[Leap 16.0] Indirect automount maps and sssd

Yes, you are right and thinking about this a bit more, the configuration that I said "works fine on 15.6" doesn’t really work very well on closer examination: it retrieves the master map from sss, but then gets the indirect map using ldap. This means that I am not getting the advantages of sssd in practice, for the autofs service. The sssd configuration is:

[sssd]
config_file_version = 2
services = nss,pam,autofs,ifp
domains = default

[autofs]

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com,ldap://ldapfailover.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow

I have already looked for a way of configuring sssd so that indirect maps are resolved through sss as you say, but haven’t found anything (although this is not my area of expertise). If you can point me to anything that describes how to do this, I would be very grateful.

As for openSUSE, I guess the issue is:

  • If the withdrawal of autofs_ldap.so is deliberate (and I guess that it is, maybe coming from SLE?), this should be discussed in the release notes. As far as I have been able to find, there is no mention of this (in for example the documents at Index of /release-notes/x86_64/openSUSE/Leap/16.0)
  • OTOH, if autofs_ldap.so was omitted by accident, it should be restored. Even in this case, I would still be very interested in improving my sssd configuration though :wink:
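
Separate from the automount question, the domain section posted above carries two LDAP transport settings worth checking. The following is an added example, not part of the original post or of sssd: a small audit of those keys, with defaults taken from sssd-ldap(5); the function name and finding codes are hypothetical.

```python
import configparser

# Constructed input: transport-related keys of the [domain/default] section posted above.
POSTED = """
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com,ldap://ldapfailover.example.com
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
"""

def audit_ldap_transport(conf_text):
    """Return (section, code, detail) tuples for weak LDAP transport settings."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue  # only [domain/...] sections carry ldap_* options
        dom = cp[name]
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if u.lower().startswith("ldap://")]
        # sssd-ldap(5): ldap_id_use_start_tls defaults to false, so ldap:// URIs
        # without it leave identity lookups unencrypted.
        start_tls = dom.getboolean("ldap_id_use_start_tls", fallback=False)
        if plain and not start_tls:
            findings.append((name, "cleartext-lookups", ", ".join(plain)))
        # sssd-ldap(5): default is "hard"; neither "never" nor "allow" rejects
        # a server certificate that fails validation.
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append((name, "cert-not-enforced", reqcert))
    return findings

if __name__ == "__main__":
    for section, code, detail in audit_ldap_transport(POSTED):
        print(f"[{section}] {code}: {detail}")
```

Setting `ldap_id_use_start_tls = True` and `ldap_tls_reqcert = demand` (or removing the latter to get the default) clears both findings, provided the CA directory actually holds the issuing certificate.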