Unify Automounter Maps Using LDAP in Raspberry Pi
by mirza irwan osman in Circuits > Raspberry Pi
Introduction
Besides storing passwords and user accounts, LDAP can also store automounter maps. Keeping the maps in one directory makes maintaining them fast and easy: every client reads the same map, so a change is made once on the server instead of on each device.
Scope
This instructable will show how to:
- Install automount-LDAP related files
- Install automount schema in OpenLDAP
- Create automount maps in LDIF format
- Add the automount maps to LDAP database
- Configure autofs and automount to access automount maps
- Test
This instructable will not show how to configure encryption and TLS.
Prerequisite
Complete the "Unify User Passwords and Home Directories Across More Than One Raspberry Pi Devices" instructable before starting on this instructable.
Solution
We need at least two Raspberry Pi devices running Raspbian OS. For simplicity, I will call the two Raspberry Pi devices Rpi1 and Rpi2:
Rpi1 will have:
- LDAP server with user account database and automounter maps
- NFSv4 server sharing home directories
Rpi2 will have:
- Automounter mounting users' home directories from Rpi1's NFSv4 server, but now looking up the autofs maps in Rpi1's LDAP server instead of local files
- LDAP authentication using Rpi1's LDAP server
Environment
The following is the environment data of the two Raspberry Pi devices:
Distributor ID: Debian
Description: Debian GNU/Linux 7.8 (wheezy)
Release: 7.8
Codename: wheezy
Linux rpipro.example.com 3.18.9+ #767 PREEMPT Sat Mar 7 21:41:13 GMT 2015 armv6l GNU/Linux
References
/usr/share/doc/autofs-ldap/examples
Install Automounter Schema
Open terminal emulator in Rpi1
Install autofs LDAP related software and schema:
sudo apt-get update
sudo apt-get install autofs-ldap
Configure OpenLDAP Server to Load the Autofs Schema
Open terminal emulator in Rpi1
Check if LDAP is configured with autofs schema:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn | grep autofs
If output is empty, then LDAP is NOT configured with autofs schema. It is assumed the LDAP server is not configured with autofs schema from here on.
Locate the autofs schema:
ls -l /etc/ldap/schema/autofs.schema
Convert autofs.schema into ldif format:
cd ~
mkdir ldap_wip
cd ~/ldap_wip
Create the conversion configuration file schema_convert.conf containing the following lines:
vi ~/ldap_wip/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/autofs.schema
Create the output directory ldif_output:
mkdir ~/ldap_wip/ldif_output
Determine the index of the schema:
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep autofs,cn=schema
Output:
dn: cn={13}autofs,cn=schema,cn=config
Use slapcat to perform the conversion:
slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={13}autofs,cn=schema,cn=config -l cn=autofs.ldif
The converted schema is now in the cn=autofs.ldif file. The index ({13} here) depends on the order of the include lines in schema_convert.conf; use whatever index the previous command printed.
Edit cn=autofs.ldif
vi ~/ldap_wip/cn\=autofs.ldif
Change:
dn: cn={13}autofs
To:
dn: cn=autofs
Change:
cn: {13}autofs
To:
cn: autofs
Remove the following lines:
structuralObjectClass: olcSchemaConfig
entryUUID: adafd1aa-61b8-1034-8caa-a9ffd93db1c1
creatorsName: cn=config
createTimestamp: 20150318124727Z
entryCSN: 20150318124727.871648Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150318124727Z
Save the file
Use ldapadd to add the new schema to the slapd-config DIT:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ~/ldap_wip/cn\=autofs.ldif
Confirm autofs schema is one of the currently loaded schemas:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
Output:
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}autofs,cn=schema,cn=config
Add Automounter Map to OpenLDAP
Open terminal emulator in Rpi1
Download the ldif file I uploaded into the ~/ldap_wip directory and rename it to automounttree.ldif.
Read the data entries in the ldif and note that it is an automounter map written in ldif format.
Add the entries to LDAP:
sudo ldapadd -D cn=admin,dc=example,dc=com -W -f ~/ldap_wip/automounttree.ldif
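The uploaded ldif file itself is not reproduced on this page. The script below is an added example, not the author's file, that generates an equivalent automounttree.ldif for the DIT layout this instructable uses: the maps live under ou=automount,ou=etc,dc=example,dc=com, each map is an automountMap object keyed by ou, and each key in a map is an automount object keyed by cn with its value in automountInformation (the same attribute names later uncommented in /etc/default/autofs). The indirect mount point /home/ldap and the 60-second timeout come from the syslog output shown in the Initial Test step; the NFSv4 export path /home on Rpi1, the mount options and the function name are my assumptions.

```shell
#!/bin/sh
# Added example (not the instructable's uploaded ldif): generate automounttree.ldif
# for the layout used in this instructable. Assumed: Rpi1 (192.168.0.6) exports /home
# over NFSv4; adjust NFS_EXPORT if the prerequisite instructable exported another path.
BASE_DN="${BASE_DN:-dc=example,dc=com}"
NFS_SERVER="${NFS_SERVER:-192.168.0.6}"   # Rpi1, as in the master map URL
NFS_EXPORT="${NFS_EXPORT:-/home}"         # assumed export path on Rpi1
MOUNT_POINT="/home/ldap"                  # indirect mount point seen in syslog

make_automount_ldif() {   # make_automount_ldif <base dn> <nfs server> <export path> <mount point>
    base="$1"; server="$2"; export_path="$3"; mnt="$4"
    auto_base="ou=automount,ou=etc,$base"
    cat <<EOF
# Containers the automount maps live under
dn: ou=etc,$base
objectClass: organizationalUnit
ou: etc

dn: $auto_base
objectClass: organizationalUnit
ou: automount

# Master map (MAP_OBJECT_CLASS="automountMap", MAP_ATTRIBUTE="ou")
dn: ou=auto.master,$auto_base
objectClass: automountMap
ou: auto.master

# Master map entry: mount point -> map to use (ENTRY_ATTRIBUTE="cn",
# VALUE_ATTRIBUTE="automountInformation"); "ldap:" with no host uses LDAP_URI
dn: cn=$mnt,ou=auto.master,$auto_base
objectClass: automount
cn: $mnt
automountInformation: ldap:ou=auto.home,$auto_base --timeout=60

# Indirect map for the home directories
dn: ou=auto.home,$auto_base
objectClass: automountMap
ou: auto.home

# Wildcard entry: autofs stores the "*" key as "/" in LDAP maps, and "&" in the
# location expands to the looked-up key, so john -> $server:$export_path/john
dn: cn=/,ou=auto.home,$auto_base
objectClass: automount
cn: /
automountInformation: -fstype=nfs4,rw $server:$export_path/&
EOF
}

# Prints the map; redirect it into ~/ldap_wip/automounttree.ldif
make_automount_ldif "$BASE_DN" "$NFS_SERVER" "$NFS_EXPORT" "$MOUNT_POINT"
```

Run it as `sh make_automount_ldif.sh > ~/ldap_wip/automounttree.ldif` and load the result with the ldapadd command above. If ou=etc or ou=automount already exist in your directory, ldapadd stops at the first "Already exists" error; add `-c` to continue past existing entries.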
Configure Automounter to Access OpenLDAP
Open terminal emulator in Rpi2
Make backup:
sudo cp /etc/default/autofs /etc/default/autofs.pristine
Change /etc/default/autofs:
sudo vi /etc/default/autofs
Change:
MASTER_MAP_NAME="/etc/auto.master"
To:
MASTER_MAP_NAME="ldap://192.168.0.6/ou=auto.master,ou=automount,ou=etc,dc=example,dc=com"
Change:
#LOGGING="none"
To:
LOGGING="verbose" #Change it back to "none" when you get successful results
Change:
#LDAP_URI=""
To:
LDAP_URI="ldap://192.168.x.x" # This is the IP address of your LDAP machine/device or Rpi1
Change:
#SEARCH_BASE=""
To:
SEARCH_BASE="ou=automount,ou=etc,dc=example,dc=com"
Uncomment the following lines:
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
Configure Autofs_ldap_auth.conf
This instructable will NOT have the automounter do TLS or authentication: map lookups go to Rpi1 as anonymous, unencrypted searches, so slapd's ACLs must allow anonymous read access to the automount subtree (the Debian default ACLs do).
Open terminal emulator in Rpi2
The file is XML; set the three attributes on its single element:
sudo vi /etc/autofs_ldap_auth.conf
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="no" />
Configure Nsswitch With Automount
Open terminal emulator in Rpi2
Make backup:
sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.pristine
Add automount entry:
sudo vi /etc/nsswitch.conf
Add the following:
automount: files ldap
Save the file.
Configure Ldap.conf
Open terminal emulator in Rpi2
sudo vi /etc/ldap/ldap.conf
BASE dc=example,dc=com
URI ldap://192.168.x.x # LDAP IP address
Initial Test
Open two terminal emulator windows in Rpi2.
In first window, monitor syslog:
tail -f /var/log/syslog
In the second window, disable the file-based auto.master during testing so we can be sure the automounter is reading from the LDAP server:
sudo mv /etc/auto.master /etc/auto.master.disable
In the second window, restart the service:
sudo service autofs stop
sudo service autofs start
The syslog output should not report any failure to look up a map:
Mar 19 09:19:38 raspberrypi automount[4880]: Starting automounter version 5.0.7, master map ldap://192.168.0.6/ou=auto.master,ou=automount,ou=etc,dc=example,dc=com
Mar 19 09:19:38 raspberrypi automount[4880]: using kernel protocol version 5.02
Mar 19 09:19:38 raspberrypi automount[4880]: mounted indirect on /home/ldap with timeout 60, freq 15 seconds
Re-enable the auto.master file (although the automounter is not going to use it):
sudo mv /etc/auto.master.disable /etc/auto.master
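If syslog reports lookup failures instead, the queries the automounter makes can be reproduced by hand to separate a directory-side problem (wrong base, missing entry, ACL denying anonymous read) from an autofs configuration problem. The script below is an added troubleshooting example, not part of the instructable: it builds the search base and filter from the /etc/default/autofs settings set earlier (SEARCH_BASE, ENTRY_OBJECT_CLASS, ENTRY_ATTRIBUTE, VALUE_ATTRIBUTE), runs the same anonymous, non-TLS search the automounter performs, and extracts the automountInformation value from the LDIF that ldapsearch prints, including the base64-encoded form ldapsearch uses for values containing special characters. ldap://192.168.x.x is the instructable's placeholder for Rpi1's address; the function names are mine.

```shell
#!/bin/sh
# Added troubleshooting example (not from the instructable): reproduce the automounter's
# LDAP lookups with the /etc/default/autofs settings. Replace 192.168.x.x with Rpi1's address.
LDAP_URI="${LDAP_URI:-ldap://192.168.x.x}"
SEARCH_BASE="ou=automount,ou=etc,dc=example,dc=com"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"

# DN of a map container, e.g. auto.master -> ou=auto.master,<SEARCH_BASE>
map_dn() {
    printf '%s=%s,%s' "$MAP_ATTRIBUTE" "$1" "$SEARCH_BASE"
}

# Filter autofs uses to find one key inside a map; the wildcard "*" is stored as "/"
entry_filter() {
    key="$1"
    [ "$key" = "*" ] && key="/"
    printf '(&(objectClass=%s)(%s=%s))' "$ENTRY_OBJECT_CLASS" "$ENTRY_ATTRIBUTE" "$key"
}

# Read LDIF on stdin and print the value of VALUE_ATTRIBUTE. ldapsearch writes
# "attr: value" normally and "attr:: base64" for values it cannot print verbatim.
# Input must end with a newline, or the last line is not seen by read.
extract_value() {
    plain="$VALUE_ATTRIBUTE: "
    b64="$VALUE_ATTRIBUTE:: "
    while IFS= read -r line; do
        case "$line" in
            "$b64"*)   printf '%s\n' "${line#"$b64"}" | base64 -d; echo ;;
            "$plain"*) printf '%s\n' "${line#"$plain"}" ;;
        esac
    done
}

# lookup <map> <key>: anonymous simple bind over plain ldap://, which is what
# usetls="no" / authrequired="no" in autofs_ldap_auth.conf make the automounter do
lookup() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$(map_dn "$1")" "$(entry_filter "$2")" "$VALUE_ATTRIBUTE" \
        | extract_value
}

# Walk /home/ldap/john the way autofs does: master map entry, then the wildcard of auto.home
if [ "${1:-}" = "--run" ]; then
    echo "master map entry for /home/ldap:"; lookup auto.master /home/ldap
    echo "wildcard entry of auto.home:";     lookup auto.home '*'
fi
```

Run it with `sh lookup_automount.sh --run` on Rpi2. An empty result for the first lookup with no error means the bind and base are fine but the entry is missing or named differently; an "Insufficient access" or "No such object" error points at slapd's ACLs or a wrong SEARCH_BASE.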
Functional Test
Open terminal emulator in Rpi2
Reboot Rpi2:
sudo reboot
Enter John's credentials at the login screen:
user: john
password: johnldap
Rpi2 will take between 1 and 2 minutes to authenticate and automount the home directory.
If the desktop is loaded, then the LDAP authentication is successful.
Open terminal emulator in Rpi2:
pwd
If the output of the above command is /home/ldap/john, then the automounter is using the maps stored in LDAP.