
LDAP on Kerberos

From K5Wiki

About

A guide to setting up the LDAP backend for Kerberos.

To Do

  • Slapd in sandbox, not /etc
  • Simpler Domain names D.COM, R.COM
  • Different domain names
  • Figure out required schemas
  • Figure out: in Kerb Schema Operations, whether I can "update slapd.conf with kerb schema or ldif" on some Ubuntu versions
  • Play around to get minimum set of requirement
  • Update tree too; got a fix

0. Sample code to follow

    1  cd /tmp
    2  vim krb5.conf
    3  vim kdc.conf
    4  vim kadm5.acl
    5  export KRB5_CONFIG=/tmp/krb5.conf
    6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
    7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
    8  mkdir krb5kdc
    9  sudo apt-get install slapd
   10  sudo apt-get install ldap-utils
   11  sudo dpkg-reconfigure slapd
   12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
   13  sudo vim /etc/default/slapd
   14  sudo apt-get install libldap2-dev
   15  cd /home/haoqili/trunk/src/
   16  make distclean
   17  autoreconf
   18  ./configure --with-ldap
   19  make
   20  sudo make install
   21  vim /tmp/schema_convert.conf
   22  mkdir /tmp/ldif_output
   23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
   24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
   25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
   26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
   27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
   28  kadmin.local
   29  krb5kdc -n

1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial to have correct, consistent domain names. You must have the dbmodules section in krb5.conf.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env and Setup

Export these variables in your environment, adjusted to where you saved the files:

  • export KRB5_CONFIG=/tmp/sandbox/krb5.conf
  • export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf
  • make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc

Whatever you do, be consistent.

4. Build kerb. config

  1. Install Packages:
    • sudo apt-get install slapd
    • for ldapsearch: sudo apt-get install ldap-utils
    • sudo apt-get install libldap2-dev
  2. Set "domain" of your LDAP server
    • Option 1, Interactive Option: sudo dpkg-reconfigure slapd
      The indented lines are the corresponding debconf-get-selections entries.
      1. Omit OpenLDAP server configuration: No
        slapd slapd/no_configuration boolean false
      2. DNS domain name: example.org
        slapd slapd/domain string example.org
      3. Organization name: example.org [note: I used the same name for simplicity]
        slapd shared/organization string example.org
      4. Database backend to use: HDB (instead of BDB)
        slapd slapd/backend select HDB
      5. Do you want the database to be removed when slapd is purged: Yes
        slapd slapd/purge_database boolean true
      6. Move old database: Yes
        slapd slapd/move_old_database boolean true
      7. Admin password: [your pwd]
        slapd slapd/password1 password
        [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]
      8. Confirm password: [your pwd]
        slapd slapd/password2 password
      9. Allow LDAPv2 protocol: No
        slapd slapd/allow_ldap_v2 boolean false
    • Option 2, Noninteractive Option
      1. sudo apt-get install debconf-utils
      2. Save this file in /tmp/debconfile: debconfile
      3. sudo debconf-set-selections /tmp/debconfile
      4. sudo dpkg-reconfigure --frontend=noninteractive slapd
    • Checkpoint: If you are successful, you should see as output:
      Stopping OpenLDAP: slapd.
      Moving old database directory to /var/backups:
      - directory unknown... done.
      Creating initial slapd configuration... done.
      Creating initial LDAP directory... done.
      * Reloading AppArmor profiles
      ... [ OK ]
      Starting OpenLDAP: slapd.
  3. If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  4. To restrict slapd to local (Unix-socket) access only, edit /etc/default/slapd (sudo vim /etc/default/slapd), find SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
  5. Reconfigure your kerberos
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install

5. Kerb Schema Operations

Loosely followed the Ubuntu Guide and the Kerberos V5 System Administrator's Guide.

  1. If you have not done so already, locate kerberos.schema, which should be at /etc/ldap/schema/kerberos.schema. If it is not there, copy it there from your kerberos trunk: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: make sure /etc/ldap/schema contains the schema files, such as:
    • core.schema
    • inetorgperson.schema
    • kerberos.schema
    • misc.schema
    • openldap.schema
  2. Create this schema_convert.conf at /tmp/schema_convert.conf. Note: it is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert schema --> LDIF with slaptest: slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output
    Output: "config file testing succeeded"
    Checkpoint: If you sudo ls /tmp/ldif_output/cn\=config/cn\=schema, you should see:
    cn={0}core.ldif
    cn={1}corba.ldif
    cn={2}cosine.ldif
    cn={3}duaconf.ldif
    cn={4}inetorgperson.ldif
    cn={5}java.ldif
    cn={6}kerberos.ldif
    cn={7}misc.ldif
    cn={8}openldap.ldif
    cn={9}nis.ldif
  5. Modify kerberos.ldif so that ldapadd accepts it under cn=config:
    • Find which number kerberos.ldif is listed as: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines: from structuralObjectClass: olcSchemaConfig to modifyTimestamp: 20090811205313Z (the operational attributes slaptest appends)
  6. load new schema: sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
    Note: if you get a "Can't contact LDAP server" error, check the output of ps -ef | grep slapd to see which URIs slapd is listening on and adjust -H accordingly. A common fix is to run sudo ldapadd with -H ldap:/// instead of ldapi:///.
    Output: adding new entry "cn=kerberos,cn=schema,cn=config"
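The kerberos.ldif fix-up of step 5 as a script, an added example that is not part of the K5Wiki page: schema_ldif_path finds whichever cn={N}kerberos.ldif slaptest produced, and fix_schema_ldif applies the three edits. The slaptest output it runs on here is a constructed stand-in with placeholder attribute definitions.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: the kerberos.ldif fix-up of step 5 as a
# script. slaptest numbers schema entries (cn={6}kerberos) and appends operational
# attributes; ldapadd under cn=config accepts neither, so dn and cn are rewritten
# and everything from structuralObjectClass onward is dropped.

# sample_slaptest_ldif: constructed stand-in for slaptest output, with placeholder
# attribute/objectclass definitions (the real kerberos.ldif has many more).
sample_slaptest_ldif() {
  cat <<'EOF'
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'sampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'sampleClass' SUP top AUXILIARY MAY sampleAttr )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
EOF
}

# schema_ldif_path DIR NAME: path of cn={N}NAME.ldif under DIR/cn=config/cn=schema,
# whatever number N slaptest assigned (the guide looks it up with ls).
schema_ldif_path() {
  for f in "$1"/cn=config/cn=schema/cn=\{*\}"$2".ldif; do
    [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# fix_schema_ldif NAME: filter stdin to stdout, applying the three edits.
fix_schema_ldif() {
  name=$1
  sed -e "s/^dn: cn={[0-9]*}$name\$/dn: cn=$name,cn=schema,cn=config/" \
      -e "s/^cn: {[0-9]*}$name\$/cn: $name/" \
      -e '/^structuralObjectClass:/,$d'
}

# Once slapd is listening on ldapi:/// (not run here):
#   fix_schema_ldif kerberos < "$(schema_ldif_path /tmp/ldif_output kerberos)" > /tmp/kerberos.ldif
#   sudo ldapadd -x -D cn=admin,cn=config -W -H ldapi:/// -f /tmp/kerberos.ldif
# Loading the same schema twice gives "Duplicate attributeType" (error 80), as in
# the Errors section: check cn=schema,cn=config before re-adding.
```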

6. Starting

  • Create your database with kdb5_ldap_util instead of kdb5_util:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s
    Note that if you used ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here.

output:

Initializing database for realm 'EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Kerberos container is missing. Creating now...
  • Stash the password:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    Checkpoint: If it works, you can do:
    • run kadmin.local, try listprincs, and quit by typing quit
  • krb5kdc
    Checkpoint: ps -ef | grep krb5kdc should show it running
  • To destroy the database again: kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy
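A pre-flight consistency check, added here and not from the page, for the names that section 3 and the domain-change errors in the Scratch Pad show must agree: default_realm, the dbmodule DNs, the bind DN given to -D and the LDAP URI given to -H. It assumes the realm is the upper-cased DNS domain given to dpkg-reconfigure slapd (as on this page) and that the dbmodule uses the standard kldap parameters ldap_kerberos_container_dn, ldap_kdc_dn and ldap_servers; the krb5.conf it reads is constructed.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: a pre-flight check of the names that
# must agree before running kdb5_ldap_util create. Assumes the realm is the
# upper-cased DNS domain given to dpkg-reconfigure slapd (as on this page) and that
# the LDAP dbmodule uses the standard kldap parameters
# ldap_kerberos_container_dn, ldap_kdc_dn and ldap_servers.
lower() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# realm_to_basedn REALM: D.COM -> dc=d,dc=com, the suffix slapd was configured with.
realm_to_basedn() { lower "$1" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'; }

# conf_value FILE KEY: value of the first "KEY = value" line in FILE ("" if absent).
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed -n '1s/[[:space:]]*$//p'
}

# sample_krb5_conf: constructed krb5.conf with the dbmodules section the guide
# requires (on this page's krb5 the dbmodule lives in krb5.conf, not kdc.conf).
sample_krb5_conf() {
  cat <<'EOF'
[libdefaults]
    default_realm = D.COM
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=d,dc=com
        ldap_kdc_dn = cn=admin,dc=d,dc=com
        ldap_kadmind_dn = cn=admin,dc=d,dc=com
        ldap_servers = ldapi:///
    }
EOF
}

# check_ldap_kdc_names CONF BINDDN URI: compare default_realm and the dbmodule
# DNs/URI in CONF against the -D and -H you are about to give kdb5_ldap_util.
# Prints one line per mismatch; returns 1 if any, 0 if everything agrees.
check_ldap_kdc_names() {
  realm=$(conf_value "$1" default_realm); base=$(realm_to_basedn "$realm")
  container=$(lower "$(conf_value "$1" ldap_kerberos_container_dn)")
  kdc_dn=$(lower "$(conf_value "$1" ldap_kdc_dn)")
  servers=$(conf_value "$1" ldap_servers)
  bind_dn=$(lower "$2"); rc=0
  case "$container" in *",$base") ;; *)
    echo "ldap_kerberos_container_dn '$container' is not under '$base' (realm $realm)"; rc=1 ;; esac
  case "$bind_dn" in *",$base") ;; *)
    echo "bind DN '$2' is not under '$base': expect 'Invalid credentials'"; rc=1 ;; esac
  [ "$kdc_dn" = "$bind_dn" ] || { echo "ldap_kdc_dn '$kdc_dn' differs from bind DN '$2'"; rc=1; }
  [ "$servers" = "$3" ] || { echo "ldap_servers '$servers' differs from -H '$3'"; rc=1; }
  return $rc
}
```

Run it as check_ldap_kdc_names /tmp/sandbox/krb5.conf cn=admin,dc=d,dc=com ldapi:/// before the create step; a stale example.org anywhere shows up as a mismatch line instead of as "Invalid credentials" or "Server is unwilling to perform".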

Scratch Pad

Assume people have done

   1  cd /tmp
   9  sudo apt-get install slapd
  10  sudo apt-get install ldap-utils
  14  sudo apt-get install libldap2-dev
  15  cd /home/haoqili/trunk/src/
  16  make distclean
  17  util/reconf
  18  ./configure --with-ldap
  19  make
  20  sudo make install

Code

   2  vim krb5.conf
   3  vim kdc.conf
   4  vim kadm5.acl
   5  export KRB5_CONFIG=/tmp/krb5.conf
   6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
   7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/



   8  mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?
  11  sudo dpkg-reconfigure slapd
  12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
  13  sudo vim /etc/default/slapd
  21  vim /tmp/schema_convert.conf
  22  mkdir /tmp/ldif_output
  23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
  24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
  25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
  26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
  27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  28  kadmin.local
  29  krb5kdc -n

Errors

  • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
    ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    SOLUTION: Make sure that slapd is started and that the -H ldapi:/// you pass to ldapadd matches a URI slapd is listening on (the -h arguments in the ps output below).
    sudo /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
    openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
    • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
      Output: adding new entry "cn=kerberos,cn=schema,cn=config"
openldap 11434     1  0 12:06 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
  • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///
    ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine
    SOLUTION: Change "-h" to "-H"
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla
haoqili  12228  4371  0 12:26 pts/0    00:00:00 grep sla
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ 
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
adding new entry "cn=kerberos,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
	additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"
  • DbDriver is locked
sudo debconf-set-selections /tmp/debconfile 
[sudo] password for haoqili: 
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable

OR 

sudo dpkg-reconfigure --frontend=noninteractive
[sudo] password for haoqili: 
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
  • SOLUTION: fuser -v /var/cache/debconf/config.dat will tell you which process holds the lock.
  • Here is a series of steps, some with errors, that I got when changing the domain name (set via sudo dpkg-reconfigure slapd) from "example.org" to "D.COM". The errors might help point people in the right direction if they encounter the same ones.
    • With my config files still with realms set to "example.org", after I did
sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
Enter LDAP Password: 
adding new entry "cn=kerberos,cn=schema,cn=config"
    • I then did kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s
      ERROR: kdb5_ldap_util: Invalid credentials while initializing database
      Explanation: this is because the dc is no longer example.org anymore. So I did:
    • Changing this command to reflect the correct domain: kdb5_ldap_util -D cn=admin,dc=D,dc=COM -H ldapi:/// create -s
      Output:
Password for "cn=admin,dc=D,dc=COM": 
Initializing database for realm 'EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Kerberos container is missing. Creating now...
    • ERROR: kdb5_ldap_util: Kerberos Container create FAILED: Server is unwilling to perform while creating realm 'EXAMPLE.ORG'
      Explanation: this is because even though the command domain names have changed, the config files (krb5.conf, kdc.conf) also need to reflect the correct domain name.
  • After changing all the example.org's into d.com's, the create command worked. So I proceeded to: kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// stashsrvpw cn=admin,dc=D,dc=COM, I entered my passwords
  • kadmin.local and krb5kdc failed with errors:
$ kadmin.local
Authenticating as principal haoqili/admin@D.COM with password.
kadmin.local: Server error while initializing kadmin.local interface

$ krb5kdc
krb5kdc: cannot initialize realm D.COM - see log file for details
    • I looked at the KDC log file; it says: krb5kdc: Error reading password from stash: Bind DN entry missing in stash file - while initializing database for realm D.COM
  • $ kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    Password for "cn=admin,dc=example,dc=org":
    Re-enter password for "cn=admin,dc=example,dc=org":
    ERROR: kdb5_ldap_util: Permission denied Failed to open file /usr/local/var/service_passwd: Permission denied
    SOLUTION: make sure your config files are exported in the terminal you use to do this command.