autofs-5.0.5 - add autofs_ldap_auth.conf man page

From: Ian Kent <raven@themaw.net>

---

 CHANGELOG                      |    1 

 man/auto.master.5.in           |    3 +

 man/autofs.5                   |    1 

 man/autofs.8.in                |    1 

 man/autofs_ldap_auth.conf.5.in |   93 +++++++++++++++++++++++++++++++++++++++++

 man/automount.8                |    1 

 samples/autofs_ldap_auth.conf  |   64 ----------------------------

 7 files changed, 101 insertions(+), 63 deletions(-)

 create mode 100644 man/autofs_ldap_auth.conf.5.in

--- autofs-5.0.5.orig/CHANGELOG

+++ autofs-5.0.5/CHANGELOG

@@ -29,6 +29,7 @@

 - add locality as valid ldap master map attribute fix.

 - add simple bind authentication.

 - fix master map source server unavailable handling.

+- add autofs_ldap_auth.conf man page.

 03/09/2009 autofs-5.0.5

 -----------------------

--- autofs-5.0.5.orig/man/auto.master.5.in

+++ autofs-5.0.5/man/auto.master.5.in

@@ -365,6 +365,8 @@ and set the location of the client certi

 in the per-user configuration. The location of these files and the configuration

 entry requirements is system dependent so the documentation for your

 installation will need to be consulted to get further information.

+.P

+See \fBautofs_ldap_auth.conf\fP(5) for more information.

 .SH EXAMPLE

 .sp

 .RS +.2i

@@ -399,6 +401,7 @@ configuration will be used to locate the

 .BR automount (8),

 .BR autofs (5),

 .BR autofs (8).

+.BR autofs_ldap_auth.conf (5)

 .SH AUTHOR

 This manual page was written by Christoph Lameter <chris@waterf.org>,

 for the Dean GNU/Linux system.  Edited by <hpa@transmeta.com> and

--- autofs-5.0.5.orig/man/autofs.5

+++ autofs-5.0.5/man/autofs.5

@@ -229,6 +229,7 @@ and LDAP only.

 .BR auto.master (5),

 .BR autofs (8),

 .BR mount (8).

+.BR autofs_ldap_auth.conf (5)

 .SH AUTHOR

 This manual page was written by Christoph Lameter <chris@waterf.org>,

 for the Debian GNU/Linux system.  Edited by H. Peter Avian

--- autofs-5.0.5.orig/man/autofs.8.in

+++ autofs-5.0.5/man/autofs.8.in

@@ -50,6 +50,7 @@ will display the status of,

 .BR automount (8),

 .BR autofs (5),

 .BR auto.master (5).

+.BR autofs_ldap_auth.conf (5)

 .SH AUTHOR

 This manual page was written by Christoph Lameter <chris@waterf.org>,

 for the Debi GNU/Linux system.  Edited by H. Peter Anvin

--- /dev/null

+++ autofs-5.0.5/man/autofs_ldap_auth.conf.5.in

@@ -0,0 +1,93 @@

+.\" t

+.TH AUTOFS_LDAP_AUTH.CONF 5 "19 Feb 2010"

+.SH NAME

+autofs_ldap_auth.conf \- autofs LDAP authentication configuration

+.SH "DESCRIPTION"

+LDAP authenticated binds, TLS encrypted connections and certification

+may be used by setting appropriate values in the autofs authentication

+configuration file and configuring the LDAP client with appropriate

+settings.  The default location of this file is

+.nh

+.BR @@autofsmapdir@@/autofs_ldap_auth.conf .

+.hy

+If this file exists it will be used to establish whether TLS or authentication

+should be used.

+.P

+An example of this file is:

+.sp

+.RS +.2i

+.ta 1.0i

+.nf

+

+

+        usetls="yes"

+        tlsrequired="no"

+        authrequired="no"

+        authtype="DIGEST-MD5"

+        user="xyz"

+        secret="abc"

+/>

+.fi

+.RE

+.sp

+If TLS encryption is to be used the location of the Certificate Authority

+certificate must be set within the LDAP client configuration in 

+order to validate the server certificate. If, in addition, a certified

+connection is to be used then the client certificate and private key file

+locations must also be configured within the LDAP client.

+.SH "OPTIONS"

+This files contains a single XML element, as shown in the example above, with

+several attributes.

+.TP

+The possible attributes are:

+.TP

+\fBusetls="yes"|"no"\fP

+Determines whether an encrypted connection to the ldap server

+should be attempted.

+.TP

+\fBtlsrequired="yes"|"no"\fP

+This flag tells whether the ldap connection must be encrypted. If set to "yes",

+the automounter will fail to start if an encrypted connection cannot be

+established.

+.TP

+\fBauthrequired="yes"|"no"|"autodetect"|"simple"\fP

+This option tells whether an authenticated connection to the ldap server is

+required in order to perform ldap queries. If the flag is set to yes, only

+sasl authenticated connections will be allowed. If it is set to no then

+authentication is not needed for ldap server connections. If it is set to

+autodetect then the ldap server will be queried to establish a suitable sasl

+authentication  mechanism. If no suitable mechanism can be found, connections

+to the ldap server are made without authentication. Finally, if it is set to

+simple, then simple authentication will be used instead of SASL.

+.TP

+\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"\fP

+This attribute can be used to specify a preferred authentication mechanism.

+ In normal operations, the automounter will attempt to authenticate to the

+ldap server using the list of supportedSASLmechanisms obtained from the

+directory server.  Explicitly setting the authtype will bypass this selection

+and only try the mechanism specified.

+.TP

+\fBuser="<username>"\fP

+This attribute holds the authentication identity used by authentication

+mechanisms that require it.  Legal values for this attribute include any

+printable characters that can be used by the selected authentication

+mechanism.

+.TP

+\fBsecret="<password>"\fP

+This attribute holds the secret used by authentication mechanisms that

+require it. Legal values for this attribute include any printable

+characters that can be used by the selected authentication mechanism.

+.TP

+\fBclientprinc="<GSSAPI client principal>"\fP

+When using GSSAPI authentication, this attribute is consulted to determine

+the principal name to use when authenticating to the directory server. By

+default, this will be set to "autofsclient/<fqdn>@<REALM>.

+.TP

+\fBcredentialcache="<external credential cache path>"\fP

+When using GSSAPI authentication, this attribute can be used to specify an

+externally configured credential cache that is used during authentication.

+By default, autofs will setup a memory based credential cache.

+.SH "SEE ALSO"

+.BR auto.master (5),

+.SH AUTHOR

+This manual page was written by Ian Kent <raven@themaw.net>.

--- autofs-5.0.5.orig/man/automount.8

+++ autofs-5.0.5/man/automount.8

@@ -152,6 +152,7 @@ constructed has been detached from the m

 .BR autofs (8),

 .BR auto.master (5),

 .BR mount (8).

+.BR autofs_ldap_auth.conf (5)

 .SH BUGS

 Don't know, I've fixed everything I know about.

--- autofs-5.0.5.orig/samples/autofs_ldap_auth.conf

+++ autofs-5.0.5/samples/autofs_ldap_auth.conf

@@ -1,69 +1,7 @@

 This files contains a single entry with multiple attributes tied to it.

-The attributes are:

-

-usetls  -  Determines whether an encrypted connection to the ldap server

-	   should be attempted.  Legal values for the entry are:

-	   "yes"

-	   "no"

-

-tlsrequired  -  This flag tells whether the ldap connection must be

-	   encrypted.  If set to "yes", the automounter will fail to start

-	   if an encrypted connection cannot be established.  Legal values

-	   for this option include:

-	   "yes"

-	   "no"

-

-authrequired  -  This option tells whether an authenticated connection to

-	    the ldap server is required in order to perform ldap queries.

-	    If the flag is set to yes, only sasl authenticated connections

-	    will be allowed. If it is set to no then authentication is not

-	    needed for ldap server connections. If it is set to autodetect

-	    then the ldap server will be queried to establish a suitable

-	    sasl authentication mechanism. If no suitable mechanism can be

-	    found, connections to the ldap server are made without

-	    authentication. Finally, if it is set to simple, then simple

-	    authentication will be used instead of SASL.

-

-	    Legal values for this option include:

-	    "yes"

-	    "no"

-	    "autodetect"

-	    "simple"

-

-authtype  -  This attribute can be used to specify a preferred

-	    authentication mechanism.  In normal operations, the

-	    automounter will attempt to authenticate to the ldap server

-	    using the list of supportedSASLmechanisms obtained from the

-	    directory server.  Explicitly setting the authtype will bypass

-	    this selection and only try the mechanism specified.  Legal

-	    values for this attribute include:

-	    "GSSAPI"

-	    "LOGIN"

-	    "PLAIN"

-	    "ANONYMOUS"

-	    "DIGEST-MD5"

-

-user  -  This attribute holds the authentication identity used by

-	    authentication mechanisms that require it.  Legal values for

-	    this attribute include any printable characters that can be

-	    used by the selected authentication mechanism.

-

-secret  -  This attribute holds the secret used by authentication

-	    mechanisms that require it.  Legal values for this attribute

-	    include any printable characters that can be used by the

-	    selected authentication mechanism.

-

-clientprinc  -  When using GSSAPI authentication, this attribute is

-	    consulted to determine the principal name to use when

-	    authenticating to the directory server.  By default, this will

-	    be set to "autofsclient/<fqdn>@<REALM>.

-

-credentialcache - When using GSSAPI authentication, this attribute

-	    can be used to specify an externally configured credential

-	    cache that is used during authentication. By default, autofs

-	    will setup a memory based credential cache.

+See autofs_ldap_auth.conf(5) for more information.

 -->