The GSSAPI mechanism is used to perform authentication in a Kerberos V5 environment, and generally requires that the client system be configured to participate in such an environment. The options available for use with the GSSAPI mechanism include:
authid: Specifies the authentication ID that should be used to identify the user. This ID should be in the form of a Kerberos principal (for example, user@REALM) and not in the authorization ID form described previously. This option must be provided if the user has not authenticated to Kerberos before attempting to bind.
authzid: Specifies the authorization ID that should be used to identify the user under whose authority operations should be performed. The directory server does not yet support this capability.
qop: Specifies the quality of protection to use for the communication. Currently, the directory server clients support only the auth quality-of-protection value; the auth-int and auth-conf values are supported by the server but not by the clients.
If the user already has a valid Kerberos ticket on the system when attempting to use GSSAPI, the client attempts to use it so that no password is required. However, if the user does not have a valid Kerberos ticket, or if it cannot be accessed for some reason, a password must be provided using either the --bindPassword or the --bindPasswordFile option.
The following command demonstrates the use of SASL GSSAPI authentication for a user that already has a valid Kerberos session:
$ ldapsearch --hostname server.example.com --port 1389 --saslOption mech=GSSAPI \
    --saslOption authid=jdoe@EXAMPLE.COM --baseDN "" --searchScope base "(objectClass=*)"
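The following shell helper is an added example and not part of the original documentation or the directory server distribution. It assembles the SASL options for a GSSAPI bind, rejects an authid given in authorization-ID form instead of as a Kerberos principal, and falls back to --bindPasswordFile when no ticket cache is available; the function names (has_kerberos_ticket, is_kerberos_principal, gssapi_bind_args) and the password-file path are assumptions.

```shell
# Added example, not from the original page. Assumed helper names and
# placeholder paths throughout.

# Exit 0 when a usable Kerberos ticket cache exists. klist -s is silent and
# exits non-zero when no valid ticket is present.
has_kerberos_ticket() {
    command -v klist >/dev/null 2>&1 && klist -s
}

# A GSSAPI authid must be a Kerberos principal (user@REALM), not the
# "dn:..." or "u:..." authorization-ID form used by other SASL mechanisms.
is_kerberos_principal() {
    case "$1" in
        dn:*|u:*) return 1 ;;
        *@*)      return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the ldapsearch SASL arguments for a GSSAPI bind.
#   $1 = authid (Kerberos principal)
#   $2 = "yes" if a valid ticket exists, anything else otherwise
#   $3 = password file to use when no ticket exists
gssapi_bind_args() {
    authid=$1; ticket=$2; pwfile=$3
    is_kerberos_principal "$authid" || {
        echo "authid must be a Kerberos principal (user@REALM), got: $authid" >&2
        return 1
    }
    args="--saslOption mech=GSSAPI --saslOption authid=$authid"
    if [ "$ticket" != "yes" ]; then
        # No ticket: the client needs the password. A file keeps it out of
        # the process list and shell history, unlike --bindPassword.
        args="$args --bindPasswordFile $pwfile"
    fi
    printf '%s\n' "$args"
}

# Usage (placeholder host and password file):
#   ticket=no; has_kerberos_ticket && ticket=yes
#   ldapsearch --hostname server.example.com --port 1389 \
#       $(gssapi_bind_args jdoe@EXAMPLE.COM "$ticket" /path/to/jdoe.pw) \
#       --baseDN "" --searchScope base "(objectClass=*)"
```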