dsconfig set-sasl-mechanism-handler-prop — Modifies SASL Mechanism Handler properties
dsconfig set-sasl-mechanism-handler-prop {options}
The dsconfig set-sasl-mechanism-handler-prop command takes the following options:
--handler-name {name}
The name of the SASL Mechanism Handler.
SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the {name} you provide.
By default, OpenDJ directory server supports the following SASL Mechanism Handler types:
Default {name}: Anonymous SASL Mechanism Handler
Enabled by default: true
See the section called “Anonymous SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
Default {name}: Cram MD5 SASL Mechanism Handler
Enabled by default: true
See the section called “Cram MD5 SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
Default {name}: Digest MD5 SASL Mechanism Handler
Enabled by default: true
See the section called “Digest MD5 SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
Default {name}: External SASL Mechanism Handler
Enabled by default: true
See the section called “External SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
Default {name}: GSSAPI SASL Mechanism Handler
Enabled by default: true
See the section called “GSSAPI SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
Default {name}: Plain SASL Mechanism Handler
Enabled by default: true
See the section called “Plain SASL Mechanism Handler” for the properties of this SASL Mechanism Handler type.
--set {PROP:VALUE}
Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.
SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the --handler-name {name} option.
--reset {property}
Resets a property back to its default values, where {property} is the name of the property to be reset.
SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the --handler-name {name} option.
--add {PROP:VALUE}
Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.
SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the --handler-name {name} option.
--remove {PROP:VALUE}
Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.
SASL Mechanism Handler properties depend on the SASL Mechanism Handler type, which depends on the --handler-name {name} option.
SASL Mechanism Handlers of type anonymous-sasl-mechanism-handler have the following properties:
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.AnonymousSASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No
SASL Mechanism Handlers of type cram-md5-sasl-mechanism-handler have the following properties:
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
None
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Cram MD5 SASL Mechanism Handler is enabled.
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.CRAMMD5SASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No
SASL Mechanism Handlers of type digest-md5-sasl-mechanism-handler have the following properties:
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
None
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Digest MD5 SASL Mechanism Handler is enabled.
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.DigestMD5SASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No
The name of a property that specifies the quality of protection the server will support.
none
Quality of protection equals authentication with integrity and confidentiality protection.
Quality of protection equals authentication with integrity protection.
QOP equals authentication only.
No
No
None
No
No
Specifies the realms that are to be used by the server for DIGEST-MD5 authentication. If this value is not provided, then the server defaults to using the fully qualified hostname of the machine.
If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
Any realm string that does not contain a comma.
No
No
None
No
No
Specifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process. If this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
The server attempts to determine the fully-qualified domain name dynamically.
The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.
No
No
None
No
No
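The digest-uri validation described above, as an added example that is not part of the OpenDJ documentation: a shell wrapper, dry-run by default, that uses --set to pin the expected server name and require confidentiality on the DIGEST-MD5 handler. The install path, connection values, handler name DIGEST-MD5, and the property names server-fqdn and quality-of-protection are assumptions not shown on this page.

```shell
#!/bin/sh
# Added example, not OpenDJ's own tooling. Assumed: install path, connection
# values, handler name DIGEST-MD5, and the property names server-fqdn and
# quality-of-protection (confirm both with get-sasl-mechanism-handler-prop).
DSCONFIG=${DSCONFIG:-/opt/opendj/bin/dsconfig}
DS_HOST=${DS_HOST:-localhost}
DS_PORT=${DS_PORT:-4444}
DS_BIND_DN=${DS_BIND_DN:-"cn=Directory Manager"}
DS_PW_FILE=${DS_PW_FILE:-/run/secrets/ds-admin.pw}
DS_TRUSTSTORE=${DS_TRUSTSTORE:-/opt/opendj/config/truststore}

# valid_fqdn NAME: accept only a dotted host name, so the value cannot carry
# whitespace or extra option text into the dsconfig command line.
valid_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# expected_digest_uri FQDN: the digest-uri clients must send once it is set.
expected_digest_uri() {
    valid_fqdn "$1" || return 1
    printf 'ldap/%s\n' "$1"
}

# set_handler_props HANDLER PROP:VALUE...: one call, one --set per pair.
set_handler_props() {
    handler=$1; shift
    [ "$#" -gt 0 ] || return 2
    for pair in "$@"; do case "$pair" in ?*:?*) ;; *) return 2 ;; esac; done
    n=$#    # rewrite the argument list as: --set PAIR --set PAIR ...
    while [ "$n" -gt 0 ]; do set -- "$@" --set "$1"; shift; n=$((n - 1)); done
    set -- "$DSCONFIG" set-sasl-mechanism-handler-prop \
        --hostname "$DS_HOST" --port "$DS_PORT" \
        --bindDN "$DS_BIND_DN" --bindPasswordFile "$DS_PW_FILE" \
        --trustStorePath "$DS_TRUSTSTORE" --handler-name "$handler" "$@" --no-prompt
    # Dry run prints the command for review (unquoted); APPLY=1 executes it.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# harden_digest_md5 FQDN: stop accepting arbitrary digest-uri values.
harden_digest_md5() {
    uri=$(expected_digest_uri "$1") || { echo "bad FQDN: $1" >&2; return 1; }
    set_handler_props "${DS_HANDLER:-DIGEST-MD5}" \
        "server-fqdn:$1" "quality-of-protection:confidentiality" || return 1
    echo "# clients must now send digest-uri=$uri"
}

if [ "$#" -gt 0 ]; then harden_digest_md5 "$1"; fi
```

Review the dry-run output first, then rerun with APPLY=1; clients that send a different digest-uri will fail to bind after the change.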
SASL Mechanism Handlers of type external-sasl-mechanism-handler have the following properties:
Specifies the name of the attribute to hold user certificates. This property must specify the name of a valid attribute type defined in the server schema.
userCertificate
The name of an attribute type defined in the server schema.
No
No
None
No
No
Specifies the name of the certificate mapper that should be used to match client certificates to user entries.
None
The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the External SASL Mechanism Handler is enabled.
No
Yes
None
No
No
Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.
None
Always require the peer certificate to be present in the user's entry.
If the user's entry contains one or more certificates, require that one of them match the peer certificate.
Do not look for the peer certificate to be present in the user's entry.
No
Yes
None
No
No
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.ExternalSASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No
SASL Mechanism Handlers of type gssapi-sasl-mechanism-handler have the following properties:
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the Kerberos principal included in the SASL bind request to the corresponding user in the directory.
None
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the GSSAPI SASL Mechanism Handler is enabled.
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.GSSAPISASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No
Specifies the address of the KDC that is to be used for Kerberos processing. If provided, this property must be a fully-qualified DNS-resolvable name. If this property is not provided, then the server attempts to determine it from the system-wide Kerberos configuration.
The server attempts to determine the KDC address from the underlying system configuration.
A String
No
No
None
No
No
Specifies the path to the keytab file that should be used for Kerberos processing. If provided, this is either an absolute path or one that is relative to the server instance root.
The server attempts to use the system-wide default keytab.
A String
No
No
None
No
No
Specifies the principal name. It can either be a simple user name or a service name such as host/example.com. If this property is not provided, then the server attempts to build the principal name by appending the fully qualified domain name to the string "ldap/".
The server attempts to determine the principal name from the underlying system configuration.
A String
No
No
None
No
No
The name of a property that specifies the quality of protection the server will support.
none
Quality of protection equals authentication with integrity and confidentiality protection.
Quality of protection equals authentication with integrity protection.
QOP equals authentication only.
No
No
None
No
No
Specifies the realm to be used for GSSAPI authentication.
The server attempts to determine the realm from the underlying system configuration.
A String
No
No
None
No
No
Specifies the DNS-resolvable fully-qualified domain name for the system.
The server attempts to determine the fully-qualified domain name dynamically.
A String
No
No
None
No
No
SASL Mechanism Handlers of type plain-sasl-mechanism-handler have the following properties:
Indicates whether the SASL mechanism handler is enabled for use.
None
true
false
No
Yes
None
No
No
Specifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
None
The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Plain SASL Mechanism Handler is enabled.
No
Yes
None
No
No
Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
org.opends.server.extensions.PlainSASLMechanismHandler
A Java class that implements or extends the class(es): org.opends.server.api.SASLMechanismHandler
No
Yes
The SASL Mechanism Handler must be disabled and re-enabled for changes to this setting to take effect
Yes (Use --advanced in interactive mode.)
No