Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact UnboundID support for assistance if you believe that you have a need to create or modify this type of object.
The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.
The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.
↓Parent Component
↓Relations To this Component
↓Properties
↓dsconfig Usage
The GSSAPI SASL Mechanism Handler component inherits from the SASL Mechanism Handler
The following components have a direct aggregation relation from GSSAPI SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ kerberos-service-principal |
| ↓ enabled | ↓ jaas-config-file |
| ↓ realm | |
| ↓ kdc-address | |
| ↓ keytab | |
| ↓ server-fqdn | |
| ↓ identity-mapper | |
| ↓ enable-debug |
| Description | A description for this SASL Mechanism Handler |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the SASL mechanism handler is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the realm to be used for GSSAPI authentication. |
| Default Value | The server attempts to determine the realm from the underlying system configuration. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration. |
| Default Value | The server attempts to determine the KDC address from the underlying system configuration. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root. |
| Default Value | The server attempts to use the system-wide default keytab. |
| Allowed Values | Unknown |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the DNS-resolvable fully-qualified domain name for the system. |
| Default Value | The server attempts to determine the fully-qualified domain name dynamically . |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether to enable debugging for the Java GSSAPI provider. Debug information will be written to standard output, which should be captured in the server.out log file. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
kerberos-service-principal (Advanced Property)
| Description | Specifies the Kerberos service principal that the Metrics Engine will use to identify itself to the KDC. If this is not provided, then the sun.security.krb5.principal system property may be used to specify the service principal. If an explicit service principal is not defined using either the configuration or a system property, then a default principal will be constructed with a service name of "ldap" and the fully-qualified domain name of the server (e.g., "ldap/directory.example.com"). |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jaas-config-file (Advanced Property)
| Description | Specifies the path to a JAAS (Java Authentication and Authorization Service) configuration file that provides the information that the JVM should use for Kerberos processing. If this is not provided, then a JAAS configuration file will be automatically generated by the server. A custom JAAS file should only be used in extraordinary conditions in which the automatically-generated JAAS configuration file is not sufficient. |
| Default Value | None |
| Allowed Values | Unknown |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured SASL Mechanism Handlers:
dsconfig list-sasl-mechanism-handlers
[--property {propertyName}] ...
To view the configuration for an existing SASL Mechanism Handler:
dsconfig get-sasl-mechanism-handler-prop
--handler-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing SASL Mechanism Handler:
dsconfig set-sasl-mechanism-handler-prop
--handler-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new GSSAPI SASL Mechanism Handler:
dsconfig create-sasl-mechanism-handler
--handler-name {name}
--type gssapi
--set enabled:{propertyValue}
--set identity-mapper:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing SASL Mechanism Handler:
dsconfig delete-sasl-mechanism-handler
--handler-name {name}