Configuring SASL Authentication at

    admin_server = adminserver.company.example.com:749
    default_domain = company.example.com
  }

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  default = FILE:/var/krb5/kdc.log
  kdc = FILE:/var/krb5/kdc.log
  admin_server = FILE:/var/log/kadmind.log

5.4. Configuring SASL Authentication at Directory Server Startup

SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets can be used for authentication. This is done by supplying a system configuration file, read by the init scripts, that sets the variable identifying the keytab file location. When the init script runs at Directory Server startup, SASL authentication is then immediately active.

The default configuration file is in /etc/sysconfig/dirsrv.

NOTE

The default configuration file on Red Hat Enterprise Linux and HP-UX is in /etc/sysconfig. On Solaris, it is in /etc/default.

If there are multiple Directory Server instances and not all of them will use SASL authentication, then instance-specific configuration files can be created in that directory, named dirsrv-instance (for example, dirsrv-example). The default dirsrv file can be used for a single instance.

To enable SASL authentication, uncomment the KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:

# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME
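As an added example (not part of the manual), a POSIX sh check for the setup just described: it picks the sysconfig file the init script would read for an instance, extracts the KRB5_KTNAME value only if the line is uncommented, and confirms the keytab exists and is not readable by other local users. The function names and the permission check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Directory Server manual: check whether a
# /etc/sysconfig/dirsrv-style file actually activates SASL/GSSAPI (an
# uncommented KRB5_KTNAME assignment) and whether the keytab it names
# exists and is protected from other local users.

# Print the keytab path from the first uncommented KRB5_KTNAME=... line.
# Handles the "VAR=value ; export VAR" form and optional double quotes.
# Prints nothing if the line is missing or still commented out.
dirsrv_keytab_path() {
    [ -r "$1" ] || return 1
    sed -n 's/^[[:space:]]*KRB5_KTNAME="*\([^;"[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Pick the file the init script would read for an instance: the
# instance-specific dirsrv-<instance> if it exists, else the shared dirsrv.
dirsrv_sysconfig_for_instance() {
    if [ -f "$1/dirsrv-$2" ]; then
        printf '%s\n' "$1/dirsrv-$2"
    else
        printf '%s\n' "$1/dirsrv"
    fi
}

# Classify one sysconfig file:
#   disabled        no active KRB5_KTNAME line, SASL/GSSAPI stays off
#   missing         the keytab path is set but no such file exists
#   world-readable  the keytab exists but 'other' has a permission bit set
#   ok              keytab present and not accessible to other users
dirsrv_keytab_status() {
    keytab=$(dirsrv_keytab_path "$1") || return 1
    [ -n "$keytab" ] || { echo disabled; return 0; }
    [ -f "$keytab" ] || { echo missing; return 0; }
    # Columns 8-10 of 'ls -l' are the permission bits for 'other';
    # the keytab holds the LDAP service key, so they should all be '-'.
    if [ "$(ls -ld "$keytab" | cut -c8-10)" != "---" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Stand-alone usage: sysconfig directory and instance name as arguments,
# e.g. ./check.sh /etc/sysconfig example
if [ $# -eq 2 ]; then
    f=$(dirsrv_sysconfig_for_instance "$1" "$2")
    printf '%s: %s\n' "$f" "$(dirsrv_keytab_status "$f" || echo unreadable)"
fi
```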

HP-UX Red Hat Directory Server Software Manual: Configuring SASL Authentication at Directory Server Startup