Kerberos authentication with the Directory Server

Directory Server allows you to use Kerberos authentication. Kerberos is a network authentication protocol that uses secret key cryptography to provide strong authentication to client and server applications.

To enable Kerberos authentication, you must have the network authentication service configured.

Kerberos support in Directory Server is provided through the GSSAPI SASL mechanism. This enables both Directory Server and Windows 2000 LDAP clients to use Kerberos authentication with the Directory Server.

The Kerberos principal name that the server uses has the following form:

service-name/host-name@realm

service-name is ldap (it must be lower case), host-name is the fully qualified TCP/IP host name of the system, and realm is the default realm specified in the system's Kerberos configuration.

For example, for a system named my-as400 in the acme.com TCP/IP domain, with a default Kerberos realm of ACME.COM, the LDAP server Kerberos principal name would be ldap/my-as400.acme.com@ACME.COM. The default Kerberos realm is specified in the Kerberos configuration file (by default, /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf) with the default_realm directive (default_realm = ACME.COM). The Directory Server cannot be configured to use Kerberos authentication if a default realm has not been configured.

When Kerberos authentication is used, the Directory Server associates a distinguished name (DN) with the connection, and that DN determines the connection's access to directory data. You can choose to have the server associate the DN using one of the following methods:

  • The server can create a DN based on the Kerberos ID. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.
  • The server can search the directory for an entry that contains the Kerberos principal and realm, and use that entry's distinguished name (DN). When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.

You must have a key table (keytab) file that contains a key for the LDAP service principal.
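The following is an added example, not code from the IBM documentation or the Directory Server product. It reads default_realm from a constructed krb5.conf fragment, builds the ldap/host-name@realm service principal (refusing when no default realm is configured, as the text requires), and shows the two DN association methods described above. The hostname lower-casing and the ibm-kerberosName attribute lookup used to simulate the directory search are assumptions.

```python
import re
from typing import Optional

# Constructed krb5.conf fragment used as sample input (not a real system file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ACME.COM
    dns_lookup_kdc = true

[realms]
    ACME.COM = {
        kdc = kdc.acme.com
    }
"""

def default_realm(krb5_conf_text: str) -> Optional[str]:
    """Return default_realm from the [libdefaults] section, or None if absent."""
    section = None
    for line in krb5_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def ldap_service_principal(host_name: str, krb5_conf_text: str) -> str:
    """Build ldap/<fqdn>@<REALM>; raise if no default realm is configured."""
    realm = default_realm(krb5_conf_text)
    if realm is None:
        raise ValueError("no default_realm in krb5.conf; Kerberos cannot be enabled")
    if "." not in host_name:
        raise ValueError("host name must be fully qualified")
    # Service name must be lower-case "ldap"; lower-casing the host is an assumption.
    return f"ldap/{host_name.lower()}@{realm}"

def dn_from_kerberos_id(identity: str) -> str:
    """Method 1: derive the DN directly from principal@realm (ibm-kn=...)."""
    if identity.count("@") != 1:
        raise ValueError("expected principal@realm")
    return f"ibm-kn={identity}"

def dn_by_directory_search(identity: str, entries: dict) -> Optional[str]:
    """Method 2 (simulated): return the DN of the entry carrying this identity."""
    for dn, attrs in entries.items():
        if identity in attrs.get("ibm-kerberosName", []):  # attribute name assumed
            return dn
    return None
```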