GSSAPI SASL Mechanism Handler
The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.
The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.
Parent
The GSSAPI SASL Mechanism Handler object inherits from SASL Mechanism Handler.
GSSAPI SASL Mechanism Handler properties
You can use configuration expressions to set property values at startup time. For details, see Property value substitution.
Basic Properties | Advanced Properties |
---|---|
enabled |
enabled
Synopsis |
Indicates whether the SASL mechanism handler is enabled for use. |
Default value |
None |
Allowed values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
identity-mapper
Synopsis |
Specifies the name(s) of the identity mapper(s) that are to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory. |
Default value |
None |
Allowed values |
The name of an existing identity-mapper. The referenced identity mapper(s) must be enabled when the GSSAPI SASL Mechanism Handler is enabled. |
Multi-valued |
Yes |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
kdc-address
Synopsis |
Specifies the address of the KDC that is to be used for Kerberos processing. |
Description |
If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration. |
Default value |
The server attempts to determine the KDC address from the underlying system configuration. |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
keytab
Synopsis |
Specifies the path to the keytab file that should be used for Kerberos processing. |
Description |
If provided, this is either an absolute path or one that is relative to the server instance root. |
Default value |
The server attempts to use the system-wide default keytab. |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
principal-name
Synopsis |
Specifies the principal name. |
Description |
It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/". |
Default value |
The server attempts to determine the principal name from the underlying system configuration. |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
quality-of-protection
Synopsis |
The name of a property that specifies the quality of protection the server will support. |
Default value |
none |
Allowed values |
|
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
Advanced properties
Use the --advanced
option to access advanced properties.
bind-to-server-fqdn
Synopsis |
Specifies if the server should bind to the server-fqdn or whether to try to run "unbound". |
Description |
The SASL server usually binds to the server-fqdn. By setting GSSAPI SASL Mechanism Handler to false, the server will not bind to a server name. Some SASL implementations are likely to also require the principal name to be "*" and have no realm specified, or may not support running "unbound" altogether. |
Default value |
true |
Allowed values |
true false |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
Yes |
Read-only |
No |
java-class
Synopsis |
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation. |
Default value |
org.opends.server.extensions.GSSAPISASLMechanismHandler |
Allowed values |
A Java class that extends or implements:
|
Multi-valued |
No |
Required |
Yes |
Admin action required |
The object must be disabled and re-enabled for changes to take effect. |
Advanced |
Yes |
Read-only |
No |