On 06/30/2011 12:04 PM, Ondrej Valousek wrote:
> Hmm,
> To me, these instructions are very vague - for example it completely
> omits LDAP security configuration for the automounter (stored in
> /etc/autofs_ldap_auth.conf). How does the automounter bind to the LDAP
> server? Anonymously?
> I would not recommend it.
>
> I would recommend configuring the automounter to use the host/ principal
> in the local Kerberos system database and bind using SASL/GSSAPI
> instead. It is a more secure and elegant solution.
>


Sure, but the point is to give you an example of how to do it with IPA,
i.e. to demonstrate the IPA-specific context, which is the "location".
We do not control autofs on the client side, so its configuration
is out of scope for the IPA documentation.

A good description of how to set up autofs with GSSAPI or other
security mechanisms is always welcome, but it has no specifics to IPA
(unless I am missing something). It is no different from any other
Kerberos-enabled LDAP server, so any generic guidelines documented in
autofs (I assume they exist) should apply.

Thanks
Dmitri

> Ondrej
>
>
> On 30.06.2011 17:26, Adam Young wrote:
>> Good point.
>>
>>  Take a look at the test day instructions, I found them very useful
>> for setting up both SUDO and automount.
>>
>> https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount
>>
>>
>> On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
>>>
>>>
>>> On 30.06.2011 16:55, Rob Crittenden wrote:
>>>> Look at the output of this for details: ipa help automount
>>>
>>> I see, thanks!
>>> It would be nice to update man pages like:
>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
>>> to say something like:
>>> LDAP_URI="ldap:///dc=example,dc=com";
>>> SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
>>> So people know more about the automounter's ability to locate the LDAP
>>> server via DNS SRV....
>>>
>>> Thanks!
>>> Ondrej
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
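
The binding question raised in the quoted message, expressed as a check. This is an added example, not part of the original thread and not FreeIPA or autofs code: it parses an `/etc/autofs_ldap_auth.conf` document and flags settings that do not enforce a SASL/GSSAPI bind with a host/ principal. The sample configs, hostname, realm and the function name `audit_autofs_ldap_auth` are assumptions; the attribute names are those of the autofs `autofs_ldap_auth.conf` format.

```python
import xml.etree.ElementTree as ET

# Constructed samples; the hostname and realm are placeholders.
ANONYMOUS_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="no" />"""

GSSAPI_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/client.example.com@EXAMPLE.COM" />"""


def audit_autofs_ldap_auth(xml_text):
    """Return findings for one autofs_ldap_auth.conf document (empty list = OK)."""
    root = ET.fromstring(xml_text)
    if root.tag != "autofs_ldap_sasl_conf":
        return ["unexpected root element <%s>" % root.tag]
    attrs = {k: v.strip() for k, v in root.attrib.items()}
    findings = []

    # Anything other than "yes" leaves room for an unauthenticated or simple bind.
    authrequired = attrs.get("authrequired", "(unset)").lower()
    if authrequired != "yes":
        findings.append("authrequired=%s: SASL bind is not enforced" % authrequired)

    # The thread's recommendation is SASL/GSSAPI, so other mechanisms are flagged.
    authtype = attrs.get("authtype", "(unset)").upper()
    if authtype != "GSSAPI":
        findings.append("authtype=%s: not GSSAPI" % authtype)
    else:
        # Policy choice of this example: require the host/ principal from the thread.
        princ = attrs.get("clientprinc", "")
        if not princ.startswith("host/"):
            findings.append("clientprinc=%r: not a host/ principal" % princ)
    # Password-based mechanisms keep a secret in the file; GSSAPI needs none.
    if "secret" in attrs:
        findings.append("secret attribute present: stored bind password")
    return findings


if __name__ == "__main__":
    for name, conf in (("anonymous", ANONYMOUS_CONF), ("gssapi", GSSAPI_CONF)):
        print(name, audit_autofs_ldap_auth(conf) or "OK")
```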

