Kerberos setup

You must set up a Kerberos server before you can use it for authentication.

IBM® Security Directory Server supports Kerberos Version 1.4 servers, such as the IBM Network Authentication Service, for AIX® servers and AIX 64-bit clients.
Note: You must have the IBM Network Authentication Service client installed to use Kerberos authentication.

Under Network Authentication Service, a client (either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it by using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT by using its password. If the decryption is successful, the client retains the decrypted TGT as proof of the client's identity.

The TGT, which expires at a specified time, permits the client to obtain extra tickets that give permission for specific services. The requesting and granting of these additional tickets does not require user intervention.

Network Authentication Service negotiates authenticated, optionally encrypted communications between two points on the network. It can enable applications to provide a layer of security that is not dependent on which side of a firewall either client is on. Because of this, Network Authentication Service can play a vital role in the security of your network.

You need to create an LDAP server service name in the key distribution center (KDC) by using the principal name ldap/<hostname>.<mylocation>.<mycompany>.com.
Note: An environment variable LDAP_KRB_SERVICE_NAME is used to determine the case of the LDAP Kerberos service name. If the variable is set to LDAP, then the uppercase LDAP Kerberos service name is used. If the variable is not set, then the lowercase ldap is used. This environment variable is used by both the LDAP client and the server. By default this variable is not set. See the Troubleshooting and support section of the IBM Security Directory Server documentation for more detailed information about the Kerberos service name change.
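The following helper is an added example, not part of the IBM documentation or product: it derives the LDAP service principal name from the LDAP_KRB_SERVICE_NAME rule above, checks that the client and server sides derive the same name, and confirms that a keytab contains that principal. The keytab listing is a constructed sample in MIT-style `klist -k` format, and the hostname and realm are placeholders.

```python
import os
from typing import Mapping, Optional

# Constructed sample of a keytab listing (MIT-style `klist -k` output);
# the host and realm are placeholders, not values from the documentation.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ldapsrv.mylocation.mycompany.com@MYCOMPANY.COM
"""


def ldap_service_name(env: Optional[Mapping[str, str]] = None) -> str:
    """Apply the documented rule: LDAP_KRB_SERVICE_NAME=LDAP selects the
    uppercase service name, unset selects lowercase 'ldap'. Any other
    value is treated like unset here (assumption; only those two cases
    are documented)."""
    env = os.environ if env is None else env
    return "LDAP" if env.get("LDAP_KRB_SERVICE_NAME") == "LDAP" else "ldap"


def ldap_service_principal(hostname: str, realm: str,
                           env: Optional[Mapping[str, str]] = None) -> str:
    """Full principal of the form <service>/<fqdn>@<REALM>, e.g.
    ldap/host.mylocation.mycompany.com@MYCOMPANY.COM."""
    return f"{ldap_service_name(env)}/{hostname}@{realm}"


def service_name_agrees(client_env: Mapping[str, str],
                        server_env: Mapping[str, str]) -> bool:
    """The variable is read by both client and server. If only one side
    sets it, the client asks the KDC for a service principal that was
    never registered, so the two environments must agree."""
    return ldap_service_name(client_env) == ldap_service_name(server_env)


def keytab_has_principal(klist_output: str, principal: str) -> bool:
    """Return True if a `klist -k` style listing contains the principal.
    The comparison is exact: Kerberos principal names are case-sensitive,
    so 'ldap/...' and 'LDAP/...' are different entries."""
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1] == principal:
            return True
    return False
```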
Network Authentication Service provides the following components:
Key distribution center
The KDC is a trusted server that has access to the private keys of all the principals in a realm. The KDC is composed of two parts: the Authentication Server (AS) and the Ticket Granting Server (TGS). The AS handles initial client authentication by issuing a TGT. The TGS issues service tickets that can be used by the client to authenticate to a service.
Administration server
The administration server provides administrative access to the Network Authentication Service database. This database contains the principals, keys, policies, and other administrative information for the realm. The administration server allows adding, modifying, deleting, and viewing principals and policies.
Password change service
The password change service allows users to change their passwords. The password change service is provided by the administration server.
Client programs
Client programs are provided to manipulate credentials (tickets), manipulate keytab files, change passwords, and perform other basic Network Authentication Service operations.
Application programming interfaces (APIs)
Libraries and header files are provided to allow the development of secure distributed applications. The APIs provided are described in the Application Development Reference.