On Wed, Jun 29, 2016 at 12:48:36PM +0200, Lukas Slebodnik wrote:
> On (28/06/16 11:50), Jakub Hrozek wrote:
> >From b493cee9976b8dd62bea3d8f09b88ce809a40980 Mon Sep 17 00:00:00 2001
> >From: Jakub Hrozek <jhro...@redhat.com>
> >Date: Thu, 19 Nov 2015 10:40:39 +0100
> >Subject: [PATCH] LDAP: Change the default rfc2307 autofs attribute mappings
> >
> >Resolves:
> >    https://fedorahosted.org/sssd/ticket/2858
> >
> >The default attribute mappings we used to have:
> >    ldap_autofs_map_object_class        automountMap
> >    ldap_autofs_map_name                ou
> >    ldap_autofs_entry_object_class      automount
> >    ldap_autofs_entry_key               cn
> >    ldap_autofs_entry_value             automountInformation
> >
> >Were wrong. Instead, this patch switches to:
> >    ldap_autofs_map_object_class        nisMap
> >    ldap_autofs_map_name                nisMapName
> >    ldap_autofs_entry_object_class      nisObject
> >    ldap_autofs_entry_key               cn
> >    ldap_autofs_entry_value             nisMapEntry
> >
> >Which are attributes that are available with servers running the default
> >rfc2307 schema. In addition, this patch adds a syslog and DEBUG message
> >that warns administrators to double-check their configuration.
> >
> >We don't warn when the autofs provider is set to AD, because that one
> >is already correct.
> >---
> > src/man/sssd-ldap.5.xml           | 17 ++++----
> > src/providers/ldap/ldap_common.h  |  6 +++
> > src/providers/ldap/ldap_options.c | 83 
> > ++++++++++++++++++++++++++++++++++++++-
> > src/providers/ldap/ldap_opts.c    |  8 ++--
> > src/providers/ldap/sdap_autofs.c  | 17 ++++++++
> > 5 files changed, 119 insertions(+), 12 deletions(-)
> >
> >diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
> >index 
> >ff9bf0d8b6d4a8f677e08219e5105e3750b7a4a8..524579d4fcd478f20678bebf2c3ce18f61ed0cb9
> > 100644
> >--- a/src/providers/ldap/ldap_opts.c
> >+++ b/src/providers/ldap/ldap_opts.c
> >@@ -349,15 +349,15 @@ struct sdap_attr_map service_map[] = {
> > };
> > 
> > struct sdap_attr_map rfc2307_autofs_mobject_map[] = {
> >-    { "ldap_autofs_map_object_class", "automountMap", SYSDB_AUTOFS_MAP_OC, 
> >NULL },
> >-    { "ldap_autofs_map_name", "ou", SYSDB_AUTOFS_MAP_NAME, NULL },
> >+    { "ldap_autofs_map_object_class", "nisMap", SYSDB_AUTOFS_MAP_OC, NULL },
> >+    { "ldap_autofs_map_name", "nisMapName", SYSDB_AUTOFS_MAP_NAME, NULL },
> >     SDAP_ATTR_MAP_TERMINATOR
> > };
> > 
> > struct sdap_attr_map rfc2307_autofs_entry_map[] = {
> >-    { "ldap_autofs_entry_object_class", "automount", SYSDB_AUTOFS_ENTRY_OC, 
> >NULL },
> >+    { "ldap_autofs_entry_object_class", "nisObject", SYSDB_AUTOFS_ENTRY_OC, 
> >NULL },
> >     { "ldap_autofs_entry_key", "cn", SYSDB_AUTOFS_ENTRY_KEY, NULL },
> >-    { "ldap_autofs_entry_value", "automountInformation", 
> >SYSDB_AUTOFS_ENTRY_VALUE, NULL },
> >+    { "ldap_autofs_entry_value", "nisMapEntry", SYSDB_AUTOFS_ENTRY_VALUE, 
> >NULL },
> >     SDAP_ATTR_MAP_TERMINATOR
> > };
> > 
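Review bot: The new defaults in rfc2307_autofs_mobject_map and rfc2307_autofs_entry_map replace the old values with no comment in either table, so a later reader cannot tell that "automountMap", "ou", "automount" and "automountInformation" were ever the defaults, or why a domain with no explicit ldap_autofs_* settings starts querying different attributes after an upgrade. Suggest a short comment above each table naming the previous values and ticket 2858. The commit message promises a warning for administrators, but the only warning in the quoted part of the patch is the schema "ad" branch in sdap_autofs.c; please confirm the plain rfc2307 case, which is the one these tables actually change, is also covered.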
> >diff --git a/src/providers/ldap/sdap_autofs.c 
> >b/src/providers/ldap/sdap_autofs.c
> >index 
> >c02c04d5ca5addbfd1552176cac5f74fdd592503..db41b650ddcda99e6c221e856c259fcc43a10436
> > 100644
> >--- a/src/providers/ldap/sdap_autofs.c
> >+++ b/src/providers/ldap/sdap_autofs.c
> >@@ -313,6 +313,23 @@ errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx,
> >         return ret;
> >     }
> > 
> >+    if (id_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
> >+        if (ldap_ad_autofs_schema_defaults(be_ctx->cdb,
> >+                                           be_ctx->conf_path)) {
> >+        DEBUG(SSSDBG_IMPORTANT_INFO,
> >+              "Your configuration uses the ldap autofs provider "
> >+              "with schema set to \"ad\" and default autofs attribute "
> >+              "mappings. The default map changed in this release, "
> >+              "please make sure the sssd configuration explicitly matches "
> >+              "the server attributes.");
> >+        sss_log(SSS_LOG_NOTICE,
> >+                _("Your configuration uses the ldap autofs provider "
> >+                  "with schema set to \"ad\" and default autofs attribute "
> >+                  "mappings. The default map changed in this release, "
> >+                  "please make sure the sssd configuration explicitly 
> >matches "
> >+                  "the server attributes."));
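Review bot: The inner test `if (ldap_ad_autofs_schema_defaults(be_ctx->cdb, be_ctx->conf_path))` in sdap_autofs_init treats any non-zero return as "defaults are in use". The helper's declaration is not in the quoted part, so if it returns errno_t rather than bool, a failed confdb lookup would also emit the warning; a bool return, or an errno_t return with a bool out parameter and an explicit error check, would make the intent unambiguous. Two smaller points in the same block: the DEBUG and sss_log calls sit at the same indentation as the inner if instead of one level deeper, and the DEBUG format string ends without "\n", which is worth checking against the other DEBUG calls in this file.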
> Do we really need to log a message for the ad schema?
> I thought we would log a message about the change just for rfc2307.

I tried to catch this scenario:
    id_provider=ldap
    autofs_provider=ldap
    ldap_schema=ad

With the previous versions, the attributes pointed to automountMap etc.
And there is a chance (unlikely) the admin extended the schema to keep
the config using defaults.

> 
> IIRC AD does not have a schema for autofs by default.

Right, that's the reason we should change the defaults. AD only has
the most basic rfc2307 and our previous defaults forced the AD SSSD
admins to either change the mappings in the config file or extend the
schema.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
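
For administrators auditing existing configurations against the default change discussed in this thread, the following check lists the domains that use the ldap autofs provider without explicit values for the four changed options. It is an added example, not part of the patch or of SSSD; the function name and sample config are constructed, and it assumes that autofs_provider falls back to id_provider when unset and that ldap_schema defaults to rfc2307.

```python
import configparser

# Options whose default differs between the old and new tables in the quoted
# hunk, as (old, new). ldap_autofs_entry_key stays "cn" and is not listed.
CHANGED_DEFAULTS = {
    "ldap_autofs_map_object_class": ("automountMap", "nisMap"),
    "ldap_autofs_map_name": ("ou", "nisMapName"),
    "ldap_autofs_entry_object_class": ("automount", "nisObject"),
    "ldap_autofs_entry_value": ("automountInformation", "nisMapEntry"),
}
SCHEMAS_IN_SCOPE = {"rfc2307", "ad"}  # the two cases discussed in the thread

# Constructed sample sssd.conf fragment, not taken from a real deployment.
SAMPLE_CONF = """\
[domain/legacy]
id_provider = ldap

[domain/pinned]
id_provider = ldap
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = ou
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_value = automountInformation

[domain/adschema]
id_provider = ldap
ldap_schema = ad
ldap_autofs_map_name = ou
"""


def domains_relying_on_defaults(conf_text):
    """Map each affected domain to {unset option: old implicit default}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    affected = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Assumption: autofs_provider inherits id_provider when not set.
        provider = opts.get("autofs_provider", opts.get("id_provider", ""))
        schema = opts.get("ldap_schema", "rfc2307")
        if provider.lower() != "ldap" or schema.lower() not in SCHEMAS_IN_SCOPE:
            continue
        unset = {n: old for n, (old, _new) in CHANGED_DEFAULTS.items()
                 if n not in opts}
        if unset:
            affected[section[len("domain/"):]] = unset
    return affected
```

Each option reported for a domain should be set explicitly to whatever attribute the directory server actually uses; the old default is returned only to show what the domain was implicitly querying before.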