I'm sorry but I have to revise patch 0002 autofs-5.1.8 - ldap_sasl_interactive_bind() needs credentials for auto-detection. Please ignore this patch series. I will post a second version (v2) of the patches that fix this issue.

On 11.09.22 16:41, Thomas Reim wrote:
From: Thomas Reim <reimth@xxxxxxxxx>

Dear Ian,

please find two more patches for update of LDAP SASL bind in autofs. The provided patches fix the following issues:

- Missing support of SCRAM-*

  autofs 5.1.8 blocks use of SCRAM-* for SASL binding. DIGEST-MD5 is regarded unsafe and has been marked obsolete by IANA. Implementations should use one of the latest Salted Challenge Response Authentication Mechanisms (SCRAM) defined by IETF RFC-5802/RFC-7677 instead.

- OpenLDAP SASL mechanism auto-selection requires user credentials

  autofs 5.1.8 does not fetch user credentials from autofs_ldap_auth.conf if users set authrequired="autodetect" without specifying one of the user credential based SASL mechanisms in attribute authtype. SASL binding using function ldap_sasl_interactive_bind() will fail with error SASL(-13): user not found: no secret in database. Seamless auto-selection of a SASL mechanism using OpenLDAP requires specification of user credentials.

Thomas Reim (2):
  autofs-5.1.8 - support SCRAM for SASL binding
  autofs-5.1.8 - ldap_sasl_interactive_bind() needs credentials for auto-detection

 man/autofs_ldap_auth.conf.5.in |  2 +-
 modules/cyrus-sasl.c           |  4 ++--
 modules/lookup_ldap.c          | 41 +++++++++++++++++++++++++---------
 3 files changed, 34 insertions(+), 13 deletions(-)
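
The two issues described in the cover letter above, expressed as a check over autofs_ldap_auth.conf (an added example, not part of the original mail or of autofs). It relies on the file's authrequired and authtype attributes; the finding codes, the sample configurations and the set of mechanisms treated as credential based are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: mechanisms treated as "user credential based" for this check.
CREDENTIAL_MECHS = {"PLAIN", "LOGIN", "DIGEST-MD5"}

def audit_ldap_auth_conf(xml_text):
    """Return finding codes (hypothetical names) for one autofs_ldap_auth.conf."""
    root = ET.fromstring(xml_text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError("unexpected root element: " + root.tag)
    authrequired = root.get("authrequired", "").lower()
    authtype = root.get("authtype", "").upper()
    findings = []
    if authtype == "DIGEST-MD5":
        # Marked obsolete by IANA; the mail recommends SCRAM instead.
        findings.append("digest-md5-obsolete")
    if authtype.startswith("SCRAM-"):
        # Per the mail, autofs 5.1.8 blocks SCRAM-* for SASL binding.
        findings.append("scram-blocked-by-5.1.8")
    if authrequired == "autodetect" and authtype not in CREDENTIAL_MECHS:
        # Per the mail, 5.1.8 then does not fetch user/secret and the bind fails
        # with "SASL(-13): user not found: no secret in database".
        findings.append("autodetect-credentials-not-fetched")
    return findings

# Constructed sample configurations (not taken from a real system).
SAMPLES = {
    "autodetect": '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" '
                  'authrequired="autodetect" user="automount" secret="constructed"/>',
    "digest": '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" '
              'authrequired="yes" authtype="DIGEST-MD5" '
              'user="automount" secret="constructed"/>',
    "scram": '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" '
             'authrequired="yes" authtype="SCRAM-SHA-256" '
             'user="automount" secret="constructed"/>',
    "plain": '<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" '
             'authrequired="yes" authtype="PLAIN" '
             'user="automount" secret="constructed"/>',
}

def audit_samples():
    """Audit every constructed sample and return {name: findings}."""
    return {name: audit_ldap_auth_conf(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or ["ok"])
```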