The GSSAPI SASL mechanism
performs all processing related to SASL GSSAPI
authentication using Kerberos V5.
The GSSAPI SASL mechanism provides the ability for clients
to authenticate themselves to the server using existing
authentication in a Kerberos environment. This mechanism
provides the ability to achieve single sign-on for
Kerberos-based clients.
ds-cfg-gssapi-sasl-mechanism-handler
ds-cfg-sasl-mechanism-handler
org.opends.server.extensions.GSSAPISASLMechanismHandler
Specifies the realm to be used for GSSAPI authentication.
The server attempts to determine the realm from the
underlying system configuration.
ds-cfg-realm
Specifies the address of the KDC that is to be used for Kerberos
processing.
If provided, this property must be a fully-qualified DNS-resolvable name.
If this property is not provided, then the server attempts to determine it
from the system-wide Kerberos configuration.
The server attempts to determine the KDC address from the
underlying system configuration.
ds-cfg-kdc-address
The name of a property that specifies the quality of protection
the server will support.
none
QOP equals authentication only.
Quality of protection equals authentication with integrity
protection.
Quality of protection equals authentication with integrity and
confidentiality protection.
ds-cfg-quality-of-protection
Specifies the principal name.
It can either be a simple user name or a
service name such as host/example.com.
If this property is not provided, then the server attempts to build the
principal name by appending the fully qualified domain name to the string
"ldap/".
The server attempts to determine the principal name from the
underlying system configuration.
ds-cfg-principal-name
Specifies the path to the keytab file that should be used for
Kerberos processing.
If provided, this is either an absolute path or one that is
relative to the server instance root.
The server attempts to use the system-wide default keytab.
ds-cfg-keytab
Specifies the DNS-resolvable fully-qualified domain name for the
system.
The server attempts to determine the
fully-qualified domain name dynamically.
ds-cfg-server-fqdn
Specifies the name of the identity mapper that is to be used
with this SASL mechanism handler
to match the Kerberos principal
included in the SASL bind request to the corresponding
user in the directory.
The referenced identity mapper must be enabled when this
SASL mechanism handler is enabled.
ds-cfg-identity-mapper
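
The following is an added example, not code from the server or its documentation: a small audit of a GSSAPI SASL handler entry that flags authentication-only quality of protection, a KDC address that is not fully qualified, and properties left to the system defaults described above. The sample entry, its DN, the helper names and the finding codes are constructed for illustration, and treating an absent quality-of-protection value as "none" is an assumption.

```python
import re

# Constructed sample entry (not from the page); the DN is an assumed location.
SAMPLE_LDIF = """\
dn: cn=GSSAPI,cn=SASL Mechanisms,cn=config
objectClass: ds-cfg-sasl-mechanism-handler
objectClass: ds-cfg-gssapi-sasl-mechanism-handler
ds-cfg-kdc-address: kdc1
ds-cfg-quality-of-protection: none
ds-cfg-keytab: config/ldap.keytab
ds-cfg-server-fqdn: ds1.example.com
"""

# Dotted host name ending in an alphabetic top-level label.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def first(entry, attr):
    """First value of attr, or None when the attribute is absent or empty."""
    return (entry.get(attr) or [None])[0] or None

def effective_principal(entry):
    """Explicit principal if set, else "ldap/" + FQDN; None means resolved at runtime."""
    explicit = first(entry, "ds-cfg-principal-name")
    fqdn = first(entry, "ds-cfg-server-fqdn")
    return explicit or ("ldap/" + fqdn if fqdn else None)

def audit(entry):
    """Return finding codes for settings a reviewer should look at."""
    findings = []
    # Assumption: an absent QOP is treated like "none" (authentication only).
    if (first(entry, "ds-cfg-quality-of-protection") or "none").lower() == "none":
        findings.append("qop-authentication-only")
    kdc = first(entry, "ds-cfg-kdc-address")
    if kdc and not FQDN.match(kdc):
        findings.append("kdc-address-not-fqdn")
    keytab = first(entry, "ds-cfg-keytab")
    if keytab and not keytab.startswith("/"):  # POSIX-style absolute path check
        findings.append("keytab-relative-to-instance-root")
    # Unset properties are determined by the server from the host's system configuration.
    for attr in ("ds-cfg-realm", "ds-cfg-kdc-address", "ds-cfg-principal-name", "ds-cfg-keytab"):
        if first(entry, attr) is None:
            findings.append("system-default:" + attr)
    return findings
```

Calling `audit(parse_entry(SAMPLE_LDIF))` returns the finding codes in the order the checks run; an empty list means every audited property is set explicitly and the handler requires more than authentication-only protection.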