ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhdefinerealmsldap.htm

223 lines
13 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Define realms in the LDAP server" />
<meta name="abstract" content="Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm." />
<meta name="description" content="Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm." />
<meta name="DC.Relation" scheme="URI" content="rzakhmanage.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="definerealmsldap" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Define realms in the LDAP server</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="definerealmsldap"><a name="definerealmsldap"><!-- --></a><h1 class="topictitle1">Define realms in the LDAP server</h1>
<div><p>Network authentication service allows you to use the LDAP server
to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos
realm.</p>
<div class="section"> If you are using LDAP to look up this information, you must define
the information in the LDAP server. To do this, you need to complete the following
two sets of tasks:</div>
<ol><li class="stepexpand"><span><a href="rzakhhost.htm#rzakhhost">Set the configuration file
to use LDAP</a>.</span> <p>Use iSeries™ Navigator to indicate which directory
server you would like to use to resolve host names. This updates the <strong>krb5.conf</strong> configuration
file located at <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf</span>.
The name of the directory server is added to the <samp class="codeph">libdefaults</samp> section
in the configuration file. The following is a sample of this configuration
file:</p>
<p><strong>Sample krb5.conf configuration file</strong></p>
<div class="p"> <pre>; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE
;</pre>
<pre>[libdefaults]</pre>
<pre>; The default_realm value
;-default_realm = REALM1.ROCHESTER.IBM.COM
default_realm = DEPTXYZ.BOGUSNAME.COM</pre>
<pre>; define the system to use LDAP lookup
use_ldap_lookup = 1
ldap_server = dirserv.bogusname.com</pre>
<pre>[realms]
;
; We could configure the same realm information here, but it would
; only be used if the LDAP lookup failed.
;</pre>
<pre>[domain_realm]
; Convert host names to realm names. Individual host names may be
; specified. Domain suffixes may be specified with a leading period
; and will apply to all host names ending in that suffix.
;
; We will use LDAP to resolve what realm a given host name belongs to.
; We could define them here also, but they would only be used if the
; LDAP lookup fails.
;</pre>
<pre>[capaths]
; Configurable authentication paths define the trust relationships
; between client and servers. Each entry represents a client realm
; and consists of the trust relationships for each server that can
; be accessed from that realm. A server may be listed multiple times
; if multiple trust relationships are involved. Specify '.' for
; a direct connection.
;-REALM1.ROCHESTER.IBM.COM = {
;- REALM2.ROCHESTER.IBM.COM = .
;;}
DEPTXYZ.BOGUSNAME.COM = {
DEPTABC.BOGUSNAME.COM = .
}</pre>
</div>
</li>
<li class="stepexpand"><span>Define Kerberos for the LDAP server</span> The LDAP server
must have a domain object with a name that corresponds to the Kerberos realm
name. For example, if the Kerberos realm name is <tt>DEPTABC.BOGUSNAME.COM</tt>,
there needs to be an object in the directory named <tt>dc=DEPTABC,dc=BOGUSNAME,dc=com</tt>.
If this object does not exist you may first need to add a suffix to the LDAP
server configuration. For this object name, valid suffixes include dc=DEPTABC,dc=BOGUSNAME,dc=COM
or one of the parent entries (dc=BOGUSNAME,dc=COM or dc=COM). For an i5/OS™ LDAP
server, you can add a suffix by using iSeries Navigator. <ol type="a"><li class="substepexpand"><span>If you want to add a suffix, follow these steps: </span> <ol type="i"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server </span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">Servers</span> &gt; <span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">IBM Directory Server</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffix</span> page, specify the suffix
you want to add.</li>
</ol>
</li>
<li class="substepexpand"><span>Use the <span class="cmdname">LDAPADD</span> command to add the domain
object for the realm in the LDAP directory.</span></li>
<li class="substepexpand"><span>Continuing with our configuration example of two realms, called
DEPTABC.BOGUSNAME.COM and DEPTXYZ.BOGUSNAME.COM, place the following lines
in an integrated file system file: </span> <p><tt>dn: dc=BOGUSNAME,dc=COM<br />
dc: BOGUSNAME<br />
objectClass: domain</tt></p>
<p><tt>dn: dc=DEPTABC,dc=BOGUSNAME,dc=COM<br />
dc: DEPTABC<br />
objectClass: domain</tt></p>
<p><tt>dn: dc=DEPTXYZ,dc=BOGUSNAME,dc=COM<br />
dc: DEPTXYZ<br />
objectClass: domain</tt></p>
</li>
<li class="substepexpand"><span>If the integrated file system file is named <strong>/tmp/addRealms.ldif</strong>,
then using the same assumptions as the previous example, enter the following
commands: </span> <pre> STRQSH
ldapadd -h dirserv.bogusname.com -D cn=Administrator
   -w verysecret -c -f
/tmp/addRealms.ldif</pre>
</li>
<li class="substepexpand"><span>Define the KDC entries for your realms, and optionally define
host name entries to assign each host in your network to a specific realm
name. You can do this using the <span class="cmdname">ksetup</span>command, with the <span class="cmdname">addkdc</span> and <span class="cmdname">addhost</span> subcommands.
Continuing with our configuration example, you can enter the following commands:</span> <pre> STRQSH
ksetup -h dirserv.bogusname.com -n cn=Administrator
  -p verysecret
addkdc kdc1.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
addkdc kdc2.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
addkdc kdc1.deptabc.bogusname.com DEPTABC.BOGUSNAME.COM
addhost database.deptxyz.bogusname.com
  DEPTXYZ.BOGUSNAME.COM</pre>
<p>Repeat for
each host in each realm, as needed.</p>
</li>
</ol>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhmanage.htm" title="Manage network authentication service by requesting tickets, working with key table files, and administering host name resolution. You can also work with credentials files and back up configuration files.">Manage network authentication service</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="ldapserverref"><a name="ldapserverref"><!-- --></a><h1 class="topictitle1">Defining schema on an LDAP Server</h1>
<div><div class="section"><h4 class="sectiontitle">LDAP Schema</h4><p>The i5/OS LDAP server (IBM<sup>®</sup> Directory Server) is shipped with the
LDAP schema already defined. However, if you are using an LDAP server other
than IBM Directory
Server, you can define your own schema on that server. The following information
may be useful to you if you decide to define your own schema on an LDAP server.</p>
<p>Network
authentication service requires the following LDAP schema definitions, where: </p>
<ul><li>Integer values are represented as a signed-numeric character string with
a maximum length of 11 characters. </li>
<li>Boolean values are represented by the character strings “TRUE” and “FALSE”. </li>
<li>Time values are represented as 15-byte character strings encoded in the
format “YYYYMMDDhhmmssZ”. All times are represented as UTC values. </li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">LDAP Object Classes</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="bottom" width="38%" id="d0e204">Object </th>
<th align="left" valign="bottom" width="38%" id="d0e206">Requires </th>
<th align="left" valign="bottom" width="24%" id="d0e208">Allows </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="38%" headers="d0e204 ">domain </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">dc </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">description seeAlso </td>
</tr>
<tr><td align="left" valign="top" width="38%" headers="d0e204 ">ibmCom1986-Krb-KerberosService </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">serviceName ibmCom1986-Krb-KerberosRealm </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">ipServicePort description seeAlso </td>
</tr>
<tr><td align="left" valign="top" width="38%" headers="d0e204 ">domain </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">dc objectClass </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">description seeAlso </td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">LDAP Attributes</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="bottom" width="36.61971830985916%" id="d0e243">Attribute </th>
<th align="left" valign="bottom" width="30.985915492957744%" id="d0e245">Type </th>
<th align="left" valign="bottom" width="12.676056338028168%" id="d0e247">Size </th>
<th align="left" valign="bottom" width="19.718309859154928%" id="d0e249">Value </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">dc </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">64 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">description </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">1024 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">multiple </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">ibmCom1986-Krb-KerberosRealm </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseExactString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">256 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">ipServicePort </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">integer </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">11 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">seeAlso </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">DN </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">1000 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">multiple </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">serviceName </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">256 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</body>
</html>