Activity log for bug #1635885

Date Who What changed Old value New value Message
2016-10-22 21:08:44 Fati Iseni bug added bug
2016-10-23 07:08:46 Fati Iseni description

Old value:

Hi,

The search base parameter for autofs was intended to be set for each domain separately, but it fails to do so. The value of the first occurrence of the parameter somehow is set for all domain sections.

I'm posting example configuration below. There are 2 domains, and in this case the ldap_autofs_search_base parameter of the "skp.fids" domain overrides the rest of the occurrences. If you just switch the precedence in the domain definitions "fids, skp.fids", then the opposite is valid. I have used a subdomain in the example and it might be confusing, but nevertheless, I did a bunch of tests including completely different domains with the same results.

On the contrary, the sudo_search_base is working just fine. I tried including scope as well, but it didn't help.

I was tracking the ldap request on the ldap server side when the autofs service is restarted. It always searches for one record, there is no additional request for the other domain (I'm posting the logs too).

CONFIGURATION

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo, autofs
domains = skp.fids, fids

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]

[domain/skp.fids]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = ldap
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=skp,dc=fids
ldap_sudo_search_base = ou=sudoers,dc=skp,dc=fids
ldap_autofs_search_base = ou=automount,ou=admin,dc=skp,dc=fids
ldap_tls_reqcert = never
krb5_kdcip = kerberos.skp.fids
krb5_realm = SKP.FIDS
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_renewable_lifetime = 5d

[domain/fids]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = ldap
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=fids
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=fids
ldap_sudo_search_base = ou=sudoers,dc=fids
ldap_autofs_search_base = ou=automount,ou=admin,dc=fids
ldap_tls_reqcert = never
krb5_kdcip = kerberos.skp.fids
krb5_realm = FIDS
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_renewable_lifetime = 5d

LOGS (this is the only request in the logs)

...
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SRCH base="ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(ou=auto.master)(objectClass=automountMap))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SRCH attr=objectClass ou
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 fd=25 ACCEPT from IP=192.168.91.101:36298 (IP=0.0.0.0:389)
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SRCH base="ou=auto.master,ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(cn=*)(objectClass=automount))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SRCH attr=objectClass cn automountInformation
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SRCH base="ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(ou=auto.home)(objectClass=automountMap))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SRCH attr=objectClass ou
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SRCH base="ou=auto.home,ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(cn=*)(objectClass=automount))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SRCH attr=objectClass cn automountInformation
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:49 vav slapd[1294]: conn=1077 op=5 SRCH base="ou=sudoers,dc=fids" scope=2 deref=0
...

New value:

Hi,

The search base parameter for autofs was intended to be set for each domain separately, but it fails to do so. The value of the first occurrence of the parameter somehow is set for all domain sections.

I'm posting example configuration below. There are 2 domains, and in this case the ldap_autofs_search_base parameter of the "skp.fids" domain overrides the rest of the occurrences. If you just switch the precedence in the domain definitions "fids, skp.fids", then the opposite is valid. I have used a subdomain in the example and it might be confusing, but nevertheless, I did a bunch of tests including completely different domains with the same results.

On the contrary, the sudo_search_base is working just fine. I tried including scope as well, but it didn't help.

I was tracking the ldap request on the ldap server side when the autofs service is restarted. It always searches for one record, there is no additional request for the other domain (I'm posting the logs too).

Environment:
Ubuntu Server 14.04.5 LTS x86_64
SSSD 1.11.8-0ubuntu0.2

CONFIGURATION

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo, autofs
domains = skp.fids, fids

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]

[domain/skp.fids]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = ldap
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=skp,dc=fids
ldap_sudo_search_base = ou=sudoers,dc=skp,dc=fids
ldap_autofs_search_base = ou=automount,ou=admin,dc=skp,dc=fids
ldap_tls_reqcert = never
krb5_kdcip = kerberos.skp.fids
krb5_realm = SKP.FIDS
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_renewable_lifetime = 5d

[domain/fids]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
autofs_provider = ldap
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=fids
ldap_uri = ldap://ldap.skp.fids
ldap_search_base = dc=fids
ldap_sudo_search_base = ou=sudoers,dc=fids
ldap_autofs_search_base = ou=automount,ou=admin,dc=fids
ldap_tls_reqcert = never
krb5_kdcip = kerberos.skp.fids
krb5_realm = FIDS
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15
krb5_renewable_lifetime = 5d

LOGS (this is the only request in the logs)

...
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SRCH base="ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(ou=auto.master)(objectClass=automountMap))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SRCH attr=objectClass ou
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 fd=25 ACCEPT from IP=192.168.91.101:36298 (IP=0.0.0.0:389)
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SRCH base="ou=auto.master,ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(cn=*)(objectClass=automount))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SRCH attr=objectClass cn automountInformation
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SRCH base="ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(ou=auto.home)(objectClass=automountMap))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SRCH attr=objectClass ou
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SRCH base="ou=auto.home,ou=automount,ou=admin,dc=fids" scope=2 deref=0 filter="(&(cn=*)(objectClass=automount))"
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SRCH attr=objectClass cn automountInformation
Oct 22 12:15:41 vav slapd[1294]: conn=1077 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 22 12:15:49 vav slapd[1294]: conn=1077 op=5 SRCH base="ou=sudoers,dc=fids" scope=2 deref=0
...
2016-10-24 05:53:37 Fati Iseni attachment added logs.rar https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1635885/+attachment/4766204/+files/logs.rar
2016-10-24 06:58:35 Fati Iseni attachment added logs.zip https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1635885/+attachment/4766244/+files/logs.zip
2016-11-02 12:55:06 Robie Basak sssd (Ubuntu): importance Undecided Medium
2016-11-02 12:55:11 Robie Basak bug added subscriber Ubuntu Server Team
2017-06-07 21:19:06 Christian Ehrhardt  removed subscriber Ubuntu Server Team