Re: [Freeipa-users] Automount cross-location support
On Sun, May 26, 2013 at 09:40:03PM +0200, Sigbjorn Lie wrote:
> I did some testing on this. I added an entry to "cn=Schema
> Compatibility, cn=plugins, cn=config", and defined the various
> settings for the compat plugin. It worked as a charm, the requested
> automountmaps were mirrored. However, one glitch when I attempt to
> actually use it. Setting "schema-compat-container-group" to
> cn=default hides all the existing keys in automount location
> default. Setting it to a level below the cn=default, and the
> automounter does not see the entries with the error below. It seems
> like the automounter can only handle a single level of a tree, and
> does not search subtrees.
>
> "get_query_dn: lookup(ldap): failed to find query dn under search base dns"

Were there any messages preceding that one? I'm looking at the sources
and there are a couple of code paths that would get to the point where
that message is logged, and I only ever see the plugin searching using
scope "subtree", so I can't be sure what's causing it to not find the
new entries.

> I don't think the flatten trees does any harm, it's already flat, as
> long as the container-group could be set to cn=default,cn=automount.
> However it would require logic within the IPA framework to follow
> any "automountinformation=-fstype=autofs auto_anothermapname" and
> also create setup for the additional "auto_anothermapname" in the
> compat plugin. And again the idea seems flawed when the additional
> maps cannot sit under the same schema-compat-container-group.
>
> Is there any way to have several entries in the schema compatibility
> plugin to share the same level of schema-compat-container-group?

Not without at least some changes to its internals, I'm afraid. It's
basically reusing the same internal representation that's used for NIS
maps and NIS domains, and the one-configuration-entry-per-map
relationship is what triggers the module's housekeeping when a config
entry is added or removed. But I think it could be done.

HTH,

Nalin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Automount cross-location support
> It may be that the basedn for autofs is just to find the maps. For keys
> it can use the value directly because they point to real entries.
>
> It's good to know that this works, but we still need some way internally
> to detangle these and present the values in a way that it is easy to
> pick and choose.
>
> I suppose one idea would be to create a new kind of map share, common.
> This would only allow ldap keys which could point to any valid key.
>
> A common map could be added to any location.

I also found (not surprisingly) that a full dn had to be used in the
target map for sublevel maps if the target map I referred to using
"ldap dn-of-other-automount-map" contained additional maps.

A way to make sure this is always the case would be to update the IPA
framework to always set the full dn to the sub map when it's being added
in the first place. I see IPA is already automatically adding the key in
the Parent map when it's specified during creation of a new indirect
automount map.

That being said, referring to a full dn for sublevel maps breaks on
non-Linux, such as the Solaris' automounter.

Regards,
Siggi

Re: [Freeipa-users] Automount cross-location support
On 24/05/13 23:48, Nalin Dahyabhai wrote:
> On Fri, May 24, 2013 at 12:01:04PM +0200, Sigbjorn Lie wrote:
>> The compat module would have to be extended to support displaying
>> selected automount maps from one location in a different location.
>> I do not know the internals of the compat plugin so what I'm asking
>> might be unable/hard to achieve with the compat plugin - I was
>> referring to it because of its ability to mirror one part of the
>> ldap tree to a different part of the ldap tree.
>
> The compat plugin's usually used to make a group of entries appear
> somewhere else, which isn't _quite_ the same thing as making part of the
> tree show up elsewhere, since the tree structure isn't preserved, but if
> you don't mind "flattening" of the results when your source is split up
> in the hierarchy of a subtree, that won't be a problem.
>
> Otherwise, yeah, if that newly-created part of the tree, where the
> plugin's making the fake entries appear, happens to be under a subtree
> which autofs is searching for a given map's contents, then I don't see a
> reason why it shouldn't work. The configuration for the compat plugin
> would probably simply copy specific attributes rather than doing any
> real manipulation of their values, much like we do for user entries
> under cn=users,cn=compat. I guess you could either "tag" entries for
> inclusion in a way that they'd match the filter which the compat
> plugin's configured to use when searching for source entries, or grab
> all of the entries in that given source area.
>
> Whenever you added a new automount location, you'd need to add a new
> mostly-boilerplate configuration entry under "cn=Schema Compatibility,
> cn=plugins, cn=config" to have that same group of entries with the same
> contents show up in the new location's part of the tree, but that would
> be about it.
>
> Also, if you're not rewriting attribute values, you could probably also
> accomplish it with managed entries, since it plays in a similar area. Or
> perhaps it could be done with just referrals, though that depends on the
> client to follow them.

I did some testing on this. I added an entry to "cn=Schema
Compatibility, cn=plugins, cn=config", and defined the various settings
for the compat plugin. It worked as a charm, the requested automountmaps
were mirrored. However, one glitch when I attempt to actually use it.
Setting "schema-compat-container-group" to cn=default hides all the
existing keys in automount location default. Setting it to a level below
the cn=default, and the automounter does not see the entries with the
error below. It seems like the automounter can only handle a single
level of a tree, and does not search subtrees.

"get_query_dn: lookup(ldap): failed to find query dn under search base dns"

I don't think the flatten trees does any harm, it's already flat, as
long as the container-group could be set to cn=default,cn=automount.
However it would require logic within the IPA framework to follow any
"automountinformation=-fstype=autofs auto_anothermapname" and also
create setup for the additional "auto_anothermapname" in the compat
plugin. And again the idea seems flawed when the additional maps cannot
sit under the same schema-compat-container-group.

Is there any way to have several entries in the schema compatibility
plugin to share the same level of schema-compat-container-group?

Regards,
Siggi

Re: [Freeipa-users] Automount cross-location support
On 05/24/2013 05:48 PM, Nalin Dahyabhai wrote:
> On Fri, May 24, 2013 at 12:01:04PM +0200, Sigbjorn Lie wrote:
>> The compat module would have to be extended to support displaying
>> selected automount maps from one location in a different location.
>> I do not know the internals of the compat plugin so what I'm asking
>> might be unable/hard to achieve with the compat plugin - I was
>> referring to it because of its ability to mirror one part of the
>> ldap tree to a different part of the ldap tree.
>
> The compat plugin's usually used to make a group of entries appear
> somewhere else, which isn't _quite_ the same thing as making part of the
> tree show up elsewhere, since the tree structure isn't preserved, but if
> you don't mind "flattening" of the results when your source is split up
> in the hierarchy of a subtree, that won't be a problem.
>
> Otherwise, yeah, if that newly-created part of the tree, where the
> plugin's making the fake entries appear, happens to be under a subtree
> which autofs is searching for a given map's contents, then I don't see a
> reason why it shouldn't work. The configuration for the compat plugin
> would probably simply copy specific attributes rather than doing any
> real manipulation of their values, much like we do for user entries
> under cn=users,cn=compat. I guess you could either "tag" entries for
> inclusion in a way that they'd match the filter which the compat
> plugin's configured to use when searching for source entries, or grab
> all of the entries in that given source area.
>
> Whenever you added a new automount location, you'd need to add a new
> mostly-boilerplate configuration entry under "cn=Schema Compatibility,
> cn=plugins, cn=config" to have that same group of entries with the same
> contents show up in the new location's part of the tree, but that would
> be about it.
>
> Also, if you're not rewriting attribute values, you could probably also
> accomplish it with managed entries, since it plays in a similar area. Or
> perhaps it could be done with just referrals, though that depends on the
> client to follow them.
>
> HTH,
>
> Nalin

Thanks Nalin.
Sounds like another HOW TO is brewing here.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Re: [Freeipa-users] Automount cross-location support
On Fri, May 24, 2013 at 12:01:04PM +0200, Sigbjorn Lie wrote:
> The compat module would have to be extended to support displaying
> selected automount maps from one location in a different location.
> I do not know the internals of the compat plugin so what I'm asking
> might be unable/hard to achieve with the compat plugin - I was
> referring to it because of its ability to mirror one part of the
> ldap tree to a different part of the ldap tree.

The compat plugin's usually used to make a group of entries appear
somewhere else, which isn't _quite_ the same thing as making part of the
tree show up elsewhere, since the tree structure isn't preserved, but if
you don't mind "flattening" of the results when your source is split up
in the hierarchy of a subtree, that won't be a problem.

Otherwise, yeah, if that newly-created part of the tree, where the
plugin's making the fake entries appear, happens to be under a subtree
which autofs is searching for a given map's contents, then I don't see a
reason why it shouldn't work. The configuration for the compat plugin
would probably simply copy specific attributes rather than doing any
real manipulation of their values, much like we do for user entries
under cn=users,cn=compat. I guess you could either "tag" entries for
inclusion in a way that they'd match the filter which the compat
plugin's configured to use when searching for source entries, or grab
all of the entries in that given source area.

Whenever you added a new automount location, you'd need to add a new
mostly-boilerplate configuration entry under "cn=Schema Compatibility,
cn=plugins, cn=config" to have that same group of entries with the same
contents show up in the new location's part of the tree, but that would
be about it.

Also, if you're not rewriting attribute values, you could probably also
accomplish it with managed entries, since it plays in a similar area. Or
perhaps it could be done with just referrals, though that depends on the
client to follow them.

HTH,

Nalin

Re: [Freeipa-users] Automount cross-location support
On Thu, May 23, 2013 17:23, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>> Hi,
>>
>> I opened a RFE request almost 2 years ago for automount cross-location
>> support, and recently I discovered how it can be integrated.
>>
>> https://fedorahosted.org/freeipa/ticket/1699
>>
>> It is possible to reference a LDAP map from outside what is set in the
>> BASE_DN in /etc/sysconfig/autofs.
>>
>> Consider the following. The BASE_DN is set to:
>> cn=default,cn=automount,dc=example,dc=com
>>
>> Add an entry to the auto.master in location "default" like this and
>> restart automount:
>> /test2 ldap automountmapname=auto_test2,cn=secondlocation,cn=automount,dc=example,dc=com
>>
>> I tested this on RHEL 6.4 and it worked just fine. Maps from the
>> default location and the specified "test2" map are read and the
>> entries are mounted successfully.
>>
>> Now I can do this manually, but it would be nice to have this
>> integrated in the IPA framework.
>>
>> The only downside to this implementation is that I am not sure if this
>> will work across platforms. It might be a Linux automount feature
>> only. Using features of 389ds such as the compat module to mirror maps
>> between automount maps would work on any platform.
>
> It may be that the basedn for autofs is just to find the maps. For keys
> it can use the value directly because they point to real entries.
>
> It's good to know that this works, but we still need some way internally
> to detangle these and present the values in a way that it is easy to
> pick and choose.
>
> I suppose one idea would be to create a new kind of map share, common.
> This would only allow ldap keys which could point to any valid key.

Yes, a "common" / "linked" map type sounds like a good way to go.

> A common map could be added to any location.
>
> I'm not sure how we'd represent this using compat though.

The compat module would have to be extended to support displaying
selected automount maps from one location in a different location. I do
not know the internals of the compat plugin so what I'm asking might be
unable/hard to achieve with the compat plugin - I was referring to it
because of its ability to mirror one part of the ldap tree to a
different part of the ldap tree.

Regards,
Siggi

Re: [Freeipa-users] Automount cross-location support
On Thu, May 23, 2013 17:02, Martin Kosek wrote:
> On 05/23/2013 04:56 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> I opened a RFE request almost 2 years ago for automount cross-location
>> support, and recently I discovered how it can be integrated.
>>
>> https://fedorahosted.org/freeipa/ticket/1699
>>
>> It is possible to reference a LDAP map from outside what is set in the
>> BASE_DN in /etc/sysconfig/autofs.
>>
>> Consider the following. The BASE_DN is set to:
>> cn=default,cn=automount,dc=example,dc=com
>>
>> Add an entry to the auto.master in location "default" like this and
>> restart automount:
>> /test2 ldap automountmapname=auto_test2,cn=secondlocation,cn=automount,dc=example,dc=com
>>
>> I tested this on RHEL 6.4 and it worked just fine. Maps from the
>> default location and the specified "test2" map are read and the
>> entries are mounted successfully.
>>
>> Now I can do this manually, but it would be nice to have this
>> integrated in the IPA framework.
>>
>> The only downside to this implementation is that I am not sure if this
>> will work across platforms. It might be a Linux automount feature
>> only. Using features of 389ds such as the compat module to mirror maps
>> between automount maps would work on any platform.
>>
>> Regards,
>> Siggi
>
> Thanks for sharing this information Sigbjorn! Maybe we should add what you
> discovered in the ticket, when other hit too.

I see Dmitry has already updated the ticket. :)

Regards,
Siggi

Re: [Freeipa-users] Automount cross-location support
Sigbjorn Lie wrote:
> Hi,
>
> I opened a RFE request almost 2 years ago for automount cross-location
> support, and recently I discovered how it can be integrated.
>
> https://fedorahosted.org/freeipa/ticket/1699
>
> It is possible to reference a LDAP map from outside what is set in the
> BASE_DN in /etc/sysconfig/autofs.
>
> Consider the following. The BASE_DN is set to:
> cn=default,cn=automount,dc=example,dc=com
>
> Add an entry to the auto.master in location "default" like this and
> restart automount:
> /test2 ldap automountmapname=auto_test2,cn=secondlocation,cn=automount,dc=example,dc=com
>
> I tested this on RHEL 6.4 and it worked just fine. Maps from the
> default location and the specified "test2" map are read and the
> entries are mounted successfully.
>
> Now I can do this manually, but it would be nice to have this
> integrated in the IPA framework.
>
> The only downside to this implementation is that I am not sure if this
> will work across platforms. It might be a Linux automount feature
> only. Using features of 389ds such as the compat module to mirror maps
> between automount maps would work on any platform.

It may be that the basedn for autofs is just to find the maps. For keys
it can use the value directly because they point to real entries.

It's good to know that this works, but we still need some way internally
to detangle these and present the values in a way that it is easy to
pick and choose.

I suppose one idea would be to create a new kind of map share, common.
This would only allow ldap keys which could point to any valid key.

A common map could be added to any location.

I'm not sure how we'd represent this using compat though.

rob

Re: [Freeipa-users] Automount cross-location support
On 05/23/2013 04:56 PM, Sigbjorn Lie wrote:
> Hi,
>
> I opened a RFE request almost 2 years ago for automount cross-location
> support, and recently I discovered how it can be integrated.
>
> https://fedorahosted.org/freeipa/ticket/1699
>
> It is possible to reference a LDAP map from outside what is set in the
> BASE_DN in /etc/sysconfig/autofs.
>
> Consider the following. The BASE_DN is set to:
> cn=default,cn=automount,dc=example,dc=com
>
> Add an entry to the auto.master in location "default" like this and
> restart automount:
> /test2 ldap automountmapname=auto_test2,cn=secondlocation,cn=automount,dc=example,dc=com
>
> I tested this on RHEL 6.4 and it worked just fine. Maps from the
> default location and the specified "test2" map are read and the
> entries are mounted successfully.
>
> Now I can do this manually, but it would be nice to have this
> integrated in the IPA framework.
>
> The only downside to this implementation is that I am not sure if this
> will work across platforms. It might be a Linux automount feature
> only. Using features of 389ds such as the compat module to mirror maps
> between automount maps would work on any platform.
>
> Regards,
> Siggi

Thanks for sharing this information Sigbjorn! Maybe we should add what
you discovered in the ticket, when other hit too.

Martin

[Freeipa-users] Automount cross-location support
Hi,

I opened a RFE request almost 2 years ago for automount cross-location
support, and recently I discovered how it can be integrated.

https://fedorahosted.org/freeipa/ticket/1699

It is possible to reference a LDAP map from outside what is set in the
BASE_DN in /etc/sysconfig/autofs.

Consider the following. The BASE_DN is set to:
cn=default,cn=automount,dc=example,dc=com

Add an entry to the auto.master in location "default" like this and
restart automount:
/test2 ldap automountmapname=auto_test2,cn=secondlocation,cn=automount,dc=example,dc=com

I tested this on RHEL 6.4 and it worked just fine. Maps from the default
location and the specified "test2" map are read and the entries are
mounted successfully.

Now I can do this manually, but it would be nice to have this integrated
in the IPA framework.

The only downside to this implementation is that I am not sure if this
will work across platforms. It might be a Linux automount feature only.
Using features of 389ds such as the compat module to mirror maps between
automount maps would work on any platform.

Regards,
Siggi
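
The cross-location entry in the original post, and the full-DN sub-map references mentioned later in the thread, mean a location can pull maps that are administered outside its own BASE_DN. The following is an added example, not code from the thread or from FreeIPA: it classifies automountInformation values as ordinary mounts, maps referenced by name, or maps referenced by a DN inside or outside BASE_DN, comparing DNs RDN by RDN rather than as strings. The sample entries are constructed, the function names are hypothetical, and accepting the `ldap:` colon form next to the thread's `ldap <dn>` form is an assumption.

```python
import re

BASE_DN = "cn=default,cn=automount,dc=example,dc=com"  # BASE_DN from the thread

# Constructed sample rows: (map holding the key, key, automountInformation)
ENTRIES = [
    ("auto.master", "/home", "auto.home"),
    ("auto.master", "/test2", "ldap automountmapname=auto_test2,"
     "cn=secondlocation,cn=automount,dc=example,dc=com"),
    ("auto.home", "alice", "-rw,soft nfs.example.com:/export/home/alice"),
    ("auto_test2", "sub", "-fstype=autofs auto_anothermapname"),
    ("auto_test2", "sub2", "-fstype=autofs ldap:AutomountMapName=auto_sub2,"
     "CN=Default,cn=automount,dc=example,dc=com"),
]

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs; an escaped '\\,' is kept."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def is_under(dn, base):
    """True if dn equals base or sits below it, compared RDN by RDN."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def classify(map_name, info, base_dn=BASE_DN):
    """Return (kind, target) for one automountInformation value."""
    tokens = info.split()
    opts = [o for t in tokens if t.startswith("-") for o in t[1:].split(",")]
    rest = [t for t in tokens if not t.startswith("-")]
    # Only auto.master keys and -fstype=autofs keys name another map.
    if map_name != "auto.master" and "fstype=autofs" not in opts:
        return ("mount", None)
    if not rest:
        return ("no-map", None)
    if rest[0].lower() == "ldap" and len(rest) > 1:
        target = rest[1]                      # "ldap <dn>", as in the thread
    elif rest[0].lower().startswith("ldap:"):
        target = rest[0][5:]                  # "ldap:<dn>" (assumed accepted)
    else:
        target = rest[0]
    if "=" not in target:
        return ("by-name", target)            # resolved under BASE_DN
    kind = "dn-in-base" if is_under(target, base_dn) else "dn-outside-base"
    return (kind, target)

def cross_location_refs(entries, base_dn=BASE_DN):
    """Keys whose map is pulled from outside the location's base DN."""
    hits = []
    for map_name, key, info in entries:
        kind, target = classify(map_name, info, base_dn)
        if kind == "dn-outside-base":
            hits.append((map_name, key, target))
    return hits
```

Calling `cross_location_refs(ENTRIES)` returns only the `/test2` key from the original post; the `by-name` results are the references that stay portable to automounters that do not accept a full DN.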