Automount is the modern way to mount directories over a network. It is far easier to manage and is more economic in bandwidth.

In this howto, autofs will be configured through an LDAP directory: in that way, we have a centralised configuration and make maximum use of the LDAP that has been setup. Great, isn't it?


First of all, automount is composed of two parts: a kernel module and user land utilities. Kernels in modern GNU/Linux distributions are compiled with support for automount. You just have to install the user land utilities: install the following packages autofs-ldap ldap-utils (see InstallingSoftware).

If you plan to only use flat files configuration, you do not need to install the autofs-ldap  package: installation is described in Autofs howto.


Configuring LDAP automount consists of several parts:

  • configure openldap server to load the autofs-ldap schema
  • entering LDAP entries for defining mountpoints
  • entering LDAP entries for defining directories
  • defining on the client to use LDAP for automount configuration

This guide presumes you've already set up an LDAP server and are familiar with ldap-utils (ldapmodify, ldapadd, etc).

On the server

When you install autofs-ldap, it puts a copy of the schema in /etc/ldap/schema/autofs-ldap.schema. Copy the file to the same directory on your server. Your next step will depend on whether your LDAP server is configured with slapd.conf (older LDAP versions) or with cn=config database entries (the newer, "correct" way).

Note: Autofs actually supports three different schemas for LDAP. This walk-through assumes the one that ships with the Ubuntu distribution of autofs-ldap. The steps are the same but your LDAP entries will depend on which you use. The three different schemas are covered in some detail on this blog.

With slapd.conf

Add the following to your /etc/ldap/slapd.conf file:

#Schema and objectClass definitions
include /etc/ldap/schema/autofs.schema

The autofs.schema line must be inserted after core.schema and cosine.schema

Now restart the slapd service:

sudo /etc/init.d/slapd restart

Or with Upstart:

sudo service slapd restart

With cn=config

The autofs-ldap.schema file needs to be converted to LDIF format. You can do this with the slapcat utility as described in the OpenLDAPServer guide, or you can just visit and grab this one that's already been converted (rename it autofs-ldap.ldif and put it in /etc/ldap/schema for consistency's sake).

Use ldapadd to import it into the database.

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs-ldap.ldif

(The -Y EXTERNAL option tells the server to authenticate you external to the server, as the user performing the this case, root.)

Populating LDAP

In the LDAP directory, you have to enter two kinds of entries:

  • entry that defines the mountpoint
  • entry that defines the directory under a mountpoint

Here is an example of LDAP entries based on the OpenLDAPServer installation.

dn: ou=admin,dc=example,dc=com
ou: admin
objectClass: top
objectClass: organizationalUnit

dn: ou=automount,ou=admin,dc=example,dc=com
ou: automount
objectClass: top
objectClass: organizationalUnit

dn: ou=auto.master,ou=automount,ou=admin,dc=example,dc=com
ou: auto.master
objectClass: top
objectClass: automountMap
dn: cn=/home,ou=auto.master,ou=automount,ou=admin,dc=example,dc=com
cn: /home
objectClass: top
objectClass: automount
automountInformation: ldap:ou=auto.home,ou=automount,ou=admin,dc=example,dc=com --timeout=60 --ghost

dn: ou=auto.home,ou=automount,ou=admin,dc=example,dc=com
ou: auto.home
objectClass: top
objectClass: automountMap

dn: cn=lionel,ou=auto.home,ou=automount,ou=admin,dc=example,dc=com
cn: lionel
objectClass: top
objectClass: automount
automountInformation: -fstype=nfs,rw,hard,intr,nodev,exec,nosuid,rsize=8192,wsize=8192

Save your map to a .ldif file and add it with ldapadd (depending on your database's ACL you might have to authenticate as your admin user instead of using the external option).

sudo ldapadd -D cn=admin,dc=example,dc=com -W -f automounttree.ldif

Some notes:

  • You need ObjectClass: automountMap in every ou: auto.x entry. This was always required, but autofs version 4 let you get away with having the objectClass of maps be organizationalUnit. Autofs5 does not. If you upgraded from v4 to v5 and your LDAP mappings stop working, this might be one reason why. You'll have to delete your old entries and their children and replace them with the corrected ones.

  • The ou: admin group is optional, and could be named anything else (something you may wish to do if you want to avoid confusion with, say, the LDAP admin user).

On the client

There are three files you need to concern yourself with:

  • /etc/default/autofs
  • /etc/autofs_ldap_auth.conf
  • /etc/nsswitch.conf


Open up /etc/default/autofs and read it though. Some of the entries are explained in more detail in man auto.master. What follows are the minimal settings to get autofs talking to your LDAP tree.


You could write this in the form //servername/ou=auto.master... instead; without it autofs will check nsswitch for the server location, which is fine.


Be sure to uncomment it. Log output goes to var/log/syslog You can set it back to its default later but for now you really want it on. Use "debug" instead for even more detailed output.


The address of your LDAP server. Use ldaps:// if your setup calls for it, though you may wish to test that everything else works before adding encryption into the mix.


Where in the tree autofs should look for auto.master

# Define the LDAP schema to used for lookups
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
# (...)

If using a different schema, uncomment the one that applies to you.


The contents of this file will vary greatly depending on your LDAP and NFS setup. You should read man autofs_ldap_auth.conf for a full description. The default config looks like this:


This is sufficient for many "basic" configurations, allowing reads without any extra authentication. TLS users will want to change the usetls and (if applicable) the tlsrequired entries to "yes". If you are using your own Certificate Authority to sign your certs, you need the CA certificate installed on the client machine and it's location defined in ldap.conf (see below).

If your NFS setup relies on Kerebos authentication, you need to add/change the following lines:


Change the values of clientprinc and credentialcache to match your setup.


Lastly, you have to add the LDAP map to the automount entry of /etc/nsswitch.conf. Edit your /etc/nsswitch.conf and add the line:

automount:      files ldap

If you haven't already (and you may have for other purposes), you should also edit /etc/ldap/ldap.conf with the appropriate values for your LDAP server:

BASE    dc=example,dc=com
URI     ldap://

#If using TLS:
TLS_CACERT /usr/share/ca-certificates/


Start or restart autofs:

sudo /etc/init.d/autofs restart


sudo service autofs restart

Have a look in /var/log/syslog:

Apr  7 12:54:44 vm-sandbox1 automount[7951]: Starting automounter version 5.0.5, master map ou=auto.master,ou=automount,ou=sysconfig,dc=tempe,dc=grindwork,dc=com
Apr  7 12:54:44 vm-sandbox1 automount[7951]: using kernel protocol version 5.01
Apr  7 12:54:44 vm-sandbox1 automount[7951]: ignoring duplicate indirect mount /common
Apr  7 12:54:44 vm-sandbox1 automount[7951]: mounted indirect on /common with timeout 60, freq 15 seconds
Apr  7 12:54:44 vm-sandbox1 automount[7951]: ghosting enabled

So far, so good - it found auto.master. Try to ls or cd to your subdirectories and make sure they mount properly. If the mount is failing at any point, check the log again and see what it's complaining about. Restart autofs again after making configuration changes.

AutofsLDAP (last edited 2013-01-21 03:30:49 by 3-14-pi-wm)