.\" t

.TH AUTOFS_LDAP_AUTH.CONF 5 "19 Feb 2010"

.SH NAME

autofs_ldap_auth.conf \- autofs LDAP authentication configuration

.SH "DESCRIPTION"

LDAP authenticated binds, TLS encrypted connections and certification

may be used by setting appropriate values in the autofs authentication

configuration file and configuring the LDAP client with appropriate

settings.  The default location of this file is

.nh

.BR @@autofsmapdir@@/autofs_ldap_auth.conf .

.hy

If this file exists it will be used to establish whether TLS or authentication

should be used.

.P

An example of this file is:

.sp

.RS +.2i

.ta 1.0i

.nf

        usetls="yes"

        tlsrequired="no"

        authrequired="no"

        authtype="DIGEST-MD5"

        user="xyz"

        secret="abc"

/>

.fi

.RE

.sp

If TLS encryption is to be used the location of the Certificate Authority

certificate must be set within the LDAP client configuration in 

order to validate the server certificate. If, in addition, a certified

connection is to be used then the client certificate and private key file

locations must also be configured within the LDAP client.

.SH "OPTIONS"

This files contains a single XML element, as shown in the example above, with

several attributes.

.TP

The possible attributes are:

.TP

\fBusetls="yes"|"no"\fP

Determines whether an encrypted connection to the ldap server

should be attempted.

.TP

\fBtlsrequired="yes"|"no"\fP

This flag tells whether the ldap connection must be encrypted. If set to "yes",

the automounter will fail to start if an encrypted connection cannot be

established.

.TP

\fBauthrequired="yes"|"no"|"autodetect"|"simple"\fP

This option tells whether an authenticated connection to the ldap server is

required in order to perform ldap queries. If the flag is set to yes, only

sasl authenticated connections will be allowed. If it is set to no then

authentication is not needed for ldap server connections. If it is set to

autodetect then the ldap server will be queried to establish a suitable sasl

authentication  mechanism. If no suitable mechanism can be found, connections

to the ldap server are made without authentication. Finally, if it is set to

simple, then simple authentication will be used instead of SASL.

.TP

\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"\fP

This attribute can be used to specify a preferred authentication mechanism.

In normal operations, the automounter will attempt to authenticate to the

ldap server using the list of supportedSASLmechanisms obtained from the

directory server.  Explicitly setting the authtype will bypass this selection

and only try the mechanism specified. The EXTERNAL mechanism may be used to

authenticate using a client certificate and requires that authrequired

set to "yes" if using SSL or usetls, tlsrequired and authrequired all set to

"yes" if using TLS, in addition to authtype being set to EXTERNAL.

.sp

If using authtype EXTERNAL two additional configuration entries are

required:

.sp

\fBexternal_cert="<client certificate path>"\fP

.sp

This specifies the path of the file containing the client certificate.

.sp

\fBexternal_key="<client certificate key path>"\fP

.sp

This specifies the path of the file containing the client certificate key.

.sp

These two configuration entries are mandatory when using the EXTERNAL method

as the HOME environment variable cannot be assumed to be set or, if it is,

to be set to the location we expect.

.TP

\fBuser="<username>"\fP

This attribute holds the authentication identity used by authentication

mechanisms that require it.  Legal values for this attribute include any

printable characters that can be used by the selected authentication

mechanism.

.TP

\fBsecret="<password>"\fP

This attribute holds the secret used by authentication mechanisms that

require it. Legal values for this attribute include any printable

characters that can be used by the selected authentication mechanism.

.TP

\fBencoded_secret="<base64 encoded password>"\fP

This attribute holds the base64 encoded secret used by authentication

mechanisms that require it. If this entry is present as well as the

secret entry this value will take precedence.

.TP

.TP

\fBclientprinc="<GSSAPI client principal>"\fP

When using GSSAPI authentication, this attribute is consulted to determine

the principal name to use when authenticating to the directory server. By

default, this will be set to "autofsclient/<fqdn>@<REALM>.

.TP

\fBcredentialcache="<external credential cache path>"\fP

When using GSSAPI authentication, this attribute can be used to specify an

externally configured credential cache that is used during authentication.

By default, autofs will setup a memory based credential cache.

.SH "SEE ALSO"

.BR auto.master (5),

.BR autofs.conf (5).

.SH AUTHOR

This manual page was written by Ian Kent <raven@themaw.net>.