9.10. Using Kerberos GSS-API with SASL
9.10.1. Authentication Mechanisms for SASL in Directory Server
- Generic Security Services (GSS-API). Generic Security Services (GSS) is a security API that is the native way for UNIX-based operating systems to access and authenticate Kerberos services. GSS-API also supports session encryption, similar to TLS. This allows LDAP clients to authenticate with the server using Kerberos version 5 credentials (tickets) and to use network session encryption.For Directory Server to use GSS-API, Kerberos must be configured on the host machine. See Section 9.10, “Using Kerberos GSS-API with SASL”.
NoteGSS-API and, thus, Kerberos are only supported on platforms that have GSS-API support. To use GSS-API, it may be necessary to install the Kerberos client libraries; any required Kerberos libraries will be available through the operating system vendor.
9.10.2. About Kerberos in Directory Server
126.96.36.199. About Principals and Realms
engineeringrealm of the European division of
example.comuses the following association to access a server in the US realm:
US.example.com, does not have to specify a realm when to access a local server:
188.8.131.52. About the KDC Server and Keytabs
ldapservice name in a Kerberos principal. For example:
9.10.3. Configuring SASL Authentication at Directory Server Startup
dirsrv-instance. For example,
dirsrv-example. The default
dirsrvfile can be used if there is a single instance on a host.
KRB5_KTNAMEline in the
/etc/sysconfig/dirsrv(or instance-specific) file, and set the keytab location for the
KRB5_KTNAMEvariable. For example:
# In order to use SASL/GSSAPI the directory # server needs to know where to find its keytab # file - uncomment the following line and set # the path and filename appropriately KRB5_KTNAME=