From 139c40de1bc595ccd4b8ca952da9e2a37bc8a18e Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 05 Nov 2008 13:22:43 +0000
Subject: [PATCH] These fixes add confidentiality/integrity to the SASL GSSAPI and DIGEST-MD5 mechanisms. The issue links:

---
 opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml |   81 ++++++++++++++++++++++++++++++++++++----
 1 files changed, 73 insertions(+), 8 deletions(-)

diff --git a/opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml b/opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml
index b76f7fb..2579301 100644
--- a/opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml
+++ b/opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml
@@ -31,15 +31,15 @@
   xmlns:adm="http://www.opends.org/admin"
   xmlns:ldap="http://www.opends.org/admin-ldap">
   <adm:synopsis>
-    The GSSAPI SASL mechanism 
+    The GSSAPI SASL mechanism
     performs all processing related to SASL GSSAPI
     authentication using Kerberos V5.
   </adm:synopsis>
   <adm:description>
-    The GSSAPI SASL mechanism provides the ability for clients 
-    to authenticate themselves to the server using existing 
-    authentication in a Kerberos environment. This mechanism 
-    provides the ability to achieve single sign-on for 
+    The GSSAPI SASL mechanism provides the ability for clients
+    to authenticate themselves to the server using existing
+    authentication in a Kerberos environment. This mechanism
+    provides the ability to achieve single sign-on for
     Kerberos-based clients.
   </adm:description>
   <adm:profile name="ldap">
@@ -85,7 +85,7 @@
     </adm:synopsis>
     <adm:description>
       If provided, this property must be a fully-qualified DNS-resolvable name.
-      If this property is not provided, then the server attempts to determine it 
+      If this property is not provided, then the server attempts to determine it
       from the system-wide Kerberos configuration.
     </adm:description>
     <adm:default-behavior>
@@ -105,6 +105,71 @@
       </ldap:attribute>
     </adm:profile>
   </adm:property>
+  <adm:property name="quality-of-protection">
+    <adm:synopsis>
+     The name of a property that specifies the quality of protection
+     the server will support.
+    </adm:synopsis>
+    <adm:default-behavior>
+      <adm:defined>
+        <adm:value>none</adm:value>
+      </adm:defined>
+    </adm:default-behavior>
+    <adm:syntax>
+      <adm:enumeration>
+        <adm:value name="none">
+          <adm:synopsis>
+            QOP equals authentication only.
+          </adm:synopsis>
+        </adm:value>
+        <adm:value name="integrity">
+          <adm:synopsis>
+            Quality of protection equals authentication with integrity
+            protection.
+          </adm:synopsis>
+        </adm:value>
+        <adm:value name="confidentiality">
+          <adm:synopsis>
+            Quality of protection equals authentication with integrity and
+            confidentiality protection.
+          </adm:synopsis>
+        </adm:value>
+      </adm:enumeration>
+    </adm:syntax>
+    <adm:profile name="ldap">
+      <ldap:attribute>
+        <ldap:name>ds-cfg-quality-of-protection</ldap:name>
+      </ldap:attribute>
+    </adm:profile>
+  </adm:property>
+  <adm:property name="principal-name">
+    <adm:synopsis>
+      Specifies the principal name.
+    </adm:synopsis>
+    <adm:description>
+      It can either be a simple user name or a
+      service name such as host/example.com.
+      If this property is not provided, then the server attempts to build the
+      principal name by appending the fully qualified domain name to the string
+      "ldap/".
+    </adm:description>
+    <adm:default-behavior>
+      <adm:alias>
+        <adm:synopsis>
+          The server attempts to determine the principal name from the
+          underlying system configuration.
+        </adm:synopsis>
+      </adm:alias>
+    </adm:default-behavior>
+    <adm:syntax>
+      <adm:string />
+    </adm:syntax>
+    <adm:profile name="ldap">
+      <ldap:attribute>
+        <ldap:name>ds-cfg-principal-name</ldap:name>
+      </ldap:attribute>
+    </adm:profile>
+  </adm:property>
   <adm:property name="keytab">
     <adm:synopsis>
       Specifies the path to the keytab file that should be used for
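Review bot: The new `quality-of-protection` property defaults to `none` (the `<adm:value>none</adm:value>` under `<adm:default-behavior>`), so out of the box a GSSAPI bind authenticates the client but the LDAP traffic that follows gets none of the integrity or confidentiality layer this commit is meant to add, and nothing in the property text warns an administrator of that. The synopsis also reads `The name of a property that specifies the quality of protection the server will support.`, which describes the setting as a property name rather than saying what it controls; I would change it to `Specifies the quality of protection the server will negotiate for GSSAPI connections.` and add an `<adm:description>` stating that with the default of `none` the session is protected only by whatever TLS layer is in use, and that `integrity` or `confidentiality` must be selected where the Kerberos security layer is relied upon to protect LDAP traffic. Whether a single value here restricts negotiation to exactly that QOP or merely expresses the server's preference is not visible in this hunk and should be stated explicitly in the description. Separately, the `principal-name` description and its default-behavior alias disagree about what happens when the property is absent (`appending the fully qualified domain name to the string "ldap/"` versus `from the underlying system configuration`); one of them should be corrected so administrators know which principal the keytab must contain. The enclosing managed-object definition starts and ends outside the hunk.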
@@ -155,8 +220,8 @@
   <adm:property name="identity-mapper" mandatory="true">
     <adm:synopsis>
       Specifies the name of the identity mapper that is to be used
-      with this SASL mechanism handler 
-      to match the Kerberos principal 
+      with this SASL mechanism handler
+      to match the Kerberos principal
       included in the SASL bind request to the corresponding
       user in the directory.
     </adm:synopsis>
