docs: add required/optional to kerberos autoauth config (#9897)

* docs: add required/optional to kerberos autoauth config

* Remove double space
This commit is contained in:
Jason O'Donnell 2020-09-04 17:20:21 -04:00 committed by GitHub
parent f6d3904271
commit fe7229028f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -18,19 +18,19 @@ For more on this auth method, see the [Kerberos auth method](/docs/auth/kerberos
## Configuration ## Configuration
- `krb5conf_path` is the path to a valid `krb5.conf` file describing how to - `krb5conf_path` `(string: required)` is the path to a valid `krb5.conf` file describing how to
communicate with the Kerberos environment. communicate with the Kerberos environment.
- `keytab_path` is the path to the `keytab` in which the entry lives for the - `keytab_path` `(string: required)` is the path to the `keytab` in which the entry lives for the
entity authenticating to Vault. Keytab files should be protected from other entity authenticating to Vault. Keytab files should be protected from other
users on a shared server using appropriate file permissions. users on a shared server using appropriate file permissions.
- `username` is the username for the entry _within_ the `keytab` to use for - `username` `(string: required)` is the username for the entry _within_ the `keytab` to use for
logging into Kerberos. This username must match a service account in LDAP. logging into Kerberos. This username must match a service account in LDAP.
- `service` is the service principal name to use in obtaining a service ticket for - `service` `(string: required)` is the service principal name to use in obtaining a service ticket for
gaining a SPNEGO token. This service must exist in LDAP. gaining a SPNEGO token. This service must exist in LDAP.
- `realm` is the name of the Kerberos realm. This realm must match the UPNDomain - `realm` `(string: required)` is the name of the Kerberos realm. This realm must match the UPNDomain
configured on the LDAP connection. This check is case-sensitive. configured on the LDAP connection. This check is case-sensitive.
- `disable_fast_negotiation` is for disabling the Kerberos auth method's default - `disable_fast_negotiation` `(bool: optional)` is for disabling the Kerberos auth method's default
of using FAST negotiation. FAST is a pre-authentication framework for Kerberos. of using FAST negotiation. FAST is a pre-authentication framework for Kerberos.
It includes a mechanism for tunneling pre-authentication exchanges using armoured It includes a mechanism for tunneling pre-authentication exchanges using armoured
KDC messages. FAST provides increased resistance to passive password guessing attacks. KDC messages. FAST provides increased resistance to passive password guessing attacks.
Some common Kerberos implementations do not support FAST negotiation. Some common Kerberos implementations do not support FAST negotiation. The default is false.