
LDAP on Kerberos

From K5Wiki
Revision as of 15:35, 15 August 2009 by Haoqili (talk | contribs) (6. Build kerb. config)


1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

3. Env

You need to export these variables in your environment, with the paths pointing at wherever you saved these files.


KRB5_CONFIG=/tmp/krb5.conf

KRB5_KDC_PROFILE=/tmp/kdc.conf

LD_LIBRARY_PATH=[path to the kerberos src]/src/lib

I saved mine here:

KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf

KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf

LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib

4. Kerb Schema Operations

Ubuntu Guide, loosely followed

  1. Locate kerberos.schema, which should be in /etc/ldap/schema/kerberos.schema. If it is not there, copy it there from your kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure /etc/ldap/schema also contains the other schemas, such as core.schema.
  2. Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold the output: mkdir /tmp/ldif_output
  4. Convert the schema to LDIF with slaptest; make sure the path to your schema_convert.conf is correct: slaptest -f schema_convert.conf -F /tmp/ldif_output
    Checkpoint: Make sure there is a cn=config directory in your /tmp/ldif_output
  5. Modify kerberos.ldif.
    • Find which index number kerberos.ldif was given: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it (replace {6} with the index you found): sudo view /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines, from structuralObjectClass: olcSchemaConfig down to modifyTimestamp: 20090811205313Z (these are operational attributes written by slaptest and cannot be supplied on an add)
  6. Load the new schema, replacing "-w a" with your password: sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
  • Command that worked to stash the LDAP service password (again replace "-w a" with your password): kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  • Run the KDC in the foreground: krb5kdc -n
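The three edits in step 5 are easy to get subtly wrong by hand, so here is a small filter that applies them, written as an added example (it is not part of the original page or of the krb5 tree). It rewrites the dn and cn lines of a slaptest-generated cn={N}kerberos.ldif, whatever index N slaptest assigned, and drops everything from structuralObjectClass: onward, leaving a file ready for the ldapadd in step 6. The sample LDIF it runs on is constructed; a real one carries the full kerberos.schema attribute and object class definitions, which the filter leaves untouched.

```shell
#!/bin/sh
# Added example, not from the original page: applies the step 5 edits to a
# slaptest-generated cn={N}kerberos.ldif as a stdin -> stdout filter.
# The sample LDIF below is constructed; a real one carries the full
# kerberos.schema attribute and object class definitions.

# fix_schema_ldif: rewrite the dn and cn lines (any {N} index), then delete
# everything from structuralObjectClass: to end of file. Those trailing lines
# (entryUUID, creatorsName, timestamps, ...) are operational attributes that
# slaptest records but that must not be handed to ldapadd.
fix_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /,$d'
}

# sample_ldif: constructed stand-in for
# /tmp/ldif_output/cn=config/cn=schema/cn={6}kerberos.ldif
sample_ldif() {
    cat <<'EOF'
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( 1.1.1 NAME 'placeholderAttr' DESC 'constructed, not a real kerberos.schema entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
EOF
}

# count_lines: number of lines on stdin (grep -c avoids wc's padding)
count_lines() { grep -c ''; }

# Demonstration on the constructed sample. On the real file you would run:
#   fix_schema_ldif < /tmp/ldif_output/cn=config/cn=schema/cn={6}kerberos.ldif > /tmp/kerberos.ldif
# and then point the step 6 ldapadd at /tmp/kerberos.ldif.
sample_ldif | fix_schema_ldif
```

The sed range address `/^structuralObjectClass: /,$d` is what makes the trailing deletion robust: it does not care how many operational attributes slaptest emitted or what the timestamps were, only that the schema definitions above that line are kept intact.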

5. Build kerb. config (move this up?)

  1. Install slapd package: sudo apt-get install slapd
  2. Install ldap-utils package (for ldapsearch): sudo apt-get install ldap-utils
  3. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd
    • Omit OpenLDAP server configuration: No
    • DNS domain name: example.org
    • Organization name: example.org [note: I used the same name for simplicity]
    • Database backend to use: HDB
    • Do you want the database to be removed when slapd is purged: Yes
    • Move old database: Yes
    • Admin password: a
    • Confirm password: a
    • Allow LDAPv2 protocol: No
    Checkpoint: If you are successful, you should see this output:
      Stopping OpenLDAP: slapd.
        Moving old database directory to /var/backups:
        - directory unknown... done.
        Creating initial slapd configuration... done.
        Creating initial LDAP directory... done.
       * Reloading AppArmor profiles ...                                               [ OK ]
      Starting OpenLDAP: slapd.
  4. If you haven't done so already, copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  5. To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
    slapd then listens only on the local Unix-domain socket and not on any network port.


  • To build Kerberos with LDAP back end support, you need to install the libldap2-dev package, and configure with --with-ldap.
  • Configuring your KDC is similar to setting up a normal KDC, but your [dbmodules] section will look something like this:

[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=admin,dc=example,dc=com
    ldap_kadmind_dn = cn=admin,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
  }

(In a real deployment, you would probably create user DNs for the KDC and kadmin rather than using the admin DN, and grant them the minimum necessary access. But creating users in an OpenLDAP database didn't appear straightforward to me, so I skipped that step in my testing.)

  • When you create your database, instead of using kdb5_util, you use kdb5_ldap_util, like so:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

You'll have to enter your OpenLDAP admin password, which will be stored in the admin.stash file for use by the KDC and kadmind.
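Three things in the notes above deserve a check once the setup works: the [dbmodules] section binding the KDC and kadmind as separate, non-admin DNs rather than the OpenLDAP admin DN (the shortcut the parenthetical admits to), the admin.stash file that now holds the LDAP password being readable only by its owner, and SLAPD_SERVICES limiting slapd to ldapi:///. The script below is an added example, not code from the page or from the krb5 project; it runs each check against constructed weak and hardened inputs written to a temporary directory, and the hardened DNs (cn=kdc-service and cn=kadmin-service under ou=services) are sample values, not names the page or krb5 prescribe.

```shell
#!/bin/sh
# Added example, not from the page or the krb5 project: post-setup checks for
# an LDAP-backed KDC. All paths, DNs and files below are constructed for the
# demonstration; point the check functions at your real files to use them.

# conf_value FILE KEY : print the value of "KEY = value" from a krb5-style conf
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_separate_dns KDC_CONF : succeed only if ldap_kdc_dn and ldap_kadmind_dn
# are both set, differ from each other, and neither is the OpenLDAP admin DN
check_separate_dns() {
    kdc=$(conf_value "$1" ldap_kdc_dn)
    kadm=$(conf_value "$1" ldap_kadmind_dn)
    [ -n "$kdc" ] && [ -n "$kadm" ] || return 1
    [ "$kdc" != "$kadm" ] || return 1
    case "$kdc" in cn=admin,*) return 1;; esac
    case "$kadm" in cn=admin,*) return 1;; esac
    return 0
}

# check_stash FILE : succeed if the stash exists and group/other cannot read it
# (find -perm -040 / -004 test the group-read and other-read bits; portable)
check_stash() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# check_ldapi_only DEFAULTS_FILE : succeed if SLAPD_SERVICES is exactly ldapi:///
check_ldapi_only() {
    v=$(sed -n 's/^SLAPD_SERVICES=//p' "$1" | tr -d '"')
    [ "$v" = "ldapi:///" ]
}

# make_samples DIR : write constructed inputs, one weak and one hardened of each
make_samples() {
    cat > "$1/kdc-weak.conf" <<'EOF'
[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=admin,dc=example,dc=com
    ldap_kadmind_dn = cn=admin,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
  }
EOF
    cat > "$1/kdc-hardened.conf" <<'EOF'
[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=kdc-service,ou=services,dc=example,dc=com
    ldap_kadmind_dn = cn=kadmin-service,ou=services,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
  }
EOF
    printf 'SLAPD_SERVICES="ldapi:///"\n' > "$1/slapd-local"
    printf 'SLAPD_SERVICES="ldap:/// ldapi:///"\n' > "$1/slapd-all"
    printf 'constructed stash contents\n' > "$1/admin.stash"
    chmod 600 "$1/admin.stash"
    printf 'constructed stash contents\n' > "$1/admin-world-readable.stash"
    chmod 644 "$1/admin-world-readable.stash"
}

# report NAME CMD... : print ok/FAIL for one check
report() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fi
}

d=$(mktemp -d)
make_samples "$d"
report "weak conf: distinct non-admin DNs"     check_separate_dns "$d/kdc-weak.conf"
report "hardened conf: distinct non-admin DNs" check_separate_dns "$d/kdc-hardened.conf"
report "admin.stash (0600) owner-only"         check_stash "$d/admin.stash"
report "admin.stash (0644) owner-only"         check_stash "$d/admin-world-readable.stash"
report "slapd limited to ldapi:///"            check_ldapi_only "$d/slapd-local"
report "slapd also on ldap:///"                check_ldapi_only "$d/slapd-all"
rm -rf "$d"
```

The weak conf and the world-readable stash are expected to print FAIL: with the page's stanza the one admin password unlocks both the KDC and kadmind roles, and the stash file is exactly that password on disk, so its mode matters as much as the DNs do.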

There is more information in the krb5 admin guide (see the doc subdir of your source tree).