Red Hat Directory Server 8.0 Administrator's Guide
admin_server = adminserver.company.example.com:749
default_domain = company.example.com
}
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
admin_server = FILE:/var/log/kadmind.log
5.4. Configuring SASL Authentication at Directory Server Startup
SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets
can be used for authentication. This is done by supplying a system configuration file that the
init scripts read; the file sets the variable which identifies the keytab file location. Because
the init script runs at Directory Server startup, SASL authentication is active immediately.
The default configuration file is in /etc/sysconfig/dirsrv.
NOTE
The default configuration file on Red Hat Enterprise Linux and HP-UX is in
/etc/sysconfig. On Solaris, it is in /etc/default.
If there are multiple Directory Server instances and not all of them will use SASL authentication,
instance-specific configuration files can be created in that directory, named
dirsrv-instance (for example, dirsrv-example). The default dirsrv file can be used for a
single instance.
To enable SASL authentication, uncomment the KRB5_KTNAME line in the
/etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the
KRB5_KTNAME variable. For example:
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME
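The following check is an added example, not part of the Red Hat guide: it reads a sysconfig file in the format shown above, reports whether KRB5_KTNAME is still commented out, and verifies that the keytab it names exists and carries no group or other permission bits, since a keytab holds the server's long-term Kerberos keys. The function names and return codes are assumptions of this example, and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the guide): audit a dirsrv sysconfig file.
# Paths used in the demo at the bottom are constructed in a temp directory.

# Print the keytab path from the last uncommented KRB5_KTNAME assignment.
# Handles "KRB5_KTNAME=/path ; export KRB5_KTNAME" and "export KRB5_KTNAME=/path".
keytab_from_sysconfig() {
    kt_path=$(sed -n -E \
        's/^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=([^;#[:space:]]*).*/\2/p' \
        "$1" | tail -n 1 | tr -d "\"'")
    kt_path=${kt_path#FILE:}          # krb5 also accepts a FILE: prefix
    [ -n "$kt_path" ] || return 1
    printf '%s\n' "$kt_path"
}

# Returns 0 = ok, 1 = KRB5_KTNAME still commented out or unset,
#         2 = keytab missing or empty, 3 = keytab accessible to group/others.
check_dirsrv_keytab() {
    kt=$(keytab_from_sysconfig "$1") || return 1
    [ -s "$kt" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    go_bits=$(ls -ldL "$kt" | cut -c5-10)
    [ "$go_bits" = "------" ] || return 3
    return 0
}

# Demo on constructed files (assumption: real input is /etc/sysconfig/dirsrv
# or an instance-specific dirsrv-instance file).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-keytab-bytes' > "$d/krb5.keytab"
    chmod 600 "$d/krb5.keytab"
    printf '# KRB5_KTNAME=%s ; export KRB5_KTNAME\n' "$d/krb5.keytab" > "$d/dirsrv"
    printf 'KRB5_KTNAME=%s ; export KRB5_KTNAME\n' "$d/krb5.keytab" > "$d/dirsrv-example"
    for f in "$d/dirsrv" "$d/dirsrv-example"; do
        rc=0; check_dirsrv_keytab "$f" || rc=$?
        echo "$(basename "$f"): result code $rc"
    done
    rm -rf "$d"
}
demo
```

The keytab must still be readable by the user the Directory Server runs as, so a passing permission check does not by itself confirm ownership.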