Latest update: 7.0.2
- About This Reference
- Subcommands
- create-access-control-handler
- create-access-log-filtering-criteria
- create-account-status-notification-handler
- create-alert-handler
- create-backend
- create-backend-index
- create-backend-vlv-index
- create-certificate-mapper
- create-connection-handler
- create-debug-target
- create-entry-cache
- create-extended-operation-handler
- create-global-access-control-policy
- create-group-implementation
- create-http-authorization-mechanism
- create-http-endpoint
- create-identity-mapper
- create-key-manager-provider
- create-log-publisher
- create-log-retention-policy
- create-log-rotation-policy
- create-mail-server
- create-password-generator
- create-password-policy
- create-password-storage-scheme
- create-password-validator
- create-plugin
- create-replication-domain
- create-replication-server
- create-sasl-mechanism-handler
- create-schema-provider
- create-service-discovery-mechanism
- create-synchronization-provider
- create-trust-manager-provider
- create-virtual-attribute
- delete-access-control-handler
- delete-access-log-filtering-criteria
- delete-account-status-notification-handler
- delete-alert-handler
- delete-backend
- delete-backend-index
- delete-backend-vlv-index
- delete-certificate-mapper
- delete-connection-handler
- delete-debug-target
- delete-entry-cache
- delete-extended-operation-handler
- delete-global-access-control-policy
- delete-group-implementation
- delete-http-authorization-mechanism
- delete-http-endpoint
- delete-identity-mapper
- delete-key-manager-provider
- delete-log-publisher
- delete-log-retention-policy
- delete-log-rotation-policy
- delete-mail-server
- delete-password-generator
- delete-password-policy
- delete-password-storage-scheme
- delete-password-validator
- delete-plugin
- delete-replication-domain
- delete-replication-server
- delete-sasl-mechanism-handler
- delete-schema-provider
- delete-service-discovery-mechanism
- delete-synchronization-provider
- delete-trust-manager-provider
- delete-virtual-attribute
- get-access-control-handler-prop
- get-access-log-filtering-criteria-prop
- get-account-status-notification-handler-prop
- get-administration-connector-prop
- get-alert-handler-prop
- get-backend-index-prop
- get-backend-prop
- get-backend-vlv-index-prop
- get-certificate-mapper-prop
- get-connection-handler-prop
- get-crypto-manager-prop
- get-debug-target-prop
- get-entry-cache-prop
- get-extended-operation-handler-prop
- get-global-access-control-policy-prop
- get-global-configuration-prop
- get-group-implementation-prop
- get-http-authorization-mechanism-prop
- get-http-endpoint-prop
- get-identity-mapper-prop
- get-key-manager-provider-prop
- get-log-publisher-prop
- get-log-retention-policy-prop
- get-log-rotation-policy-prop
- get-mail-server-prop
- get-password-generator-prop
- get-password-policy-prop
- get-password-storage-scheme-prop
- get-password-validator-prop
- get-plugin-prop
- get-plugin-root-prop
- get-replication-domain-prop
- get-replication-server-prop
- get-root-dse-backend-prop
- get-sasl-mechanism-handler-prop
- get-schema-provider-prop
- get-service-discovery-mechanism-prop
- get-synchronization-provider-prop
- get-trust-manager-provider-prop
- get-virtual-attribute-prop
- get-work-queue-prop
- list-access-control-handler
- list-access-log-filtering-criteria
- list-account-status-notification-handlers
- list-alert-handlers
- list-backend-indexes
- list-backend-vlv-indexes
- list-backends
- list-certificate-mappers
- list-connection-handlers
- list-debug-targets
- list-entry-caches
- list-extended-operation-handlers
- list-global-access-control-policies
- list-group-implementations
- list-http-authorization-mechanisms
- list-http-endpoints
- list-identity-mappers
- list-key-manager-providers
- list-log-publishers
- list-log-retention-policies
- list-log-rotation-policies
- list-mail-servers
- list-password-generators
- list-password-policies
- list-password-storage-schemes
- list-password-validators
- list-plugins
- list-properties
- list-replication-domains
- list-replication-server
- list-sasl-mechanism-handlers
- list-schema-providers
- list-service-discovery-mechanisms
- list-synchronization-providers
- list-trust-manager-providers
- list-virtual-attributes
- set-access-control-handler-prop
- set-access-log-filtering-criteria-prop
- set-account-status-notification-handler-prop
- set-administration-connector-prop
- set-alert-handler-prop
- set-backend-index-prop
- set-backend-prop
- set-backend-vlv-index-prop
- set-certificate-mapper-prop
- set-connection-handler-prop
- set-crypto-manager-prop
- set-debug-target-prop
- set-entry-cache-prop
- set-extended-operation-handler-prop
- set-global-access-control-policy-prop
- set-global-configuration-prop
- set-group-implementation-prop
- set-http-authorization-mechanism-prop
- set-http-endpoint-prop
- set-identity-mapper-prop
- set-key-manager-provider-prop
- set-log-publisher-prop
- set-log-retention-policy-prop
- set-log-rotation-policy-prop
- set-mail-server-prop
- set-password-generator-prop
- set-password-policy-prop
- set-password-storage-scheme-prop
- set-password-validator-prop
- set-plugin-prop
- set-plugin-root-prop
- set-replication-domain-prop
- set-replication-server-prop
- set-root-dse-backend-prop
- set-sasl-mechanism-handler-prop
- set-schema-provider-prop
- set-service-discovery-mechanism-prop
- set-synchronization-provider-prop
- set-trust-manager-provider-prop
- set-virtual-attribute-prop
- set-work-queue-prop
- Objects
- Access Control Handler
- Access Log Filtering Criteria
- Access Log Publisher
- Account Status Notification Handler
- cn=admin data Trust Manager Provider
- Admin Endpoint
- Administration Connector
- AES Password Storage Scheme
- Alert Handler
- Alive HTTP endpoint
- Anonymous SASL Mechanism Handler
- Attribute Cleanup Plugin
- Attribute Value Password Validator
- Authentication Policy
- Backend
- Backend Index
- Backend VLV Index
- Base64 Password Storage Scheme
- Bcrypt Password Storage Scheme
- Blind Trust Manager Provider
- Blowfish Password Storage Scheme
- Cancel Extended Operation Handler
- Certificate Mapper
- Change Number Control Plugin
- Character Set Password Validator
- Clear Password Storage Scheme
- Collective Attribute Subentries Virtual Attribute
- Common Audit Access Log Publisher
- Connection Handler
- Console Error Log Publisher
- Core Schema
- CRAM-MD5 SASL Mechanism Handler
- Common REST Metrics HTTP Endpoint
- Crypt Password Storage Scheme
- Crypto Manager
- CSV File Access Log Publisher
- CSV File HTTP Access Log Publisher
- Debug Log Publisher
- Debug Target
- Dictionary Password Validator
- DIGEST-MD5 SASL Mechanism Handler
- DSEE Compatible Access Control Handler
- Dynamic Group Implementation
- Entity Tag Virtual Attribute
- Entry Cache
- entryDN Virtual Attribute
- entryUUID Plugin
- entryUUID Virtual Attribute
- Error Log Account Status Notification Handler
- Error Log Publisher
- Exact Match Identity Mapper
- Extended Operation Handler
- External Access Log Publisher
- External HTTP Access Log Publisher
- External SASL Mechanism Handler
- FIFO Entry Cache
- File Based Access Log Publisher
- File Based Audit Log Publisher
- File Based Debug Log Publisher
- File Based Error Log Publisher
- File Based HTTP Access Log Publisher
- File Based Key Manager Provider
- File Based Trust Manager Provider
- File Count Log Retention Policy
- Fingerprint Certificate Mapper
- Fixed Time Log Rotation Policy
- Fractional LDIF Import Plugin
- Free Disk Space Log Retention Policy
- Get Connection ID Extended Operation Handler
- Get Symmetric Key Extended Operation Handler
- Global Configuration
- Global Access Control Policy
- Governing Structure Rule Virtual Attribute
- Graphite Monitor Reporter Plugin
- Group Implementation
- GSSAPI SASL Mechanism Handler
- Has Subordinates Virtual Attribute
- Healthy HTTP endpoint
- HTTP Access Log Publisher
- HTTP Anonymous Authorization Mechanism
- HTTP Authorization Mechanism
- HTTP Basic Authorization Mechanism
- HTTP Connection Handler
- HTTP Endpoint
- HTTP OAuth2 Authorization Mechanism
- HTTP OAuth2 CTS Authorization Mechanism
- HTTP OAuth2 File Based Authorization Mechanism
- HTTP OAuth2 OpenAM Authorization Mechanism
- HTTP OAuth2 Token Introspection (RFC 7662) Authorization Mechanism
- Identity Mapper
- Is Member Of Virtual Attribute
- JE Backend
- JMX Alert Handler
- JMX Connection Handler
- JSON Equality Matching Rule
- JSON File Based Access Log Publisher
- JSON File Based HTTP Access Log Publisher
- JSON Ordering Matching Rule
- JSON Query Equality Matching Rule
- Key Manager Provider
- Last Mod Plugin
- LDAP Attribute Description List Plugin
- LDAP Connection Handler
- LDAP Key Manager Provider
- LDAP Pass Through Authentication Policy
- LDAP Trust Manager Provider
- LDIF Backend
- LDIF Connection Handler
- Length Based Password Validator
- Local Backend
- Log Publisher
- Log Retention Policy
- Log Rotation Policy
- Mail Server
- MD5 Password Storage Scheme
- Member Virtual Attribute
- Memory Backend
- Monitor Backend
- Null Backend
- Num Subordinates Virtual Attribute
- Password Expiration Time Virtual Attribute
- Password Generator
- Password Modify Extended Operation Handler
- Password Policy
- Password Policy Import Plugin
- Password Policy State Extended Operation Handler
- Password Policy Subentry Virtual Attribute
- Password Storage Scheme
- Password Validator
- PBKDF2-HMAC-SHA256 Password Storage Scheme
- PBKDF2-HMAC-SHA512 Password Storage Scheme
- PBKDF2 Password Storage Scheme
- PKCS#11 Key Manager Provider
- PKCS#11 Trust Manager Provider
- PKCS#5 V2.0 Scheme 2 Password Storage Scheme
- Plain SASL Mechanism Handler
- Pluggable Backend
- Plugin
- Plugin Root
- Policy Based Access Control Handler
- Prometheus HTTP Endpoint
- Proxy Backend
- Random Password Generator
- RC4 Password Storage Scheme
- Referential Integrity Plugin
- Regular Expression Identity Mapper
- Repeated Characters Password Validator
- Replication Domain
- Replication Server
- Replication Service Discovery Mechanism
- Replication Synchronization Provider
- Rest2LDAP Endpoint
- Root DSE Backend
- Salted MD5 Password Storage Scheme
- Salted SHA-1 Password Storage Scheme
- Salted SHA-256 Password Storage Scheme
- Salted SHA-384 Password Storage Scheme
- Salted SHA-512 Password Storage Scheme
- Samba Password Plugin
- SASL Mechanism Handler
- Schema Backend
- Schema Provider
- SCRAM-SHA-256 Password Storage Scheme
- SCRAM-SHA-256 SASL Mechanism Handler
- SCRAM-SHA-512 Password Storage Scheme
- SCRAM-SHA-512 SASL Mechanism Handler
- Service Discovery Mechanism
- Seven Bit Clean Plugin
- SHA-1 Password Storage Scheme
- Similarity Based Password Validator
- Size Limit Log Retention Policy
- Size Limit Log Rotation Policy
- SMTP Account Status Notification Handler
- SMTP Alert Handler
- SNMP Connection Handler
- Soft Reference Entry Cache
- StartTLS Extended Operation Handler
- Static Group Implementation
- Static Service Discovery Mechanism
- Structural Object Class Virtual Attribute
- Subject Attribute To User Attribute Certificate Mapper
- Subject DN To User Attribute Certificate Mapper
- Subject Equals DN Certificate Mapper
- Subschema Subentry Virtual Attribute
- Synchronization Provider
- Task Backend
- Time Limit Log Rotation Policy
- Traditional Work Queue
- Triple-DES Password Storage Scheme
- Trust Manager Provider
- Unique Attribute Plugin
- Unique Characters Password Validator
- User Defined Virtual Attribute
- Virtual Attribute
- Virtual Static Group Implementation
- Who Am I Extended Operation Handler
- Work Queue
- Properties
- Duration Syntax
- Size Syntax
- Property Value Substitution
GSSAPI SASL Mechanism Handler
The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.
The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.
Parent
The GSSAPI SASL Mechanism Handler object inherits from SASL Mechanism Handler.
GSSAPI SASL Mechanism Handler Properties
You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.
| Basic Properties | Advanced Properties | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
Basic Properties
enabled
| Synopsis | Indicates whether the SASL mechanism handler is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-valued | No |
| Required | Yes |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
identity-mapper
| Synopsis | Specifies the name(s) of the identity mapper(s) that are to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory. |
| Default Value | None |
| Allowed Values | The name of an existing Identity Mapper . The referenced identity mapper(s) must be enabled when the GSSAPI SASL Mechanism Handler is enabled. |
| Multi-valued | Yes |
| Required | Yes |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
kdc-address
| Synopsis | Specifies the address of the KDC that is to be used for Kerberos processing. |
| Description | If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration. |
| Default Value | The server attempts to determine the KDC address from the underlying system configuration. |
| Allowed Values | A string. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
keytab
| Synopsis | Specifies the path to the keytab file that should be used for Kerberos processing. |
| Description | If provided, this is either an absolute path or one that is relative to the server instance root. |
| Default Value | The server attempts to use the system-wide default keytab. |
| Allowed Values | A string. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
principal-name
| Synopsis | Specifies the principal name. |
| Description | It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/". |
| Default Value | The server attempts to determine the principal name from the underlying system configuration. |
| Allowed Values | A string. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
quality-of-protection
| Synopsis | The name of a property that specifies the quality of protection the server will support. |
| Default Value | none |
| Allowed Values | confidentiality: Quality of protection equals authentication with integrity and confidentiality protection. integrity: Quality of protection equals authentication with integrity protection. none: QOP equals authentication only. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
realm
| Synopsis | Specifies the realm to be used for GSSAPI authentication. |
| Default Value | The server attempts to determine the realm from the underlying system configuration. |
| Allowed Values | A string. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
server-fqdn
| Synopsis | Specifies the DNS-resolvable fully-qualified domain name for the system. |
| Default Value | The server attempts to determine the fully-qualified domain name dynamically . |
| Allowed Values | A string. |
| Multi-valued | No |
| Required | No |
| Admin Action Required | None |
| Advanced | No |
| Read-Only | No |
Advanced Properties
Use the --advanced option to access advanced properties.
java-class
| Synopsis | Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation. |
| Default Value | org.opends.server.extensions.GSSAPISASLMechanismHandler |
| Allowed Values | A Java class that extends or implements:
|
| Multi-valued | No |
| Required | Yes |
| Admin Action Required | The object must be disabled and re-enabled for changes to take effect. |
| Advanced | Yes |
| Read-Only | No |