<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Copyright 2007-2008 Sun Microsystems, Inc.
|
! -->
|
<adm:managed-object name="gssapi-sasl-mechanism-handler"
|
plural-name="gssapi-sasl-mechanism-handlers"
|
package="org.opends.server.admin.std" extends="sasl-mechanism-handler"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
The GSSAPI SASL mechanism
|
performs all processing related to SASL GSSAPI
|
authentication using Kerberos V5.
|
</adm:synopsis>
|
<adm:description>
|
The GSSAPI SASL mechanism provides the ability for clients
|
to authenticate themselves to the server using existing
|
authentication in a Kerberos environment. This mechanism
|
provides the ability to achieve single sign-on for
|
Kerberos-based clients.
|
</adm:description>
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:name>ds-cfg-gssapi-sasl-mechanism-handler</ldap:name>
|
<ldap:superior>ds-cfg-sasl-mechanism-handler</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
<adm:property-override name="java-class" advanced="true">
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
org.opends.server.extensions.GSSAPISASLMechanismHandler
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
</adm:property-override>
|
<adm:property name="realm">
|
<adm:synopsis>
|
Specifies the realm to be used for GSSAPI authentication.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The server attempts to determine the realm from the
|
underlying system configuration.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-realm</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="kdc-address">
|
<adm:synopsis>
|
Specifies the address of the KDC that is to be used for Kerberos
|
processing.
|
</adm:synopsis>
|
<adm:description>
|
If provided, this property must be a fully-qualified DNS-resolvable name.
|
If this property is not provided, then the server attempts to determine it
|
from the system-wide Kerberos configuration.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The server attempts to determine the KDC address from the
|
underlying system configuration.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-kdc-address</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="quality-of-protection">
|
<adm:synopsis>
|
The name of a property that specifies the quality of protection
|
the server will support.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>none</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="none">
|
<adm:synopsis>
|
QOP equals authentication only.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="integrity">
|
<adm:synopsis>
|
Quality of protection equals authentication with integrity
|
protection.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="confidentiality">
|
<adm:synopsis>
|
Quality of protection equals authentication with integrity and
|
confidentiality protection.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-quality-of-protection</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="principal-name">
|
<adm:synopsis>
|
Specifies the principal name.
|
</adm:synopsis>
|
<adm:description>
|
It can either be a simple user name or a
|
service name such as host/example.com.
|
If this property is not provided, then the server attempts to build the
|
principal name by appending the fully qualified domain name to the string
|
"ldap/".
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The server attempts to determine the principal name from the
|
underlying system configuration.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-principal-name</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="keytab">
|
<adm:synopsis>
|
Specifies the path to the keytab file that should be used for
|
Kerberos processing.
|
</adm:synopsis>
|
<adm:description>
|
If provided, this is either an absolute path or one that is
|
relative to the server instance root.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The server attempts to use the system-wide default keytab.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-keytab</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="server-fqdn">
|
<adm:synopsis>
|
Specifies the DNS-resolvable fully-qualified domain name for the
|
system.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
The server attempts to determine the
|
fully-qualified domain name dynamically .
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-server-fqdn</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="identity-mapper" mandatory="true">
|
<adm:synopsis>
|
Specifies the name of the identity mapper that is to be used
|
with this SASL mechanism handler
|
to match the Kerberos principal
|
included in the SASL bind request to the corresponding
|
user in the directory.
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:aggregation relation-name="identity-mapper"
|
parent-path="/">
|
<adm:constraint>
|
<adm:synopsis>
|
The referenced identity mapper must be enabled when the
|
<adm:user-friendly-name />
|
is enabled.
|
</adm:synopsis>
|
<adm:target-needs-enabling-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-needs-enabling-condition>
|
<adm:target-is-enabled-condition>
|
<adm:contains property="enabled" value="true" />
|
</adm:target-is-enabled-condition>
|
</adm:constraint>
|
</adm:aggregation>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-identity-mapper</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:managed-object>
|
