From Linux NFS

Revision as of 18:12, 3 February 2014 by Chucklever (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


Project: fedfs-utils

[ Project Home | News | Downloads | Docs | Mailing Lists | Source Control | Issues ]


Before a fileserver can create and resolve FedFS junctions, or a FedFS administrative client can contact an NSDB, information about how to connect to the NSDB must be stored locally. This information consists of details about the NSDB's hostname and port number, possibly an x.509 certificate that can authenticate the NSDB, and other information. This information is known as an NSDB's connection parameters.

On Linux, these parameters are stored in a database on each fileserver that accesses NSDBs. Setting up the NSDB connection parameters database is a simple step, but is a requirement for fileservers and administrative tools that connect to a FedFS domain's NSDB. This article describes how to populate an NSDB connection parameter database on fileservers and administrative clients.

Create the database and add an NSDB

NSDBs are identified by their hostname and port number. If the port number isn't specified, the standard LDAP port 389 is assumed.

For example, suppose your NSDB will reside on the host nsdb.example.net, and it listens on the standard LDAP port. On your fileserver, start with this:

# nsdbparams update nsdb.example.net

This allows your fileserver to contact this LDAP server to resolve junctions. The fileserver will use in-the-clear LDAP requests by default.

To see information about this NSDB's connection parameters, use:

# nsdbparams show nsdb.example.net

Each NSDB that your fileserver contacts must have an entry in the fileserver's NSDB connection parameters database. For example, a fileserver in a FedFS domain that employs a single NSDB typically has just one entry in its NSDB connection parameter database. The act of creating a record for the first NSDB automatically initializes the NSDB connection parameter database on your fileserver.

Additional parameters

There is some additional information that can be stored in a NSDB connection parameter database.

You can allow fileservers to follow LDAP referrals when performing NSDB queries. This is useful if you have multiple LDAP servers and want to use LDAP referrals to direct NSDB queries to a particular host. Use the -R option to enable this feature:

# nsdbparams update -R yes nsdb.example.net

The default is to prohibit following LDAP referrals, as a security precaution.

On your administrative hosts, it is convenient to specify the NSDB administrative DN and the NCE to use for administrative operations. If you do this, you don't need to specify these each time you invoke an NSDB administrative tool. Use the -D option to specify the admin DN, and the -e option to specify the default NCE. For example:

# nsdbparams update -D cn=Manager,cn=config -e ou=fedfs,dc=example,dc=net nsdb.example.net

These settings apply only to the specified NSDB.

Connection security

Fileservers can use secure transports to communicate with LDAP servers. The nsdbparams command is one way to set this up.

Support you have a PEM-encoded trust chain for nsdb.example.net in the file /tmp/cert.pem. Use the -f option to configure the fileserver to use this chain to establish a TLS connection:

# nsdbparams update -f /tmp/cert.pem nsdb.example.net

The certificate material is copied to a private directory by this command. You can issue this command again with a fresh certificate to replace an expired certificate.

To disable the use of TLS when contacting this LDAP server, use this:

# nsdbparams update -t none nsdb.example.net
Personal tools