LDAP on Kerberos

From K5Wiki

Revision as of 10:24, 17 August 2009

1. Information about the system

- packages

  • Version of Ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial that the realm and domain names are correct and consistent across all three files. krb5.conf must contain a [dbmodules] section, since that is where the LDAP back end is configured.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env

Export these variables in your environment, pointing at wherever you saved the files from step 2:

KRB5_CONFIG=/tmp/krb5.conf

KRB5_KDC_PROFILE=/tmp/kdc.conf

LD_LIBRARY_PATH=[path to the kerberos src]/src/lib

I saved mine here:

KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf

KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf

LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib


You should also make a krb5kdc directory (for example /tmp/krb5kdc).

Whatever you do, be consistent: use the same realm name and the same paths in krb5.conf, kdc.conf and your environment.
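As an added example (not part of the original wiki page), a small POSIX shell script that checks the consistency the page insists on before the variables are exported: the default_realm in krb5.conf must have a realm block in both krb5.conf and kdc.conf, and that realm's database_module must have a matching block under [dbmodules]. The section and key names are MIT krb5's; the sample file contents, the sandbox path and the module name openldap_ldapconf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: sanity-check that krb5.conf and
# kdc.conf agree on the realm and that krb5.conf carries the [dbmodules]
# entry the LDAP back end needs, before exporting KRB5_CONFIG and
# KRB5_KDC_PROFILE. Section names and keys are MIT krb5's; all file contents
# and paths below are constructed sample data.

# Print the value of default_realm from [libdefaults] of file $1.
default_realm() {
    awk '$1 ~ /^\[/ { s = ($1 == "[libdefaults]"); next }
         s && $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Succeed if realm $2 has a "REALM = {" block under [realms] in file $1.
realm_defined() {
    awk -v r="$2" '$1 ~ /^\[/ { s = ($1 == "[realms]"); next }
                   s && $1 == r && $2 == "=" && $3 == "{" { f = 1 }
                   END { exit !f }' "$1"
}

# Print the database_module named inside the block of realm $2 in file $1.
realm_dbmodule() {
    awk -v r="$2" '$1 ~ /^\[/ { s = ($1 == "[realms]"); inr = 0; next }
                   s && $1 == r && $3 == "{" { inr = 1; next }
                   inr && $1 == "}" { inr = 0 }
                   inr && $1 == "database_module" { print $3; exit }' "$1"
}

# Succeed if module $2 has its own "name = {" block under [dbmodules] in file $1.
dbmodule_defined() {
    awk -v m="$2" '$1 ~ /^\[/ { s = ($1 == "[dbmodules]"); next }
                   s && $1 == m && $2 == "=" && $3 == "{" { f = 1 }
                   END { exit !f }' "$1"
}

# Run every check, report each failure, return 0 only if all of them pass.
check_krb_conf() {
    krb5conf=$1 kdcconf=$2 rc=0
    realm=$(default_realm "$krb5conf")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in $krb5conf"; return 1
    fi
    realm_defined "$krb5conf" "$realm" || { echo "FAIL: $realm has no [realms] block in $krb5conf"; rc=1; }
    realm_defined "$kdcconf" "$realm"  || { echo "FAIL: $realm has no [realms] block in $kdcconf"; rc=1; }
    mod=$(realm_dbmodule "$krb5conf" "$realm")
    if [ -z "$mod" ]; then
        echo "FAIL: $realm names no database_module in $krb5conf"; rc=1
    elif ! dbmodule_defined "$krb5conf" "$mod"; then
        echo "FAIL: [dbmodules] has no block for $mod in $krb5conf"; rc=1
    fi
    return $rc
}

# Constructed sandbox standing in for the directory the wiki keeps its files in.
SANDBOX=$(mktemp -d)
cat > "$SANDBOX/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = localhost
        admin_server = localhost
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = cn=admin,dc=example,dc=org
        ldap_kadmind_dn = cn=admin,dc=example,dc=org
        ldap_service_password_file = /tmp/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }
EOF
cat > "$SANDBOX/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.ORG = {
        acl_file = /tmp/krb5kdc/kadm5.acl
        key_stash_file = /tmp/krb5kdc/.k5.EXAMPLE.ORG
    }
EOF
# Deliberately inconsistent kdc.conf: its realm name differs from krb5.conf.
cat > "$SANDBOX/kdc_bad.conf" <<'EOF'
[realms]
    EXAMPLE.COM = {
        acl_file = /tmp/krb5kdc/kadm5.acl
    }
EOF

if check_krb_conf "$SANDBOX/krb5.conf" "$SANDBOX/kdc.conf"; then
    export KRB5_CONFIG="$SANDBOX/krb5.conf" KRB5_KDC_PROFILE="$SANDBOX/kdc.conf"
    echo "OK: KRB5_CONFIG=$KRB5_CONFIG KRB5_KDC_PROFILE=$KRB5_KDC_PROFILE"
fi
```

Run it once against the files you actually saved (replace the constructed sandbox paths); the kdc_bad.conf case shows the kind of realm mismatch that otherwise surfaces only later as a confusing kdb5_ldap_util or krb5kdc error.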

4. Build kerb. config

  1. Install the slapd package: sudo apt-get install slapd
    It asks for an admin password.
  2. Install ldap-utils package (for ldapsearch): sudo apt-get install ldap-utils
  3. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd
    • Omit OpenLDAP server configuration: No
    • DNS domain name: example.org
    • Organization name: example.org [note: I used the same name for simplicity]
    • Database backend to use: HDB
    • Do you want the database to be removed when slapd is purged: Yes
    • Move old database: Yes
    • Admin password: a
    • Confirm password: a
    • Allow LDAPv2 protocol: No
    Checkpoint: If you are successful, you should see as output:
    Stopping OpenLDAP: slapd.
    Moving old database directory to /var/backups:
    - directory unknown... done.
    Creating initial slapd configuration... done.
    Creating initial LDAP directory... done.
    * Reloading AppArmor profiles
    ... [ OK ]
    Starting OpenLDAP: slapd.
  4. If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  5. To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
  6. To build Kerberos with LDAP back end support, install: sudo apt-get install libldap2-dev
  7. Reconfigure your kerberos
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install

5. Kerb Schema Operations

This section loosely follows the Ubuntu Guide and the Kerberos V5 System Administrator's Guide.

  1. If you have not done so already, locate kerberos.schema, which should be in /etc/ldap/schema/kerberos.schema. If it is not there, copy it from your Kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: /etc/ldap/schema should also contain the other schema files, such as core.schema.
  2. Make this schema_convert.conf. Note: it is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert schema --> LDIF with slaptest: slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output
    Output: "config file testing succeeded"
    Checkpoint: Make sure you have "cn=config" in your /tmp/ldif_output
  5. Modify the generated kerberos.ldif:
    • Find the index number slaptest gave kerberos.ldif ({6} in the commands below): sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the operational attributes at the bottom, from structuralObjectClass: olcSchemaConfig through modifyTimestamp: 20090811205313Z
  6. Load the new schema (replace "-w a" with your cn=config admin password): sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
    Output: adding new entry "cn=kerberos,cn=schema,cn=config"
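The edits of step 5 can be scripted rather than done in vim, which also removes the need to guess the index {6}: the script below, added here and not from the wiki page, finds the generated cn={N}kerberos.ldif under the slaptest output directory, rewrites the dn and cn lines, and drops the operational attributes from structuralObjectClass to modifyTimestamp. The sample LDIF it writes into a temporary directory is constructed (placeholder OIDs, dummy operational values) to stand in for slaptest's real output.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: perform the three edits of step 5
# on the slaptest-generated cn={N}kerberos.ldif with sed/awk instead of vim,
# so the same change works whatever index {N} slaptest assigned. The sample
# LDIF written below is constructed (placeholder OIDs, dummy operational
# values), not the real kerberos.ldif.

# Locate the generated schema file under the slaptest output directory ($1).
find_kerberos_ldif() {
    for f in "$1"/cn=config/cn=schema/cn=\{*\}kerberos.ldif; do
        [ -f "$f" ] && echo "$f" && return 0
    done
    echo "no cn={N}kerberos.ldif under $1" >&2
    return 1
}

# Rewrite the LDIF ($1) to stdout:
#   dn: cn={N}kerberos  ->  dn: cn=kerberos,cn=schema,cn=config
#   cn: {N}kerberos     ->  cn: kerberos
#   and drop everything from the first operational attribute onwards
#   (structuralObjectClass ... modifyTimestamp); slapd generates those
#   itself and will not accept them in an add.
fix_kerberos_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' "$1" |
    awk '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):/ { exit }
         { print }'
}

# Constructed stand-in for /tmp/ldif_output, mirroring the layout slaptest -F creates.
OUT=$(mktemp -d)
mkdir -p "$OUT/cn=config/cn=schema"
cat > "$OUT/cn=config/cn=schema/cn={6}kerberos.ldif" <<'EOF'
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( PLACEHOLDER.OID.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( PLACEHOLDER.OID.2 NAME 'krbPrincipal' SUP top AUXILIARY MAY krbPrincipalName )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
EOF

SRC=$(find_kerberos_ldif "$OUT")
fix_kerberos_ldif "$SRC" > "$OUT/kerberos-fixed.ldif"
cat "$OUT/kerberos-fixed.ldif"
# Step 6 then becomes (not run here; it needs a live slapd and the cn=config password):
#   sudo ldapadd -x -D cn=admin,cn=config -w PASSWORD -H ldapi:/// -f "$OUT/kerberos-fixed.ldif"
```

Point find_kerberos_ldif at your real /tmp/ldif_output instead of the constructed directory; the awk stops at the first operational attribute because slaptest always writes them as a contiguous block at the end of the entry.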

6. Starting

  • Create your database with kdb5_ldap_util instead of kdb5_util:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s

output:

Initializing database for realm 'EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Kerberos container is missing. Creating now...
  • Stash the LDAP bind password:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    If that succeeds, verify:
    • run kadmin.local, try listprincs, then quit by typing quit
    • run krb5kdc -n; if it runs, the cursor blinks on a new line
  • To destroy the database again: kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy