[Bug 1987992] Re: autofs: Missing support of SCRAM for SASL binds
rdratlos
1987992 at bugs.launchpad.net
Mon Sep 5 11:28:05 UTC 2022
A further security improvement of this patch lets OpenLDAP libldap
negotiate and choose the safest available SASL authentication
mechanism:
Settings in /etc/autofs_ldap_auth.conf:
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
See autofs_ldap_auth.conf(5) for more information.
-->
<autofs_ldap_sasl_conf
usetls="yes"
tlsrequired="no"
authrequired="autodetect"
user="testuser@example.com"
authtype="DIGEST-MD5"
secret="my_secret"
/>
$ automount -f -v -d
Starting automounter version 5.1.8, master map auto.master
using kernel protocol version 5.05
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 4, sasl_mech: DIGEST-MD5
parse_ldap_config: lookup(ldap): user: testuser@example.com, secret: specified, client principal: (null) credential cache: (null)
do_init: parse(sun): init gathered global options: (null)
find_server: trying server uri ldap://server.example.com
do_bind: lookup(ldap): auth_required: 4, sasl_mech DIGEST-MD5
do_bind: Attempting sasl bind with mechanism DIGEST-MD5
do_bind: SASL username: testuser@example.com
do_bind: SASL authcid: root
do_bind: sasl bind with mechanism SCRAM-SHA-1 succeeded
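The configuration and debug output above show the point of the comment: authtype names DIGEST-MD5, yet the bind that succeeds uses SCRAM-SHA-1, so the mechanism actually in use can only be confirmed from the automount debug log. The following audit script is an added example, not part of this bug report or of the autofs project. It parses an autofs_ldap_auth.conf fragment and an automount debug log, reports the configured and negotiated mechanisms, and flags deprecated or cleartext mechanisms, a non-mandatory TLS setting, and the cleartext secret in the file. The sample config and log lines are constructed to mirror the ones in the comment; the mechanism lists and the meaning of tlsrequired follow autofs_ldap_auth.conf(5) and RFC 6331 as I understand them, and are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config, shaped like the attributes shown in the bug comment.
SAMPLE_CONF = """<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
    usetls="yes"
    tlsrequired="no"
    authrequired="autodetect"
    user="testuser@example.com"
    authtype="DIGEST-MD5"
    secret="my_secret"
/>
"""

# Constructed excerpt in the shape of `automount -f -v -d` debug output.
SAMPLE_LOG = """\
parse_ldap_config: lookup(ldap): use_tls: 1, tls_required: 0, auth_required: 4, sasl_mech: DIGEST-MD5
do_bind: lookup(ldap): auth_required: 4, sasl_mech DIGEST-MD5
do_bind: Attempting sasl bind with mechanism DIGEST-MD5
do_bind: sasl bind with mechanism SCRAM-SHA-1 succeeded
"""

# Assumed classification: DIGEST-MD5 is deprecated by RFC 6331; PLAIN and LOGIN
# send the password in the clear unless the connection is protected by TLS.
DEPRECATED_MECHS = {"DIGEST-MD5", "CRAM-MD5"}
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

BIND_OK = re.compile(r"sasl bind with mechanism (\S+) succeeded")


def parse_auth_conf(text):
    """Return the attributes of the single <autofs_ldap_sasl_conf/> element."""
    root = ET.fromstring(text)
    if root.tag != "autofs_ldap_sasl_conf":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return dict(root.attrib)


def negotiated_mechanism(log_text):
    """Mechanism reported by the last successful bind in the debug log, or None."""
    mech = None
    for line in log_text.splitlines():
        m = BIND_OK.search(line)
        if m:
            mech = m.group(1)
    return mech


def audit(conf_text, log_text):
    """Compare configured vs negotiated mechanism and collect findings."""
    conf = parse_auth_conf(conf_text)
    configured = conf.get("authtype")
    negotiated = negotiated_mechanism(log_text)
    tls_required = conf.get("tlsrequired", "no").lower() == "yes"
    findings = []

    if configured in DEPRECATED_MECHS:
        findings.append(f"configured authtype {configured} is deprecated")
    # What the server actually accepted matters more than what was asked for.
    effective = negotiated or configured
    if effective in CLEARTEXT_MECHS and not tls_required:
        findings.append(f"{effective} may send the password in cleartext (tlsrequired is not yes)")
    if negotiated and negotiated != configured:
        findings.append(f"server negotiated {negotiated} instead of configured {configured}")
    if not tls_required:
        findings.append("tlsrequired=no: the bind proceeds even if TLS cannot be established")
    if "secret" in conf:
        findings.append("secret is stored in cleartext; the file must be readable by root only")

    return {"configured": configured, "negotiated": negotiated, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, SAMPLE_LOG)
    print(f"configured: {report['configured']}, negotiated: {report['negotiated']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against the real file and a captured `automount -f -v -d` session by replacing the two constructed samples; the "instead of configured" finding is the signal that libldap upgraded the mechanism on the wire, exactly as the log in this comment shows.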
--
https://bugs.launchpad.net/bugs/1987992
Title:
autofs: Missing support of SCRAM for SASL binds
Status in autofs package in Ubuntu:
New
Bug description:
Most directory services now support the more secure Salted Challenge
Response Authentication Mechanism (SCRAM) for SASL binding (RFC 5802).
But the automount user cannot request use of SCRAM, as automount does not
read user and password credentials for SCRAM mechanisms.
Sys admins that do not want to implement Kerberos-based
authentication to their directory service using GSSAPI need to rely on
DIGEST-MD5, which is regarded as insecure.