DS 7.2.4

External SASL Mechanism Handler

The External SASL Mechanism Handler performs all processing related to SASL EXTERNAL authentication.

Parent

The External SASL Mechanism Handler object inherits from SASL Mechanism Handler.

Dependencies

External SASL Mechanism Handlers depend on the following objects:

External SASL Mechanism Handler properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

certificate-attribute
certificate-mapper
certificate-validation-policy
enabled

java-class

Basic properties

Use the --advanced option to access advanced properties.

certificate-attribute

Synopsis

Specifies the name of the attribute to hold user certificates.

Description

This property must specify the name of a valid attribute type defined in the server schema.

Default value

userCertificate

Allowed values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

certificate-mapper

Synopsis

Specifies the name(s) of the certificate mapper(s) that should be used to match client certificates to user entries.

Default value

None

Allowed values

The name of an existing certificate-mapper.

The referenced certificate mapper(s) must be enabled when the External SASL Mechanism Handler is enabled.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

certificate-validation-policy

Synopsis

Indicates whether to attempt to validate the peer certificate against a certificate held in the user’s entry.

Default value

None

Allowed values

  • always: Always require the peer certificate to be present in the user’s entry.

  • ifpresent: If the user’s entry contains one or more certificates, require that one of them match the peer certificate.

  • never: Do not look for the peer certificate to be present in the user’s entry.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

enabled

Synopsis

Indicates whether the SASL mechanism handler is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.

Default value

org.opends.server.extensions.ExternalSASLMechanismHandler

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin action required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-only

No
Copyright © 2010-2023 ForgeRock, all rights reserved.