Autofs LDAP info

Autofs LDAP info

[Jim Kusznir]

Hello all:

I've been tasked with making AutoFS get its maps from a Windows 2003 
Active Directory server via LDAP.  I know AutoFS works with LDAP in some 
fashon or another, however the documentation seems very sparce, and 
information on the net seems very fragmented and contradictory in areas.

My primary questions at this point:

What schema(s) does the latest AutoFS support?  Does it support 
standards such as NisMap?  (I've found both "yes" and "no" answers to 
this on the net, and no details in either)

How are maps entered in such schema?

Are there any HOWTOs that cover LDAP specifically?  (I'm familiar with 
the amd-autofs howto at linuxconsulting, however I haven't found any 
useful (as of yet) LDAP info in there).

I currently have AutoFS working via NIS maps wonderfuly, but my work 
over the next few months is to migrate everything from NIS into the AD 
server so as to retire it.

Thanks!
--Jim

Re: Autofs LDAP info

[Ian Kent]

On Thu, 29 Sep 2005, Jim Kusznir wrote:

> Hello all:
> 
> I've been tasked with making AutoFS get its maps from a Windows 2003 
> Active Directory server via LDAP.  I know AutoFS works with LDAP in some 
> fashon or another, however the documentation seems very sparce, and 
> information on the net seems very fragmented and contradictory in areas.
> 
> My primary questions at this point:
> 
> What schema(s) does the latest AutoFS support?  Does it support 
> standards such as NisMap?  (I've found both "yes" and "no" answers to 
> this on the net, and no details in either)

autofs supports the NisMap and automountMap schemas.

I've recently become aware of a couple of problems.

The autofs-4.1.3 in RHEL doesn't seem to ba able to talk to the Sun LDAP 
server however autofs-4.1.4 appears to work OK.

The schema attributes used by Sun (automountMap) implementations have 
probably been incorrect since before I started maintaining autofs and 
I've perpetuated that without realizing the problem. Now we likely have 
a bunch of people that will be inconvenienced if I fix it. In particular 
autofs uses the "cn" attribute to contain the map key but I believe this 
should be the "automountKey" attribute.

> 
> How are maps entered in such schema?
> 
> Are there any HOWTOs that cover LDAP specifically?  (I'm familiar with 
> the amd-autofs howto at linuxconsulting, however I haven't found any 
> useful (as of yet) LDAP info in there).

Have you looked at the LDAP examples in the samples directory of the 
tarball?

Ian

Re: Autofs LDAP info

[Jim Kusznir]

Ian Kent wrote:

>On Thu, 29 Sep 2005, Jim Kusznir wrote:
>
>  
>
>>Hello all:
>>
>>I've been tasked with making AutoFS get its maps from a Windows 2003 
>>Active Directory server via LDAP.  I know AutoFS works with LDAP in some 
>>fashon or another, however the documentation seems very sparce, and 
>>information on the net seems very fragmented and contradictory in areas.
>>
>>My primary questions at this point:
>>
>>What schema(s) does the latest AutoFS support?  Does it support 
>>standards such as NisMap?  (I've found both "yes" and "no" answers to 
>>this on the net, and no details in either)
>>    
>>
>
>autofs supports the NisMap and automountMap schemas.
>
>I've recently become aware of a couple of problems.
>
>The autofs-4.1.3 in RHEL doesn't seem to ba able to talk to the Sun LDAP 
>server however autofs-4.1.4 appears to work OK.
>
>The schema attributes used by Sun (automountMap) implementations have 
>probably been incorrect since before I started maintaining autofs and 
>I've perpetuated that without realizing the problem. Now we likely have 
>a bunch of people that will be inconvenienced if I fix it. In particular 
>autofs uses the "cn" attribute to contain the map key but I believe this 
>should be the "automountKey" attribute.
>
>  
>
>>How are maps entered in such schema?
>>
>>Are there any HOWTOs that cover LDAP specifically?  (I'm familiar with 
>>the amd-autofs howto at linuxconsulting, however I haven't found any 
>>useful (as of yet) LDAP info in there).
>>    
>>
>
>Have you looked at the LDAP examples in the samples directory of the 
>tarball?
>
>  
>
I actually haven't found the tarball yet.  So far, all I've found is the
RHEL RPMS (distributed through RH).  They don't appear to include the
examples (I did look on my devel system a fair bit, but found nothing
but a few configure readme's.

Where is the autofs project homepage / tarball download?  (Google seems
to point me to a bunch of howtos and blog-type pages).

--Jim

Re: Autofs LDAP info

[Ian Kent]

On Thu, 29 Sep 2005, Jim Kusznir wrote:

> >
> I actually haven't found the tarball yet.  So far, all I've found is the
> RHEL RPMS (distributed through RH).  They don't appear to include the
> examples (I did look on my devel system a fair bit, but found nothing
> but a few configure readme's.

How about adding the examples to the rpm Jeff?

> 
> Where is the autofs project homepage / tarball download?  (Google seems
> to point me to a bunch of howtos and blog-type pages).

http://www.kernel.org/pub/linux/daemons/autofs/v4

Ian

Re: Autofs LDAP info

[Chris Feist]

The ldap examples should be in the following directory for RHEL-3 & RHEL-4:
/usr/share/doc/autofs-4.1.3/ldap*

Thanks,
Chris

Ian Kent wrote:
> On Thu, 29 Sep 2005, Jim Kusznir wrote:
> 
> 
>>I actually haven't found the tarball yet.  So far, all I've found is the
>>RHEL RPMS (distributed through RH).  They don't appear to include the
>>examples (I did look on my devel system a fair bit, but found nothing
>>but a few configure readme's.
> 
> 
> How about adding the examples to the rpm Jeff?
> 
> 
>>Where is the autofs project homepage / tarball download?  (Google seems
>>to point me to a bunch of howtos and blog-type pages).
> 
> 
> http://www.kernel.org/pub/linux/daemons/autofs/v4
> 
> Ian
> 
> _______________________________________________
> autofs mailing list
> autofs@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/autofs

Re: Autofs LDAP info

[Timo Felbinger]

On Thu, Sep 29, 2005 at 05:28:28PM -0700, Jim Kusznir wrote:
> 
> Hello all:
> 
> I've been tasked with making AutoFS get its maps from a Windows 2003 
> Active Directory server via LDAP.  I know AutoFS works with LDAP in some 
> fashon or another, however the documentation seems very sparce, and 
> information on the net seems very fragmented and contradictory in areas.
> 
> My primary questions at this point:
> 
> What schema(s) does the latest AutoFS support?  Does it support 
> standards such as NisMap?  (I've found both "yes" and "no" answers to 
> this on the net, and no details in either)
> 
> How are maps entered in such schema?
>
The current stable version of autofs (4.1.4) does support nis.schema
and autofs.schema. With the nis.schema, entries must have objectclass
"nisObject"; the relevant attributes are "cn" (the mount point, as in
the second argument of the mount command) and "nismapentry" (the
"automount information": options and first argument of the mount
command).

If you need greater flexibility (want to use a different schema), or
if you need to authenticate to the LDAP server: there is a patch for
autofs-4.1.4 to allow this:
  http://timof.qipc.org/autofs
The page also shows some examples. It works for me with an OpenLDAP
server. I've never tried it with Windows AD, but I would like to learn
whether it does.


Regards,

Timo Felbinger


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany   PGP key-id: E92567B2

RE: Autofs LDAP info

[Wolfe, Allan]

 Maybe I can help a bit here.  Microsoft supposedly uses the standard
rfc2307 schema, however, they seem to embellish the standard with their
own naming -- particularly prefacing the names with "mssfu" (Microsoft
Services for UNIX).  

I have a couple of broader questions along this line that I've not been
able to discern/decipher out of the information to implement LDAP with
autofs.  

(1) How does one utilize ldaps. All the notes I've seen has been
insecure transport.  We can't justify GSSAPI and TLS simple fits our
needs. 

(2) Why doesn't autofs (or maybe it does and it doesn't make sense)
utilize NSS?  Using NSS would give flexibility to create service search
descriptors to deal with the Microsoft and Sun deviations in object
definition without having to maintain duplicate data to accommodate any
version.  SSD support would logically be built into nss_ldap framework.

-----Original Message-----
From: autofs-bounces@linux.kernel.org
[mailto:autofs-bounces@linux.kernel.org] On Behalf Of Timo Felbinger
Sent: Friday, September 30, 2005 6:50 AM
To: autofs@linux.kernel.org
Subject: Re: [autofs] Autofs LDAP info

On Thu, Sep 29, 2005 at 05:28:28PM -0700, Jim Kusznir wrote:
> 
> Hello all:
> 
> I've been tasked with making AutoFS get its maps from a Windows 2003 
> Active Directory server via LDAP.  I know AutoFS works with LDAP in 
> some fashon or another, however the documentation seems very sparce, 
> and information on the net seems very fragmented and contradictory in
areas.
> 
> My primary questions at this point:
> 
> What schema(s) does the latest AutoFS support?  Does it support 
> standards such as NisMap?  (I've found both "yes" and "no" answers to 
> this on the net, and no details in either)
> 
> How are maps entered in such schema?
>
The current stable version of autofs (4.1.4) does support nis.schema and
autofs.schema. With the nis.schema, entries must have objectclass
"nisObject"; the relevant attributes are "cn" (the mount point, as in
the second argument of the mount command) and "nismapentry" (the
"automount information": options and first argument of the mount
command).

If you need greater flexibility (want to use a different schema), or if
you need to authenticate to the LDAP server: there is a patch for
autofs-4.1.4 to allow this:
  http://timof.qipc.org/autofs
The page also shows some examples. It works for me with an OpenLDAP
server. I've never tried it with Windows AD, but I would like to learn
whether it does.


Regards,

Timo Felbinger


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany   PGP key-id: E92567B2

_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs

-----------------------------------------
Anadarko Confidentiality Notice:  
This electronic transmission and any attached documents or other
writings are intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential
or otherwise protected from disclosure.  If you have received this
communication in error, please immediately notify sender by return
e-mail and destroy the communication. Any disclosure, copying,
distribution or the taking of any action concerning the contents of
this communication or any attachments by anyone other than the named
recipient is strictly prohibited.

Re: Autofs LDAP info

[Timo Felbinger]

On Fri, Sep 30, 2005 at 08:39:38AM -0500, Wolfe, Allan wrote:
> 
> 
> I have a couple of broader questions along this line that I've not been
> able to discern/decipher out of the information to implement LDAP with
> autofs.  
> 
> (1) How does one utilize ldaps. All the notes I've seen has been
> insecure transport.

You were not only top-posting, but quoted my entire previous message
without reading it? ;-)

> (2) Why doesn't autofs (or maybe it does and it doesn't make sense)
> utilize NSS?

Not sure what exactly you mean, but maybe that's because functions
to support automount map lookup have not (yet) been implented into
glibc? (and neither are such functions mentioned in section 5.2 of
rfc2307, afaik)


Regards,

Timo Felbinger


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany   PGP key-id: E92567B2

RE: Autofs LDAP info

[Jim Carter]

On Fri, 30 Sep 2005, Wolfe, Allan wrote:
> (1) How does one utilize ldaps. All the notes I've seen has been
> insecure transport.  We can't justify GSSAPI and TLS simple fits our
> needs. 

I'm following this thread with interest because I want to dump NIS and 
switch all the tables to LDAP, specifically autofs maps.  I'm just starting 
out here, but it looks to me like you specify in /etc/ldap.conf "URI 
ldaps:/server.example.com" (assuming the name can be resolved by DNS 
without using a host map in LDAP :-), or use a numeric IP address.

This would use TLS for every LDAP lookup, which is overkill.  It wasn't 
immediately obvious how to use one URI (no TLS) for one set of maps and the 
TLS URI for others where it makes a difference.  I'm sure I'll be able to 
figure it out.  In my environment, encryption is not useful for the autofs 
maps.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc@math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)