Provided by: autofs-ldap_5.1.8-1ubuntu3_amd64 bug

NAME

       autofs_ldap_auth.conf - autofs LDAP authentication configuration

DESCRIPTION

       LDAP  authenticated  binds,  TLS  encrypted  connections  and certification may be used by
       setting appropriate values in the autofs authentication configuration file and configuring
       the  LDAP  client  with  appropriate  settings.   The  default  location  of  this file is
       /etc/autofs_ldap_auth.conf.  If this file exists it will be used to establish whether  TLS
       or authentication should be used.

       An example of this file is:

         <?xml version="1.0" ?>
         <autofs_ldap_sasl_conf
                 usetls="yes"
                 tlsrequired="no"
                 authrequired="no"
                 authtype="DIGEST-MD5"
                 user="xyz"
                 secret="abc"
         />

       If TLS encryption is to be used the location of the Certificate Authority certificate must
       be set within the LDAP client configuration in order to validate the  server  certificate.
       If,  in  addition,  a  certified  connection is to be used then the client certificate and
       private key file locations must also be configured within the LDAP client.

OPTIONS

       This files contains a single XML element, as shown in  the  example  above,  with  several
       attributes.

       The possible attributes are:

       usetls="yes"|"no"
              Determines whether an encrypted connection to the ldap server should be attempted.

       tlsrequired="yes"|"no"
              This flag tells whether the ldap connection must be encrypted. If set to "yes", the
              automounter will fail to start if an encrypted connection cannot be established.

       authrequired="yes"|"no"|"autodetect"|"simple"
              This option tells whether  an  authenticated  connection  to  the  ldap  server  is
              required  in  order  to  perform ldap queries. If the flag is set to yes, only sasl
              authenticated connections will be allowed. If it is set to no  then  authentication
              is not needed for ldap server connections. If it is set to autodetect then the ldap
              server will be queried to establish a suitable sasl authentication mechanism. If no
              suitable  mechanism  can  be found, connections to the ldap server are made without
              authentication. Finally, if it is set to simple, then simple authentication will be
              used instead of SASL.

       authtype="GSSAPI"|"LOGIN"|"PLAIN"|"ANONYMOUS"|"DIGEST-MD5|EXTERNAL"
              This  attribute  can  be  used to specify a preferred authentication mechanism.  In
              normal operations, the automounter will attempt to authenticate to the ldap  server
              using  the  list  of  supportedSASLmechanisms  obtained  from the directory server.
              Explicitly setting the authtype  will  bypass  this  selection  and  only  try  the
              mechanism  specified.  The  EXTERNAL  mechanism may be used to authenticate using a
              client certificate and requires that authrequired set to  "yes"  if  using  SSL  or
              usetls,  tlsrequired and authrequired all set to "yes" if using TLS, in addition to
              authtype being set to EXTERNAL.

              If using authtype EXTERNAL two additional configuration entries are required:

              external_cert="<client certificate path>"

              This specifies the path of the file containing the client certificate.

              external_key="<client certificate key path>"

              This specifies the path of the file containing the client certificate key.

              These two configuration entries are mandatory when using the EXTERNAL method as the
              HOME  environment  variable  cannot be assumed to be set or, if it is, to be set to
              the location we expect.

       user="<username>"
              This attribute holds the authentication identity used by authentication  mechanisms
              that  require it.  Legal values for this attribute include any printable characters
              that can be used by the selected authentication mechanism.

       secret="<password>"
              This attribute holds the secret used by authentication mechanisms that require  it.
              Legal  values  for this attribute include any printable characters that can be used
              by the selected authentication mechanism.

       encoded_secret="<base64 encoded password>"
              This attribute holds the base64 encoded secret used  by  authentication  mechanisms
              that  require  it.  If this entry is present as well as the secret entry this value
              will take precedence.

       clientprinc="<GSSAPI client principal>"
              When using GSSAPI authentication, this attribute  is  consulted  to  determine  the
              principal name to use when authenticating to the directory server. By default, this
              will be set to "autofsclient/<fqdn>@<REALM>.

       credentialcache="<external credential cache path>"
              When using GSSAPI  authentication,  this  attribute  can  be  used  to  specify  an
              externally  configured  credential  cache  that  is used during authentication.  By
              default, autofs will setup a memory based credential cache.

SEE ALSO

       auto.master(5), autofs.conf(5).

AUTHOR

       This manual page was written by Ian Kent <raven@themaw.net>.

                                           19 Feb 2010                   AUTOFS_LDAP_AUTH.CONF(5)