LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Administering LDAP-UX Client Services
SASL GSSAPI Support
Chapter 4
5. LDAP-UX Client Services sends the service ticket and binds to the
LDAP directory server.
6. LDAP-UX Client Services verifies the received information and
authenticates the LDAP client.
Proxy User
SASL/GSSAPI authentication is supported only for proxy user
authentication for the name service subsystem. When a proxy is
configured, you use either a user or service principal as the proxy user.
User Principal
The user principal must be configured in the KDC. The user principal
can be specified with a realm (for example, user1@CUP.HP.COM) or
without a realm (for example, user1). When no realm is specified, the
realm information is retrieved from /etc/krb5.conf. The credential
(password) is the same one used to create the user principal in the KDC.
Service/Host Principal
A Kerberos keytab file contains service or host principals and their
associated key information. Users can choose to bind using the service
or host keys. The keytab file may contain multiple principals and keys.
Users may configure which service key to use. For example, the following
/etc/krb5.keytab file contains two principals:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
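Added example (not part of the HP guide or of LDAP-UX): a minimal reader for a keytab in the standard MIT layout, version 0x0502, that lists each principal with its key version number as `klist -k` does and confirms that the principal you intend to configure is present. The function names, the constructed sample with all-zero keys, the assumption that the file uses this layout, and applying a default realm to a service principal are assumptions made for illustration.

```python
import struct

def _cs(b):
    """Counted string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype=23, key=b"\x00" * 16):
    """Constructed sample data only: one keytab entry with an all-zero key."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + _cs(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size: hole left by a deleted entry
            pos -= size
            continue
        p, end = pos, pos + size
        def cstr():
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p]
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = cstr().decode()
        name = "/".join(cstr().decode() for _ in range(ncomp))
        _type, _ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        p += 11
        cstr()                        # step over the key; never print or log it
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or kvno
        out.append((f"{name}@{realm}", kvno, enctype))
        pos = end
    return out

def find_principal(entries, name, default_realm):
    """Entries matching a configured principal; default_realm fills a missing realm."""
    full = name if "@" in name else f"{name}@{default_realm}"
    return [e for e in entries if e[0] == full]

# Constructed sample mirroring the two principals in the klist output above.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(p, 1) for p in ("ldapux/hpntc10.cup.hp.com@HP.COM",
                                "host/hpntc10.cup.hp.com@HP.COM"))
```

An empty result from `find_principal` means the configured name or realm does not match any key in the file, which is worth checking before configuring that principal as the proxy user.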
Configuring a Principal as the Proxy User
The following describes three different ways to configure a principal as
the proxy user:
Configure a user principal:
Use ldap_proxy_config -i or “-d and -c” to enter a Kerberos user
principal and its credential (i.e. password).