In my test case I use:

    autofs_provider = ldap
    ldap_schema = rfc2307
But from the logs I see that SSSD is expecting automounter maps in RFC2307bis format instead: ...
    (Tue Nov 3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
    (Tue Nov 3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value ou
    (Tue Nov 3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
    (Tue Nov 3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value cn
    (Tue Nov 3 14:22:28 2015) [sssd[be[default]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation
According to RFC2307, automounter maps are stored as general NIS maps, i.e.:
    ldap_autofs_entry_key = cn
    ldap_autofs_entry_object_class = nisObject
    ldap_autofs_entry_value = nisMapEntry
    ldap_autofs_map_name = nisMapName
    ldap_autofs_map_object_class = nisMap
The current attribute maps were IIRC modeled after talking to the autofs maintainer, so I'm surprised they would be wrong.
I see nisMapEntry mentioned in rfc2307, but it doesn't seem it's in the context of automounter maps..
In fact, automounter (i.e. its ldap plugin) supports both schemas - rfc2307 and rfc2307bis. So Ian Kent was right that SSSD should expect rfc2307bis schema as it is newer than its predecessor.
What I am saying is that if we explicitly instruct SSSD to use the older rfc2307 schema, it should do it properly - rfc2307 lacks the automount* attributes so we need to use general nis map attributes for this - much like automounter itself would do if we configured it directly to bypass sssd.
The beauty of using the older schema (rfc2307) to store automount information is that we do not need to extend the AD schema - which is in many cases quite a troublesome action.
Replying to [comment:4 ondrejv2]:
> The beauty of using the older schema (rfc2307) to store automount information is that we do not need to extend the AD schema - which is in many cases quite a troublesome action.
It seems like an opportunity to explore the beauty of FreeIPA. ;-)
Not really - if I also needed to integrate sudo rules or HBAC - maybe. For just an automounter it is not worth deploying yet another directory service (not saying that IPA is a bad product :-)
And why wouldn't you take advantage of those wonderful features too?
Out of scope for this case :). This case is to inform SSSD developers that behavior of the daemon violates RFC recommendations.
Well, I'm pretty sure we can't change the defaults, that might break existing setups. I will ask Ian if he also thinks the current defaults are wrong.
FWIW, the current defaults are at: https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration#TheLDAPschemausedbyautofs
Yes, there was a misunderstanding between Jakub and myself, probably my poor communication and not Jakub, sorry about that.
I'm not sure what the identifiers are in the sssd config but if I assume the columns in the table above should be the values (but are lower case) then, nis should be rfc2307, but rfc2307 should be literally what it is in the table, rfc2307bis.
So that is going to be quite a big problem due to existing configurations, double oops!
Once again, sorry, but this was probably my fault from the beginning.
Code-wise, this is easy to fix, but we need to figure out a way to change the defaults without breaking everyone else's
I think the best would be to file a downstream bug report and change the defaults when releasing a version with other major changes.
AFAIK - SSSD defaults to rfc2307bis so I do not think many people should be affected by this change. But I agree that it needs to be taken into consideration. Downstream bug report #1278691 opened
I wonder if we could get away with changing the defaults in the next major release (1.14) provided we print some warning to the syslog.
According to my analysis of quite a few real-world config files, very few people use the affected configuration without explicit attribute mappings.
1.14 + some syslog warning sounds reasonable to me.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1278691 (Red Hat Enterprise Linux 6)
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
owner: somebody => jhrozek
status: new => assigned
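As an added example (not part of the ticket and not SSSD's own code): a small Python check that lists the domains in an sssd.conf which explicitly set `autofs_provider = ldap` and `ldap_schema = rfc2307` but leave some `ldap_autofs_*` mappings unset, i.e. the configurations whose behaviour depends on the defaults discussed in this ticket. The function name and the sample configuration are constructed for illustration, and only explicitly set options are examined.

```python
import configparser

# Attribute-mapping options named in this ticket.
AUTOFS_MAP_OPTIONS = (
    "ldap_autofs_map_object_class",
    "ldap_autofs_map_name",
    "ldap_autofs_entry_object_class",
    "ldap_autofs_entry_key",
    "ldap_autofs_entry_value",
)

def domains_relying_on_defaults(conf_text):
    """Return {domain: [mapping options left unset]} for domains that set
    autofs_provider = ldap and ldap_schema = rfc2307 explicitly.
    Assumption: options left at SSSD's own defaults are not inferred."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    affected = {}
    for section in parser.sections():
        opts = parser[section]
        if (not section.startswith("domain/")
                or opts.get("autofs_provider", "").strip().lower() != "ldap"
                or opts.get("ldap_schema", "").strip().lower() != "rfc2307"):
            continue
        unset = [o for o in AUTOFS_MAP_OPTIONS if o not in opts]
        if unset:
            affected[section[len("domain/"):]] = unset
    return affected

# Constructed sample configuration (not taken from the ticket).
SAMPLE_CONF = """
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307

[domain/pinned]
autofs_provider = ldap
ldap_schema = rfc2307
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
"""

if __name__ == "__main__":
    for name, unset in domains_relying_on_defaults(SAMPLE_CONF).items():
        print(f"domain {name}: default autofs mapping in use for {unset}")
```

A domain that pins all five mappings, like `pinned` above, keeps the same lookups regardless of which defaults a release ships.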
Replying to [comment:10 iankent]:
> Yes, there was a misunderstanding between Jakub and myself, probably my poor communication and not Jakub, sorry about that.
>
> I'm not sure what the identifiers are in the sssd config but if I assume the columns in the table above should be the values (but are lower case) then, nis should be rfc2307, but rfc2307 should be literally what it is in the table, rfc2307bis.
>
> So that is going to be quite a big problem due to existing configurations, double oops!
I have a patch here that changes the rfc2307 schema to the nis mappings and warns users who might have used the old defaults: https://github.com/jhrozek/sssd/commit/79d0bc5e517678a8122b65069cd39f752dc6af51
It's not upstream yet, but I wanted to double check with you the new defaults are OK.
Were the rfc2307bis defaults also wrong? I'm pretty sure they are correct when IPA is the server and IPA uses a variant of rfc2307bis. FWIW the defaults for rfc2307bis currently are:
    ldap_autofs_map_object_class = automountMap
    ldap_autofs_map_name = automountMapName
    ldap_autofs_entry_object_class = automount
    ldap_autofs_entry_key = automountKey
    ldap_autofs_entry_value = automountInformation
The patch has been available for some time, but it shouldn't block the Beta release.
milestone: SSSD 1.14 alpha => SSSD 1.14.0
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @ondrejv2: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.14.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3899
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.