Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.
The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.
The GSSAPI SASL Mechanism Handler component inherits from the SASL Mechanism Handler
The following components have a direct aggregation relation from GSSAPI SASL Mechanism Handlers:
The properties supported by this managed object are as follows:
| Description | A description for this SASL Mechanism Handler |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the SASL mechanism handler is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the realm to be used for GSSAPI authentication. |
| Default Value | The server attempts to determine the realm from the underlying system configuration. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration. |
| Default Value | The server attempts to determine the KDC address from the underlying system configuration. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root. |
| Default Value | The server attempts to use the system-wide default keytab. |
| Allowed Values | A filesystem path |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the DNS-resolvable fully-qualified domain name for the system. |
| Default Value | The server attempts to determine the fully-qualified domain name dynamically if allow-null-server-fqdn is false, else, it will be left null. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the supported quality of protection (QoP) levels that clients will be permitted to request when performing GSSAPI authentication. |
| Default Value | auth auth-int auth-conf |
| Allowed Values | auth - Indicates that clients should be permitted to request the "auth" quality of protection (QoP) level, in which case GSSAPI will only be used for authentication and no additonal security layer will be configured for the connection after successfully authenticating. auth-int - Indicates that clients should be permitted to request the "auth-int" quality of protection (QoP) level, in which case integrity protection will be enabled for the connection after successfully authenticating so that communication between the client and server will be digitally signed to ensure it cannot be altered in transit. auth-conf - Indicates that clients should be permitted to request the "auth-conf" quality of protection (QoP) level, in which case integrity protection will be enabled for the connection after successfully authenticating so that communication between the client and server will be encrypted to ensure that it cannot be observed or altered in transit. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory. |
| Default Value | None |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
alternate-authorization-identity-mapper
| Description | Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to map the alternate authorization identity (if provided, and if different from the Kerberos principal used as the authentication identity) to the corresponding user in the directory. If no value is specified, then the mapper specified in the identity-mapper configuration property will be used. |
| Default Value | The mapper specified in the identity-mapper configuration property will be used. |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether to enable debugging for the Java GSSAPI provider. Debug information will be written to standard output, which should be captured in the server.out log file. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allow-null-server-fqdn (Advanced Property)
| Description | Specifies whether or not to allow a null value for the server-fqdn. If this is set to true, then we will not attempt to resolve a null server-fqdn. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
kerberos-service-principal (Advanced Property)
| Description | Specifies the Kerberos service principal that the Directory Server will use to identify itself to the KDC. If this is not provided, then the sun.security.krb5.principal system property may be used to specify the service principal. If an explicit service principal is not defined using either the configuration or a system property, then a default principal will be constructed with a service name of "ldap" and the fully-qualified domain name of the server (e.g., "ldap/directory.example.com"). |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
gssapi-role (Advanced Property)
| Description | Specifies the role that should be declared for the server in the generated JAAS configuration file. |
| Default Value | If no value is configured, then the generated JAAS configuration file will not explicitly specify the server's GSSAPI role. |
| Allowed Values | acceptor - Indicates that the server should act as a GSSAPI acceptor. initiator - Indicates that the server should act as a GSSAPI initiator. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jaas-config-file (Advanced Property)
| Description | Specifies the path to a JAAS (Java Authentication and Authorization Service) configuration file that provides the information that the JVM should use for Kerberos processing. If this is not provided, then a JAAS configuration file will be automatically generated by the server. A custom JAAS file should only be used in extraordinary conditions in which the automatically-generated JAAS configuration file is not sufficient. |
| Default Value | None |
| Allowed Values | A filesystem path |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured SASL Mechanism Handlers:
dsconfig list-sasl-mechanism-handlers
[--property {propertyName}] ...
To view the configuration for an existing SASL Mechanism Handler:
dsconfig get-sasl-mechanism-handler-prop
--handler-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing SASL Mechanism Handler:
dsconfig set-sasl-mechanism-handler-prop
--handler-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...