NAME         top

       autofs_ldap_auth.conf - autofs LDAP authentication configuration

DESCRIPTION         top

       LDAP authenticated binds, TLS encrypted connections and certification
       may be used by setting appropriate values in the autofs
       authentication configuration file and configuring the LDAP client
       with appropriate settings.  The default location of this file is
       @mapdir@/autofs_ldap_auth.conf.  If this file exists it will be used
       to establish whether TLS or authentication should be used.

       An example of this file is:

         <?xml version="1.0" ?>

       If TLS encryption is to be used the location of the Certificate Au‐
       thority certificate must be set within the LDAP client configuration
       in order to validate the server certificate. If, in addition, a cer‐
       tified connection is to be used then the client certificate and pri‐
       vate key file locations must also be configured within the LDAP

OPTIONS         top

       This files contains a single XML element, as shown in the example
       above, with several attributes.

       The possible attributes are:

              Determines whether an encrypted connection to the ldap server
              should be attempted.

              This flag tells whether the ldap connection must be encrypted.
              If set to "yes", the automounter will fail to start if an
              encrypted connection cannot be established.

              This option tells whether an authenticated connection to the
              ldap server is required in order to perform ldap queries. If
              the flag is set to yes, only sasl authenticated connections
              will be allowed. If it is set to no then authentication is not
              needed for ldap server connections. If it is set to autodetect
              then the ldap server will be queried to establish a suitable
              sasl authentication  mechanism. If no suitable mechanism can
              be found, connections to the ldap server are made without
              authentication. Finally, if it is set to simple, then simple
              authentication will be used instead of SASL.

              This attribute can be used to specify a preferred
              authentication mechanism.  In normal operations, the
              automounter will attempt to authenticate to the ldap server
              using the list of supportedSASLmechanisms obtained from the
              directory server.  Explicitly setting the authtype will bypass
              this selection and only try the mechanism specified. The
              EXTERNAL mechanism may be used to authenticate using a client
              certificate and requires that authrequired set to "yes" if
              using SSL or usetls, tlsrequired and authrequired all set to
              "yes" if using TLS, in addition to authtype being set to

              If using authtype EXTERNAL two additional configuration
              entries are required:

              external_cert="<client certificate path>"

              This specifies the path of the file containing the client

              external_key="<client certificate key path>"

              This specifies the path of the file containing the client
              certificate key.

              These two configuration entries are mandatory when using the
              EXTERNAL method as the HOME environment variable cannot be
              assumed to be set or, if it is, to be set to the location we

              This attribute holds the authentication identity used by
              authentication mechanisms that require it.  Legal values for
              this attribute include any printable characters that can be
              used by the selected authentication mechanism.

              This attribute holds the secret used by authentication
              mechanisms that require it. Legal values for this attribute
              include any printable characters that can be used by the
              selected authentication mechanism.

       encoded_secret="<base64 encoded password>"
              This attribute holds the base64 encoded secret used by
              authentication mechanisms that require it. If this entry is
              present as well as the secret entry this value will take

       clientprinc="<GSSAPI client principal>"
              When using GSSAPI authentication, this attribute is consulted
              to determine the principal name to use when authenticating to
              the directory server. By default, this will be set to

       credentialcache="<external credential cache path>"
              When using GSSAPI authentication, this attribute can be used
              to specify an externally configured credential cache that is
              used during authentication.  By default, autofs will setup a
              memory based credential cache.

SEE ALSO         top

       auto.master(5), autofs.conf(5),

AUTHOR         top

       This manual page was written by Ian Kent <>.

COLOPHON         top

       This page is part of the autofs (automount) project.  Information
       about the project can be found at ⟨⟩.  If you
       have a bug report for this manual page, send it to  This page was obtained from the project's
       upstream Git repository
       ⟨git://⟩ on
       2017-11-25.  (At that time, the date of the most recent commit that
       was found in the repository was 2017-05-24.)  If you discover any
       rendering problems in this HTML version of the page, or you believe
       there is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

                                 19 Feb 2010        AUTOFS_LDAP_AUTH.CONF(5)

Pages that refer to this page: autofs(5)autofs.conf(5)auto.master(5)autofs(8)automount(8)