ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahykerberosmig.htm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights                   -->
<!-- Use, duplication or disclosure restricted by            -->
<!-- GSA ADP Schedule Contract with IBM Corp.                -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Kerberos service name change</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link --> 
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>


<a name="rzahykerberosmig"></a>
<h3 id="rzahykerberosmig">Kerberos service name change</h3>
<p>Starting in V5R3, the service name used by the directory server and client
APIs for GSSAPI authentication (Kerberos) are changed.  This change is incompatible
with the service name used prior to V5R3 (V5R2M0 PTF 5722SS1-SI08487 includes
the same change).</p>
<p>Previous to V5R3, the Directory Server and client APIs have used a service
name of the form <tt class="xph">LDAP/dns-host-name@Kerberos-realm</tt>  when the GSSAPI
mechanism (Kerberos) is used for authentication.  This name does not comply
with the standards that define GSSAPI authentication, which state that the
principal name should start with lower case "ldap". As a result, the both
the Directory Server and client APIs might not interoperate with other vendor's
products. This is particularly true if the Kerberos key distribution center
(KDC) has case sensitive principal names. The LDAP service provider for JNDI,
a commonly used Java LDAP client API, is an example of a client included with
operating system that uses the correct service name.</p>
<p>V5R3M0 changed the service name to comply with the standards. This, however,
introduces its own compatibility problems.</p>
<ul>
<li>A directory server configured to use GSSAPI authentication will not start
installing this release. This is because the keytab file used by  the server
has credentials using the old service name (LDAP/mysys.ibm.com@IBM.COM), while
the server is looking for credentials using the new service name (ldap/mysys.ibm.com@IBM.COM).</li>
<li>A directory server or LDAP application using the LDAP APIs at V5R3M0 might
not be able to authenticate with older OS/400 servers or clients.  To correct
this, you should do the following:
<ol type="1">
<li>If the KDC uses case sensitive principal names, create an account using
the correct service name (ldap/mysys.ibm.com@IBM.COM).</li>
<li>Update the keytab file used by the Directory Server to contain credentials
for the new service name. You might also want to delete the old credentials.
You can use the Qshell keytab utility to update the keytab file. By default,
the directory server uses the /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab
file.  The V5R3M0 Network Authentication Service (Kerberos) wizard in iSeries
Navigator also creates keytab entries using the new service name.</li>
<li>Update V5R2M0 OS/400 systems where GSSAPI is used by applying PTF 5722SS1-SI08487.</li></ol></li></ul>
<p>Alternately, you can choose to have the directory server and client APIs
continue to use the old service name. This might be desirable when you are
using Kerberos authentication in a mixed network of systems running with and
without the PTFs. To do this, set the LDAP_KRB_SERVICE_NAME environment variable.
You can set this for the entire system (required to set service name for the
server) using the following command:</p>
<pre class="xmp">ADDENVVAR ENVVAR(LDAP_KRB_SERVICE_NAME)
</pre><p class="indatacontent">or in QSH (to affect LDAP utilities run from this QSH session):</p>
<pre class="xmp">export LDAP_KRB_SERVICE_NAME=1
</pre>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="utf-8"?>`
			`<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"`
			`"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="dc.language" scheme="rfc1766" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<meta name="dc.date" scheme="iso8601" content="2005-09-06" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow"/>`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<title>Directory Server (LDAP) - Kerberos service name change</title>`
			`<link rel="stylesheet" type="text/css" href="ibmidwb.css" />`
			`<link rel="stylesheet" type="text/css" href="ic.css" />`
			`</head>`
			`<body>`
			`<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->`
			`<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>`


			`<a name="rzahykerberosmig"></a>`
			`<h3 id="rzahykerberosmig">Kerberos service name change</h3>`
			`<p>Starting in V5R3, the service name used by the directory server and client`
			`APIs for GSSAPI authentication (Kerberos) are changed. This change is incompatible`
			`with the service name used prior to V5R3 (V5R2M0 PTF 5722SS1-SI08487 includes`
			`the same change).</p>`
			`<p>Previous to V5R3, the Directory Server and client APIs have used a service`
			`name of the form <tt class="xph">LDAP/dns-host-name@Kerberos-realm</tt> when the GSSAPI`
			`mechanism (Kerberos) is used for authentication. This name does not comply`
			`with the standards that define GSSAPI authentication, which state that the`
			`principal name should start with lower case "ldap". As a result, the both`
			`the Directory Server and client APIs might not interoperate with other vendor's`
			`products. This is particularly true if the Kerberos key distribution center`
			`(KDC) has case sensitive principal names. The LDAP service provider for JNDI,`
			`a commonly used Java LDAP client API, is an example of a client included with`
			`operating system that uses the correct service name.</p>`
			`<p>V5R3M0 changed the service name to comply with the standards. This, however,`
			`introduces its own compatibility problems.</p>`
			`<ul>`
			`<li>A directory server configured to use GSSAPI authentication will not start`
			`installing this release. This is because the keytab file used by the server`
			`has credentials using the old service name (LDAP/mysys.ibm.com@IBM.COM), while`
			`the server is looking for credentials using the new service name (ldap/mysys.ibm.com@IBM.COM).</li>`
			`<li>A directory server or LDAP application using the LDAP APIs at V5R3M0 might`
			`not be able to authenticate with older OS/400 servers or clients. To correct`
			`this, you should do the following:`
			`<ol type="1">`
			`<li>If the KDC uses case sensitive principal names, create an account using`
			`the correct service name (ldap/mysys.ibm.com@IBM.COM).</li>`
			`<li>Update the keytab file used by the Directory Server to contain credentials`
			`for the new service name. You might also want to delete the old credentials.`
			`You can use the Qshell keytab utility to update the keytab file. By default,`
			`the directory server uses the /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab`
			`file. The V5R3M0 Network Authentication Service (Kerberos) wizard in iSeries`
			`Navigator also creates keytab entries using the new service name.</li>`
			`<li>Update V5R2M0 OS/400 systems where GSSAPI is used by applying PTF 5722SS1-SI08487.</li></ol></li></ul>`
			`<p>Alternately, you can choose to have the directory server and client APIs`
			`continue to use the old service name. This might be desirable when you are`
			`using Kerberos authentication in a mixed network of systems running with and`
			`without the PTFs. To do this, set the LDAP_KRB_SERVICE_NAME environment variable.`
			`You can set this for the entire system (required to set service name for the`
			`server) using the following command:</p>`
			`<pre class="xmp">ADDENVVAR ENVVAR(LDAP_KRB_SERVICE_NAME)`
			`</pre><p class="indatacontent">or in QSH (to affect LDAP utilities run from this QSH session):</p>`
			`<pre class="xmp">export LDAP_KRB_SERVICE_NAME=1`
			`</pre>`
			`<a id="Bot_Of_Page" name="Bot_Of_Page"></a>`
			`</body>`
			`</html>`