Enabling the IDS server Kerberos bind

The following procedure enables the IDS server for Kerberos bind, and the example shows how each step is carried out on one server.

This example was tested using IDS v5.1:

  1. Install the krb5.client fileset.
  2. Make sure the /etc/krb5/krb5.conf file exists and is configured properly. If you need to configure it, you can run the /usr/sbin/config.krb5 command.
    # config.krb5 -r ud3a.austin.ibm.com -d austin.ibm.com -c KDC -s alyssa.austin.ibm.com
    Initializing configuration...
    Creating /etc/krb5/krb5_cfg_type...
    Creating /etc/krb5/krb5.conf...
    The command completed successfully.
    # cat /etc/krb5/krb5.conf
    [libdefaults]
         default_realm = ud3a.austin.ibm.com
         default_keytab_name = FILE:/etc/krb5/krb5.keytab
         default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
         default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    [realms]
      ud3a.austin.ibm.com = {
         kdc = alyssa.austin.ibm.com:88
         admin_server = alyssa.austin.ibm.com:749
         default_domain = austin.ibm.com
      }
    
    [domain_realm]
         .austin.ibm.com = ud3a.austin.ibm.com
         alyssa.austin.ibm.com = ud3a.austin.ibm.com
    
    [logging]
         kdc = FILE:/var/krb5/log/krb5
         admin_server = FILE:/var/krb5/log/kadmin.log
         default = FILE:/var/krb5/log/krb5lib.log
  3. Get the keytab file for the ldap/serverhostname principal, and place it in the /usr/ldap/etc directory. For example: /usr/ldap/etc/slapd_krb5.keytab.
  4. Set the permission to allow the server process to access the file.
    # chown ldap:ldap /usr/ldap/etc/slapd_krb5.keytab
    #
  5. To enable the IDS server for Kerberos bind, edit the /etc/ibmslapd.conf file and append the following entry:
    dn: cn=Kerberos, cn=Configuration
    cn: Kerberos
    ibm-slapdKrbAdminDN: ldapadmin
    ibm-slapdKrbEnable: true
    ibm-slapdKrbIdentityMap: true
    ibm-slapdKrbKeyTab: /usr/ldap/etc/slapd_krb5.keytab
    ibm-slapdKrbRealm: ud3a.austin.ibm.com
    objectclass: ibm-slapdKerberos
    objectclass: ibm-slapdconfigEntry
    objectclass: top
  6. Map the ldapproxy principal to a bind DN named cn=proxyuser,cn=aixdata.
    1. If the bind DN entry exists in the IDS server, create a file named ldapproxy.ldif with the following content:
      dn: cn=proxyuser,cn=aixdata
      changetype: modify
      add: objectclass
      objectclass: ibm-securityidentities
      -
      add:altsecurityidentities
      altsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com
    OR
    2. If the bind DN entry is not yet added to the server, create a file named proxyuser.ldif with the following content:
      Note: You will need to replace proxyuserpwd with your password.
      dn: cn=proxyuser,cn=mytest
      cn: proxyuser
      sn: proxyuser
      userpassword: proxyuserpwd
      objectclass: person
      objectclass: top
      objectclass: ibm-securityidentities
      altsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com

    Add the bind DN entry that is created to the IDS server using the ldapmodify command:

    # ldapmodify -D cn=admin -w adminPwd -f /tmp/proxyuser.ldif
    modifying entry cn=proxyuser,cn=mytest
    #
  7. Restart the IDS server.
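As an added example (not part of the AIX documentation), the following POSIX shell script cross-checks steps 2, 5 and 6 before the restart in step 7: it reads default_realm from krb5.conf, the ibm-slapdKrb* attributes from ibmslapd.conf and the altsecurityidentities mapping from the proxy-user LDIF, and confirms that the realms agree and that the keytab file exists. The file paths are arguments, and the sample files it writes are constructed copies of the fragments shown above.

```shell
# Added example, not part of the AIX documentation: cross-check the pieces
# configured in steps 2 to 6 before restarting the server. File paths are
# passed as arguments; the files built at the bottom are constructed copies
# of the fragments shown above, written to a scratch directory.

# Print the value of "key = value" under [libdefaults] in a krb5.conf.
krb5_libdefault() {   # $1 = krb5.conf path, $2 = key
    awk -v k="$2" '
        /^[[:space:]]*\[/ { insect = ($0 ~ /\[libdefaults\]/) }
        insect && $1 == k && $2 == "=" { print $3; exit }' "$1"
}

# Print the value of the first "attr: value" line in an LDIF-style file.
ldif_attr() {   # $1 = file, $2 = attribute name (matched case-insensitively)
    awk -v a="$2" 'BEGIN { a = tolower(a) }
        { i = index($0, ":")
          if (i && tolower(substr($0, 1, i - 1)) == a) {
              v = substr($0, i + 1); sub(/^[[:space:]]+/, "", v); print v; exit } }' "$1"
}

# Return 0 when krb5.conf, the cn=Kerberos entry, the keytab and the proxy
# mapping agree; otherwise print each mismatch and return 1.
check_krb_bind() {   # $1 = krb5.conf, $2 = ibmslapd.conf, $3 = proxy-user LDIF
    realm=$(krb5_libdefault "$1" default_realm)
    cfg_realm=$(ldif_attr "$2" ibm-slapdKrbRealm)
    keytab=$(ldif_attr "$2" ibm-slapdKrbKeyTab)
    enabled=$(ldif_attr "$2" ibm-slapdKrbEnable)
    mapping=$(ldif_attr "$3" altsecurityidentities)   # Kerberos:principal@REALM
    map_realm=${mapping##*@}
    rc=0
    [ "$enabled" = true ] || { echo "ibm-slapdKrbEnable is not true"; rc=1; }
    [ -n "$realm" ] && [ "$cfg_realm" = "$realm" ] ||
        { echo "ibm-slapdKrbRealm '$cfg_realm' differs from default_realm '$realm'"; rc=1; }
    [ -f "$keytab" ] || { echo "keytab '$keytab' not found"; rc=1; }
    [ "$map_realm" = "$realm" ] || { echo "mapping realm '$map_realm' differs from '$realm'"; rc=1; }
    return $rc
}

# Constructed sample files (scratch copies of the fragments in the procedure).
d=$(mktemp -d)
printf '[libdefaults]\n default_realm = ud3a.austin.ibm.com\n[realms]\n' > "$d/krb5.conf"
printf 'dn: cn=Kerberos, cn=Configuration\nibm-slapdKrbEnable: true\nibm-slapdKrbKeyTab: %s\nibm-slapdKrbRealm: ud3a.austin.ibm.com\n' \
    "$d/slapd_krb5.keytab" > "$d/ibmslapd.conf"
printf 'dn: cn=proxyuser,cn=aixdata\naltsecurityidentities: Kerberos:ldapproxy@ud3a.austin.ibm.com\n' > "$d/ldapproxy.ldif"
: > "$d/slapd_krb5.keytab"   # stands in for the real keytab
check_krb_bind "$d/krb5.conf" "$d/ibmslapd.conf" "$d/ldapproxy.ldif" && echo "Kerberos bind settings are consistent"
```

On a real server, pass /etc/krb5/krb5.conf, /etc/ibmslapd.conf and the LDIF from step 6 instead of the scratch copies; any line the check prints is a mismatch to fix before step 7.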