Difference between revisions of "LDAP on Kerberos"

From K5Wiki

Revision as of 11:02, 24 August 2009

About

A guide to setting up an OpenLDAP (slapd) backend for the Kerberos KDC database.

To Do

  • Slapd in sandbox, not /etc
  • Simpler Domain names D.COM, R.COM
  • Different domain names
  • Figure out required schemas
  • Figure out: In Kerb Schema Operations, I can do "or update slapd.conf with kerb schema or ldif" in some ubuntu
  • Play around to get minimum set of requirement
  • update tree too, got a fix

0. Sample code to follow

    1  cd /tmp
    2  vim krb5.conf
    3  vim kdc.conf
    4  vim kadm5.acl
    5  export KRB5_CONFIG=/tmp/krb5.conf
    6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
    7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
    8  mkdir krb5kdc
    9  sudo apt-get install slapd
   10  sudo apt-get install ldap-utils
   11  sudo dpkg-reconfigure slapd
   12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
   13  sudo vim /etc/default/slapd
   14  sudo apt-get install libldap2-dev
   15  cd /home/haoqili/trunk/src/
   16  make distclean
   17  util/reconf
   18  ./configure --with-ldap
   19  make
   20  sudo make install
   21  vim /tmp/schema_convert.conf
   22  mkdir /tmp/ldif_output
   23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
   24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
   25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
   26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
   27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
   28  kadmin.local
   29  krb5kdc -n

1. Information about the system

Packages:

  • Version of Ubuntu: 9.04 (jaunty)
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial to use correct, consistent domain names across all three files. krb5.conf must contain the [dbmodules] section that points the KDC at the LDAP backend.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env and Setup

Export these variables in your environment, adjusting the paths to wherever you saved the files above:

  • export KRB5_CONFIG=/tmp/sandbox/krb5.conf
  • export KRB5_KDC_PROFILE=/tmp/sandbox/kdc.conf
  • make a krb5kdc folder: mkdir /tmp/sandbox/krb5kdc

Whatever you do, be consistent.

4. Build kerb. config

  1. Install Packages:
    • sudo apt-get install slapd
    • for ldapsearch: sudo apt-get install ldap-utils
    • sudo apt-get install libldap2-dev
  2. Set the "domain" of your LDAP server
    • Option 1, Interactive Option: sudo dpkg-reconfigure slapd
      The indented line under each prompt is the corresponding debconf-get-selections entry
      1. Omit OpenLDAP server configuration: No
        slapd slapd/no_configuration boolean false
      2. DNS domain name: example.org
        slapd slapd/domain string example.org
      3. Organization name: example.org [note: I used the same name for simplicity]
        slapd shared/organization string example.org
      4. Databases backend to use: HDB, instead of BDB
        slapd slapd/backend select HDB
      5. Do you want the database to be removed when slapd is purged: Yes
        slapd slapd/purge_database boolean true
      6. Move old database: Yes
        slapd slapd/move_old_database boolean true
      7. Admin password: [your pwd]
        slapd slapd/password1 password
        [I'm not sure about the debconf-get-selection line here. There are 5 different password lines!]
      8. Confirm password: [your pwd]
        slapd slapd/password2 password
      9. Allow LDAPv2 protocol: No
        slapd slapd/allow_ldap_v2 boolean false
    • Option 2, Noninteractive Option
      1. Save the debconf selections (the indented lines above) as /tmp/debconfile: [debconfile]
      2. sudo debconf-set-selections /tmp/debconfile
      3. sudo dpkg-reconfigure --frontend=noninteractive slapd
    • Checkpoint: If you are successful, you should see as output:
      Stopping OpenLDAP: slapd.
      Moving old database directory to /var/backups:
      - directory unknown... done.
      Creating initial slapd configuration... done.
      Creating initial LDAP directory... done.
      * Reloading AppArmor profiles
      ... [ OK ]
      Starting OpenLDAP: slapd.
  3. If you haven't done so already, copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  4. To restrict slapd to the local machine (the ldapi Unix socket only, no network listener), sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
  5. Rebuild Kerberos with LDAP support:
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install
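As an added check (not part of the original guide), the following Python code reads the SLAPD_SERVICES setting from step 4, or the -h arguments of a running slapd as shown by ps -ef, and reports which listeners are reachable from other hosts. The file fragment and the ps line are constructed for the example.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed inputs: an /etc/default/slapd fragment in the locked-down form
# from step 4, and a ps -ef line like the ones in the Errors section below.
DEFAULT_SLAPD = '# SLAPD_SERVICES="ldap:/// ldapi:///"\nSLAPD_SERVICES="ldapi:///"\n'
PS_LINE = ("openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// "
           "-g openldap -u openldap -F /etc/ldap/slapd.d/")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def services_from_default_file(text):
    """Listener URIs from the last uncommented SLAPD_SERVICES= line."""
    uris = []
    for line in text.splitlines():
        m = re.match(r'\s*SLAPD_SERVICES=["\']?([^"\'#]*)', line)
        if m:
            uris = m.group(1).split()
    return uris


def services_from_cmdline(cmdline):
    """Listener URIs a running slapd was given with -h (the init script passes
    SLAPD_SERVICES this way; a slapd started by hand may pass something else)."""
    argv = shlex.split(cmdline)
    if "-h" not in argv:
        return []
    uris = []
    for arg in argv[argv.index("-h") + 1:]:
        if arg.startswith("-"):
            break
        uris.extend(arg.split())  # also handles a quoted "-h 'ldap:/// ldapi:///'"
    return uris


def network_listeners(uris):
    """Subset of listener URIs reachable from other hosts: ldapi:// is a local
    Unix socket and ldap(s):// on a loopback address stays local; no host
    (all interfaces), 0.0.0.0 or a real address exposes the directory that
    holds the KDC's principal database."""
    exposed = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme == "ldapi" or (parts.hostname or "") in LOOPBACK:
            continue
        exposed.append(uri)
    return exposed
```

Run network_listeners over both sources: the file from step 4 yields nothing, while a slapd started by hand with -h ldap:/// ldapi:/// reports ldap:/// as exposed.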

5. Kerb Schema Operations

This loosely follows the Ubuntu Guide and the Kerberos V5 System Administrator's Guide.

  1. If you have not done so already, locate kerberos.schema, which should be in /etc/ldap/schema/kerberos.schema. If it is not there, copy it there from your kerberos trunk: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as
    • core.schema
    • inetorgperson.schema
    • kerberos.schema
    • misc.schema
    • openldap.schema
  2. Create this schema_convert.conf at /tmp/schema_convert.conf. Note: this is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold the output: mkdir /tmp/ldif_output
  4. Convert the schema to LDIF with slaptest: slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output
    Output: "config file testing succeeded"
    Checkpoint: If you sudo ls /tmp/ldif_output/cn\=config/cn\=schema, you should see:
    cn={0}core.ldif
    cn={1}corba.ldif
    cn={2}cosine.ldif
    cn={3}duaconf.ldif
    cn={4}inetorgperson.ldif
    cn={5}java.ldif
    cn={6}kerberos.ldif
    cn={7}misc.ldif
    cn={8}openldap.ldif
    cn={9}nis.ldif
  5. Modify kerberos.ldif so that ldapadd can load it into the running server.
    • Find which number kerberos.ldif is listed as: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines: from structuralObjectClass: olcSchemaConfig to modifyTimestamp: 20090811205313Z
  6. Load the new schema: sudo ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
    Output: adding new entry "cn=kerberos,cn=schema,cn=config"
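The edits of step 5 as a script, added here and not part of the original guide: it rewrites a slaptest-generated schema LDIF for whatever index {N} slaptest assigned, not only {6}. The LDIF sample is constructed and abbreviated (the krbPrincipalName OID is the one quoted in the Errors section below; timestamps and UUID are made up).

```python
import re

# Constructed, abbreviated sample of what slaptest writes to
# cn=config/cn=schema/cn={6}kerberos.ldif (a real file has many more
# olcAttributeTypes / olcObjectClasses entries; timestamps are made up).
SLAPTEST_LDIF = """\
dn: cn={6}kerberos
objectClass: olcSchemaConfig
cn: {6}kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' E
 QUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP
  top AUXILIARY MAY krbPrincipalName )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090811205313Z
entryCSN: 20090811205313.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090811205313Z
"""


def prepare_schema_ldif(text, name="kerberos"):
    """Rewrite a slaptest-generated schema LDIF so ldapadd can load it under
    cn=schema,cn=config, for whatever index {N} slaptest assigned:
      * dn: cn={N}<name>   ->  dn: cn=<name>,cn=schema,cn=config
      * cn: {N}<name>      ->  cn: <name>
      * everything from structuralObjectClass: onward is dropped (these are
        server-maintained operational attributes a client must not supply)
    Returns (new_ldif, N). Raises ValueError if no such dn line is present."""
    dn_re = re.compile(r"dn: cn=\{(\d+)\}" + re.escape(name) + r"$")
    cn_re = re.compile(r"cn: \{\d+\}" + re.escape(name) + r"$")
    out, index = [], None
    for line in text.splitlines():
        m = dn_re.match(line)
        if m:
            index = int(m.group(1))
            out.append(f"dn: cn={name},cn=schema,cn=config")
        elif cn_re.match(line):
            out.append(f"cn: {name}")
        elif line.startswith("structuralObjectClass:"):
            break  # operational attributes start here; drop the rest
        else:
            out.append(line)  # schema definitions and their continuation lines
    if index is None:
        raise ValueError("no 'dn: cn={N}%s' line found" % name)
    return "\n".join(out) + "\n", index
```

Write the returned LDIF to a file and pass it to the ldapadd command of step 6; the returned index tells you which cn={N} file slaptest produced.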

6. Starting

  • Create your database with kdb5_ldap_util instead of kdb5_util:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// create -s
    Output:
      Initializing database for realm 'EXAMPLE.ORG'
      You will be prompted for the database Master Password.
      It is important that you NOT FORGET this password.
      Enter KDC database master key: 
      Re-enter KDC database master key to verify: 

      Kerberos container is missing. Creating now...
  • Stash the LDAP bind password for the admin DN so the KDC can bind without prompting:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    Checkpoint: If it works, you can run kadmin.local, try listprincs, and quit by typing quit.
  • Start the KDC: krb5kdc
    Checkpoint: ps -ef | grep krb5kdc should show it running.
  • Command to destroy the LDAP-backed database: kdb5_ldap_util -D cn=admin,dc=example,dc=org -W -H ldapi:/// destroy

Scratch Pad

Assume people have already done:

   1  cd /tmp
   9  sudo apt-get install slapd
  10  sudo apt-get install ldap-utils
  14  sudo apt-get install libldap2-dev
  15  cd /home/haoqili/trunk/src/
  16  make distclean
  17  util/reconf
  18  ./configure --with-ldap
  19  make
  20  sudo make install

Code

   2  vim krb5.conf
   3  vim kdc.conf
   4  vim kadm5.acl
   5  export KRB5_CONFIG=/tmp/krb5.conf
   6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
   7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/

   8  mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?
  11  sudo dpkg-reconfigure slapd
  12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
  13  sudo vim /etc/default/slapd
  21  vim /tmp/schema_convert.conf
  22  mkdir /tmp/ldif_output
  23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
  24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
  25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
  26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
  27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  28  kadmin.local
  29  krb5kdc -n

Errors

  • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
    ERROR: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    SOLUTION: Make sure that slapd is started, and that the -H URI you give ldapadd matches one slapd is actually listening on (its -h arguments, visible in ps -ef):
      sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
      openldap 5716 1 0 11:55 ? 00:00:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
    • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
      Output: adding new entry "cn=kerberos,cn=schema,cn=config"
      openldap 11434     1  0 12:06 ?        00:00:00 /usr/sbin/slapd -h ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d/
  • sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -h ldap:///
    ERROR: Could not create LDAP session handle for URI=ldap://ldap:%2F%2F%2F (-9): Bad parameter to an ldap routine
    SOLUTION: Change "-h" to "-H" (for ldapadd, -h takes a hostname and -H takes a URI).
    Transcript (the Duplicate attributeType error at the end means the kerberos schema had already been loaded by the earlier successful ldapadd):
      haoqili@reach-my-dream:~/trunk/src$ ps -ef | grep sla
      haoqili  12228  4371  0 12:26 pts/0    00:00:00 grep sla
      haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
      ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
      haoqili@reach-my-dream:~/trunk/src$ sudo /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d/ 
      haoqili@reach-my-dream:~/trunk/src$ sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldap:///
      adding new entry "cn=kerberos,cn=schema,cn=config"
      ldap_add: Other (e.g., implementation specific) error (80)
      	additional info: olcAttributeTypes: Duplicate attributeType: "2.16.840.1.113719.1.301.4.1.1"
  • DbDriver is locked
      sudo debconf-set-selections /tmp/debconfile 
      [sudo] password for haoqili: 
      debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
    OR
      sudo dpkg-reconfigure --frontend=noninteractive
      [sudo] password for haoqili: 
      debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable
    SOLUTION: This will tell you what is locking it: fuser -v /var/cache/debconf/config.dat. From here.