LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

7.3.1 How SASL/GSSAPI works
Figure 14 SASL/GSSAPI environment (diagram: LDAP-UX Client Services, a KDC Server containing the AS and TGS, and Windows Active Directory, connected by the numbered exchanges 1 to 6 described below)
The following describes how LDAP-UX binds a client using SASL/GSSAPI to the directory server shown in Figure 14:
1. LDAP-UX Client Services sends the principal name and password to the Authentication Server (AS).
2. The AS validates the principal and sends a Ticket Granting Ticket (TGT) and associated session key to LDAP-UX Client Services. LDAP-UX Client Services stores the TGT and session key information in the credential cache, /etc/opt/ldapux/krb5cc_ldap_gssapi.
3. LDAP-UX Client Services uses the TGT to request a service ticket from the Ticket Granting Service (TGS).
4. The TGS sends the service ticket and other information to LDAP-UX Client Services.
5. LDAP-UX Client Services sends the service ticket and binds to the directory server.
6. LDAP-UX Client Services verifies the received information and authenticates the LDAP client.
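The six steps above, played out end to end as an added example (not LDAP-UX code and not HP's implementation). The realm EXAMPLE.COM, the proxy principal ldapux-proxy, the service principal ldap/dc1.example.com, the passwords and the toy sealing function are all constructed for illustration; a real KDC speaks ASN.1 Kerberos messages, encrypts tickets with AES and keeps a replay cache. The point it shows is which key unlocks which message: the AS reply is readable only with the proxy user's password-derived key, the TGT only with the TGS key, and the service ticket only with the directory server's own key, so a wrong proxy password fails at step 2 before any ticket is presented to the server.

```python
# Added example (not LDAP-UX code): a simulated Kerberos AS/TGS/service exchange.
# Realm, principals, passwords and the toy sealing function are constructed;
# real Kerberos uses ASN.1 messages, AES ticket encryption and a replay cache.
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"
PROXY = f"ldapux-proxy@{REALM}"             # proxy user principal
TGS = f"krbtgt/{REALM}@{REALM}"             # Ticket Granting Service
LDAP_SVC = f"ldap/dc1.example.com@{REALM}"  # directory server's service principal
LIFETIME = 10 * 3600                        # ticket lifetime, seconds


def string_to_key(password, principal):
    """Long-term key from a password (PBKDF2 stands in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object. Illustrative only, not a real cipher."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key, blob):
    """Check the tag, then decrypt; ValueError means wrong key or tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body)))))


def _validate(ticket, authenticator):
    """Checks shared by the TGS (step 3) and the directory server (step 6)."""
    if authenticator["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    if time.time() > ticket["expires"]:
        raise PermissionError("ticket expired")


class KDC:
    """AS and TGS in one object; db maps principal -> long-term key."""

    def __init__(self, proxy_password):
        self.db = {PROXY: string_to_key(proxy_password, PROXY),
                   TGS: os.urandom(32), LDAP_SVC: os.urandom(32)}

    def as_exchange(self, principal):
        """Steps 1-2: TGT sealed for the TGS, session key sealed for the client."""
        session = os.urandom(32).hex()
        tgt = seal(self.db[TGS], {"client": principal, "key": session,
                                  "expires": time.time() + LIFETIME})
        return tgt, seal(self.db[principal], {"key": session})

    def tgs_exchange(self, tgt, authenticator, service):
        """Steps 3-4: validate the TGT, return a service ticket and a fresh session key."""
        t = unseal(self.db[TGS], tgt)
        _validate(t, unseal(bytes.fromhex(t["key"]), authenticator))
        svc_session = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_session,
                                         "expires": time.time() + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})


def directory_server_accept(service_key, ticket, authenticator):
    """Steps 5-6: decrypt the ticket with the server's own key; return the bound principal."""
    t = unseal(service_key, ticket)
    _validate(t, unseal(bytes.fromhex(t["key"]), authenticator))
    return t["client"]


def gssapi_bind(kdc, password):
    """Client side of the whole flow; `ccache` stands in for /etc/opt/ldapux/krb5cc_ldap_gssapi."""
    client_key = string_to_key(password, PROXY)
    tgt, enc_session = kdc.as_exchange(PROXY)                             # step 1
    ccache = {"tgt": tgt, "key": unseal(client_key, enc_session)["key"]}  # step 2
    auth = seal(bytes.fromhex(ccache["key"]), {"client": PROXY, "ts": time.time()})
    ticket, enc_svc = kdc.tgs_exchange(ccache["tgt"], auth, LDAP_SVC)     # steps 3-4
    svc_key = bytes.fromhex(unseal(bytes.fromhex(ccache["key"]), enc_svc)["key"])
    auth2 = seal(svc_key, {"client": PROXY, "ts": time.time()})
    return directory_server_accept(kdc.db[LDAP_SVC], ticket, auth2)       # steps 5-6


def bind_succeeds(kdc, password):
    """True when the proxy user can bind; False when the AS reply cannot be decrypted."""
    try:
        gssapi_bind(kdc, password)
        return True
    except (ValueError, PermissionError):
        return False
```

Running `gssapi_bind(KDC("proxy-password"), "proxy-password")` returns the authenticated principal ldapux-proxy@EXAMPLE.COM; the same call with another password raises ValueError at step 2, because the session key sealed by the AS cannot be unsealed. The directory server never sees the proxy password, only a ticket it can decrypt with its own service key, which is why the service principal and its keytab key (7.3.2.2) must be correct on both sides.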
7.3.2 Configuring the proxy user
SASL/GSSAPI authentication is used only for proxy user authentication by the name service subsystem. When a proxy user is configured, you use either a user principal or a service principal as the proxy user.
7.3.2.1 Configuring the user principal
The user principal must be configured in the KDC. The user principal may be specified with a realm (for example, user1@CUP.HP.COM) or without a realm (for example, user1). When no realm is specified, the realm information is retrieved from /etc/krb5.conf. The credential (password) is the same one used to create the user principal in the KDC.
7.3.2.2 Service/host principal and keys
A Kerberos keytab file contains service or host principals and their associated key information. Users can bind using the service or host keys. The keytab file can contain multiple principals and keys, and users can configure which service key to use. For example, the following /etc/krb5.keytab file contains two principals:
$ klist -k
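Two small helpers for 7.3.2.1 and 7.3.2.2, added as an example rather than taken from LDAP-UX: one resolves a user principal given without a realm against the default_realm in krb5.conf, the other reads a `klist -k` listing and picks the key to use for a given service. The `klist -k` output and krb5.conf text below are constructed samples in MIT Kerberos layout (the HP-UX listing may differ in header wording); the host client1.example.com, the realm EXAMPLE.COM and the ldapux service name are placeholders, not values from this guide.

```python
# Added example (not LDAP-UX code): helpers for choosing a proxy principal.
# The `klist -k` listing and the krb5.conf below are constructed samples in
# MIT Kerberos layout; host names, realm and service names are placeholders.
import re
from dataclasses import dataclass

SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client1.example.com@EXAMPLE.COM
   3 host/client1.example.com@EXAMPLE.COM
   3 ldapux/client1.example.com@EXAMPLE.COM
"""

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str           # service/host@REALM or host/name@REALM


def parse_klist_k(text):
    """Turn `klist -k` output into KeytabEntry objects (one per key version)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2)))
    return entries


def principals_in_keytab(entries):
    """Distinct principal names, regardless of how many key versions each has."""
    return sorted({e.principal for e in entries})


def choose_service_key(entries, service, host=None):
    """Select the newest (highest KVNO) key for service/host@REALM.
    A stale key version left in a keytab after a key change is a common reason
    a GSSAPI bind stops working, so the selection is made explicit here."""
    wanted = []
    for e in entries:
        name, _, _realm = e.principal.partition("@")
        svc, _, inst = name.partition("/")
        if svc == service and (host is None or inst == host):
            wanted.append(e)
    if not wanted:
        raise LookupError(f"no key for {service}/{host or '*'} in keytab")
    return max(wanted, key=lambda e: e.kvno)


def default_realm(krb5_conf_text):
    """Read default_realm from the [libdefaults] section of a krb5.conf."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                return value.strip()
    raise LookupError("default_realm is not set in [libdefaults]")


def qualify_principal(name, krb5_conf_text):
    """user1 -> user1@<default_realm>; a name that already carries a realm is unchanged."""
    return name if "@" in name else f"{name}@{default_realm(krb5_conf_text)}"
```

With the sample listing, `principals_in_keytab` reports the two distinct principals even though three keys are stored, and `choose_service_key(entries, "host", "client1.example.com")` returns the KVNO 3 entry rather than the older KVNO 2 one. `qualify_principal("user1", conf)` yields user1@EXAMPLE.COM, while a name given as user1@CUP.HP.COM is left as written, matching the realm rule in 7.3.2.1.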
7.3 Configuring SASL/GSSAPI support for proxy user authentication (Windows ADS only) 197