AUTOFS_LDAP_AUTH.CONF(5)AUTOFS_LDAP_AUTH.CONF(5)NAMEautofs_ldap_auth.conf - autofs LDAP authentication configuration
DESCRIPTION
LDAP authenticated binds, TLS encrypted connections and certification
may be used by setting appropriate values in the autofs authentication
configuration file and configuring the LDAP client with appropriate
settings. The default location of this file is
/etc/autofs/autofs_ldap_auth.conf. If this file exists it will be used
to establish whether TLS or authentication should be used.
An example of this file is:
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
usetls="yes"
tlsrequired="no"
authrequired="no"
authtype="DIGEST-MD5"
user="xyz"
secret="abc"
/>
If TLS encryption is to be used the location of the Certificate Author‐
ity certificate must be set within the LDAP client configuration in or‐
der to validate the server certificate. If, in addition, a certified
connection is to be used then the client certificate and private key
file locations must also be configured within the LDAP client.
OPTIONS
This files contains a single XML element, as shown in the example
above, with several attributes.
The possible attributes are:
usetls="yes"|"no"
Determines whether an encrypted connection to the ldap server
should be attempted.
tlsrequired="yes"|"no"
This flag tells whether the ldap connection must be encrypted.
If set to "yes", the automounter will fail to start if an en‐
crypted connection cannot be established.
authrequired="yes"|"no"|"autodetect"|"simple"
This option tells whether an authenticated connection to the
ldap server is required in order to perform ldap queries. If the
flag is set to yes, only sasl authenticated connections will be
allowed. If it is set to no then authentication is not needed
for ldap server connections. If it is set to autodetect then the
ldap server will be queried to establish a suitable sasl authen‐
tication mechanism. If no suitable mechanism can be found, con‐
nections to the ldap server are made without authentication. Fi‐
nally, if it is set to simple, then simple authentication will
be used instead of SASL.
authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"
This attribute can be used to specify a preferred authentication
mechanism. In normal operations, the automounter will attempt
to authenticate to the ldap server using the list of supported‐
SASLmechanisms obtained from the directory server. Explicitly
setting the authtype will bypass this selection and only try the
mechanism specified. The EXTERNAL mechanism may be used to au‐
thenticate using a client certificate and requires that authre‐
quired set to "yes" if using SSL or usetls, tlsrequired and au‐
threquired all set to "yes" if using TLS, in addition to au‐
thtype being set to EXTERNAL.
If using authtype EXTERNAL two additional configuration entries
are required:
external_cert="<client certificate path>"
This specifies the path of the file containing the client cer‐
tificate.
external_key="<client certificate key path>"
This specifies the path of the file containing the client cer‐
tificate key.
These two configuration entries are mandatory when using the EX‐
TERNAL method as the HOME environment variable cannot be assumed
to be set or, if it is, to be set to the location we expect.
user="<username>"
This attribute holds the authentication identity used by authen‐
tication mechanisms that require it. Legal values for this at‐
tribute include any printable characters that can be used by the
selected authentication mechanism.
secret="<password>"
This attribute holds the secret used by authentication mecha‐
nisms that require it. Legal values for this attribute include
any printable characters that can be used by the selected au‐
thentication mechanism.
encoded_secret="<base64 encoded password>"
This attribute holds the base64 encoded secret used by authenti‐
cation mechanisms that require it. If this entry is present as
well as the secret entry this value will take precedence.
clientprinc="<GSSAPI client principal>"
When using GSSAPI authentication, this attribute is con‐
sulted to determine the principal name to use when au‐
thenticating to the directory server. By default, this
will be set to "autofsclient/<fqdn>@<REALM>.
credentialcache="<external credential cache path>"
When using GSSAPI authentication, this attribute can be
used to specify an externally configured credential cache
that is used during authentication. By default, autofs
will setup a memory based credential cache.
SEE ALSOauto.master(5),
AUTHOR
This manual page was written by Ian Kent <raven@themaw.net>.
19 Feb 2010 AUTOFS_LDAP_AUTH.CONF(5)