<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Define realms in the LDAP server" />
<meta name="abstract" content="Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm." />
<meta name="description" content="Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm." />
<meta name="DC.Relation" scheme="URI" content="rzakhmanage.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="definerealmsldap" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Define realms in the LDAP server</title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="definerealmsldap"><a name="definerealmsldap"><!-- --></a><h1 class="topictitle1">Define realms in the LDAP server</h1>
<div><p>Network authentication service allows you to use the LDAP server
to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos
realm.</p>
<div class="section"> If you are using LDAP to look up this information, you must define
the information in the LDAP server. To do this, you need to complete the following
two sets of tasks:</div>
<ol><li class="stepexpand"><span><a href="rzakhhost.htm#rzakhhost">Set the configuration file
to use LDAP</a>.</span> <p>Use iSeries™ Navigator to indicate which directory
server you would like to use to resolve host names. This updates the <strong>krb5.conf</strong> configuration
file located at <span class="filepath">/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf</span>.
The name of the directory server is added to the <samp class="codeph">libdefaults</samp> section
in the configuration file. The following is a sample of this configuration
file:</p>
<p><strong>Sample krb5.conf configuration file</strong></p>
<div class="p"> <pre>; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE
;</pre>
<pre>[libdefaults]</pre>
<pre>; The default_realm value
;-default_realm = REALM1.ROCHESTER.IBM.COM
default_realm = DEPTXYZ.BOGUSNAME.COM</pre>
<pre>; define the system to use LDAP lookup
use_ldap_lookup = 1
ldap_server = dirserv.bogusname.com</pre>
<pre>[realms]
;
; We could configure the same realm information here, but it would
; only be used if the LDAP lookup failed.
;</pre>
<pre>[domain_realm]
; Convert host names to realm names. Individual host names may be
; specified. Domain suffixes may be specified with a leading period
; and will apply to all host names ending in that suffix.
;
; We will use LDAP to resolve what realm a given host name belongs to.
; We could define them here also, but they would only be used if the
; LDAP lookup fails.
;</pre>
<pre>[capaths]
; Configurable authentication paths define the trust relationships
; between client and servers. Each entry represents a client realm
; and consists of the trust relationships for each server that can
; be accessed from that realm. A server may be listed multiple times
; if multiple trust relationships are involved. Specify '.' for
; a direct connection.
;-REALM1.ROCHESTER.IBM.COM = {
;- REALM2.ROCHESTER.IBM.COM = .
;;}
DEPTXYZ.BOGUSNAME.COM = {
DEPTABC.BOGUSNAME.COM = .
}</pre>
</div>
</li>
<li class="stepexpand"><span>Define Kerberos for the LDAP server</span> The LDAP server
must have a domain object with a name that corresponds to the Kerberos realm
name. For example, if the Kerberos realm name is <tt>DEPTABC.BOGUSNAME.COM</tt>,
there needs to be an object in the directory named <tt>dc=DEPTABC,dc=BOGUSNAME,dc=COM</tt>.
If this object does not exist you may first need to add a suffix to the LDAP
server configuration. For this object name, valid suffixes include dc=DEPTABC,dc=BOGUSNAME,dc=COM
or one of the parent entries (dc=BOGUSNAME,dc=COM or dc=COM). For an i5/OS™ LDAP
server, you can add a suffix by using iSeries Navigator. <ol type="a"><li class="substepexpand"><span>If you want to add a suffix, follow these steps: </span> <ol type="i"><li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">your iSeries server </span> > <span class="uicontrol">Network</span> > <span class="uicontrol">Servers</span> > <span class="uicontrol">TCP/IP</span></span>.</li>
<li>Right-click <span class="uicontrol">IBM Directory Server</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">Database/Suffix</span> page, specify the suffix
you want to add.</li>
</ol>
</li>
<li class="substepexpand"><span>Use the <span class="cmdname">LDAPADD</span> command to add the domain
object for the realm in the LDAP directory.</span></li>
<li class="substepexpand"><span>Continuing with our configuration example of two realms, called
DEPTABC.BOGUSNAME.COM and DEPTXYZ.BOGUSNAME.COM, place the following lines
in an integrated file system file: </span> <p><tt>dn: dc=BOGUSNAME,dc=COM<br />
dc: BOGUSNAME<br />
objectClass: domain</tt></p>
<p><tt>dn: dc=DEPTABC,dc=BOGUSNAME,dc=COM<br />
dc: DEPTABC<br />
objectClass: domain</tt></p>
<p><tt>dn: dc=DEPTXYZ,dc=BOGUSNAME,dc=COM<br />
dc: DEPTXYZ<br />
objectClass: domain</tt></p>
</li>
<li class="substepexpand"><span>If the integrated file system file is named <strong>/tmp/addRealms.ldif</strong>,
then using the same assumptions as the previous example, enter the following
commands. The <samp class="codeph">-w</samp> value is the administrator's bind password (<samp class="codeph">verysecret</samp> is only a sample value). A password given on the command line is visible to anyone who can read the command history or list running processes, and a simple bind sends it to the directory server in the clear unless the connection itself is protected, for example with TLS: </span> <pre> STRQSH
ldapadd -h dirserv.bogusname.com -D cn=Administrator
-w verysecret -c -f
/tmp/addRealms.ldif</pre>
</li>
<li class="substepexpand"><span>Define the KDC entries for your realms, and optionally define
host name entries to assign each host in your network to a specific realm
name. You can do this using the <span class="cmdname">ksetup</span> command, with the <span class="cmdname">addkdc</span> and <span class="cmdname">addhost</span> subcommands.
Continuing with our configuration example, you can enter the following commands. The <samp class="codeph">-p</samp> value is the administrator's bind password; passing it on the command line makes it visible to anyone who can read the command history or list running processes:</span> <pre> STRQSH
ksetup -h dirserv.bogusname.com -n cn=Administrator
-p verysecret
addkdc kdc1.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
addkdc kdc2.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
addkdc kdc1.deptabc.bogusname.com DEPTABC.BOGUSNAME.COM
addhost database.deptxyz.bogusname.com
DEPTXYZ.BOGUSNAME.COM</pre>
<p>Repeat for
each host in each realm, as needed.</p>
</li>
</ol>
</li>
</ol>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhmanage.htm" title="Manage network authentication service by requesting tickets, working with key table files, and administering host name resolution. You can also work with credentials files and back up configuration files.">Manage network authentication service</a></div>
</div>
</div></div>
<div class="nested0" xml:lang="en-us" id="ldapserverref"><a name="ldapserverref"><!-- --></a><h1 class="topictitle1">Defining schema on an LDAP Server</h1>
<div><div class="section"><h4 class="sectiontitle">LDAP Schema</h4><p>The i5/OS LDAP server (IBM<sup>®</sup> Directory Server) is shipped with the
LDAP schema already defined. However, if you are using an LDAP server other
than IBM Directory
Server, you can define your own schema on that server. The following information
may be useful to you if you decide to define your own schema on an LDAP server.</p>
<p>Network
authentication service requires the following LDAP schema definitions, where: </p>
<ul><li>Integer values are represented as a signed-numeric character string with
a maximum length of 11 characters. </li>
<li>Boolean values are represented by the character strings “TRUE” and “FALSE”. </li>
<li>Time values are represented as 15-byte character strings encoded in the
format “YYYYMMDDhhmmssZ”. All times are represented as UTC values. </li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">LDAP Object Classes</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="bottom" width="38%" id="d0e204">Object </th>
<th align="left" valign="bottom" width="38%" id="d0e206">Requires </th>
<th align="left" valign="bottom" width="24%" id="d0e208">Allows </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="38%" headers="d0e204 ">domain </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">dc </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">description seeAlso </td>
</tr>
<tr><td align="left" valign="top" width="38%" headers="d0e204 ">ibmCom1986-Krb-KerberosService </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">serviceName ibmCom1986-Krb-KerberosRealm </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">ipServicePort description seeAlso </td>
</tr>
<tr><td align="left" valign="top" width="38%" headers="d0e204 ">domain </td>
<td align="left" valign="top" width="38%" headers="d0e206 ">dc objectClass </td>
<td align="left" valign="top" width="24%" headers="d0e208 ">description seeAlso </td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">LDAP Attributes</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="bottom" width="36.61971830985916%" id="d0e243">Attribute </th>
<th align="left" valign="bottom" width="30.985915492957744%" id="d0e245">Type </th>
<th align="left" valign="bottom" width="12.676056338028168%" id="d0e247">Size </th>
<th align="left" valign="bottom" width="19.718309859154928%" id="d0e249">Value </th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">dc </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">64 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">description </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">1024 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">multiple </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">ibmCom1986-Krb-KerberosRealm </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseExactString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">256 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">ipServicePort </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">integer </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">11 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">seeAlso </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">DN </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">1000 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">multiple </td>
</tr>
<tr><td align="left" valign="top" width="36.61971830985916%" headers="d0e243 ">serviceName </td>
<td align="left" valign="top" width="30.985915492957744%" headers="d0e245 ">caseIgnoreString </td>
<td align="left" valign="top" width="12.676056338028168%" headers="d0e247 ">256 </td>
<td align="left" valign="top" width="19.718309859154928%" headers="d0e249 ">single </td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</body>
</html>