Hello,
I am in the process of deploying a new LDAP cluster. Y'all were very helpful in getting SSSD configured properly. We were not using SSSD at all before. That really freaks me out, given we have all of our NFS mounts defined in LDAP, so consequently I have added autofs. Our LDAP schema does not conform to any "standard" so I have attached my sanitized sssd.conf and autofs.conf, as well as nsswitch.conf, in case anyone had issues doing autofs and sssd with aliases.
Eg:
# autofs.maps, server, machines, blah.blah.blah.blah
dn: ou=autofs.maps,cn=server,ou=machines,dc=blah,dc=blah,dc=blah,dc=blah
ou: autofs.maps
objectClass: automountMap
objectClass: top

# scratch, autofs.maps, server, machines, blah.blah.blah.blah
dn: cn=scratch,cn=server,ou=machines,dc=blah,dc=blah,dc=blah,dc=blah
ou: autofs.maps
cn: scratch
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: ou=scratch,ou=autofs.maps,dc=blah,dc=blah,dc=blah,dc=bla
 h

# scratch, autofs.maps, davinci.med.cornell.edu
dn: ou=scratch,ou=autofs.maps,dc=dc=blah,dc=blah,dc=blah,dc=bla
 h
objectClass: top
objectClass: organizationalUnit
ou: scratch

# 31337lab_scratch, scratch, autofs.maps, blah.blah.blah.blah
dn: cn=fclab_scratch,ou=scratch,ou=autofs.maps,dc=blah,dc=blah,dc=blah,dc=bla
 h
cn: 31337lab_scratch
objectClass: automount
automountInformation: exporting.nfs.server:/important/stuff/located/here
"ldap_deref = always" made this work. Anyway, hope someone finds that useful.
So caching. Would such a long LDAP caching policy, shown in my sssd.conf, have any downsides? I thought the longer the better, though what if users change their password? Does sssd poll the LDAP server for changes in order to make sure the cache doesn't fall behind the state present in LDAP?
Best,
Doug
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-5454
F: 212-746-8690
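As an added illustration (not part of the original message and not SSSD's own code), here is a small model of how the four LDAP alias-dereferencing modes that ldap_deref accepts change a subtree search over an alias layout like the one above. The example.com directory, the mount source and all function names are constructed for this example.

```python
# Constructed sample directory: a per-machine alias pointing at a shared map.
DIT = {
    "cn=server,ou=machines,dc=example,dc=com": {"objectClass": ["device"]},
    "cn=scratch,cn=server,ou=machines,dc=example,dc=com": {
        "objectClass": ["alias", "extensibleObject"],
        "aliasedObjectName": ["ou=scratch,ou=autofs.maps,dc=example,dc=com"],
    },
    "ou=scratch,ou=autofs.maps,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"],
    },
    "cn=lab_scratch,ou=scratch,ou=autofs.maps,dc=example,dc=com": {
        "objectClass": ["automount"],
        "automountInformation": ["nfs.example.com:/export/scratch"],
    },
}
DEREF_BASE = {"finding", "always"}    # dereference while locating the base
DEREF_SUB = {"searching", "always"}   # dereference aliases below the base

def resolve(dn):
    """Follow aliasedObjectName until a non-alias entry; reject loops."""
    seen = set()
    while "alias" in DIT[dn]["objectClass"]:
        if dn in seen:
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"][0]
    return dn

def subtree_search(base, deref="never"):
    """Return the DNs a subtree search under base yields for a deref mode."""
    if deref in DEREF_BASE:
        base = resolve(base)
    found, visited, todo = set(), set(), [base]
    while todo:
        root = todo.pop()
        if root in visited:
            continue
        visited.add(root)
        for dn, attrs in DIT.items():
            if dn != root and not dn.endswith("," + root):
                continue
            if "alias" in attrs["objectClass"] and dn != base and deref in DEREF_SUB:
                todo.append(resolve(dn))  # search continues in the aliased subtree
            else:
                found.add(dn)             # aliases not followed come back as-is
    return sorted(found)

def mounts(base, deref):
    """automount entries visible under base for a deref mode."""
    return {dn: DIT[dn]["automountInformation"][0]
            for dn in subtree_search(base, deref)
            if "automount" in DIT[dn]["objectClass"]}
```

With "never" the client only ever sees the alias object itself, so no automount entries are visible under the machine's subtree; DN normalization and search filters are left out of this model.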
On Fri, Oct 21, 2016 at 02:28:34PM -0400, Douglas Duckworth wrote:
> So caching. Would such a long LDAP caching policy, shown in my sssd.conf, have any downsides? I thought the longer the better, though what if users change their password? Does sssd poll the LDAP server for changes in order to make sure the cache doesn't fall behind the state present in LDAP?
The caching mechanism is documented here: https://fedorahosted.org/sssd/wiki/InternalsDocs#a3.2.2.DataFlow
sssd-users@lists.fedorahosted.org