From: Thomas Reim <reimth@xxxxxxxxx>

Since version 4.4 Samba AD domain controllers default settings only allow for simple SASL binds over TLS encrypted connections or SASL binds with sign or seal, i.e. data security layer encryption, over unencrypted connections. Therefore, current automounter cannot fetch autofs maps from Samba AD DCs using SASL anymore without setting Samba configuration parameter "ldap server require strong auth" to "no" or "allow_sasl_over_tls".

Cyrus SASL supports data encryption in GSSAPI (with Kerberos V) mode using an SASL data security layer according to IETF RFC 2078. This security layer provides for traffic encryption during authentication and authorization towards an OpenLDAP based server and for subsequent encryption of data traffic for the LDAP session.

Current automounter does not implement SASL security layer encryption and only relies on TLS to protect LDAP communication.

OpenLDAP libldap if compiled with Cyrus SASL supports negotiation of an SASL data security layer based encryption of LDAP traffic. libldap also provides automatic negotiation of the best suited SASL mechanism taking into account application required defaults.

This series of patches updates automounter to let OpenLDAP and Cyrus SASL handle SASL binding and traffic security configuration. Proposed changes are backward compatible for clients that use LDAP libraries different from OpenLDAP.

When using SASL mechanism GSSAPI or simple authentication with TLS encryption automounter seamlessly interworks with latest Samba AD DCs.

Please review and provide your comments or suggestions.

Thomas Reim (4):
  autofs-5.1.8 - restore gcc flags after autoconf Kerberos 5 check
  autofs-5.1.8 - prepare for OpenLDAP SASL binding
  autofs-5.1.8 - let OpenLDAP handle SASL binding
  autofs-5.1.8 - configure: LDAP function checks ignore implicit declarations

 aclocal.m4            |  52 +++++++++++++++
 configure.in          |   5 +-
 include/config.h.in   |   3 +
 include/lookup_ldap.h |   6 ++
 modules/cyrus-sasl.c  | 148 +++++++++++++++++++++++++++++++++++++++++-
 modules/lookup_ldap.c | 102 ++++++++++++++++++++++++++++-
 6 files changed, 312 insertions(+), 4 deletions(-)

-- 
2.37.1
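
Added example, not part of the original message or of the autofs patches: the security layer choice that the cover letter leaves to libldap and Cyrus SASL, shown on the cleartext tokens of the GSSAPI SASL mechanism as specified in RFC 4752. The function names, the policy mask and the sample offer are constructed for illustration; "sign" maps to the integrity bit and "seal" to the confidentiality bit, and the GSS-API wrapping of the tokens is assumed to be done by the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Security layer bits of the GSSAPI SASL mechanism (RFC 4752). */
enum { LAYER_NONE = 1, LAYER_INTEGRITY = 2, LAYER_CONFIDENTIALITY = 4 };

/* Pick the strongest layer present in both the server's 4-octet offer and
 * allowed_mask (the client's policy). Returns the layer bit, or -1 when the
 * offer is malformed or contains no acceptable layer. */
int select_layer(const uint8_t *tok, size_t len, int allowed_mask,
                 uint32_t *server_max)
{
    if (len != 4)
        return -1;
    *server_max = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    /* A server offering no protection must advertise a zero buffer size. */
    if (!(tok[0] & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) && *server_max)
        return -1;
    int common = tok[0] & allowed_mask;
    if (common & LAYER_CONFIDENTIALITY) return LAYER_CONFIDENTIALITY;
    if (common & LAYER_INTEGRITY) return LAYER_INTEGRITY;
    return (common & LAYER_NONE) ? LAYER_NONE : -1;
}

/* Build the client's answer: layer octet, 24-bit receive size, authzid.
 * Returns the reply length, or 0 if the arguments do not fit. */
size_t build_reply(uint8_t *out, size_t cap, int layer, uint32_t client_max,
                   const char *authzid)
{
    size_t alen = strlen(authzid);
    if (cap < 4 + alen || client_max > 0xFFFFFF)
        return 0;
    if (layer == LAYER_NONE)
        client_max = 0;  /* the server expects 0 when no layer is chosen */
    out[0] = (uint8_t)layer;
    out[1] = (uint8_t)(client_max >> 16);
    out[2] = (uint8_t)(client_max >> 8);
    out[3] = (uint8_t)client_max;
    memcpy(out + 4, authzid, alen);
    return 4 + alen;
}

int main(void)
{
    const uint8_t offer[4] = { 0x07, 0x00, 0xFF, 0xFF };  /* constructed */
    uint32_t smax = 0;
    /* Policy for an unencrypted connection: sign or seal is required. */
    int need = LAYER_INTEGRITY | LAYER_CONFIDENTIALITY;
    int layer = select_layer(offer, sizeof offer, need, &smax);
    printf("layer=%d server_max=%u\n", layer, (unsigned)smax);
    return layer < 0;
}
```

A client whose policy mask contains only `LAYER_NONE` ends up with an unprotected session, which is the case the default Samba setting described above refuses on an unencrypted connection.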