[Network Administration]: Automounter over LDAP

This is basically an update to the autofs and automounter page that was published earlier to reflect some changes to how things are set up now. I still have my automount maps in the LDAP directory, but the DN for the maps is updated to the currently provided autofs schema that comes with the Ubuntu package instead of the rfc2307bis schema which seems to have languished in draft form. I’ve also unified some of the files across both Linux machines and OS X.
Automount Maps in the LDAP directory
I’ve just gone back to using the rfc2307 schema instead of the rfc2307bis schema that I had used earlier. The schema is already loaded into my LDAP database from when I set up the slapd backend for OpenLDAP. Using that schema, we add the automount maps to the directory. I’ve put them under the branch ou=daemon,dc=example,dc=com that I created. The entries look like:

## This is the branch for automounter
dn: ou=autofs,ou=daemon,dc=example,dc=com
ou: autofs
objectClass: organizationalUnit
description: Container for autofs daemon mapping information

## This defines the autofs master table
dn: ou=auto_master,ou=autofs,ou=daemon,dc=example,dc=com
ou: auto_master
objectClass: automountMap

## Entry for /home indirect table in master table
dn: cn=/home,ou=auto_master,ou=autofs,ou=daemon,dc=example,dc=com
cn: /home
objectClass: automount
automountInformation: auto_home

## This defines auto_home indirect table
dn: ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
ou: auto_home
objectClass: automountMap

dn: cn=*,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
cn: *
objectClass: automount
automountInformation: -fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume1/accounts/&

dn: cn=projects,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
cn: projects
objectClass: automount
automountInformation: -fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume2/common/projects

This creates a new container under the daemon container for the autofs maps. The first entry is the master map container, auto_master, of class automountMap. The master map has just one entry, an indirect map at /home. The entry specifies that the indirect map is called auto_home. The entries have an objectClass of automount and follow the format set forth in the auto.master man page. Following the master map is the auto_home indirect map. Its first entry mounts the NFS home directories from the filer, and the second mounts a shared NFS export that is common to all machines. The first entry uses a wildcard to mount directories of the form /home/<username> from the filer. The wildcard is “*” and eliminates the need to add every user to the map. The ampersand (“&”) in the location is replaced by the key being looked up, so a lookup of /home/alice becomes filer-01:/volume1/accounts/alice. I’ve added a number of NFS options to the entries. They are detailed in the nfs man page (the fstab options for NFS) and the mount man page, and basically follow what one would have in the /etc/fstab file.

Linux Autofs Configuration
Before anything else, I need to clear out my /home directory so that I can use it as a mount point for the automounter. I’ve remounted the entire /home partition, which holds my home directories, at /vol/home.

sudo mkdir -p /vol/home
sudo chown -R root:root /vol
sudo chmod -R 755 /vol

And updated the /etc/fstab file to mount them to the new location that I just created.

# 20140204 - root - Modified from "/dev/mapper/hopper--vg-home /home     ext4 defaults,usrquota         0       2"
/dev/mapper/hopper--vg-home /vol/home      ext4 defaults,usrquota      0       2

What’s described below basically follows the Ubuntu AutofsLDAP community page.
The package to install autofs with LDAP support under Ubuntu is autofs-ldap.

sudo apt-get install autofs-ldap

To look in the LDAP directory for automount maps, the Name Service Switch config file, /etc/nsswitch.conf, needs to specify ldap in the search path:

automount:      files ldap

The automounter reads its configuration from the file /etc/default/autofs. I’ve updated the master map name to match the expected master map file name in OS X, since that name is not configurable there, and I would like to unify both into a single file. Also, the LDAP host and search base are specified, as well as the schema attributes that we are using for our maps. The changes are:

# MASTER_MAP_NAME - default map name for the master map.
#MASTER_MAP_NAME="/etc/auto.master"
MASTER_MAP_NAME="/etc/auto_master"
# Change logging to verbose
#LOGGING="none"
LOGGING="verbose"
# point at ldap server
#LDAP_URI=""
LDAP_URI="ldap://ldap.internal.foodclaw.net"
# autofs is under deamon in root base
#SEARCH_BASE=""
SEARCH_BASE="ou=autofs,ou=daemon,dc=foodclaw,dc=net"
# This is the mapping that we're using  (uncomment below)
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
USE_MISC_DEVICE="yes"

Also, since our LDAP server requires TLS for connections, the ldap auth file /etc/autofs_ldap_auth.conf is updated:

<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->

<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="yes"
        authrequired="no"
/>

Our LDAP server requires TLS, and the client also requires a TLS connection. To verify the certificate that the server presents, the CA that issued it needs to be specified. This is done in the LDAP client library configuration file, /etc/ldap/ldap.conf (the TLS_CACERT setting). Why this is in a different file is beyond me, but that’s where it’s done. Anyway, make sure that the proper CA file is specified there. You can test it by using ldapsearch to read out of the LDAP directory over TLS; if the CA is wrong, the search will fail with a certificate verification error rather than returning entries.
At this point, the automounter should be able to query the LDAP directory for maps.

OS X Autofs Configuration
OS X has built-in support for autofs, and can support automount map lookups from LDAP directories with proper setup through Directory Utility, as described in Apple’s Autofs White Paper. The mapping for looking up the proper records in the LDAP directory is set up through Directory Utility as before, but additional record types are added for the automount records.
Automount:

  • Map to “all” items in list: “automount”
  • Search Base is all subtrees of “ou=autofs,ou=daemon,ou=groups,dc=example,dc=com” — the OU that the entries we added sit under.
  • Mapping:
    • AutomountInformation -> automountInformation
    • Comment -> description
    • CreationTimestamp -> createTimestamp
    • ModificationTimestamp -> modifyTimestamp
    • RecordName -> cn

AutomountMap:

  • Map to “all” items in list: “automountMap”
  • Search Base is first level only of “ou=autofs,ou=daemon,ou=groups,dc=example,dc=com” — the OU that the entries we added sit under.
  • Mapping:
    • Comment -> description
    • CreationTimestamp -> createTimestamp
    • ModificationTimestamp -> modifyTimestamp
    • RecordName -> ou

Automount Map files
The automounter reads the master map file first. I’ve changed the master map filename on Linux to match the filename in OS X so that I can unify the two into a single file. The master map located in /etc/auto_master will perform any local mounts that need to be done, and then query the LDAP directory for the master map.

# Load any misc locations that we need to mount before
# reading out of the LDAP directory
# autofs will honor first found
+/etc/auto_local

# Load the master map from LDAP service
+auto_master

The master map will first read the file /etc/auto_local, if it exists, for any initial maps before it queries the directory. The local maps come first because the automounter will use the first matching entry that it finds. This allows the local file to override anything that is in the LDAP directory. For OS X, I’ve added the /etc/auto_local file to perform all of the actions that the default /etc/auto_master file performs.

#
# Automounter local map
#
/net			-hosts		nosuid
/Network/Servers	-fstab
/-			-static

Next, the auto_master map is read from the directory when the second line of the /etc/auto_master file is processed. When the directory is read, the automounter will read the maps listed in the master map, which in our case is the auto_home indirect map. I added this also as the file /etc/auto_home. I’ve added this as a local file because the local home directories on the machine need to be added to the /home map, and these are specific to the machine. The file /etc/auto_home on Linux machines looks like:

# Adding entries to remount local home directories back to /home
admin		:/vol/home/&

and on OS X machines looks like:

#
# Automounter map for /home
#

# Any local home directories here

+auto_home	# Use directory service
#
# Get /home records synthesized from user records
#
+/usr/libexec/od_user_homes

The /etc/auto_home file on a Linux machine first has an entry for the local accounts so that their home directories are mounted in the proper location, and then the directory is queried for any additional /home directories to be mounted. The /etc/auto_home file on an OS X machine doesn’t mount any home directories for local accounts, because OS X uses the /Users directory for local account home directories. It does, however, explicitly call out to query the directory for any additional automount map entries.
NOTE: If encryption is enabled on local home directories, the encrypted volume needs to be mounted as well. This requires the following entry before the line that reads the auto_home map from the directory:

# Adding the encrypted volumes to the automounter to make them available
.ecryptfs                 :/vol/home/&
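As an added example (not code from the original post), the lookup behaviour described in the map section and in the /etc/auto_home discussion above, modelled in Python: the LDAP auto_home entries from the post and the local /etc/auto_home file are constructed inline, lookups walk the sources in the order the master map lists them and stop at the first match, and within one map an exact key beats the “*” wildcard, with “&” replaced by the looked-up key. The parsers are simplified for this purpose and are not autofs’s own lookup modules.

```python
import re

# Constructed sample of the LDAP auto_home map, taken from the post's LDIF entries.
LDIF = """\
dn: cn=*,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
cn: *
objectClass: automount
automountInformation: -fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume1/accounts/&

dn: cn=projects,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
cn: projects
objectClass: automount
automountInformation: -fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume2/common/projects
"""
# Constructed sample of the local /etc/auto_home file from the post.
LOCAL_AUTO_HOME = "# remount local home directories back to /home\nadmin\t\t:/vol/home/&\n"

def parse_ldif_map(text, map_name):
    """Return (key, location) pairs of automount entries under ou=<map_name>."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # partition on the first ':' only, so 'filer-01:/volume1' in a value survives
        attrs = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines())}
        if attrs.get("objectClass") == "automount" and f"ou={map_name}," in attrs.get("dn", ""):
            entries.append((attrs["cn"], attrs["automountInformation"]))
    return entries

def parse_file_map(text):
    """Return (key, location) pairs from a sun-format map file, skipping comments."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [tuple(l.split(None, 1)) for l in lines if l]

def resolve(key, sources):
    """First-found lookup across map sources, in the order the master map lists them.

    Within one map an exact key beats the '*' wildcard; '&' in a location is
    replaced by the key, which is how /home/<user> is derived from one entry.
    """
    for entries in sources:
        table = dict(entries)
        for k in (key, "*"):
            if k in table:
                return table[k].replace("&", key)
    return None

# /etc/auto_home on Linux: the local file's entries come first, then LDAP.
AUTO_HOME_SOURCES = [parse_file_map(LOCAL_AUTO_HOME), parse_ldif_map(LDIF, "auto_home")]
```

A lookup of admin resolves to the local :/vol/home/admin even though the LDAP wildcard would also match it, which is the override the post relies on.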