Kerberos (GSSAPI)

Kerberos can be used to authenticate to an LDAP directory. In this case, you don’t need to store the connection password in lsc.xml.

Here are the steps to use Kerberos with LSC.


You first need a working Kerberos client configuration on your server, meaning you are able to run kinit and get a valid ticket from the Kerberos server.

For convenience, this howto assumes you have generated a keytab for the LSC user, which avoids the need to run kinit to get a ticket. Export the keytab to lsc.keytab.


Create /etc/lsc/gsseg_jaas.conf with the following content (adapt the path to the keytab):

/* Login Configuration for JAAS. */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useKeyTab=true keyTab="/path/to/lsc.keytab";
};


Remove the useKeyTab and keyTab parameters if you don’t want to use a keytab for now and plan to get a ticket with kinit.


Soft-link the krb5.ini to your real /etc/krb5.conf:

ln -s /etc/krb5.conf /etc/lsc/krb5.ini

Java options

You need to add some options in the java command used by LSC. You can do that by exporting JAVA_OPTS:



If you need to debug, set these additional Java options:


You can also edit /usr/bin/lsc to make these options permanent.
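The Java options and keytab steps above, as an added shell example that is not part of the LSC documentation: it builds JAVA_OPTS from standard JDK system properties for the /etc/lsc paths used on this page, and fails if the keytab named in gsseg_jaas.conf is accessible to group or other. The function names are illustrative, and that LSC needs exactly this set of properties is an assumption.

```shell
#!/bin/sh
# Added example (not from the LSC documentation). Function names are
# illustrative; the paths are the ones used on this page.

# Print JVM options pointing Java's Kerberos and JAAS code at the LSC files.
# These are standard JDK system properties; that LSC needs exactly this set
# is an assumption.
lsc_krb_java_opts() {
    printf '%s %s %s' \
        "-Djava.security.krb5.conf=$1/krb5.ini" \
        "-Djava.security.auth.login.config=$1/gsseg_jaas.conf" \
        "-Djavax.security.auth.useSubjectCredsOnly=false"
}

# Extract the first keyTab="..." path from a JAAS login configuration.
jaas_keytab_path() {
    sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the keytab is a regular file with no group/other access.
# A keytab holds the principal's long-term key, so it is password-equivalent.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    # In "ls -ld" output, characters 5-10 are the group and other mode bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check everything JAVA_OPTS will reference before LSC is started.
lsc_krb_preflight() {
    for f in "$1/krb5.ini" "$1/gsseg_jaas.conf"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    done
    kt=$(jaas_keytab_path "$1/gsseg_jaas.conf")
    # No keyTab entry means the ticket comes from kinit; nothing more to check.
    [ -z "$kt" ] && return 0
    keytab_perms_ok "$kt" || {
        echo "keytab missing or accessible to group/other: $kt" >&2
        return 1
    }
}

# With a directory argument, run the checks and print the export line.
if [ -n "${1:-}" ]; then
    lsc_krb_preflight "$1" &&
        printf 'export JAVA_OPTS="%s"\n' "$(lsc_krb_java_opts "$1")"
fi
```

Run it with /etc/lsc as the argument and paste the printed export line into the shell that starts LSC.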


Modify the LDAP connection:

  • username: set the Kerberos username (the realm must be in uppercase)

  • password: set a dummy password

  • authentication: use GSSAPI

  • saslQop (optional): The desired quality-of-protection, allowed values are:

    • auth (default value): authentication only

    • auth-int: authentication plus integrity protection

    • auth-conf: authentication plus integrity and confidentiality protection



Kerberos init

If you didn’t use a keytab, you have to get a Kerberos ticket:

kinit adminlsc@EXAMPLE.ORG


You can now run LSC; it will authenticate through Kerberos.


This documentation was done thanks to Francesco Malvezzi and Franck Rakotonindrainy