<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Create credentials</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahycreatecreds"></a>
<h4 id="rzahycreatecreds">Create credentials</h4>
<p>Expand the Replication management category in the navigation area of the
Web administration tool and click <span class="bold">Manage credentials</span>.</p>
<ol type="1">
<li>Select the location that you want to use to store the credentials from
the list of subtrees. The Web administration tool allows you to define credentials
in these locations:
<ul>
<li><span class="bold">cn=replication,cn=localhost</span>, which keeps the credentials
only on the current server.
<a name="wq218"></a>
<div class="notetitle" id="wq218">Note:</div>
<div class="notebody">In most replication cases, locating
credentials in cn=replication,cn=localhost is preferred because it provides
greater security than credentials located in the replicated subtree: entries under cn=localhost
are not replicated, so the bind DN and password stay on the one server that needs them, whereas
credentials stored in the subtree are copied to every consumer of that subtree. However,
there are certain situations in which credentials located in cn=replication,cn=localhost
are not available.
<p>If you are trying to add a replica under a server, for
example serverA, and you are connected to a different server, serverB, with the Web administration
tool, the <span class="bold">Select credentials</span> field
does not display the option <span class="bold">cn=replication,cn=localhost</span>. This is because you cannot read or update any information
under <span class="bold">cn=localhost</span> of serverA while you are connected
to serverB.</p>
<p>The cn=replication,cn=localhost option is only available
when the server under which you are trying to add a replica is the same server
that you are connected to with the Web administration tool.</p></div></li>
<li>Within the replicated subtree, in which case the credentials are replicated
with the rest of the subtree. Credentials placed in the replicated subtree
are created beneath the <span class="bold">ibm-replicagroup=default</span> entry for that subtree.
<a name="wq219"></a>
<div class="notetitle" id="wq219">Note:</div>
<div class="notebody">If no subtrees
are displayed, go to <a href="rzahycreatems.htm#rzahycreatems">Create a master server (replicated subtree)</a> for instructions about creating
the subtree that you want to replicate.</div></li></ul></li>
<li>Click <span class="bold">Add</span>.</li>
<li>Enter the name for the credentials you are creating, for example, <span class="bold">mycreds</span>; cn= is prefilled in the field for you.</li>
<li>Select the type of authentication method you want to use and click <span class="bold">Next</span>.
<ul>
<li>If you selected simple bind authentication:
<ol type="a">
<li>Enter the DN that the server uses to bind to the replica, for example,
cn=any.</li>
<li>Enter the password the server uses when it binds to the replica, for example, <tt class="xph">secret</tt>.</li>
<li>Enter the password again to confirm that there are no typographical errors.</li>
<li>If you want, enter a brief description of the credentials.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>
<a name="wq221"></a>
<div class="notetitle" id="wq221">Note:</div>
<div class="notebody">Record the credential's bind DN and
password; you will need them when you create
the replica agreement. The DN and password shown here are examples only; in a real deployment use a dedicated replication bind DN and a strong password.</div></li>
<li>If you selected Kerberos authentication:
<ol type="a">
<li>Enter your Kerberos bind DN.</li>
<li>Enter the keytab file name.</li>
<li>If you want, enter a brief description of the credentials. No other information
is necessary. See <a href="rzahyekbpi.htm#rzahyekbpi">Enable Kerberos authentication on the Directory Server</a> for additional information.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>The <span class="bold">Add Kerberos Credentials</span> panel takes
an optional bind DN of the form <tt class="xph">ibm-kn=user@realm</tt> and
an optional keytab file name (referred to as a key file). If a bind DN is
specified, the server uses that principal name to authenticate to
the consumer server. Otherwise the server's own Kerberos service principal (<tt class="xph">ldap/host-name@realm</tt>)
is used. If a keytab file is specified, the server uses it to obtain the credentials
for the specified principal. If no keytab file is specified, the server
uses the keytab file named in the server's Kerberos configuration. If
there is more than one supplier, you must specify the principal name and keytab
file that all of the suppliers are to use.
<dl>
<dt class="bold">On the server where you created the credentials:</dt>
<dd>
<ol type="a">
<li>Expand <span class="bold">Directory management</span> and click <span class="bold">Manage entries</span>.</li>
<li>Select the subtree where you stored the credentials, for example <span class="bold">cn=localhost</span>, and click <span class="bold">Expand</span>.</li>
<li>Select <span class="bold">cn=replication</span> and click <span class="bold">Expand</span>.</li>
<li>Select the Kerberos credentials entry (ibm-replicationCredentialsKerberos) and
click <span class="bold">Edit attributes</span>.</li>
<li>Click the <span class="bold">Other attributes</span> tab.</li>
<li>Enter the <span class="bold">replicaBindDN</span>, for example, <span class="bold">ibm-kn=myprincipal@SOME.REALM</span>.</li>
<li>Enter the <span class="bold">replicaCredentials</span>. For Kerberos credentials this is the keytab
file name used for <span class="bold">myprincipal</span>, not a password.
<a name="wq224"></a>
<div class="notetitle" id="wq224">Note:</div>
<div class="notebody">This
principal and password should be the same as the ones you use to run <span class="bold">kinit</span> from the command line.</div></li></ol>
</dd>
<dt class="bold">On the replica</dt>
<dd>
<ol type="a">
<li>Click <span class="bold">Manage replication properties</span> in the navigation
area.</li>
<li>Select a supplier from the <span class="bold">Supplier information</span> drop-down menu, or enter the name of the replicated subtree for which
you want to configure supplier credentials.</li>
<li>Click <span class="bold">Edit</span>.</li>
<li>Enter the replication bind DN. In this example, <span class="bold">ibm-kn=myprincipal@SOME.REALM</span>.</li>
<li>Enter and confirm the <span class="bold">Replication bind password</span>. This is the KDC password for <span class="bold">myprincipal</span>.</li></ol>
</dd>
</dl></li>
<li>If you selected SSL with certificate authentication and you are using the server's own certificate, you do not need to
provide any additional information.
If you choose to use a certificate other than the server's:
<ol type="a">
<li>Enter the key file name.</li>
<li>Enter the key file password.</li>
<li>Reenter the key file password to confirm it.</li>
<li>Enter the key label.</li>
<li>If you want, enter a brief description.</li>
<li>Click <span class="bold">Finish</span>.</li></ol>See <a href="rzahyess-pi.htm#rzahyess-pi">Enable SSL and Transport Layer Security on the Directory Server</a> for additional information.</li></ul></li>
<li>On the server where you created the credentials, set the <a href="../rzakz/rzakzqretsvrsec.htm">Allow server security information to be retained (QRETSVRSEC)</a> system value
to 1 (retain data), for example with <tt class="xph">CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')</tt>. Because the replication credentials are stored in a validation
list, this setting is what allows the server to retrieve the stored password from the validation
list when it connects to the replica; with the value at 0 the server cannot retrieve it and the supplier cannot bind. QRETSVRSEC is a system-wide value, so changing it also affects every other application that retains encrypted data in validation lists, not only the Directory Server.</li></ol>
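<p>The rules stated in steps 1 and 4 above (when cn=replication,cn=localhost is selectable, what DN the entry gets in each location, the ibm-kn=user@realm bind DN form, the ldap/host-name@realm fallback, and the requirement to name a principal and keytab when there is more than one supplier) can be checked before anything is typed into the Web administration tool. The following Python script is an added example and is not IBM code; CredentialPlan, check, effective_principal and kerberos_ldif are names chosen here, and the server names, subtree DN, realm and keytab file name in the sample plans are constructed. That ibm-replicationCredentialsKerberos is the object class of the Kerberos credentials entry is taken from the Manage entries step above; the simple-bind entry's object class is not named on this page, so no LDIF is produced for it.</p>

```python
"""Pre-flight check for Directory Server replication credentials.

Added example (not IBM's code). It encodes the rules the page states so a
credential plan can be validated before it is entered in the Web
administration tool. All sample values below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Kerberos bind DN form given on the page: ibm-kn=user@realm
_KRB_BIND_DN = re.compile(r"^ibm-kn=(?P<user>[^@=,\s]+)@(?P<realm>[A-Za-z0-9.\-]+)$")


@dataclass
class CredentialPlan:
    name: str                        # credential name; the tool prefixes cn=
    method: str                      # "simple", "kerberos" or "ssl"
    location: str                    # "localhost" or "subtree"
    subtree: str                     # replicated subtree DN, e.g. "o=example"
    connected_to: str                # server the Web administration tool is connected to
    target_server: str               # server under which the replica is being added
    suppliers: int = 1               # number of suppliers that will use these credentials
    bind_dn: Optional[str] = None    # simple: any DN; kerberos: ibm-kn=user@realm or None
    keytab: Optional[str] = None     # kerberos: keytab file name, None = server default
    host_name: Optional[str] = None  # needed to derive ldap/host-name@realm
    realm: Optional[str] = None


def credential_dn(plan: CredentialPlan) -> str:
    """DN the entry gets for the chosen location (both forms are from the page)."""
    if plan.location == "localhost":
        return f"cn={plan.name},cn=replication,cn=localhost"
    return f"cn={plan.name},ibm-replicagroup=default,{plan.subtree}"


def effective_principal(plan: CredentialPlan) -> str:
    """Principal the supplier authenticates with: the bind DN's principal if
    one is given, otherwise the server's service name ldap/host-name@realm."""
    if plan.bind_dn:
        m = _KRB_BIND_DN.match(plan.bind_dn)
        if m is None:
            raise ValueError(f"Kerberos bind DN must be ibm-kn=user@realm, got {plan.bind_dn!r}")
        return f"{m['user']}@{m['realm']}"
    if not (plan.host_name and plan.realm):
        raise ValueError("host_name and realm are needed to derive the default service principal")
    return f"ldap/{plan.host_name}@{plan.realm}"


def check(plan: CredentialPlan) -> List[str]:
    """Errors and warnings a reviewer should see before the entry is created."""
    findings: List[str] = []
    if plan.method not in ("simple", "kerberos", "ssl"):
        findings.append(f"error: unknown authentication method {plan.method!r}")
    # cn=replication,cn=localhost is offered only when the tool is connected to the target server
    if plan.location == "localhost" and plan.connected_to != plan.target_server:
        findings.append(
            f"error: cn=replication,cn=localhost is only offered when the tool is connected to "
            f"{plan.target_server}; it is connected to {plan.connected_to}")
    # credentials in the replicated subtree travel with the subtree to every consumer
    if plan.location == "subtree":
        findings.append(
            f"warning: {credential_dn(plan)} is replicated with {plan.subtree}, so the bind "
            f"credentials will be copied to every consumer of that subtree")
    if plan.method == "simple" and not plan.bind_dn:
        findings.append("error: simple bind needs a bind DN")
    if plan.method == "kerberos":
        if plan.bind_dn and not _KRB_BIND_DN.match(plan.bind_dn):
            findings.append(f"error: Kerberos bind DN {plan.bind_dn!r} is not of the form ibm-kn=user@realm")
        if plan.suppliers > 1 and not (plan.bind_dn and plan.keytab):
            findings.append("error: with more than one supplier the principal name and keytab file must both be specified")
    return findings


def kerberos_ldif(plan: CredentialPlan) -> str:
    """LDIF for the Kerberos credentials entry as the Manage entries panel shows it.
    replicaCredentials carries the keytab file name, not a password."""
    lines = [f"dn: {credential_dn(plan)}",
             "objectclass: ibm-replicationCredentialsKerberos",
             f"cn: {plan.name}"]
    if plan.bind_dn:
        lines.append(f"replicaBindDN: {plan.bind_dn}")
    if plan.keytab:
        lines.append(f"replicaCredentials: {plan.keytab}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: tool connected to serverA, adding a replica under serverA,
    # two suppliers, so both principal and keytab are required.
    plan = CredentialPlan("mycreds", "kerberos", "localhost", "o=example", "serverA", "serverA",
                          suppliers=2, bind_dn="ibm-kn=myprincipal@SOME.REALM",
                          keytab="myprincipal.keytab")
    print("findings:", check(plan) or "none")
    print("principal:", effective_principal(plan))
    print(kerberos_ldif(plan))
```

<p>Run it with a plan for each server pair in the topology before opening the Web administration tool; the warning for the subtree location is deliberate, because it is the case where the bind password leaves the supplier.</p>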
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>