Apache Directory currently supports the SASL GSSAPI mechanism. SASL GSSAPI allows Kerberos authentication to be used during LDAP Binds. Additionally, the GSSAPI mechanism can provide message integrity (checksums) and, optionally, message privacy (encryption). When using SASL message privacy, connections do not need SSL to protect communications.
| QoP | Description |
|---|---|
| auth | Use SASL for authentication only (no integrity or confidentiality protection). |
| auth-int | Use SASL with integrity protection. Integrity basically means "with a checksum." For GSSAPI integrity is always enabled. |
| auth-conf | Use SASL with confidentiality protection. Confidentiality means "with encryption." Confidentiality is sometimes called privacy. When Confidentiality is enabled, you do not need SSL/TLS to protect connections. |
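
The QoP levels in the table above correspond to the security-layer bits that a GSSAPI server offers and the client selects during the bind (RFC 4752). The following Python is an added example, not code from Apache Directory; the function names and sample offer bytes are constructed for illustration, and it works on the already-unwrapped cleartext of the GSS-API tokens. It shows a client picking a QoP from the server's offer and refusing to fall back when its required level (for example auth-conf on a connection without SSL/TLS) is not offered.

```python
# Added example: client-side QoP selection for SASL GSSAPI (RFC 4752).
# All names and sample bytes here are constructed for illustration.

# RFC 4752 security-layer bits, keyed by the QoP names from the table above.
QOP_BITS = {"auth": 0x01, "auth-int": 0x02, "auth-conf": 0x04}


class QopError(Exception):
    """The offer is malformed or no acceptable QoP is available."""


def parse_server_offer(cleartext):
    """Decode the unwrapped server offer: 1-octet bitmask + 3-octet max buffer."""
    if len(cleartext) != 4:
        raise QopError("server offer must be exactly 4 octets")
    offered = {name for name, bit in QOP_BITS.items() if cleartext[0] & bit}
    max_buf = int.from_bytes(cleartext[1:], "big")
    if not offered:
        raise QopError("server offered no known security layer")
    # Without an integrity or confidentiality layer the buffer size must be 0.
    if offered == {"auth"} and max_buf != 0:
        raise QopError("non-zero buffer size without a security layer")
    return offered, max_buf


def select_qop(cleartext, acceptable):
    """Return the first QoP in `acceptable` that the server offers; no fallback."""
    offered, _ = parse_server_offer(cleartext)
    for qop in acceptable:
        if qop not in QOP_BITS:
            raise QopError(f"unknown QoP {qop!r}")
        if qop in offered:
            return qop
    raise QopError(f"server offers {sorted(offered)}, client accepts {acceptable}")


def build_client_reply(qop, client_max_buf, authzid=""):
    """Encode the client's choice: layer bit, 3-octet max buffer, then authzid."""
    if qop == "auth":
        client_max_buf = 0  # must be 0 when no security layer is selected
    if not 0 <= client_max_buf < 2 ** 24:
        raise QopError("max buffer must fit in 3 octets")
    return bytes([QOP_BITS[qop]]) + client_max_buf.to_bytes(3, "big") + authzid.encode("utf-8")


if __name__ == "__main__":
    offer = bytes([0x07]) + (65536).to_bytes(3, "big")  # constructed: all layers offered
    chosen = select_qop(offer, ["auth-conf"])            # require encryption, no TLS in use
    print(chosen, build_client_reply(chosen, 65536).hex())
```

Passing only `["auth-conf"]` as the acceptable list makes the bind fail outright if the server offers weaker layers, rather than silently continuing unencrypted.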

| Entry RDN | Password | Principal Name | Description |
|---|---|---|---|
| uid=hnelson | userpassword: s3crEt | krb5PrincipalName: hnelson@EXAMPLE.COM | Our user principal. Note the user password. |
| uid=krbtgt | userpassword: randomKey | krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM | The KDC principal, with a random key. |
| uid=hostldap | userpassword: randomKey | krb5PrincipalName: ldap/ldap.example.com@EXAMPLE.COM | The LDAP principal, with a random key. |