HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

host-fqdn must be the fully-qualified host and domain name, which can be resolved by all LDAP
and Kerberos clients through both DNS and reverse DNS lookups. A key with this identity must be
stored in the server's keytab in order for Kerberos to work.
The server that the Directory Server authenticates to must have a SASL mapping that maps
the Directory Server's principal (its user entry, usually something like
ldap/server.example.com@EXAMPLE.COM) to a real entry DN in the receiving server.
The HP server and client are separate packages with their own configuration. The server stores
config files in /opt/krb5. The client is Classic MIT Kerberos and uses /etc/krb5.conf. Both
the server and client must be configured to have a working Kerberos system.
For information on setting up the service key, see the Kerberos documentation.
13.2 Configuring SASL identity mapping
SASL identity mapping can be configured from either the Directory Server Console or the command line.
For SASL identity mapping to work for SASL authentication, the mapping must return one, and only
one, matching entry, and Kerberos must be configured on the host machine.
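
The "one, and only one" rule can be checked offline before a mapping is put in place. The following is an added example, not taken from this guide or from the server's code: a simplified Python model of a mapping (a regular expression on the SASL identity plus search base and filter templates). The directory contents, the krbprincipal attribute, the mapping names, and the choice to reject as soon as an applicable mapping is not unique are all assumptions.

```python
import re

# Constructed directory contents (DN -> attributes); names are illustrative.
ENTRIES = {
    "cn=ldap-server,ou=services,dc=example,dc=com":
        {"krbprincipal": "ldap/server.example.com@EXAMPLE.COM"},
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe"},
    "uid=jdoe,ou=contractors,dc=example,dc=com": {"uid": "jdoe"},
}

# Hypothetical mappings: regex on the SASL identity, then search base and filter
# templates in which \1 is replaced by the first captured group.
MAPPINGS = [
    {"name": "service", "regex": r"ldap/([^@/]+)@EXAMPLE\.COM",
     "base": "ou=services,dc=example,dc=com",
     "filter": r"(krbprincipal=ldap/\1@EXAMPLE.COM)"},
    {"name": "user", "regex": r"([^@/]+)@EXAMPLE\.COM",
     "base": "dc=example,dc=com", "filter": r"(uid=\1)"},
]

def search(base, flt):
    """Subtree search supporting only a single (attr=value) equality filter."""
    attr, value = flt.strip("()").split("=", 1)
    base = base.lower()
    return [dn for dn, attrs in ENTRIES.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and attrs.get(attr.lower()) == value]

def resolve(principal, mappings=MAPPINGS):
    """Return the one DN the identity maps to; raise if it maps to zero or many."""
    for mapping in mappings:
        m = re.fullmatch(mapping["regex"], principal)
        if m is None:
            continue  # this mapping does not apply to the identity
        hits = search(m.expand(mapping["base"]), m.expand(mapping["filter"]))
        if len(hits) != 1:
            raise LookupError(f"{principal}: mapping '{mapping['name']}' "
                              f"returned {len(hits)} entries, need exactly 1")
        return hits[0]
    raise LookupError(f"{principal}: no mapping matched")

if __name__ == "__main__":
    for who in ("ldap/server.example.com@EXAMPLE.COM", "jdoe@EXAMPLE.COM"):
        try:
            print(who, "->", resolve(who))
        except LookupError as err:
            print("rejected:", err)
```

In this constructed data, jdoe@EXAMPLE.COM is rejected because two entries carry uid=jdoe under the mapping's search base; narrowing the base to ou=people,dc=example,dc=com makes the result unique.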
13.2.1 Configuring SASL identity mapping from the console
1. In the Directory Server Console, open the Configuration tab.
2. Select the SASL Mapping tab.
3. To add a new SASL identity mapping, select the Add button, and fill in the required values.