LDAP on Kerberos

From K5Wiki
Revision as of 17:03, 15 August 2009

1. Information about the system

Package versions this walkthrough was done with:

  • Version of Ubuntu: 9.04 (jaunty)
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial that the domain names are correct and consistent: the realm name, the LDAP suffix (dc=example,dc=org below) and the DNs in the [dbmodules] section must all agree. krb5.conf must contain a [dbmodules] entry for the LDAP database (db_library = kldap), and the realm's stanza must point at it with database_module; without that the KDC uses the default db2 back end and never touches LDAP.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl
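The following krb5.conf is an added example that satisfies the two requirements above; it is not the page's own configuration file. The bind DN cn=admin,dc=example,dc=org, the ldapi:/// URL and the dc=example,dc=org suffix are taken from the rest of this page; the realm name EXAMPLE.ORG, the module name openldap_ldapconf, the container DN cn=krbContainer,dc=example,dc=org and the stash file path are assumptions made for illustration.

```ini
# Added example (not from the K5Wiki page): krb5.conf for an MIT KDC using
# the kldap back end. EXAMPLE.ORG, openldap_ldapconf, cn=krbContainer and
# /tmp/service.keyfile are assumed names; the bind DN, suffix and ldapi:///
# URL match the rest of the walkthrough.
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = localhost
        admin_server = localhost
# database_module must name a stanza in [dbmodules]; if it is missing the
# KDC silently falls back to the default db2 back end.
        database_module = openldap_ldapconf
    }

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=org

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=org
# DNs the KDC and kadmind bind as. Their passwords are not written here;
# "kdb5_ldap_util stashsrvpw" puts them in ldap_service_password_file,
# which must therefore be readable by root only.
        ldap_kdc_dn = cn=admin,dc=example,dc=org
        ldap_kadmind_dn = cn=admin,dc=example,dc=org
        ldap_service_password_file = /tmp/service.keyfile
# Unix-domain socket only, matching SLAPD_SERVICES="ldapi:///" below, so
# the bind password never crosses the network.
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
```

Point KRB5_CONFIG at this file (section 3) and the same ldapi:/// URL must be the only one slapd listens on (section 4, step 5); if you later put an ldap:// URL in ldap_servers you have reintroduced a cleartext network bind.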

3. Env

Export these variables in the shell you will run the KDC tools from, pointing at wherever you saved the files. KRB5_CONFIG and KRB5_KDC_PROFILE make the tools read your sandbox copies instead of /etc/krb5.conf and the default kdc.conf; LD_LIBRARY_PATH makes them load the freshly built libraries from src/lib ahead of any krb5 libraries installed on the system.

export KRB5_CONFIG=/tmp/krb5.conf
export KRB5_KDC_PROFILE=/tmp/kdc.conf
export LD_LIBRARY_PATH=[path to the kerberos src]/src/lib

I saved mine here:

KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf

KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf

LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib

4. Build Kerberos with the LDAP back end

  1. Install slapd package: sudo apt-get install slapd
  2. Install ldap-utils package (for ldapsearch): sudo apt-get install ldap-utils
  3. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd. The DNS domain name you give here determines the directory suffix (dc=example,dc=org) and the admin DN (cn=admin,dc=example,dc=org) used in every later step.
    • Omit OpenLDAP server configuration: No
    • DNS domain name: example.org
    • Organization name: example.org [note: I used the same name for simplicity]
    • Database backend to use: HDB
    • Do you want the database to be removed when slapd is purged: Yes
    • Move old database: Yes
    • Admin password: a
    • Confirm password: a
      (A one-character password is acceptable only in a throwaway sandbox: this is the password the KDC will bind with, and it ends up stashed on disk in the service password file.)
    • Allow LDAPv2 protocol: No
    Checkpoint: If you are successful, you should see as output:
    Stopping OpenLDAP: slapd.
    Moving old database directory to /var/backups:
    - directory unknown... done.
    Creating initial slapd configuration... done.
    Creating initial LDAP directory... done.
    * Reloading AppArmor profiles
    ... [ OK ]
    Starting OpenLDAP: slapd.
  4. If you haven't done so already, copy kerberos.schema from your Kerberos source tree into /etc/ldap/schema (the directory is owned by root, so this needs sudo): sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  5. To restrict access to the local machine, edit /etc/default/slapd (sudo vim /etc/default/slapd), search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
    With only the ldapi:/// Unix-domain socket listed, slapd opens no TCP listener at all, so the KDC's bind password and the principal keys it stores never cross the network in the clear (nothing in this walkthrough sets up TLS). Restart slapd for the change to take effect: sudo /etc/init.d/slapd restart
  6. To build Kerberos with LDAP back end support, install: sudo apt-get install libldap2-dev
  7. Reconfigure your Kerberos build so the LDAP back end is compiled in
    • Navigate to the Kerberos src directory
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install
    Checkpoint: kdb5_ldap_util is only built when --with-ldap is in effect, so after make install it should exist under the install prefix's sbin directory (/usr/local/sbin by default).

5. Kerb Schema Operations

Ubuntu Guide, loosely followed

  1. Locate kerberos.schema, which should be in /etc/ldap/schema/kerberos.schema. If it is not there, copy it from your Kerberos source tree: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure the stock schemas, such as core.schema, are also in /etc/ldap/schema; kerberos.schema uses attribute types (cn, for one) defined there.
  2. Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide. (The file is in slapd.conf syntax: one include line per schema file to convert, with core.schema and the other stock schemas before kerberos.schema, since slaptest rejects a schema that refers to attribute types not yet defined.)
  3. Make the directory to hold the output: mkdir /tmp/ldif_output
  4. Convert the schemas to LDIF with slaptest, giving the correct path to your schema_convert.conf: slaptest -f schema_convert.conf -F /tmp/ldif_output
    Checkpoint: Make sure there is a cn=config directory in /tmp/ldif_output
  5. Modify kerberos.ldif. slaptest names each schema entry with an {N} ordering index that depends on the position of kerberos.schema in schema_convert.conf, and it records operational attributes that a client is not allowed to supply, so the file cannot be loaded as it is.
    • Find which number kerberos.ldif was given: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it (use the number from the listing; it was 6 here): sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the operational attributes at the bottom: from structuralObjectClass: olcSchemaConfig through modifyTimestamp: 20090811205313Z (the timestamps will differ on your system)
  6. Load the new schema, replacing "-w a" with your password: sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
    If that bind is refused, Debian/Ubuntu packaged slapd usually lets root manage cn=config over ldapi:/// without a password: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif
    Checkpoint: ldapsearch -x -H ldapi:/// -D cn=admin,cn=config -w a -b cn=schema,cn=config '(cn=*kerberos)' dn should return one entry, cn={N}kerberos,cn=schema,cn=config, with whatever index slapd assigned.
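The three edits of step 5 are easy to get wrong by hand (the index is not always 6, and one leftover operational attribute makes ldapadd reject the whole entry), so here is an added shell example that applies them mechanically and checks the result before anything is loaded. It is not code from the page or from the krb5 project; it assumes the layout slaptest -F produces (a dn and cn carrying an {N} index, the olc* schema attributes, then the operational attributes last), and the sample LDIF it runs on is constructed here with placeholder OIDs.

```shell
#!/bin/sh
# Added example, not taken from the K5Wiki page: apply the edits of step 5
# to the slaptest output mechanically, then check the result before handing
# it to ldapadd. Assumes the layout slaptest -F produces: a dn/cn carrying
# an {N} ordering index, the olc* schema attributes, and the operational
# attributes (structuralObjectClass ... modifyTimestamp) at the end.
set -e

# fix_schema_ldif IN OUT: rewrite dn and cn to the final schema DN and drop
# everything from structuralObjectClass to the end of the entry. The index
# is matched as {[0-9]*}, so the actual value of N does not matter.
fix_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass:/,$d' "$1" > "$2"
}

# check_schema_ldif FILE: succeed only if dn/cn are rewritten and no
# operational attribute (which slapd refuses from a client) is left over.
check_schema_ldif() {
    grep -q '^dn: cn=kerberos,cn=schema,cn=config$' "$1" || return 1
    grep -q '^cn: kerberos$' "$1" || return 1
    ! grep -qE '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}

# Constructed sample standing in for /tmp/ldif_output/cn=config/cn=schema/
# cn={6}kerberos.ldif. The OIDs are placeholders, not the real ones.
tmp=$(mktemp -d)
cat > "$tmp/cn={6}kerberos.ldif" <<'EOF'
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'krbContainer' SUP top STRUCTURAL MUST ( cn ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 8c3f7e52-0000-1000-8000-000000000001
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
EOF

fix_schema_ldif "$tmp/cn={6}kerberos.ldif" "$tmp/kerberos.ldif"
if check_schema_ldif "$tmp/kerberos.ldif"; then
    echo "ready: $tmp/kerberos.ldif"
    # On the real system the next step is the page's step 6, for example:
    #   sudo ldapadd -x -D cn=admin,cn=config -w a -H ldapi:/// -f "$tmp/kerberos.ldif"
else
    echo "refusing to load $tmp/kerberos.ldif: edits incomplete" >&2
    exit 1
fi
```

Run it against the real file by replacing the constructed sample with the path printed by the sudo ls in step 5; the output file is left in the temporary directory so you can diff it against the original before loading.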
  • Command that worked: kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    stashsrvpw stores the bind password for cn=admin,dc=example,dc=org in the service password file named by ldap_service_password_file in [dbmodules]; the KDC and kadmind read their LDAP credentials from there. The password is only lightly obfuscated in that file, so it must be readable by root alone. Note also that with the LDAP back end the realm itself is created with kdb5_ldap_util (its create subcommand), not with kdb5_util.
  • krb5kdc -n (runs the KDC in the foreground, without detaching, which is what you want while debugging the LDAP back end)