Configuration Reference Home
OpenDJ - GSSAPI SASL Mechanism Handler

GSSAPI SASL Mechanism Handler

The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.

The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.

Parent Component

The GSSAPI SASL Mechanism Handler component inherits from the SASL Mechanism Handler

Relations From this Component

The following components have a direct AGGREGATION relation FROM GSSAPI SASL Mechanism Handlers :

Properties

A description of each property follows.


Basic Properties: Advanced Properties:
↓ enabled ↓ java-class
↓ identity-mapper
↓ kdc-address
↓ keytab
↓ principal-name
↓ quality-of-protection
↓ realm
↓ server-fqdn

Basic Properties

enabled

Description
Indicates whether the SASL mechanism handler is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

identity-mapper

Description
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
Default Value
None
Allowed Values
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
Multi-valued
No
Required
Yes
Admin Action Required
None
Advanced Property
No
Read-only
No

kdc-address

Description
Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
Default Value
The server attempts to determine the KDC address from the underlying system configuration.
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

keytab

Description
Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
Default Value
The server attempts to use the system-wide default keytab.
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

principal-name

Description
Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
Default Value
The server attempts to determine the principal name from the underlying system configuration.
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

quality-of-protection

Description
The name of a property that specifies the quality of protection the server will support.
Default Value
none
Allowed Values
confidentiality - Quality of protection equals authentication with integrity and confidentiality protection.

integrity - Quality of protection equals authentication with integrity protection.

none - QOP equals authentication only.


Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

realm

Description
Specifies the realm to be used for GSSAPI authentication.
Default Value
The server attempts to determine the realm from the underlying system configuration.
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No

server-fqdn

Description
Specifies the DNS-resolvable fully-qualified domain name for the system.
Default Value
The server attempts to determine the fully-qualified domain name dynamically .
Allowed Values
A String
Multi-valued
No
Required
No
Admin Action Required
None
Advanced Property
No
Read-only
No


Advanced Properties

java-class

Description
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
Default Value
org.opends.server.extensions.GSSAPISASLMechanismHandler
Allowed Values
A java class that implements or extends the class(es) :
org.opends.server.api.SASLMechanismHandler
Multi-valued
No
Required
Yes
Admin Action Required
The GSSAPI SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Advanced Property
Yes
Read-only
No