autofs-5.0.5 - add autofs_ldap_auth.conf man page
From: Ian Kent <raven@themaw.net>
---
CHANGELOG | 1
man/auto.master.5.in | 3 +
man/autofs.5 | 1
man/autofs.8.in | 1
man/autofs_ldap_auth.conf.5.in | 93 +++++++++++++++++++++++++++++++++++++++++
man/automount.8 | 1
samples/autofs_ldap_auth.conf | 64 ----------------------------
7 files changed, 101 insertions(+), 63 deletions(-)
create mode 100644 man/autofs_ldap_auth.conf.5.in
--- autofs-5.0.5.orig/CHANGELOG
+++ autofs-5.0.5/CHANGELOG
@@ -29,6 +29,7 @@
- add locality as valid ldap master map attribute fix.
- add simple bind authentication.
- fix master map source server unavailable handling.
+- add autofs_ldap_auth.conf man page.
03/09/2009 autofs-5.0.5
-----------------------
--- autofs-5.0.5.orig/man/auto.master.5.in
+++ autofs-5.0.5/man/auto.master.5.in
@@ -365,6 +365,8 @@ and set the location of the client certi
in the per-user configuration. The location of these files and the configuration
entry requirements is system dependent so the documentation for your
installation will need to be consulted to get further information.
+.P
+See \fBautofs_ldap_auth.conf\fP(5) for more information.
.SH EXAMPLE
.sp
.RS +.2i
@@ -399,6 +401,7 @@ configuration will be used to locate the
.BR automount (8),
.BR autofs (5),
.BR autofs (8).
+.BR autofs_ldap_auth.conf (5)
.SH AUTHOR
This manual page was written by Christoph Lameter <chris@waterf.org>,
for the Dean GNU/Linux system. Edited by <hpa@transmeta.com> and
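Review bot: the added ".BR autofs_ldap_auth.conf (5)" line follows ".BR autofs (8).", which still ends the list with a full stop, so SEE ALSO will render as "autofs(8). autofs_ldap_auth.conf(5)" with no separator and no final period. Change the preceding entry to end in a comma and end the new entry with a period. The same applies to the SEE ALSO additions in man/autofs.5, man/autofs.8.in and man/automount.8, where the new line follows ".BR mount (8).", ".BR auto.master (5)." and ".BR mount (8)." respectively.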
--- autofs-5.0.5.orig/man/autofs.5
+++ autofs-5.0.5/man/autofs.5
@@ -229,6 +229,7 @@ and LDAP only.
.BR auto.master (5),
.BR autofs (8),
.BR mount (8).
+.BR autofs_ldap_auth.conf (5)
.SH AUTHOR
This manual page was written by Christoph Lameter <chris@waterf.org>,
for the Debian GNU/Linux system. Edited by H. Peter Avian
--- autofs-5.0.5.orig/man/autofs.8.in
+++ autofs-5.0.5/man/autofs.8.in
@@ -50,6 +50,7 @@ will display the status of,
.BR automount (8),
.BR autofs (5),
.BR auto.master (5).
+.BR autofs_ldap_auth.conf (5)
.SH AUTHOR
This manual page was written by Christoph Lameter <chris@waterf.org>,
for the Debi GNU/Linux system. Edited by H. Peter Anvin
--- /dev/null
+++ autofs-5.0.5/man/autofs_ldap_auth.conf.5.in
@@ -0,0 +1,93 @@
+.\" t
+.TH AUTOFS_LDAP_AUTH.CONF 5 "19 Feb 2010"
+.SH NAME
+autofs_ldap_auth.conf \- autofs LDAP authentication configuration
+.SH "DESCRIPTION"
+LDAP authenticated binds, TLS encrypted connections and certification
+may be used by setting appropriate values in the autofs authentication
+configuration file and configuring the LDAP client with appropriate
+settings. The default location of this file is
+.nh
+.BR @@autofsmapdir@@/autofs_ldap_auth.conf .
+.hy
+If this file exists it will be used to establish whether TLS or authentication
+should be used.
+.P
+An example of this file is:
+.sp
+.RS +.2i
+.ta 1.0i
+.nf
+
+
+ usetls="yes"
+ tlsrequired="no"
+ authrequired="no"
+ authtype="DIGEST-MD5"
+ user="xyz"
+ secret="abc"
+/>
+.fi
+.RE
+.sp
+If TLS encryption is to be used the location of the Certificate Authority
+certificate must be set within the LDAP client configuration in
+order to validate the server certificate. If, in addition, a certified
+connection is to be used then the client certificate and private key file
+locations must also be configured within the LDAP client.
+.SH "OPTIONS"
+This files contains a single XML element, as shown in the example above, with
+several attributes.
+.TP
+The possible attributes are:
+.TP
+\fBusetls="yes"|"no"\fP
+Determines whether an encrypted connection to the ldap server
+should be attempted.
+.TP
+\fBtlsrequired="yes"|"no"\fP
+This flag tells whether the ldap connection must be encrypted. If set to "yes",
+the automounter will fail to start if an encrypted connection cannot be
+established.
+.TP
+\fBauthrequired="yes"|"no"|"autodetect"|"simple"\fP
+This option tells whether an authenticated connection to the ldap server is
+required in order to perform ldap queries. If the flag is set to yes, only
+sasl authenticated connections will be allowed. If it is set to no then
+authentication is not needed for ldap server connections. If it is set to
+autodetect then the ldap server will be queried to establish a suitable sasl
+authentication mechanism. If no suitable mechanism can be found, connections
+to the ldap server are made without authentication. Finally, if it is set to
+simple, then simple authentication will be used instead of SASL.
+.TP
+\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"\fP
+This attribute can be used to specify a preferred authentication mechanism.
+ In normal operations, the automounter will attempt to authenticate to the
+ldap server using the list of supportedSASLmechanisms obtained from the
+directory server. Explicitly setting the authtype will bypass this selection
+and only try the mechanism specified.
+.TP
+\fBuser="<username>"\fP
+This attribute holds the authentication identity used by authentication
+mechanisms that require it. Legal values for this attribute include any
+printable characters that can be used by the selected authentication
+mechanism.
+.TP
+\fBsecret="<password>"\fP
+This attribute holds the secret used by authentication mechanisms that
+require it. Legal values for this attribute include any printable
+characters that can be used by the selected authentication mechanism.
+.TP
+\fBclientprinc="<GSSAPI client principal>"\fP
+When using GSSAPI authentication, this attribute is consulted to determine
+the principal name to use when authenticating to the directory server. By
+default, this will be set to "autofsclient/<fqdn>@<REALM>.
+.TP
+\fBcredentialcache="<external credential cache path>"\fP
+When using GSSAPI authentication, this attribute can be used to specify an
+externally configured credential cache that is used during authentication.
+By default, autofs will setup a memory based credential cache.
+.SH "SEE ALSO"
+.BR auto.master (5),
+.SH AUTHOR
+This manual page was written by Ian Kent <raven@themaw.net>.
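Review bot: the page documents secret="<password>" and shows secret="abc" in the example, but nowhere states what ownership or permissions this file is expected to have; a file that stores a bind password needs that spelled out in DESCRIPTION or under the secret attribute. The example also pairs user and secret with tlsrequired="no" and authrequired="no", and the authrequired text says autodetect falls back to unauthenticated connections, so the text should say plainly that with these settings a connection may proceed unencrypted or unauthenticated. Smaller points: "This files contains" should read "This file contains"; the clientprinc default "autofsclient/<fqdn>@<REALM>. is missing its closing quote; the line " In normal operations" begins with a space, which forces a break in roff output; the ".TP" before "The possible attributes are:" turns that sentence into a tag with no body; and SEE ALSO ends on ".BR auto.master (5)," with a trailing comma.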
--- autofs-5.0.5.orig/man/automount.8
+++ autofs-5.0.5/man/automount.8
@@ -152,6 +152,7 @@ constructed has been detached from the m
.BR autofs (8),
.BR auto.master (5),
.BR mount (8).
+.BR autofs_ldap_auth.conf (5)
.SH BUGS
Don't know, I've fixed everything I know about.
--- autofs-5.0.5.orig/samples/autofs_ldap_auth.conf
+++ autofs-5.0.5/samples/autofs_ldap_auth.conf
@@ -1,69 +1,7 @@
This files contains a single entry with multiple attributes tied to it.
-The attributes are:
-
-usetls - Determines whether an encrypted connection to the ldap server
- should be attempted. Legal values for the entry are:
- "yes"
- "no"
-
-tlsrequired - This flag tells whether the ldap connection must be
- encrypted. If set to "yes", the automounter will fail to start
- if an encrypted connection cannot be established. Legal values
- for this option include:
- "yes"
- "no"
-
-authrequired - This option tells whether an authenticated connection to
- the ldap server is required in order to perform ldap queries.
- If the flag is set to yes, only sasl authenticated connections
- will be allowed. If it is set to no then authentication is not
- needed for ldap server connections. If it is set to autodetect
- then the ldap server will be queried to establish a suitable
- sasl authentication mechanism. If no suitable mechanism can be
- found, connections to the ldap server are made without
- authentication. Finally, if it is set to simple, then simple
- authentication will be used instead of SASL.
-
- Legal values for this option include:
- "yes"
- "no"
- "autodetect"
- "simple"
-
-authtype - This attribute can be used to specify a preferred
- authentication mechanism. In normal operations, the
- automounter will attempt to authenticate to the ldap server
- using the list of supportedSASLmechanisms obtained from the
- directory server. Explicitly setting the authtype will bypass
- this selection and only try the mechanism specified. Legal
- values for this attribute include:
- "GSSAPI"
- "LOGIN"
- "PLAIN"
- "ANONYMOUS"
- "DIGEST-MD5"
-
-user - This attribute holds the authentication identity used by
- authentication mechanisms that require it. Legal values for
- this attribute include any printable characters that can be
- used by the selected authentication mechanism.
-
-secret - This attribute holds the secret used by authentication
- mechanisms that require it. Legal values for this attribute
- include any printable characters that can be used by the
- selected authentication mechanism.
-
-clientprinc - When using GSSAPI authentication, this attribute is
- consulted to determine the principal name to use when
- authenticating to the directory server. By default, this will
- be set to "autofsclient/<fqdn>@<REALM>.
-
-credentialcache - When using GSSAPI authentication, this attribute
- can be used to specify an externally configured credential
- cache that is used during authentication. By default, autofs
- will setup a memory based credential cache.
+See autofs_ldap_auth.conf(5) for more information.
-->