Latest revision as of 16:11, 1 May 2012

Feature Name

SSSD AutoFS Integration

Summary

Integrate SSSD and autofs for looking up automounter data stored in centralized remote directories such as LDAP.

Owner

Name: Jakub Hrozek
Email: <jhrozek@redhat.com>
Name: Ian Kent
Email: <ikent@redhat.com>

Current status

Targeted release: Fedora 17
Last updated: 2012-02-09
Percentage of completion: 100%
- sssd-1.8.0-1.fc17.beta1
- autofs-5.0.6-11.fc17

Detailed Description

Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.

The goal of this feature is integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).

Benefit to Fedora

The benefits of the integration are:

unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently

Scope

This feature needs work on both the SSSD side and autofs side. A very detailed design document is available on the SSSD wiki

The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading the data from remote directories and and storing the data into SSSD cache on the back end side of SSSD.

How To Test

configure an autofs map stored in LDAP. This would do the trick on an IPA server:
1. ipa automountlocation-add Brno
2. ipa automountmap-add Brno auto.share
3. ipa automountkey-add Brno auto.master --key=/share --info=auto.share
4. ipa automountkey-add Brno auto.share --key=mirror --info="my.nfs.server:/export/"
configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
1. append autofs to the "services" line in the sssd section
2. create am [autofs] section
3. specify the correct search base with the ldap_autofs_search_base option
4. restart the SSSD
configure autofs to perform lookups via SSSD
1. put "sss" at the automount line in nsswitch.conf
2. restart the automount service
test that mounting shares still works as expected
1. cd /share/mirror should work with the above configuration
2. perform the first mount while the LDAP server is running in order to cache the data on the client side
3. stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work

User Experience

The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.

Dependencies

As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.

Contingency Plan

None required, Fedora would keep using the LDAP lookup module in autofs.

Documentation

A design document is available at the SSSD wiki. An in-depth discussion also happened in the Red Hat Bugzilla.

The options are documented in the sssd-ldap manual page. User-facing documentation along with instruction on migrating the setup from plain LDAP lookup module to the sss lookup module is available in a blog post

Release Notes

Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By perfoming the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.

Comments and Discussion

See Talk:Features/YourFeatureName

@@ Line 9: / Line 9: @@
 == Summary ==
+Integrate SSSD and autofs for looking up automounter data stored in centralized remote directories such as LDAP.
 <!-- A sentence or two summarizing what this feature is and what it will do.  This information is used for the overall feature summary page for each release. -->
 == Owner ==
 <!--This should link to your home wiki page so we know who you are-->
-* Name: [[User:FASAcountName| Your Name]]
+* Name: [[User:jhrozek| Jakub Hrozek]]
+* Email: <jhrozek@redhat.com>
+* Name: [[User:iankent| Ian Kent]]
+* Email: <ikent@redhat.com>
 <!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or  technical issues need to be resolved-->
-* Email: <your email address so we can contact you, invite you to meetings, etc.>
 == Current status ==
-* Targeted release: [[Releases/<number> | Fedora <number> ]]
+* Targeted release: [[Releases/17 | Fedora 17 ]]
-* Last updated: (DATE)
+* Last updated: 2012-02-09
-* Percentage of completion: XX%
+* Percentage of completion: 100%
+** sssd-1.8.0-1.fc17.beta1
+** autofs-5.0.6-11.fc17
 <!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
 == Detailed Description ==
+Autofs is able to look up maps stored in LDAP. However, autofs currently performs all the lookups on its own. Even though autofs uses the nsswitch.conf configuration file, there is no glibc interface such as those for retreiving users and groups and by extension no nscd caching.
+The goal of this feature is integrate autofs and SSSD in a more centralized manner in order to perform the lookups through SSSD. SSSD would provide access to the remote directory, while autofs would leverage all the benefits SSSD brings over performing the lookups in autofs directly (see below for more details).
 <!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
 == Benefit to Fedora ==
+The benefits of the integration are:
+* unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
+* autofs would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
+* only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
+* caching of the data - again, less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
+* offline access - even though if the client cannot connect to the LDAP server chances are that the NFS server is unreachable as well
+* back end abstraction - data may be stored in NIS or other databases and accessed by the automounter transparently
 <!-- What is the benefit to the platform?  If this is a major capability update, what has changed?  If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?-->
 == Scope ==
+This feature needs work on both the SSSD side and autofs side. A very detailed design document is available on the [https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration SSSD wiki]
+# The autofs developers need to create a new autofs lookup module that would be specific to SSSD. Autofs implements one lookup module per each information source and provides access to the infromation source - there is a module for plain files, a module for LDAP etc. The lookup module would load the libnss_sss library and use the API provided there to fetch data from SSSD transparently.
+# SSSD developers need to provide the API in the libnss_sss library and corresponding code for actually downloading the data from remote directories and and storing the data into SSSD cache on the back end side of SSSD.
 <!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 == How To Test ==
+# configure an autofs map stored in LDAP. This would do the trick on an IPA server:
+## <code>ipa automountlocation-add Brno</code>
+## <code>ipa automountmap-add Brno auto.share</code>
+## <code>ipa automountkey-add Brno auto.master --key=/share --info=auto.share</code>
+## <code>ipa automountkey-add Brno auto.share --key=mirror --info="my.nfs.server:/export/"</code>
+# configure SSSD with an LDAP back end as described in the SSSD documentation (sssd.conf)
+## append <code>autofs</code> to the "services" line in the <code>sssd</code> section
+## create am <code>[autofs]</code> section
+## specify the correct search base with the <code>ldap_autofs_search_base</code> option
+## restart the SSSD
+# configure autofs to perform lookups via SSSD
+## put "sss" at the <code>automount</code> line in <code>nsswitch.conf</code>
+## restart the automount service
+# test that mounting shares still works as expected
+## cd /share/mirror should work with the above configuration
+## perform the first mount while the LDAP server is running in order to cache the data on the client side
+## stop the LDAP service that contains the maps. SSSD would serve the maps from cache and mounting shares should still work
 <!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
@@ Line 50: / Line 89: @@
 == User Experience ==
+The user would benefit from centralizing the LDAP configuration at one place, including advanced features that were not available before such as server fail over or DNS SRV lookups. The user would also likely notice better performance due to caching support and better load on the LDAP server because SSSD only opens a single connection at a time. In case the LDAP server is not reachable, the user would leverage the offline support SSSD provides.
 <!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
 == Dependencies ==
+As stated above, this feature depends on changes in both autofs and SSSD. There are no other external dependencies.
 <!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
 == Contingency Plan ==
+None required, Fedora would keep using the LDAP lookup module in autofs.
 <!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
 == Documentation ==
+A design document is available at the [https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration SSSD wiki]. An in-depth discussion also happened in the [https://bugzilla.redhat.com/show_bug.cgi?id=683523 Red Hat Bugzilla].
+The options are documented in the <code>sssd-ldap</code> manual page. User-facing documentation along with instruction on migrating the setup from
+plain LDAP lookup module to the <code>sss</code> lookup module is available in [http://jhrozek.livejournal.com/2500.html a blog post]
 <!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
-*
 == Release Notes ==
+Fedora 17 integrates autofs with SSSD, bringing caching support, offline access to the automounter maps and centralized configuration of autofs LDAP lookups in sssd.conf. By perfoming the automounter lookups via SSSD, the system also opens only one connection to the LDAP server and answers some requests from cache, which results in better performance.
 <!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 <!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
-*
 == Comments and Discussion ==
@@ Line 71: / Line 116: @@
-[[Category:FeaturePageIncomplete]]
+[[Category:FeatureAcceptedF17]]
 <!-- When your feature page is completed and ready for review -->
 <!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
 <!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
 <!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Search

Features/SSSDAutoFSSupport: Difference between revisions