From: Ondrej Valousek <webserv@s3group.cz>
Cc: autofs@linux.kernel.org
Subject: Re: autofs & system libnss* libraries
Date: Wed, 24 Sep 2008 16:00:53 +0200
Message-ID: <48DA4815.2020806@s3group.cz>
In-Reply-To: <x493ajp7jrz.fsf@segfault.boston.devel.redhat.com>


> You have to understand that nss doesn't actually support the interfaces
> autofs needs.  We would have to extend the API and get that approved by
> the libc folks (which they have actually agreed to do, should we choose
> that route).
>   
Yes, I have heard the libc API needs some extension....
> Now, the reason autofs doesn't use the SASL and TLS configuration
> options from the ldap.conf file is simply that autofs has no business
> parsing that file.  Autofs *does* use the ldap library, so whatever
> you've configured in /etc/openldap/ldap.conf should work for autofs.
>
>   
Ok, let me explain in detail what I was after, actually:

In my company, we use Centrify (www.centrify.com) DirectControl to
integrate Linux RHEL boxes into Win 2003 Active Directory.
Now, in Centrify they did quite an amount of work to make everything
work nicely:
1) they provide the system with their own set of libnss_centrifydc
libraries so you can use them in nsswitch.conf like this:

passwd:  centrifydc files
group:   centrifydc files

2) The libnss_centrifydc library does all the heck with communicating
with AD. AD is nothing strange, having it extended with RFC 2307
attributes, it behaves like a normal LDAP server. What the
libnss_centrifydc does for you is SASL encrypted channel with the
Windows domain controller - something PAINFUL (if possible) to do with a
plain libnss_ldap.
3) The libnss_centrifydc will also provide you with a Kerberos principal
so that SASL is possible for other apps
...
4) That means that I can gather all necessary info securely from AD. But
the automounter. How perfect would it be if I could just add:

automount:    centrifydc files

in my nsswitch.conf to add support for automounter, too! I know, both
libc and centrify folks would have to be informed and API changed to
support autofs in general, but the benefit would be massive for me - I
could solely rely on centrifydc_nss and encrypted SASL channel for
everything.

Now, I have to feed automounter via NIS which is something I would like
to get rid of, if possible.

I understand I do not care as much about Centrify, but hopefully it will
give you some explanation why I (and other system integrators too) would
welcome the libc & autofs merge.

Ondrej


> I hope this helps.
>
> Cheers,
>
> Jeff
>   
