Sunday, February 22, 2009

How to configure autofs maps in LDAP using different schemas?

This post explains how to configure autofs maps in LDAP using the different schemas supported by autofs in Red Hat Enterprise Linux 5. It does not cover how to set up the LDAP server itself. It assumes that you already have a working LDAP server, that anonymous read access is allowed for the autofs maps, and that the autofs clients can reach port 389 of the LDAP server. Keep in mind what those two assumptions mean: a map entry is effectively a mount instruction (server, export and options such as rw or nosuid), so anyone who can write to the map subtree, or who can tamper with an unauthenticated LDAP session on the wire, decides what your clients mount. Restrict write access to the map subtree and, where possible, have the client talk to the server over TLS (on RHEL 5 the client-side LDAP connection settings for autofs live in /etc/autofs_ldap_auth.conf). Different LDAP servers provide different interfaces for managing their databases, so loading the data and managing it afterwards is outside the scope of this document.

It is also assumed that every client in the network is already configured, via authconfig-tui, to take user information from the LDAP server. If not, configure each client as follows.

Run "authconfig-tui". In the "User Information" section, select "Use LDAP" and then "Next". Enter the server as ldap://ip-of-ldap-server and "dc=example,dc=com" as the "Base DN", then select "OK".

autofs currently supports three different schemas. The scenario below is used as the example for all three; it includes both direct and indirect mounts. If you do not know the difference between direct and indirect mounts, read up on it before continuing (in short: a direct map lists absolute paths such as /direct-mnt, each of which is mounted in place; an indirect map is attached to a parent directory such as /home, and its keys are the names of subdirectories under it).

  1. /direct (an NFS share) from a remote server needs to be auto-mounted on /direct-mnt on the client whenever a user tries to access /direct-mnt.
  2. /iso/debian-40r7-i386-netinst.iso (kept locally on every client) should be auto-mounted on /debian whenever a user tries to access /debian.
  3. /homedirs/$username from a remote server needs to be auto-mounted on /home/$username whenever a user logs in to the client.
  4. If user x tries to access /projects/x, /projects/x from the remote server should be auto-mounted.

We will configure #1 and #2 with a direct map and #3 and #4 with indirect maps. Without LDAP, the equivalent local configuration (/etc/auto.master and the map files it references) looks like this.

/etc/auto.master

+auto.master
/- /etc/auto.direct
/home /etc/auto.home
/projects /etc/auto.project

/etc/auto.direct

/direct-mnt -fstype=nfs,rw ip-of-nfs-server:/direct
/debian -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso

/etc/auto.home

* -fstype=nfs,rw ip-of-nfs-server:/homedirs/&

/etc/auto.project

x -fstype=nfs,rw ip-of-nfs-server:/projects/x

Now we will define all these maps in the LDAP server and configure autofs on the client to read them from LDAP instead of from local files. The only thing needed locally is the entry below in /etc/auto.master, which is present on all RHEL 5 systems by default. Also check that the automount line in /etc/nsswitch.conf includes ldap, because that is how the +auto.master include locates the master map.

+auto.master

Schema I

The LDAP suffix used in all examples is dc=example,dc=com, which is assumed to exist on the server already.

Schema I is the nisMap/nisObject schema from RFC 2307, which stores an automounter map as a generic NIS map. Below is its definition for LDAPv3 servers.

attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
SUP name )

attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap'
DESC 'A generic abstraction of a NIS map'
SUP top STRUCTURAL
MUST nisMapName
MAY description )

objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject'
DESC 'An entry in a NIS map'
SUP top STRUCTURAL
MUST ( cn $ nisMapEntry $ nisMapName )
MAY description )


Below is the LDIF that defines the autofs maps for the example scenario in this schema.

#defining auto.master

dn: nisMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.master

#Defining all those required for auto.direct (1 & 2)

dn: cn=/-,nisMapName=auto.master,dc=example,dc=com
objectClass: nisObject
cn: /-
nisMapName: auto.master
nisMapEntry: auto.direct

dn: nisMapName=auto.direct,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.direct

dn: cn=/direct-mnt,nisMapName=auto.direct,dc=example,dc=com
objectClass: nisObject
cn: /direct-mnt
nisMapName: auto.direct
nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/direct

dn: cn=/debian,nisMapName=auto.direct,dc=example,dc=com
objectClass: nisObject
cn: /debian
nisMapName: auto.direct
nisMapEntry: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso

#Defining all those required for auto.home (3)

dn: cn=/home,nisMapName=auto.master,dc=example,dc=com
objectClass: nisObject
cn: /home
nisMapName: auto.master
nisMapEntry: auto.home

dn: nisMapName=auto.home,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,dc=example,dc=com
objectClass: nisObject
cn: /
nisMapName: auto.home
nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&

#Defining all those required for auto.project (4)

dn: cn=/projects,nisMapName=auto.master,dc=example,dc=com
objectClass: nisObject
cn: /projects
nisMapName: auto.master
nisMapEntry: auto.project

dn: nisMapName=auto.project,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.project

dn: cn=x,nisMapName=auto.project,dc=example,dc=com
objectClass: nisObject
cn: x
nisMapName: auto.project
nisMapEntry: -fstype=nfs,rw ip-of-nfs-server:/projects/x


- Load the LDIF above into the LDAP database. Refer to your LDAP server's documentation for how to do that.

- On the client, edit /etc/sysconfig/autofs, uncomment the lines below and make sure they carry these values.

MAP_OBJECT_CLASS="nisMap"
ENTRY_OBJECT_CLASS="nisObject"
MAP_ATTRIBUTE="nisMapName"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"

- Restart autofs (service autofs restart) and verify by accessing each mount point, for example ls /direct-mnt, ls /debian and ls /home/<username>. If a mount does not happen, set LOGGING="debug" in /etc/sysconfig/autofs, restart autofs again and read the lookup messages in /var/log/messages.

Schema II

Schema II is the older schema from the autofs.schema file shipped with autofs itself; maps are keyed by ou and entries by cn. Below is its definition for LDAPv3 servers.

attributetype ( 1.3.6.1.1.1.1.25 NAME 'automountInformation'
DESC 'Information used by the autofs automounter'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.1.13 NAME 'automount' SUP top STRUCTURAL
DESC 'An entry in an automounter map'
MUST ( cn $ automountInformation )
MAY ( description ) )

objectclass ( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' SUP top STRUCTURAL
DESC 'An group of related automount objects'
MUST ( ou ) )


Below is the LDIF that defines the autofs maps for the example scenario in this schema.

#Defines auto.master

dn: ou=auto.master,dc=example,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

#Defining all those required for auto.direct (1 & 2)

dn: cn=/-,ou=auto.master,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /-
automountInformation: auto.direct

dn: ou=auto.direct,dc=example,dc=com
objectClass: top
objectClass: automountMap
ou: auto.direct

dn: cn=/direct-mnt,ou=auto.direct,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /direct-mnt
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/direct

dn: cn=/debian,ou=auto.direct,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /debian
automountInformation: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso

#Defining all those required for auto.home (3)

dn: cn=/home,ou=auto.master,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /home
automountInformation: auto.home

dn: ou=auto.home,dc=example,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=/,ou=auto.home,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&

#Defining all those required for auto.project (4)

dn: cn=/projects,ou=auto.master,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /projects
automountInformation: auto.project

dn: ou=auto.project,dc=example,dc=com
objectClass: top
objectClass: automountMap
ou: auto.project

dn: cn=x,ou=auto.project,dc=example,dc=com
objectClass: top
objectClass: automount
cn: x
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/projects/x

- Load the LDIF above into the LDAP database. Refer to your LDAP server's documentation for how to do that.

- On the client, edit /etc/sysconfig/autofs, uncomment the lines below and set them to these values.

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

- Restart autofs and verify everything is working as expected.

Schema III

Schema III is the automount schema from the rfc2307bis draft; maps are keyed by automountMapName and entries by automountKey. Below is its definition for LDAPv3 servers.

attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
DESC 'Automount information'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
MUST ( automountMapName )
MAY description )

objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
DESC 'Automount information'
MUST ( automountKey $ automountInformation )
MAY description )

Below is the LDIF that defines the autofs maps for the example scenario in this schema.

#Defines auto.master

dn: automountMapName=auto.master,dc=example,dc=com
automountMapName: auto.master
objectClass: top
objectClass: automountMap

#Defining all those required for auto.direct (1 & 2)

dn: automountKey=/-,automountMapName=auto.master,dc=example,dc=com
objectClass: automount
automountKey: /-
automountInformation: auto.direct

dn: automountMapName=auto.direct,dc=example,dc=com
automountMapName: auto.direct
objectClass: top
objectClass: automountMap

dn: automountKey=/direct-mnt,automountMapName=auto.direct,dc=example,dc=com
automountKey: /direct-mnt
objectClass: automount
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/direct

dn: automountKey=/debian,automountMapName=auto.direct,dc=example,dc=com
automountKey: /debian
objectClass: automount
automountInformation: -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso

#Defining all those required for auto.home (3)

dn: automountKey=/home,automountMapName=auto.master,dc=example,dc=com
objectClass: automount
automountKey: /home
automountInformation: auto.home

dn: automountMapName=auto.home,dc=example,dc=com
automountMapName: auto.home
objectClass: top
objectClass: automountMap

dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com
automountKey: /
objectClass: automount
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/homedirs/&

#Defining all those required for auto.project (4)

dn: automountKey=/projects,automountMapName=auto.master,dc=example,dc=com
objectClass: automount
automountKey: /projects
automountInformation: auto.project

dn: automountMapName=auto.project,dc=example,dc=com
automountMapName: auto.project
objectClass: top
objectClass: automountMap

dn: automountKey=x,automountMapName=auto.project,dc=example,dc=com
automountKey: x
objectClass: automount
automountInformation: -fstype=nfs,rw ip-of-nfs-server:/projects/x


- Load the LDIF above into the LDAP database. Refer to your LDAP server's documentation for how to do that.

- On the client, edit /etc/sysconfig/autofs, uncomment the lines below and set them to these values.

MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"

- Restart autofs and verify everything is working as expected.

Note: in all maps, replace ip-of-nfs-server with the actual IP address or hostname of the NFS server.
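The three LDIF files above differ only in objectClass and attribute names, so it is easy to generate them rather than type them. The following Python script is an added example, not code from the original post: it turns plain-text map files like the ones shown earlier into LDIF for any of the three schemas, and it cross-checks auto.master against the maps it references, which catches the two classic mistakes (a referenced map that was never created, or a map such as auto.direct that exists but has no /- entry pointing at it). The sample maps are constructed inline from this post; the base DN dc=example,dc=com, the stripping of the /etc/ prefix from master-map values and the storage of the wildcard key * as / follow the post's own LDIF. The RDN and LDIF escaping is a general precaution the post does not discuss.

```python
"""Added example (not from the original post): render plain-text autofs
maps as LDIF for schema I, II or III, and sanity-check the master map."""
import base64

# Constructed sample input: the local map files from the post.  The
# placeholder ip-of-nfs-server is passed through unchanged.
LOCAL_MAPS = {
    "auto.master": "+auto.master\n/- /etc/auto.direct\n/home /etc/auto.home\n/projects /etc/auto.project\n",
    "auto.direct": "/direct-mnt -fstype=nfs,rw ip-of-nfs-server:/direct\n"
                   "/debian -fstype=iso9660,ro,loop :/iso/debian-40r7-i386-netinst.iso\n",
    "auto.home": "* -fstype=nfs,rw ip-of-nfs-server:/homedirs/&\n",
    "auto.project": "x -fstype=nfs,rw ip-of-nfs-server:/projects/x\n",
}

# objectClass/attribute names per schema, matching the three
# /etc/sysconfig/autofs fragments in the post.  Schema I entries repeat
# the map name because nisMapName is a MUST attribute of nisObject.
SCHEMAS = {
    "I":   dict(map_oc=("top", "nisMap"), entry_oc=("nisObject",),
                map_attr="nisMapName", key_attr="cn",
                value_attr="nisMapEntry", entry_repeats_map=True),
    "II":  dict(map_oc=("top", "automountMap"), entry_oc=("top", "automount"),
                map_attr="ou", key_attr="cn",
                value_attr="automountInformation", entry_repeats_map=False),
    "III": dict(map_oc=("top", "automountMap"), entry_oc=("automount",),
                map_attr="automountMapName", key_attr="automountKey",
                value_attr="automountInformation", entry_repeats_map=False),
}
_RDN_SPECIAL = ',+"\\<>;'

def rdn_escape(value):
    """RFC 4514 escaping, so a key such as 'a,b' cannot become a second RDN."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in _RDN_SPECIAL or edge else ch)
    return "".join(out)

def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode what LDIF cannot carry literally
    (leading space/colon/'<', trailing space, non-ASCII)."""
    if value[:1] in (" ", ":", "<") or value.endswith(" ") or not value.isascii():
        return "%s:: %s" % (name, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (name, value)

def parse_map(text):
    """(key, value) pairs of a plain-text map.  '+' includes, comments and
    blank lines are skipped; the wildcard '*' is stored as '/' in LDAP."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+":
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("map line without a value: %r" % line)
        key, value = parts
        entries.append(("/" if key == "*" else key, value.strip()))
    return entries

def _map_name(value):
    # Master-map values name a file (/etc/auto.home); the LDAP map is
    # simply called auto.home, so drop the /etc/ prefix.
    return value[len("/etc/"):] if value.startswith("/etc/") else value

def to_ldif(local_maps, schema, base_dn="dc=example,dc=com"):
    """Render every map in local_maps as LDIF for the given schema."""
    s = SCHEMAS[schema]
    blocks = []
    for map_name, text in local_maps.items():
        map_dn = "%s=%s,%s" % (s["map_attr"], rdn_escape(map_name), base_dn)
        lines = ["dn: " + map_dn]
        lines += ["objectClass: " + oc for oc in s["map_oc"]]
        lines.append(ldif_attr(s["map_attr"], map_name))
        blocks.append("\n".join(lines))
        for key, value in parse_map(text):
            if map_name == "auto.master":
                value = _map_name(value)
            lines = ["dn: %s=%s,%s" % (s["key_attr"], rdn_escape(key), map_dn)]
            lines += ["objectClass: " + oc for oc in s["entry_oc"]]
            lines.append(ldif_attr(s["key_attr"], key))
            if s["entry_repeats_map"]:
                lines.append(ldif_attr(s["map_attr"], map_name))
            lines.append(ldif_attr(s["value_attr"], value))
            blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

def check_maps(local_maps):
    """(missing, unreferenced): maps auto.master points at that are not
    defined, and defined maps auto.master never points at.  Either one is a
    mount point that silently never mounts."""
    defined = set(local_maps) - {"auto.master"}
    referenced = set()
    for _key, value in parse_map(local_maps.get("auto.master", "")):
        name = _map_name(value.split()[0])
        if ":" not in name:  # skip explicit sources such as ldap:... or file:...
            referenced.add(name)
    return sorted(referenced - defined), sorted(defined - referenced)
```

Run check_maps() on the maps before loading anything, then feed the output of to_ldif() for the schema you chose to ldapadd. Since ldapadd is the tool that interprets the DNs, the escaping in rdn_escape() and ldif_attr() is what keeps an unusual key (a comma, a leading space) from landing in the directory as something other than what you intended.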

13 comments:

alicause said...

Thanks much for your post. However, I am confused as to when to use schema 3 and why.

If I use your schema 3 file, it fails to start on my openldap server running on RHES V5.3 as follows:

Checking configuration files for slapd: /etc/openldap/schema/autofs3.schema: line 21: Inconsistent duplicate attributeType: "automountInformation"
slaptest: bad configuration file!

I have been working with schema 2 but have yet to get autofs v4 to accept the home maps despite the fact that I see them downloading from the ldap server.

Can you suggest a further debugging method?

Thanks,
Al

Sadique Puthen said...

autofs2.schema and autofs3.schema may not coexist. Please remove the first one!

Kandy71 said...

Hi
I am able to get the home directory working but not the auto.direct:

dn: ou=auto.direct,dc=dms,dc=local,dc=cc
objectClass: top
objectClass: automountMap
ou: auto.direct

dn: cn=/direct-mnt,ou=auto.direct,dc=dms,dc=local,dc=cc
objectClass: top
objectClass: automount
cn: /direct-mnt
automountInformation: -fstype=nfs,rw 10.10.53.101:/usr/local/F8

What I am doing wrong?

Sadique Puthen said...

What is the version of autofs? What error message is getting while you turn on debugging?

Note that you have to have the equivalent of the below ldap entry first in auto.master map.

dn: cn=/-,ou=auto.master,dc=example,dc=com
objectClass: top
objectClass: automount
cn: /-
automountInformation: auto.direct

Kandy71 said...

I had two mistakes: the line

/- ldap:10.10.53.248:ou=auto.master,dc=dms,dc=local,dc=cc

in auto.master, and checking with df.

thank you

James said...

Very nice info Sadique.
Will the version 3 schema allow for SUN Sol10 clients to use these maps?

Thanks
Jimmy

Sadique Puthen said...

James,

Yes.

upen said...

Excellent information Sadique. Must thank you! as it is very useful.
Good job, God bless.

zensuite said...

Great post!
I wonder how I could override autofs to coexist with local homes that are on the same /home/ path. I need local and LDAP users to be able to have /home/userid as the path for their homes.

Sadique Puthen said...

Not trivial. You would have to use a direct mount via autofs to /home/userid instead of an indirect mount. AFAIK, it's not possible to override via an indirect mount, since adding /home as an indirect mount will hide the underlying local filesystem.

Warron French said...

Hello, do you have anything that works with CentOS-6.5? I assume that 389-ds might be a slight difference, but it appears that implementing autofs configurations through LDAP on CentOS-6.5 is updated in syntax.

I can't find the updated syntax yet.

With CentOS-6.5 and attempting the steps in these instructions, the ldapadd complains about missing attribute "ou" required by object class "automountMap".

I don't know if that is a CentOS-6 or a 389-ds difference from your RHES-5.3 and OpenLDAP setup.

Jeff said...

This may be the solution I was looking for to convert my rfc2307 schema to rfc2307bis to make it "smell" more like AD to vendor products that think AD IS LDAP.