SSSD AutoFS Integration
Integrate SSSD and autofs for looking up automounter data stored in centralized remote directories such as LDAP.
- Name: Jakub Hrozek
- Email: <email@example.com>
- Name: Ian Kent
- Email: <firstname.lastname@example.org>
- Targeted release: Fedora 17
- Last updated: 2012-02-09
- Percentage of completion: 100%
Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.
The goal of this feature is integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).
Benefit to Fedora
The benefits of the integration are:
- unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
- autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
- only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
- caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
- offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
- back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently
This feature needs work on both the SSSD side and autofs side. A very detailed design document is available on the SSSD wiki
- The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
- SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading the data from remote directories and and storing the data into SSSD cache on the back end side of SSSD.
How To Test
- configure an autofs map stored in LDAP. This would do the trick on an IPA server:
ipa automountlocation-add Brno
ipa automountmap-add Brno auto.share
ipa automountkey-add Brno auto.master --key=/share --info=auto.share
ipa automountkey-add Brno auto.share --key=mirror --info="my.nfs.server:/export/"
- configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
autofsto the "services" line in the
- create am
- specify the correct search base with the
- restart the SSSD
- configure autofs to perform lookups via SSSD
- put "sss" at the
- restart the automount service
- put "sss" at the
- test that mounting shares still works as expected
- cd /share/mirror should work with the above configuration
- perform the first mount while the LDAP server is running in order to cache the data on the client side
- stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work
The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.
As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.
None required, Fedora would keep using the LDAP lookup module in autofs.
A design document is available at the SSSD wiki. An in-depth discussion also happened in the Red Hat Bugzilla.
The options are documented in the
sssd-ldap manual page. User-facing documentation along with instruction on migrating the setup from
plain LDAP lookup module to the
sss lookup module is available in a blog post
Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By perfoming the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.