HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

NOTE:
When SASL maps are added over LDAP, they are not used by the server until it is restarted. Adding the SASL map with ldapmodify adds the mapping to the end of the list, regardless of its ASCII order.
13.3 Configuring SASL authentication at Directory Server startup
SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets can be used for authentication. This is done by supplying a system configuration file that the init scripts read, which sets the variable identifying the location of the keytab file. When the init script runs at Directory Server startup, SASL authentication is then immediately active.
The default configuration file is in /etc/opt/dirsrv/config/dirsrv.
If there are multiple Directory Server instances and not all of them will use SASL authentication,
then there can be instance-specific configuration files created in that directory named
dirsrv-instance. For example, dirsrv-example. The default dirsrv file can be used if
there is a single instance on a host.
To enable SASL authentication, uncomment the KRB5_KTNAME line in the /etc/opt/dirsrv/
config/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME
variable. For example:
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME
13.4 Using an external keytab
A default keytab file is specified in the Directory Server start script and is used by the Directory
Server automatically. However, it is possible to specify a different keytab file, referencing a different
principal, by manually running kinit, then specifying the cached credentials.
To use the cached kinit credentials, set the KRB5CCNAME line in /etc/opt/dirsrv/config/dirsrv to the credential cache file, and obtain the credentials for the principal with kinit:
KRB5CCNAME=/tmp/krb_ccache ; export KRB5CCNAME
kinit principalname
# how to provide the password here is left as an exercise
# or kinit -k -t /path/to/file.keytab principalname
chown serveruid:serveruid $KRB5CCNAME
# so the server process can read it
# start a cred renewal "daemon"
( while XXX ; do sleep NNN ; kinit ..... ; done ) &
# the exit condition XXX and sleep interval NNN are left as an exercise
...
The server has no way to renew these cached credentials. The kinit process must be run manually, external to the Directory Server processes, or the server begins receiving SASL bind failures when it attempts to use expired credentials.
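As an added example (not from the HP-UX Directory Server guide), this fills in the renewal loop sketched above: credentials come from a keytab rather than a typed password, the cache is handed to the server account, and the exit condition and sleep interval are made explicit. The principal, keytab path, server account, ticket lifetime and stop file are assumed values.

```shell
#!/bin/sh
# Added example, not the guide's own script. Hypothetical values below.
KRB5CCNAME=/tmp/krb_ccache ; export KRB5CCNAME
PRINCIPAL="ldap/ds.example.com@EXAMPLE.COM"   # assumed service principal
KEYTAB=/etc/opt/dirsrv/ds.keytab               # assumed keytab path
SERVER_UID=dirsrv                              # assumed server account
TICKET_LIFETIME=36000                          # assumed 10 h lifetime, in seconds
STOP_FILE=/var/run/krb_renew.stop              # assumed; create it to stop the loop

# Sleep interval (NNN in the guide's sketch): half the ticket lifetime, but
# never under 60 s and never past the lifetime minus a 5-minute safety margin,
# so the cache is refreshed well before the server could present an expired ticket.
renewal_interval() {
    lifetime=$1
    half=$((lifetime / 2))
    max=$((lifetime - 300))
    if [ "$half" -lt 60 ]; then half=60; fi
    if [ "$max" -lt 60 ]; then max=60; fi
    if [ "$half" -gt "$max" ]; then half=$max; fi
    echo "$half"
}

# Obtain fresh credentials from the keytab (no interactive password) and make
# the cache readable by the server process only.
refresh_credentials() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    chown "$SERVER_UID:$SERVER_UID" "$KRB5CCNAME" && chmod 600 "$KRB5CCNAME"
}

# The renewal "daemon": exit condition (XXX in the sketch) is the stop file.
# A failed kinit is logged rather than silently ignored, so expired credentials
# show up in the system log before they show up as SASL bind failures.
renew_loop() {
    interval=$(renewal_interval "$TICKET_LIFETIME")
    while [ ! -e "$STOP_FILE" ]; do
        refresh_credentials || logger -p daemon.err "kinit for $PRINCIPAL failed"
        sleep "$interval"
    done
}

# Only start the background loop when invoked as "script start".
if [ "${1:-}" = start ]; then
    refresh_credentials && renew_loop &
fi
```

Run it before starting the Directory Server instance so the cache already holds valid credentials at the first SASL bind.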