
LDAP on Kerberos

From K5Wiki
Revision as of 10:42, 15 August 2009 by Haoqili (talk | contribs) (2. Kerb Schema Operations)


1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Kerb Schema Operations

Ubuntu Guide, loosely following section 6.4

  1. Locate kerberos.schema, which should be at /etc/ldap/schema/kerberos.schema.
    Checkpoint: Make sure /etc/ldap/schema contains the other schemas as well, such as core.schema, collective.schema, etc.
  2. Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide. You must put "kerberos.schema" in there.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert the schema to LDIF with slaptest, making sure the path to your schema_convert.conf is correct: slaptest -f schema_convert.conf -F /tmp/ldif_output
    Checkpoint: Make sure there is a "cn=config" directory in your /tmp/ldif_output

??populate all the directories

3. ldap/slapd configuration changes

take out lines, modify lines

4. Extract krb conf files

5. Env

6. Build kerb. config

  • You'll need a test OpenLDAP server. To get this, you'll need to install the slapd package (for the server program) and the ldap-utils package (for ldapsearch). You can set the "domain" of your LDAP server using "sudo dpkg-reconfigure slapd". I will assume example.com below. I believe this will also prompt you for an admin password.

  • You'll need to copy kerberos.schema from the source tree (src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema) into /etc/ldap/schema.

  • In /etc/default/slapd, search for SLAPD_SERVICES and set it to:
      SLAPD_SERVICES="ldapi:///"
This will restrict access to the local machine.
  • You may want to get familiar with the ldapsearch program. Here's an example of how to use it against the test server installed above:

ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com

This command displays all of the entries in your LDAP database. The -H option and argument indicate the URI of the LDAP server; ldapi:/// means "a Unix-domain socket on the local machine". -x means to use simple authentication and -W means to prompt for a password (the admin password you chose previously). The -D option and argument specify the "bind DN", which you can think of as a username. The -LLL option shortens the output format a bit; you can leave that out if you want. The -b option specifies the base of the query; in this case, the whole thing. It's also worth reading the man page for the meaning of the -s option (restrict the scope of the query) and for the filter syntax.

  • To build Kerberos with LDAP back end support, you need to install the libldap2-dev package, and configure with --with-ldap.

  • Configuring your KDC is similar to setting up a normal KDC, but your dbmodule directive will look something like this:

[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=admin,dc=example,dc=com
    ldap_kadmind_dn = cn=admin,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
  }

(In a real deployment, you would probably create user DNs for the KDC and kadmin rather than using the admin DN, and grant them the minimum necessary access. But creating users in an OpenLDAP database didn't appear straightforward to me, so I skipped that step in my testing.)
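The separate-DN setup the note above skips, as an added example (not from this wiki page or the krb5 project): it creates one bind identity for the KDC and one for kadmind, then restricts the Kerberos container so that only those two DNs can read or modify principal entries. The DNs cn=kdc-service and cn=adm-service, the config database name olcDatabase={1}hdb, and root's ability to modify cn=config over ldapi:/// with SASL EXTERNAL are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the K5Wiki page or the krb5 project.
# Assumed (not on the page): the DNs cn=kdc-service and cn=adm-service, the
# config database name olcDatabase={1}hdb, and that root may modify cn=config
# over ldapi:/// with SASL EXTERNAL. Replace CHANGE-ME before applying.
BASE="dc=example,dc=com"
CONTAINER="cn=krbcontainer,$BASE"
KDC_DN="cn=kdc-service,$BASE"
ADM_DN="cn=adm-service,$BASE"

# LDIF for the two bind identities (organizationalRole + simpleSecurityObject
# is the same combination Debian uses for its cn=admin entry).
service_accounts_ldif() {
  for dn in "$KDC_DN" "$ADM_DN"; do
    cn=${dn#cn=}; cn=${cn%%,*}
    printf 'dn: %s\nobjectClass: organizationalRole\n' "$dn"
    printf 'objectClass: simpleSecurityObject\ncn: %s\n' "$cn"
    printf 'userPassword: CHANGE-ME\n\n'
  done
}

# LDIF that replaces the data database's ACLs. Rule {1} is the point: only the
# two service DNs may touch cn=krbcontainer (principal keys live there) and
# everyone else, including anonymous binds, gets nothing. The KDC is given
# write because it updates principal entries; tighten to read if yours never does.
acl_ldif() {
  cat <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn.subtree="$CONTAINER" by dn.exact="$KDC_DN" write by dn.exact="$ADM_DN" write by * none
olcAccess: {2}to * by * read
EOF
}

# Load the entries and ACL, then stash each service password for the daemons.
# Afterwards point ldap_kdc_dn and ldap_kadmind_dn in kdc.conf at these DNs.
apply() {
  service_accounts_ldif | ldapadd -H ldapi:/// -x -W -D "cn=admin,$BASE"
  acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  kdb5_ldap_util stashsrvpw -f /usr/local/var/krb5kdc/admin.stash "$KDC_DN"
  kdb5_ldap_util stashsrvpw -f /usr/local/var/krb5kdc/admin.stash "$ADM_DN"
}

# Without --apply, only print the LDIF so it can be reviewed first.
case "${1-}" in --apply) apply ;; *) service_accounts_ldif; acl_ldif ;; esac
```

Run it once without arguments to review the generated LDIF, then with --apply on the LDAP host.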

  • When you create your database, instead of using kdb5_util, you use kdb5_ldap_util, like so:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

You'll have to enter your OpenLDAP admin password, which will be stored in the admin.stash file for use by the KDC and kadmind.

There is more information in the krb5 admin guide (see the doc subdir of your source tree).