.\" t
.TH AUTOFS_LDAP_AUTH.CONF 5 "19 Feb 2010"
.SH NAME
autofs_ldap_auth.conf \- autofs LDAP authentication configuration
.SH "DESCRIPTION"
LDAP authenticated binds, TLS encrypted connections and certification
may be used by setting appropriate values in the autofs authentication
configuration file and configuring the LDAP client with appropriate
settings. The default location of this file is
.nh
.BR @@autofsmapdir@@/autofs_ldap_auth.conf .
.hy
If this file exists it will be used to establish whether TLS or authentication
should be used.
.P
An example of this file is:
.sp
.RS +.2i
.ta 1.0i
.nf
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
	usetls="yes"
	tlsrequired="no"
	authrequired="no"
	authtype="DIGEST-MD5"
	user="xyz"
	secret="abc"
/>
.fi
.RE
.sp
If TLS encryption is to be used the location of the Certificate Authority
certificate must be set within the LDAP client configuration in
order to validate the server certificate. If, in addition, a certified
connection is to be used then the client certificate and private key file
locations must also be configured within the LDAP client.
.SH "OPTIONS"
This file contains a single XML element, as shown in the example above, with
several attributes.
.P
The possible attributes are:
.TP
\fBusetls="yes"|"no"\fP
Determines whether an encrypted connection to the ldap server
should be attempted.
.TP
\fBtlsrequired="yes"|"no"\fP
This flag tells whether the ldap connection must be encrypted. If set to "yes",
the automounter will fail to start if an encrypted connection cannot be
established.
.TP
\fBauthrequired="yes"|"no"|"autodetect"|"simple"\fP
This option tells whether an authenticated connection to the ldap server is
required in order to perform ldap queries. If the flag is set to yes, only
sasl authenticated connections will be allowed. If it is set to no then
authentication is not needed for ldap server connections. If it is set to
autodetect then the ldap server will be queried to establish a suitable sasl
authentication mechanism. If no suitable mechanism can be found, connections
to the ldap server are made without authentication. Finally, if it is set to
simple, then simple authentication will be used instead of SASL.
.TP
\fBauthtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"|"EXTERNAL"\fP
This attribute can be used to specify a preferred authentication mechanism.
In normal operations, the automounter will attempt to authenticate to the
ldap server using the list of supportedSASLmechanisms obtained from the
directory server. Explicitly setting the authtype will bypass this selection
and only try the mechanism specified. The EXTERNAL mechanism may be used to
authenticate using a client certificate and requires that authrequired be
set to "yes" if using SSL or usetls, tlsrequired and authrequired all be set to
"yes" if using TLS, in addition to authtype being set to EXTERNAL.
.sp
If using authtype EXTERNAL two additional configuration entries are
required:
.sp
\fBexternal_cert="<client certificate path>"\fP
.sp
This specifies the path of the file containing the client certificate.
.sp
\fBexternal_key="<client certificate key path>"\fP
.sp
This specifies the path of the file containing the client certificate key.
.sp
These two configuration entries are mandatory when using the EXTERNAL method
as the HOME environment variable cannot be assumed to be set or, if it is,
to be set to the location we expect.
.TP
\fBuser="<username>"\fP
This attribute holds the authentication identity used by authentication
mechanisms that require it. Legal values for this attribute include any
printable characters that can be used by the selected authentication
mechanism.
.TP
\fBsecret="<password>"\fP
This attribute holds the secret used by authentication mechanisms that
require it. Legal values for this attribute include any printable
characters that can be used by the selected authentication mechanism.
.TP
\fBencoded_secret="<base64 encoded password>"\fP
This attribute holds the base64 encoded secret used by authentication
mechanisms that require it. If this entry is present as well as the
secret entry this value will take precedence.
.TP
\fBclientprinc="<GSSAPI client principal>"\fP
When using GSSAPI authentication, this attribute is consulted to determine
the principal name to use when authenticating to the directory server. By
default, this will be set to "autofsclient/<fqdn>@<REALM>".
.TP
\fBcredentialcache="<external credential cache path>"\fP
When using GSSAPI authentication, this attribute can be used to specify an
externally configured credential cache that is used during authentication.
By default, autofs will set up a memory based credential cache.
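.P
The attribute rules above (encoded_secret taking precedence over secret, the entries EXTERNAL requires, and the autodetect fallback to an unauthenticated connection) expressed as a small configuration linter. This is an added example, not code from the autofs man page or the autofs source; the sample configuration is constructed, and it assumes that an absent usetls, tlsrequired or authrequired attribute behaves as "no".

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): TLS is attempted but not required,
# so the bind could still proceed if TLS negotiation fails.
SAMPLE_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="yes"
    tlsrequired="no"
    authrequired="yes"
    authtype="DIGEST-MD5"
    user="xyz"
    secret="abc"
    encoded_secret="eHl6"
/>
"""

def parse_conf(text):
    """Parse the single XML element and return its attributes as a dict."""
    return dict(ET.fromstring(text).attrib)

def effective_secret(attrs):
    """encoded_secret takes precedence over secret, as the man page states."""
    if "encoded_secret" in attrs:
        return base64.b64decode(attrs["encoded_secret"]).decode()
    return attrs.get("secret")

def audit_conf(attrs):
    """Return findings for combinations the man page calls required or that
    fall back silently. Assumption: absent flags behave as "no"."""
    findings = []
    usetls = attrs.get("usetls", "no") == "yes"
    tlsrequired = attrs.get("tlsrequired", "no") == "yes"
    authrequired = attrs.get("authrequired", "no")
    authtype = attrs.get("authtype")
    if ("secret" in attrs or "encoded_secret" in attrs) and not (usetls and tlsrequired):
        findings.append("secret configured but tlsrequired is not yes: "
                        "the bind may be sent over an unencrypted connection")
    if authtype == "EXTERNAL":
        for key in ("external_cert", "external_key"):
            if key not in attrs:
                findings.append("authtype EXTERNAL requires " + key)
        if authrequired != "yes":
            findings.append("authtype EXTERNAL requires authrequired set to yes")
        if usetls and not tlsrequired:
            findings.append("authtype EXTERNAL over TLS also requires tlsrequired set to yes")
    if authrequired == "autodetect":
        findings.append("authrequired autodetect falls back to an unauthenticated "
                        "connection if no suitable SASL mechanism is found")
    return findings
```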
.SH "SEE ALSO"
.BR auto.master (5),
.BR autofs.conf (5).
.SH AUTHOR
This manual page was written by Ian Kent <raven@themaw.net>.