Title: 4.1.2.4 - SASL GSSAPI Authentication
NavPrev: 4.1.2.3-sasl-digest-md5-authn.html
NavPrevText: 4.1.2.3 - SASL DIGEST-MD5 Authentication
NavUp: 4.1.2-sasl-authn.html
NavUpText: 4.1.2 - SASL Authentication
NavNext: 4.1.2.5-sasl-external-authn.html
NavNextText: 4.1.2.5 - SASL EXTERNAL Authentication
Notice: Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
.
http://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
# 4.1.2.4 - SASL GSSAPI Authentication
This authentication mechanism is specified in the following RFC:
* [RFC 4752](http://tools.ietf.org/html/rfc4752)
It is used specifically for Kerberos V5 authentication. Because **Apache Directory Server** is also a _Kerberos server_, supporting it is a natural extension of the server.
It does require some configuration, though.
## Configuration
The idea is for the **LDAP** server to delegate the authentication to the **Kerberos** Server.
## Usage

    MessageType : BIND_REQUEST
    Message ID : 1
        BindRequest
            Version : '3'
            Name : ''
            Sasl credentials
                Mechanism :'GSSAPI'
                Credentials : (omitted-for-safety)

    MessageType : BIND_RESPONSE
    Message ID : 1
        BindResponse
            Ldap Result
                Result code : (SASL_BIND_IN_PROGRESS) saslBindInProgress -- new
                Matched Dn : 'null'
                Diagnostic message : 'null'
            Server sasl credentials : ''
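
The exchange above as it appears on the wire, as an added example that is not ApacheDS code: a minimal BER encoder for the SASL BindRequest and a decoder for the BindResponse, following the RFC 4511 message layout. It shows that result code 14 (saslBindInProgress) leaves the connection unauthenticated until a later response returns success. The function names and the sample response bytes are constructed for illustration.

```python
# Added example, not ApacheDS code. Names and SAMPLE_RESPONSE are constructed.
SUCCESS, SASL_BIND_IN_PROGRESS = 0, 14  # RFC 4511 resultCode values
SAMPLE_RESPONSE = bytes.fromhex("300e02010161090a010e040004008700")  # ID 1, code 14

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + n], pos + n

def sasl_bind_request(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name '', sasl } }."""
    mid = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))  # [3]
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + sasl)  # [APPLICATION 0]
    return tlv(0x30, tlv(0x02, mid) + bind)

def parse_bind_response(pdu: bytes):
    """Return (message_id, result_code, server_sasl_creds or None)."""
    _, body, _ = read_tlv(pdu)
    _, mid, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, p = read_tlv(resp)       # resultCode ENUMERATED
    _, _, p = read_tlv(resp, p)       # matchedDN
    _, _, p = read_tlv(resp, p)       # diagnosticMessage
    creds = None
    while p < len(resp):              # optional trailing fields
        t, v, p = read_tlv(resp, p)
        if t == 0x87:                 # [7] serverSaslCreds
            creds = v
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), creds

def bind_complete(result_code: int) -> bool:
    return result_code == SUCCESS  # 14 means another BindRequest must follow
```

Here `parse_bind_response(SAMPLE_RESPONSE)` yields message ID 1 with result code 14, so `bind_complete` is false and the client has to continue the GSSAPI exchange with a further BindRequest.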