GSS-API is a framework, similar to SASL, for authentication. The GSSAPI mechanism only supports the Kerberos 5 GSS-API mechanism, though. (A new SASL mechanism for non-Kerberos 5 GSS-API mechanisms may be supported in the future.)
In the client, the mechanism is enabled only if the user has acquired
credentials (i.e., a ticket granting ticket), and requires the
GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME
properties.
In the server, the mechanism requires the GSASL_SERVICE and
GSASL_HOSTNAME properties, and will invoke the
GSASL_VALIDATE_GSSAPI callback in order to validate the user.
The callback may inspect the GSASL_AUTHZID and
GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to
authorize the user. Note that authentication is performed by the
GSS-API library; the callback only makes the authorization decision.
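
One way to write the authorization decision that the GSASL_VALIDATE_GSSAPI callback makes, as an added example that is not code from the GNU SASL manual or library. The helper name gssapi_authorize, the single-trusted-realm policy, and the assumption that the display name has the form "user@REALM" are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical policy helper, not part of libgsasl.
 * display_name: value of GSASL_GSSAPI_DISPLAY_NAME ("alice@EXAMPLE.ORG").
 * authzid:      value of GSASL_AUTHZID, NULL or "" if the client sent none.
 * realm:        the single realm this server accepts (assumed policy).
 * Returns 1 to authorize, 0 to reject. */
int gssapi_authorize(const char *display_name, const char *authzid,
                     const char *realm)
{
    const char *at;
    size_t local_len;

    if (display_name == NULL || realm == NULL)
        return 0;
    at = strrchr(display_name, '@');      /* realm follows the last '@' */
    if (at == NULL || at == display_name)
        return 0;                         /* no realm, or empty local part */
    if (strcmp(at + 1, realm) != 0)
        return 0;                         /* realms are case-sensitive */
    local_len = (size_t)(at - display_name);
    /* Reject instances ("alice/admin"), escapes and embedded '@'. */
    if (memchr(display_name, '/', local_len) != NULL ||
        memchr(display_name, '\\', local_len) != NULL ||
        memchr(display_name, '@', local_len) != NULL)
        return 0;
    if (authzid == NULL || authzid[0] == '\0')
        return 1;                         /* client acts as itself */
    /* A non-empty authzid must equal the authenticated local part. */
    return strlen(authzid) == local_len &&
           memcmp(authzid, display_name, local_len) == 0;
}

/* In a server callback, on GSASL_VALIDATE_GSSAPI, pass the two property
 * values here and return GSASL_OK or GSASL_AUTHENTICATION_ERROR. */
int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", gssapi_authorize("alice@EXAMPLE.ORG", "alice", "EXAMPLE.ORG"));
    printf("%d\n", gssapi_authorize("alice@EXAMPLE.ORG", "bob", "EXAMPLE.ORG"));
    printf("%d\n", gssapi_authorize("alice@OTHER.EXAMPLE", "", "EXAMPLE.ORG"));
    return 0;
}
```

Comparing the full realm, and not only the part before the '@', is what keeps a principal from another realm from being accepted under a local user's name.
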
XXX: explain more about quality of service, maximum buffer size, etc.