The heimdal_gssapi authenticator provides server integration for the Heimdal GSSAPI/Kerberos library, permitting Exim to set a keytab pathname reliably.
| server_hostname | Use: heimdal_gssapi | Type: string† | Default: see below |

This option selects the hostname that is used, with server_service, for constructing the GSS server name, as a GSS_C_NT_HOSTBASED_SERVICE identifier. The default value is
| server_keytab | Use: heimdal_gssapi | Type: string† | Default: unset |
If set, then Heimdal will not use the system default keytab (typically /etc/krb5.keytab) but instead the pathname given in this option. The value should be a pathname, with no “file:” prefix.
| server_service | Use: heimdal_gssapi | Type: string† | Default: smtp |
This option specifies the service identifier used, in conjunction with server_hostname, for building the identifier for finding credentials from the keytab.
1. heimdal_gssapi auth variables
$auth1: the authentication id, set to the GSS Display Name.
$auth2: the authorization id, sent within SASL encapsulation after authentication. If that was empty, this will also be set to the GSS Display Name.

Beware that these variables will typically include a realm, and so will already look roughly like an email address. The authzid in $auth2 is not verified, so a malicious client can set it to anything.
The $auth1 field should be safely trustable as a value from the Key Distribution Center. Note that these are not quite email addresses: each identifier is for a role, so the left-hand side may include a role suffix, for instance “joe/admin@EXAMPLE.ORG”.
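An added example (not taken from the Exim documentation) that ties the three options above to the auth variables: a heimdal_gssapi server authenticator that pins the keytab and service name, and that identifies the session by the KDC-backed $auth1 while rejecting any client-chosen authzid in $auth2 that does not match it. The hostname, keytab path and realm are assumed values; public_name, server_set_id and server_condition are Exim's generic authenticator options, not heimdal_gssapi-specific ones.

```exim
# Added example, not from the Exim documentation. Hostname, keytab
# path and realm below are assumed values for illustration.
begin authenticators

heimdal:
  driver           = heimdal_gssapi
  public_name      = GSSAPI
  # Explicit keytab so credential lookup does not depend on the system
  # default /etc/krb5.keytab. Plain pathname, no "file:" prefix.
  server_keytab    = /etc/exim/exim.keytab
  # Together these form the GSS_C_NT_HOSTBASED_SERVICE name
  # "smtp@mail.example.org" used to find credentials in the keytab.
  server_service   = smtp
  server_hostname  = mail.example.org
  # Weak choice, shown only for contrast:
  #   server_set_id = $auth2
  # $auth2 is the authzid supplied by the client and is never verified
  # by the KDC, so it would let a client choose any identity it likes.
  # Use the Kerberos principal from $auth1 (e.g. joe/admin@EXAMPLE.ORG)
  # as the authenticated id instead ...
  server_set_id    = $auth1
  # ... and only accept an authzid equal to it. When the client sent an
  # empty authzid Exim copies the GSS Display Name into $auth2, so the
  # equality test also admits that case.
  server_condition = ${if eq{$auth2}{$auth1}}
```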