ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahykerrf.htm
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Kerberos authentication with the Directory Server</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahykerrf"></a>
<h3 id="rzahykerrf">Kerberos authentication with the Directory Server</h3>
<p>Directory Server allows you to use Kerberos authentication. Kerberos is a network
authentication protocol that uses secret key cryptography to provide strong
authentication to client/server applications.</p>
<p>To <a href="rzahyekbpi.htm#rzahyekbpi">enable Kerberos authentication</a>, you must
have the network authentication service configured.</p>
<p>The Kerberos support of Directory Server provides support for the GSSAPI SASL mechanism.
This enables both Directory Server and Windows 2000 LDAP clients to use Kerberos
authentication with the Directory Server.</p>
<a name="kerprinc"></a>
<p id="kerprinc">The <span class="bold">Kerberos principal name</span> that the
server uses has the following form:</p>
<pre class="xmp">service-name/host-name@realm</pre>
<p class="indatacontent"><tt class="xph">service-name</tt> is <tt class="xph">ldap</tt> (it must be lower case; Kerberos principal names are case-sensitive), <tt class="xph">host-name</tt> is
the fully qualified TCP/IP name of the system, and <tt class="xph">realm</tt> is the
default realm specified in the system's Kerberos configuration.</p>
<p>For example, for a system named <tt class="xph">my-as400</tt> in the <tt class="xph">acme.com</tt> TCP/IP domain, with a default Kerberos realm of <tt class="xph">ACME.COM</tt>,
the LDAP server Kerberos principal name is <tt class="xph">ldap/my-as400.acme.com@ACME.COM</tt>. The default Kerberos realm is specified in the Kerberos configuration
file (by default, <tt class="xph">/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf</tt>) with
the <tt class="xph">default_realm</tt> directive (<tt class="xph">default_realm = ACME.COM</tt>). The directory server
cannot be configured to use Kerberos authentication if a default realm has
not been configured.</p>
<p>When Kerberos authentication is used, the Directory Server associates a
distinguished name (DN) with the connection, and that DN determines the client's access to directory
data. You can choose one of the following methods for associating a DN with the
connection: </p>
<ul>
<li>The server can create a DN from the Kerberos identity. When you choose this
option, a Kerberos identity of the form <tt class="xph">principal@realm</tt> generates a DN of
the form <tt class="xph">ibm-kn=principal@realm</tt>; <tt class="xph">ibm-kn=</tt> is equivalent to <tt class="xph">ibm-kerberosName=</tt>.</li>
<li>The server can search the directory for an entry that specifies this Kerberos
principal and realm, and associates that entry's DN with the connection. When you choose this
option, the Kerberos identity must already be recorded in a directory entry for
the search to succeed.</li></ul>
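<p>The following added example (not part of the original page and not IBM's code) shows, in Python, the two pieces of the discussion above: deriving the LDAP service principal from the <tt class="xph">default_realm</tt> directive of a <tt class="xph">krb5.conf</tt>, refusing to proceed when no default realm is configured or the host name is not fully qualified, and mapping an authenticated Kerberos identity to a DN by each of the two methods. The configuration text and the directory entries are constructed for the example; that the directory search matches on the <tt class="xph">ibm-kerberosName</tt> attribute (the long form of <tt class="xph">ibm-kn</tt>) is an assumption.</p>

```python
import re

# Constructed sample of the Kerberos configuration file
# (/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf by default). The
# values mirror the example on the page; they are not from a real system.
SAMPLE_KRB5_CONF = """\
# constructed example, not a real configuration
[libdefaults]
    default_realm = ACME.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96

[realms]
    ACME.COM = {
        kdc = kdc1.acme.com:88
    }
"""

# Constructed directory entries used to simulate the "search the directory"
# mapping. Matching on the ibm-kerberosName attribute is an assumption.
SAMPLE_DIRECTORY = {
    "cn=John Doe,ou=people,o=acme": {"ibm-kerberosName": ["jdoe@ACME.COM"]},
    "cn=Dir Admin,o=acme": {"ibm-kerberosName": ["admin/admin@ACME.COM"]},
}


def default_realm(conf_text):
    """Return the default_realm directive from [libdefaults], or None if absent."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        header = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                return value.strip()
    return None


def config_problems(host_name, conf_text):
    """List the conditions that stop a valid LDAP service principal from being formed."""
    problems = []
    if default_realm(conf_text) is None:
        problems.append("no default_realm in [libdefaults]: Kerberos authentication cannot be configured")
    if "." not in host_name:
        problems.append("host-name %r is not a fully qualified TCP/IP name" % host_name)
    return problems


def ldap_service_principal(host_name, conf_text):
    """Build ldap/host-name@realm; the service name is always lower-case 'ldap'."""
    problems = config_problems(host_name, conf_text)
    if problems:
        raise ValueError("; ".join(problems))
    return "ldap/%s@%s" % (host_name, default_realm(conf_text))


def split_kerberos_id(kerberos_id):
    """Split principal@realm on the last '@' (the principal part may contain '/')."""
    principal, sep, realm = kerberos_id.rpartition("@")
    if not sep or not principal or not realm:
        raise ValueError("Kerberos identity %r is not of the form principal@realm" % kerberos_id)
    return principal, realm


def dn_from_kerberos_id(kerberos_id):
    """Method 1: the server generates ibm-kn=principal@realm from the identity."""
    principal, realm = split_kerberos_id(kerberos_id)
    return "ibm-kn=%s@%s" % (principal, realm)


def dn_by_directory_search(kerberos_id, directory):
    """Method 2: find the single entry that records this exact Kerberos identity.
    Principal and realm names are case-sensitive, so the comparison is exact;
    zero or several matches yield None, i.e. no DN for the connection."""
    split_kerberos_id(kerberos_id)   # reject malformed identities up front
    matches = [dn for dn, attrs in directory.items()
               if kerberos_id in attrs.get("ibm-kerberosName", [])]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(ldap_service_principal("my-as400.acme.com", SAMPLE_KRB5_CONF))
    print(dn_from_kerberos_id("jdoe@ACME.COM"))
    print(dn_by_directory_search("jdoe@ACME.COM", SAMPLE_DIRECTORY))
    print(dn_by_directory_search("jdoe@acme.com", SAMPLE_DIRECTORY))
```

<p>The last call returns <tt class="xph">None</tt>: a realm written in the wrong case is a different identity, which is why the page insists on lower-case <tt class="xph">ldap</tt> and an exact realm spelling.</p>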
<p>You must have a key table (keytab) file that contains a key for the LDAP
service principal. See the Information Center topic <a href="../rzakh/rzakh000.htm">Network authentication
service</a> under Security for more information about Kerberos on the iSeries server.
The <a href="../rzakh/rzakhconfig.htm">Configuring network authentication service</a> section
contains information about adding information to key table files.</p>
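<p>To check that a keytab actually holds a key for the LDAP service principal, the added example below (not IBM code, not part of the original page) parses the keytab file format and looks the principal up. It assumes the network authentication service writes keytabs in the MIT version 0x0502 layout; the keytab contents here are constructed in memory with placeholder key bytes, so the example runs offline. On a live system you would read the real keytab file (assumed default path <tt class="xph">/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab</tt>) into <tt class="xph">data</tt> instead.</p>

```python
import struct

# Well-known Kerberos enctype numbers (RFC 3962); used only to label entries.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(octets):
    """MIT keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(octets)) + octets


def build_keytab(entries):
    """Construct an MIT-format (version 0x0502) keytab in memory from
    (principal, kvno, enctype, key_bytes) tuples. Test data only: on the real
    system the keytab is written by the network authentication service tooling."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.rpartition("@")
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)             # name_type: NT-PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp (constructed: 0)
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # 32-bit kvno preferred by v2 readers
        out += struct.pack(">i", len(body)) + body
    return out


def _read_entry(entry):
    """Decode one keytab record into (principal, kvno, enctype)."""
    pos = 0

    def take(n):
        nonlocal pos
        chunk = entry[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry")
        pos += n
        return chunk

    def counted():
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    (ncomp,) = struct.unpack(">H", take(2))
    realm = counted().decode()
    components = [counted().decode() for _ in range(ncomp)]
    take(4)                                      # name_type
    take(4)                                      # timestamp
    (kvno,) = struct.unpack(">B", take(1))
    (enctype,) = struct.unpack(">H", take(2))
    counted()                                    # key material: not needed for an inventory
    if len(entry) - pos >= 4:                    # optional 32-bit kvno
        (kvno32,) = struct.unpack(">I", take(4))
        if kvno32:
            kvno = kvno32
    return ("%s@%s" % ("/".join(components), realm), kvno, enctype)


def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                             # deleted slot: skip its bytes
            pos -= size
            continue
        entries.append(_read_entry(data[pos:pos + size]))
        pos += size
    return entries


def has_service_key(data, principal):
    """True when the keytab holds at least one key for exactly this principal."""
    return any(p == principal for p, _, _ in parse_keytab(data))


# Constructed keytab: keys for the LDAP and host services of the page's example
# system. The key bytes are zero placeholders, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("ldap/my-as400.acme.com@ACME.COM", 2, 18, bytes(32)),
    ("host/my-as400.acme.com@ACME.COM", 2, 17, bytes(16)),
])

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print(principal, "kvno", kvno, ENCTYPE_NAMES.get(enctype, enctype))
    print(has_service_key(SAMPLE_KEYTAB, "ldap/my-as400.acme.com@ACME.COM"))
```

<p>The lookup is an exact string comparison, so a keytab entry for <tt class="xph">LDAP/my-as400.acme.com@ACME.COM</tt> or for the short host name would not satisfy the server, which is the most common reason a GSSAPI bind fails after the principal name has been typed by hand.</p>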
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>