autofs-5.0.5 - add simple bind authentication
From: James Y Knight <foom@fuhm.net>
This patch adds the ability to do a simple bind against an LDAP server with
the configured username and password.
include/lookup_ldap.h | 1 +
modules/lookup_ldap.c | 21 +++++++++++++--------
samples/autofs_ldap_auth.conf | 16 +++++++++-------
4 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
17
index 5973824..d95542d 100644
21
- fix ampersand escape in auto.smb.
22
- add locality as valid ldap master map attribute.
23
- add locality as valid ldap master map attribute fix.
24
+- add simple bind authentication.
26
03/09/2009 autofs-5.0.5
27
-----------------------
28
diff --git a/include/lookup_ldap.h b/include/lookup_ldap.h
29
index dcae220..1e1c7a4 100644
30
--- a/include/lookup_ldap.h
31
+++ b/include/lookup_ldap.h
32
@@ -97,6 +97,7 @@ struct lookup_context {
33
#define LDAP_AUTH_NOTREQUIRED 0x0001
34
#define LDAP_AUTH_REQUIRED 0x0002
35
#define LDAP_AUTH_AUTODETECT 0x0004
36
+#define LDAP_AUTH_USESIMPLE 0x0008
39
LDAP *init_ldap_connection(unsigned logopt, const char *uri, struct lookup_context *ctxt);
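Review bot: `LDAP_AUTH_USESIMPLE` joins a set of bit-style values but is compared with `==` in `bind_ldap_simple` and `parse_ldap_config` rather than tested as a flag, and the header says nothing about what selecting it implies for the credential. I would document it at the define: `/* authenticate with an LDAP simple bind using the configured user/secret; the password is sent in cleartext unless the connection is TLS-protected */`. Whether the three existing values are ever combined as a mask is not visible in this hunk, so the `==` comparison may be fine, but a one-line comment saying these are mutually exclusive would settle it.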
40
diff --git a/modules/lookup_ldap.c b/modules/lookup_ldap.c
41
index 8387951..d7d4f71 100644
42
--- a/modules/lookup_ldap.c
43
+++ b/modules/lookup_ldap.c
44
@@ -137,11 +137,13 @@ static void uris_mutex_unlock(struct lookup_context *ctxt)
48
-int bind_ldap_anonymous(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_context *ctxt)
49
+int bind_ldap_simple(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_context *ctxt)
53
- if (ctxt->version == 2)
54
+ if (ctxt->auth_required == LDAP_AUTH_USESIMPLE)
55
+ rv = ldap_simple_bind_s(ldap, ctxt->user, ctxt->secret);
56
+ else if (ctxt->version == 2)
57
rv = ldap_simple_bind_s(ldap, ctxt->base, NULL);
59
rv = ldap_simple_bind_s(ldap, NULL, NULL);
60
@@ -517,12 +519,12 @@ static int do_bind(unsigned logopt, LDAP *ldap, const char *uri, struct lookup_c
61
rv = autofs_sasl_bind(logopt, ldap, ctxt);
62
debug(logopt, MODPREFIX "autofs_sasl_bind returned %d", rv);
64
- rv = bind_ldap_anonymous(logopt, ldap, uri, ctxt);
65
- debug(logopt, MODPREFIX "ldap anonymous bind returned %d", rv);
66
+ rv = bind_ldap_simple(logopt, ldap, uri, ctxt);
67
+ debug(logopt, MODPREFIX "ldap simple bind returned %d", rv);
70
- rv = bind_ldap_anonymous(logopt, ldap, uri, ctxt);
71
- debug(logopt, MODPREFIX "ldap anonymous bind returned %d", rv);
72
+ rv = bind_ldap_simple(logopt, ldap, uri, ctxt);
73
+ debug(logopt, MODPREFIX "ldap simple bind returned %d", rv);
77
@@ -971,11 +973,13 @@ int parse_ldap_config(unsigned logopt, struct lookup_context *ctxt)
78
auth_required = LDAP_AUTH_NOTREQUIRED;
79
else if (!strcasecmp(authrequired, "autodetect"))
80
auth_required = LDAP_AUTH_AUTODETECT;
81
+ else if (!strcasecmp(authrequired, "simple"))
82
+ auth_required = LDAP_AUTH_USESIMPLE;
86
"The authrequired property must have value "
87
- "\"yes\", \"no\" or \"autodetect\".");
88
+ "\"yes\", \"no\", \"autodetect\", or \"simple\".");
92
@@ -991,7 +995,8 @@ int parse_ldap_config(unsigned logopt, struct lookup_context *ctxt)
96
- if (authtype && authtype_requires_creds(authtype)) {
97
+ if (auth_required == LDAP_AUTH_USESIMPLE ||
98
+ (authtype && authtype_requires_creds(authtype))) {
99
ret = get_property(logopt, root, "user", &user);
100
ret |= get_property(logopt, root, "secret", &secret);
101
if (ret != 0 || (!user || !secret)) {
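Review bot: Selecting `simple` makes `bind_ldap_simple` send `ctxt->secret` as a cleartext LDAP password, and the new `parse_ldap_config` branch in the `@@ -991` hunk requires `user`/`secret` but does nothing about transport protection, so a configuration with `tlsrequired` unset leaks the credential on the wire. I would at least warn there when `auth_required == LDAP_AUTH_USESIMPLE` and TLS is not required, e.g. `warn(logopt, MODPREFIX "simple bind sends the secret in cleartext; set tlsrequired");` — the TLS field of `ctxt` is outside these hunks, so the exact condition needs confirming against the struct. Separately, `bind_ldap_simple` now performs both the password bind and the two anonymous binds, yet `do_bind` logs every outcome as `"ldap simple bind returned %d"`, which hides which bind was attempted; `debug(logopt, MODPREFIX "ldap %s bind returned %d", ctxt->auth_required == LDAP_AUTH_USESIMPLE ? "simple" : "anonymous", rv);` keeps that distinguishable in the logs. `bind_ldap_simple`, `do_bind` and `parse_ldap_config` all begin and end outside these hunks.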
102
diff --git a/samples/autofs_ldap_auth.conf b/samples/autofs_ldap_auth.conf
103
index a1f60c0..be5e7dd 100644
104
--- a/samples/autofs_ldap_auth.conf
105
+++ b/samples/autofs_ldap_auth.conf
106
@@ -17,17 +17,19 @@ tlsrequired - This flag tells whether the ldap connection must be
108
authrequired - This option tells whether an authenticated connection to
109
the ldap server is required in order to perform ldap queries.
110
- If this flag is set to yes, then only authenticated connections
111
+ If the flag is set to yes, only sasl authenticated connections
112
will be allowed. If it is set to no then authentication is not
113
- needed for ldap server connections. Finally, if it is set to
114
- autodetect then the ldap server will be queried to establish
115
- a suitable authentication mechanism. If no suitable mechanism
116
- can be found, connections to the ldap server are made without
118
- Legal values for this option include:
119
+ needed for ldap server connections. If it is set to autodetect
120
+ then the ldap server will be queried to establish a suitable sasl
121
+ authentication mechanism. If no suitable mechanism can be found,
122
+ connections to the ldap server are made without authentication.
123
+ Finally, if it is set to simple, then simple authentication will
124
+ be used instead of SASL.
131
authtype - This attribute can be used to specify a preferred
132
authentication mechanism. In normal operations, the