HP-UX Directory Server 8.1 administrator guide
NOTE:
When SASL maps are added over LDAP, they are not used by the server until it is restarted.
Adding the SASL map with ldapmodify adds the mapping to the end of the list, regardless of
its ASCII order.
13.3 Configuring SASL authentication at Directory Server startup
SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets can
be used for authentication. This is done by supplying a system configuration file that the init
scripts read, which sets the variable giving the keytab file location. When the init script
runs at Directory Server startup, SASL authentication is immediately active.
The default configuration file is in /etc/opt/dirsrv/config/dirsrv.
If there are multiple Directory Server instances and not all of them will use SASL authentication,
instance-specific configuration files can be created in that directory, named
dirsrv-instance (for example, dirsrv-example). The default dirsrv file can be used if
there is a single instance on a host.
To enable SASL authentication, uncomment the KRB5_KTNAME line in the /etc/opt/dirsrv/
config/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME
variable. For example:
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME
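Before restarting an instance, it is worth confirming that the KRB5_KTNAME line is really uncommented and that the keytab it names exists and is readable only by the server account, since the file holds the service principal's long-term key. The following check is an added example, not part of HP-UX Directory Server; the config file path is whatever the caller passes in, and the keytab path used in the usage comment is the placeholder from the guide.

```shell
#!/bin/sh
# Added example (not part of HP-UX Directory Server): sanity-check the
# KRB5_KTNAME setting in a dirsrv start-up file before restarting the
# instance. The config path is whatever the caller passes in.

# Print the value of an uncommented VAR=value assignment in FILE.
# Understands the "VAR=value ; export VAR" form used by the dirsrv file
# and ignores lines that are commented out with '#'. Returns 1 if unset.
config_value() {
    _file=$1; _var=$2
    _val=$(sed -n "s/^[[:space:]]*${_var}=\([^;[:space:]]*\).*/\1/p" "$_file" | tail -n 1)
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# Verify the keytab named by KRB5_KTNAME: it must be set, the file must
# exist, and it must not be readable by group or other, because it holds
# the service principal's long-term key. Prints one verdict word:
#   missing-var, missing-file, loose-perms or ok (exit status 0 only for ok).
check_keytab() {
    _cfg=$1
    _kt=$(config_value "$_cfg" KRB5_KTNAME) || { echo missing-var; return 1; }
    [ -f "$_kt" ] || { echo missing-file; return 1; }
    # columns 5-10 of "ls -ld" are the group and other permission bits
    _go=$(ls -ld "$_kt" | cut -c5-10)
    [ "$_go" = "------" ] || { echo loose-perms; return 1; }
    echo ok
}

# Usage: sh check_keytab.sh /etc/opt/dirsrv/config/dirsrv
if [ $# -gt 0 ]; then
    check_keytab "$1"
fi
```

Run it against the default file or an instance-specific dirsrv-instance file; anything other than ok means the server would come up without working GSS-API binds, or with a keytab that other local users can read.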
13.4 Using an external keytab
A default keytab file is specified in the Directory Server start script and is used by the Directory
Server automatically. However, it is possible to specify a different keytab file, referencing a
different principal, by manually running kinit, then specifying the cached credentials.
To use the cached kinit credentials, set the KRB5CCNAME variable in /etc/opt/dirsrv/config/dirsrv
to the credential cache location and obtain the ticket for the principal with kinit:
KRB5CCNAME=/tmp/krb_ccache ; export KRB5CCNAME
kinit principalname
# how to provide the password here is left as an exercise
# or kinit -k -t /path/to/file.keytab principalname
chown serveruid:serveruid $KRB5CCNAME
# so the server process can read it
# start a cred renewal "daemon"
( while XXX ; do sleep NNN ; kinit ..... ; done ) &
# the exit condition XXX and sleep interval NNN are left as an exercise
...
The server has no way to renew these cached credentials. The kinit process must be run
manually, external to the Directory Server processes, or the server could begin receiving SASL bind
failures when it attempts to use expired credentials.
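The guide leaves the renewal loop's exit condition and sleep interval open. The script below is an added example, not part of HP-UX Directory Server, that fills them in: it renews from the keytab (so no interactive password is needed), refreshes the cache a safety margin before the ticket lifetime runs out, and stops when the instance's pid file no longer names a live process. The pid file path and the names principalname, serveruid and /path/to/file.keytab are placeholders; KINIT is a hypothetical override so the loop can be exercised where no KDC is reachable.

```shell
#!/bin/sh
# Added example (not part of HP-UX Directory Server): a credential-renewal
# loop for an external keytab that fills in the exit condition and the
# sleep interval the guide leaves open. Assumptions: the principal's key
# is in a keytab (so kinit -k -t needs no password), the instance writes a
# pid file at a path the caller supplies, and KINIT can be overridden so
# the loop can be exercised where no KDC is reachable.
KINIT=${KINIT:-kinit}

# Get a fresh ticket for PRINCIPAL from KEYTAB into the cache $KRB5CCNAME,
# then hand the cache to the server account (OWNER) so the server process
# can read it, and keep it private to that account.
renew_credentials() {
    _keytab=$1; _principal=$2; _owner=$3
    "$KINIT" -k -t "$_keytab" "$_principal" || return 1
    chown "$_owner" "$KRB5CCNAME" || return 1
    chmod 600 "$KRB5CCNAME"
}

# Sleep interval (seconds): ticket lifetime minus a safety margin, so the
# cache is refreshed before the server could ever present an expired ticket.
renewal_interval() {
    _lifetime=$1; _margin=$2
    [ "$_lifetime" -gt "$_margin" ] || return 1
    echo $((_lifetime - _margin))
}

# Exit condition: keep renewing only while the instance's pid file names
# a live process.
server_running() {
    _pidfile=$1
    [ -r "$_pidfile" ] && kill -0 "$(cat "$_pidfile")" 2>/dev/null
}

# The renewal "daemon": renew once up front so the server starts with a
# valid cache, then re-run kinit every INTERVAL seconds while the server lives.
# Returns non-zero if a renewal fails, so a supervisor can notice.
renewal_loop() {
    _keytab=$1; _principal=$2; _owner=$3; _pidfile=$4; _interval=$5
    renew_credentials "$_keytab" "$_principal" "$_owner" || return 1
    while server_running "$_pidfile"; do
        sleep "$_interval"
        server_running "$_pidfile" || break
        renew_credentials "$_keytab" "$_principal" "$_owner" || return 1
    done
}

# Usage (names and paths are the guide's placeholders, not real values):
#   KRB5CCNAME=/tmp/krb_ccache ; export KRB5CCNAME
#   renewal_loop /path/to/file.keytab principalname serveruid \
#       /path/to/slapd-instance.pid "$(renewal_interval 36000 600)" &
```

Because the loop exits with a non-zero status when kinit fails, it can be run under a supervisor that alerts on exit; a silent renewal failure is exactly what produces the SASL bind failures described above.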