<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 06/30/2011 12:04 PM, Ondrej Valousek wrote:
    <blockquote cite="mid:4E0C9E8F.6010208@s3group.cz" type="cite">
      Hmm,<br>
      To me, these instructions are very vague - for example, they
      completely omit the LDAP security configuration for the automounter
      (stored in /etc/autofs_ldap_auth.conf). How does the automounter
      bind to the LDAP server? Anonymously?<br>
      I would not recommend it.<br>
      <br>
      I would recommend configuring the automounter to use the host/
      principal in the local Kerberos system database and bind using
      SASL/GSSAPI instead. It is a more secure and elegant solution.<br>
      <br>
    </blockquote>
    <br>
    <br>
    Sure, but the point is to give you an example of how to do it with
    IPA, i.e. to demonstrate the IPA-specific context, which is the
    "location".<br>
    We do not control autofs on the client side, so the configuration
    of it is out of scope of the IPA documentation. <br>
    <br>
    A good description of how to set up autofs with GSSAPI or using
    other security mechanisms is always welcome, but it has nothing
    specific to IPA (unless I am missing something). It is no different
    from any other Kerberos-enabled LDAP server, so any generic guidelines
    documented in autofs (I assume they exist) should apply. <br>
    <br>
    Thanks<br>
    Dmitri<br>
    <br>
    <blockquote cite="mid:4E0C9E8F.6010208@s3group.cz" type="cite">
      Ondrej<br>
      <br>
      <br>
      On 30.06.2011 17:26, Adam Young wrote:
      <blockquote cite="mid:4E0C95BA.9060004@redhat.com" type="cite">
        Good point. <br>
        <br>
         Take a look at the test day instructions, I found them very
        useful for setting up both SUDO and automount.<br>
        <br>
        <a moz-do-not-send="true" class="moz-txt-link-freetext"
          href="https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount">https://fedoraproject.org/wiki/QA:Testcase_freeipav2_automount</a><br>
        <br>
        <br>
        On 06/30/2011 11:08 AM, Ondrej Valousek wrote:
        <blockquote cite="mid:4E0C9153.6000602@s3group.cz" type="cite">
          <br>
          <br>
          On 30.06.2011 16:55, Rob Crittenden wrote:
          <blockquote cite="mid:4E0C8E60.8000806@redhat.com" type="cite">Look
            at the output of this for details: ipa help automount <br>
          </blockquote>
          <br>
          I see, thanks!<br>
          It would be nice to update man pages like:<br>
          <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html">http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html</a><br>
          to say something like:<br>
          <pre class="programlisting">LDAP_URI="ldap:///dc=example,dc=com"
SEARCH_BASE="cn=&lt;location&gt;,cn=automount,dc=example,dc=com"
</pre>
          So people know more about the automounter's ability to locate
          the LDAP server via DNS SRV....<br>
          <br>
          Thanks!<br>
          Ondrej<br>
          <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
        </blockquote>
        <br>
      </blockquote>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




</pre>
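    <br>
    Added example, not part of the original thread or of the FreeIPA or autofs
    documentation: a small audit of /etc/autofs_ldap_auth.conf that reports
    whether the automounter would bind to LDAP without authentication, as
    questioned above, or with SASL/GSSAPI and a host/ principal. The attribute
    names follow autofs_ldap_auth.conf(5); the sample configurations, host
    name, realm and finding labels are constructed for illustration.<br>

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (host name and realm are placeholders).
ANONYMOUS_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf usetls="no" tlsrequired="no" authrequired="no" />"""

GSSAPI_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="no"
    tlsrequired="no"
    authrequired="yes"
    authtype="GSSAPI"
    clientprinc="host/client.example.com@EXAMPLE.COM" />"""

# SASL mechanisms that send a reusable password to the server.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def audit_autofs_ldap_auth(xml_text):
    """Return a list of findings about how automount will bind to LDAP."""
    root = ET.fromstring(xml_text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("not an autofs_ldap_auth.conf document")
    attr = {k: v.strip() for k, v in root.attrib.items()}
    # Assumption: an absent attribute is treated like an explicit "no".
    required = attr.get("authrequired", "no").lower()
    mech = attr.get("authtype", "").upper()
    tls_forced = attr.get("tlsrequired", "no").lower() == "yes"

    findings = []
    if required == "no" or mech == "ANONYMOUS":
        # authrequired="no": no authentication is needed for LDAP queries.
        findings.append("unauthenticated-bind")
    elif required == "autodetect":
        # autodetect connects without auth if no mechanism can be negotiated.
        findings.append("may-fall-back-to-unauthenticated")
    if (required == "simple" or mech in PASSWORD_MECHS) and not tls_forced:
        findings.append("password-sent-without-required-tls")
    if "secret" in attr:
        findings.append("cleartext-secret-in-file")
    if mech == "GSSAPI" and not attr.get("clientprinc", "").startswith("host/"):
        # The thread recommends the host/ principal for the GSSAPI bind.
        findings.append("gssapi-not-using-host-principal")
    return findings
```
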
  </body>
</html>