authorSimo Sorce <ssorce@redhat.com>2009-09-25 09:46:30 -0400
committerStephen Gallagher <sgallagh@redhat.com>2009-10-01 08:42:36 -0400
commitbc58f5892d3a8f6b28e2148c5a0cca34b63ef354 (patch)
treee7db3c657227adb86f49abd84ca4fa426e929621 /server/man
parentd4341d654beb1f6c87d7f70ef0142f23aadac957 (diff)
Initial implementation of sasl bind support
Initializes krb5 credentials if the SASL mechanism is GSSAPI. Tested with GSSAPI and the host keytab as well as user credentials. Also updates the man pages with the new options.
Diffstat (limited to 'server/man')
-rw-r--r--server/man/sssd-ldap.5.xml79
1 files changed, 79 insertions, 0 deletions
diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml
index b5efb11d0..7a86c7a3c 100644
--- a/server/man/sssd-ldap.5.xml
+++ b/server/man/sssd-ldap.5.xml
@@ -485,6 +485,85 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ldap_id_use_start_tls (boolean)</term>
+ <listitem>
+ <para>
+ Specifies that the id_provider connection must also
+ use tls to protect the channel.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sasl_mech (string)</term>
+ <listitem>
+ <para>
+ Specify the sasl mechanism to use.
+ Currently only GSSAPI is tested and supported.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_sasl_authid (string)</term>
+ <listitem>
+ <para>
+ Specify the sasl authorization id to use.
+ When GSSAPI is used, this represents the kerberos
+ principal used for authentication to the directory.
+ </para>
+ <para>
+ Default: host/machine.fqdn@REALM
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_krb5_keytab (string)</term>
+ <listitem>
+ <para>
+ Specify keytab to use when using SASL/GSSAPI.
+ </para>
+ <para>
+ Default: System keytab, normally /etc/krb5.keytab
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_krb5_init_creds (boolean)</term>
+ <listitem>
+ <para>
+ Specifies that the id_provider should init
+ kerberos credentials (TGT).
+ This action is perfromed only if SASL is used and
+ the mechanism selected is GSSAPI.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_realm (string)</term>
+ <listitem>
+ <para>
+ Specify the kerberos REALM (for SASL/GSSAPI auth).
+ </para>
+ <para>
+ Default: System defaults, see /etc/krb5.conf
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>