Red Hat Directory Server 8.0 Administrator's Guide

NOTE
GSS-API and, thus, Kerberos are only supported on platforms that have GSS-API
support. To use GSS-API, it may be necessary to install the Kerberos client
libraries; any required Kerberos libraries will be available through the operating
system vendor.
CRAM-MD5, DIGEST-MD5, and GSS-API are shared secret mechanisms. The server challenges
the client attempting to bind with a secret, such as a password, that depends on the
mechanism. The user sends back the response required by the mechanism.
NOTE
DIGEST-MD5 requires clear text passwords. The Directory Server requires the
clear text password in order to generate the shared secret. Passwords already
stored as a hashed value, such as SHA1, cannot be used with DIGEST-MD5.
2. SASL Identity Mapping
When processing a SASL bind request, the server matches, or maps, the SASL authentication
ID used to authenticate to the Directory Server with an LDAP entry stored within the server.
When using Kerberos, the SASL user ID usually has the format userid@REALM, such as
scarter@EXAMPLE.COM. This ID must be converted into the DN of the user's Directory Server
entry, such as uid=scarter,ou=people,dc=example,dc=com.
If the authentication ID clearly corresponds to the LDAP entry for a person, it is possible to
configure the Directory Server to map the authentication ID automatically to the entry DN.
Directory Server has some preconfigured default maps which handle most common
configurations, and customized maps can be created. During a bind attempt, the first matching
mapping rule is applied. If only one user identity is returned, the bind is successful; if none or
more than one are returned, then the bind fails. Red Hat recommends configuring SASL maps
so that only one mapping rule matches the authentication string.
NOTE
SASL proxy authorization is not supported in Directory Server; therefore,
Directory Server ignores any SASL authzid value supplied by the client.
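The mapping flow described above (the first matching rule is applied, and the bind succeeds only when exactly one entry is returned), as an added example that is not from the guide or the Directory Server code base: a small Python simulation over a constructed in-memory directory and two constructed map rules of the regex / base-DN template / filter template shape the server's map entries use.

```python
import re

# Constructed sample directory (not from the guide): DN -> attributes.
# Note the deliberate duplicate uid "scarter" in two subtrees.
DIRECTORY = {
    "uid=scarter,ou=people,dc=example,dc=com": {"uid": "scarter"},
    "uid=bjensen,ou=people,dc=example,dc=com": {"uid": "bjensen"},
    "uid=scarter,ou=contractors,dc=example,dc=com": {"uid": "scarter"},
}

# Constructed map rules, evaluated in order. \1 refers to the first regex group.
SASL_MAPS = [
    # Kerberos-style IDs from our realm are looked up only under ou=people.
    {"regex": r"^(.*)@EXAMPLE\.COM$", "base": "ou=people,dc=example,dc=com", "filter": "(uid=\\1)"},
    # Fallback: bare user names are searched across the whole suffix.
    {"regex": r"^(.*)$", "base": "dc=example,dc=com", "filter": "(uid=\\1)"},
]


def expand(template, match):
    """Substitute \\1, \\2, ... in a DN or filter template with regex groups."""
    return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), template)


def search(base, ldap_filter):
    """Minimal subtree search supporting a single (attr=value) equality filter."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter).groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and attrs.get(attr) == value]


def map_sasl_identity(auth_id):
    """Return the single mapped DN, or None when the bind must fail."""
    for rule in SASL_MAPS:
        match = re.match(rule["regex"], auth_id)
        if not match:
            continue
        hits = search(expand(rule["base"], match), expand(rule["filter"], match))
        # The first matching rule decides: zero or several hits means failure.
        return hits[0] if len(hits) == 1 else None
    return None
```

A bare `scarter` falls through to the suffix-wide fallback rule, hits both entries, and is rejected; this is the ambiguity the guide's recommendation of one-rule-per-ID maps is meant to avoid.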
SASL is configured by entries under a container entry:
Chapter 12. Managing SASL