On Mon, Apr 04, 2005 at 08:57:43PM +0800, [EMAIL PROTECTED] wrote:
> > Hmm, autofs over TLS works well for me with anonymous binds (only the
> > server is authenticated, the client remains unauthenticated).
> > Client authentication in the TLS layer (via client certificates) should
> > also be possible (and probably the most convenient form of client
> > authentication) but I never tried this seriously (I don't consider
> > automount information to be highly sensitive).
>
> That's been said before and I agree; however, if the server also has
> sensitive info and will only allow secured connections for this reason,
> we probably need to cater for it.
Ok, I see. I played with SASL/TLS a while ago in a different client and got it working, so I decided to give it a try and simply put pretty much the same code into autofs.

The interface for using SASL with OpenLDAP is still pretty undocumented (afaik), so much of the code is copied-and-pasted from the sample clients in the OpenLDAP source package. Nevertheless, it seems to work quite well, and I have put a new patch on http://timof.qipc.org/autofs which can do authenticated lookups with either

- LDAP simple authentication (with arbitrary binddn and password), or
- SASL authentication.

So far, the only SASL mechanism I have tried is "external", which is IMO the easiest one to set up (and it's non-interactive, which is good in this case: we probably don't want the automounter to hang, displaying a "password:" prompt on some terminal...).

The whole SASL part is pretty experimental; it works for me, but it would be good if others could test it and report problems.

The patch should apply cleanly to autofs-4.1.4-beta2. Except for minor changes to the Makefiles and configure script, only the lookup_ldap module is affected, so it should not interfere with non-LDAP stuff. To actually use SASL, you must configure --with-sasl (in addition to --with-openldap).

Greetings,
Timo

--
Timo Felbinger <[EMAIL PROTECTED]>
Quantum Physics Group        http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik         Tel: +49 331 977 1793   Fax: -1767
Universitaet Potsdam, Germany

_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs
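The three bind modes discussed in this thread (anonymous over TLS, simple bind with a binddn and password, and SASL EXTERNAL) differ mainly in which ones are safe for an unattended daemon. The following added example, which is not code from the autofs patch or from OpenLDAP, models that decision for an automounter-style client: it maps a set of assumed configuration fields (uri, auth, use_tls, binddn, bindpw, sasl_mech, client_cert; these field names are this example's own invention) onto the sequence of libldap calls the client would make, refuses a simple bind whose password would travel in cleartext, refuses SASL EXTERNAL without TLS and a client certificate, and rejects SASL mechanisms that would need interactive input. It also emits the equivalent ldapwhoami command line for checking a server by hand, which is what a tester of the patch would want. The libldap function names and the ldapwhoami flags (-H, -x, -D, -W, -Y, -Q, -ZZ) are real OpenLDAP names; the configuration fields and sample values are constructed.

```python
"""Bind-mode checks for a daemon-style LDAP client (the automounter case).

Added example, not code from the autofs patch or OpenLDAP. The configuration
fields below are assumptions for this illustration; the libldap function
names in the returned plan and the ldapwhoami flags are real OpenLDAP names.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# SASL mechanisms whose credentials come from outside the LDAP exchange
# (TLS client certificate, Kerberos ticket cache), so no prompt is needed.
NON_INTERACTIVE_SASL = {"EXTERNAL", "GSSAPI"}


@dataclass
class LdapAuthConfig:
    uri: str                            # ldap://host or ldaps://host
    auth: str = "anonymous"             # anonymous | simple | sasl
    use_tls: bool = False               # issue StartTLS before binding
    binddn: Optional[str] = None        # simple auth only
    bindpw: Optional[str] = None        # simple auth only
    sasl_mech: Optional[str] = None     # sasl auth only
    client_cert: Optional[str] = None   # client certificate, for EXTERNAL


class InsecureBind(ValueError):
    """Raised for settings that would leak credentials or hang the daemon."""


def _encrypted(cfg: LdapAuthConfig) -> bool:
    """True when the bind will travel inside TLS (ldaps:// or StartTLS)."""
    return cfg.uri.startswith("ldaps://") or cfg.use_tls


def plan_bind(cfg: LdapAuthConfig) -> List[str]:
    """Return the ordered libldap calls the client should make, or raise."""
    steps = [f"ldap_initialize({cfg.uri})",
             "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3)"]
    if cfg.use_tls:
        steps.append("ldap_start_tls_s()")
    if cfg.auth == "anonymous":
        # Only the server is authenticated (by TLS); the client stays anonymous.
        steps.append("ldap_sasl_bind_s(who=NULL, mechanism=LDAP_SASL_SIMPLE, cred=NULL)")
    elif cfg.auth == "simple":
        if not cfg.binddn or cfg.bindpw is None:
            raise InsecureBind("simple auth needs both binddn and bindpw")
        if not _encrypted(cfg):
            raise InsecureBind("simple bind would send the password in cleartext")
        steps.append(f"ldap_sasl_bind_s(who={cfg.binddn}, "
                     "mechanism=LDAP_SASL_SIMPLE, cred=<bindpw>)")
    elif cfg.auth == "sasl":
        mech = (cfg.sasl_mech or "").upper()
        if mech not in NON_INTERACTIVE_SASL:
            raise InsecureBind(f"SASL mechanism {mech or '(none)'} needs interactive input")
        if mech == "EXTERNAL" and not (_encrypted(cfg) and cfg.client_cert):
            raise InsecureBind("SASL EXTERNAL needs TLS with a client certificate")
        # LDAP_SASL_QUIET: never call the interaction callback for a prompt.
        steps.append(f"ldap_sasl_interactive_bind_s(mechs={mech}, flags=LDAP_SASL_QUIET)")
    else:
        raise ValueError(f"unknown auth type {cfg.auth}")
    return steps


def bind_error(cfg: LdapAuthConfig) -> Optional[str]:
    """Return the problem with cfg as a string, or None if it is acceptable."""
    try:
        plan_bind(cfg)
    except ValueError as exc:          # InsecureBind is a ValueError
        return str(exc)
    return None


def ldapwhoami_command(cfg: LdapAuthConfig) -> str:
    """Equivalent ldapwhoami invocation for checking a server by hand."""
    plan_bind(cfg)                     # apply the same checks first
    argv = ["ldapwhoami", "-H", cfg.uri]
    if cfg.use_tls:
        argv.append("-ZZ")             # StartTLS and fail if it does not succeed
    if cfg.auth == "anonymous":
        argv.append("-x")
    elif cfg.auth == "simple":
        argv += ["-x", "-D", cfg.binddn, "-W"]   # -W prompts; keeps pw off argv
    else:
        argv += ["-Y", cfg.sasl_mech.upper(), "-Q"]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample settings, not from any real deployment.
    for cfg in (LdapAuthConfig("ldap://ldap.example.org", use_tls=True),
                LdapAuthConfig("ldap://ldap.example.org", auth="simple",
                               binddn="cn=automount,dc=example,dc=org", bindpw="x"),
                LdapAuthConfig("ldap://ldap.example.org", auth="sasl", use_tls=True,
                               sasl_mech="external", client_cert="/etc/autofs/client.pem")):
        err = bind_error(cfg)
        print(ldapwhoami_command(cfg) if err is None else f"rejected: {err}")
```

The daemon never sees a "password:" prompt because the only SASL mechanisms accepted take their credentials from the TLS layer or a ticket cache, and a simple bind is only planned once the connection is already inside TLS.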