From Fedora Project Wiki
No edit summary
No edit summary
Line 22: Line 22:
* Targeted release: [[Releases/17 | Fedora 17 ]]  
* Targeted release: [[Releases/17 | Fedora 17 ]]  
* Last updated: 2011-12-13
* Last updated: 2011-12-13
* Percentage of completion: 10% (Design done and signed-off by both parties. Needs implementation, review and testing)
* Percentage of completion: 10%
** Design done and agreed on by both parties. Needs implementation, review and testing


<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->


== Detailed Description ==
== Detailed Description ==
Autofs is able to look up maps stored in LDAP. However, autofs does all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.
Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.


The goal of this feature is to integrate autofs and SSSD in a more centralized manner to be able to leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).
The goal of this feature is integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).


<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
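Review bot: In the rewritten goal paragraph, "The goal of this feature is integrate autofs and SSSD" is missing "to" before "integrate". The description paragraph also keeps "retreiving" in both revisions, which should be "retrieving". Since this edit already touches both paragraphs, fix both here.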
Line 36: Line 37:
The benefits of the integration are:
The benefits of the integration are:


* unified configuration of LDAP servers, timeout parameters, DNS SRV lookups in one place (sssd.conf)
* unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
* only one connection to the LDAP server open resulting in less load on the LDAP server
* autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
* caching of the data - again, less load on the LDAP server
* only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
* caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
* offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
* offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
* back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently
* back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently
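Review bot: The reworded first bullet now lists "security properties" among the settings centralized in sssd.conf but does not say which properties are meant. Name them or link to the design document, so that administrators moving from the autofs LDAP module know which settings to re-check. In the same bullet "at one places" should read "in one place", and the offline-access bullet still opens with "even though if".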
Line 45: Line 47:


== Scope ==
== Scope ==
This feature needs work on both the SSSD side and autofs side. A very detailed design documents is available on the [[https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration SSSD wiki]]
This feature needs work on both the SSSD side and autofs side. A very detailed design document is available on the [https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration SSSD wiki]


The autofs developers need to create a new autofs lookup module that would be specific to SSSD. A lookup module is implemented for each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module that would load the libnss_sss library and use the provided API to fetch data from SSSD transparently.
# The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
 
# SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading the data from remote directories and and storing the data into SSSD cache on the back end side of SSSD.
SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading and storing the data on the back end side of SSSD.


<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


== How To Test ==
== How To Test ==
# configure the setup (details TBD as we work out the config options)
## configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
## configure autofs to perform lookups via SSSD (nsswitch.conf)
# test that mounting shares still works as expected
## perform the first mount while the LDAP server is running in order to cache the data on the client side
## stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
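Review bot: In the new How To Test list, step 2.2 ("stop the LDAP service that contains the maps") does not say whether the share from step 2.1 is unmounted before the retry. A share that is still mounted would pass without the SSSD cache ever being consulted. Suggest stating that the second mount must be a fresh lookup, and adding a check after the nsswitch.conf step that the lookup really goes through SSSD rather than the existing autofs LDAP module. The Scope items also carry "infromation" and "and and".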


Line 69: Line 76:


== User Experience ==
== User Experience ==
The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->


== Dependencies ==
== Dependencies ==
As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->


== Contingency Plan ==
== Contingency Plan ==
None required, Fedora would keep using the LDAP lookup module in autofs.
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->


== Documentation ==
== Documentation ==
A design document is available at the [https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration SSSD wiki]. An in-depth discussion also happened in the [https://bugzilla.redhat.com/show_bug.cgi?id=683523 Red Hat Bugzilla].
There is no user-visible documentation as of now, but the feature will be documented in the SSSD (and possibly autofs) manual pages. The SSSD team is also going to provide a migration guide which will help users transition from the old plain LDAP setup to the SSSD setup. No automatic migration would be performed, though.
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
*


== Release Notes ==
== Release Notes ==
Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By perfoming the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*


== Comments and Discussion ==
== Comments and Discussion ==
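Review bot: The Documentation text added here states "No automatic migration would be performed", but the new Release Notes paragraph does not mention it. Suggest adding a sentence to the release notes pointing at the planned migration guide, since that paragraph is what end users will read. The release notes text also has "perfoming" for "performing".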

Revision as of 12:11, 14 December 2011


Feature Name

SSSD AutoFS Integration

Summary

Integrate SSSD and autofs for looking up automounter data stored in centralized remote directories such as LDAP.

Owner

  • Email: <jhrozek@redhat.com>

Current status

  • Targeted release: Fedora 17
  • Last updated: 2011-12-13
  • Percentage of completion: 10%
    • Design done and agreed on by both parties. Needs implementation, review and testing


Detailed Description

Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retrieving users and groups and, by extension, no nscd caching.

The goal of this feature is to integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).


Benefit to Fedora

The benefits of the integration are:

  • unified configuration of LDAP parameters such as the servers used, timeout options and security properties in one place (sssd.conf)
  • autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
  • only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
  • caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
  • offline access - although if the client cannot connect to the LDAP server, chances are that the NFS server is unreachable as well
  • back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently


Scope

This feature needs work on both the SSSD side and the autofs side. A very detailed design document is available on the SSSD wiki.

  1. The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per information source, and each module provides access to its information source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
  2. SSSD developers need to provide the API in the libnss_sss library and the corresponding code for actually downloading the data from remote directories and storing the data into the SSSD cache on the back end side of SSSD.


How To Test

  1. configure the setup (details TBD as we work out the config options)
    1. configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
    2. configure autofs to perform lookups via SSSD (nsswitch.conf)
  2. test that mounting shares still works as expected
    1. perform the first mount while the LDAP server is running in order to cache the data on the client side
    2. stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work

User Experience

The user would benefit from centralizing the LDAP configuration in one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and lower load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.

Dependencies

As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.

Contingency Plan

None required, Fedora would keep using the LDAP lookup module in autofs.

Documentation

A design document is available at the SSSD wiki. An in-depth discussion also happened in the Red Hat Bugzilla.

There is no user-visible documentation as of now, but the feature will be documented in the SSSD (and possibly autofs) manual pages. The SSSD team is also going to provide a migration guide which will help users transition from the old plain LDAP setup to the SSSD setup. No automatic migration would be performed, though.

Release Notes

Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By performing the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.

Comments and Discussion