For the port of LCFG to SL7, we have been thinking about our LDAP client provision. Historically we have run a full slapd server on all clients, replicating hourly from the master. This was largely for reasons of stability and also the ability to support disconnected operation.
Our OpenLDAP: DICE client configuration project page contains a lot of information on our thoughts and discussions on this matter.
For our initial configurations of SL7, we’ve been investigating using sssd as a connection/caching daemon (the caching functionality in particular has made moving to sssd from nslcd an attractive option).
Our openldap LCFG component currently configures and manages both server and client side operation. The latter is much simpler as it runs no daemon and just populates the files
/etc/ldap.conf and optionally
/etc/nslcd.conf. Separating the component into individual client and server openldap components is something we are considering.
We have decided to configure sssd separately from the openldap component (in contrast to nslcd, which was configured (and partially managed) from lcfg-openldap). This will help to reduce the complexity of the component and also make it easier to manage sssd properly.
To this end we have modified the
openldap.nss_package resource so that it now accepts the value “none”, in addition to the existing “nss_ldap” and “nss-pam-ldapd” values. Setting it to “none” will result in only
/etc/openldap/ldap.conf, of the three client configuration files mentioned above, being configured.
For configuration and management of sssd, we need to decide whether to write a new component, or use an existing one. We may well decide on the former in the longer term, but for our initial testing we have made use of the lcfg-inifile component, as sssd’s configuration is in inifile format. We have made a few local modifications to this
component – firstly to add support for setting user and group ownership and permissions; secondly, we have added support for using the new Service() function in ngeneric to restart sssd when its configuration changes. The component we use for sssd will be under ongoing consideration.
We are using the version of sssd as provided by SL7, but patched to fix a bug when using DNS service discovery.
All of this is in testing and seems to work. The component versions are lcfg-openldap-3.1.71-1 and lcfg-inifile-1.0.2_dev-4.
It should also be noted that the shadow of systemd looms long over any attempts to configure component boot-time dependencies. We need to be very careful to get this right.
Informatics computing staff wishing to use this on their test SL7 machines can do so with:
#define TESTING_SSSD_CLIENT #include <inf/options/dicehacks.h>