Define realms in the LDAP server

Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm.

If you are using LDAP to look up this information, you must define the information in the LDAP server. To do this, you need to complete the following two sets of tasks:
  1. Set the configuration file to use LDAP.

    Use iSeries™ Navigator to indicate which directory server you would like to use to resolve host names. This updates the krb5.conf configuration file located at /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf. The name of the directory server is added to the libdefaults section in the configuration file. The following is a sample of this configuration file:

    Sample krb5.conf configuration file

    ; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE
    ;
    [libdefaults]
    ;  The default_realm value 
    ;-default_realm = REALM1.ROCHESTER.IBM.COM
    default_realm = DEPTXYZ.BOGUSNAME.COM
    ; define the system to use LDAP lookup
    use_ldap_lookup = 1
    ldap_server = dirserv.bogusname.com
    [realms]
    ;
    ; We could configure the same realm information here, but it would
    ; only be used if the LDAP lookup failed.
    ;
    [domain_realm]
    ;  Convert host names to realm names.  Individual host names may be
    ;  specified.  Domain suffixes may be specified with a leading period
    ;  and will apply to all host names ending in that suffix.
    ;
    ; We will use LDAP to resolve what realm a given host name belongs to.  
    ; We could define them here also, but they would only be used if the 
    ; LDAP lookup fails.
    ;
    [capaths]
    ;  Configurable authentication paths define the trust relationships
    ;  between client and servers.  Each entry represents a client realm
    ;  and consists of the trust relationships for each server that can
    ;  be accessed from that realm.  A server may be listed multiple times
    ;  if multiple trust relationships are involved.  Specify '.' for
    ;  a direct connection.
    ;-REALM1.ROCHESTER.IBM.COM = {
    ;-    REALM2.ROCHESTER.IBM.COM = .
    ;;}
    DEPTXYZ.BOGUSNAME.COM = {
    	DEPTABC.BOGUSNAME.COM = .
    }
  2. Define Kerberos for the LDAP server. The LDAP server must have a domain object with a name that corresponds to the Kerberos realm name. For example, if the Kerberos realm name is DEPTABC.BOGUSNAME.COM, there needs to be an object in the directory named dc=DEPTABC,dc=BOGUSNAME,dc=COM. If this object does not exist, you may first need to add a suffix to the LDAP server configuration. For this object name, valid suffixes include dc=DEPTABC,dc=BOGUSNAME,dc=COM or one of the parent entries (dc=BOGUSNAME,dc=COM or dc=COM). For an i5/OS™ LDAP server, you can add a suffix by using iSeries Navigator.
    1. If you want to add a suffix, follow these steps:
      1. In iSeries Navigator, expand your iSeries server > Network > Servers > TCP/IP.
      2. Right-click IBM Directory Server and select Properties.
      3. On the Database/Suffix page, specify the suffix you want to add.
    2. Use the LDAPADD command to add the domain object for the realm in the LDAP directory.
    3. Continuing with our configuration example of two realms, called DEPTABC.BOGUSNAME.COM and DEPTXYZ.BOGUSNAME.COM, place the following lines in an integrated file system file:

      dn: dc=BOGUSNAME,dc=COM
      dc: BOGUSNAME
      objectClass: domain

      dn: dc=DEPTABC,dc=BOGUSNAME,dc=COM
      dc: DEPTABC
      objectClass: domain

      dn: dc=DEPTXYZ,dc=BOGUSNAME,dc=COM
      dc: DEPTXYZ
      objectClass: domain

    4. If the integrated file system file is named /tmp/addRealms.ldif, then using the same assumptions as the previous example, enter the following commands:
        STRQSH
        ldapadd -h dirserv.bogusname.com -D cn=Administrator -w verysecret -c -f /tmp/addRealms.ldif
    5. Define the KDC entries for your realms, and optionally define host name entries to assign each host in your network to a specific realm name. You can do this using the ksetup command, with the addkdc and addhost subcommands. Continuing with our configuration example, you can enter the following commands:
        STRQSH
        ksetup -h dirserv.bogusname.com -n cn=Administrator -p verysecret
        addkdc kdc1.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
        addkdc kdc2.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM
        addkdc kdc1.deptabc.bogusname.com DEPTABC.BOGUSNAME.COM
        addhost database.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM

      Repeat for each host in each realm, as needed.
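As an added worked example (not code from the IBM documentation or from the ksetup or ldapadd commands), the following Python derives the domain-object DN that each realm name maps to, checks that one of the configured LDAP suffixes is that DN or one of its parents, and emits the LDIF shown above in parent-first order so ldapadd can add the entries in one pass. The realm names and suffix are the page's sample values; the function names are assumptions of this example.

```python
# Added example: map Kerberos realm names to the LDAP domain objects that
# network authentication service looks up, and generate the LDIF to add them.

def realm_to_dn(realm):
    """DEPTABC.BOGUSNAME.COM -> dc=DEPTABC,dc=BOGUSNAME,dc=COM"""
    labels = [part for part in realm.strip().split(".") if part]
    if not labels:
        raise ValueError("empty realm name")
    return ",".join("dc=%s" % label for label in labels)

def parent_chain(dn):
    """Ancestors of a dc-style DN, nearest first:
    dc=DEPTABC,dc=BOGUSNAME,dc=COM -> [dc=BOGUSNAME,dc=COM, dc=COM]"""
    rdns = dn.split(",")
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]

def covering_index(dn, suffixes):
    """Position in [dn] + parent_chain(dn) of the nearest configured suffix
    that equals the DN or one of its parents, or -1 if no suffix covers it.
    dc values are compared case-insensitively, as LDAP treats them."""
    chain = [entry.lower() for entry in [dn] + parent_chain(dn)]
    wanted = {s.lower().replace(" ", "") for s in suffixes}
    hits = [i for i, entry in enumerate(chain) if entry in wanted]
    return min(hits) if hits else -1

def realms_to_ldif(realms, suffixes):
    """LDIF adding one domain object per realm plus every missing parent
    down from the covering suffix (the suffix entry itself included),
    parents first and without duplicates."""
    ordered = []
    for realm in realms:
        dn = realm_to_dn(realm)
        idx = covering_index(dn, suffixes)
        if idx < 0:
            raise ValueError("no LDAP suffix covers %s; add one first" % dn)
        chain = [dn] + parent_chain(dn)
        for entry in reversed(chain[:idx + 1]):   # top-down order
            if entry not in ordered:
                ordered.append(entry)
    blocks = []
    for dn in ordered:
        dc_value = dn.split(",")[0][len("dc="):]
        blocks.append("dn: %s\ndc: %s\nobjectClass: domain\n" % (dn, dc_value))
    return "\n".join(blocks)

if __name__ == "__main__":
    # Constructed input: the page's two sample realms and a suffix of
    # dc=BOGUSNAME,dc=COM, which reproduces the /tmp/addRealms.ldif above.
    print(realms_to_ldif(["DEPTABC.BOGUSNAME.COM", "DEPTXYZ.BOGUSNAME.COM"],
                         ["dc=BOGUSNAME,dc=COM"]))
```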

Defining schema on an LDAP Server

LDAP Schema

The i5/OS LDAP server (IBM® Directory Server) is shipped with the LDAP schema already defined. However, if you are using an LDAP server other than IBM Directory Server, you can define your own schema on that server. The following information may be useful to you if you decide to define your own schema on an LDAP server.

Network authentication service requires the following LDAP schema definitions, where:

  • Integer values are represented as a signed-numeric character string with a maximum length of 11 characters.
  • Boolean values are represented by the character strings “TRUE” and “FALSE”.
  • Time values are represented as 15-byte character strings encoded in the format “YYYYMMDDhhmmssZ”. All times are represented as UTC values.

LDAP Object Classes

Object                          Requires                                    Allows
domain                          dc                                          description, seeAlso
ibmCom1986-Krb-KerberosService  serviceName, ibmCom1986-Krb-KerberosRealm   ipServicePort, description, seeAlso
domain                          dc, objectClass                             description, seeAlso

LDAP Attributes

Attribute                     Type              Size   Value
dc                            caseIgnoreString  64     single
description                   caseIgnoreString  1024   multiple
ibmCom1986-Krb-KerberosRealm  caseExactString   256    single
ipServicePort                 integer           11     single
seeAlso                       DN                1000   multiple
serviceName                   caseIgnoreString  256    single