logo_kerberos.gif

Difference between revisions of "LDAP on Kerberos"

From K5Wiki
Jump to: navigation, search
(To Do)
Line 3: Line 3:
   
 
== To Do ==
 
== To Do ==
  +
* Slapd in sandbox, not /etc
 
* Simpler Domain names D.COM, R.COM
 
* Simpler Domain names D.COM, R.COM
 
* Different domain names
 
* Different domain names

Revision as of 11:46, 18 August 2009

About

A guide to set up ldap backend for kerberos.

To Do

  • Slapd in sandbox, not /etc
  • Simpler Domain names D.COM, R.COM
  • Different domain names
  • Figure out required schemas
  • Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu
  • Play around to get minimum set of requirement

0. Sample code to follow

    1  cd /tmp
    2  vim krb5.conf
    3  vim kdc.conf
    4  vim kadm5.acl
    5  export KRB5_CONFIG=/tmp/krb5.conf
    6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
    7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
    8  mkdir krb5kdc
    9  sudo apt-get install slapd
   10  sudo apt-get install ldap-utils
   11  sudo dpkg-reconfigure slapd
   12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
   13  sudo vim /etc/default/slapd
   14  sudo apt-get install libldap2-dev
   15  cd /home/haoqili/trunk/src/
   16  make distclean
   17  util/reconf
   18  ./configure --with-ldap
   19  make
   20  sudo make install
   21  vim /tmp/schema_convert.conf
   22  mkdir /tmp/ldif_output
   23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
   24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
   25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
   26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
   27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
   28  kadmin.local
   29  krb5kdc -n

1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env and Setup

You need to export these lines into your env. Based on where you saved these files.

  • export KRB5_CONFIG=/tmp/sandbox/krb5.conf
  • export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf
  • make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc)

Whatever you do, be consistent

4. Build kerb. config

  1. Install Packages:
    • sudo apt-get install slapd
    • for ldapsearch: sudo apt-get install ldap-utils
    • sudo apt-get install libldap2-dev
  2. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd
    1. Indented are the debconf-get-selection lines
    2. Omit OpenLDAP server configuration: No
      slapd slapd/no_configuration boolean false
    3. DNS domain name: example.org
      slapd slapd/domain string example.org
    4. Organization name: example.org [note: i used the same name for simplicity]
      slapd shared/organization string example.org
    5. Databases backend to use: HDB, instead of BDB
      slapd slapd/backend select HDB
    6. Do you want the database to be removed when slapd is purge: Yes
      slapd slapd/purge_database boolean true
    7. Move old database: Yes
      slapd slapd/move_old_database boolean true
    8. Admin password: [your pwd]
      slapd slapd/password1 password
      [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]
    9. Confirm password: [your pwd]
      slapd slapd/password2 password
    10. Allow LDAPv2 protocol: No
      slapd slapd/allow_ldap_v2 boolean false
    Checkpoint: If you are successful, you should see as output:
    Stopping OpenLDAP: slapd.
    Moving old database directory to /var/backups:
    - directory unknown... done.
    Creating initial slapd configuration... done.
    Creating initial LDAP directory... done.
    * Reloading AppArmor profiles
    ... [ OK ]
    Starting OpenLDAP: slapd.
  3. If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  4. To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
  5. Reconfigure your kerberos
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install

5. Kerb Schema Operations

Loosely followed Ubuntu Guide and Kerberos V5 System Admin Guide

  1. You have not done so already, locate the kerberos.schema. kerberos.schema which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as
    • core.schema
    • inetorgperson.schema
    • kerberos.schema
    • misc.schema
    • openldap.schema
  2. Make this schema_convert.conf at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert schema --> LDIF with slaptest: slaptest -f tmp/schema_convert.conf -F /tmp/ldif_output
    Output: "config file testing succeeded"
    Checkpoint: If you sudo ls /tmp/ldif_output/cn\=config/cn\=schema, you should see:
    cn={0}core.ldif
    cn={1}corba.ldif
    cn={2}cosine.ldif
    cn={3}duaconf.ldif
    cn={4}inetorgperson.ldif
    cn={5}java.ldif
    cn={6}kerberos.ldif
    cn={7}misc.ldif
    cn={8}openldap.ldif
    cn={9}nis.ldif
  5. Need to modify kerberos.ldif.
    • Find which number kerberos.ldif is listed as: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines: from structuralObjectClasses: olcSchemaConfig to modifyTimestamp: 20090811205313Z
  6. load new schema: sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
    Output: adding new entry "cn=kerberos,cn=schema,cn=config"

6. Starting

  • Create your database with kdb5_ldap_util instead of kdb5_util:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s

output:

Initializing database for realm 'EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Kerberos container is missing. Creating now...
  • Stash the password:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    Checkpoint: If it works, you can do:
    • kadmin.local, try listprincs, quit by typing quit
  • krb5kdc
    Checkpoint: ps -ef | grep krb5kdc should show it running
  • Command to destroy kdb5_ldap_util: kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy

Scratch Pad

Assume People have done

   1  cd /tmp
   9  sudo apt-get install slapd
  10  sudo apt-get install ldap-utils
  14  sudo apt-get install libldap2-dev
  15  cd /home/haoqili/trunk/src/
  16  make distclean
  17  util/reconf
  18  ./configure --with-ldap
  19  make
  20  sudo make install

Code

   2  vim krb5.conf
   3  vim kdc.conf
   4  vim kadm5.acl
   5  export KRB5_CONFIG=/tmp/krb5.conf
   6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
   7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/



   8  mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?
  11  sudo dpkg-reconfigure slapd
  12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
  13  sudo vim /etc/default/slapd
  21  vim /tmp/schema_convert.conf
  22  mkdir /tmp/ldif_output
  23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
  24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
  25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
  26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
  27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  28  kadmin.local
  29  krb5kdc -n