Re: AutoFS, GSSAPI, LDAPv3

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 11:10 AM 4/23/2004, Patrick Shinpaugh wrote:
>I have implemented an LDAPv3 (Kerberos(GSSAPI), TLS, Cyrus-SASL, and
>OpenLDAP) server which is used for user validation/authentication and
>for automounting of NFS filesystems. To allow autofs 3.1.7 access to the
>LDAP database I was forced to add
>
>allow bind_v2 bind_anon_dn
>
>to my slapd.conf file.

If the directory client you are using actually requires these to
be set, you should work with the developer of that client to fix it.
LDAPv2 is historic and unauthenticated bind (DN, no password)
should be avoided in favor of anonymous bind (no DN, no password).
The former for interoperability reasons, the latter for security
reasons.

>However, I was wondering if there is a way to set
>up LDAP so I can remove this allow statement and still have autofs able
>to access the automount information stored in the directory.

Whether or not these directives are actually required by this
particular directory client is more appropriately asked in a
forum supporting that client.  Of course, you should ask the
question in non-OpenLDAP specific manner.
        Does autofs require LDAPv2?
        If not, how do I configure autofs to use LDAPv3?
        Does autofs require unauthenticated bind?
        If not, how do I configure autofs to use anonymous or
                authenticated bind?

>I do have
>ACLs set up but I would rather not depend upon the ACLs alone to prevent
>unauthorized access to the information stored in the LDAP directory.

You might consider use of require and security directives
in addition to ACLs.