Difference between revisions of "LDAP on Kerberos"
From K5Wiki
(→6. Starting) |
(→6. Starting) |
||
| Line 111: | Line 111: | ||
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code> |
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code> |
||
*: If it works, you can do: |
*: If it works, you can do: |
||
| − | *: <code>kadmin.local</code>, try <code>listprincs</code> |
+ | *: <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code> |
*: <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line |
*: <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line |
||
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code> |
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code> |
||
| − | |||
| − | 18:10, 15 August 2009 (EDT) |
||
| − | *Command that worked: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code> |
||
| − | *<code>krb5kdc -n</code> |
||
Revision as of 10:03, 17 August 2009
Contents
1. Information about the system
- packages
- Version of ubuntu
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.04
Release: 9.04
Codename: jaunty
- Version of slapd: 2.4.15 (Mar 19 2009)
slapd -V
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
- Version of ldap-utils: 2.4.15
dpkg -l ldap-utils
2. Extract krb conf files
- It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.
- Save krb5.conf
- Save kdc.conf
- Save kadm5.acl
3. Env
You need to export these lines into your env. Based on where you saved these files.
KRB5_CONFIG=/tmp/krb5.conf
KRB5_KDC_PROFILE=/tmp/kdc.conf
LD_LIBRARY_PATH=[path to the kerberos src]/src/lib
I saved mine here:
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf
LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib
4. Build kerb. config
- Install slapd package:
sudo apt-get install slapd- Asks for password.
- Install ldap-utils package (for ldapsearch):
sudo apt-get install ldap-utils - Set the "domain" of your LDAP server with
sudo dpkg-reconfigure slapd- Omit OpenLDAP server configuration: No
- DNS domain name: example.org
- Organization name: example.org [note: i used the same name for simplicity]
- Databases backend to use: HDB
- Do you want the database to be removed when slapd is purge: Yes
- Move old database: Yes
- Admin password: a
- Confirm password: a
- Allow LDAPv2 protocol: No
- Checkpoint: If you are successful, you should see as output:
- Stopping OpenLDAP: slapd.
- Moving old database directory to /var/backups:
- - directory unknown... done.
- Creating initial slapd configuration... done.
- Creating initial LDAP directory... done.
- * Reloading AppArmor profiles
- ... [ OK ]
- Starting OpenLDAP: slapd.
- If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema:
sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema - To restrict access to the local machine,
sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:SLAPD_SERVICES="ldapi:///"
- To build Kerberos with LDAP back end support, install:
sudo apt-get install libldap2-dev - Reconfigure your kerberos
- Navigate to kerberos src
-
make distclean -
util/reconf -
./configure --with-ldap -
make -
sudo make install
5. Kerb Schema Operations
Loosely followed Ubuntu Guide and Kerberos V5 System Admin Guide
- Locate the kerberos.schema. kerberos.schema which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk:
cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema- Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema
- Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
- Make the directory to hold output:
mkdir /tmp/ldif_output - Convert schema --> LDIF with slaptest:
slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output- Output: "config file testing succeeded"
- Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output
- Need to modify kerberos.ldif.
- Find which number kerberos.ldif is listed as:
sudo ls /tmp/ldif_output/cn\=config/cn\=schema - Edit it:
sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif- change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
- change cn: {6}kerberos into cn: kerberos
- Delete the bottom lines: from structuralObjectClasses: olcSchemaConfig to modifyTimestamp: 20090811205313Z
- Find which number kerberos.ldif is listed as:
- load new schema, replace "-w a" with your password:
sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///- Output: adding new entry "cn=kerberos,cn=schema,cn=config"
6. Starting
- Create your database with kdb5_ldap_util instead of kdb5_util:
-
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
-
output:
Initializing database for realm 'EXAMPLE.ORG' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Kerberos container is missing. Creating now...
- Stash the password:
-
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org - If it works, you can do:
-
kadmin.local, trylistprincs, quit by typingquit -
krb5kdc -nif it runs, the cursor blinks on a new line
-
- Command to destroy kdb5_ldap_util:
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy
