On Tue, 5 Apr 2005, Timo Felbinger wrote:

> On Mon, Apr 04, 2005 at 08:57:43PM +0800, [EMAIL PROTECTED] wrote:
> > >
> > >Hmm, autofs over TLS works well for me with anonymous binds (only the
> > >server is authenticated, the client remains unauthenticated).
> > >Client authentication in the TLS layer (via client certificates) should
> > >also be possible (and probably the most convenient form of client
> > >authentication) but I never tried this seriously (I don't consider
> > >automount information to be highly sensitive).
> > 
> > That's been said before and I agree however if the server also has 
> > sensitive info and will only allow secured connections for this reason 
> > we probably need to cater for it.
> 
> Ok, I see. I played with SASL/TLS a while ago in a different client and
> got it working, so I decided to give it a try and simply put pretty much
> the same code into autofs.
> The interface for using SASL with OpenLDAP is still pretty undocumented
> (afaik), so much of the code is copied-and-pasted from the sample clients
> in the OpenLDAP source package. Nevertheless, it seems to work quite well,
> and I have put a new patch on
>   http://timof.qipc.org/autofs
> which can do authenticated lookups with either
> - LDAP simple authentication (with arbitrary binddn and password),
>   or
> - SASL authentication.
> 
> So far, the only SASL mechanism I have tried is "external", which is
> IMO the easiest one to set up (and it's non-interactive, which is good
> in this case: we probably don't want the automounter to hang, displaying
> a "password:" prompt on some terminal...).

There isn't a terminal to prompt on.
Yes. A daemon like this should not have any interactive dependencies.

But also encoding the auth info on the command line is giving too much away 
to the casual user who might be looking around.

> 
> The whole SASL part is pretty experimental; it works for me but it would
> be good if others could test it and report problems. The patch should
> apply cleanly to autofs-4.1.4-beta2. Except for minor changes to the
> Makefiles and configure script, only the lookup_ldap module is affected,
> so it should not interfere with non-LDAP stuff. To actually use SASL, you
> must configure --with-sasl (in addition to --with-openldap).
> 

This all sounds great.

I have a couple of long overdue tasks to get out of the road before 
I start to merge this work. They aren't straightforward and could take a 
while.

Ian
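The concern above, that a bind DN and password passed on the daemon's command line are visible to any local user who lists processes, is the usual reason such settings are read from a root-only file instead. The following is an added illustration, not code from the thread or from the autofs patch: it flags password values sitting in an argument vector, and it loads `binddn`/`password` from a small key=value file only after checking that the file is a regular file, owned by the invoking user, and not group- or world-readable. The flag names, file format and sample values are constructed for the example and are assumptions, not autofs options.

```python
import os
import stat
import tempfile

# Flags that conventionally take a password as the next argument or as
# "flag=value". Constructed for illustration; not autofs options.
PASSWORD_FLAGS = ("-w", "--password", "--bindpw")


def find_password_args(argv):
    """Return every password value that appears in argv.

    Anything returned here would be readable by other local users through
    the process listing, which is exactly what a daemon should avoid.
    """
    found = []
    for i, arg in enumerate(argv):
        if arg in PASSWORD_FLAGS and i + 1 < len(argv):
            found.append(argv[i + 1])
            continue
        for flag in PASSWORD_FLAGS:
            if arg.startswith(flag + "="):
                found.append(arg[len(flag) + 1:])
    return found


def load_bind_credentials(path):
    """Load binddn/password from a file, refusing unsafe permissions.

    Assumed file format (constructed): one 'key = value' per line,
    '#' comments allowed.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("credential file must be a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError("credential file must be owned by the daemon's user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("credential file must not be group/world accessible")

    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            creds[key.strip()] = value.strip()
    if "binddn" not in creds or "password" not in creds:
        raise ValueError("credential file needs both binddn and password")
    return creds


def demo():
    """Exercise both checks on constructed input and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cred_file = os.path.join(tmp, "ldap.creds")
        with open(cred_file, "w") as fh:
            fh.write("# constructed sample credential file\n"
                     "binddn = cn=automount,dc=example,dc=org\n"
                     "password = s3cret\n")
        os.chmod(cred_file, 0o600)          # acceptable: owner-only
        results["ok"] = load_bind_credentials(cred_file)

        os.chmod(cred_file, 0o644)          # world-readable: must be refused
        try:
            load_bind_credentials(cred_file)
            results["world_readable"] = "accepted"
        except PermissionError:
            results["world_readable"] = "rejected"

    # Constructed argv resembling a daemon started with its password inline.
    argv = ["automount", "-D", "cn=automount,dc=example,dc=org", "-w", "s3cret"]
    results["argv_leaks"] = find_password_args(argv)
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check runs before the file is opened, and the ownership test uses the effective uid so a daemon started via setuid or a service manager compares against the identity it actually runs as.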



_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs
