The LDAP mechanism supports directory authentication and authorization of users that are defined in an LDAP-compliant directory. To use the LDAP mechanism, you must complete setup procedures described in:
Several of the LDAP properties shown below do not appear in TdgssUserConfigFile.xml by default; to configure non-default values, you must add those properties to TdgssUserConfigFile.xml.
You can modify some LDAP support properties without performing a TPA reset; run_tdgssconfig indicates when a TPA reset is needed. For example, the following properties are all updated without requiring a TPA reset:
- AuthorizationSupported
- MechanismEnabled
- Any property beginning with “Ldap”
- Canonicalizations
Rely on run_tdgssconfig to tell you when a TPA reset is required.
Example: LDAP Configuration
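<!-- LDAPv3 -->
<!-- Mechanism entry for directory (LDAP) authentication and authorization.
     The attribute values below are the ones shown in this example; non-default
     values are set by adding the property to TdgssUserConfigFile.xml rather than
     by editing this entry. -->
<Mechanism Name="ldap"
           ObjectId="1.3.6.1.4.1.191.1.1012.1.20"
           LibraryName="gssp2ldap"
           Prefix="ldapv3"
           InterfaceType="custom">
  <!-- Note: DHKeyP and DHKeyG are for legacy (pre-14.0) use only -->
  <!-- PLACEHOLDER: the DHKeyP2048 value was truncated in the source page and is
       not reproduced here; the attribute is kept with a clearly labelled
       placeholder so the element stays well-formed. -->
  <!-- NOTE(review): as shown, LdapClientUseTls="no", LdapClientTlsReqCert="never",
       LdapClientTlsCRLCheck="none" and LdapAllowUnsafeServerConnect="yes" appear to
       leave the directory connection without transport protection or server
       certificate verification; for a production deployment set the non-default
       values in TdgssUserConfigFile.xml and confirm each property's exact
       semantics in the product documentation. -->
  <!-- NOTE(review): LdapServicePassword is a plain attribute value in this file;
       whether LdapServicePasswordProtected changes how it is stored is not shown
       here, so file permissions on the configuration file remain part of the
       control for any service bind credential. -->
  <MechanismProperties AuthenticationSupported="yes"
                       AuthorizationSupported="yes"
                       SingleSignOnSupported="no"
                       DefaultMechanism="no"
                       MechanismEnabled="yes"
                       MechanismRank="70"
                       MechanismIgnoresQop="no"
                       GenerateCredentialFromLogon="yes"
                       DelegateCredentials="no"
                       MutualAuthentication="yes"
                       ReplayDetection="yes"
                       OutOfSequenceDetection="yes"
                       ConfidentialityDesired="yes"
                       IntegrityDesired="yes"
                       AnonymousAuthentication="no"
                       DesiredContextTime=""
                       DesiredCredentialTime=""
                       CredentialUsage="0"
                       VerifyDHKey="no"
                       DHKeyP="E4BE0A78F54C4A0B17E7E9249A78BCC08868C17281D8463C880937853E73DDC787E41580A8AFE2594D984C9E0814C590790354ECCD1BE8EA85961E5E0974B32EFE178335F061E80189B4BDAA20F67B47"
                       DHKeyG="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005"
                       DHKeyP2048="PLACEHOLDER_DHKEYP2048_VALUE_TRUNCATED_IN_SOURCE"
                       DHKeyG2048="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005"
                       LdapServerName=""
                       LdapSystemFQDN=""
                       LdapGroupBaseFQDN=""
                       LdapUserBaseFQDN=""
                       LdapClientReferrals="off"
                       LdapClientDeref="never"
                       LdapClientDebug="0"
                       LdapClientRebindAuth="yes"
                       LdapClientRandomDevice="/dev/urandom"
                       LdapClientUseTls="no"
                       LdapClientTlsCACert=""
                       LdapClientTlsCACertDir=""
                       LdapClientTlsCert=""
                       LdapClientTlsKey=""
                       LdapClientTlsRandFile=""
                       LdapClientTlsReqCert="never"
                       LdapClientTlsCipherSuite=""
                       LdapClientTlsCRLCheck="none"
                       LdapServiceFQDN=""
                       LdapServicePasswordProtected="no"
                       LdapServicePassword=""
                       LdapServiceBindRequired="no"
                       LdapAllowUnsafeServerConnect="yes"
                       UseLdapConfig="no"/>
  <!-- Low, Medium and High QOP values are all set to "Default" unless the Low,
       Medium and High values are explicitly set in TdgssUserConfigFile.xml -->
  <!-- DEFAULT QOP -->
  <!-- The element text is a whitespace-separated list of QOP cipher suite names;
       one per line is used here only for readability. -->
  <MechQop Value="Default">
    AES-K128_GCM_PKCS5Padding_SHA2_DH-K2048
    AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
    AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048
    AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048
    AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
  </MechQop>
</Mechanism>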