GSSAPISASLMechanismHandlerConfiguration.xml revision bccd35904bb6c244e7eae5b7ddb28e5c295e856b
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
! or http://forgerock.org/license/CDDLv1.0.html.
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at legal-notices/CDDLv1_0.txt.
! If applicable, add the following below this CDDL HEADER, with the
! fields enclosed by brackets "[]" replaced with your own identifying
! information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
!
! Copyright 2007-2008 Sun Microsystems, Inc.
! -->
<adm:managed-object name="gssapi-sasl-mechanism-handler"
plural-name="gssapi-sasl-mechanism-handlers"
package="org.forgerock.opendj.admin" extends="sasl-mechanism-handler"
xmlns:adm="http://www.opends.org/admin"
xmlns:ldap="http://www.opends.org/admin-ldap">
<adm:synopsis>
The GSSAPI SASL mechanism
performs all processing related to SASL GSSAPI
authentication using Kerberos V5.
</adm:synopsis>
<adm:description>
The GSSAPI SASL mechanism provides the ability for clients
to authenticate themselves to the server using existing
authentication in a Kerberos environment. This mechanism
provides the ability to achieve single sign-on for
Kerberos-based clients.
</adm:description>
<adm:profile name="ldap">
<ldap:object-class>
<ldap:name>ds-cfg-gssapi-sasl-mechanism-handler</ldap:name>
<ldap:superior>ds-cfg-sasl-mechanism-handler</ldap:superior>
</ldap:object-class>
</adm:profile>
<adm:property-override name="java-class" advanced="true">
<adm:default-behavior>
<adm:defined>
<adm:value>
org.opends.server.extensions.GSSAPISASLMechanismHandler
</adm:value>
</adm:defined>
</adm:default-behavior>
</adm:property-override>
<adm:property name="realm">
<adm:synopsis>
Specifies the realm to be used for GSSAPI authentication.
</adm:synopsis>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
The server attempts to determine the realm from the
underlying system configuration.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-realm</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="kdc-address">
<adm:synopsis>
Specifies the address of the KDC that is to be used for Kerberos
processing.
</adm:synopsis>
<adm:description>
If provided, this property must be a fully-qualified DNS-resolvable name.
If this property is not provided, then the server attempts to determine it
from the system-wide Kerberos configuration.
</adm:description>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
The server attempts to determine the KDC address from the
underlying system configuration.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-kdc-address</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="quality-of-protection">
<adm:synopsis>
The name of a property that specifies the quality of protection
the server will support.
</adm:synopsis>
<adm:default-behavior>
<adm:defined>
<adm:value>none</adm:value>
</adm:defined>
</adm:default-behavior>
<adm:syntax>
<adm:enumeration>
<adm:value name="none">
<adm:synopsis>
QOP equals authentication only.
</adm:synopsis>
</adm:value>
<adm:value name="integrity">
<adm:synopsis>
Quality of protection equals authentication with integrity
protection.
</adm:synopsis>
</adm:value>
<adm:value name="confidentiality">
<adm:synopsis>
Quality of protection equals authentication with integrity and
confidentiality protection.
</adm:synopsis>
</adm:value>
</adm:enumeration>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-quality-of-protection</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="principal-name">
<adm:synopsis>
Specifies the principal name.
</adm:synopsis>
<adm:description>
It can either be a simple user name or a
service name such as host/example.com.
If this property is not provided, then the server attempts to build the
principal name by appending the fully qualified domain name to the string
"ldap/".
</adm:description>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
The server attempts to determine the principal name from the
underlying system configuration.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-principal-name</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="keytab">
<adm:synopsis>
Specifies the path to the keytab file that should be used for
Kerberos processing.
</adm:synopsis>
<adm:description>
If provided, this is either an absolute path or one that is
relative to the server instance root.
</adm:description>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
The server attempts to use the system-wide default keytab.
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-keytab</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="server-fqdn">
<adm:synopsis>
Specifies the DNS-resolvable fully-qualified domain name for the
system.
</adm:synopsis>
<adm:default-behavior>
<adm:alias>
<adm:synopsis>
The server attempts to determine the
fully-qualified domain name dynamically .
</adm:synopsis>
</adm:alias>
</adm:default-behavior>
<adm:syntax>
<adm:string />
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-server-fqdn</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
<adm:property name="identity-mapper" mandatory="true">
<adm:synopsis>
Specifies the name of the identity mapper that is to be used
with this SASL mechanism handler
to match the Kerberos principal
included in the SASL bind request to the corresponding
user in the directory.
</adm:synopsis>
<adm:syntax>
<adm:aggregation relation-name="identity-mapper"
parent-path="/">
<adm:constraint>
<adm:synopsis>
The referenced identity mapper must be enabled when the
<adm:user-friendly-name />
is enabled.
</adm:synopsis>
<adm:target-needs-enabling-condition>
<adm:contains property="enabled" value="true" />
</adm:target-needs-enabling-condition>
<adm:target-is-enabled-condition>
<adm:contains property="enabled" value="true" />
</adm:target-is-enabled-condition>
</adm:constraint>
</adm:aggregation>
</adm:syntax>
<adm:profile name="ldap">
<ldap:attribute>
<ldap:name>ds-cfg-identity-mapper</ldap:name>
</ldap:attribute>
</adm:profile>
</adm:property>
</adm:managed-object>