Provided by: autofs5_5.0.5-0ubuntu2_i386 bug

NAME

       autofs_ldap_auth.conf - autofs LDAP authentication configuration

DESCRIPTION

       LDAP  authenticated  binds, TLS encrypted connections and certification
       may be used by setting appropriate values in the autofs  authentication
       configuration  file  and  configuring  the LDAP client with appropriate
       settings.     The    default    location    of     this     file     is
       /etc/autofs_ldap_auth.conf.   If  this  file  exists it will be used to
       establish whether TLS or authentication should be used.

       An example of this file is:

         <?xml version="1.0" ?>
         <autofs_ldap_sasl_conf
                 usetls="yes"
                 tlsrequired="no"
                 authrequired="no"
                 authtype="DIGEST-MD5"
                 user="xyz"
                 secret="abc"
         />

       If TLS encryption is  to  be  used  the  location  of  the  Certificate
       Authority  certificate must be set within the LDAP client configuration
       in order to  validate  the  server  certificate.  If,  in  addition,  a
       certified  connection  is  to  be  used then the client certificate and
       private key file locations must also  be  configured  within  the  LDAP
       client.

OPTIONS

       This  files  contains  a  single  XML  element, as shown in the example
       above, with several attributes.

       The possible attributes are:

       usetls="yes"|"no"
              Determines whether an encrypted connection to  the  ldap  server
              should be attempted.

       tlsrequired="yes"|"no"
              This  flag  tells whether the ldap connection must be encrypted.
              If set to "yes", the  automounter  will  fail  to  start  if  an
              encrypted connection cannot be established.

       authrequired="yes"|"no"|"autodetect"|"simple"
              This  option  tells  whether  an authenticated connection to the
              ldap server is required in order to perform ldap queries. If the
              flag  is set to yes, only sasl authenticated connections will be
              allowed. If it is set to no then authentication  is  not  needed
              for ldap server connections. If it is set to autodetect then the
              ldap server  will  be  queried  to  establish  a  suitable  sasl
              authentication   mechanism.  If  no  suitable  mechanism  can be
              found,  connections  to  the  ldap  server  are   made   without
              authentication.  Finally,  if  it  is set to simple, then simple
              authentication will be used instead of SASL.

       authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5"
              This attribute can be used to specify a preferred authentication
              mechanism.
               In   normal   operations,   the  automounter  will  attempt  to
              authenticate  to   the   ldap   server   using   the   list   of
              supportedSASLmechanisms  obtained  from  the  directory  server.
              Explicitly setting the authtype will bypass this  selection  and
              only try the mechanism specified.

       user="<username>"
              This   attribute  holds  the  authentication  identity  used  by
              authentication mechanisms that require  it.   Legal  values  for
              this attribute include any printable characters that can be used
              by the selected authentication mechanism.

       secret="<password>"
              This  attribute  holds  the  secret   used   by   authentication
              mechanisms  that  require  it.  Legal  values for this attribute
              include any  printable  characters  that  can  be  used  by  the
              selected authentication mechanism.

       clientprinc="<GSSAPI client principal>"
              When using GSSAPI authentication, this attribute is consulted to
              determine the principal name to use when authenticating  to  the
              directory   server.   By   default,   this   will   be   set  to
              "autofsclient/<fqdn>@<REALM>.

       credentialcache="<external credential cache path>"
              When using GSSAPI authentication, this attribute can be used  to
              specify  an  externally configured credential cache that is used
              during authentication.  By default, autofs will setup  a  memory
              based credential cache.

SEE ALSO

       auto.master(5),

AUTHOR

       This manual page was written by Ian Kent <raven@themaw.net>.

                                  19 Feb 2010         AUTOFS_LDAP_AUTH.CONF(5)