Kerberos service name change

Starting in V5R3, the service name used by the directory server and client APIs for GSSAPI authentication (Kerberos) is changed. This change is incompatible with the service name used prior to V5R3 (V5R2M0 PTF 5722SS1-SI08487 includes the same change).

Prior to V5R3, the Directory Server and client APIs used a service name of the form LDAP/dns-host-name@Kerberos-realm when the GSSAPI mechanism (Kerberos) is used for authentication. This name does not comply with the standards that define GSSAPI authentication, which state that the principal name should start with lower case "ldap". As a result, both the Directory Server and client APIs might not interoperate with other vendors' products. This is particularly true if the Kerberos key distribution center (KDC) has case-sensitive principal names. The LDAP service provider for JNDI, a commonly used Java LDAP client API, is an example of a client included with the operating system that uses the correct service name.

V5R3M0 changed the service name to comply with the standards. This, however, introduces its own compatibility problems.

Alternatively, you can have the directory server and client APIs continue to use the old service name. This might be desirable when you are using Kerberos authentication in a mixed network of systems running with and without the PTFs. To do this, set the LDAP_KRB_SERVICE_NAME environment variable. You can set it for the entire system (required to set the service name for the server) using the following command:

ADDENVVAR ENVVAR(LDAP_KRB_SERVICE_NAME) VALUE(1) LEVEL(*SYS)

or in QSH (to affect only the LDAP utilities run from that QSH session):

export LDAP_KRB_SERVICE_NAME=1
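The following is an added example, not part of the IBM documentation: it models which service principal an IBM i LDAP client or server will request under each configuration described above, and whether a KDC that only knows one spelling can serve it. It assumes that the mere presence of LDAP_KRB_SERVICE_NAME selects the old name, and the host names, realm and client list are constructed.

```python
# Added example (not IBM's code). Models the service-name behaviour this page
# describes so a mixed network can be checked before enabling Kerberos.
OLD_SERVICE = "LDAP"   # pre-V5R3 form, also used when LDAP_KRB_SERVICE_NAME is set
NEW_SERVICE = "ldap"   # standards-compliant form used by V5R3M0 / PTF SI08487


def expected_service_principal(dns_host, realm, has_fix, env):
    """Service principal an IBM i LDAP client requests for the server at dns_host.

    has_fix: True if the system runs V5R3 or has the PTF applied.
    env:     environment mapping; only LDAP_KRB_SERVICE_NAME matters here.
    Assumption: a system without the fix always uses the old form; a fixed
    system uses the old form only when LDAP_KRB_SERVICE_NAME is present.
    """
    use_old = (not has_fix) or ("LDAP_KRB_SERVICE_NAME" in env)
    service = OLD_SERVICE if use_old else NEW_SERVICE
    return f"{service}/{dns_host}@{realm}"


def kdc_can_serve(requested, registered, case_sensitive):
    """True if a KDC holding `registered` principals has a key for `requested`.

    A case-sensitive KDC treats LDAP/... and ldap/... as different principals,
    which is exactly the interoperability failure the page warns about.
    """
    if case_sensitive:
        return requested in registered
    return requested.lower() in {p.lower() for p in registered}


def mixed_network_report(dns_host, realm, registered, case_sensitive, clients):
    """Return {client_name: (requested_principal, ok)} for each client.

    clients: iterable of (name, has_fix, env) tuples describing each system.
    """
    report = {}
    for name, has_fix, env in clients:
        spn = expected_service_principal(dns_host, realm, has_fix, env)
        report[name] = (spn, kdc_can_serve(spn, registered, case_sensitive))
    return report


if __name__ == "__main__":
    # Constructed sample: a case-sensitive KDC that registered only the new form.
    registered = {"ldap/ldap01.example.com@EXAMPLE.COM"}
    clients = [
        ("v5r2-no-ptf", False, {}),
        ("v5r3-default", True, {}),
        ("v5r3-compat", True, {"LDAP_KRB_SERVICE_NAME": "1"}),
    ]
    report = mixed_network_report("ldap01.example.com", "EXAMPLE.COM",
                                  registered, True, clients)
    for name, (spn, ok) in report.items():
        print(f"{name:14} {spn:45} {'OK' if ok else 'FAIL'}")
```

Running it with the KDC marked case-insensitive instead shows every client succeeding, which is why the problem only surfaces with some KDC implementations.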