
To access these properties, expand and double-click Config.

| Property | Value | Description |
|---|---|---|
| Enable Connection Pooling | true or false | Enables (true) and disables (false) shared and reused connections. Pooling connections can improve performance. |
| Connection URL | ldap://your.domain.net or ldap://your.domain.net:nnn | Identifies the URL (your.domain.net) for the LDAP server. Standard LDAP ports are 389, or 636 (if using SSL). If the server uses a non-standard port, include the port (your.domain.net:nnn) in the URL, for example, ldap://your.domain.net:999. |
| SSL | true or false | Enables (true) and disables (false) secure communication. If set to true, make sure that SSL (3.8) or TLS (4.0) is enabled in the station’s FoxService (for |
| User Login Attr | text (for AD this value defaults to sAMAccountName) | Identifies the specific attribute in the LDAP directory that stores the LDAP user login name. For AD servers, this is always sAMAccountName. For OpenLDAP servers, it would be uid. |
| User Base | domain components | Identifies the sub-tree of the LDAP server in which users who can access this station are found. At the very least it must contain the domain components of the server’s domain, for example: DC=domain, DC=net. |
| Attr Email | email address (AD value defaults to: mail) | Identifies the specific attribute in the LDAP directory that stores the user’s LDAP email address. This value populates the Email property. |
| Attr Full Name | text (AD value defaults to: name) | Identifies the specific attribute in the LDAP directory that stores the user’s full name. This value populates the Full Name property. |
| Attr Language | two-letter language code (AD defaults to blank) | Identifies the specific attribute in the LDAP directory that stores the user’s language. This value populates the Language property. |
| Attr Cell Phone Number | telephone number (AD defaults to mobile) | Identifies the attribute in the LDAP directory that stores the user’s mobile phone number. This value populates the Cell Phone Number property. |
| Attr Prototype | text (AD defaults to memberOf) | Identifies the User Prototype with which the system populates a new user’s local properties. If this property is blank or the name does not match any user prototype, the system uses the If a user belongs to multiple user groups (user prototypes), the top-to-bottom order of prototypes determines which prototype the system uses. If the value of a user prototype property changes, the system dynamically updates user properties accordingly. |
| Cache Expiration | hours, minutes, seconds (defaults to 00168h 00m 00s) | Allows users to continue to log in if the LDAP server is not reachable (the Key Distribution Center still has to be reachable for Kerberos). A user can continue to log in as long as the last time that user logged in when the server was up is less than the specified Cache Expiration. There are no limits on the property. |
| Connection Timeout | time | Determines the length of time the station attempts to connect to the LDAP server before the connection fails. The station will not fail over to the next LDAP server until the first connection attempt is unresponsive for the amount of time specified in the connection timeout. This time should not be so short that it causes false connection failures, but not so long that it causes excessive delays when a server is down. |
| Realm | UPPERCASE letters, for example: EXAMPLE.COM | Identifies the system on which the LDAP server resides. You get this information from your Kerberos administrator. |
| Key Distribution Center | text, for example: kd.example.com | Specifies the name of the Kerberos Key Distribution Center that the system contacts to get a ticket, which, like a key, is used to authenticate the user to the |
| Station Kerberos Name | text | As part of securely delegating Kerberos tickets, this property represents the station as a user in the Kerberos database. If logging in only via However, if the user logs in via a browser, the user must be a service in the form: HTTP/serviceName.domain.com, where serviceName.domain.com is how the station is to be accessed in the browser (for example, http://stationkerb1.mydomain.com). The service name for the station Kerberos name typically omits a bit of the normal http URL syntax, for example: http/stationkerb1.mydomain.net instead of http://stationkerb1.mydomain.net. You may need to ask the Kerberos administrator to create the service for you in the Kerberos database. NOTE: Kerberos is very particular about names. You must enter the station name in the “Station Kerberos Name” property exactly as it appears in the Kerberos database. Upper/lowercase can sometimes be an issue, so make sure you have an exact match. |
| Station Kerberos Password | text (defaults to blank) | Specifies the password for the Kerberos station user identified by the Station Kerberos Name property. If you are using a keytab file, you can leave this property blank. |
| Key Tab File | file name | Defines the keytab file that contains a key table. Kerberos services usually do not use a password to authenticate. Instead, they use a file. To authenticate from a web browser you must specify an associated service in the You must copy that keytab file to this secure location on the |
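
The checks below are an added example, not part of the original documentation or the product's tooling: they lint a set of values from the table above for the mistakes its descriptions warn about (URL port syntax, the SSL setting, User Base components, realm case, the service form of the Station Kerberos Name, and a missing password or keytab). The dictionary layout, the function name `audit_ldap_config`, the `browser_login` flag and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

KNOWN_RDN_TYPES = {"DC", "OU", "CN", "O", "C", "L", "ST"}  # common DN attribute types

def audit_ldap_config(cfg, browser_login=False):
    """Return findings for a dict keyed by the property names in the table above."""
    out = []
    ssl_on = cfg.get("SSL") is True
    url = urlsplit(cfg.get("Connection URL", ""))
    try:
        port = url.port                      # raises ValueError for a non-numeric port
    except ValueError:
        port = -1
    host = url.hostname or ""
    if url.scheme != "ldap" or not host or port == -1:
        out.append("Connection URL: expected ldap://host or ldap://host:port")
    elif port is None and re.search(r"[a-z][a-z0-9-]*\.\d+$", host):
        out.append("Connection URL: port must follow ':' not '.'")
    if (ssl_on and port == 389) or (not ssl_on and port == 636):
        out.append("Connection URL: port does not match the SSL setting")
    if not ssl_on:
        out.append("SSL is false: LDAP traffic to the server is not encrypted")
    # Simplification: splits on ',' and ignores escaped commas inside a DN.
    parts = cfg.get("User Base", "").split(",")
    types = {p.split("=")[0].strip().upper() for p in parts if p.strip()}
    if "DC" not in types:
        out.append("User Base: must contain the domain components (DC=...)")
    unknown = sorted(types - KNOWN_RDN_TYPES)
    if unknown:
        out.append("User Base: unrecognized attribute type(s) " + ", ".join(unknown))
    realm = cfg.get("Realm", "")
    if not realm or realm != realm.upper():
        out.append("Realm: must be set, in UPPERCASE")
    name = cfg.get("Station Kerberos Name", "")
    if browser_login and not re.fullmatch(r"(?i)http/[a-z0-9.-]+", name):
        out.append("Station Kerberos Name: browser login needs HTTP/host form, not a URL")
    if not cfg.get("Station Kerberos Password") and not cfg.get("Key Tab File"):
        out.append("Set Station Kerberos Password or Key Tab File")
    return out

# Constructed sample values, not taken from a real station.
WEAK = {"Connection URL": "ldap://your.domain.net.999", "SSL": False,
        "User Base": "DC=domain, CD=net", "Realm": "example.com",
        "Station Kerberos Name": "http://stationkerb1.mydomain.net",
        "Station Kerberos Password": "", "Key Tab File": ""}
GOOD = {"Connection URL": "ldap://your.domain.net:636", "SSL": True,
        "User Base": "DC=domain,DC=net", "Realm": "EXAMPLE.COM",
        "Station Kerberos Name": "HTTP/stationkerb1.mydomain.net",
        "Station Kerberos Password": "", "Key Tab File": "station.keytab"}
```

Calling `audit_ldap_config(WEAK, browser_login=True)` returns one finding per weak value, and the `GOOD` values return an empty list.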