Creating a Kerberos configuration file

To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding. Include information about the authentication server as shown in the following example. Any file name and extension are allowed. If an authorization server is not used, you do not need to define the items for it.

Caution: If you save the configuration file with the Windows standard Notepad application, specify ANSI as the character encoding. If you use an editor other than Notepad that has a UTF-8 BOM setting, specify No BOM and then save.

auth.server.type=kerberos 
auth.group.mapping=<value> 
auth.kerberos.<attribute>=<value> 
auth.group.<realm name>.<attribute>=<value>

A full example is shown below:

auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.dns_lookup_kdc=true
auth.kerberos.clockskew=300
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local

The Kerberos attributes are defined in the following table.

Kerberos definition (for authentication server)

Each entry lists the attribute, its description, whether it is required or optional, and its default value.

auth.server.type
  Description: Type of the authentication server. Specify kerberos.
  Required / Optional: Required
  Default value: None

auth.group.mapping
  Description: Whether to work together with an authorization server.
    • true: Works together
    • false: Does not work together
  Required / Optional: Optional
  Default value: false

auth.kerberos.default_realm
  Description: Default realm name.
  Required / Optional: Required
  Default value: None

auth.kerberos.dns_lookup_kdc
  Description: Switch that determines whether the SRV records registered in the DNS server are used to locate the Kerberos server.
    • true: Locates the server with the information registered in the SRV records in the DNS server
    • false: Locates the server with the host name and port number
    If auth.kerberos.realm_name and auth.kerberos.<realm_name>.kdc are specified, the Kerberos server is not located through the SRV records even when true is specified.
  Required / Optional: Optional
  Default value: false

auth.kerberos.clockskew
  Description: The acceptable difference in time between the clock of the SVP and the clock of the Kerberos server. Must be between 0 and 300 seconds (note 1).
  Required / Optional: Optional
  Default value: 300

auth.kerberos.timeout
  Description: The number of seconds before the connection to the Kerberos server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs (note 1).
  Required / Optional: Optional
  Default value: 10

auth.kerberos.realm_name
  Description: Realm identifier name. Any name that distinguishes the Kerberos server information of each realm. Duplicate names cannot be used. To register multiple names, separate them with commas. The value specified here is referred to as <realm_name> below.
  Required / Optional: Optional (note 2)
  Default value: None

auth.kerberos.<realm_name>.realm
  Description: The realm name set on the Kerberos server.
  Required / Optional: Optional (note 2)
  Default value: None

auth.kerberos.<realm_name>.kdc
  Description: The host name or IPv4 address, and the port number, of the Kerberos server. Specify these in the format "<Host name or IP address>[:Port number]".
  Required / Optional: Optional (note 2)
  Default value: None

Notes:

  1. If the specified value is not valid, the default value will be used.

  2. The item can be omitted if true is specified for auth.kerberos.dns_lookup_kdc.

  3. To use symbols such as + ; , < = and >, enter a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the searchdn field, use \+ instead of + as shown here: abc\+\+

     To enter \, /, or ", enter a backslash and then the ASCII code in hex for these symbols.

       • Enter \5c for \.

       • Enter \2f for /.

       • Enter \22 for ".

     For example, to enter abc\ in the searchdn field, enter abc\5c.

Kerberos definition (for authorization server)

Each entry lists the attribute, its description, whether it is required or optional, and its default value.

auth.group.<realm_name>.protocol
  Description: LDAP protocol to use.
    • ldaps: Uses LDAP over SSL/TLS.
    • starttls: Uses StartTLS.
  Required / Optional: Required
  Default value: None

auth.group.<realm_name>.port
  Description: Port number of the LDAP server. Must be between 1 and 65535 (note 1).
  Required / Optional: Optional
  Default value: 389

auth.group.<realm_name>.searchdn
  Description: DN of the user used for searching (note 2).
  Required / Optional: Required
  Default value: None

auth.group.<realm_name>.searchpw
  Description: Password of the user used for searching. Specify the same password that is registered in the LDAP server.
  Required / Optional: Required
  Default value: None

auth.group.<realm_name>.basedn
  Description: BaseDN from which the search for users begins. Specify the DN of a hierarchy that includes all the users, because the user being searched for is below the specified DN (note 2).
  Required / Optional: Optional
  Default value: abbr

auth.group.<realm_name>.timeout
  Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30 seconds. When 0 is specified, the connection does not time out until a communication error occurs (note 1).
  Required / Optional: Optional
  Default value: 10

auth.group.<realm_name>.retry.interval
  Description: Retry interval in seconds when the connection to the LDAP server fails. Must be between 1 and 5 (note 1).
  Required / Optional: Optional
  Default value: 1

auth.group.<realm_name>.retry.times
  Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3; 0 means no retry (note 1).
  Required / Optional: Optional
  Default value: 3

Notes:

  1. If the specified value is not valid, the default value will be used.

  2. To use symbols such as + ; , < = and >, enter a backslash (\) before each symbol. When using multiple symbols, each symbol must have a backslash before it. For example, to enter abc++ in the searchdn field, use \+ instead of + as shown here: abc\+\+

     To enter \, /, or ", enter a backslash and then the ASCII code in hex for these symbols.

       • Enter \5c for \.

       • Enter \2f for /.

       • Enter \22 for ".

     For example, to enter abc\ in the searchdn field, enter abc\5c.
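As an added example (not part of this documentation or of the product), the following Python loads a file in the key=value format above and applies the rules from the two tables: required items, fallback to the default for an out-of-range or non-numeric value (note 1), the rule that the realm items may be omitted only when dns_lookup_kdc is true (note 2), and the escaping of symbols in searchdn and basedn. It assumes that the authorization items live under the default realm, as in the full example, and the SAMPLE text is constructed.

```python
# Added example (not from the original documentation): load a Kerberos
# configuration file of the format shown above and check it against the tables.
RANGES = {  # key: (min, max, default); per note 1 an invalid value -> default
    "auth.kerberos.clockskew": (0, 300, 300), "auth.kerberos.timeout": (0, 30, 10),
    "port": (1, 65535, 389), "timeout": (0, 30, 10),
    "retry.interval": (1, 5, 1), "retry.times": (0, 3, 3),
}
HEX_ESCAPED = {"\\": r"\5c", "/": r"\2f", '"': r"\22"}
SAMPLE = """auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=example.com
auth.kerberos.clockskew=999
auth.group.example.com.protocol=ldaps
"""  # constructed: no dns_lookup_kdc or realm_name, clockskew out of range

def escape_dn(value: str) -> str:
    """Escape a searchdn/basedn value as the notes on symbols require."""
    return "".join(HEX_ESCAPED.get(c, "\\" + c if c in "+;,<=>" else c)
                   for c in value)

def parse(text: str) -> dict:
    """Read key=value lines, skipping blank lines and '#' comments."""
    pairs = (ln.partition("=") for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#") and "=" in ln)
    return {k.strip(): v.strip() for k, _, v in pairs}

def effective(cfg: dict, key: str, spec_key: str) -> int:
    """Numeric value actually used: the default when missing or invalid."""
    lo, hi, default = RANGES[spec_key]
    v = cfg.get(key, "")
    return int(v) if v.isdigit() and lo <= int(v) <= hi else default

def validate(cfg: dict) -> list:
    """Return the problems found; an empty list means the file is usable."""
    problems = []
    if cfg.get("auth.server.type") != "kerberos":
        problems.append("auth.server.type must be kerberos")
    realm = cfg.get("auth.kerberos.default_realm", "")
    names = [n for n in cfg.get("auth.kerberos.realm_name", "").split(",") if n]
    # Required items; authorization items are assumed under the default realm.
    wanted = [("auth.kerberos", ("default_realm",))]
    wanted += [(f"auth.kerberos.{n}", ("realm", "kdc")) for n in names]
    if realm and cfg.get("auth.group.mapping") == "true":
        wanted.append((f"auth.group.{realm}", ("protocol", "searchdn", "searchpw")))
    for prefix, subs in wanted:
        problems += [f"{prefix}.{s} is required" for s in subs if f"{prefix}.{s}" not in cfg]
    # Note 2: realm_name/.realm/.kdc may be omitted only with DNS SRV lookup.
    if cfg.get("auth.kerberos.dns_lookup_kdc") != "true" and not names:
        problems.append("set auth.kerberos.realm_name or dns_lookup_kdc=true")
    return problems
```

Running validate(parse(SAMPLE)) reports the missing searchdn and searchpw and the missing realm information, while effective() shows that the out-of-range clockskew silently becomes 300.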