Autofs TLS and binddn/bindpw patch.

Autofs TLS and binddn/bindpw patch.

[mzozd]

[-- Attachment #1: Type: text/plain, Size: 166 bytes --]

Dear maintainer,

this patch adds support for TLS and non-anonymous binds for autofs.


You could include it in your next release if you feel so.




Thanks,


MzOzD

[-- Attachment #2: autofs.patch --]
[-- Type: text/plain, Size: 2224 bytes --]

--- samples/autofs-ldap-auto-master.c.orig	2005-03-30 17:43:06.000000000 +0100
+++ samples/autofs-ldap-auto-master.c	2005-03-31 01:11:23.000000000 +0100
@@ -26,6 +26,8 @@
 #define ENTRYOC "nisObject"
 #define ENTRYKEY "cn"
 #define VALUE "nisMapEntry"
+#define BINDDN NULL
+#define BINDPW NULL
 
 static int
 dump_map(LDAP *ld,
@@ -162,12 +164,12 @@
 	int c;
 	const char *map_key = MAPKEY, *entry_key = ENTRYKEY, *value = VALUE;
 	const char *map_oc = MAPOC, *entry_oc = ENTRYOC;
-	const char *map = MAP;
+	const char *map = MAP, *bindpw=BINDPW, *binddn=BINDDN;  
 
 	setlocale(LC_ALL, "");
 
 	/* Scan through the argument list. */
-	while((c = getopt(argc, argv, "m:e:n:k:v:")) != -1) {
+	while((c = getopt(argc, argv, "m:e:n:k:v:U:P:")) != -1) {
 		switch(c) {
 			case 'm':
 				/* This is the object class we expect maps to
@@ -198,8 +200,22 @@
 				 * VALUE attribute. */
 				value = optarg;
 				break;
+			case 'U':
+			/* This is the BindDN for connecting to the server
+			 *  Particular usefull in my opinion...
+			 */
+				binddn = optarg;
+				break;
+			case 'P':
+			/* This is the BindPW for connecting to the server
+			 *  Particular usefull in my opinion...
+			 */
+				bindpw = optarg;
+				break;
 			default:
 				fprintf(stderr, "syntax: %s\n"
+					"\t[-U] BindDN\n"
+					"\t[-P] BindPW\n"
 					"\t[-m %s] (map object class)\n"
 					"\t[-e %s] (entry object class)\n"
 					"\t[-n %s] (attribute used as map key)\n"
@@ -235,8 +251,15 @@
 		ld = ldap_init(NULL, LDAP_PORT);
 	}
 
+	/* Start TLS */
+	result = ldap_start_tls_s(ld, NULL, NULL);
+	if (result != LDAP_SUCCESS) {
+		fprintf(stderr, "%s: ldap_connect: (TLS) ldap_start_tls() %s",
+                  argv[0], ldap_err2string(result));
+	}
+
 	/* Connect to the server anonymously. */
-	result = ldap_simple_bind_s(ld, NULL, NULL);
+	result = ldap_simple_bind_s(ld, binddn, bindpw);
 	if(result != LDAP_SUCCESS) {
 		fprintf(stderr, "%s: error binding to server: %s\n",
 			argv[0], ldap_err2string(result));
@@ -244,6 +267,7 @@
 		return 2;
 	}
 
+
 	/* Try to dump the map given the preferred or user-supplied schema. */
 	if(!dump_map(ld, map, map_oc, entry_oc, map_key, entry_key, value)) {
 		if(strcmp(map_oc, "automountMap") ||

[-- Attachment #3: Type: text/plain, Size: 140 bytes --]

_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs

Re: Autofs TLS and binddn/bindpw patch.

[raven]

On Thu, 31 Mar 2005, mzozd wrote:

>
> this patch adds support for TLS and non-anonymous binds for autofs.

That's for master maps only right?

Ian

Re: Autofs TLS and binddn/bindpw patch.

[mzozd]

[-- Attachment #1: Type: text/plain, Size: 1513 bytes --]

Dear Raven,

please DISREGARD MY PREVIOUS PATCH. I have created two seperate patches
to address this issue more seriously.

I am attaching the patches in this e-mail and i am going to give you a
short explanation of what is changed and why:

The problem is that if an ldap server is NOT allowing anonymous binds,
there is no way for autofs to acquire the information from the autofs
schema in ldap. Thus, it is also impossible to query for the schema if
the ldap server ENFORCES a TLS only authenticatiion.

The attached two patches address that issue by doing the following:

a) Open /etc/ldap.conf to read any rootbinddn option.
b) Open /etc/ldap.secret to read any password if the rootbinddn option
is in the conf.
c) Try to initiate TLS with the server (assuming the path to the
certifacte(s) is defined in /etc/openldap/ldap.conf).
d) Bind with rootdn and password defines in the configuration files.

I have successfully tested this patch with the latest autofs and
openldap autofs schema and it works. It may be needed some minor
adjustments. I have tried, and as far as i tested succeed, to maintain
the previous behaviour of the program but other people should verify
that via testing.


Thanks you,

MzOzD

PS: For any updates for this patch you may look at
http://crux-ports.ad2u.ath.cx/ports/autofs-ldap/

raven@themaw.net wrote:
> On Thu, 31 Mar 2005, mzozd wrote:
> 
>>
>> this patch adds support for TLS and non-anonymous binds for autofs.
> 
> 
> That's for master maps only right?
> 
> Ian
> 
> 

[-- Attachment #2: autofs-ldap-auto-master.patch --]
[-- Type: text/plain, Size: 3331 bytes --]

--- samples/autofs-ldap-auto-master.orig.c	2005-04-02 17:43:52.000000000 +0100
+++ samples/autofs-ldap-auto-master.c	2005-04-02 20:05:21.000000000 +0100
@@ -27,6 +27,84 @@
 #define ENTRYKEY "cn"
 #define VALUE "nisMapEntry"
 
+#define LDAP_CONFIG "/etc/ldap.conf"
+#define LDAP_SECRET "/etc/ldap.secret"
+#define bsize 4096
+const char *binddn=NULL;
+const char *bindpw=NULL;
+
+void ldap_readconfig() {
+FILE *fp,*fp2;
+char b[bsize];
+
+
+if ( (fp = fopen(LDAP_CONFIG, "r")) != NULL) {
+
+while (fgets (b, sizeof (b), fp) != NULL) {
+  char *k, *v;
+  int len;
+
+if (*b == '\n' || *b == '#')
+        continue;
+      k = b;
+      v = k;
+/* skip past all characters in keyword */
+      while (*v != '\0' && *v != ' ' && *v != '\t')
+        v++;
+      if (*v == '\0')
+        continue;
+ /* terminate keyword */
+      *(v++) = '\0';
+
+      /* skip empty lines with more than 3 spaces at the start of the line */
+      /* rds.oliver@samera.com.py 01-set-2004                              */
+      if (*v == '\n')
+        continue;
+
+ /* skip all whitespaces between keyword and value */
+      /* Lars Oergel <lars.oergel@innominate.de>, 05.10.2000 */
+      while (*v == ' ' || *v == '\t')
+        v++;
+
+      /* kick off all whitespaces and newline at the end of value */
+      /* Bob Guo <bob@mail.ied.ac.cn>, 08.10.2001 */
+      len = strlen (v) - 1;
+      while (v[len] == ' ' || v[len] == '\t' || v[len] == '\n')
+        --len;
+      v[++len] = '\0';
+if (!strcasecmp (k, "rootbinddn")) {
+	binddn=v;
+	/* Open the /etc/ldap.secret now and read the password */
+	if ( (fp2 = fopen (LDAP_SECRET, "r")) == NULL) {
+		/* We couldn't read the pass, reset binddn and print
+		 * an error message
+		 */
+		binddn=NULL;
+		fprintf(stderr,"file %s couldn't be opened\n",LDAP_SECRET);
+	} else {
+		char tmp[128];
+		memset(tmp,0,sizeof(tmp));
+		if (fgets (tmp, sizeof (tmp), fp2) != NULL) {
+			int len;
+			len = strlen (tmp);
+			char buffer[128];
+			memset(buffer,0,sizeof(buffer));
+			if (len > 0 && tmp[len - 1] == '\n')
+	        		len--;
+	        	strncpy (buffer, tmp, len);
+			buffer[len] = '\0';
+	       		bindpw=buffer;
+		}
+	  fclose (fp2);
+	}
+    break;
+    }
+}
+fclose(fp);
+} else  
+	fprintf(stderr,"file %s couldn't be opened\n",LDAP_CONFIG);
+}
+
 static int
 dump_map(LDAP *ld,
 	 const char *map_name,
@@ -235,8 +313,27 @@
 		ld = ldap_init(NULL, LDAP_PORT);
 	}
 
-	/* Connect to the server anonymously. */
-	result = ldap_simple_bind_s(ld, NULL, NULL);
+	/* Get binddn/bindpw credentials from system config files.
+	 * That functions sucks. Someone fix this.
+	 */
+	ldap_readconfig(); 
+
+/*	fprintf(stderr,"Credentials: %s[%d]/%s[%d]\n",binddn,
+						      strlen(binddn),
+					              bindpw,
+						      strlen(bindpw));
+*/	
+       /* Start TLS */
+       result = ldap_start_tls_s(ld, NULL, NULL);
+       if (result != LDAP_SUCCESS) {
+               fprintf(stderr, "%s: ldap_connect: (TLS) ldap_start_tls() %s",
+                  argv[0], ldap_err2string(result));
+       }
+
+	/* Connect to the server anonymously or with the dn specified in the
+	 * system config files.
+	 */
+	result = ldap_simple_bind_s(ld, binddn, bindpw);
 	if(result != LDAP_SUCCESS) {
 		fprintf(stderr, "%s: error binding to server: %s\n",
 			argv[0], ldap_err2string(result));

[-- Attachment #3: autofs-module-ldap.patch --]
[-- Type: text/plain, Size: 4371 bytes --]

--- modules/lookup_ldap.c.orig	2005-04-02 22:44:35.000000000 +0100
+++ modules/lookup_ldap.c	2005-04-02 22:43:46.000000000 +0100
@@ -27,7 +27,12 @@
 #define MAPFMT_DEFAULT "sun"
 
 #define MODPREFIX "lookup(ldap): "
-
+#define LDAP_CONFIG "/etc/ldap.conf"
+#define LDAP_SECRET "/etc/ldap.secret"
+#define bsize 4096 
+const char *binddn=NULL;
+const char *bindpw=NULL;
+	
 struct lookup_context {
 	char *server, *base;
 	int port;
@@ -36,6 +41,78 @@
 
 int lookup_version = AUTOFS_LOOKUP_VERSION;	/* Required by protocol */
 
+
+void ldap_readconfig() {
+
+FILE *fp,*fp2;
+char b[bsize];
+if ( (fp = fopen(LDAP_CONFIG, "r")) != NULL) {
+ 
+while (fgets (b, sizeof (b), fp) != NULL) {
+  char *k, *v;
+  int len;
+
+if (*b == '\n' || *b == '#')
+        continue;
+      k = b;
+      v = k;
+/* skip past all characters in keyword */
+      while (*v != '\0' && *v != ' ' && *v != '\t')
+        v++;
+      if (*v == '\0')   
+        continue;
+ /* terminate keyword */
+      *(v++) = '\0';
+
+      /* skip empty lines with more than 3 spaces at the start of the line */
+      /* rds.oliver@samera.com.py 01-set-2004                              */
+      if (*v == '\n')
+        continue;
+
+ /* skip all whitespaces between keyword and value */
+      /* Lars Oergel <lars.oergel@innominate.de>, 05.10.2000 */
+      while (*v == ' ' || *v == '\t')
+        v++;
+        
+      /* kick off all whitespaces and newline at the end of value */
+      /* Bob Guo <bob@mail.ied.ac.cn>, 08.10.2001 */
+      len = strlen (v) - 1;
+      while (v[len] == ' ' || v[len] == '\t' || v[len] == '\n')
+        --len;
+      v[++len] = '\0';  
+if (!strcasecmp (k, "rootbinddn")) {
+        binddn=v;
+        /* Open the /etc/ldap.secret now and read the password */
+        if ( (fp2 = fopen (LDAP_SECRET, "r")) == NULL) {
+                /* We couldn't read the pass, reset binddn and print
+                 * an error message
+               */  
+                binddn=NULL;
+                fprintf(stderr,"file %s couldn't be opened\n",LDAP_SECRET);
+        } else {
+                char tmp[128];
+                memset(tmp,0,sizeof(tmp));
+                if (fgets (tmp, sizeof (tmp), fp2) != NULL) {
+                        int len;
+                        len = strlen (tmp);
+                        char buffer[128];
+                        memset(buffer,0,sizeof(buffer));
+                        if (len > 0 && tmp[len - 1] == '\n')
+                                len--;
+                        strncpy (buffer, tmp, len);  
+                        buffer[len] = '\0';
+                        bindpw=buffer;
+                }
+          fclose (fp2);
+        }
+    break;
+    }
+}
+fclose(fp);
+} else
+        fprintf(stderr,"file %s couldn't be opened\n",LDAP_CONFIG);
+}
+
 /*
  * This initializes a context (persistent non-global data) for queries to
  * this module.  Return zero if we succeed.
@@ -131,11 +208,23 @@
 		}
 	}
 
+	/* Get binddn/bindpw credentials from system config files.
+	* That functions sucks. Someone fix this.
+	*/
+	ldap_readconfig();
+
+    /* Start TLS */
+       rv = ldap_start_tls_s(ldap, NULL, NULL);
+       if (rv != LDAP_SUCCESS) {
+               fprintf(stderr, "ldap_connect: (TLS) ldap_start_tls() %s", 
+                  ldap_err2string(rv));
+       }
+
 	/* Connect to the server as an anonymous user. */
 	if (version == 2)
 		rv = ldap_simple_bind_s(ldap, ctxt->base, NULL);
 	else
-		rv = ldap_simple_bind_s(ldap, NULL, NULL);
+		rv = ldap_simple_bind_s(ldap, binddn, bindpw);
 
 	if (rv != LDAP_SUCCESS) {
 		crit(MODPREFIX "couldn't connect to %s", ctxt->server);
@@ -203,11 +292,24 @@
 		}
 	}
 
+       /* Start TLS */
+       rv = ldap_start_tls_s(ldap, NULL, NULL);
+       if (rv != LDAP_SUCCESS) {
+               fprintf(stderr, "ldap_connect: (TLS) ldap_start_tls() %s",
+                  ldap_err2string(rv));
+       }
+
+       /* Get binddn/bindpw credentials from system config files.
+        * That functions sucks. Someone fix this.
+        */
+
+	ldap_readconfig();
+	
 	/* Connect to the server as an anonymous user. */
 	if (version == 2)
 		rv = ldap_simple_bind_s(ldap, ctxt->base, NULL);
 	else
-		rv = ldap_simple_bind_s(ldap, NULL, NULL);
+		rv = ldap_simple_bind_s(ldap, binddn, bindpw);
 
 	if (rv != LDAP_SUCCESS) {
 		crit(MODPREFIX "couldn't bind to %s",

[-- Attachment #4: Type: text/plain, Size: 140 bytes --]

_______________________________________________
autofs mailing list
autofs@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/autofs

Re: Autofs TLS and binddn/bindpw patch.

[Ian Kent]

On Sun, 3 Apr 2005, mzozd wrote:

> Dear Raven,
> 
> please DISREGARD MY PREVIOUS PATCH. I have created two seperate patches
> to address this issue more seriously.
> 
> I am attaching the patches in this e-mail and i am going to give you a
> short explanation of what is changed and why:
> 
> The problem is that if an ldap server is NOT allowing anonymous binds,
> there is no way for autofs to acquire the information from the autofs
> schema in ldap. Thus, it is also impossible to query for the schema if
> the ldap server ENFORCES a TLS only authenticatiion.
> 
> The attached two patches address that issue by doing the following:
> 
> a) Open /etc/ldap.conf to read any rootbinddn option.
> b) Open /etc/ldap.secret to read any password if the rootbinddn option
> is in the conf.
> c) Try to initiate TLS with the server (assuming the path to the
> certifacte(s) is defined in /etc/openldap/ldap.conf).

We shouldn't need care about the certificate. This should be taken care of 
with an API call either succeeding or failing.

> d) Bind with rootdn and password defines in the configuration files.

All this stuff is openldap specific.

Can we do this via an LDAP API?
How much of this can be done using a generalised dn?

This may already be the case as I haven't had a look yet but can we 
seperate out the LDAP implementation specific stuff to a seperate module?

> 
> I have successfully tested this patch with the latest autofs and
> openldap autofs schema and it works. It may be needed some minor
> adjustments. I have tried, and as far as i tested succeed, to maintain
> the previous behaviour of the program but other people should verify
> that via testing.

I have another patch that generalises the dn format and cleans up the LDAP 
module. It looks quite good but is very much out of date. The LDAP module 
is quite ugly and certainly needs work.

It's going to be quite a big job to merge these patches. Hopefully 
we can work together on this.

Ian

Re: Autofs TLS and binddn/bindpw patch.

[Timo Felbinger]

On Mon, Apr 04, 2005 at 10:44:28AM +0800, Ian Kent wrote:
> 
> On Sun, 3 Apr 2005, mzozd wrote:
> 
> > Dear Raven,
> > 
> > please DISREGARD MY PREVIOUS PATCH. I have created two seperate patches
> > to address this issue more seriously.
> > 
> > I am attaching the patches in this e-mail and i am going to give you a
> > short explanation of what is changed and why:
> > 
> > The problem is that if an ldap server is NOT allowing anonymous binds,
> > there is no way for autofs to acquire the information from the autofs
> > schema in ldap. Thus, it is also impossible to query for the schema if
> > the ldap server ENFORCES a TLS only authenticatiion.

Hmm, autofs over TLS works well for me with anonymous binds (only the
server is authenticated, the client remains unauthenticated).
Client authentication in the TLS layer (via client certificates) should
also be possible (and probably the most convenient form of client
authentication) but I never tried this seriously (I don't consider
automount information to be highly sensitive).

> > The attached two patches address that issue by doing the following:
> > 
> > a) Open /etc/ldap.conf to read any rootbinddn option.
> > b) Open /etc/ldap.secret to read any password if the rootbinddn option
> > is in the conf.
> > c) Try to initiate TLS with the server (assuming the path to the
> > certifacte(s) is defined in /etc/openldap/ldap.conf).
> 
> We shouldn't need care about the certificate. This should be taken care of 
> with an API call either succeeding or failing.
> 
> > d) Bind with rootdn and password defines in the configuration files.
> 
> All this stuff is openldap specific.
> 
> Can we do this via an LDAP API?
> How much of this can be done using a generalised dn?
> 
> This may already be the case as I haven't had a look yet but can we 
> seperate out the LDAP implementation specific stuff to a seperate module?
> 
> > 
> > I have successfully tested this patch with the latest autofs and
> > openldap autofs schema and it works. It may be needed some minor
> > adjustments. I have tried, and as far as i tested succeed, to maintain
> > the previous behaviour of the program but other people should verify
> > that via testing.
> 
> I have another patch that generalises the dn format and cleans up the LDAP 
> module. It looks quite good but is very much out of date. The LDAP module 
> is quite ugly and certainly needs work.

I might be the author of this other patch. Last year I posted an older
version (for 4.1.3) to the list. I believe the current version has not
been mentioned yet: It's at
   http://timof.qipc.org/autofs
and it patches (only) the lookup_ldap-module of the current 4.1.4-beta
version of autofs.  It can already do TLS, and takes map names in a more
flexible format than before. In particular, it supports the "extension"-
field of ldap urls, which would be a natural place to implement a binddn
(IIRC, some rfc even recommends this as a "standard" extension). It is
currently not there but adding binddn to the patch should not be hard.
Where to take the password from is a different thing: maybe an extension
naming a file to read the password from?

This patch only addresses regular lookups, not master maps. So far, it
works well for me, but it would be good if others could test it, too.

Regards,

Timo Felbinger


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany

Re: Autofs TLS and binddn/bindpw patch.

[raven]

On Mon, 4 Apr 2005, Timo Felbinger wrote:

> On Mon, Apr 04, 2005 at 10:44:28AM +0800, Ian Kent wrote:
>>
>> On Sun, 3 Apr 2005, mzozd wrote:
>>
>>> Dear Raven,
>>>
>>> please DISREGARD MY PREVIOUS PATCH. I have created two seperate patches
>>> to address this issue more seriously.
>>>
>>> I am attaching the patches in this e-mail and i am going to give you a
>>> short explanation of what is changed and why:
>>>
>>> The problem is that if an ldap server is NOT allowing anonymous binds,
>>> there is no way for autofs to acquire the information from the autofs
>>> schema in ldap. Thus, it is also impossible to query for the schema if
>>> the ldap server ENFORCES a TLS only authenticatiion.
>
> Hmm, autofs over TLS works well for me with anonymous binds (only the
> server is authenticated, the client remains unauthenticated).
> Client authentication in the TLS layer (via client certificates) should
> also be possible (and probably the most convenient form of client
> authentication) but I never tried this seriously (I don't consider
> automount information to be highly sensitive).

That's been said before and I agree however if the server also has 
sensitive info and will only allow secured connections for this reason 
we probably need to cater for it.

>
>>> The attached two patches address that issue by doing the following:
>>>
>>> a) Open /etc/ldap.conf to read any rootbinddn option.
>>> b) Open /etc/ldap.secret to read any password if the rootbinddn option
>>> is in the conf.
>>> c) Try to initiate TLS with the server (assuming the path to the
>>> certifacte(s) is defined in /etc/openldap/ldap.conf).
>>
>> We shouldn't need care about the certificate. This should be taken care of
>> with an API call either succeeding or failing.
>>
>>> d) Bind with rootdn and password defines in the configuration files.
>>
>> All this stuff is openldap specific.
>>
>> Can we do this via an LDAP API?
>> How much of this can be done using a generalised dn?
>>
>> This may already be the case as I haven't had a look yet but can we
>> seperate out the LDAP implementation specific stuff to a seperate module?
>>
>>>
>>> I have successfully tested this patch with the latest autofs and
>>> openldap autofs schema and it works. It may be needed some minor
>>> adjustments. I have tried, and as far as i tested succeed, to maintain
>>> the previous behaviour of the program but other people should verify
>>> that via testing.
>>
>> I have another patch that generalises the dn format and cleans up the LDAP
>> module. It looks quite good but is very much out of date. The LDAP module
>> is quite ugly and certainly needs work.
>
> I might be the author of this other patch. Last year I posted an older

Ideed you are.

It's currently sitting patiently in my 4.1.5 bin.

Sorry to take so long with this.

> version (for 4.1.3) to the list. I believe the current version has not
> been mentioned yet: It's at
>   http://timof.qipc.org/autofs
> and it patches (only) the lookup_ldap-module of the current 4.1.4-beta
> version of autofs.  It can already do TLS, and takes map names in a more
> flexible format than before. In particular, it supports the "extension"-
> field of ldap urls, which would be a natural place to implement a binddn
> (IIRC, some rfc even recommends this as a "standard" extension). It is
> currently not there but adding binddn to the patch should not be hard.
> Where to take the password from is a different thing: maybe an extension
> naming a file to read the password from?

The main goodnes about the patch is that it's not tied to specific 
config files.

>
> This patch only addresses regular lookups, not master maps. So far, it
> works well for me, but it would be good if others could test it, too.
>
> Regards,
>
> Timo Felbinger
>

Ian

Re: Autofs TLS and binddn/bindpw patch.

[Timo Felbinger]

On Mon, Apr 04, 2005 at 08:57:43PM +0800, raven@themaw.net wrote:
> >
> >Hmm, autofs over TLS works well for me with anonymous binds (only the
> >server is authenticated, the client remains unauthenticated).
> >Client authentication in the TLS layer (via client certificates) should
> >also be possible (and probably the most convenient form of client
> >authentication) but I never tried this seriously (I don't consider
> >automount information to be highly sensitive).
> 
> That's been said before and I agree however if the server also has 
> sensitive info and will only allow secured connections for this reason 
> we probably need to cater for it.

Ok, I see. I played with SASL/TLS a while ago in a different client and
got it working, so I decided to give it a try and simply put pretty much
the same code into autofs.
The interface for using SASL with OpenLDAP is still pretty undocumented
(afaik), so much of the code is copied-and-pasted from the sample clients
in the OpenLDAP source package. Nevertheless, it seems to work quite well,
and I have put a new patch on
  http://timof.qipc.org/autofs
which can do authenticated lookups with either
- LDAP simple authentication (with arbitrary binddn and password),
  or
- SASL authentication.

So far, the only SASL mechanism I have tried is "external", which is
IMO the easiest one to set up (and it's non-interactive, which is good
in this case: we probably don't want the automounter to hang, displaying
a "password:" prompt on some terminal...).

The whole SASL part is pretty experimental; it works for me but it would
be good if others could test it and report problems. The patch should
apply cleanly to autofs-4.1.4-beta2. Except for minor changes to the
Makefiles and configure script, only the lookup_ldap module is affected,
so it should not interfere with non-LDAP stuff. To actually use SASL, you
must configure --with-sasl (in addition to --with-openldap).

Greetings,

Timo


-- 
Timo Felbinger                  <Timo.Felbinger@physik.uni-potsdam.de>
Quantum Physics Group           http://www.quantum.physik.uni-potsdam.de
Institut fuer Physik            Tel: +49 331 977 1793      Fax: -1767
Universitaet Potsdam, Germany

Re: Autofs TLS and binddn/bindpw patch.

[Ian Kent]

On Tue, 5 Apr 2005, Timo Felbinger wrote:

> On Mon, Apr 04, 2005 at 08:57:43PM +0800, raven@themaw.net wrote:
> > >
> > >Hmm, autofs over TLS works well for me with anonymous binds (only the
> > >server is authenticated, the client remains unauthenticated).
> > >Client authentication in the TLS layer (via client certificates) should
> > >also be possible (and probably the most convenient form of client
> > >authentication) but I never tried this seriously (I don't consider
> > >automount information to be highly sensitive).
> > 
> > That's been said before and I agree however if the server also has 
> > sensitive info and will only allow secured connections for this reason 
> > we probably need to cater for it.
> 
> Ok, I see. I played with SASL/TLS a while ago in a different client and
> got it working, so I decided to give it a try and simply put pretty much
> the same code into autofs.
> The interface for using SASL with OpenLDAP is still pretty undocumented
> (afaik), so much of the code is copied-and-pasted from the sample clients
> in the OpenLDAP source package. Nevertheless, it seems to work quite well,
> and I have put a new patch on
>   http://timof.qipc.org/autofs
> which can do authenticated lookups with either
> - LDAP simple authentication (with arbitrary binddn and password),
>   or
> - SASL authentication.
> 
> So far, the only SASL mechanism I have tried is "external", which is
> IMO the easiest one to set up (and it's non-interactive, which is good
> in this case: we probably don't want the automounter to hang, displaying
> a "password:" prompt on some terminal...).

There isn't a terminal to prompti on.
Yes. A daemon like this should not have any interactive dependencies.

But also encoding the auth info on the command line is giving to much away 
to the casual user who might be looking around.

> 
> The whole SASL part is pretty experimental; it works for me but it would
> be good if others could test it and report problems. The patch should
> apply cleanly to autofs-4.1.4-beta2. Except for minor changes to the
> Makefiles and configure script, only the lookup_ldap module is affected,
> so it should not interfere with non-LDAP stuff. To actually use SASL, you
> must configure --with-sasl (in addition to --with-openldap).
> 

This all sounds great.

I have a couple of long overdue tasks to get out of the road before 
I start to merge this work. They aren't straight forward and could take a 
while.

Ian

Re: Autofs TLS and binddn/bindpw patch.

[mzozd]

Ian Kent wrote:
> On Sun, 3 Apr 2005, mzozd wrote:
>>
>>a) Open /etc/ldap.conf to read any rootbinddn option.
>>b) Open /etc/ldap.secret to read any password if the rootbinddn option
>>is in the conf.
>>c) Try to initiate TLS with the server (assuming the path to the
>>certifacte(s) is defined in /etc/openldap/ldap.conf).
> 
> 
> We shouldn't need care about the certificate. This should be taken care of 
> with an API call either succeeding or failing.
That is exactly what the patch does. the start_tls function is taking
care of the certificate. The current patches interact with
/etc/ldap.conf(pam/nss_ldap conf file) and NOT /etc/openldap/ldap.conf.
Sorry if i didn't put it right. In my point of view it was obvious that
the patch was not doing any "library" work.
> 
> 
>>d) Bind with rootdn and password defines in the configuration files.
> 
> 
> All this stuff is openldap specific.
> 
> Can we do this via an LDAP API?
There is no ldap library, as far as i know, capable of parsing the
config file. Other programs (like sudo) use the same approach.

> How much of this can be done using a generalised dn?
The patch is parsing the /etc/ldap.conf file in order to find any user
supplied DN and /etc/ldap.secret for the password. What do you mean
generalised dn?

> 
> This may already be the case as I haven't had a look yet but can we 
> seperate out the LDAP implementation specific stuff to a seperate module?
It is already seperated. Any further changes suggest major rewrite for
the autofs module. autofs has to query TWICE (three times actually
including the ldap bind test) the ldap server in order get 1) the autofs
ldap auto master entries(via /usr/lib/autofs-ldap-auto-master) and 2)
retrieving the e.g ldap auto.home entries via automount daemon.
> 
> 
> 
> I have another patch that generalises the dn format and cleans up the LDAP 
> module. It looks quite good but is very much out of date. The LDAP module 
> is quite ugly and certainly needs work.
Please, supply a url where i can see that patch.
> 
> It's going to be quite a big job to merge these patches. Hopefully 
> we can work together on this.
We can try to work together on that. What troubles me, is the enormous
number of patches available at the autofs directory. What is the policy
for patching autofs ?

Please note:
Me, and other people using CRUX, are already using this patch with no
problems.

Thank you for your reply,

MzOzD
> 
> Ian
> 
>