Simple BINDS over SSL/TLS

Simple BINDS over SSL/TLS

[peter]

I was wondering if it is possible for autofs to do simple binds over
TLS/SSL rather than having to do them over SASL.

Any input would be greatly appreciated.

Peter

Re: Simple BINDS over SSL/TLS

[peter]

On Wed, May 02, 2007 at 11:19:39AM -0400, peter@devries.tv wrote:
> I was wondering if it is possible for autofs to do simple binds over
> TLS/SSL rather than having to do them over SASL.

This may not have been clear enough.  I want autofs to authenticate to
the LDAP server as a user but without the use of SASL. 

Thanks,
Peter

Re: Simple BINDS over SSL/TLS

[Ian Kent]

On Wed, 2007-05-02 at 11:33 -0400, peter@devries.tv wrote:
> On Wed, May 02, 2007 at 11:19:39AM -0400, peter@devries.tv wrote:
> > I was wondering if it is possible for autofs to do simple binds over
> > TLS/SSL rather than having to do them over SASL.
> 
> This may not have been clear enough.  I want autofs to authenticate to
> the LDAP server as a user but without the use of SASL. 

Why don't you want to use SASL?

Ian

Re: Simple BINDS over SSL/TLS

[Douglas E. Engert]

peter@devries.tv wrote:
> On Wed, May 02, 2007 at 11:19:39AM -0400, peter@devries.tv wrote:
>> I was wondering if it is possible for autofs to do simple binds over
>> TLS/SSL rather than having to do them over SASL.
> 
> This may not have been clear enough.  I want autofs to authenticate to
> the LDAP server as a user but without the use of SASL. 

Looking at autofs-4.1.4, it looks like it only does anonymous,
because it does not have a binddn or bindpw to use. It can use TLS,
if the ldap.conf it uses has someting like:

  URI ldaps://your.ldap.server.name
  TLS_CACERTDIR path to ca certs

The ldap library could fill in a binddn from a ldaprc, Its the  bindpw
that the ldap library will not fill in, and autofs does not have an
easy way to get it.

Speakinig of SASL, the best I can tell is 4.1.4 does not support it
directly, but could with a patch to call

  ldap_sasl_interactive_bind_s

I had a working patch, but got side tracked. Are there any plans
to add SASL support to autofs, such that it ends up in Debian distribution?



> Thanks,
> Peter
> 
> _______________________________________________
> autofs mailing list
> autofs@linux.kernel.org
> http://linux.kernel.org/mailman/listinfo/autofs
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Simple BINDS over SSL/TLS

[Jeff Moyer]

==> On Thu, 03 May 2007 09:56:55 -0500, "Douglas E. Engert" <deengert@anl.gov> said:

Douglas> I had a working patch, but got side tracked. Are there any
Douglas> plans to add SASL support to autofs, such that it ends up in
Douglas> Debian distribution?

SASL support was introduced in autofs v5.  Testing has been limited,
since it seems no one uses it.

-Jeff

Re: Simple BINDS over SSL/TLS

[Ian Kent]

On Thu, 2007-05-03 at 09:56 -0500, Douglas E. Engert wrote:
> 
> peter@devries.tv wrote:
> > On Wed, May 02, 2007 at 11:19:39AM -0400, peter@devries.tv wrote:
> >> I was wondering if it is possible for autofs to do simple binds over
> >> TLS/SSL rather than having to do them over SASL.
> > 
> > This may not have been clear enough.  I want autofs to authenticate to
> > the LDAP server as a user but without the use of SASL. 
> 
> Looking at autofs-4.1.4, it looks like it only does anonymous,
> because it does not have a binddn or bindpw to use. It can use TLS,
> if the ldap.conf it uses has someting like:
> 
>   URI ldaps://your.ldap.server.name
>   TLS_CACERTDIR path to ca certs
> 
> The ldap library could fill in a binddn from a ldaprc, Its the  bindpw
> that the ldap library will not fill in, and autofs does not have an
> easy way to get it.
> 
> Speakinig of SASL, the best I can tell is 4.1.4 does not support it
> directly, but could with a patch to call
> 
>   ldap_sasl_interactive_bind_s
> 
> I had a working patch, but got side tracked. Are there any plans
> to add SASL support to autofs, such that it ends up in Debian distribution?

If the folks at Debian update to version 5 it's present.

Ian

Re: Simple BINDS over SSL/TLS

[Douglas E. Engert]

Jeff Moyer wrote:
> ==> On Thu, 03 May 2007 09:56:55 -0500, "Douglas E. Engert" <deengert@anl.gov> said:
> 
> Douglas> I had a working patch, but got side tracked. Are there any
> Douglas> plans to add SASL support to autofs, such that it ends up in
> Douglas> Debian distribution?
> 
> SASL support was introduced in autofs v5.  Testing has been limited,
> since it seems no one uses it.


Great. I was looking at Debian, and using a Ubuntu system, that used 4.1.4
When v5 is stable, then we can look at it again. Is v5 in any of the RedHat
distributions?

> 
> -Jeff
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Simple BINDS over SSL/TLS

[Jeff Moyer]

==> On Fri, 04 May 2007 09:27:13 -0500, "Douglas E. Engert" <deengert@anl.gov> said:

Douglas> Jeff Moyer wrote: > ==> On Thu, 03 May 2007 09:56:55 -0500,
Douglas> "Douglas E. Engert" <deengert@anl.gov> said: > Douglas> I had
Douglas> a working patch, but got side tracked. Are there any >
Douglas> Douglas> plans to add SASL support to autofs, such that it
Douglas> ends up in > Douglas> Debian distribution?  > SASL support
Douglas> was introduced in autofs v5.  Testing has been limited, >
Douglas> since it seems no one uses it.

Douglas> Great. I was looking at Debian, and using a Ubuntu system,
Douglas> that used 4.1.4 When v5 is stable, then we can look at it
Douglas> again. Is v5 in any of the RedHat distributions?

I use v5 on my workstation, and have done so for at least a couple of
months, now.  We also ship it in several distributions, so let's call
it stable.  If you have evidence to the contrary, then please send us
problem reports!

It is available in RHEL 5, FC6, and will be shipping with F7 as well.

-Jeff

Re: Simple BINDS over SSL/TLS

[Douglas E. Engert]

Jeff Moyer wrote:
> ==> On Fri, 04 May 2007 09:27:13 -0500, "Douglas E. Engert" <deengert@anl.gov> said:
> 
> Douglas> Jeff Moyer wrote: > ==> On Thu, 03 May 2007 09:56:55 -0500,
> Douglas> "Douglas E. Engert" <deengert@anl.gov> said: > Douglas> I had
> Douglas> a working patch, but got side tracked. Are there any >
> Douglas> Douglas> plans to add SASL support to autofs, such that it
> Douglas> ends up in > Douglas> Debian distribution?  > SASL support
> Douglas> was introduced in autofs v5.  Testing has been limited, >
> Douglas> since it seems no one uses it.
> 
> Douglas> Great. I was looking at Debian, and using a Ubuntu system,
> Douglas> that used 4.1.4 When v5 is stable, then we can look at it
> Douglas> again. Is v5 in any of the RedHat distributions?
> 
> I use v5 on my workstation, and have done so for at least a couple of
> months, now.  We also ship it in several distributions, so let's call
> it stable.  If you have evidence to the contrary, then please send us
> problem reports!

I have no indications of any problems. What I meant was "stable"
in the terms of the Debian distributions. Debian appears to have 4.1.4
versions in "stable", "testing" and "unstable"
Unfortuneatly they don't appear to have any 5.0 versions yet.


 
http://packages.debian.org/cgi-bin/search_packages.pl?searchon=names&version=all&exact=1&keywords=autofs

> 
> It is available in RHEL 5, FC6, and will be shipping with F7 as well.

Good to know, we have a number of RedHat systems too.
> 
> -Jeff
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Simple BINDS over SSL/TLS

[Ian Kent]

On Fri, 2007-05-04 at 11:19 -0500, Douglas E. Engert wrote:
> 
> Jeff Moyer wrote:
> > ==> On Fri, 04 May 2007 09:27:13 -0500, "Douglas E. Engert" <deengert@anl.gov> said:
> > 
> > Douglas> Jeff Moyer wrote: > ==> On Thu, 03 May 2007 09:56:55 -0500,
> > Douglas> "Douglas E. Engert" <deengert@anl.gov> said: > Douglas> I had
> > Douglas> a working patch, but got side tracked. Are there any >
> > Douglas> Douglas> plans to add SASL support to autofs, such that it
> > Douglas> ends up in > Douglas> Debian distribution?  > SASL support
> > Douglas> was introduced in autofs v5.  Testing has been limited, >
> > Douglas> since it seems no one uses it.
> > 
> > Douglas> Great. I was looking at Debian, and using a Ubuntu system,
> > Douglas> that used 4.1.4 When v5 is stable, then we can look at it
> > Douglas> again. Is v5 in any of the RedHat distributions?
> > 
> > I use v5 on my workstation, and have done so for at least a couple of
> > months, now.  We also ship it in several distributions, so let's call
> > it stable.  If you have evidence to the contrary, then please send us
> > problem reports!
> 
> I have no indications of any problems. What I meant was "stable"
> in the terms of the Debian distributions. Debian appears to have 4.1.4
> versions in "stable", "testing" and "unstable"
> Unfortuneatly they don't appear to have any 5.0 versions yet.

Yes, one of the difficulties with Debian is that v5 needs a fairly
recent kernel which could cause pain for some people that can't update
the kernel component for some reason.

Ian