GSSAPI SASL Mechanism Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The GSSAPI SASL mechanism performs all processing related to SASL GSSAPI authentication using Kerberos V5.

The GSSAPI SASL mechanism provides the ability for clients to authenticate themselves to the server using existing authentication in a Kerberos environment. This mechanism provides the ability to achieve single sign-on for Kerberos-based clients.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The GSSAPI SASL Mechanism Handler component inherits from the SASL Mechanism Handler

Relations from This Component

The following components have a direct aggregation relation from GSSAPI SASL Mechanism Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  allow-null-server-fqdn
 enabled  kerberos-service-principal
 realm  gssapi-role
 kdc-address  jaas-config-file
 keytab
 server-fqdn
 allowed-quality-of-protection
 identity-mapper
 alternate-authorization-identity-mapper
 enable-debug

Basic Properties

description

Description
A description for this SASL Mechanism Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the SASL mechanism handler is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

realm

Description
Specifies the realm to be used for GSSAPI authentication.
Default Value
The server attempts to determine the realm from the underlying system configuration.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

kdc-address

Description
Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
Default Value
The server attempts to determine the KDC address from the underlying system configuration.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

keytab

Description
Specifies the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
Default Value
The server attempts to use the system-wide default keytab.
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

server-fqdn

Description
Specifies the DNS-resolvable fully-qualified domain name for the system.
Default Value
The server attempts to determine the fully-qualified domain name dynamically if allow-null-server-fqdn is false, else, it will be left null.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

allowed-quality-of-protection

Description
Specifies the supported quality of protection (QoP) levels that clients will be permitted to request when performing GSSAPI authentication.
Default Value
auth
auth-int
auth-conf
Allowed Values
auth - Indicates that clients should be permitted to request the "auth" quality of protection (QoP) level, in which case GSSAPI will only be used for authentication and no additonal security layer will be configured for the connection after successfully authenticating.

auth-int - Indicates that clients should be permitted to request the "auth-int" quality of protection (QoP) level, in which case integrity protection will be enabled for the connection after successfully authenticating so that communication between the client and server will be digitally signed to ensure it cannot be altered in transit.

auth-conf - Indicates that clients should be permitted to request the "auth-conf" quality of protection (QoP) level, in which case integrity protection will be enabled for the connection after successfully authenticating so that communication between the client and server will be encrypted to ensure that it cannot be observed or altered in transit.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

identity-mapper

Description
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
Default Value
None
Allowed Values
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

alternate-authorization-identity-mapper

Description
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to map the alternate authorization identity (if provided, and if different from the Kerberos principal used as the authentication identity) to the corresponding user in the directory. If no value is specified, then the mapper specified in the identity-mapper configuration property will be used.
Default Value
The mapper specified in the identity-mapper configuration property will be used.
Allowed Values
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enable-debug

Description
Indicates whether to enable debugging for the Java GSSAPI provider. Debug information will be written to standard output, which should be captured in the server.out log file.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


Advanced Properties

allow-null-server-fqdn (Advanced Property)

Description
Specifies whether or not to allow a null value for the server-fqdn. If this is set to true, then we will not attempt to resolve a null server-fqdn.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

kerberos-service-principal (Advanced Property)

Description
Specifies the Kerberos service principal that the Directory Server will use to identify itself to the KDC. If this is not provided, then the sun.security.krb5.principal system property may be used to specify the service principal. If an explicit service principal is not defined using either the configuration or a system property, then a default principal will be constructed with a service name of "ldap" and the fully-qualified domain name of the server (e.g., "ldap/directory.example.com").
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

gssapi-role (Advanced Property)

Description
Specifies the role that should be declared for the server in the generated JAAS configuration file.
Default Value
If no value is configured, then the generated JAAS configuration file will not explicitly specify the server's GSSAPI role.
Allowed Values
acceptor - Indicates that the server should act as a GSSAPI acceptor.

initiator - Indicates that the server should act as a GSSAPI initiator.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

jaas-config-file (Advanced Property)

Description
Specifies the path to a JAAS (Java Authentication and Authorization Service) configuration file that provides the information that the JVM should use for Kerberos processing. If this is not provided, then a JAAS configuration file will be automatically generated by the server. A custom JAAS file should only be used in extraordinary conditions in which the automatically-generated JAAS configuration file is not sufficient.
Default Value
None
Allowed Values
A filesystem path
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured SASL Mechanism Handlers:

dsconfig list-sasl-mechanism-handlers
     [--property {propertyName}] ...

To view the configuration for an existing SASL Mechanism Handler:

dsconfig get-sasl-mechanism-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing SASL Mechanism Handler:

dsconfig set-sasl-mechanism-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...