LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

6.3 SASL/GSSAPI support
LDAP-UX Client Services includes support for the SASL / Generic Security Services Application
Programming Interface (GSSAPI) authentication method for Kerberos v5. Currently, Kerberos v5
is the only security mechanism that is implemented to work with GSSAPI. For this release, we
provide SASL/GSSAPI authentication method support only for Microsoft Windows 2003 R2 or
2008 Active Directory. SASL/GSSAPI authentication is only for proxy user authentication for the
name service subsystem. Host, service or other principals may be used for the LDAP-UX proxy
identity. Because SASL/GSSAPI is only used for proxy authentication, user authentication to a
Windows domain should still be configured using PAM_KERBEROS.
For information on the realm, principal, keytab and credential cache definitions used by the
SASL/GSSAPI authentication, refer to Configuration Guide For Kerberos Product on HP-UX and
Installing, Configuring and Administering The Kerberos Server on HP-UX 11i at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
6.3.1 How SASL/GSSAPI works
Figure 8 SASL/GSSAPI environment (figure: KDC server hosting the AS and TGS, LDAP-UX Client Services, and Windows Active Directory; the numbered arrows 1 to 6 correspond to the steps below)
The following describes how LDAP-UX binds a client using SASL/GSSAPI to the directory server
shown in Figure 8:
1. The LDAP-UX Client Service sends the principal name and password to the Authentication Server
(AS).
2. The AS validates the principal and sends a Ticket Granting Ticket (TGT) and associated session
key to the LDAP-UX Client Services. LDAP-UX Client Services stores the TGT and session key
information in the credential cache, /etc/opt/ldapux/krb5cc_ldap_gssapi.
3. LDAP-UX Client Services uses the TGT and requests a service ticket from Ticket Granting Service
(TGS).
4. TGS sends the service ticket and other information to LDAP-UX Client Services.
5. LDAP-UX Client Services sends the service ticket and binds to the directory server.
6. LDAP-UX Client Services verifies the received information and authenticates the LDAP client.
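The six steps above, modelled end to end as an added example. This is not LDAP-UX or HP code and not the Kerberos wire format: the tickets, session keys and authenticators are sealed with a constructed encrypt-then-MAC scheme built from HMAC-SHA256 so that the model runs offline with the Python standard library. The principal name user1, the realm CUP.HP.COM, the service principal ldap/ad-server.example and all passwords and key material are constructed values; the AS reply is sealed under a key derived from the client's password, so a wrong password fails at step 2 before anything reaches the TGS or the directory server, and both the TGS and the directory server reject expired tickets and stale authenticators.

```python
"""Toy model of the six-step Kerberos v5 exchange behind an LDAP-UX SASL/GSSAPI bind.
Added illustration, not LDAP-UX code and not the Kerberos wire format: tickets are sealed
with a constructed encrypt-then-MAC scheme (HMAC-SHA256 keystream + tag), stdlib only."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 600  # seconds; constructed value
CLOCK_SKEW = 300       # tolerance for authenticator timestamps, as Kerberos does

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a small dict under key (stand-in for Kerberos encryption)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key, blob):
    """Verify the tag, then decrypt; ValueError on a wrong key or tampering."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password, salt):
    """Long-term key from a principal's password (stand-in for string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def check_authenticator(ticket_body, authenticator):
    """Used by both TGS and LDAP server: ticket unexpired, authenticator fresh and matching."""
    if ticket_body["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket_body["session"]), authenticator)
    if auth["client"] != ticket_body["client"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(auth["time"] - time.time()) > CLOCK_SKEW:
        raise ValueError("authenticator outside clock-skew window")
    return ticket_body["client"]

class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) in one object."""
    def __init__(self, realm, long_term_keys):
        self.realm, self.keys = realm, long_term_keys  # principal name -> long-term key
        self.tgs_key = os.urandom(32)                  # key under which TGTs are sealed

    def as_exchange(self, principal):
        """Steps 1-2: TGT sealed for the TGS, session key sealed under the client's key."""
        if principal not in self.keys:
            raise ValueError("unknown principal")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "session": session,
                                  "expires": time.time() + TICKET_LIFETIME})
        return {"tgt": tgt, "enc_part": seal(self.keys[principal], {"session": session})}

    def tgs_exchange(self, tgt, authenticator, service):
        """Steps 3-4: validate TGT + authenticator, issue a ticket for the named service."""
        body = unseal(self.tgs_key, tgt)
        client = check_authenticator(body, authenticator)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": svc_session,
                                           "expires": time.time() + TICKET_LIFETIME})
        return {"ticket": ticket,
                "enc_part": seal(bytes.fromhex(body["session"]), {"session": svc_session})}

class LDAPServer:
    def __init__(self, service_principal, key):
        self.name, self.key = service_principal, key

    def sasl_bind(self, ticket, authenticator):
        """Directory server side of steps 5-6: verify the service ticket, name the client."""
        return check_authenticator(unseal(self.key, ticket), authenticator)

def gssapi_bind(kdc, ldap, principal, password):
    """Client side of steps 1-6; returns the principal name the server authenticated."""
    client_key = derive_key(password, kdc.realm + principal)
    rep = kdc.as_exchange(principal)                            # step 1
    session = bytes.fromhex(unseal(client_key, rep["enc_part"])["session"])
    ccache = {"tgt": rep["tgt"], "session": session}            # step 2: the credential cache
    auth = seal(session, {"client": principal, "time": time.time()})
    tgs_rep = kdc.tgs_exchange(ccache["tgt"], auth, ldap.name)  # steps 3-4
    svc_session = bytes.fromhex(unseal(session, tgs_rep["enc_part"])["session"])
    auth = seal(svc_session, {"client": principal, "time": time.time()})
    return ldap.sasl_bind(tgs_rep["ticket"], auth)              # steps 5-6

def demo(password="constructed-password"):
    """Constructed realm (CUP.HP.COM is the guide's example); None when the bind is rejected."""
    realm, ldap_key = "CUP.HP.COM", os.urandom(32)
    kdc = KDC(realm, {"user1": derive_key("constructed-password", realm + "user1"),
                      "ldap/ad-server.example": ldap_key})
    ldap = LDAPServer("ldap/ad-server.example", ldap_key)
    try:
        return gssapi_bind(kdc, ldap, "user1", password)
    except ValueError:
        return None
```

`demo()` returns `"user1"` for the constructed password and `None` for any other, which is the property the real deployment relies on: the proxy identity in the credential cache is only usable by a client that could decrypt the AS reply, and the directory server never sees the password at all.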
6.3.2 Proxy user
SASL/GSSAPI authentication is only for proxy user authentication for the name service subsystem.
When proxy is configured, you use either a user or service principal as a proxy user.
6.3.2.1 User principal
The user principal must be configured in the KDC. The user principal can be specified with a realm
(for example, user1@CUP.HP.COM) or without a realm (for example, user1). When no realm is