Kerberos (GSSAPI)

Kerberos can be used to authenticate to LDAP directory. In this case, you don't need to store the connection password in lsc.xml.

Here are the steps to use Kerberos with LSC.


You need to have configured Kerberos client on your server first. It means you are able to do a kinit to get a valid ticket from the Kerberos server.


Create a ./etc/gsseg_jaas.conf with the following:

 * Login Configuration for JAAS.
org.lsc.jndi.JndiServices { required client=TRUE;


Soft-link the krb5.conf file to ./etc/krb5.ini:

ln -s /etc/krb5.conf ./etc/krb5.ini

Java options

You need to add some options in the java command used by LSC. You can do that by exporting JAVA_OPTS:

You can also edit /usr/bin/lsc to remember this option.


Modify the LDAP connection:

  • username: set the Kerberos username (the realm must be in uppercase)
  • password: set a dummy password
  • authentication: use GSSAPI
  • saslQop (optional): The desired quality-of-protection, allowed values are:
    • auth (default value)
    • auth-int
    • auth-conf



Kerberos init

Open a Kerberos connection:

kinit adminlsc@EXAMPLE.ORG
You can also load principal from keytab


You can now run LSC, it will authenticate trough Kerberos.

If you need to debug, set these additional Java options: