Difference between revisions of "LDAP on Kerberos"
From K5Wiki
Latest revision as of 12:26, 22 December 2015
About
A guide to setting up an LDAP backend for Kerberos.
To Do
- Slapd in sandbox, not /etc
- Simpler Domain names D.COM, R.COM
- Different domain names
- Figure out required schemas
- Figure out whether, in Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" on some Ubuntu versions
- Play around to get the minimum set of requirements
- update tree too, got a fix
0. Sample code to follow
Numbered shell history of one complete run; the Scratch Pad below regroups the same numbers.
     1  cd /tmp
     2  vim krb5.conf
     3  vim kdc.conf
     4  vim kadm5.acl
     5  export KRB5_CONFIG=/tmp/krb5.conf
     6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
     7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
     8  mkdir krb5kdc
     9  sudo apt-get install slapd
    10  sudo apt-get install ldap-utils
    11  sudo dpkg-reconfigure slapd
    12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
    13  sudo vim /etc/default/slapd
    14  sudo apt-get install libldap2-dev
    15  cd /home/haoqili/trunk/src/
    16  make distclean
    17  autoreconf
    18  ./configure --with-ldap
    19  make
    20  sudo make install
    21  vim /tmp/schema_convert.conf
    22  mkdir /tmp/ldif_output
    23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
    24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif
    25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
    26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
    27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    28  kadmin.local
    29  krb5kdc -n
1. Information about the system
- Packages:
  - Version of Ubuntu:
        $ lsb_release -a
        No LSB modules are available.
        Distributor ID: Ubuntu
        Description:    Ubuntu 9.04
        Release:        9.04
        Codename:       jaunty
  - Version of slapd: 2.4.15 (Mar 19 2009)
        $ slapd -V
        @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
                buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  - Version of ldap-utils: 2.4.15
        $ dpkg -l ldap-utils
2. Extract krb conf files
- It is crucial to use correct, consistent domain names everywhere. krb5.conf must contain a dbmodules section.
- Save krb5.conf
- Save kdc.conf
- Save kadm5.acl
3. Env and Setup
Export these variables in the environment you will run the tools from, adjusting the paths to wherever you saved the files:
- export KRB5_CONFIG=/tmp/sandbox/krb5.conf
- export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf
- Make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc
Whatever you do, be consistent.
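The script below is an added example, not part of this guide and not MIT krb5's own code. It writes a sandbox krb5.conf (with the dbmodules section that section 2 requires) and kdc.conf, exports the two variables above, and then checks the consistency the guide keeps asking for: the realm named in [libdefaults] must have a stanza in both files, and every DN under [dbmodules] must end in that realm's base DN. The realm EXAMPLE.ORG, the bind DN cn=admin,..., the paths under $SANDBOX and the kdc/admin_server values are assumptions for the demo; the dbmodules key names are the ones documented for the kldap module. The mismatch it flags is the one told in the Errors section, where the realm was renamed to D.COM while the DNs and config files still said example.org.

```shell
#!/bin/sh
# Added example (not from the K5Wiki page or MIT krb5): generate a sandbox
# krb5.conf/kdc.conf pair and verify that realm, container DN and bind DNs agree.
# Assumptions: realm EXAMPLE.ORG, admin DN cn=admin,<base dn>, paths under $SANDBOX.

SANDBOX="${SANDBOX:-/tmp/sandbox-demo.$$}"

# "EXAMPLE.ORG" -> "dc=example,dc=org": lowercase, one dc= component per label.
realm_to_base_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | awk -F'[.]' '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Write krb5.conf and kdc.conf for realm $1 into $SANDBOX. An optional $2
# overrides the base DN, which lets the demo reproduce the page's mistake of
# renaming the realm while the DNs still say example.org.
write_sandbox_config() {
    realm="$1"
    base_dn="$2"
    [ -n "$base_dn" ] || base_dn=$(realm_to_base_dn "$realm")
    mkdir -p "$SANDBOX/krb5kdc"
    cat > "$SANDBOX/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = localhost
        admin_server = localhost
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,$base_dn
        ldap_kdc_dn = cn=admin,$base_dn
        ldap_kadmind_dn = cn=admin,$base_dn
        ldap_service_password_file = $SANDBOX/service_passwd
        ldap_servers = ldapi:///
    }
EOF
    cat > "$SANDBOX/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = 88

[realms]
    $realm = {
        database_module = openldap_ldapconf
        acl_file = $SANDBOX/kadm5.acl
    }
EOF
}

# First "key = value" in config file $1 for key $2, surrounding whitespace stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the default realm has a stanza in both files and every DN in
# [dbmodules] ends in that realm's base DN; print each mismatch and return 1 otherwise.
check_realm_consistency() {
    krb5="$SANDBOX/krb5.conf"
    kdc="$SANDBOX/kdc.conf"
    realm=$(conf_value "$krb5" default_realm)
    expected_dn=$(realm_to_base_dn "$realm")
    status=0
    for f in "$krb5" "$kdc"; do
        grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$f" \
            || { echo "no [realms] stanza for $realm in $f"; status=1; }
    done
    for key in ldap_kerberos_container_dn ldap_kdc_dn ldap_kadmind_dn; do
        dn=$(conf_value "$krb5" "$key")
        case "$dn" in
            *",$expected_dn") ;;
            *) echo "$key = $dn does not end in $expected_dn"; status=1 ;;
        esac
    done
    return $status
}

# Demo: build the consistent sandbox and export the variables from section 3.
write_sandbox_config EXAMPLE.ORG
export KRB5_CONFIG="$SANDBOX/krb5.conf"
export KRB5_KDC_PROFILE="$SANDBOX/kdc.conf"
if check_realm_consistency; then
    echo "consistent: $KRB5_CONFIG and $KRB5_KDC_PROFILE agree on $(conf_value "$KRB5_CONFIG" default_realm)"
fi
```

Run it with sh; KRB5_CONFIG and KRB5_KDC_PROFILE then point at the generated files, and rerunning check_realm_consistency after any hand edit tells you at once whether a realm or DN fell out of step.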
4. Build kerb. config
- Install packages:
  - sudo apt-get install slapd
  - for ldapsearch: sudo apt-get install ldap-utils
  - sudo apt-get install libldap2-dev
- Set the "domain" of your LDAP server
  - Option 1, interactive: sudo dpkg-reconfigure slapd
    Indented below each prompt is the matching debconf-get-selections line.
    - Omit OpenLDAP server configuration: No
          slapd slapd/no_configuration boolean false
    - DNS domain name: example.org
          slapd slapd/domain string example.org
    - Organization name: example.org [note: I used the same name for simplicity]
          slapd shared/organization string example.org
    - Database backend to use: HDB, instead of BDB
          slapd slapd/backend select HDB
    - Do you want the database to be removed when slapd is purged: Yes
          slapd slapd/purge_database boolean true
    - Move old database: Yes
          slapd slapd/move_old_database boolean true
    - Admin password: [your pwd]
          slapd slapd/password1 password
          [I'm not sure about the debconf-get-selections line here. There are 5 different password lines!]
    - Confirm password: [your pwd]
          slapd slapd/password2 password
    - Allow LDAPv2 protocol: No
          slapd slapd/allow_ldap_v2 boolean false
  - Option 2, noninteractive:
    - sudo apt-get install debconf-utils
    - Save this file in /tmp/debconfile: debconfile
    - sudo debconf-set-selections /tmp/debconfile
    - sudo dpkg-reconfigure --frontend=noninteractive slapd
  - Checkpoint: if you are successful, you should see as output:
        Stopping OpenLDAP: slapd.
        Moving old database directory to /var/backups:
        - directory unknown... done.
        Creating initial slapd configuration... done.
        Creating initial LDAP directory... done.
        * Reloading AppArmor profiles
        ... [ OK ]
        Starting OpenLDAP: slapd.
- If you haven't done so already, copy kerberos.schema from your Kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
- To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to: SLAPD_SERVICES="ldapi:///"
- Reconfigure your Kerberos:
  - Navigate to the Kerberos src directory
  - make distclean
  - util/reconf
  - ./configure --with-ldap
  - make
  - sudo make install
5. Kerb Schema Operations
Loosely followed the Ubuntu Guide (http://ajuda.ubuntu.cat/9.04/serverguide/kerberos-ldap.html) and the Kerberos V5 System Admin Guide (http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend).
- If you have not done so already, locate kerberos.schema, which should be at /etc/ldap/schema/kerberos.schema. If it is not there, copy it there from your Kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  - Checkpoint: make sure there is a list of different schemas in /etc/ldap/schema, such as
    - core.schema
    - inetorgperson.schema
    - kerberos.schema
    - misc.schema
    - openldap.schema
- Make this schema_convert.conf at /tmp/schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
- Make the directory to hold the output: mkdir /tmp/ldif_output
- Convert schema --> LDIF with slaptest: slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output
  - Output: "config file testing succeeded"
  - Checkpoint: if you run sudo ls /tmp/ldif_output/cn\=config/cn\=schema, you should see:
        cn={0}core.ldif
        cn={1}corba.ldif
        cn={2}cosine.ldif
        cn={3}duaconf.ldif
        cn={4}inetorgperson.ldif
        cn={5}java.ldif
        cn={6}kerberos.ldif
        cn={7}misc.ldif
        cn={8}openldap.ldif
        cn={9}nis.ldif
- Modify kerberos.ldif:
  - Find which number kerberos.ldif is listed as: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
  - Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
    - change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
    - change cn: {6}kerberos into cn: kerberos
    - delete the bottom lines, from structuralObjectClass: olcSchemaConfig to modifyTimestamp: 20090811205313Z
- Load the new schema: sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
  - Note: if you get a "Can't contact LDAP server" error, check ps -ef | grep slapd to see how slapd was started and change accordingly. A common fix is to run sudo ldapadd with ldap:/// instead of ldapi:///
  - Output: adding new entry "cn=kerberos,cn=schema,cn=config"
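The script below is an added example, not the page's or OpenLDAP's code: it makes the three edits listed above with sed instead of vim, on a constructed and abbreviated stand-in for cn={6}kerberos.ldif, and then checks that the result is ready for ldapadd. The range deletion is keyed on the structuralObjectClass line so that it removes everything down to modifyTimestamp, which are the operational attributes ldapadd cannot supply. The temporary directory and the sample file contents are constructed for the demo (the attribute type inside it uses the OID the page's duplicate-schema error reports).

```shell
#!/bin/sh
# Added example (not from the K5Wiki page or OpenLDAP): turn the slaptest
# output cn={6}kerberos.ldif into a file that ldapadd accepts under cn=config.
# The sample input below is constructed and abbreviated to one attribute type.

WORK=$(mktemp -d)

# Constructed stand-in for what slaptest writes into cn=config/cn=schema/.
cat > "$WORK/cn={6}kerberos.ldif" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
EOF

# Rewrite $1 into $2: drop the {n} ordering index from dn and cn, give the dn
# its full position under cn=schema,cn=config, and delete from the
# structuralObjectClass line to the end of the file (the operational
# attributes, down to modifyTimestamp, that ldapadd is not allowed to set).
fix_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}\(.*\)$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}\(.*\)$/cn: \1/' \
        -e '/^structuralObjectClass/,$d' "$1" > "$2"
}

# Return 0 when file $1 is ready to load as schema $2: dn and cn carry no
# index, the dn sits under cn=schema,cn=config, and no operational attribute remains.
schema_ldif_ready() {
    grep -qx "dn: cn=$2,cn=schema,cn=config" "$1" || return 1
    grep -qx "cn: $2" "$1" || return 1
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}

# Demo: rewrite the sample and show the result (left in $WORK for inspection).
fix_schema_ldif "$WORK/cn={6}kerberos.ldif" "$WORK/kerberos.ldif"
if schema_ldif_ready "$WORK/kerberos.ldif" kerberos; then
    echo "ready: sudo ldapadd -x -D cn=admin,cn=config -W -H ldapi:/// -f $WORK/kerberos.ldif"
fi
cat "$WORK/kerberos.ldif"
```

Point fix_schema_ldif at the real file under /tmp/ldif_output/cn\=config/cn\=schema/ (with sudo, since slaptest output is root-owned) and load the rewritten copy; the original stays untouched, which makes it easy to redo the step if the index number turns out to be different from 6.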
6. Starting
- Create your database with kdb5_ldap_util instead of kdb5_util:
        kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s
  Note that if you used ldapadd with ldap:/// instead of ldapi:///, it should also be ldap:/// here.
  Output:
        Initializing database for realm 'EXAMPLE.ORG'
        You will be prompted for the database Master Password.
        It is important that you NOT FORGET this password.
        Enter KDC database master key:
        Re-enter KDC database master key to verify:
        Kerberos container is missing. Creating now...
- Stash the password:
        kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  - Checkpoint: if it works, you can run kadmin.local, try listprincs, and leave by typing quit
- Start the KDC: krb5kdc
  - Checkpoint: ps -ef | grep krb5kdc should show it running
- Command to destroy the database with kdb5_ldap_util: kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy
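The note above about keeping ldapi:/// and ldap:/// consistent, together with the "Can't contact LDAP server" and "-h" versus "-H" entries under Errors, comes down to one question: does the running slapd serve the URI the client is about to use? The script below is an added example (not the page's or OpenLDAP's code) that answers it from a ps -ef line: it extracts slapd's listener list, compares it with the client's URI, reads SLAPD_SERVICES out of a /etc/default/slapd file, and catches the ldapadd slip of passing a URI to -h. The ps lines, the client command and the defaults file are constructed from the ones the page shows.

```shell
#!/bin/sh
# Added example (not from the K5Wiki page or OpenLDAP): check that the URI a
# client passes with -H is one the running slapd actually listens on.
# All sample inputs are constructed, modelled on the page's Errors section.

# URIs slapd listens on: the arguments after its -h flag, up to the next option.
# (slapd takes -h for URIs; the ldap_utils clients take -H.)
slapd_listen_uris() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "-h") { listing = 1; continue }
            if (listing && $i ~ /^-/) break
            if (listing) print $i
        }
    }'
}

# Return 0 when the slapd in ps line $1 serves URI $2 exactly.
slapd_serves_uri() {
    slapd_listen_uris "$1" | grep -qxF -- "$2"
}

# SLAPD_SERVICES from a /etc/default/slapd file: the value the init script
# hands to slapd -h, so the client's URI must be listed there too.
default_slapd_services() {
    sed -n 's/^SLAPD_SERVICES="\(.*\)"$/\1/p' "$1" | head -n 1
}

# Return 1 when a client command line passes a URI to -h: ldapadd takes a
# hostname there and a URI only after -H, which is the page's "Bad parameter" error.
client_uri_flag_ok() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-h" && $(i + 1) ~ /:\/\//) exit 1
    }'
}

# One-line verdict for a client about to bind to URI $2 given slapd ps line $1.
diagnose_bind() {
    if [ -z "$1" ]; then
        echo "slapd is not running: start it before running ldapadd"
        return 1
    fi
    if slapd_serves_uri "$1" "$2"; then
        echo "slapd serves $2; the bind should reach it"
        return 0
    fi
    served=$(slapd_listen_uris "$1" | tr '\n' ' ')
    echo "slapd serves only ${served}but not $2: use one of those with -H, or add $2 to SLAPD_SERVICES and restart slapd"
    return 1
}

# Constructed samples, modelled on the ps lines in the Errors section.
PS_BOTH='openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/'
PS_LDAP_ONLY='openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/'
CLIENT_BAD='sudo ldapadd -x -D cn=admin,cn=config -W -f kerberos.ldif -h ldap:///'
DEFAULTS=$(mktemp)
printf 'SLAPD_SERVICES="ldapi:///"\n' > "$DEFAULTS"

# Demo: the working case, the page's failing case, and slapd not running at all.
diagnose_bind "$PS_BOTH" ldapi:///
diagnose_bind "$PS_LDAP_ONLY" ldapi:/// || true
diagnose_bind "" ldapi:/// || true
echo "/etc/default/slapd would start slapd with: $(default_slapd_services "$DEFAULTS")"
client_uri_flag_ok "$CLIENT_BAD" || echo "ldapadd: -h takes a host, use -H for a URI"
```

On a live system feed diagnose_bind the output of ps -ef | grep '[s]lapd' and the URI from your ldapadd or kdb5_ldap_util command; the SLAPD_SERVICES check shows why restricting the listener to ldapi:/// in section 4 means every later -H must say ldapi:/// as well.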
Scratch Pad
Assume people have done:
     1  cd /tmp
     9  sudo apt-get install slapd
    10  sudo apt-get install ldap-utils
    14  sudo apt-get install libldap2-dev
    15  cd /home/haoqili/trunk/src/
    16  make distclean
    17  util/reconf
    18  ./configure --with-ldap
    19  make
    20  sudo make install
Code
     2  vim krb5.conf
     3  vim kdc.conf
     4  vim kadm5.acl
     5  export KRB5_CONFIG=/tmp/krb5.conf
     6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
     7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
    ---------------------------------------
     8  mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc?)
    11  sudo dpkg-reconfigure slapd
    12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
    13  sudo vim /etc/default/slapd
    21  vim /tmp/schema_convert.conf
    22  mkdir /tmp/ldif_output
    23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
    24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif
    25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
    26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
    27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    28  kadmin.local
    29  krb5kdc -n
Errors
- sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
  - ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
  - SOLUTION: Make sure that you have slapd started, and make sure that the -H ldapi:/// is consistent.
        sudo /usr/sbin/slapd -H ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
        openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
  - sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
    - Output: adding new entry "cn=kerberos,cn=schema,cn=config"
          openldap 11434 1 0 12:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
- sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///
  - ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine
  - SOLUTION: Change "-h" to "-H"
- Transcript: slapd was not running, then was started; the ldapadd that follows reports the attribute type as already defined:
        haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla
        haoqili 12228 4371 0 12:26 pts/0 00:00:00 grep sla
        haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
        ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
        haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
        haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
        adding new entry "cn=kerberos,cn=schema,cn=config"
        ldap_add: Other (e.g., implementation specific) error (80)
                additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"
- DbDriver is locked
        sudo debconf-set-selections /tmp/debconfile
        [sudo] password for haoqili:
        debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
  OR
        sudo dpkg-reconfigure --frontend=noninteractive
        [sudo] password for haoqili:
        debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
  - SOLUTION: This will tell you what is locking it: fuser -v /var/cache/debconf/config.dat (from http://spiralinks.blogspot.com/2009/07/debian-apt-get-interrupted-leaves-files.html).
- Here is a series of steps, some with errors, that I got when changing the domain name (specified via sudo dpkg-reconfigure slapd) from "example.org" to "D.COM". The errors might help point people in the right direction if they encounter the same ones.
  - With my config files still with realms set to "example.org", after I did
        sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
        Enter LDAP Password:
        adding new entry "cn=kerberos,cn=schema,cn=config"
  - I then did kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// create -s
    - ERROR: kdb5_ldap_util: Invalid credentials while initializing database
    - Explanation: this is because the dc is no longer example.org. So I did:
  - Changing this command to reflect the correct domain: kdb5_ldap_util -D cn=admin,dc=D,dc=COM -H ldapi:/// create -s
    - Output:
        Password for "cn=admin,dc=D,dc=COM":
        Initializing database for realm 'EXAMPLE.ORG'
        You will be prompted for the database Master Password.
        It is important that you NOT FORGET this password.
        Enter KDC database master key:
        Re-enter KDC database master key to verify:
        Kerberos container is missing. Creating now...
    - ERROR: kdb5_ldap_util: Kerberos Container create FAILED: Server is unwilling to perform while creating realm 'EXAMPLE.ORG'
    - Explanation: this is because even though the domain names in the command have changed, the config files (krb5.conf, kdc.conf) also need to reflect the correct domain name.
- After changing all the example.org's into d.com's, the create command worked. So I proceeded to: kdb5_ldap_util -D cn=admin,dc=example,dc=org -H ldapi:/// stashsrvpw cn=admin,dc=D,dc=COM, and entered my passwords.
- kadmin.local and krb5kdc failed with errors:
        $ kadmin.local
        Authenticating as principal haoqili/admin@D.COM with password.
        kadmin.local: Server error while initializing kadmin.local interface
        $ krb5kdc
        krb5kdc: cannot initialize realm D.COM - see log file for details
  - I looked at the kdc log file; it says: krb5kdc: Error reading password from stash: Bind DN entry missing in stash file - while initializing database for realm D.COM
- $ kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  - Password for "cn=admin,dc=example,dc=org":
  - Re-enter password for "cn=admin,dc=example,dc=org":
  - ERROR: kdb5_ldap_util: Permission denied Failed to open file /usr/local/var/service_passwd: Permission denied
  - SOLUTION: make sure your config files are exported in the terminal you use to run this command.