# ldap, nfs and automount



## besi (Jul 15, 2004)

Hi everyone!

I have a little problem with automounting the LDAP users' home directories.
Perhaps one of you has an idea:

On my SLOX 4.1 (as ldap-server) I use the autofs.schema for autofs 4.0.

slox-ip: 213.252.21.211
nfs-ip: 213.252.21.212
client-username: besi
client-os: suse 9.1 pro
------------
My ldap-entries are as follows:

dn: ou=auto.master,dc=sirlsped,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=sirlsped,dc=com
objectClass: top
objectClass: automount
cn: /home
automountinformation: ldap:213.252.21.211:ou=auto.home,dc=sirlsped,dc=com

dn: ou=auto.home,dc=sirlsped,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=besi,ou=auto.home,dc=sirlsped,dc=com
objectClass: top
objectClass: automount
cn: besi
automountinformation: -fstype=nfs,hard,intr,nodev,nosuid 213.252.21.212:/home/exports/besi
-------------
My nsswitch.conf looks like this:
passwd: compat
group: compat
automount: ldap
passwd_compat: ldap
group_compat: ldap
----------------------------
The ldap.conf on the client machine looks like this:
host sirloxs.sirlsped.com (which has the ip 213.252.21.211)
base dc=sirlsped,dc=com
----------------------------
The exports file on the NFS server looks like this:
/home/exports 213.252.21.0/255.255.255.0(rw,async) *.sirlsped.com(rw,async)
----------------------------
The hosts.allow file on the NFS server looks like this:
portmap: 213.252.21.0/255.255.255.0
mountd: 213.252.21.0/255.255.255.0
-----------------------------
Now when I log in as 'besi' on the client machine, KDE cannot start because
it cannot find the home directory for the user.
But when I log in as root and mount the home directory like this:
automount /home ldap 213.252.21.211:cn=besi,ou=auto.home,dc=sirlsped,dc=com
it mounts the directory and I can change user to 'besi'. But when I reboot
the client and want to log in as 'besi' again, the automount doesn't work
again.

Any ideas, what could be wrong?

FYI: my slapd.conf looks like this:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/dhcp.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/suse-email-server.schema
include /etc/openldap/schema/autofs.schema

# Define global ACLs to disable default read access.
access to *
by peername="ip=127\.0\.0\.1" read
by peername="ip=213\.252\.21" read
by peername="ip=213\.252\.21" auth
by peername="ip=213\.252\.21" write
by users read
by * none

#
# Check, if entries will match to db
#
schemacheck on

loglevel 0
sizelimit 1000
#threads 32

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
password-hash {crypt}

TLSCertificateFile /etc/ssl/certs/cert.pem
TLSCertificateKeyFile /etc/ssl/certs/skey.pem
TLSCACertificateFile /etc/ssl/CA/usedCA.pem

#######################################################################
# ldbm database definitions
#######################################################################

# ******************************* System Backend **********************
database ldbm
cachesize 30000
directory /var/lib/ldap
lastmod on
mode 0600

suffix "dc=sirlsped,dc=com"
rootdn "uid=cyrus,dc=sirlsped,dc=com"

# ******************************* System Backend **********************

#
# cleartext passwords, especially for the rootdn,
# should be avoided. See slapd.conf(5) for details.

# Don't put all your energy in a senseless searching
#
index uid,fn,memberuid,gidnumber,alias,relayClientcert eq
index objectclass,uidnumber,mailenabled,relativeDomainName eq
index zoneName,vaddress,reject,comFireGroupID,smtpDomain,MTALocaldomain eq
index cn,sn,givenname eq,sub

# Access control
#

# Private AddressBook
access to dn="ou=addr,uid=(.*),dc=sirlsped,dc=com"
by dn="uid=$1,dc=sirlsped,dc=com" write
by peername="ip=213\.252\.21" write
by * none

# allow rootDSE queries
access to dn=""
by peername="ip=213\.252\.21" read
by * read

# To let PAM authenticate
access to attr=userpassword
by self write
by peername="ip=213\.252\.21" auth
by peername="ip=213\.252\.21" read
by anonymous auth
by * none

access to attr=shadowLastChange
by self write
by peername="ip=213\.252\.21" read
by * read

# only the Admin is allowed to change the members of the addressadmins group
access to dn.base="cn=AddressAdmins,o=AddressBook,dc=sirlsped,dc=com"
by users read
by * none

# only the members of the AddressAdmins group are allowed to write to the
# Public Address Book
access to dn.subtree="o=AddressBook,dc=sirlsped,dc=com"
by group="cn=AddressAdmins,o=AddressBook,dc=sirlsped,dc=com" write
by peername="ip=213\.252\.21" write
by users read
by * none

# handle write access to the personal data (system address book)
# - first look at the OpenLDAPaci attribute
# - if that doesn't exist or the user-dn is not in the subject clause,
# give write access to the owner of the entry and read access to anyone else
access to dn="uid=[^,]+,dc=sirlsped,dc=com"
attr=c,cn,telephoneNumber,facsimileTelephoneNumber,pager,title,givenname,sn,l,description,mail,street,postalCode,st,homePhone,ou,initials,mobile,labeledURI,SuSETimeZone,faxDID,smsDID,printID,birthDay,jpegphoto,logindestination,entry,objectclass
by aci write break
by self write
by users read
by peername="ip=213\.252\.21" write
by peername="ip=127\.0\.0\.1" read
by * none

# if the above break statement is reached add read access for everyone
access to dn="uid=[^,]+,dc=sirlsped,dc=com"
attr=c,cn,telephoneNumber,facsimileTelephoneNumber,pager,title,givenname,sn,l,description,mail,street,postalCode,st,homePhone,ou,initials,mobile,labeledURI,SuSETimeZone,faxDID,smsDID,printID,birthDay,jpegphoto,logindestination,entry,objectclass
by users +rsc
by peername="ip=127\.0\.0\.1" +rsc
by peername="ip=213\.252\.21" +rsc
by * none

access to dn="uid=[^,]+,dc=sirlsped,dc=com"
attr=comFireTaskDays,comFireAppointmentDays,FUMSClientConfig,preferredLanguage,userPKCS12
by self write
by peername="ip=127\.0\.0\.1" write
by peername="ip=213\.252\.21" read
by * none

access to attr=lmPassword,ntPassword
by peername="ip=213\.252\.21" read
by * none

allow bind_v2 bind_anon_dn
----------------
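The three LDAP entries above form a chain that the automounter has to follow at login: the key under `ou=auto.master` must name a map that exists, and each key under that map must carry a `host:/path` location. The script below is an added example (not code from the original post or from the autofs project) that walks exactly that chain offline over an LDIF dump. Two things in it are assumptions rather than facts from the thread: that the master pointer is meant to read `ldap:213.252.21.211:ou=auto.home,dc=sirlsped,dc=com` (the `ldap:[host:]basedn` form), and that NFS home directories should always carry `nosuid,nodev`. The sample LDIF is constructed from the posted entries plus a constructed `cn=bad` key whose value was wrapped onto a continuation line with a single leading space, which is how a hand-edited LDIF silently loses the space between the options and the location.

```python
"""Offline sanity check for an autofs map tree stored in LDAP (autofs.schema).

Added example, not code from the original post or the autofs project. It walks
the chain the automounter follows (auto.master -> map -> key) and flags entries
that cannot work. Assumptions (not confirmed by the thread): the master-map
pointer uses the 'ldap:[host:]basedn' form, and NFS home directories should
carry the nosuid,nodev options.
"""
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # lowercased attribute name -> values

# Constructed sample: the thread's entries, plus a constructed 'cn=bad' key
# whose value was wrapped onto a continuation line with a single leading space.
SAMPLE_LDIF = """\
dn: ou=auto.master,dc=sirlsped,dc=com
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=sirlsped,dc=com
objectClass: automount
cn: /home
automountInformation: ldap:213.252.21.211:ou=auto.home,dc=sirlsped,dc=com

dn: ou=auto.home,dc=sirlsped,dc=com
objectClass: automountMap
ou: auto.home

dn: cn=besi,ou=auto.home,dc=sirlsped,dc=com
objectClass: automount
cn: besi
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid 213.252.21.212:/home/exports/besi

dn: cn=bad,ou=auto.home,dc=sirlsped,dc=com
objectClass: automount
cn: bad
automountInformation: -fstype=nfs,hard,intr,nodev,nosuid
 213.252.21.212:/home/exports/bad
"""

# Assumed master-map pointer syntax: ldap:[host:]basedn
MASTER_RE = re.compile(r"^ldap:(?:(?P<host>[^:/]+):)?(?P<base>[^=]+=.+)$")
# Map-key location: host:/absolute/path
LOCATION_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<path>/\S*)$")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal RFC 2849 reader: unfold continuation lines (exactly one leading
    space is dropped and the rest is joined with NO separator), skip comments,
    split entries on blank lines, lowercase attribute names."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in lines + [""]:          # sentinel flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def has_class(e: Entry, cls: str) -> bool:
    return cls.lower() in (c.lower() for c in e.get("objectclass", []))


def check_maps(entries: List[Entry]) -> List[str]:
    """Return human-readable findings; an empty list means the tree is consistent."""
    findings: List[str] = []
    maps = {e["dn"][0].lower(): e for e in entries if has_class(e, "automountMap")}
    master = next((dn for dn, e in maps.items()
                   if e.get("ou", [""])[0].lower() == "auto.master"), None)
    if master is None:
        return ["no automountMap entry with ou=auto.master"]
    for e in (e for e in entries if has_class(e, "automount")):
        key = e.get("cn", ["?"])[0]
        info = e.get("automountinformation", [""])[0]
        dn = e["dn"][0].lower()
        parent = dn.split(",", 1)[1] if "," in dn else ""   # naive RDN split
        if parent == master:
            # Master-map key: must point at another map that exists in the directory.
            m = MASTER_RE.match(info)
            if not m:
                findings.append(f"master key {key}: {info!r} is not 'ldap:[host:]basedn'")
            elif m["base"].lower() not in maps:
                findings.append(f"master key {key}: map {m['base']!r} has no automountMap entry")
        elif parent in maps:
            # Map key: '[-options] host:/path'. A value folded with a single space
            # loses the separator and the location becomes unparseable.
            opts, _, loc = info.partition(" ") if info.startswith("-") else ("", "", info)
            if not LOCATION_RE.match(loc):
                findings.append(f"key {key} in {parent}: no 'host:/path' location in {info!r}")
            elif "fstype=nfs" in opts and not {"nosuid", "nodev"} <= set(opts[1:].split(",")):
                findings.append(f"key {key}: NFS mount without nosuid,nodev")
        else:
            findings.append(f"key {key}: parent {parent!r} is not an automountMap")
    return findings


if __name__ == "__main__":
    for f in check_maps(parse_ldif(SAMPLE_LDIF)):
        print("FINDING:", f)
```

Run it against a real dump with `ldapsearch -x -h <server> -b dc=sirlsped,dc=com objectClass=automount*` piped into a file and passed to `parse_ldif`; the `cn=bad` finding in the sample is the one to look for whenever a map value was edited by hand, because the unfolded value still looks plausible to a human reader but has no location field left for the automounter.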


----------



## gotissues68 (Sep 7, 2002)

I use LDAP as well, but not for NFS mounts. Have you checked the debug log on the NFS server? Probably /var/log/syslog or /var/log/messages (for me it's /var/log/debug.log), so you might have to poke around. I have a feeling this will tell you what's going on. I'm guessing permissions, since root is able to mount the shares but not a regular user.


----------



## vsp_123 (Sep 6, 2004)

*A suggestion*

Hi,

Have you figured it out yet? I have a small suggestion. Can you try

automountinformation: ldap 213.252.21.211:ou=auto.home,dc=sirlsped,dc=com
instead of
automountinformation: ldap:213.252.21.211:ou=auto.home,dc=sirlsped,dc=com

in your ldif file and rebuild the LDAP entry for
dn: cn=/home,ou=auto.master,dc=sirlsped,dc=com

Also, can you let me know if you get any error messages (in /var/log/messages) when you restart the autofs service?


----------

