Defining realms in the LDAP server

Network authentication service allows you to use the LDAP server to resolve a host name into a Kerberos realm and to find the KDC for a Kerberos realm. If you are using LDAP to look up this information, define the information in the LDAP server. To do this, complete the following two sets of tasks:

1. Set the configuration file to use LDAP.

   Use iSeries™ Navigator to indicate which directory server you want to use to resolve host names. This updates the krb5.conf configuration file located at /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf. The name of the directory server is added to the libdefaults section in the configuration file. Here is a sample of this configuration file:

   Sample krb5.conf configuration file

   ; krb5.conf - Kerberos V5 configuration file DO NOT REMOVE THIS LINE ;

   [libdefaults]

   ;  The default_realm value 
   ;-default_realm = REALM1.ROCHESTER.IBM.COM default_realm = DEPTXYZ.BOGUSNAME.COM

   ; define the system to use LDAP lookup use_ldap_lookup = 1 ldap_server = dirserv.bogusname.com

   [realms]
   ; ; We could configure the same realm information here, but it would ; only be used if the LDAP lookup failed.
   ;

   [domain_realm]
   ;  Convert host names to realm names.  Individual host names may be ;  specified.  Domain suffixes may be specified with a leading period ;  and will apply to all host names ending in that suffix.
   ; ; We will use LDAP to resolve what realm a given host name belongs to.  
   ; We could define them here also, but they would only be used if the 
   ; LDAP lookup fails.
   ;

   [capaths]
   ;  Configurable authentication paths define the trust relationships ;  between client and servers.  Each entry represents a client realm ;  and consists of the trust relationships for each server that can ;  be accessed from that realm.  A server may be listed multiple times ;  if multiple trust relationships are involved.  Specify '.' for ;  a direct connection.
   ;-REALM1.ROCHESTER.IBM.COM = {
   ;-    REALM2.ROCHESTER.IBM.COM = .
   ;;}
   DEPTXYZ.BOGUSNAME.COM = {
   	DEPTABC.BOGUSNAME.COM = .
   }

2. Define Kerberos for the LDAP server. The LDAP server must have a domain object with a name that corresponds to the Kerberos realm name. For example, if the Kerberos realm name is DEPTABC.BOGUSNAME.COM, there needs to be an object in the directory named dc=DEPTABC,dc=BOGUSNAME,dc=com. If this object does not exist, you may first need to add a suffix to the LDAP server configuration. For this object name, valid suffixes include dc=DEPTABC,dc=BOGUSNAME,dc=COM or one of the parent entries (dc=BOGUSNAME,dc=COM or dc=COM). For an i5/OS^® LDAP server, you can add a suffix by using iSeries Navigator.
   1. If you want to add a suffix, follow these steps:

      1. In iSeries Navigator, expand your system > Network > Servers > TCP/IP.

      2. Right-click IBM Directory Server and select Properties.

      3. On the Database/Suffix page, specify the suffix you want to add.
   2. Use the LDAPADD command to add the domain object for the realm in the LDAP directory.
   3. Continuing with our configuration example of two realms, called DEPTABC.BOGUSNAME.COM and DEPTXYZ.BOGUSNAME.COM, place the following lines in an integrated file system file:

      dn: dc=BOGUSNAME,dc=COM
      dc: BOGUSNAME
      objectClass: domain

      dn: dc=DEPTABC,dc=BOGUSNAME,dc=COM
      dc: DEPTABC
      objectClass: domain

      dn: dc=DEPTXYZ,dc=BOGUSNAME,dc=COM
      dc: DEPTXYZ
      objectClass: domain

   4. If the integrated file system file is named /tmp/addRealms.ldif, then using the same assumptions as the previous example, enter the following commands:

        STRQSH   ldapadd -h dirserv.bogusname.com -D cn=Administrator 
          -w verysecret -c -f   /tmp/addRealms.ldif

   5. Define the KDC entries for your realms, and optionally define host name entries to assign each host in your network to a specific realm name. You can do this using the ksetup command, with the addkdc and addhost subcommands. Continuing with our configuration example, you can enter the following commands:

        STRQSH   ksetup -h dirserv.bogusname.com -n cn=Administrator 
          -p verysecret   addkdc kdc1.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM   addkdc kdc2.deptxyz.bogusname.com DEPTXYZ.BOGUSNAME.COM   addkdc kdc1.deptabc.bogusname.com DEPTABC.BOGUSNAME.COM   addhost database.deptxyz.bogusname.com 
          DEPTXYZ.BOGUSNAME.COM

      Repeat for each host in each realm, as needed.

• Defining schema on an LDAP server
  The i5/OS LDAP server (IBM^® Directory Server) is shipped with the LDAP schema already defined. However, if you are using an LDAP server other than IBM Directory Server, you can define your own schema on that server.

Parent topic: