LDAP server, host/fqdn@REALM. The principal name is used to connect to the IdM directory as part of GSS client authentication.
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="yes" authtype="GSSAPI" clientprinc="host/server.example.com@EXAMPLE.COM" />
For more information about host principals, see Using canonicalized DNS host names in IdM.
If necessary, run klist -k to get the exact host principal information.
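The manual configuration above can be rendered and sanity-checked before autofs is restarted. The shell functions below are an added example and are not part of the Red Hat documentation or the autofs project: they write the schema settings and the GSSAPI client settings from the steps above into files given as parameters, read attributes back out of the XML file, and check that the clientprinc value is actually present in the host keytab by parsing klist -k output (supplied here as a constructed sample so the check runs offline). The server, realm and base DN values are the page's own placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: render the autofs
# LDAP configuration from the steps above and check the Kerberos client
# principal against the host keytab before restarting autofs.
# All paths are parameters; function names are this example's own.

# Write the schema attributes and an explicit LDAP server into an
# autofs.conf-style file. These settings live in the [ autofs ] section.
#   $1 = output file, $2 = IdM server FQDN, $3 = automount search base
write_autofs_conf() {
    cat > "$1" <<EOF
[ autofs ]
#
# Other common LDAP naming
#
map_object_class = "automountMap"
entry_object_class = "automount"
map_attribute = "automountMapName"
entry_attribute = "automountKey"
value_attribute = "automountInformation"
ldap_uri = "ldap://$2"
search_base = "$3"
EOF
}

# Write the SASL/GSSAPI client settings for autofs_ldap_auth.conf.
# authrequired="yes" keeps autofs from falling back to an anonymous bind.
#   $1 = output file, $2 = host principal in the form host/fqdn@REALM
write_ldap_auth_conf() {
    cat > "$1" <<EOF
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="$2"
/>
EOF
}

# Read one attribute of the autofs_ldap_sasl_conf element.
#   $1 = autofs_ldap_auth.conf, $2 = attribute name
auth_attr() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# True if the principal is listed in "klist -k" output (column 2 of each row).
#   $1 = principal, $2 = file holding the klist -k output
principal_in_keytab() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Pre-restart check: authentication required, mechanism GSSAPI, and the
# client principal is a host principal that the keytab really contains.
#   $1 = autofs_ldap_auth.conf, $2 = file holding the klist -k output
verify_ldap_auth() {
    princ=$(auth_attr "$1" clientprinc)
    [ "$(auth_attr "$1" authrequired)" = "yes" ] ||
        { echo "authrequired is not \"yes\"" >&2; return 1; }
    [ "$(auth_attr "$1" authtype)" = "GSSAPI" ] ||
        { echo "authtype is not GSSAPI" >&2; return 1; }
    case "$princ" in
        host/*@*) ;;
        *) echo "clientprinc '$princ' is not host/fqdn@REALM" >&2; return 1 ;;
    esac
    principal_in_keytab "$princ" "$2" ||
        { echo "$princ is not in the keytab listing" >&2; return 1; }
}

# Constructed sample of "klist -k" output for offline use; on a real host
# run: klist -k > /tmp/keytab.txt
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM
EOF
}
```

On a real host, write the two files to /etc/autofs.conf and /etc/autofs_ldap_auth.conf, save klist -k output to a file, and run verify_ldap_auth before systemctl restart autofs.service; a principal that is in the XML but not in the keytab is the most common reason GSSAPI binds fail silently in the log.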
19.2. Configuring SSSD to cache autofs maps
Configuring autofs manually, as in the previous section, lets it bypass the System Security Services (SSS) altogether. This procedure shows how to configure SSSD to cache the autofs maps instead.
Prerequisite: the sssd package is installed.
Open the SSSD configuration file:
# vim /etc/sssd/sssd.conf
Add the autofs service to the list of services handled by SSSD:
[sssd]
domains = ldap
services = nss,pam,autofs
Create a new [autofs] section. You can leave this blank, because the default settings for an autofs service work with most infrastructures.
[nss]
[pam]
[sudo]
[autofs]
For more information, see the
Optionally, set a search base for the autofs entries. By default, this is the LDAP search base, but a subtree can be specified in the ldap_autofs_search_base parameter:
[domain/EXAMPLE]
ldap_search_base = "dc=example,dc=com"
ldap_autofs_search_base = "ou=automount,dc=example,dc=com"
Restart SSSD service:
# systemctl restart sssd.service
Edit the /etc/nsswitch.conf file so that SSSD is listed as a source for automount configuration, then restart the autofs service:
# systemctl restart autofs.service
Test the configuration by listing a user’s home directory:
# ls /home/userName
If this does not mount the remote file system, check the /var/log/messages file for errors. If necessary, increase the debug level in the /etc/sysconfig/autofs file by setting the
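The sssd.conf and nsswitch.conf edits in this procedure are easy to get subtly wrong (a trailing comma on the services line, a second [autofs] section, sss missing from the automount line), and the only symptom is a home directory that does not mount. The shell functions below are an added example, not part of the Red Hat documentation or the SSSD project: they apply the services= and [autofs] changes idempotently to a file given as a parameter and verify both that file and the nsswitch.conf automount line, using constructed sample files so they can be exercised on a copy before touching /etc. The function names are this example's own, and the sample nsswitch line automount: files sss is an assumption about how the page's "SSSD listed as a source" reads in practice.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: apply the sssd.conf
# and nsswitch.conf changes from this procedure idempotently and verify
# them before restarting sssd and autofs. File paths are parameters so the
# functions can be run on a copy first; function names are this example's own.

# Add "autofs" to the services= line of the [sssd] section if it is missing.
# Assumes the [sssd] section already has a services= line (as on the page).
#   $1 = sssd.conf path
enable_autofs_service() {
    awk '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && /^services[ \t]*=/ {
            value = $0
            sub(/^[^=]*=/, "", value)
            n = split(value, svc, ",")
            have = 0
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "autofs") have = 1
            }
            if (!have) {
                sub(/[ \t,]*$/, "")            # drop a trailing comma
                if ($0 ~ /=$/) $0 = $0 " autofs"
                else $0 = $0 ",autofs"
            }
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add an empty [autofs] section if none exists; the defaults suit most setups.
#   $1 = sssd.conf path
ensure_autofs_section() {
    grep -q '^\[autofs\]' "$1" || printf '\n[autofs]\n' >> "$1"
}

# True if the [sssd] services= list contains autofs.
#   $1 = sssd.conf path
sssd_has_autofs() {
    awk '
        /^\[/ { in_sssd = ($0 == "[sssd]") }
        in_sssd && /^services[ \t]*=/ {
            n = split(substr($0, index($0, "=") + 1), svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "autofs") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# True if nsswitch.conf lists sss as a source on the automount: line.
#   $1 = nsswitch.conf path
automount_uses_sss() {
    awk '
        /^automount:/ { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample sssd.conf matching the page before the edit
# (services= still lacks autofs and carries a trailing comma).
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = ldap
services = nss,pam,

[nss]
[pam]
[sudo]
EOF
}
```

Typical use on a host is to copy /etc/sssd/sssd.conf aside, run enable_autofs_service and ensure_autofs_section on the copy, confirm sssd_has_autofs and automount_uses_sss both succeed, and only then install the copy and run systemctl restart sssd.service. Because both edit functions are idempotent, running them twice leaves the file unchanged, which is what a configuration-management run expects.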