Red Hat Directory Server 7.1 Administrator's Manual

Introduction to SASL

In order to respond to Kerberos operations, the Directory Server requires access to its own cryptographic key, which is read by the Kerberos libraries that the server calls via GSSAPI. The details of how the key is found are implementation-dependent. However, in current releases of the supported Kerberos implementations, the mechanism is the same: the key is read from a file called a keytab file. This file is created by the Kerberos administrator by exporting the key from the KDC. Either the system default keytab file (typically /etc/krb5.keytab) is used, or a service-specific keytab file determined by the value of the KRB5_KTNAME environment variable.

The Directory Server uses the service name ldap. Its Kerberos principal is ldap/host-fqdn@realm. A key with this identity must be stored in the server's keytab in order for Kerberos to work. For information on setting up the service key, see your Kerberos documentation.
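The two facts above (keytab location resolved from KRB5_KTNAME or the system default, and the required ldap/host-fqdn@realm principal) can be checked before enabling GSSAPI. The following is an added example, not code from the manual or from Directory Server; it assumes the keytab is inspected with "klist -k" style output, and the sample output, host name and uppercase realm COMPANY.EXAMPLE.COM are constructed.

```python
import os
import re

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # system default keytab named in the text


def keytab_path(env=None):
    """Resolve the keytab the Kerberos libraries will read: KRB5_KTNAME if
    set (an optional FILE: prefix is stripped), otherwise the system default."""
    env = os.environ if env is None else env
    name = env.get("KRB5_KTNAME", "")
    if not name:
        return DEFAULT_KEYTAB
    return name[5:] if name.upper().startswith("FILE:") else name


def expected_principal(host_fqdn, realm):
    """Build ldap/host-fqdn@realm, the identity the Directory Server must own."""
    return f"ldap/{host_fqdn}@{realm}"


_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")  # "<kvno> <principal>" rows


def parse_klist(text):
    """Parse 'klist -k' style output into (kvno, principal) tuples, skipping
    the 'Keytab name:' line, the column header and the dashed separator."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def keytab_has_service_key(klist_text, host_fqdn, realm):
    """True only when the exact ldap/host-fqdn@realm principal is present;
    a short host name or a different realm is a common misconfiguration."""
    want = expected_principal(host_fqdn, realm)
    return any(principal == want for _, principal in parse_klist(klist_text))


# Constructed sample of 'klist -k' output (not taken from the manual).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ldap1.company.example.com@COMPANY.EXAMPLE.COM
   2 ldap/ldap1.company.example.com@COMPANY.EXAMPLE.COM
"""

if __name__ == "__main__":
    print("keytab:", keytab_path())
    print("ldap key present:", keytab_has_service_key(
        SAMPLE_KLIST, "ldap1.company.example.com", "COMPANY.EXAMPLE.COM"))
```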

Example

Code Example 11-1 shows an example configuration for a KDC server configured with the company.example.com realm.

Chapter 11 Managing SSL and SASL 445