https://k5wiki.kerberos.org/w/api.php?action=feedcontributions&feedformat=atom&user=Haoqili
K5Wiki - User contributions [en]
2026-05-13T02:49:30Z
User contributions
MediaWiki 1.27.4
https://k5wiki.kerberos.org/wiki?title=User_talk:Haoqili&diff=3843
User talk:Haoqili
2011-03-23T18:18:45Z
<p>Haoqili: I moved the notes I had from my personal wiki here. I'm destroying my personal wiki.</p>
<hr />
<div>Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.<br><br />
<strong>我能, 我能!</strong><br />
<br />
==Things to do==<br />
* figure out why:<br />
<pre><br />
My password for ldap is "a" I have tried both upper and lower cases, but I always get:<br />
<br />
$ /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -w a -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s<br />
kdb5_ldap_util: Invalid credentials while initializing database<br />
</pre><br />
<br />
and this:<br />
<br />
<pre><br />
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL =b dc=example,dc=com<br />
Enter LDAP Password: <br />
ldap_bind: Invalid credentials (49)<br />
</pre><br />
<br />
* make keystash in mkm py the right place<br />
<br />
==Kerberos Little Bugs I've encountered and fixed (started loggin since Jun 24th).==<br />
<br />
* When trying to ''kinit username''<br />
: ERROR: ''kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials''<br />
: SOLUTION: make sure KDC is running. ''/usr/local/sbin/krb5kdc''<br />
: SOLUTION: 1. check log file. I looked in /var/log/auth.log. The bottom of it says: ''Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exits''. 2. ''sudo rm /var/tmp/krb5kdc_rcache.<br />
<br />
* Can't start krb5kdc and in auth.log it says:<br />
: ERROR: ''Address already in use - Cannot bind server socket to port [#] address [IP address]''<br />
: ERROR: ''<open file '<fdopen>', mode 'rb' at 0x9a38660>''<br />
: SOLUTION: 1. see if it is true that port [#] is in use by ''netstat -nap | grep [#]'' (I also did ''pgrep -x krb5kdc''). 2. kill the process: ''pkill -x krb5kdc''. note the "-x" is for matching exactly the process "krb5kdc".<br />
<br />
* When changing password 'kpasswd', ''Cannot contact any KDC for realm [your realm fqdn]''<br />
* and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:<br />
: ERROR: <br />
::<pre><br />
::kadmind[6924]: No dictionary file specified, continuing without one.<br />
::kadmind[6924]: setting up network...<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0<br />
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::<br />
::kadmind[6924]: skipping unrecognized local address family 17<br />
::kadmind[6924]: skipping unrecognized local address family 17<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145<br />
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked<br />
::kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464<br />
::kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749<br />
::kadmind[6924]: set up 0 sockets<br />
::kadmind[6924]: no sockets set up?<br />
::</pre><br />
: Reason (provided by tlyu): It is trying to bind to a privileged port. you need to give it a different port number. actually, two different port numbers: one for password changing and one for normal kadmin.<br />
: SOLUTION:<br />
::<pre><br />
::In kdc.conf inserted the last two lines here<br />
::<br />
::kdc_ports = 8888<br />
::kpasswd_port = 8887<br />
::kadmind_port = 8886<br />
::</pre><br />
<br />
::<pre><br />
::In krb5.conf modify/insert the lines:<br />
::<br />
::admin_server = yourComputerName.domain:8886<br />
::kpasswd_server = yourComputerName.domain:8887<br />
::</pre><br />
<br />
* Purge key (''kdb5_util purge_mkeys'') gives an error<br />
: ERROR:<br />
::<pre><br />
::kdb5_util: Invalid argument while updating actkvno data for master principal entry<br />
::</pre><br />
: SOLUTION:<br />
::<pre><br />
:: #you must activate the keys that have not been "used" like this:<br />
:: kdb5_util use_mkey kvno [time]<br />
:: #i.e. kdb5_util use_mkey 2 'now+2days'<br />
::</pre><br />
<br />
* when running a kadmin command. Runs into operation requires xx privilege error<br />
: ERROR:<br />
::<pre><br />
:: $ kadmin -p haoqili/admin -w test123 -q 'listprincs'<br />
:: Authenticating as principal haoqili/admin with password.<br />
:: get_principals: Operation requires ``list'' privilege while retrieving list.<br />
::</pre><br />
: SOLUTION:<br />
: I didn't create my acl file yet. In kdc.conf, I have specified ''acl_file = /home/haoqili/kdcfiles/kadm5.acl'' and now I need to create the kadm5.acl<br />
::<pre><br />
:: #kadm5.acl, setting up my "admin" principal with all rights, i.e. *<br />
:: haoqili/admin *<br />
::</pre><br />
: Also, before I created the kadm5.acl, I used ''echo $?'' to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."<br />
:: P.S. I later changed the line in my acl file to be ''*/admin *'' to allow others<br />
<br />
==Python Bugs I've encountered and fixed==<br />
<br />
* When talking to the terminal shell, a command (in my case, ''kdbt_util add_mkey'') asks for password twice (second time is confirmation). I first tried:<br />
::<pre><br />
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
::(out, err) = p.communicate('password')<br />
::(out2, err2) = p.communicate('password')<br />
::</pre><br />
:When I ran it, I got a chunk of error that ends with: ''ValueError: I/O operation on closed file''. So what happens is that communicate closes the pipe, it breaks (even if it only runs once). <br><br />
:Solution code:<br />
::<pre><br />
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
::p.stdin.write('password'+'\n')<br />
::p.stdin.write('password'+'\n')<br />
::</pre><br />
:Note don't forget the new line at the end.<br />
<br />
==Tips. Useful little things to know==<br />
=== Kerberos ===<br />
* [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html Good link]<br />
* '' kadmin.local -q 'modprinc +needchange [princname]' '', the flag ''needchange'' forces the principal to change its password upon kinit.<br />
* '' kadmin.local -q 'modprinc -policy [policyname] [princname]' '' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.<br />
* There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey <br />
* AES has replaced Triple DES but there are still places taht have Triple DES set as the default (such as in ''klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile]'')<br />
* Test date. Navigate to src/kadmin/cli <br />
** delete 2nd argument in main of getdate.y<br />
** ''rm getdate.c''<br />
** ''make getdate.c''<br />
** ''gcc -o datetest -DTEST getdate.c -I../../include''<br />
** ./datetest<br />
<br />
* ''kadmind -nofork'' is useful in python because it tells it to wait first so that later processes can happen later and don't have to get timed out.<br />
::<pre><br />
::l0b = self.parentpath+'kadmind -nofork'<br />
::pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
:: print "kadmind -nofork"<br />
:: while (True):<br />
:: l = pl0b.stderr.readline()<br />
:: if l.find("starting") > -1: #for kadmind: starting ...<br />
:: print l.strip() <br />
:: break <br />
::</pre><br />
<br />
=== Ubuntu ===<br />
* Change computer name: <code>gksudo gedit /etc/hostname</code><br />
* Change Colors<br />
** Change color of background is easy. Just go to "Edit" and "Profile Preferences"<br />
** Change color of the prompt line is more difficult. [http://ubuntuforums.org/showthread.php?t=614743 Here is a good guide], but it is in a lot more detail than I needed. You can read that if you don't want the prompt color to be green or want to know how it works. But most basically:<br />
**# Navigate to home. <code>cd ~/</code><br />
**# <code>vim .bashrc</code><br />
**# Un-comment: <code>#force_color_prompt=yes</code> by deleting the #<br />
**# Open a new terminal to see the result<br />
** I have:<br />
<pre><br />
# uncomment for a colored prompt, if the terminal has the capability; turned<br />
# off by default to not distract the user: the focus in a terminal window<br />
# should be on the output of commands, not on the prompt<br />
force_color_prompt=yes<br />
<br />
if [ -n "$force_color_prompt" ]; then<br />
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then<br />
# We have color support; assume it's compliant with Ecma-48<br />
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such<br />
# a case would tend to support setf rather than setaf.)<br />
color_prompt=yes<br />
else<br />
color_prompt=<br />
fi<br />
fi<br />
<br />
# ANSI color codes<br />
RS="\[\033[0m\]" # reset<br />
HC="\[\033[1m\]" # hicolor<br />
UL="\[\033[4m\]" # underline<br />
INV="\[\033[7m\]" # inverse background and foreground<br />
FBLK="\[\033[30m\]" # foreground black<br />
FRED="\[\033[31m\]" # foreground red<br />
FGRN="\[\033[32m\]" # foreground green<br />
FYEL="\[\033[33m\]" # foreground yellow<br />
FBLE="\[\033[34m\]" # foreground blue<br />
FMAG="\[\033[35m\]" # foreground magenta<br />
FCYN="\[\033[36m\]" # foreground cyan<br />
FWHT="\[\033[37m\]" # foreground white<br />
BBLK="\[\033[40m\]" # background black<br />
BRED="\[\033[41m\]" # background red<br />
BGRN="\[\033[42m\]" # background green<br />
BYEL="\[\033[43m\]" # background yellow<br />
BBLE="\[\033[44m\]" # background blue<br />
BMAG="\[\033[45m\]" # background magenta<br />
BCYN="\[\033[46m\]" # background cyan<br />
BWHT="\[\033[47m\]" # background white<br />
<br />
if [ "$color_prompt" = yes ]; then<br />
# PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '<br />
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '<br />
<br />
#PS1="[ ${debian_chroot:+($debian_chroot)}\u: \w ]\\$ "<br />
#PS2="> "<br />
#PS1=" $FRED${debian_chroot:+($debian_chroot)}"<br />
#PS2="> "<br />
else<br />
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '<br />
fi<br />
unset color_prompt force_color_prompt<br />
</pre><br />
* Change root password:<br />
** Reboot<br />
** ESC to Recovery Mode<br />
** (wait)<br />
** click: root Drop to root shell prompt<br />
** <code>ls /home</code><br />
** <code>passwd ''username''</code><br />
** change your password<br />
** <code>exit</code><br />
** click: resume<br />
* The Caps Lock light is reversed. <br />
: Reset Caps Lock: <code>xmodmap -e "remove Lock = Caps_Lock"</code> and then <code>xmodmap -e "add Lock = Caps_Lock"</code><br />
<br />
=== Shell ===<br />
* [http://www.unixprogram.com/grep/using_egrep.html grep vs. egrep]<br />
::<pre><br />
::The following characters have special meanings in grep or egrep:<br />
::<br />
:: In egrep:<br />
:: | ^ $ . * + ? ( ) [ { } \<br />
:: In grep:<br />
:: ^ $ . * \( \) [ \{ \} \<br />
::</pre><br />
<br />
* 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like '' blah 2> /dev/null'' puts blah's STDERR into /dev/null<br />
<br />
* > overwrites, >> appends<br />
:: not see what's writing: ''ksh filename > writefilename 2>&1'', the 2>&1 writes the errors as well<br />
:: see what's writing: ''ksh filename 2>&1 | tee writefilename''<br />
<br />
* ksh: typeset'ing vars in a function makes those vars local to the function.<br />
<br />
* Avoid typing in sudo password everytime:<br />
*: Edit <code>/etc/sudoers</code> such that under the line <code> root ALL=(ALL) ALL</code>, this line is added: <code> [username] ALL=(ALL) ALL</code><br />
<br />
* Add a path as the first option in a path<br />
*: e.g. slapd's path. Currently when you do <code>echo $PATH</code>, <code>/usr/local/sbin</code> shows in front. I want to add <code>/usr/local/libexec</code>.<br><br />
<pre><br />
export PATH=/usr/local/libexec:$PATH<br />
</pre><br />
:: Now I have <code>/usr/local/libexec</code> as the first option under <code>echo $PATH</code><br />
<br />
* <code>pkill</code> doesn't always work. Use <code>pkill -9</code> or <code>pkill -15</code> instead. Same with <code>sudo kill</code>.<br />
<br />
* A Debugger! :D <code>gdb [command]</code><br />
<br />
=== Python ===<br />
<br>Common Stuff<br />
* Cannot do ''[print line for line in linelist]'' must have a function that prints the line, call it, printl(), and do ''[printl(line) for line in linelist]''<br />
<br />
More Specific Stuff<br />
*''p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)''<br />
:''(out, err) = p.communicate('inputThing\n')'' <-- don't forget the return "\n" at the end!<br />
* When you're doing a bunch of p=Popen('shell command') be careful because Popen starts a new branch so the next Popen might start without the previous one having completed. To fix this problem, put in:<br />
::<pre><br />
::if int(p.wait()) != 0: #meaning that it's not executed<br />
:: print "error message"<br />
:: exit<br />
::</pre><br />
<br />
* Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009<br />
:Way 1:<br />
::<pre><br />
::p = Popen(['commannd', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']<br />
::if int(p.wait()) != 0:<br />
::print p.stdout.readlines()<br />
::</pre><br />
:Way 2:<br />
::<pre><br />
::p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']<br />
::(out, err) = p.communicate('rest of command') #e.g. 'listprincs'<br />
::print out<br />
::</pre><br />
<br />
* Not type in a chunk of common code every time, i.e.<br />
:: ''p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)''<br />
:This can be changed to:<br />
::<pre><br />
:: s = {stdin:PIPE, stdout=PIPE, stderr=PIPE}<br />
:: p = Popen(cmd, **s)<br />
::</pre><br />
<br />
* For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.<br />
:: '' p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
<br />
* The p.stdout.readlines() can be read only once<br />
<br />
* Print current time in python:<br />
::<pre><br />
:: from time import strftime<br />
:: print "current time: "+strftime("%Y-%m-%d %H:%M:%S")<br />
::</pre><br />
: Output: ''current time: 2009-07-06 22:00:54''<br />
<br />
* Sleep for 7 seconds. <br />
::<pre><br />
:: import time<br />
:: time.sleep(7)<br />
::</pre><br />
<br />
* Popen( env=blah ) this argument only needs to be specified when the environment is changing<br />
<br />
* To terminate a while loop after 3 seconds do: <code>while time.clock() < 3: blah</code> remember to <code>import time</code><br />
<br />
* Kadmin's wait() number (exit number) failed to point out that there is an error. The chunk below was generated when I tested it manually. It clearly pointed out that the acl file is missing (documented before).<br />
<pre><br />
$ kadmin -p haoqili/admin -w test123 -q 'getprinc test'<br />
Authenticating as principal haoqili/admin with password.<br />
get_principal: Operation requires ``get'' privilege while retrieving "test@K.MIT.EDU".<br />
</pre><br />
: What I saw in the output of the test was just the line "Authenticating ...", because wait() = 0, I only printed out stdout. However the last line was in the stderr. So I asked Tom if the existence of a stderr message is a better indicator of the success/failure of a command compared to the exit number. The answer is "not necessarily". <br />
:Tom: Some programs write things to stderr even when there's not an error.<br><br />
:Me: why would they do that?<br><br />
:Tom: various reasons. sometimes prompts are written to stderr so they won't end up in redirected output by default.<br />
<br />
* Ordering of stdout/stderr messages:<br />
: Tom: if you use separate pipes for stderr and stdout, you may get the relative ordering of the messages mixed up if you print all stdout, then print all stderr.<br />
: Me: right now I have stdin=PIPE, stdout=PIPE, stderr=PIPE. Is this separate pipes or the same pipe?<br />
: Tom: separate pipes, i think.<br />
: Tom: so to get program output in order, i would make stderr=STDOUT when creating the subprocess, and check the value of wait()<br />
<pre><br />
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,<br />
stderr=PIPE)<br />
<br />
This gives all outputs together, and all errors together<br />
<br />
= = = <br />
<br />
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,<br />
stderr=STDOUT)<br />
<br />
This gives the outputs and errors in the order they come.<br />
</pre><br />
<br />
== MKM Errors Put Aside ==<br />
* Adding the 1058th master key gives a memory error<br />
<br />
* getdate.y has problems:<br />
::<pre><br />
::/trunk/src/kadmin/cli$ ./datetest<br />
::Enter date, or blank line to exit.<br />
:: > 6 months<br />
::Sat Jan 9 14:22:36 2010<br />
:: > 12/31/2009<br />
::Wed Dec 30 23:00:00 2009<br />
:: > 07/10/2009<br />
::Thu Jul 9 23:00:00 2009<br />
:: > 01/01/2009<br />
::Wed Dec 31 23:00:00 2008<br />
:: > 01/01/2009 00:00:00<br />
::Wed Dec 31 23:00:00 2008<br />
::</pre><br />
<br />
* Phantom list_mkey error after adding ''-e aes128-cts-hmac-sha1-96''. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.<br />
<br />
:<pre><br />
::for lines 283-289:<br />
::print "Testing add_mkey with aes128 enctype<br />
::=============================================="<br />
::kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF<br />
::abcde<br />
::abcde<br />
::EOF<br />
::kdb5_util list_mkeys<br />
::print "Testing add_mkey with aes128 enctype done<br />
::=============================================="<br />
::<br />
::The list_mkeys at the bottom is giving the following error:<br />
::<br />
::kdb5_util: Unable to decrypt latest master key with the provided master key<br />
:: while getting master key list<br />
::kdb5_util: Warning: proceeding without master key list<br />
::kdb5_util: master keylist not initialized<br />
:</pre><br />
<br />
== Getting LDAP Running ==<br />
<br />
[http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend configure kerberos with LDAP backend]<br />
<br />
[http://quark.humbug.org.au/publications/ldap/ldap_tut.html Nice looking LDAP tutorial]<br />
<br />
* (DON'T FORLLOW THESE STEPS, WILL HAVE CONFLICTS, follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html<br />
* Install BerkeleyDB<br />
** Download berkeleydb4.7<br />
** cd to folder<br />
** ''cd build_unix'' (on my Ubuntu)<br />
** ''../dist/configure''<br />
** ''make''<br />
** ''sudo make install''<br />
* Install Open LDAP<br />
** ''./configure'' (fails)<br />
:ERROR: DBD/HDB:BerkeleyDB not available<br />
:Fixed: ''CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include"'' then ''export CPPFLAGS''<br />
:* ''./configure''<br />
:* ''make depend''<br />
:* ''make'' (fails)<br />
:ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known<br />
:FIXED: ''CPPFLAGS=-D_GNU_SOURCE'' then ''export CPPFLAGS''<br />
:* ''make''<br />
:* ''make test'' (takes a while)<br />
:* ''sudo make install'' (installed in /usr/local/etc/openldap)<br />
* Change configuration file at /usr/local/etc/openldap/slapd.conf<br />
:* <my-domain> <-- example<br />
:* <com> <-- com<br />
:* password is still "secret"<br />
:* cn is still "Manager"<br />
* Start SLAPD: ''sudo /usr/local/libexec/slapd''<br />
** Check if it works by a search: ldapsearch blah<br />
* Add entries. Consult link above.<br />
<br />
What I should have done. Faster, simpler. <b>Directions given by Greg Hudson.</b><br><br />
<b>1.</b> ''sudo apt-get install slapd'' (for server program)<br><br />
<b>2.</b> ''sudo apt-get install ldap-utils'' (for ldapsearch)<br><br />
<b>3.</b> copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema<br><br />
<b>4.</b> In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine<br><br />
<b>5.</b> ldapsearch test:<br><br />
:: ''ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com''<br />
:::''-H ldapi:///'' indicate the URI for the LDAP server<br />
:::''-x'' simple authentication<br />
:::''-W'' password prompt<br />
:::''-D cn=Manager,dc=example,dc=com'' specify the "bind DN", like a username<br />
:::''-LLL'' shortens output<br />
:::''-b'' specify base of query to restrict the scope of the query<br><br />
<b>6.</b> ''sudo apt-get install libldap2-dev''<br><br />
<b>7.</b> Modify kdc.conf to include:<br />
<pre><br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com<br />
ldap_kdc_dn = cn=admin,dc=example,dc=com<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=com<br />
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
</pre><br />
<b>8.</b> Build krb5 from source with a different configure command: <code>./configure --with-ldap</code><br><br />
<b>9.</b> Create your database not with <code>kdb5_util</code>, but with <code>kdb5_ldap_util</code> like this:<br />
<code>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code><br />
<br />
<p>@ end of step 6. I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following <br><br />
ERROR:<br />
<pre>$ sudo apt-get install slapd<br />
Reading package lists... Done<br />
Building dependency tree <br />
Reading state information... Done<br />
slapd is already the newest version.<br />
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.<br />
1 not fully installed or removed.<br />
After this operation, 0B of additional disk space will be used.<br />
Setting up slapd (2.4.15-1ubuntu3) ...<br />
Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following<br />
error while running slapadd:<br />
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)<br />
slapadd: could not parse entry (line=16)<br />
dpkg: error processing slapd (--configure):<br />
subprocess post-installation script returned error exit status 1<br />
Errors were encountered while processing:<br />
slapd<br />
E: Sub-process /usr/bin/dpkg returned an error code (1)<br />
</pre><br />
<br />
It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.<br />
<br />
SOLUTION: I fixed this error by removing a slapd to avoid conflicts in the slapd already installed from source: <code>sudo apt-get remove slapd</code> Note how in the top of the error it says that whatever I was installing "is already the newest version", but there was the rest of the stuff because of the slapd conflict.<br />
<br />
Step 5 then failed with error: <br />
<pre>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</pre><br />
<br />
It can be fixed if slapd is started more specifically:<br />
''sudo /usr/local/libexec/slapd -h ldapi:///''<br />
<br />
=== Everything was a mess! But here are some of things I did despite of the mess ===<br />
<br />
* Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.<br />
*# Kill an existing slapd: <code> ps -ef | grep slapd </code> and then <code> sudo kill -9 [the left side number]</code><br />
*# Set up new slapd: <code> sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 </code> (667, a bigger number works, 389 a smaller number wouldn't work. <br />
*# Test if slapd is running by doing a search: <code> ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret</code><br />
<br />
==== Adding LDAP Entries ====<br />
<br />
* Then I created 2 new LDAP entries:<br />
** Create this file named <code>example.ldif</code><br />
<pre><br />
dn: dc=example,dc=com<br />
objectclass: dcObject<br />
objectclass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
dn: cn=Manager,dc=example,dc=com<br />
objectclass: organizationalRole<br />
cn: Manager<br />
</pre><br />
**:Note that the objectclass names cannot be changed, they have been predetermined<br />
** Add them: <code> ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif<br />
** Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code><br />
**: result:<br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=*)<br />
# requesting: ALL<br />
#<br />
<br />
# example.com<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
# Manager, example.com<br />
dn: cn=Manager,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: Manager<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 3<br />
# numEntries: 2<br />
</pre><br />
<br />
* An important thing I learned is that I can't randomly put entries. The object classes are all specified and so are the other entries that comes with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these entries: "description", "seeAlso", "telephoneNumber", and "userPassword." <br />
** I ran into some errors when I followed the examples for adding "person" on some websites because they included a "title" entry, which is not allowed<br />
** [http://www.it.ufl.edu/projects/directory/ldap-schema/oc-PERSON.html Here is where I learned which entries are allowed]<br />
* With this knowledge, I made <code> example3.ldif</code><br />
<pre><br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectclass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
</pre><br />
* Add this entry: <code> ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif</code><br />
<br />
* Now, the search result of all object classes look like this:<br />
*:<code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code><br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=*)<br />
# requesting: ALL<br />
#<br />
<br />
# example.com<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
# Manager, example.com<br />
dn: cn=Manager,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: Manager<br />
<br />
# Zhanna Tsitkova, example.com<br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectClass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 5<br />
# numEntries: 4<br />
</pre><br />
<br />
*: Search for just "person" object class: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'</code><br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=person)<br />
# requesting: ALL<br />
#<br />
<br />
# Zhanna Tsitkova, example.com<br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectClass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 3<br />
# numEntries: 2<br />
</pre><br />
<br />
*: Search for just one entry: <code>ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'</code>. Note that the "cn=HaoQi" is not in the first set of single quotes.<br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: cn=HaoQi<br />
# requesting: ALL<br />
#<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 2<br />
# numEntries: 1<br />
</pre><br />
<br />
=== Starting LDAP ===<br />
<br />
Starting from a specific IP address and port number:<br />
: <code>sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:677</code> Note that it's "ldap", not "ldapi." The port number 677 was chosen arbitrarily. <br />
: To search to check that it works: <br />
: <code>ldapsearch -h 127.0.0.1 -p 677 -x -D cn=manager,dc=example,dc=com -w secret</code><br />
<br />
Starting from /:<br />
: <code>sudo /usr/local/libexec/slapd -h ldapi:///</code> Note that it's "ldapi", not "ldap"<br />
: To search to check that it works:<br />
: <code>ldapsearch -H ldapi:/// -x -D cn=manager,dc=example,dc=com -w secret</code><br />
<br />
To kill a slapd and start again:<br />
: <code>ps -ef | grep slapd</code> look for the left most number<br />
: <code>sudo kill -9 [left most number]</code><br />
<br />
=== Things I had to fix ===<br />
* I first did step 9 without doing step 8. So I got an kdb5_ldap_util not found error, but I was recommended by the computer to install krb5-kdc-ldap. DON'T DO THAT! because it is not what I want for the krb5 development, I want it to be running from the build (step 8). So I had to do a <code>sudo apt-get remove krb5-kdc-ldap</code>. In the end, the kdb5_ldap_util we want should be in <code>/usr/local/sbin/kdb5_ldap_util</code><br />
<br />
* @ step 8. while doing <code>./configure --with-ldap</code> it stopped with this:<br><br />
:ERROR: <code>configure: error: libldap not found or missing ldap_init</code>. <br><br />
:Greg told me to check if /usr/lib/libldap.so exists, and it does. Then I looked at config.log from the ./configure: Here are chunks of it, found in the middle of the log:<br />
<pre><br />
configure:24570: checking for ldap_init in -lldap<br />
configure:24605: gcc -o conftest -g -O2 conftest.c -lldap -lresolv >&5<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_pvt_sb_do_write@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_free@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_skip_data@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_reset@OPENLDAP_2.4_2'<br />
... 50 more lines like so ...<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_sockbuf_alloc@OPENLDAP_2.4_2'<br />
collect2: ld returned 1 exit status<br />
configure:24612: $? = 1<br />
configure: failed program was:<br />
| /* confdefs.h. */<br />
| #define PACKAGE_NAME "Kerberos 5"<br />
| #define PACKAGE_TARNAME "krb5"<br />
| #define PACKAGE_VERSION "1.7-prerelease"<br />
| #define PACKAGE_STRING "Kerberos 5 1.7-prerelease"<br />
| #define PACKAGE_BUGREPORT "krb5-bugs@mit.edu"<br />
| #define STDC_HEADERS 1<br />
| #define HAVE_SYS_TYPES_H 1<br />
| #define HAVE_SYS_STAT_H 1<br />
| #define HAVE_STDLIB_H 1<br />
... continues ...<br />
| #define HAVE_GETHOSTBYNAME_R 1<br />
| #define HAVE_GETSERVBYNAME_R 1<br />
| #define HAVE_GMTIME_R 1<br />
| #define HAVE_LOCALTIME_R 1<br />
| #define HAVE_LDAP_H 1<br />
| #define HAVE_LBER_H 1<br />
| /* end confdefs.h. */<br />
|<br />
| /* Override any GCC internal prototype to avoid an error.<br />
| Use char because int might match the return type of a GCC<br />
| builtin and then its argument prototype would still apply. */<br />
| #ifdef __cplusplus<br />
| extern "C"<br />
| #endif<br />
| char ldap_init ();<br />
| int<br />
| main ()<br />
| {<br />
| return ldap_init ();<br />
| ;<br />
| return 0;<br />
| }<br />
configure:24633: result: no<br />
configure:24638: error: libldap not found or missing ldap_init<br />
</pre><br />
<br />
:So Greg says: "I think maybe your OpenLDAP source installation in /usr/local/lib is messing up the system library." So it might be better if I start a new Ubuntu virtual machine without being stupid and compiling the entire OpenLDAP.<br />
<br />
NOTE: One of the solutions is to change the default configuration from /usr/local/lib to /usr/lib in /etc/ld.so.conf.d/libc.conf. Then run /sbin/ldconfig. <br />
<br />
=== Starting Over ===<br />
I ran into some more troubles. So I decided to start again, with a brand new virtual machine<br />
<br />
The bolded lines are for ldap. The non-bolded ones are for general make krb5 from source<br />
* To start again if you screwed up anywhere, do <code>make distclean</code> if you want to remove "make" or <code>make clean</code> if you don't want to remove "make" (sometimes you have to do <code>rm config.cache</code>), and then proceed to <code>util/reconf</code><br />
<br />
* Stuff you need to install for the krb5 build<br />
** subversion: <code>sudo apt-get install subversion</code><br />
** autoconf: <code>sudo apt-get install autoconf</code><br />
** <code>sudo apt-get install ncurses-dev</code><br />
** yacc: <code>sudo apt-get install byacc</code><br />
* <code>svn checkout svn://anonsvn.mit.edu/krb5/trunk</code><br />
* Navigate to trunk/src<br />
* <code>util/reconf</code><br />
* 1: <code><b>sudo apt-get install slapd</b></code><br />
* 2: <code><b>sudo apt-get install ldap-utils</b></code><br />
* 3: <b>Navigate to /etc/ldap/scheme and then do: <code>sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema</code></b><br />
* 4: <b><code>sudo vim /etc/default/slapd</code> and change SLAPD_SERVICES to: <code>SLAPD_SERVICES="ldapi:///"</code> to restrict access to the local machine</b><br />
* 5: <b>Test to see if it works by: <code>ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com</code></b><br />
* 6: <b><code>sudo apt-get install libldap2-dev</code></b><br />
* 8: <b><code>./configure --with-ldap</code></b> Skipping step 7 intentionally. It can be done later. If you are not doing ldap stuff, just do <code>./configure</code><br />
* <code>make</code><br />
* <code>sudo make install</code><br><br />
(I didn't do <code>make check</code>)<br />
* 7: <b> Change kdc.conf according to 7. above</b><br />
* 9: <b> To run it: <code>sudo /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code></b><br />
<br />
=== Figuring out stuff ===<br />
* [ https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf good guide]<br />
** Locate the kerberos schema: <br />
:: /etc/ldap/schema/kerberos.schema<br />
:* Create this file:<br />
:: sudo vim /etc/ldap/schema/schema_testing.conf<br />
<pre><br />
include /etc/ldap/schema/core.schema<br />
include /etc/ldap/schema/collective.schema<br />
include /etc/ldap/schema/corba.schema<br />
include /etc/ldap/schema/cosine.schema<br />
include /etc/ldap/schema/duaconf.schema<br />
include /etc/ldap/schema/dyngroup.schema<br />
include /etc/ldap/schema/inetorgperson.schema<br />
include /etc/ldap/schema/java.schema<br />
include /etc/ldap/schema/kerberos.schema<br />
include /etc/ldap/schema/nis.schema<br />
include /etc/ldap/schema/openldap.schema<br />
include /etc/ldap/schema/ppolicy.schema<br />
</pre><br />
:* Make the temp dir to hold output: <br />
:: mkdir /tmp/ldifoutput<br />
:* Convert schema --> LDIF with slaptest:<br />
:: slaptest -f schema_testing.conf -F /tmp/ldifoutput<br />
:* Edit /tmp/ldifoutput/cn=config/cn=schema/cn={8}kerberos.ldif<br />
:: sudo vi /tmp/ldifoutput/cn\=config/cn\=schema/cn\=\{8\}kerberos.ldif <br />
<pre><br />
change dn: cn={8}kerberos into<br />
dn: dn: cn=kerberos,cn=schema,cn=config<br />
<br />
change cn: {8}kerberos into<br />
cn: kerberos<br />
<br />
remove lines:<br />
structuralObjectClass: olcsch... <br />
till end<br />
<pre><br />
:* Start the slapd<br />
:: sudo slpad -h ldapi:/// -F /etc/ldap/slapd.d/ <br />
:: The "-F" is for slapd-config-directory<br />
:*<br />
=== LDAP notes ===<br />
<br />
* Man pages<br />
** [http://docs.sun.com/app/docs/doc/816-5166/kdb5-ldap-util-1m?a=view good man page]<br />
** [http://linux.die.net/man/8/kdb5_ldap_util another one]<br />
<br />
* If you can't start slapd, try <code>sudo</code><br />
* [http://www.openldap.org/doc/admin21/runningslapd.html bug level, -d #]<br />
<pre><br />
Level Description<br />
-1 enable all debugging<br />
0 no debugging<br />
1 trace function calls<br />
2 debug packet handling<br />
4 heavy trace debugging<br />
8 connection management<br />
16 print out packets sent and received<br />
32 search filter processing<br />
64 configuration file processing<br />
128 access control list processing<br />
256 stats log connections/operations/results<br />
512 stats log entries sent<br />
1024 print communication with shell backends<br />
2048 print entry parsing debugging <br />
</pre><br />
<br />
* src/kadmin/dbutil/kdb5_ldap_util<br />
* src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util<br />
<br />
== Ldap notes (from notes I saved elsewhere) ==<br />
=== 1. Information about the system ===<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
=== 2. Kerb Schema Operations ===<br />
[https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf loosely following section 6.4]<br />
<br />
[[kerberos.schema]]<br />
schema --> ldif<br />
populate all the directories<br />
<br />
=== 3. ldap/slapd configuration changes ===<br />
take out lines, modify lines<br />
<br />
=== 4. Extract krb conf files ===<br />
<br />
=== 5. Env ===<br />
<br />
=== 6. Build kerb. config ===<br />
<br />
<br />
* You'll need a test OpenLDAP server. To get this, you'll need to<br />
install the slapd package (for the server program) and the ldap-utils<br />
package (for ldapsearch). You can set the "domain" of your LDAP server<br />
using "sudo dpkg-reconfigure slapd". I will assume example.com below.<br />
I believe this will also prompt you for an admin password.<br />
<br />
* You'll need to copy kerberos.schema from the source tree<br />
(src/plugins/kdb/ldap/libkdb_<br />
ldap/kerberos.schema)<br />
into /etc/ldap/schema.<br />
<br />
* In /etc/default/slapd, search for SLAPD_SERVICES and set it to:<br />
<br />
SLAPD_SERVICES="ldapi:///"<br />
<br />
This will restrict access to the local machine.<br />
<br />
* You may want to get familiar with the ldapsearch program. Here's an<br />
example of how to use it against the test server installed above:<br />
<br />
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b<br />
dc=example,dc=com<br />
<br />
This command displays all of the entries in your LDAP database. The<br />
-H option and argument indicate the URI of the LDAP server; ldapi:///<br />
means "a Unix-domain socket on the local machine". -x means to use<br />
simple authentication and -W means to prompt for a password (the admin<br />
password you chose previously). The -D option and argument specify the<br />
"bind DN", which you can think of as a username. The -LLL option<br />
shortens the output format a bit; you can leave that out if you want.<br />
The -b option specifies the base of the query; in this case, the whole<br />
thing. It's also worth reading the man page for the meaning of the -s<br />
option (restrict the scope of the query) and for the filter syntax.<br />
<br />
* To build Kerberos with LDAP back end support, you need to install the<br />
libldap2-dev package, and configure with --with-ldap.<br />
<br />
* Configuring your KDC is similar to setting up a normal KDC, but your<br />
dbmodule directive will look something like this:<br />
<br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com<br />
ldap_kdc_dn = cn=admin,dc=example,dc=com<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=com<br />
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
<br />
(In a real deployment, you would probably create user DNs for the KDC<br />
and kadmin rather than using the admin DN, and grant them the minimum<br />
necessary access. But creating users in an OpenLDAP database didn't<br />
appear straightforward to me, so I skipped that step in my testing.)<br />
<br />
* When you create your database, instead of using kdb5_util, you use<br />
kdb5_ldap_util, like so:<br />
<br />
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \<br />
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s<br />
<br />
You'll have to enter your OpenLDAP admin pasword, which will be stored<br />
in the admin.stash file for use by the KDC and kadmind.<br />
<br />
There is more information in the krb5 admin guide (see the doc subdir of<br />
your source tree).</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2208
LDAP on Kerberos
2009-08-26T15:46:52Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Note if you get a "Can't contact LDAP server" error, check your <code>ps -ef | grep slapd</code> to see its details and change accordingly. A common way to fix it is to sudo ldapadd with ldap:/// instead of ldapi:///<br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s<br />
*: note that if you have ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]<br />
<br />
* Here is a series of steps, some with errors that I got when I am changing the domain name (specified from sudo dpkg-reconfigure slapd) from "example.org" to "D.COM." The errors might be helpful in pointing people to the right direction if they encounter the same errors.<br />
** With my config files still with realms set to "example.org", after I did<br />
<pre><br />
sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
Enter LDAP Password: <br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
</pre><br />
<br />
** I then did <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s </code><br />
**: ERROR: kdb5_ldap_util: Invalid credentials while initializing database<br />
**: Explaination: this is because the dc is no longer example.org anymore. So I did:<br />
** Changing this command to reflect the correct domain: <code>kdb5_ldap_util -D cn=admin,dc=D,dc=COM -H ldapi:/// create -s</code><br />
**: Output:<br />
<pre><br />
Password for "cn=admin,dc=D,dc=COM": <br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
**: ERROR: kdb5_ldap_util: Kerberos Container create FAILED: Server is unwilling to perform while creating realm 'EXAMPLE.ORG'<br />
**: Explaination: this is because even though the command domain names have changed, the config files (krb5.conf, kdc.conf) also need to reflect the correct domain name.<br />
* After changing all the example.org's into d.com's, the create command worked. So I proceeded to: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// stashsrvpw cn=admin,dc=D,dc=COM</code>, I entered my passwords<br />
* kadmin.local and krb5kdc failed with errors:<br />
<pre><br />
$ kadmin.local<br />
Authenticating as principal haoqili/admin@D.COM with password.<br />
kadmin.local: Server error while initializing kadmin.local interface<br />
<br />
$ krb5kdc<br />
krb5kdc: cannot initialize realm D.COM - see log file for details<br />
</pre><br />
** I looked at the kdc log file, it says: ''krb5kdc: Error reading password from stash: Bind DN entry missing in stash file - while initializing database for realm D.COM''<br />
*$ kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
*: Password for "cn=admin,dc=example,dc=org": <br />
*: Re-enter password for "cn=admin,dc=example,dc=org": <br />
*: ERROR: kdb5_ldap_util: Permission denied Failed to open file /usr/local/var/service_passwd: Permission denied<br />
*: SOLUTION: make sure your config files are exported in the terminal you use to do this command.</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Debconfile&diff=2185
Debconfile
2009-08-24T22:26:43Z
<p>Haoqili: </p>
<hr />
<div>save in /tmp/debconfile<br />
<br />
<pre><br />
slapd slapd/no_configuration boolean false<br />
slapd slapd/domain string example.org<br />
slapd shared/organization string My Organization<br />
slapd slapd/backend select HDB<br />
slapd slapd/purge_database boolean true<br />
slapd slapd/move_old_database boolean true<br />
slapd slapd/password1 password [YOUR PASSWORD]<br />
slapd slapd/password2 password [YOUR PASSWORD]<br />
slapd slapd/allow_ldap_v2 boolean false<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2184
LDAP on Kerberos
2009-08-24T19:51:21Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Note if you get a "Can't contact LDAP server" error, check your <code>ps -ef | grep slapd</code> to see its details and change accordingly. A common way to fix it is to sudo ldapadd with ldap:/// instead of ldapi:///<br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s<br />
*: note that if you have ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]<br />
<br />
* Here is a series of steps, some with errors that I got when I am changing the domain name (specified from sudo dpkg-reconfigure slapd) from "example.org" to "D.COM." The errors might be helpful in pointing people to the right direction if they encounter the same errors.<br />
** With my config files still with realms set to "example.org", after I did<br />
<pre><br />
sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
Enter LDAP Password: <br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
</pre><br />
<br />
** I then did <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s </code><br />
**: ERROR: kdb5_ldap_util: Invalid credentials while initializing database<br />
**: Explaination: this is because the dc is no longer example.org anymore. So I did:<br />
** Changing this command to reflect the correct domain: <code>kdb5_ldap_util -D cn=admin,dc=D,dc=COM -H ldapi:/// create -s</code><br />
**: Output:<br />
<pre><br />
Password for "cn=admin,dc=D,dc=COM": <br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
**: ERROR: kdb5_ldap_util: Kerberos Container create FAILED: Server is unwilling to perform while creating realm 'EXAMPLE.ORG'<br />
**: Explaination: this is because even though the command domain names have changed, the config files (krb5.conf, kdc.conf) also need to reflect the correct domain name.<br />
* After changing all the example.org's into d.com's, the create command worked. So I proceeded to: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// stashsrvpw cn=admin,dc=D,dc=COM</code>, I entered my passwords<br />
* kadmin.local and krb5kdc failed with errors:<br />
<pre><br />
$ kadmin.local<br />
Authenticating as principal haoqili/admin@D.COM with password.<br />
kadmin.local: Server error while initializing kadmin.local interface<br />
<br />
$ krb5kdc<br />
krb5kdc: cannot initialize realm D.COM - see log file for details<br />
</pre><br />
** I looked at the kdc log file, it says: ''krb5kdc: Error reading password from stash: Bind DN entry missing in stash file - while initializing database for realm D.COM''</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2183
LDAP on Kerberos
2009-08-24T19:37:20Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Note if you get a "Can't contact LDAP server" error, check your <code>ps -ef | grep slapd</code> to see its details and change accordingly. A common way to fix it is to sudo ldapadd with ldap:/// instead of ldapi:///<br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s<br />
*: note that if you have ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]<br />
<br />
* Here is a series of steps, some with errors that I got when I am changing the domain name (specified from sudo dpkg-reconfigure slapd) from "example.org" to "D.COM." The errors might be helpful in pointing people to the right direction if they encounter the same errors.<br />
** With my config files still with realms set to "example.org", after I did<br />
<pre><br />
sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
Enter LDAP Password: <br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
</pre><br />
<br />
** I then did <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s </code><br />
**: ERROR: kdb5_ldap_util: Invalid credentials while initializing database<br />
**: Explaination: this is because the dc is no longer example.org anymore. So I did:<br />
** Changing this command to reflect the correct domain: <code>kdb5_ldap_util -D cn=admin,dc=D,dc=COM -H ldapi:/// create -s</code><br />
**: Output:<br />
<pre><br />
Password for "cn=admin,dc=D,dc=COM": <br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
**: ERROR: kdb5_ldap_util: Kerberos Container create FAILED: Server is unwilling to perform while creating realm 'EXAMPLE.ORG'<br />
**: Explaination: this is because even though the command domain names have changed, the config files (krb5.conf, kdc.conf) also need to reflect the correct domain name.</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2182
LDAP on Kerberos
2009-08-24T15:48:38Z
<p>Haoqili: /* 6. Starting */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Note if you get a "Can't contact LDAP server" error, check your <code>ps -ef | grep slapd</code> to see its details and change accordingly. A common way to fix it is to sudo ldapadd with ldap:/// instead of ldapi:///<br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s<br />
*: note that if you have ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2181
LDAP on Kerberos
2009-08-24T15:14:46Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Note if you get a "Can't contact LDAP server" error, check your <code>ps -ef | grep slapd</code> to see its details and change accordingly. A common way to fix it is to sudo ldapadd with ldap:/// instead of ldapi:///<br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2180
LDAP on Kerberos
2009-08-24T15:06:47Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# <code>sudo apt-get install debconf-utils</code><br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Debconfile&diff=2179
Debconfile
2009-08-24T15:03:10Z
<p>Haoqili: New page: save in /tmp/debconfile <pre> slapd slapd/no_configuration boolean false slapd slapd/domain string example.org slapd shared/organization string My Organization slapd sla...</p>
<hr />
<div>save in /tmp/debconfile<br />
<br />
<pre><br />
slapd slapd/no_configuration boolean false<br />
slapd slapd/domain string example.org<br />
slapd shared/organization string My Organization<br />
slapd slapd/backend select HDB<br />
slapd slapd/purge_database boolean true<br />
slapd slapd/move_old_database boolean true<br />
slapd slapd/password1 password<br />
slapd slapd/password2 password<br />
slapd slapd/allow_ldap_v2 boolean false<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2178
LDAP on Kerberos
2009-08-24T15:02:51Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# Save this file in /tmp/debconfile: [[debconfile]]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2177
LDAP on Kerberos
2009-08-24T15:02:25Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set "domain" of your LDAP server <br />
#* Option 1, Interactive Option: <code>sudo dpkg-reconfigure slapd</code><br />
#*: Indented are the debconf-get-selections lines<br />
#*# Omit OpenLDAP server configuration: No<br />
#*#: slapd slapd/no_configuration boolean false<br />
#*# DNS domain name: example.org<br />
#*#: slapd slapd/domain string example.org<br />
#*# Organization name: example.org [note: i used the same name for simplicity]<br />
#*#: slapd shared/organization string example.org<br />
#*# Databases backend to use: HDB, instead of BDB<br />
#*#: slapd slapd/backend select HDB<br />
#*# Do you want the database to be removed when slapd is purge: Yes<br />
#*#: slapd slapd/purge_database boolean true<br />
#*# Move old database: Yes<br />
#*#: slapd slapd/move_old_database boolean true<br />
#*# Admin password: [your pwd]<br />
#*#: slapd slapd/password1 password<br />
#*#: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
#*# Confirm password: [your pwd]<br />
#*#: slapd slapd/password2 password<br />
#*# Allow LDAPv2 protocol: No<br />
#*#: slapd slapd/allow_ldap_v2 boolean false<br />
#* Option 2, Noninteractive Option<br />
#*# Save this file in /tmp/debconfile: [debconfile]<br />
#*# <code>sudo debconf-set-selections /tmp/debconfile</code><br />
#*# <code>sudo dpkg-reconfigure --frontend=noninteractive slapd</code> <br />
#* Checkpoint: If you are successful, you should see as output:<br />
#*: ''Stopping OpenLDAP: slapd.''<br />
#*: ''Moving old database directory to /var/backups:''<br />
#*: ''- directory unknown... done.''<br />
#*: ''Creating initial slapd configuration... done.''<br />
#*: ''Creating initial LDAP directory... done.''<br />
#*: ''* Reloading AppArmor profiles ''<br />
#*: ''... [ OK ]'' <br />
#*: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2176
LDAP on Kerberos
2009-08-24T14:12:46Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selections lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2175
LDAP on Kerberos
2009-08-24T14:11:17Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selections lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre><br />
<br />
*: SOLUTION: This will tell what is locking it: <code>fuser -v /var/cache/debconf/config.dat</code>. [ http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html From here.]</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2174
LDAP on Kerberos
2009-08-24T13:58:43Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selections lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre><br />
<br />
* DbDriver is locked<br />
<pre><br />
sudo debconf-set-selections /tmp/debconfile <br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
<br />
OR <br />
<br />
sudo dpkg-reconfigure --frontend=noninteractive<br />
[sudo] password for haoqili: <br />
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2165
LDAP on Kerberos
2009-08-21T21:01:46Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selections lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=User_talk:Haoqili&diff=2164
User talk:Haoqili
2009-08-21T19:22:30Z
<p>Haoqili: /* Figuring out stuff */</p>
<hr />
<div>Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.<br><br />
<strong>我能, 我能!</strong><br />
<br />
==Things to do==<br />
* figure out why:<br />
<pre><br />
My password for ldap is "a" I have tried both upper and lower cases, but I always get:<br />
<br />
$ /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -w a -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s<br />
kdb5_ldap_util: Invalid credentials while initializing database<br />
</pre><br />
<br />
and this:<br />
<br />
<pre><br />
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL =b dc=example,dc=com<br />
Enter LDAP Password: <br />
ldap_bind: Invalid credentials (49)<br />
</pre><br />
<br />
* make keystash in mkm py the right place<br />
<br />
==Kerberos Little Bugs I've encountered and fixed (started loggin since Jun 24th).==<br />
<br />
* When trying to ''kinit username''<br />
: ERROR: ''kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials''<br />
: SOLUTION: make sure KDC is running. ''/usr/local/sbin/krb5kdc''<br />
: SOLUTION: 1. check log file. I looked in /var/log/auth.log. The bottom of it says: ''Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exits''. 2. ''sudo rm /var/tmp/krb5kdc_rcache.<br />
<br />
* Can't start krb5kdc and in auth.log it says:<br />
: ERROR: ''Address already in use - Cannot bind server socket to port [#] address [IP address]''<br />
: ERROR: ''<open file '<fdopen>', mode 'rb' at 0x9a38660>''<br />
: SOLUTION: 1. see if it is true that port [#] is in use by ''netstat -nap | grep [#]'' (I also did ''pgrep -x krb5kdc''). 2. kill the process: ''pkill -x krb5kdc''. note the "-x" is for matching exactly the process "krb5kdc".<br />
<br />
* When changing password 'kpasswd', ''Cannot contact any KDC for realm [your realm fqdn]''<br />
* and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:<br />
: ERROR: <br />
::<pre><br />
::kadmind[6924]: No dictionary file specified, continuing without one.<br />
::kadmind[6924]: setting up network...<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0<br />
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::<br />
::kadmind[6924]: skipping unrecognized local address family 17<br />
::kadmind[6924]: skipping unrecognized local address family 17<br />
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145<br />
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked<br />
::kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464<br />
::kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749<br />
::kadmind[6924]: set up 0 sockets<br />
::kadmind[6924]: no sockets set up?<br />
::</pre><br />
: Reason (provided by tlyu): It is trying to bind to a privileged port. you need to give it a different port number. actually, two different port numbers: one for password changing and one for normal kadmin.<br />
: SOLUTION:<br />
::<pre><br />
::In kdc.conf inserted the last two lines here<br />
::<br />
::kdc_ports = 8888<br />
::kpasswd_port = 8887<br />
::kadmind_port = 8886<br />
::</pre><br />
<br />
::<pre><br />
::In krb5.conf modify/insert the lines:<br />
::<br />
::admin_server = yourComputerName.domain:8886<br />
::kpasswd_server = yourComputerName.domain:8887<br />
::</pre><br />
<br />
* Purge key (''kdb5_util purge_mkeys'') gives an error<br />
: ERROR:<br />
::<pre><br />
::kdb5_util: Invalid argument while updating actkvno data for master principal entry<br />
::</pre><br />
: SOLUTION:<br />
::<pre><br />
:: #you must activate the keys that have not been "used" like this:<br />
:: kdb5_util use_mkey kvno [time]<br />
:: #i.e. kdb5_util use_mkey 2 'now+2days'<br />
::</pre><br />
<br />
* when running a kadmin command. Runs into operation requires xx privilege error<br />
: ERROR:<br />
::<pre><br />
:: $ kadmin -p haoqili/admin -w test123 -q 'listprincs'<br />
:: Authenticating as principal haoqili/admin with password.<br />
:: get_principals: Operation requires ``list'' privilege while retrieving list.<br />
::</pre><br />
: SOLUTION:<br />
: I didn't create my acl file yet. In kdc.conf, I have specified ''acl_file = /home/haoqili/kdcfiles/kadm5.acl'' and now I need to create the kadm5.acl<br />
::<pre><br />
:: #kadm5.acl, setting up my "admin" principal with all rights, i.e. *<br />
:: haoqili/admin *<br />
::</pre><br />
: Also, before I created the kadm5.acl, I used ''echo $?'' to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."<br />
:: P.S. I later changed the line in my acl file to be ''*/admin *'' to allow others<br />
<br />
==Python Bugs I've encountered and fixed==<br />
<br />
* When talking to the terminal shell, a command (in my case, ''kdbt_util add_mkey'') asks for password twice (second time is confirmation). I first tried:<br />
::<pre><br />
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
::(out, err) = p.communicate('password')<br />
::(out2, err2) = p.communicate('password')<br />
::</pre><br />
:When I ran it, I got a chunk of error that ends with: ''ValueError: I/O operation on closed file''. So what happens is that communicate closes the pipe, it breaks (even if it only runs once). <br><br />
:Solution code:<br />
::<pre><br />
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
::p.stdin.write('password'+'\n')<br />
::p.stdin.write('password'+'\n')<br />
::</pre><br />
:Note don't forget the new line at the end.<br />
<br />
==Tips. Useful little things to know==<br />
=== Kerberos ===<br />
* [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html Good link]<br />
* '' kadmin.local -q 'modprinc +needchange [princname]' '', the flag ''needchange'' forces the principal to change its password upon kinit.<br />
* '' kadmin.local -q 'modprinc -policy [policyname] [princname]' '' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.<br />
* There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey <br />
* AES has replaced Triple DES but there are still places taht have Triple DES set as the default (such as in ''klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile]'')<br />
* Test date. Navigate to src/kadmin/cli <br />
** delete 2nd argument in main of getdate.y<br />
** ''rm getdate.c''<br />
** ''make getdate.c''<br />
** ''gcc -o datetest -DTEST getdate.c -I../../include''<br />
** ./datetest<br />
<br />
* ''kadmind -nofork'' is useful in python because it tells it to wait first so that later processes can happen later and don't have to get timed out.<br />
::<pre><br />
::l0b = self.parentpath+'kadmind -nofork'<br />
::pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
:: print "kadmind -nofork"<br />
:: while (True):<br />
:: l = pl0b.stderr.readline()<br />
:: if l.find("starting") > -1: #for kadmind: starting ...<br />
:: print l.strip() <br />
:: break <br />
::</pre><br />
<br />
=== Ubuntu ===<br />
* Change computer name: <code>gksudo gedit /etc/hostname</code><br />
* Change Colors<br />
** Change color of background is easy. Just go to "Edit" and "Profile Preferences"<br />
** Change color of the prompt line is more difficult. [http://ubuntuforums.org/showthread.php?t=614743 Here is a good guide], but it is in a lot more detail than I needed. You can read that if you don't want the prompt color to be green or want to know how it works. But most basically:<br />
**# Navigate to home. <code>cd ~/</code><br />
**# <code>vim .bashrc</code><br />
**# Un-comment: <code>#force_color_prompt=yes</code> by deleting the #<br />
**# Open a new terminal to see the result<br />
** I have:<br />
<pre><br />
# uncomment for a colored prompt, if the terminal has the capability; turned<br />
# off by default to not distract the user: the focus in a terminal window<br />
# should be on the output of commands, not on the prompt<br />
force_color_prompt=yes<br />
<br />
if [ -n "$force_color_prompt" ]; then<br />
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then<br />
# We have color support; assume it's compliant with Ecma-48<br />
# (ISO/IEC-6429). (Lack of such support is extremely rare, and such<br />
# a case would tend to support setf rather than setaf.)<br />
color_prompt=yes<br />
else<br />
color_prompt=<br />
fi<br />
fi<br />
<br />
# ANSI color codes<br />
RS="\[\033[0m\]" # reset<br />
HC="\[\033[1m\]" # hicolor<br />
UL="\[\033[4m\]" # underline<br />
INV="\[\033[7m\]" # inverse background and foreground<br />
FBLK="\[\033[30m\]" # foreground black<br />
FRED="\[\033[31m\]" # foreground red<br />
FGRN="\[\033[32m\]" # foreground green<br />
FYEL="\[\033[33m\]" # foreground yellow<br />
FBLE="\[\033[34m\]" # foreground blue<br />
FMAG="\[\033[35m\]" # foreground magenta<br />
FCYN="\[\033[36m\]" # foreground cyan<br />
FWHT="\[\033[37m\]" # foreground white<br />
BBLK="\[\033[40m\]" # background black<br />
BRED="\[\033[41m\]" # background red<br />
BGRN="\[\033[42m\]" # background green<br />
BYEL="\[\033[43m\]" # background yellow<br />
BBLE="\[\033[44m\]" # background blue<br />
BMAG="\[\033[45m\]" # background magenta<br />
BCYN="\[\033[46m\]" # background cyan<br />
BWHT="\[\033[47m\]" # background white<br />
<br />
if [ "$color_prompt" = yes ]; then<br />
# PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '<br />
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '<br />
<br />
#PS1="[ ${debian_chroot:+($debian_chroot)}\u: \w ]\\$ "<br />
#PS2="> "<br />
#PS1=" $FRED${debian_chroot:+($debian_chroot)}"<br />
#PS2="> "<br />
else<br />
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '<br />
fi<br />
unset color_prompt force_color_prompt<br />
</pre><br />
* Change root password:<br />
** Reboot<br />
** ESC to Recovery Mode<br />
** (wait)<br />
** click: root Drop to root shell prompt<br />
** <code>ls /home</code><br />
** <code>passwd ''username''</code><br />
** change your password<br />
** <code>exit</code><br />
** click: resume<br />
* The Caps Lock light is reversed. <br />
: Reset Caps Lock: <code>xmodmap -e "remove Lock = Caps_Lock"</code> and then <code>xmodmap -e "add Lock = Caps_Lock"</code><br />
<br />
=== Shell ===<br />
* [http://www.unixprogram.com/grep/using_egrep.html grep vs. egrep]<br />
::<pre><br />
::The following characters have special meanings in grep or egrep:<br />
::<br />
:: In egrep:<br />
:: | ^ $ . * + ? ( ) [ { } \<br />
:: In grep:<br />
:: ^ $ . * \( \) [ \{ \} \<br />
::</pre><br />
<br />
* 0 = STDIN, 1 = STDOUT, 2 = STDERR. Like '' blah 2> /dev/null'' puts blah's STDERR into /dev/null<br />
<br />
* > overwrites, >> appends<br />
:: not see what's writing: ''ksh filename > writefilename 2>&1'', the 2>&1 writes the errors as well<br />
:: see what's writing: ''ksh filename 2>&1 | tee writefilename''<br />
<br />
* ksh: typeset'ing vars in a function makes those vars local to the function.<br />
<br />
* Avoid typing in sudo password everytime:<br />
*: Edit <code>/etc/sudoers</code> such that under the line <code> root ALL=(ALL) ALL</code>, this line is added: <code> [username] ALL=(ALL) ALL</code><br />
<br />
* Add a path as the first option in a path<br />
*: e.g. slapd's path. Currently when you do <code>echo $PATH</code>, <code>/usr/local/sbin</code> shows in front. I want to add <code>/usr/local/libexec</code>.<br><br />
<pre><br />
export PATH=/usr/local/libexec:$PATH<br />
</pre><br />
:: Now I have <code>/usr/local/libexec</code> as the first option under <code>echo $PATH</code><br />
<br />
* <code>pkill</code> doesn't always work. Use <code>pkill -9</code> or <code>pkill -15</code> instead. Same with <code>sudo kill</code>.<br />
<br />
* A Debugger! :D <code>gdb [command]</code><br />
<br />
=== Python ===<br />
<br>Common Stuff<br />
* Cannot do ''[print line for line in linelist]'' must have a function that prints the line, call it, printl(), and do ''[printl(line) for line in linelist]''<br />
<br />
More Specific Stuff<br />
*''p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)''<br />
:''(out, err) = p.communicate('inputThing\n')'' <-- don't forget the return "\n" at the end!<br />
* When you're doing a bunch of p=Popen('shell command') be careful because Popen starts a new branch so the next Popen might start without the previous one having completed. To fix this problem, put in:<br />
::<pre><br />
::if int(p.wait()) != 0: #meaning that it's not executed<br />
:: print "error message"<br />
:: exit<br />
::</pre><br />
<br />
* Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009<br />
:Way 1:<br />
::<pre><br />
::p = Popen(['commannd', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']<br />
::if int(p.wait()) != 0:<br />
::print p.stdout.readlines()<br />
::</pre><br />
:Way 2:<br />
::<pre><br />
::p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']<br />
::(out, err) = p.communicate('rest of command') #e.g. 'listprincs'<br />
::print out<br />
::</pre><br />
<br />
* Not type in a chunk of common code every time, i.e.<br />
:: ''p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)''<br />
:This can be changed to:<br />
::<pre><br />
:: s = {stdin:PIPE, stdout=PIPE, stderr=PIPE}<br />
:: p = Popen(cmd, **s)<br />
::</pre><br />
<br />
* For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.<br />
:: '' p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)<br />
<br />
* The p.stdout.readlines() can be read only once<br />
<br />
* Print current time in python:<br />
::<pre><br />
:: from time import strftime<br />
:: print "current time: "+strftime("%Y-%m-%d %H:%M:%S")<br />
::</pre><br />
: Output: ''current time: 2009-07-06 22:00:54''<br />
<br />
* Sleep for 7 seconds. <br />
::<pre><br />
:: import time<br />
:: time.sleep(7)<br />
::</pre><br />
<br />
* Popen( env=blah ) this argument only needs to be specified when the environment is changing<br />
<br />
* To terminate a while loop after 3 seconds do: <code>while time.clock() < 3: blah</code> remember to <code>import time</code><br />
<br />
* Kadmin's wait() number (exit number) failed to point out that there is an error. The chunk below was generated when I tested it manually. It clearly pointed out that the acl file is missing (documented before).<br />
<pre><br />
$ kadmin -p haoqili/admin -w test123 -q 'getprinc test'<br />
Authenticating as principal haoqili/admin with password.<br />
get_principal: Operation requires ``get'' privilege while retrieving "test@K.MIT.EDU".<br />
</pre><br />
: What I saw in the output of the test was just the line "Authenticating ...", because wait() = 0, I only printed out stdout. However the last line was in the stderr. So I asked Tom if the existence of a stderr message is a better indicator of the success/failure of a command compared to the exit number. The answer is "not necessarily". <br />
:Tom: Some programs write things to stderr even when there's not an error.<br><br />
:Me: why would they do that?<br><br />
:Tom: various reasons. sometimes prompts are written to stderr so they won't end up in redirected output by default.<br />
<br />
* Ordering of stdout/stderr messages:<br />
: Tom: if you use separate pipes for stderr and stdout, you may get the relative ordering of the messages mixed up if you print all stdout, then print all stderr.<br />
: Me: right now I have stdin=PIPE, stdout=PIPE, stderr=PIPE. Is this separate pipes or the same pipe?<br />
: Tom: separate pipes, i think.<br />
: Tom: so to get program output in order, i would make stderr=STDOUT when creating the subprocess, and check the value of wait()<br />
<pre><br />
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,<br />
stderr=PIPE)<br />
<br />
This gives all outputs together, and all errors together<br />
<br />
= = = <br />
<br />
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,<br />
stderr=STDOUT)<br />
<br />
This gives the outputs and errors in the order they come.<br />
</pre><br />
<br />
== MKM Errors Put Aside ==<br />
* Adding the 1058th master key gives a memory error<br />
<br />
* getdate.y has problems:<br />
::<pre><br />
::/trunk/src/kadmin/cli$ ./datetest<br />
::Enter date, or blank line to exit.<br />
:: > 6 months<br />
::Sat Jan 9 14:22:36 2010<br />
:: > 12/31/2009<br />
::Wed Dec 30 23:00:00 2009<br />
:: > 07/10/2009<br />
::Thu Jul 9 23:00:00 2009<br />
:: > 01/01/2009<br />
::Wed Dec 31 23:00:00 2008<br />
:: > 01/01/2009 00:00:00<br />
::Wed Dec 31 23:00:00 2008<br />
::</pre><br />
<br />
* Phantom list_mkey error after adding ''-e aes128-cts-hmac-sha1-96''. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.<br />
<br />
:<pre><br />
::for lines 283-289:<br />
::print "Testing add_mkey with aes128 enctype<br />
::=============================================="<br />
::kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF<br />
::abcde<br />
::abcde<br />
::EOF<br />
::kdb5_util list_mkeys<br />
::print "Testing add_mkey with aes128 enctype done<br />
::=============================================="<br />
::<br />
::The list_mkeys at the bottom is giving the following error:<br />
::<br />
::kdb5_util: Unable to decrypt latest master key with the provided master key<br />
:: while getting master key list<br />
::kdb5_util: Warning: proceeding without master key list<br />
::kdb5_util: master keylist not initialized<br />
:</pre><br />
<br />
== Getting LDAP Running ==<br />
<br />
[http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend configure kerberos with LDAP backend]<br />
<br />
[http://quark.humbug.org.au/publications/ldap/ldap_tut.html Nice looking LDAP tutorial]<br />
<br />
* (DON'T FORLLOW THESE STEPS, WILL HAVE CONFLICTS, follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html<br />
* Install BerkeleyDB<br />
** Download berkeleydb4.7<br />
** cd to folder<br />
** ''cd build_unix'' (on my Ubuntu)<br />
** ''../dist/configure''<br />
** ''make''<br />
** ''sudo make install''<br />
* Install Open LDAP<br />
** ''./configure'' (fails)<br />
:ERROR: DBD/HDB:BerkeleyDB not available<br />
:Fixed: ''CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include"'' then ''export CPPFLAGS''<br />
:* ''./configure''<br />
:* ''make depend''<br />
:* ''make'' (fails)<br />
:ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known<br />
:FIXED: ''CPPFLAGS=-D_GNU_SOURCE'' then ''export CPPFLAGS''<br />
:* ''make''<br />
:* ''make test'' (takes a while)<br />
:* ''sudo make install'' (installed in /usr/local/etc/openldap)<br />
* Change configuration file at /usr/local/etc/openldap/slapd.conf<br />
:* <my-domain> <-- example<br />
:* <com> <-- com<br />
:* password is still "secret"<br />
:* cn is still "Manager"<br />
* Start SLAPD: ''sudo /usr/local/libexec/slapd''<br />
** Check if it works by a search: ldapsearch blah<br />
* Add entries. Consult link above.<br />
<br />
What I should have done. Faster, simpler. <b>Directions given by Greg Hudson.</b><br><br />
<b>1.</b> ''sudo apt-get install slapd'' (for server program)<br><br />
<b>2.</b> ''sudo apt-get install ldap-utils'' (for ldapsearch)<br><br />
<b>3.</b> copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema<br><br />
<b>4.</b> In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine<br><br />
<b>5.</b> ldapsearch test:<br><br />
:: ''ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com''<br />
:::''-H ldapi:///'' indicate the URI for the LDAP server<br />
:::''-x'' simple authentication<br />
:::''-W'' password prompt<br />
:::''-D cn=Manager,dc=example,dc=com'' specify the "bind DN", like a username<br />
:::''-LLL'' shortens output<br />
:::''-b'' specify base of query to restrict the scope of the query<br><br />
<b>6.</b> ''sudo apt-get install libldap2-dev''<br><br />
<b>7.</b> Modify kdc.conf to include:<br />
<pre><br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com<br />
ldap_kdc_dn = cn=admin,dc=example,dc=com<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=com<br />
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
</pre><br />
<b>8.</b> Build krb5 from source with a different configure command: <code>./configure --with-ldap</code><br><br />
<b>9.</b> Create your database not with <code>kdb5_util</code>, but with <code>kdb5_ldap_util</code> like this:<br />
<code>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code><br />
<br />
<p>@ end of step 6. I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following <br><br />
ERROR:<br />
<pre>$ sudo apt-get install slapd<br />
Reading package lists... Done<br />
Building dependency tree <br />
Reading state information... Done<br />
slapd is already the newest version.<br />
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.<br />
1 not fully installed or removed.<br />
After this operation, 0B of additional disk space will be used.<br />
Setting up slapd (2.4.15-1ubuntu3) ...<br />
Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following<br />
error while running slapadd:<br />
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)<br />
slapadd: could not parse entry (line=16)<br />
dpkg: error processing slapd (--configure):<br />
subprocess post-installation script returned error exit status 1<br />
Errors were encountered while processing:<br />
slapd<br />
E: Sub-process /usr/bin/dpkg returned an error code (1)<br />
</pre><br />
<br />
It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.<br />
<br />
SOLUTION: I fixed this error by removing a slapd to avoid conflicts in the slapd already installed from source: <code>sudo apt-get remove slapd</code> Note how in the top of the error it says that whatever I was installing "is already the newest version", but there was the rest of the stuff because of the slapd conflict.<br />
<br />
Step 5 then failed with error: <br />
<pre>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</pre><br />
<br />
It can be fixed if slapd is started more specifically:<br />
''sudo /usr/local/libexec/slapd -h ldapi:///''<br />
<br />
=== Everything was a mess! But here are some of things I did despite of the mess ===<br />
<br />
* Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.<br />
*# Kill an existing slapd: <code> ps -ef | grep slapd </code> and then <code> sudo kill -9 [the left side number]</code><br />
*# Set up new slapd: <code> sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 </code> (667, a bigger number works, 389 a smaller number wouldn't work. <br />
*# Test if slapd is running by doing a search: <code> ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret</code><br />
<br />
==== Adding LDAP Entries ====<br />
<br />
* Then I created 2 new LDAP entries:<br />
** Create this file named <code>example.ldif</code><br />
<pre><br />
dn: dc=example,dc=com<br />
objectclass: dcObject<br />
objectclass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
dn: cn=Manager,dc=example,dc=com<br />
objectclass: organizationalRole<br />
cn: Manager<br />
</pre><br />
**:Note that the objectclass names cannot be changed, they have been predetermined<br />
** Add them: <code> ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif<br />
** Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code><br />
**: result:<br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=*)<br />
# requesting: ALL<br />
#<br />
<br />
# example.com<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
# Manager, example.com<br />
dn: cn=Manager,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: Manager<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 3<br />
# numEntries: 2<br />
</pre><br />
<br />
* An important thing I learned is that I can't randomly put entries. The object classes are all specified and so are the other entries that comes with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these entries: "description", "seeAlso", "telephoneNumber", and "userPassword." <br />
** I ran into some errors when I followed the examples for adding "person" on some websites because they included a "title" entry, which is not allowed<br />
** [http://www.it.ufl.edu/projects/directory/ldap-schema/oc-PERSON.html Here is where I learned which entries are allowed]<br />
* With this knowledge, I made <code> example3.ldif</code><br />
<pre><br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectclass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
</pre><br />
* Add this entry: <code> ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif</code><br />
<br />
* Now, the search result of all object classes look like this:<br />
*:<code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code><br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=*)<br />
# requesting: ALL<br />
#<br />
<br />
# example.com<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
o: HaoQiCompany<br />
dc: example<br />
<br />
# Manager, example.com<br />
dn: cn=Manager,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: Manager<br />
<br />
# Zhanna Tsitkova, example.com<br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectClass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 5<br />
# numEntries: 4<br />
</pre><br />
<br />
*: Search for just "person" object class: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'</code><br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: (objectclass=person)<br />
# requesting: ALL<br />
#<br />
<br />
# Zhanna Tsitkova, example.com<br />
dn: cn=Zhanna Tsitkova,dc=example,dc=com<br />
objectClass: person<br />
cn: Zhanna<br />
cn: Zhanna Tsitkova<br />
sn: Tsitkova<br />
description: kind boss<br />
telephoneNumber: 6171231234<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 3<br />
# numEntries: 2<br />
</pre><br />
<br />
*: Search for just one entry: <code>ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'</code>. Note that the "cn=HaoQi" is not in the first set of single quotes.<br />
<pre><br />
# extended LDIF<br />
#<br />
# LDAPv3<br />
# base <dc=example,dc=com> with scope subtree<br />
# filter: cn=HaoQi<br />
# requesting: ALL<br />
#<br />
<br />
# HaoQi Li, example.com<br />
dn: cn=HaoQi Li,dc=example,dc=com<br />
objectClass: person<br />
cn: HaoQi<br />
cn: HaoQi Li<br />
sn: Li<br />
description: happy intern<br />
telephoneNumber: 7031231234<br />
<br />
# search result<br />
search: 2<br />
result: 0 Success<br />
<br />
# numResponses: 2<br />
# numEntries: 1<br />
</pre><br />
<br />
=== Starting LDAP ===<br />
<br />
Starting from a specific IP address and port number:<br />
: <code>sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:677</code> Note that it's "ldap", not "ldapi." The port number 677 was chosen arbitrarily. <br />
: To search to check that it works: <br />
: <code>ldapsearch -h 127.0.0.1 -p 677 -x -D cn=manager,dc=example,dc=com -w secret</code><br />
<br />
Starting from /:<br />
: <code>sudo /usr/local/libexec/slapd -h ldapi:///</code> Note that it's "ldapi", not "ldap"<br />
: To search to check that it works:<br />
: <code>ldapsearch -H ldapi:/// -x -D cn=manager,dc=example,dc=com -w secret</code><br />
<br />
To kill a slapd and start again:<br />
: <code>ps -ef | grep slapd</code> look for the left most number<br />
: <code>sudo kill -9 [left most number]</code><br />
<br />
=== Things I had to fix ===<br />
* I first did step 9 without doing step 8. So I got an kdb5_ldap_util not found error, but I was recommended by the computer to install krb5-kdc-ldap. DON'T DO THAT! because it is not what I want for the krb5 development, I want it to be running from the build (step 8). So I had to do a <code>sudo apt-get remove krb5-kdc-ldap</code>. In the end, the kdb5_ldap_util we want should be in <code>/usr/local/sbin/kdb5_ldap_util</code><br />
<br />
* @ step 8. while doing <code>./configure --with-ldap</code> it stopped with this:<br><br />
:ERROR: <code>configure: error: libldap not found or missing ldap_init</code>. <br><br />
:Greg told me to check if /usr/lib/libldap.so exists, and it does. Then I looked at config.log from the ./configure: Here are chunks of it, found in the middle of the log:<br />
<pre><br />
configure:24570: checking for ldap_init in -lldap<br />
configure:24605: gcc -o conftest -g -O2 conftest.c -lldap -lresolv >&5<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_pvt_sb_do_write@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_free@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_skip_data@OPENLDAP_2.4_2'<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_reset@OPENLDAP_2.4_2'<br />
... 50 more lines like so ...<br />
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_sockbuf_alloc@OPENLDAP_2.4_2'<br />
collect2: ld returned 1 exit status<br />
configure:24612: $? = 1<br />
configure: failed program was:<br />
| /* confdefs.h. */<br />
| #define PACKAGE_NAME "Kerberos 5"<br />
| #define PACKAGE_TARNAME "krb5"<br />
| #define PACKAGE_VERSION "1.7-prerelease"<br />
| #define PACKAGE_STRING "Kerberos 5 1.7-prerelease"<br />
| #define PACKAGE_BUGREPORT "krb5-bugs@mit.edu"<br />
| #define STDC_HEADERS 1<br />
| #define HAVE_SYS_TYPES_H 1<br />
| #define HAVE_SYS_STAT_H 1<br />
| #define HAVE_STDLIB_H 1<br />
... continues ...<br />
| #define HAVE_GETHOSTBYNAME_R 1<br />
| #define HAVE_GETSERVBYNAME_R 1<br />
| #define HAVE_GMTIME_R 1<br />
| #define HAVE_LOCALTIME_R 1<br />
| #define HAVE_LDAP_H 1<br />
| #define HAVE_LBER_H 1<br />
| /* end confdefs.h. */<br />
|<br />
| /* Override any GCC internal prototype to avoid an error.<br />
| Use char because int might match the return type of a GCC<br />
| builtin and then its argument prototype would still apply. */<br />
| #ifdef __cplusplus<br />
| extern "C"<br />
| #endif<br />
| char ldap_init ();<br />
| int<br />
| main ()<br />
| {<br />
| return ldap_init ();<br />
| ;<br />
| return 0;<br />
| }<br />
configure:24633: result: no<br />
configure:24638: error: libldap not found or missing ldap_init<br />
</pre><br />
<br />
:So Greg says: "I think maybe your OpenLDAP source installation in /usr/local/lib is messing up the system library." So it might be better if I start a new Ubuntu virtual machine without being stupid and compiling the entire OpenLDAP.<br />
<br />
=== Starting Over ===<br />
I ran into some more troubles. So I decided to start again, with a brand new virtual machine<br />
<br />
The bolded lines are for ldap. The non-bolded ones are for general make krb5 from source<br />
* To start again if you screwed up anywhere, do <code>make distclean</code> if you want to remove "make" or <code>make clean</code> if you don't want to remove "make" (sometimes you have to do <code>rm config.cache</code>), and then proceed to <code>util/reconf</code><br />
<br />
* Stuff you need to install for the krb5 build<br />
** subversion: <code>sudo apt-get install subversion</code><br />
** autoconf: <code>sudo apt-get install autoconf</code><br />
** <code>sudo apt-get install ncurses-dev</code><br />
** yacc: <code>sudo apt-get install byacc</code><br />
* <code>svn checkout svn://anonsvn.mit.edu/krb5/trunk</code><br />
* Navigate to trunk/src<br />
* <code>util/reconf</code><br />
* 1: <code><b>sudo apt-get install slapd</b></code><br />
* 2: <code><b>sudo apt-get install ldap-utils</b></code><br />
* 3: <b>Navigate to /etc/ldap/scheme and then do: <code>sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema</code></b><br />
* 4: <b><code>sudo vim /etc/default/slapd</code> and change SLAPD_SERVICES to: <code>SLAPD_SERVICES="ldapi:///"</code> to restrict access to the local machine</b><br />
* 5: <b>Test to see if it works by: <code>ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com</code></b><br />
* 6: <b><code>sudo apt-get install libldap2-dev</code></b><br />
* 8: <b><code>./configure --with-ldap</code></b> Skipping step 7 intentionally. It can be done later. If you are not doing ldap stuff, just do <code>./configure</code><br />
* <code>make</code><br />
* <code>sudo make install</code><br><br />
(I didn't do <code>make check</code>)<br />
* 7: <b> Change kdc.conf according to 7. above</b><br />
* 9: <b> To run it: <code>sudo /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code></b><br />
<br />
=== Figuring out stuff ===<br />
* [ https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf good guide]<br />
** Locate the kerberos schema: <br />
:: /etc/ldap/schema/kerberos.schema<br />
:* Create this file:<br />
:: sudo vim /etc/ldap/schema/schema_testing.conf<br />
<pre><br />
include /etc/ldap/schema/core.schema<br />
include /etc/ldap/schema/collective.schema<br />
include /etc/ldap/schema/corba.schema<br />
include /etc/ldap/schema/cosine.schema<br />
include /etc/ldap/schema/duaconf.schema<br />
include /etc/ldap/schema/dyngroup.schema<br />
include /etc/ldap/schema/inetorgperson.schema<br />
include /etc/ldap/schema/java.schema<br />
include /etc/ldap/schema/kerberos.schema<br />
include /etc/ldap/schema/nis.schema<br />
include /etc/ldap/schema/openldap.schema<br />
include /etc/ldap/schema/ppolicy.schema<br />
</pre><br />
:* Make the temp dir to hold output: <br />
:: mkdir /tmp/ldifoutput<br />
:* Convert schema --> LDIF with slaptest:<br />
:: slaptest -f schema_testing.conf -F /tmp/ldifoutput<br />
:* Edit /tmp/ldifoutput/cn=config/cn=schema/cn={8}kerberos.ldif<br />
:: sudo vi /tmp/ldifoutput/cn\=config/cn\=schema/cn\=\{8\}kerberos.ldif <br />
<pre><br />
change dn: cn={8}kerberos into<br />
dn: dn: cn=kerberos,cn=schema,cn=config<br />
<br />
change cn: {8}kerberos into<br />
cn: kerberos<br />
<br />
remove lines:<br />
structuralObjectClass: olcsch... <br />
till end<br />
<pre><br />
:* Start the slapd<br />
:: sudo slpad -h ldapi:/// -F /etc/ldap/slapd.d/ <br />
:: The "-F" is for slapd-config-directory<br />
:*<br />
=== LDAP notes ===<br />
<br />
* Man pages<br />
** [http://docs.sun.com/app/docs/doc/816-5166/kdb5-ldap-util-1m?a=view good man page]<br />
** [http://linux.die.net/man/8/kdb5_ldap_util another one]<br />
<br />
* If you can't start slapd, try <code>sudo</code><br />
* [http://www.openldap.org/doc/admin21/runningslapd.html bug level, -d #]<br />
<pre><br />
Level Description<br />
-1 enable all debugging<br />
0 no debugging<br />
1 trace function calls<br />
2 debug packet handling<br />
4 heavy trace debugging<br />
8 connection management<br />
16 print out packets sent and received<br />
32 search filter processing<br />
64 configuration file processing<br />
128 access control list processing<br />
256 stats log connections/operations/results<br />
512 stats log entries sent<br />
1024 print communication with shell backends<br />
2048 print entry parsing debugging <br />
</pre><br />
<br />
* src/kadmin/dbutil/kdb5_ldap_util<br />
* src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2128
LDAP on Kerberos
2009-08-18T19:27:10Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"<br />
<br />
*<br />
<pre><br />
haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla<br />
haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ <br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
adding new entry "cn=kerberos,cn=schema,cn=config"<br />
ldap_add: Other (e.g., implementation specific) error (80)<br />
additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2127
LDAP on Kerberos
2009-08-18T19:20:36Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
*: openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2126
LDAP on Kerberos
2009-08-18T19:16:41Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
*: SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.<br />
*: sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
** sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///<br />
**:Output: adding new entry "cn=kerberos,cn=schema,cn=config"<br />
<pre><br />
openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
</pre><br />
<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine<br />
*: SOLUTION: Change "-h" to "-H"</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2125
LDAP on Kerberos
2009-08-18T19:07:21Z
<p>Haoqili: /* Errors */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br />
$ sudo /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/<br />
haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///<br />
*: ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2124
LDAP on Kerberos
2009-08-18T18:48:53Z
<p>Haoqili: /* Scratch Pad */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n<br />
<br />
== Errors ==<br />
* sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
*: ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2123
LDAP on Kerberos
2009-08-18T17:51:38Z
<p>Haoqili: /* To Do */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
* update tree too, got a fix<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2122
LDAP on Kerberos
2009-08-18T16:46:09Z
<p>Haoqili: /* To Do */</p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Slapd in sandbox, not /etc<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2120
LDAP on Kerberos
2009-08-18T15:58:35Z
<p>Haoqili: </p>
<hr />
<div>==About==<br />
A guide to set up ldap backend for kerberos.<br />
<br />
== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Kdc.conf&diff=2119
Kdc.conf
2009-08-18T15:56:08Z
<p>Haoqili: </p>
<hr />
<div>save it in /tmp/kdc.conf<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = /tmp/krb5kdc/principal<br />
acl_file = /tmp/kadm5.acl<br />
<br />
key_stash_file = /tmp/krb5kdc/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:/tmp/krb5kdc/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/kdc.log<br />
</pre><br />
<br />
==/tmp/kdc_template.conf==<br />
<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = %(sandir)s/principal<br />
acl_file = %(sandir)s/kadm5.acl<br />
key_stash_file = %(sandir)s/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:%(sandir)s/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/myrealKDC.log<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Krb5.conf&diff=2118
Krb5.conf
2009-08-18T15:55:38Z
<p>Haoqili: </p>
<hr />
<div>save it in /tmp/krb5.conf<br><br />
<br />
<pre><br />
[libdefaults]<br />
default_realm = EXAMPLE.ORG<br />
default_tkt_enctypes = des3-hmac-sha1 aes128-cts<br />
default_tgs_enctypes = des3-hmac-sha1 aes128-cts<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
admin_server = A.EXAMPLE.ORG<br />
default_domain = EXAMPLE.ORG<br />
kdc = localhost.localdomain:8888<br />
database_module = LDAP<br />
}<br />
<br />
[dbdefaults]<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
<br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
ldap_kdc_dn = cn=admin,dc=example,dc=org<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=org<br />
ldap_service_password_file = /tmp/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
[domain_realm]<br />
<br />
[logging]<br />
kdc = FILE:/tmp/kdc_fromkrb.log<br />
default = FILE:/tmp/krb5.log<br />
admin_server = FILE:/tmp/admin.log<br />
</pre><br />
<br />
==/tmp/krb5_template.conf==<br />
<pre><br />
[libdefaults]<br />
default_realm = EXAMPLE.ORG<br />
default_tkt_enctypes = des3-hmac-sha1 aes128-cts<br />
default_tgs_enctypes = des3-hmac-sha1 aes128-cts<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
admin_server = A.EXAMPLE.ORG<br />
default_domain = EXAMPLE.ORG<br />
kdc = %(localFQDN)s:8888<br />
database_module = LDAP<br />
}<br />
<br />
[dbdefaults]<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
<br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
ldap_kdc_dn = cn=admin,dc=example,dc=org<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=org<br />
ldap_service_password_file = /tmp/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
[domain_realm]<br />
<br />
[logging]<br />
kdc = FILE:/tmp/kdc_fromkrb.log<br />
default = FILE:/tmp/krb5.log<br />
admin_server = FILE:/tmp/admin.log<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Krb5.conf&diff=2117
Krb5.conf
2009-08-18T15:54:53Z
<p>Haoqili: took out old</p>
<hr />
<div>/tmp/krb5_t.conf<br><br />
<pre><br />
[libdefaults]<br />
default_realm = EXAMPLE.ORG<br />
default_tkt_enctypes = des3-hmac-sha1 aes128-cts<br />
default_tgs_enctypes = des3-hmac-sha1 aes128-cts<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
admin_server = A.EXAMPLE.ORG<br />
default_domain = EXAMPLE.ORG<br />
kdc = %(localFQDN)s:8888<br />
database_module = LDAP<br />
}<br />
<br />
[dbdefaults]<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
<br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
ldap_kdc_dn = cn=admin,dc=example,dc=org<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=org<br />
ldap_service_password_file = /tmp/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
[domain_realm]<br />
<br />
[logging]<br />
kdc = FILE:/tmp/kdc_fromkrb.log<br />
default = FILE:/tmp/krb5.log<br />
admin_server = FILE:/tmp/admin.log<br />
</pre><br />
<br />
--------------------------<br />
<br />
you can save it in /tmp/krb5.conf<br><br />
<br />
<pre><br />
[libdefaults]<br />
default_realm = EXAMPLE.ORG<br />
default_tkt_enctypes = des3-hmac-sha1 aes128-cts<br />
default_tgs_enctypes = des3-hmac-sha1 aes128-cts<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
admin_server = A.EXAMPLE.ORG<br />
default_domain = EXAMPLE.ORG<br />
kdc = localhost.localdomain:8888<br />
database_module = LDAP<br />
}<br />
<br />
[dbdefaults]<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
<br />
[dbmodules]<br />
LDAP = {<br />
db_library = kldap<br />
ldap_kerberos_container_dn = "cn=krbContainer,dc=example,dc=org"<br />
ldap_kdc_dn = cn=admin,dc=example,dc=org<br />
ldap_kadmind_dn = cn=admin,dc=example,dc=org<br />
ldap_service_password_file = /tmp/krb5kdc/admin.stash<br />
ldap_servers = ldapi:///<br />
}<br />
[domain_realm]<br />
<br />
[logging]<br />
kdc = FILE:/tmp/kdc_fromkrb.log<br />
default = FILE:/tmp/krb5.log<br />
admin_server = FILE:/tmp/admin.log<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Kdc.conf&diff=2116
Kdc.conf
2009-08-18T15:53:40Z
<p>Haoqili: </p>
<hr />
<div>/tmp/kdc_t.conf<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = %(sandir)s/principal<br />
acl_file = %(sandir)s/kadm5.acl<br />
key_stash_file = %(sandir)s/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:%(sandir)s/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/myrealKDC.log<br />
</pre><br />
--------------------<br />
<br />
you can save it in /tmp/kdc.conf<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = /tmp/krb5kdc/principal<br />
acl_file = /tmp/kadm5.acl<br />
<br />
key_stash_file = /tmp/krb5kdc/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:/tmp/krb5kdc/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/kdc.log<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Kdc.conf&diff=2115
Kdc.conf
2009-08-18T15:53:16Z
<p>Haoqili: took out old</p>
<hr />
<div>/tmp/kdc_t.conf<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = %(sandir)s/principal<br />
acl_file = %(sandir)s/kadm5.acl<br />
key_stash_file = %(sandir)s/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:%(sandir)s/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/myrealKDC.log<br />
</pre><br />
--------------------<br />
<br />
you can save it in /tmp/kdc.conf<br />
<pre><br />
[kdcdefaults]<br />
kdc_ports = 8888<br />
<br />
[realms]<br />
EXAMPLE.ORG = {<br />
database_name = /tmp/krb5kdc/principal<br />
acl_file = /tmp/kadm5.acl<br />
<br />
key_stash_file = /tmp/krb5kdc/.k5.EXAMPLE.ORG<br />
admin_keytab = FILE:/tmp/krb5kdc/kadm5.keytab<br />
kdc_ports = 8888<br />
kpasswd_port = 8887<br />
kadmind_port = 8886<br />
max_life = 10h 0m 0s<br />
max_renewable_life = 7d 0h 0m 0s<br />
}<br />
[logging]<br />
kdc = FILE:/tmp/myrealKDC.log<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Kadm5.acl&diff=2114
Kadm5.acl
2009-08-18T15:52:48Z
<p>Haoqili: </p>
<hr />
<div>save: /tmp/kadm5.acl<br />
<br />
Yes, it is only one line long<br />
<br />
<pre><br />
*/admin *<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2113
LDAP on Kerberos
2009-08-18T15:51:30Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2112
LDAP on Kerberos
2009-08-18T15:50:48Z
<p>Haoqili: /* 6. Starting */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: Checkpoint: <code>ps -ef | grep krb5kdc</code> should show it running<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2111
LDAP on Kerberos
2009-08-18T15:50:13Z
<p>Haoqili: /* 6. Starting */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: Checkpoint: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
<br />
* <code>krb5kdc</code> <br />
*: If it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2110
LDAP on Kerberos
2009-08-18T15:49:05Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2109
LDAP on Kerberos
2009-08-18T15:48:35Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif <br />
#:: cn={1}corba.ldif <br />
#:: cn={2}cosine.ldif <br />
#:: cn={3}duaconf.ldif <br />
#:: cn={4}inetorgperson.ldif<br />
#:: cn={5}java.ldif <br />
#:: cn={6}kerberos.ldif<br />
#:: cn={7}misc.ldif<br />
#:: cn={8}openldap.ldif<br />
#:: cn={9}nis.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2108
LDAP on Kerberos
2009-08-18T15:47:31Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: If you <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code>, you should see:<br />
#:: cn={0}core.ldif cn={4}inetorgperson.ldif cn={8}openldap.ldif<br />
#:: cn={1}corba.ldif cn={5}java.ldif cn={9}nis.ldif<br />
#:: cn={2}cosine.ldif cn={6}kerberos.ldif<br />
#:: cn={3}duaconf.ldif cn={7}misc.ldif<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2107
LDAP on Kerberos
2009-08-18T15:41:53Z
<p>Haoqili: /* To Do */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=Schema_convert.conf&diff=2106
Schema convert.conf
2009-08-18T15:40:47Z
<p>Haoqili: </p>
<hr />
<div>/tmp/schema_convert.conf<br><br />
<br />
<pre><br />
include /etc/ldap/schema/core.schema<br />
include /etc/ldap/schema/corba.schema<br />
include /etc/ldap/schema/cosine.schema<br />
include /etc/ldap/schema/duaconf.schema<br />
include /etc/ldap/schema/inetorgperson.schema<br />
include /etc/ldap/schema/java.schema<br />
include /etc/ldap/schema/kerberos.schema<br />
include /etc/ldap/schema/misc.schema<br />
include /etc/ldap/schema/openldap.schema<br />
include /etc/ldap/schema/nis.schema<br />
</pre></div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2105
LDAP on Kerberos
2009-08-18T15:40:27Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]] at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2104
LDAP on Kerberos
2009-08-18T15:39:23Z
<p>Haoqili: /* To Do */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Figure out required schemas<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2103
LDAP on Kerberos
2009-08-18T15:39:08Z
<p>Haoqili: /* 5. Kerb Schema Operations */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as<br />
#:* core.schema<br />
#:* inetorgperson.schema<br />
#:* kerberos.schema<br />
#:* misc.schema<br />
#:* openldap.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2102
LDAP on Kerberos
2009-08-18T15:37:28Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: Indented are the debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2101
LDAP on Kerberos
2009-08-18T15:36:32Z
<p>Haoqili: /* 4. Build kerb. config */ Zhanna's comments</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install Packages:<br />
#* <code> sudo apt-get install slapd</code><br />
#* for ldapsearch: <code>sudo apt-get install ldap-utils</code><br />
#* <code>sudo apt-get install libldap2-dev</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: [your pwd]<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: [your pwd]<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2100
LDAP on Kerberos
2009-08-18T15:34:01Z
<p>Haoqili: /* 3. Env and Setup */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2099
LDAP on Kerberos
2009-08-18T15:33:39Z
<p>Haoqili: /* 3. Env and Setup */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
*export KRB5_CONFIG=/tmp/sandbox/krb5.conf<br />
<br />
*export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf<br />
<br />
* make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2091
LDAP on Kerberos
2009-08-18T12:35:49Z
<p>Haoqili: /* Assume People have done= */</p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib<br />
<br />
I saved mine here:<br />
<br />
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib<br />
<br />
-------<br />
You should also make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done===<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2090
LDAP on Kerberos
2009-08-18T12:31:59Z
<p>Haoqili: </p>
<hr />
<div>== To Do ==<br />
* Simpler Domain names D.COM, R.COM<br />
* Different domain names<br />
* Play around to get minimum set of requirement<br />
<br />
== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib<br />
<br />
I saved mine here:<br />
<br />
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib<br />
<br />
-------<br />
You should also make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done====<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2089
LDAP on Kerberos
2009-08-18T05:37:00Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib<br />
<br />
I saved mine here:<br />
<br />
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib<br />
<br />
-------<br />
You should also make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
##: debconf-get-selection lines<br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done====<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2088
LDAP on Kerberos
2009-08-18T05:35:20Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib<br />
<br />
I saved mine here:<br />
<br />
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib<br />
<br />
-------<br />
You should also make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
## Omit OpenLDAP server configuration: No<br />
##: slapd slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
##: slapd shared/organization string example.org<br />
## Databases backend to use: HDB, instead of BDB<br />
##: slapd slapd/backend select HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
##: slapd slapd/purge_database boolean true<br />
## Move old database: Yes<br />
##: slapd slapd/move_old_database boolean true<br />
## Admin password: a<br />
##: slapd slapd/password1 password<br />
##: [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]<br />
## Confirm password: a<br />
##: slapd slapd/password2 password<br />
## Allow LDAPv2 protocol: No<br />
##: slapd slapd/allow_ldap_v2 boolean false<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done====<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili
https://k5wiki.kerberos.org/wiki?title=LDAP_on_Kerberos&diff=2087
LDAP on Kerberos
2009-08-18T03:08:59Z
<p>Haoqili: /* 4. Build kerb. config */</p>
<hr />
<div>== 0. Sample code to follow ==<br />
<pre><br />
1 cd /tmp<br />
2 vim krb5.conf<br />
3 vim kdc.conf<br />
4 vim kadm5.acl<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
8 mkdir krb5kdc<br />
9 sudo apt-get install slapd<br />
10 sudo apt-get install ldap-utils<br />
11 sudo dpkg-reconfigure slapd<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
13 sudo vim /etc/default/slapd<br />
14 sudo apt-get install libldap2-dev<br />
15 cd /home/haoqili/trunk/src/<br />
16 make distclean<br />
17 util/reconf<br />
18 ./configure --with-ldap<br />
19 make<br />
20 sudo make install<br />
21 vim /tmp/schema_convert.conf<br />
22 mkdir /tmp/ldif_output<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
28 kadmin.local<br />
29 krb5kdc -n<br />
</pre><br />
<br />
== 1. Information about the system ==<br />
- packages<br />
* Version of ubuntu<br />
lsb_release -a<br />
No LSB modules are available.<br />
Distributor ID: Ubuntu<br />
Description: Ubuntu 9.04<br />
Release: 9.04<br />
Codename: jaunty<br />
* Version of slapd: 2.4.15 (Mar 19 2009)<br />
slapd -V<br />
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $<br />
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd<br />
<br />
* Version of ldap-utils: 2.4.15<br />
dpkg -l ldap-utils<br />
<br />
== 2. Extract krb conf files ==<br />
* It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.<br />
* Save [[krb5.conf]]<br />
* Save [[kdc.conf]]<br />
* Save [[kadm5.acl]]<br />
<br />
== 3. Env and Setup==<br />
You need to export these lines into your env. Based on where you saved these files.<br />
<br />
KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib<br />
<br />
I saved mine here:<br />
<br />
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf<br />
<br />
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf<br />
<br />
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib<br />
<br />
-------<br />
You should also make a krb5kdc folder (like in /tmp/krb5kdc)<br />
<br />
Whatever you do, be consistent<br />
<br />
== 4. Build kerb. config ==<br />
<br />
# Install slapd package: <code> sudo apt-get install slapd</code><br />
#: Asks for password.<br />
# Install ldap-utils package (for ldapsearch): <code>sudo apt-get install ldap-utils</code><br />
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code><br />
## Omit OpenLDAP server configuration: No<br />
##: slapd \t slapd/no_configuration boolean false<br />
## DNS domain name: example.org<br />
##: slapd slapd/domain string example.org<br />
## Organization name: example.org [note: i used the same name for simplicity]<br />
## Databases backend to use: HDB<br />
## Do you want the database to be removed when slapd is purge: Yes<br />
## Move old database: Yes<br />
## Admin password: a<br />
## Confirm password: a<br />
## Allow LDAPv2 protocol: No<br />
#: Checkpoint: If you are successful, you should see as output:<br />
#:: ''Stopping OpenLDAP: slapd.''<br />
#:: ''Moving old database directory to /var/backups:''<br />
#:: ''- directory unknown... done.''<br />
#:: ''Creating initial slapd configuration... done.''<br />
#:: ''Creating initial LDAP directory... done.''<br />
#:: ''* Reloading AppArmor profiles ''<br />
#:: ''... [ OK ]'' <br />
#:: ''Starting OpenLDAP: slapd.''<br />
# If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: <code>sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre><br />
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code><br />
# Reconfigure your kerberos<br />
#* Navigate to kerberos src<br />
#* <code>make distclean</code><br />
#* <code>util/reconf</code><br />
#* <code>./configure --with-ldap</code><br />
#* <code>make</code><br />
#* <code>sudo make install</code><br />
<br />
== 5. Kerb Schema Operations ==<br />
Loosely followed [http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html Ubuntu Guide] and [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend Kerberos V5 System Admin Guide]<br />
<br />
# You have not done so already, locate the kerberos.schema. [[kerberos.schema]] which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: <code>cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema</code><br />
#: Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema<br />
# Make this [[schema_convert.conf]]. Note! This is different from the schema_convert.conf in the Ubuntu Guide.<br />
# Make the directory to hold output: <code>mkdir /tmp/ldif_output </code><br />
# Convert schema --> LDIF with slaptest: <code>slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output</code><br />
#: Output: "config file testing succeeded"<br />
#: Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output<br />
# Need to modify kerberos.ldif. <br />
#* Find which number kerberos.ldif is listed as: <code>sudo ls /tmp/ldif_output/cn\=config/cn\=schema</code><br />
#* Edit it: <code> sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif</code><br />
#** change ''dn: cn={6}kerberos'' into ''dn: cn=kerberos,cn=schema,cn=config''<br />
#** change ''cn: {6}kerberos'' into ''cn: kerberos''<br />
#** Delete the bottom lines: from ''structuralObjectClasses: olcSchemaConfig'' to ''modifyTimestamp: 20090811205313Z''<br />
# load new schema, replace "-w a" with your password: <code>sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///</code><br />
#: Output: ''adding new entry "cn=kerberos,cn=schema,cn=config"''<br />
<br />
== 6. Starting ==<br />
* Create your database with kdb5_ldap_util instead of kdb5_util:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
</code><br />
output:<br />
<pre><br />
Initializing database for realm 'EXAMPLE.ORG'<br />
You will be prompted for the database Master Password.<br />
It is important that you NOT FORGET this password.<br />
Enter KDC database master key: <br />
Re-enter KDC database master key to verify: <br />
<br />
Kerberos container is missing. Creating now...<br />
</pre><br />
* Stash the password:<br />
*: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org</code><br />
*: If it works, you can do:<br />
*:* <code>kadmin.local</code>, try <code>listprincs</code>, quit by typing <code>quit</code><br />
*:* <code>krb5kdc -n</code> if it runs, the cursor blinks on a new line<br />
<br />
* Command to destroy kdb5_ldap_util: <code>kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy</code><br />
<br />
== Scratch Pad ==<br />
<br />
===Assume People have done====<br />
1 cd /tmp<br />
<br />
9 sudo apt-get install slapd<br />
<br />
10 sudo apt-get install ldap-utils<br />
<br />
14 sudo apt-get install libldap2-dev<br />
<br />
15 cd /home/haoqili/trunk/src/<br />
<br />
16 make distclean<br />
<br />
17 util/reconf<br />
<br />
18 ./configure --with-ldap<br />
<br />
19 make<br />
<br />
20 sudo make install<br />
<br />
===Code===<br />
2 vim krb5.conf<br />
<br />
3 vim kdc.conf<br />
<br />
4 vim kadm5.acl<br />
<br />
5 export KRB5_CONFIG=/tmp/krb5.conf<br />
<br />
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf<br />
<br />
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/<br />
<br />
---------------------------------------<br />
---------------------------------------<br />
---------------------------------------<br />
<br />
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?<br />
<br />
11 sudo dpkg-reconfigure slapd<br />
<br />
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/<br />
<br />
13 sudo vim /etc/default/slapd<br />
<br />
21 vim /tmp/schema_convert.conf<br />
<br />
22 mkdir /tmp/ldif_output<br />
<br />
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/<br />
<br />
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif <br />
<br />
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///<br />
<br />
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s<br />
<br />
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org<br />
<br />
28 kadmin.local<br />
<br />
29 krb5kdc -n</div>
Haoqili