The Virtualization Cookbook for SLES 10 SP2 - z/VM - IBM
export/unixdata/homedirs \
@hgrp_autohome_admin(rw,no_root_squash,insecure,sync) \
@hgrp_autohome_hosts(rw,root_squash,insecure,sync)
I look forward to going to NFSv4 with Kerberos authentication, but we're not there yet.
Regarding automount maps in LDAP, this works very well for us with one exception. The
problem is that there's a significant number of automount map schemas out there, and
different OSes (and different revisions of OSes) use different ones. As we are a fairly
heterogeneous environment, I found it near impossible to keep a master map in LDAP. Right
now we're just keeping a /etc/auto.master or /etc/auto_master on each host.
In order to make the individual map entries work heterogeneously, I had to add several object
classes and a few redundant attributes to each entry. Here's what my home directory
automount map entry looks like:
# ap00375, auto_home, unix.example.com
dn: automountKey=ap00375,automountMapName=auto_home,dc=unix,dc=example,dc=com
automountInformation: linux01.example.com:/vol/vol2/unixhomes-5gb/75/ap00375
cn: ap00375
automountKey: ap00375
objectClass: automount
objectClass: nisNetId
objectClass: top
Regarding heterogeneous clients, we found AIX in particular to be the hardest of our clients to
configure, and Linux the easiest. Ensure on AIX that you have the latest available LDAP client
package from IBM. Also be aware that AIX wants to use its extended LDAP schema rather
than RFC2307, and wants full write access to the LDAP servers from every AIX client.
Despite that, it will work with RFC2307 and read-only access. Solaris, like Linux, has an
option to not use an LDAP proxy account at all via anonymous binding, but I never got Solaris
anonymous binding to work.
I recommend making LDAP use TLS or SSL on the wire, in order to keep clear-text
passwords from flying about. Both AIX and Solaris require the server public SSL certificates
to be loaded on every client to do LDAP over TLS or SSL. Linux can be configured to ignore
authenticating the LDAP servers' certificates and proceed with TLS/SSL anyway. This is
convenient, but does open the possibility of man-in-the-middle attacks. In our environment this
isn't a big deal, but it might be in yours.
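The "convenient but MITM-prone" Linux setting mentioned above is a one-line change in the client's ldap.conf. The following is an added example, not code from the cookbook or from the contributor: it parses a pam_ldap/nss_ldap-style /etc/ldap.conf (the OpenLDAP keyword TLS_REQCERT is recognized as well) and flags the configurations that send credentials in clear text or skip server certificate verification. The two configuration texts, the host names and the CA file path are constructed for the example; the keywords (uri, ssl, tls_checkpeer, tls_cacertfile, TLS_REQCERT) are the real ones.

```python
# Constructed sample: a Linux LDAP client configuration that does TLS but does
# not verify the server certificate. It "works" against any server that speaks
# TLS, including one inserted by an attacker on the path.
WEAK_CONF = """\
# constructed example, not a real site configuration
base dc=unix,dc=example,dc=com
uri ldap://ldap1.example.com ldap://ldap2.example.com
ssl start_tls
tls_checkpeer no
TLS_REQCERT never
"""

# Constructed sample: the same client with certificate checking turned on and
# the CA that signed the servers' certificates loaded, as AIX and Solaris require.
HARDENED_CONF = """\
base dc=unix,dc=example,dc=com
uri ldap://ldap1.example.com ldap://ldap2.example.com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/example-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {keyword(lowercased): value} from ldap.conf text.

    Keywords are case-insensitive in ldap.conf; the last occurrence of a
    keyword wins, which matches how the client libraries read the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means no weakness was found."""
    conf = parse_ldap_conf(text)
    findings = []

    # Transport: either an ldaps:// URI or "ssl on|start_tls" puts TLS on the wire.
    uris = conf.get("uri", "").split()
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in uris)
    ssl_mode = conf.get("ssl", "no").lower()
    if not uses_ldaps and ssl_mode not in ("start_tls", "on", "yes"):
        findings.append("no TLS: bind passwords cross the wire in clear text")

    # Server certificate verification. TLS_REQCERT never/allow/try and
    # tls_checkpeer no all accept any certificate, so any host can impersonate
    # the directory server.
    reqcert = conf.get("tls_reqcert", "").lower()
    if reqcert in ("never", "allow", "try"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified "
                        "(man-in-the-middle possible)")
    checkpeer = conf.get("tls_checkpeer", "").lower()
    if checkpeer in ("no", "false", "off"):
        findings.append("tls_checkpeer no: server certificate not verified "
                        "(man-in-the-middle possible)")

    # Verification switched on without a trust anchor fails the handshake
    # instead of protecting anything, so flag that misconfiguration too.
    verifying = reqcert in ("demand", "hard") or checkpeer == "yes"
    has_ca = any(k in conf for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir"))
    if verifying and not has_ca:
        findings.append("certificate checking enabled but no CA certificate configured; "
                        "the TLS handshake will fail")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
```

Run against the hardened text the audit returns no findings; against the weak text it reports both the TLS_REQCERT and the tls_checkpeer problem. A configuration with a plain ldap:// URI and no ssl line is reported as clear text, which is the case the paragraph warns about first.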
We've found POSIX group membership management to be one of our more challenging
issues overall. Some older systems (e.g. Solaris