Directory Server allows you to use Kerberos authentication. Kerberos is a network authentication protocol that uses secret key cryptography to provide strong authentication to client/server applications.
To enable Kerberos authentication, you must have the network authentication service configured.
Directory Server's Kerberos support is provided through the GSSAPI SASL mechanism. This enables both Directory Server clients and Windows 2000 LDAP clients to authenticate to Directory Server with Kerberos.
The Kerberos principal name that the server uses has the following form:
service-name/host-name@realm
where service-name is ldap (ldap must be lower case), host-name is the fully qualified TCP/IP host name of the system, and realm is the default realm specified in the system's Kerberos configuration.
For example, for a system named my-as400 in the acme.com TCP/IP domain, with a default Kerberos realm of ACME.COM, the LDAP server Kerberos principal name would be ldap/my-as400.acme.com@ACME.COM. The default Kerberos realm is specified in the Kerberos configuration file (by default, /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf) with the default_realm directive (default_realm = ACME.COM). Directory Server cannot be configured to use Kerberos authentication if no default realm has been configured.
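The rule above is easy to get wrong in practice (a short host name instead of the fully qualified one, an upper-case LDAP, or a krb5.conf without a default_realm), and a mismatch means the key in the keytab will not match the name clients request. The following is an added example, not IBM code or part of this page: it reads the default_realm directive from a krb5.conf in the same format as the IBM i file, forms the LDAP service principal, and reports the conditions under which the name cannot be formed. The krb5.conf content is constructed for the example. The parser only looks at default_realm in [libdefaults], and lower-casing the host name is the example's own assumption about how GSSAPI clients construct the name from DNS.

```python
import re

# Constructed sample in the format of the IBM i Kerberos configuration file
# (/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf). Not a real config.
SAMPLE_KRB5_CONF = """\
; Kerberos configuration (constructed example)
[libdefaults]
    default_realm = ACME.COM
    dns_lookup_kdc = false

[realms]
    ACME.COM = {
        kdc = kdc.acme.com:88
    }
"""


def default_realm(krb5_conf_text):
    """Return the default_realm directive from [libdefaults], or None if absent."""
    section = None
    for raw in krb5_conf_text.splitlines():
        # krb5.conf accepts '#' and ';' comments; drop them and surrounding space
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = header.group(1).lower()
            continue
        if section == 'libdefaults':
            key, sep, value = line.partition('=')
            if sep and key.strip().lower() == 'default_realm':
                return value.strip()
    return None


def principal_problems(host_name, krb5_conf_text):
    """List reasons the LDAP service principal cannot be formed (empty list = OK)."""
    problems = []
    labels = host_name.rstrip('.').split('.')
    if len(labels) < 2 or any(not label for label in labels):
        problems.append('host-name must be the fully qualified TCP/IP name, got %r'
                        % host_name)
    if default_realm(krb5_conf_text) is None:
        problems.append('no default_realm in [libdefaults]; '
                        'Kerberos authentication cannot be configured')
    return problems


def ldap_service_principal(host_name, krb5_conf_text):
    """Build ldap/host-name@realm; raise ValueError if prerequisites are not met."""
    problems = principal_problems(host_name, krb5_conf_text)
    if problems:
        raise ValueError('; '.join(problems))
    # The service name is always lower-case 'ldap'. The host name is lower-cased
    # here because GSSAPI clients build the target name from DNS in lower case
    # (the example's assumption); the keytab entry must match that name exactly.
    return 'ldap/%s@%s' % (host_name.rstrip('.').lower(),
                           default_realm(krb5_conf_text))


if __name__ == '__main__':
    print(ldap_service_principal('my-as400.acme.com', SAMPLE_KRB5_CONF))
```

Run against the constructed configuration the script prints ldap/my-as400.acme.com@ACME.COM; pointing it at the real krb5.conf and the system's fully qualified host name gives the exact principal whose key must be present in the keytab.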
When Kerberos authentication is used, Directory Server associates a distinguished name (DN) with the connection, and that DN determines the connection's access to directory data. You can choose to have the server associate the DN using one of the following methods:
You must have a key table (keytab) file that contains a key for the LDAP service principal. See the Network authentication service topic under Security in the Information Center for more information about Kerberos on the iSeries server; the Configuring network authentication service section describes how to add entries to key table files.