Directory Services 7.4.3

GSSAPI SASL Mechanism Handler

The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.

The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.

Parent

The GSSAPI SASL Mechanism Handler object inherits from SASL Mechanism Handler.

Dependencies

GSSAPI SASL Mechanism Handlers depend on the following objects:

GSSAPI SASL Mechanism Handler properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

enabled
identity-mapper
kdc-address
keytab
principal-name
quality-of-protection
realm
server-fqdn

bind-to-server-fqdn
java-class

Basic properties

Use the --advanced option to access advanced properties.

enabled

Synopsis

Indicates whether the SASL mechanism handler is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

identity-mapper

Synopsis

Specifies the name(s) of the identity mapper(s) that are to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.

Default value

None

Allowed values

The name of an existing identity-mapper.

The referenced identity mapper(s) must be enabled when the GSSAPI SASL Mechanism Handler is enabled.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

kdc-address

Synopsis

Specifies the address of the KDC that is to be used for Kerberos processing.

Description

If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.

Default value

The server attempts to determine the KDC address from the underlying system configuration.

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

keytab

Synopsis

Specifies the path to the keytab file that should be used for Kerberos processing.

Description

If provided, this is either an absolute path or one that is relative to the server instance root.

Default value

The server attempts to use the system-wide default keytab.

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

principal-name

Synopsis

Specifies the principal name.

Description

It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".

Default value

The server attempts to determine the principal name from the underlying system configuration.

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

quality-of-protection

Synopsis

The name of a property that specifies the quality of protection the server will support.

Default value

none

Allowed values

  • confidentiality: Quality of protection equals authentication with integrity and confidentiality protection.

  • integrity: Quality of protection equals authentication with integrity protection.

  • none: QOP equals authentication only.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

realm

Synopsis

Specifies the realm to be used for GSSAPI authentication.

Default value

The server attempts to determine the realm from the underlying system configuration.

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

server-fqdn

Synopsis

Specifies the DNS-resolvable fully-qualified domain name for the system.

Default value

The server attempts to determine the fully-qualified domain name dynamically.

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

bind-to-server-fqdn

Synopsis

Specifies if the server should bind to the server-fqdn or whether to try to run "unbound".

Description

The SASL server usually binds to the server-fqdn. By setting GSSAPI SASL Mechanism Handler to false, the server will not bind to a server name. Some SASL implementations are likely to also require the principal name to be "*" and have no realm specified, or may not support running "unbound" altogether.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.

Default value

org.opends.server.extensions.GSSAPISASLMechanismHandler

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin action required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-only

No