1AUTOFS_LDAP_AUTH.CONF(5)      File Formats Manual     AUTOFS_LDAP_AUTH.CONF(5)
2
3
4

NAME

6       autofs_ldap_auth.conf - autofs LDAP authentication configuration
7

DESCRIPTION

9       LDAP  authenticated  binds, TLS encrypted connections and certification
10       may be used by setting appropriate values in the autofs  authentication
11       configuration  file  and  configuring  the LDAP client with appropriate
12       settings.     The    default    location    of     this     file     is
13       /etc/autofs_ldap_auth.conf.  If this file exists it will be used to es‐
14       tablish whether TLS or authentication should be used.
15
16       An example of this file is:
17
18         <?xml version="1.0" ?>
19         <autofs_ldap_sasl_conf
20                 usetls="yes"
21                 tlsrequired="no"
22                 authrequired="no"
23                 authtype="DIGEST-MD5"
24                 user="xyz"
25                 secret="abc"
26         />
27
28       If TLS encryption is to be used the location of the Certificate Author‐
29       ity certificate must be set within the LDAP client configuration in or‐
30       der to validate the server certificate. If, in  addition,  a  certified
31       connection  is  to  be used then the client certificate and private key
32       file locations must also be configured within the LDAP client.
33

OPTIONS

35       This files contains a single XML  element,  as  shown  in  the  example
36       above, with several attributes.
37
38       The possible attributes are:
39
40       usetls="yes"|"no"
41              Determines  whether  an  encrypted connection to the ldap server
42              should be attempted.
43
44       tlsrequired="yes"|"no"
45              This flag tells whether the ldap connection must  be  encrypted.
46              If  set  to  "yes", the automounter will fail to start if an en‐
47              crypted connection cannot be established.
48
49       authrequired="yes"|"no"|"autodetect"|"simple"
50              This option tells whether an  authenticated  connection  to  the
51              ldap server is required in order to perform ldap queries. If the
52              flag is set to yes, only sasl authenticated connections will  be
53              allowed.  If  it  is set to no then authentication is not needed
54              for ldap server connections. If it is set to autodetect then the
55              ldap server will be queried to establish a suitable sasl authen‐
56              tication mechanism. If no suitable mechanism can be found,  con‐
57              nections to the ldap server are made without authentication. Fi‐
58              nally, if it is set to simple, then simple  authentication  will
59              be used instead of SASL.
60
61       authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"
62              This attribute can be used to specify a preferred authentication
63              mechanism.  In normal operations, the automounter  will  attempt
64              to  authenticate to the ldap server using the list of supported‐
65              SASLmechanisms obtained from the directory  server.   Explicitly
66              setting the authtype will bypass this selection and only try the
67              mechanism specified. The EXTERNAL mechanism may be used  to  au‐
68              thenticate  using a client certificate and requires that authre‐
69              quired set to "yes" if using SSL or usetls, tlsrequired and  au‐
70              threquired  all  set  to  "yes" if using TLS, in addition to au‐
71              thtype being set to EXTERNAL.
72
73              If using authtype EXTERNAL two additional configuration  entries
74              are required:
75
76              external_cert="<client certificate path>"
77
78              This  specifies  the path of the file containing the client cer‐
79              tificate.
80
81              external_key="<client certificate key path>"
82
83              This specifies the path of the file containing the  client  cer‐
84              tificate key.
85
86              These two configuration entries are mandatory when using the EX‐
87              TERNAL method as the HOME environment variable cannot be assumed
88              to be set or, if it is, to be set to the location we expect.
89
90       user="<username>"
91              This attribute holds the authentication identity used by authen‐
92              tication mechanisms that require it.  Legal values for this  at‐
93              tribute include any printable characters that can be used by the
94              selected authentication mechanism.
95
96       secret="<password>"
97              This attribute holds the secret used  by  authentication  mecha‐
98              nisms  that  require it. Legal values for this attribute include
99              any printable characters that can be used by  the  selected  au‐
100              thentication mechanism.
101
102       encoded_secret="<base64 encoded password>"
103              This attribute holds the base64 encoded secret used by authenti‐
104              cation mechanisms that require it. If this entry is  present  as
105              well as the secret entry this value will take precedence.
106
107
108       clientprinc="<GSSAPI client principal>"
109              When  using GSSAPI authentication, this attribute is con‐
110              sulted to determine the principal name to  use  when  au‐
111              thenticating  to  the  directory server. By default, this
112              will be set to "autofsclient/<fqdn>@<REALM>.
113
114       credentialcache="<external credential cache path>"
115              When using GSSAPI authentication, this attribute  can  be
116              used to specify an externally configured credential cache
117              that is used during authentication.  By  default,  autofs
118              will setup a memory based credential cache.
119

SEE ALSO

121       auto.master(5), autofs.conf(5).
122

AUTHOR

124       This manual page was written by Ian Kent <raven@themaw.net>.
125
126
127
128                                  19 Feb 2010         AUTOFS_LDAP_AUTH.CONF(5)
Impressum