From Fedora Project Wiki

Revision as of 16:11, 1 May 2012 by Jhrozek (talk | contribs)


Feature Name

SSSD AutoFS Integration

Summary

Integrate SSSD and autofs for looking up automounter data stored in centralized remote directories such as LDAP.

Owner

Current status

  • Targeted release: Fedora 17
  • Last updated: 2012-02-09
  • Percentage of completion: 100%
    • sssd-1.8.0-1.fc17.beta1
    • autofs-5.0.6-11.fc17


Detailed Description

Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retrieving users and groups, and by extension no nscd caching.

The goal of this feature is to integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).


Benefit to Fedora

The benefits of the integration are:

  • unified configuration of LDAP parameters such as the servers used, timeout options and security properties in one place (sssd.conf)
  • autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
  • only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
  • caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
  • offline access - even though, if the client cannot connect to the LDAP server, chances are that the NFS server is unreachable as well
  • back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently


Scope

This feature needs work on both the SSSD side and the autofs side. A very detailed design document is available on the SSSD wiki.

  1. The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per information source and provides access to that information source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
  2. SSSD developers need to provide the API in the libnss_sss library and the corresponding code for actually downloading the data from remote directories and storing the data into the SSSD cache on the back end side of SSSD.


How To Test

  1. configure an autofs map stored in LDAP. This would do the trick on an IPA server:
    1. ipa automountlocation-add Brno
    2. ipa automountmap-add Brno auto.share
    3. ipa automountkey-add Brno auto.master --key=/share --info=auto.share
    4. ipa automountkey-add Brno auto.share --key=mirror --info="my.nfs.server:/export/"
  2. configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
    1. append autofs to the "services" line in the sssd section
    2. create an [autofs] section
    3. specify the correct search base with the ldap_autofs_search_base option
    4. restart the SSSD
  3. configure autofs to perform lookups via SSSD
    1. put "sss" at the automount line in nsswitch.conf
    2. restart the automount service
  4. test that mounting shares still works as expected
    1. cd /share/mirror should work with the above configuration
    2. perform the first mount while the LDAP server is running in order to cache the data on the client side
    3. stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work
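Before running the offline test in step 4, it helps to confirm that the configuration from steps 2 and 3 actually says what you think it says. The following checker is an added example written for this page, not code from the feature or from SSSD; it assumes ldap_autofs_search_base lives in the [domain/...] section (where sssd-ldap(5) documents it) and uses constructed sample files rather than your real /etc/sssd/sssd.conf and /etc/nsswitch.conf.

```python
import configparser

# Constructed sssd.conf fragment mirroring the How To Test steps above:
# autofs in the services list, an [autofs] section, and the search base
# in the LDAP domain. Hostnames and DNs are made up for the example.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, autofs
domains = example.test

[autofs]

[domain/example.test]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_search_base = dc=example,dc=test
ldap_autofs_search_base = cn=default,cn=automount,dc=example,dc=test
"""

# Constructed nsswitch.conf fragment with "sss" on the automount line.
SAMPLE_NSSWITCH = """
passwd:     files sss
group:      files sss
automount:  files sss   # maps come from SSSD, then its cache when offline
"""


def check_sssd_conf(text):
    """Return a list of problems with the autofs-related settings (empty means OK)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "autofs" not in services:
        problems.append("[sssd] services line does not list autofs")
    if not cp.has_section("autofs"):
        problems.append("missing [autofs] section")
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        problems.append("no [domain/...] section configured")
    for dom in domains:
        if not cp.get(dom, "ldap_autofs_search_base", fallback=""):
            problems.append("[%s] has no ldap_autofs_search_base" % dom)
    return problems


def automount_uses_sss(text):
    """True if the automount database in nsswitch.conf includes the sss source."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == "automount":
            return "sss" in sources.split()
    return False  # no automount line at all: autofs will not ask SSSD
```

If either check fails, fix the file and restart sssd or autofs before expecting cached maps to survive stopping the LDAP server.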

User Experience

The user would benefit from centralizing the LDAP configuration in one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and lower load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.

Dependencies

As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.

Contingency Plan

None required, Fedora would keep using the LDAP lookup module in autofs.

Documentation

A design document is available at the SSSD wiki. An in-depth discussion also happened in the Red Hat Bugzilla.

The options are documented in the sssd-ldap manual page. User-facing documentation, along with instructions on migrating the setup from the plain LDAP lookup module to the sss lookup module, is available in a blog post.

Release Notes

Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By performing the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.

Comments and Discussion