NAME
autofs_ldap_auth.conf - autofs LDAP authentication configuration
DESCRIPTION
LDAP authenticated binds, TLS encrypted connections and certification
may be used by setting appropriate values in the autofs authentication
configuration file and configuring the LDAP client with appropriate
settings. The default location of this file is
/etc/autofs_ldap_auth.conf. If this file exists it will be used to
establish whether TLS or authentication should be used.
An example of this file is:
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
usetls="yes"
tlsrequired="no"
authrequired="no"
authtype="DIGEST-MD5"
user="xyz"
secret="abc"
/>
If TLS encryption is to be used the location of the Certificate
Authority certificate must be set within the LDAP client configuration
in order to validate the server certificate. If, in addition, a
certified connection is to be used then the client certificate and
private key file locations must also be configured within the LDAP
client.
OPTIONS
This files contains a single XML element, as shown in the example
above, with several attributes.
The possible attributes are:
usetls="yes"|"no"
Determines whether an encrypted connection to the ldap server
should be attempted.
tlsrequired="yes"|"no"
This flag tells whether the ldap connection must be encrypted.
If set to "yes", the automounter will fail to start if an
encrypted connection cannot be established.
authrequired="yes"|"no"|"autodetect"|"simple"
This option tells whether an authenticated connection to the
ldap server is required in order to perform ldap queries. If the
flag is set to yes, only sasl authenticated connections will be
allowed. If it is set to no then authentication is not needed
for ldap server connections. If it is set to autodetect then the
ldap server will be queried to establish a suitable sasl
authentication mechanism. If no suitable mechanism can be
found, connections to the ldap server are made without
authentication. Finally, if it is set to simple, then simple
authentication will be used instead of SASL.
authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"
This attribute can be used to specify a preferred authentication
mechanism.
In normal operations, the automounter will attempt to
authenticate to the ldap server using the list of
supportedSASLmechanisms obtained from the directory server.
Explicitly setting the authtype will bypass this selection and
only try the mechanism specified.
user="<username>"
This attribute holds the authentication identity used by
authentication mechanisms that require it. Legal values for
this attribute include any printable characters that can be used
by the selected authentication mechanism.
secret="<password>"
This attribute holds the secret used by authentication
mechanisms that require it. Legal values for this attribute
include any printable characters that can be used by the
selected authentication mechanism.
clientprinc="<GSSAPI client principal>"
When using GSSAPI authentication, this attribute is consulted to
determine the principal name to use when authenticating to the
directory server. By default, this will be set to
"autofsclient/<fqdn>@<REALM>.
credentialcache="<external credential cache path>"
When using GSSAPI authentication, this attribute can be used to
specify an externally configured credential cache that is used
during authentication. By default, autofs will setup a memory
based credential cache.
SEE ALSO
auto.master(5),
AUTHOR
This manual page was written by Ian Kent <raven@themaw.net>.
19 Feb 2010