Creating a Kerberos configuration file

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900
Version: 88-06-0x
Part Number: MK-97HM85028-08

You can use a Kerberos server for authentication on your storage system.

To use a Kerberos server for authentication, create a configuration file in UTF-8 encoding that describes the authentication server, as in the following example. The file consists of one attribute=value entry per line. Any file name and extension are allowed. If an authorization server (the LDAP server used for group mapping) is not used, you do not need to define the items for it.

CAUTION:
If you save the configuration file with the Windows Notepad application, select ANSI as the encoding, because Notepad's UTF-8 option may write a byte order mark (BOM). If you use another editor that has a UTF-8 BOM setting, select No BOM before saving.

The file has the following structure:

auth.server.type=kerberos
auth.group.mapping=<value>
auth.kerberos.<attribute>=<value>
auth.group.<realm_name>.<attribute>=<value>

A full example is shown below:

auth.server.type=kerberos 
auth.group.mapping=true 
auth.kerberos.default_realm=example.com 
auth.kerberos.dns_lookup_kdc=true 
auth.kerberos.clockskew=300 
auth.kerberos.timeout=10
auth.group.example.com.protocol=ldaps
auth.group.example.com.port=636
auth.group.example.com.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.example.com.searchpw=password
auth.group.example.com.basedn=CN=Users,DC=domain,DC=local

The Kerberos attributes are defined in the following table.

Table. Kerberos definition (for authentication server)

Each entry lists the attribute, its description, whether it is required or optional, and its default value.

auth.server.type
  Description: Type of authentication server. Specify kerberos.
  Required / Optional: Required
  Default value: None

auth.group.mapping
  Description: Whether to work together with an authorization server.
    • true: Works together with an authorization server
    • false: Does not work together with an authorization server
  Required / Optional: Optional
  Default value: false

auth.kerberos.default_realm
  Description: Default realm name.
  Required / Optional: Required
  Default value: None

auth.kerberos.dns_lookup_kdc
  Description: Switch that determines how the Kerberos server (KDC) is located.
    • false: Searches with the host name and port number set in auth.kerberos.<realm_name>.kdc. Specify this value.
    • true: Searches with the information registered in the SRV records on the DNS server. Do not specify this value: the KDC is then located from DNS answers rather than from a configured host name, so the SVP depends on the DNS server being trustworthy.
  Required / Optional: Optional
  Default value: false

auth.kerberos.clockskew
  Description: Maximum difference in time, in seconds, that is tolerated between the SVP and the Kerberos server. Must be between 0 and 300.
  Required / Optional: Optional (see note 1)
  Default value: 300

auth.kerberos.timeout
  Description: Number of seconds before the connection to the Kerberos server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs.
  Required / Optional: Optional (see note 1)
  Default value: 10

auth.kerberos.realm_name
  Description: Realm identifier name: any name that distinguishes the Kerberos server information of each realm. Duplicate names cannot be used. To register multiple names, separate them with commas. The value specified here is referred to as <realm_name> below.
  Required / Optional: Optional (see note 2)
  Default value: None

auth.kerberos.<realm_name>.realm
  Description: The realm name set on the Kerberos server.
  Required / Optional: Optional (see note 2)
  Default value: None

auth.kerberos.<realm_name>.kdc
  Description: Host name or IPv4 address of the Kerberos server, optionally followed by the port number, in the format <host name or IP address>[:port number].
  Required / Optional: Optional (see note 2)
  Default value: None

Notes:
  1. If the specified value is not valid, the default value is used.
  2. The item can be omitted if true is specified for auth.kerberos.dns_lookup_kdc.
Table. Kerberos definition (for authorization server)

auth.group.<realm_name>.protocol
  Description: LDAP protocol used to connect to the authorization (LDAP) server.
    • ldaps: Uses LDAP over SSL/TLS. Specify this value. Because the default port (389) is the plain LDAP port, also set auth.group.<realm_name>.port, normally to 636, as in the full example above.
    • starttls: Uses StartTLS on the plain LDAP port. Do not specify this value.
  Required / Optional: Required
  Default value: None

auth.group.<realm_name>.port
  Description: Port number of the LDAP server. Must be between 1 and 65535.
  Required / Optional: Optional (see note 1)
  Default value: 389

auth.group.<realm_name>.searchdn
  Description: DN of the user account used for searching.
  Required / Optional: Required (see note 2)
  Default value: None

auth.group.<realm_name>.searchpw
  Description: Password of the search user. Specify the same password that is registered on the LDAP server. The password is stored in clear text in this file, so restrict who can read the file.
  Required / Optional: Required
  Default value: None

auth.group.<realm_name>.basedn
  Description: Base DN at which the search for users begins. Specify the DN of a hierarchy that contains all the users, because the user being searched for must be at a lower level than the specified DN.
  Required / Optional: Optional (see note 2)
  Default value: None

auth.group.<realm_name>.timeout
  Description: Number of seconds before the connection to the LDAP server times out. Must be between 1 and 30. When 0 is specified, the connection does not time out until a communication error occurs.
  Required / Optional: Optional (see note 1)
  Default value: 10

auth.group.<realm_name>.retry.interval
  Description: Retry interval, in seconds, when the connection to the LDAP server fails. Must be between 1 and 5.
  Required / Optional: Optional (see note 1)
  Default value: 1

auth.group.<realm_name>.retry.times
  Description: Number of retries when the connection to the LDAP server fails. Must be between 0 and 3. 0 means no retry.
  Required / Optional: Optional (see note 1)
  Default value: 3

Notes:
  1. If the specified value is not valid, the default value is used.
  2. To use the symbols + ; , < = or > within an attribute value, enter a backslash (\) before each symbol. When a value contains several such symbols, each one must have its own backslash. For example, to enter abc++ in the searchdn field, write abc\+\+. The = and , that separate the RDNs of the DN itself are not escaped, as in the full example above.

     To enter \, /, or ", enter a backslash followed by the ASCII code of the symbol in hex:

     • Enter \5c for \
     • Enter \2f for /
     • Enter \22 for "

     For example, to enter abc\ in the searchdn field, enter abc\5c.
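The following Python script is an added example, not code from the guide or from the storage system software. It applies the rules of the two tables and the CAUTION above to a configuration file before it is uploaded: it rejects a UTF-8 BOM, checks the required keys and value ranges (note 1: out-of-range values fall back to the default), flags dns_lookup_kdc=true and an ldaps entry left on the plain LDAP port, and escapes searchdn/basedn values as note 2 describes. The embedded sample file is constructed for this example; the realm identifier corp, the KDC host kdc1.example.com and the assumption that auth.group.* keys use the default realm name when auth.kerberos.realm_name is omitted (taken from the guide's full example) are not part of the guide.

```python
BOM = b"\xef\xbb\xbf"
DN_HEX = {"\\": "\\5c", "/": "\\2f", '"': "\\22"}  # note 2: backslash plus hex code
DN_PREFIX = set("+;,<=>")                           # note 2: backslash before the symbol

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for searchdn/basedn as note 2 of the table requires."""
    return "".join(DN_HEX.get(c, "\\" + c if c in DN_PREFIX else c) for c in value)

def parse_config(raw: bytes):
    """Parse attribute=value lines. Returns (config dict, list of errors)."""
    errors = []
    if raw.startswith(BOM):                      # the CAUTION above: no BOM
        errors.append("file starts with a UTF-8 BOM; save it without a BOM")
        raw = raw[len(BOM):]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {}, errors + ["file is not valid UTF-8"]
    cfg = {}
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.rstrip().partition("=")
        if sep:
            cfg[key.strip()] = value
        elif key.strip():
            errors.append(f"line {n}: expected attribute=value")
    return cfg, errors

def _ranged(cfg, key, lo, hi, default, warnings):
    """Note 1 of both tables: an invalid value silently becomes the default."""
    if key not in cfg:
        return default
    v = int(cfg[key]) if cfg[key].isdigit() else None
    if v is None or not lo <= v <= hi:
        warnings.append(f"{key}={cfg[key]!r} is not in {lo}..{hi}; the SVP will use {default}")
        return default
    return v

def validate(cfg: dict):
    """Apply the rules of both attribute tables. Returns (errors, warnings)."""
    errors, warnings = [], []
    if cfg.get("auth.server.type") != "kerberos":
        errors.append("auth.server.type must be kerberos")
    if not cfg.get("auth.kerberos.default_realm"):
        errors.append("auth.kerberos.default_realm is required")
    _ranged(cfg, "auth.kerberos.clockskew", 0, 300, 300, warnings)
    _ranged(cfg, "auth.kerberos.timeout", 0, 30, 10, warnings)

    dns_lookup = cfg.get("auth.kerberos.dns_lookup_kdc", "false") == "true"
    realms = [r for r in cfg.get("auth.kerberos.realm_name", "").split(",") if r]
    if dns_lookup:  # the table says not to use this: the KDC is then located through DNS
        warnings.append("dns_lookup_kdc=true: KDC found via DNS SRV records; set false and define <realm_name>.kdc")
    elif not realms:
        errors.append("auth.kerberos.realm_name is required when dns_lookup_kdc is false")
    for r in realms:
        for attr in ("realm", "kdc"):   # note 2: only omittable when dns_lookup_kdc=true
            if not dns_lookup and f"auth.kerberos.{r}.{attr}" not in cfg:
                errors.append(f"auth.kerberos.{r}.{attr} is required when dns_lookup_kdc is false")

    if cfg.get("auth.group.mapping") == "true":
        # Assumption taken from the guide's full example: when realm_name is
        # omitted, the auth.group.* keys use the default realm name as <realm_name>.
        for r in realms or [cfg.get("auth.kerberos.default_realm", "")]:
            p = f"auth.group.{r}."
            proto = cfg.get(p + "protocol")
            if proto not in ("ldaps", "starttls"):
                errors.append(p + "protocol must be ldaps or starttls")
            port = _ranged(cfg, p + "port", 1, 65535, 389, warnings)
            if proto == "ldaps" and port == 389:
                warnings.append(p + "port is 389 (plain LDAP); ldaps normally needs 636")
            for attr in ("searchdn", "searchpw"):
                if not cfg.get(p + attr):
                    errors.append(p + attr + " is required")
            _ranged(cfg, p + "timeout", 0, 30, 10, warnings)
            _ranged(cfg, p + "retry.interval", 1, 5, 1, warnings)
            _ranged(cfg, p + "retry.times", 0, 3, 3, warnings)
    return errors, warnings

def check_config(raw: bytes):
    """Parse and validate the bytes of a configuration file. Returns (errors, warnings)."""
    cfg, errors = parse_config(raw)
    more, warnings = validate(cfg)
    return errors + more, warnings

# Constructed sample, not from the guide: like the full example above, but with
# dns_lookup_kdc=false so the realm entries are defined; the KDC host is made up.
SAMPLE = b"""\
auth.server.type=kerberos
auth.group.mapping=true
auth.kerberos.default_realm=EXAMPLE.COM
auth.kerberos.dns_lookup_kdc=false
auth.kerberos.realm_name=corp
auth.kerberos.corp.realm=EXAMPLE.COM
auth.kerberos.corp.kdc=kdc1.example.com:88
auth.group.corp.protocol=ldaps
auth.group.corp.port=636
auth.group.corp.searchdn=CN=sample1,CN=Users,DC=domain,DC=local
auth.group.corp.searchpw=password
"""
```

Run check_config on the raw bytes of the file (open it with mode "rb" so the BOM check sees the first three bytes); errors are settings the SVP will reject or that leave the server unreachable, warnings are settings it accepts but that the tables advise against or silently replace with the default. The escaping helper works on a single RDN value, so build the DN from its parts (for example "CN=" + escape_dn_value("abc++") + ",CN=Users,DC=domain,DC=local") rather than passing the whole DN through it.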