ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahy_5.4.0.1/rzahykerberosmig.htm


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>Directory Server (LDAP) - Kerberos service name change</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahykerberosmig"></a>
<h3 id="rzahykerberosmig">Kerberos service name change</h3>
<p>Starting in V5R3, the service name used by the directory server and client
APIs for GSSAPI authentication (Kerberos) is changed. This change is incompatible
with the service name used prior to V5R3 (V5R2M0 PTF 5722SS1-SI08487 includes
the same change).</p>
<p>Prior to V5R3, the Directory Server and client APIs used a service
name of the form <tt class="xph">LDAP/dns-host-name@Kerberos-realm</tt> when the GSSAPI
mechanism (Kerberos) was used for authentication. This name does not comply
with the standards that define GSSAPI authentication, which state that the
principal name should start with lower case "ldap". As a result, both
the Directory Server and client APIs might not interoperate with other vendors'
products. This is particularly true if the Kerberos key distribution center
(KDC) has case sensitive principal names. The LDAP service provider for JNDI,
a commonly used Java LDAP client API, is an example of a client included with
the operating system that uses the correct service name.</p>
<p>V5R3M0 changed the service name to comply with the standards. This, however,
introduces its own compatibility problems.</p>
<ul>
<li>A directory server configured to use GSSAPI authentication will not start
after installing this release. This is because the keytab file used by the server
has credentials using the old service name (LDAP/mysys.ibm.com@IBM.COM), while
the server is looking for credentials using the new service name (ldap/mysys.ibm.com@IBM.COM).</li>
<li>A directory server or LDAP application using the LDAP APIs at V5R3M0 might
not be able to authenticate with older OS/400 servers or clients. To correct
this, you should do the following:
<ol type="1">
<li>If the KDC uses case sensitive principal names, create an account using
the correct service name (ldap/mysys.ibm.com@IBM.COM).</li>
<li>Update the keytab file used by the Directory Server to contain credentials
for the new service name. You might also want to delete the old credentials.
You can use the Qshell keytab utility to update the keytab file. By default,
the directory server uses the /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab
file. The V5R3M0 Network Authentication Service (Kerberos) wizard in iSeries
Navigator also creates keytab entries using the new service name.</li>
<li>Update V5R2M0 OS/400 systems where GSSAPI is used by applying PTF 5722SS1-SI08487.</li></ol></li></ul>
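<p>The three steps above come down to one check: for every legacy <tt class="xph">LDAP/host@REALM</tt> entry in the server keytab, a matching <tt class="xph">ldap/host@REALM</tt> entry must exist, and whether the KDC needs a new account depends on whether it compares principal names case sensitively. The following Python script is an added example, not IBM code from this page. It parses a plain-text principal listing (the sample is constructed; the real output format of the Qshell <tt class="xph">keytab list</tt> utility may differ), reports which entries need a standards-compliant twin, and shows why the old and new names collide on a case-insensitive KDC but not on a case-sensitive one. The <tt class="xph">keytab add</tt>/<tt class="xph">keytab delete</tt> command lines it prints are assumed syntax; check the utility's help on your system.</p>

```python
"""Audit LDAP Kerberos service principals in a keytab listing and plan the
V5R3 migration from LDAP/host@REALM to ldap/host@REALM.

Added example, not IBM's code. Input is a plain-text list of principals,
one per line (constructed sample below; real `keytab list` output may differ).
"""
from dataclasses import dataclass
import re

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")

STANDARD_SERVICE = "ldap"   # lower case, as the GSSAPI/LDAP standards require
LEGACY_SERVICE = "LDAP"     # what the pre-V5R3 Directory Server used

# Constructed sample: a keytab that still carries only the legacy LDAP entry.
SAMPLE_KEYTAB_LISTING = """\
LDAP/mysys.ibm.com@IBM.COM
host/mysys.ibm.com@IBM.COM
"""


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    def __str__(self):
        return f"{self.service}/{self.host}@{self.realm}"


def parse_principal(text):
    """Split 'service/host@REALM' into its components; reject anything else."""
    m = PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a service principal: {text!r}")
    return Principal(m["service"], m["host"], m["realm"])


def principals_match(a, b, kdc_case_sensitive):
    """Whether a KDC would treat two principals as the same account.

    A case-sensitive KDC needs a separate account for ldap/... even though
    LDAP/... already exists; a case-insensitive one folds them together.
    """
    if kdc_case_sensitive:
        return str(a) == str(b)
    return str(a).lower() == str(b).lower()


def plan_migration(keytab_listing, delete_old=False):
    """Return (principals to add, principals to delete).

    Keytab lookups by the V5R3 server are exact, so every legacy LDAP/...
    entry needs an ldap/... twin; deleting the legacy entry is optional.
    """
    present = [parse_principal(line)
               for line in keytab_listing.splitlines() if line.strip()]
    to_add, to_delete = [], []
    for p in present:
        if p.service != LEGACY_SERVICE:
            continue
        new = Principal(STANDARD_SERVICE, p.host, p.realm)
        if new not in present and new not in to_add:
            to_add.append(new)
        if delete_old and p not in to_delete:
            to_delete.append(p)
    return to_add, to_delete


def render_keytab_commands(to_add, to_delete):
    """Emit Qshell keytab commands for the plan (assumed syntax; verify locally)."""
    cmds = [f"keytab add {p}" for p in to_add]
    cmds += [f"keytab delete {p}" for p in to_delete]
    return cmds


if __name__ == "__main__":
    add, delete = plan_migration(SAMPLE_KEYTAB_LISTING, delete_old=True)
    for cmd in render_keytab_commands(add, delete):
        print(cmd)
    old = parse_principal("LDAP/mysys.ibm.com@IBM.COM")
    new = parse_principal("ldap/mysys.ibm.com@IBM.COM")
    print("case-insensitive KDC sees one account:",
          principals_match(old, new, kdc_case_sensitive=False))
    print("case-sensitive KDC sees one account:  ",
          principals_match(old, new, kdc_case_sensitive=True))
```

<p>Run it against the real listing on a system before the upgrade: an empty "add" list means the server will find its credentials under the new name and start; a non-empty one is the keytab update step 2 asks for, and on a case-sensitive KDC it also implies the new account from step 1.</p>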
<p>Alternatively, you can choose to have the directory server and client APIs
continue to use the old service name. This might be desirable when you are
using Kerberos authentication in a mixed network of systems running with and
without the PTFs. To do this, set the LDAP_KRB_SERVICE_NAME environment variable.
You can set this for the entire system (required to set the service name for the
server) using the following command:</p>
<pre class="xmp">ADDENVVAR ENVVAR(LDAP_KRB_SERVICE_NAME) VALUE(1) LEVEL(*SYS)
</pre><p class="indatacontent">or in QSH (to affect LDAP utilities run from this QSH session):</p>
<pre class="xmp">export LDAP_KRB_SERVICE_NAME=1
</pre>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>