logo_kerberos.gif

Difference between revisions of "LDAP on Kerberos"

From K5Wiki
Jump to: navigation, search
(4. Build kerb. config)
(4. Build kerb. config)
Line 84: Line 84:
 
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code>
 
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code>
 
## Omit OpenLDAP server configuration: No
 
## Omit OpenLDAP server configuration: No
##: slapd slapd/no_configuration boolean false
+
##: slapd \t slapd/no_configuration boolean false
 
## DNS domain name: example.org
 
## DNS domain name: example.org
 
##: slapd slapd/domain string example.org
 
##: slapd slapd/domain string example.org

Revision as of 22:08, 17 August 2009

0. Sample code to follow

    1  cd /tmp
    2  vim krb5.conf
    3  vim kdc.conf
    4  vim kadm5.acl
    5  export KRB5_CONFIG=/tmp/krb5.conf
    6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
    7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
    8  mkdir krb5kdc
    9  sudo apt-get install slapd
   10  sudo apt-get install ldap-utils
   11  sudo dpkg-reconfigure slapd
   12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
   13  sudo vim /etc/default/slapd
   14  sudo apt-get install libldap2-dev
   15  cd /home/haoqili/trunk/src/
   16  make distclean
   17  util/reconf
   18  ./configure --with-ldap
   19  make
   20  sudo make install
   21  vim /tmp/schema_convert.conf
   22  mkdir /tmp/ldif_output
   23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
   24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
   25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
   26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
   27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
   28  kadmin.local
   29  krb5kdc -n

1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env and Setup

You need to export these lines into your env. Based on where you saved these files.

KRB5_CONFIG=/tmp/krb5.conf

KRB5_KDC_PROFILE=/tmp/kdc.conf

\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib

I saved mine here:

KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf

KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf

\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib


You should also make a krb5kdc folder (like in /tmp/krb5kdc)

Whatever you do, be consistent

4. Build kerb. config

  1. Install slapd package: sudo apt-get install slapd
    Asks for password.
  2. Install ldap-utils package (for ldapsearch): sudo apt-get install ldap-utils
  3. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd
    1. Omit OpenLDAP server configuration: No
      slapd \t slapd/no_configuration boolean false
    2. DNS domain name: example.org
      slapd slapd/domain string example.org
    3. Organization name: example.org [note: i used the same name for simplicity]
    4. Databases backend to use: HDB
    5. Do you want the database to be removed when slapd is purge: Yes
    6. Move old database: Yes
    7. Admin password: a
    8. Confirm password: a
    9. Allow LDAPv2 protocol: No
    Checkpoint: If you are successful, you should see as output:
    Stopping OpenLDAP: slapd.
    Moving old database directory to /var/backups:
    - directory unknown... done.
    Creating initial slapd configuration... done.
    Creating initial LDAP directory... done.
    * Reloading AppArmor profiles
    ... [ OK ]
    Starting OpenLDAP: slapd.
  4. If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  5. To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to:
    SLAPD_SERVICES="ldapi:///"
  6. To build Kerberos with LDAP back end support, install: sudo apt-get install libldap2-dev
  7. Reconfigure your kerberos
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install

5. Kerb Schema Operations

Loosely followed Ubuntu Guide and Kerberos V5 System Admin Guide

  1. You have not done so already, locate the kerberos.schema. kerberos.schema which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema
  2. Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert schema --> LDIF with slaptest: slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output
    Output: "config file testing succeeded"
    Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output
  5. Need to modify kerberos.ldif.
    • Find which number kerberos.ldif is listed as: sudo ls /tmp/ldif_output/cn\=config/cn\=schema
    • Edit it: sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines: from structuralObjectClasses: olcSchemaConfig to modifyTimestamp: 20090811205313Z
  6. load new schema, replace "-w a" with your password: sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
    Output: adding new entry "cn=kerberos,cn=schema,cn=config"

6. Starting

  • Create your database with kdb5_ldap_util instead of kdb5_util:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s

output:

Initializing database for realm 'EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Kerberos container is missing. Creating now...
  • Stash the password:
    kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
    If it works, you can do:
    • kadmin.local, try listprincs, quit by typing quit
    • krb5kdc -n if it runs, the cursor blinks on a new line
  • Command to destroy kdb5_ldap_util: kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy

Scratch Pad

Assume People have done=

   1  cd /tmp
   9  sudo apt-get install slapd
  10  sudo apt-get install ldap-utils
  14  sudo apt-get install libldap2-dev
  15  cd /home/haoqili/trunk/src/
  16  make distclean
  17  util/reconf
  18  ./configure --with-ldap
  19  make
  20  sudo make install

Code

   2  vim krb5.conf
   3  vim kdc.conf
   4  vim kadm5.acl
   5  export KRB5_CONFIG=/tmp/krb5.conf
   6  export KRB5_KDC_PROFILE=/tmp/kdc.conf
   7  export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/



   8  mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?
  11  sudo dpkg-reconfigure slapd
  12  sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
  13  sudo vim /etc/default/slapd
  21  vim /tmp/schema_convert.conf
  22  mkdir /tmp/ldif_output
  23  slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
  24  sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 
  25  sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
  26  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
  27  kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  28  kadmin.local
  29  krb5kdc -n