Difference between revisions of "LDAP on Kerberos"
From K5Wiki
(→4. Build kerb. config) |
(→4. Build kerb. config) |
||
Line 84: | Line 84: | ||
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code> |
# Set the "domain" of your LDAP server with <code>sudo dpkg-reconfigure slapd</code> |
||
## Omit OpenLDAP server configuration: No |
## Omit OpenLDAP server configuration: No |
||
− | ##: slapd slapd/no_configuration boolean false |
+ | ##: slapd \t slapd/no_configuration boolean false |
## DNS domain name: example.org |
## DNS domain name: example.org |
||
##: slapd slapd/domain string example.org |
##: slapd slapd/domain string example.org |
Revision as of 22:08, 17 August 2009
Contents
0. Sample code to follow
1 cd /tmp 2 vim krb5.conf 3 vim kdc.conf 4 vim kadm5.acl 5 export KRB5_CONFIG=/tmp/krb5.conf 6 export KRB5_KDC_PROFILE=/tmp/kdc.conf 7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/ 8 mkdir krb5kdc 9 sudo apt-get install slapd 10 sudo apt-get install ldap-utils 11 sudo dpkg-reconfigure slapd 12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/ 13 sudo vim /etc/default/slapd 14 sudo apt-get install libldap2-dev 15 cd /home/haoqili/trunk/src/ 16 make distclean 17 util/reconf 18 ./configure --with-ldap 19 make 20 sudo make install 21 vim /tmp/schema_convert.conf 22 mkdir /tmp/ldif_output 23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/ 24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif 25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:/// 26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s 27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org 28 kadmin.local 29 krb5kdc -n
1. Information about the system
- packages
- Version of ubuntu
lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 9.04 Release: 9.04 Codename: jaunty
- Version of slapd: 2.4.15 (Mar 19 2009)
slapd -V @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $ buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
- Version of ldap-utils: 2.4.15
dpkg -l ldap-utils
2. Extract krb conf files
- It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.
- Save krb5.conf
- Save kdc.conf
- Save kadm5.acl
3. Env and Setup
You need to export these lines into your env. Based on where you saved these files.
KRB5_CONFIG=/tmp/krb5.conf
KRB5_KDC_PROFILE=/tmp/kdc.conf
\# LD_LIBRARY_PATH=[path to the kerberos src]/src/lib
I saved mine here:
KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf
KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf
\# LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib
You should also make a krb5kdc folder (like in /tmp/krb5kdc)
Whatever you do, be consistent
4. Build kerb. config
- Install slapd package:
sudo apt-get install slapd
- Asks for password.
- Install ldap-utils package (for ldapsearch):
sudo apt-get install ldap-utils
- Set the "domain" of your LDAP server with
sudo dpkg-reconfigure slapd
- Omit OpenLDAP server configuration: No
- slapd \t slapd/no_configuration boolean false
- DNS domain name: example.org
- slapd slapd/domain string example.org
- Organization name: example.org [note: i used the same name for simplicity]
- Databases backend to use: HDB
- Do you want the database to be removed when slapd is purge: Yes
- Move old database: Yes
- Admin password: a
- Confirm password: a
- Allow LDAPv2 protocol: No
- Checkpoint: If you are successful, you should see as output:
- Stopping OpenLDAP: slapd.
- Moving old database directory to /var/backups:
- - directory unknown... done.
- Creating initial slapd configuration... done.
- Creating initial LDAP directory... done.
- * Reloading AppArmor profiles
- ... [ OK ]
- Starting OpenLDAP: slapd.
- Omit OpenLDAP server configuration: No
- If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema:
sudo cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
- To restrict access to the local machine,
sudo vim /etc/default/slapd
, search for SLAPD_SERVICES and set it to:SLAPD_SERVICES="ldapi:///"
- To build Kerberos with LDAP back end support, install:
sudo apt-get install libldap2-dev
- Reconfigure your kerberos
- Navigate to kerberos src
-
make distclean
-
util/reconf
-
./configure --with-ldap
-
make
-
sudo make install
5. Kerb Schema Operations
Loosely followed Ubuntu Guide and Kerberos V5 System Admin Guide
- You have not done so already, locate the kerberos.schema. kerberos.schema which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk:
cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
- Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema
- Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
- Make the directory to hold output:
mkdir /tmp/ldif_output
- Convert schema --> LDIF with slaptest:
slaptest -f [path to]/schema_convert.conf -F /tmp/ldif_output
- Output: "config file testing succeeded"
- Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output
- Need to modify kerberos.ldif.
- Find which number kerberos.ldif is listed as:
sudo ls /tmp/ldif_output/cn\=config/cn\=schema
- Edit it:
sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn={6}kerberos.ldif
- change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
- change cn: {6}kerberos into cn: kerberos
- Delete the bottom lines: from structuralObjectClasses: olcSchemaConfig to modifyTimestamp: 20090811205313Z
- Find which number kerberos.ldif is listed as:
- load new schema, replace "-w a" with your password:
sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
- Output: adding new entry "cn=kerberos,cn=schema,cn=config"
6. Starting
- Create your database with kdb5_ldap_util instead of kdb5_util:
-
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
-
output:
Initializing database for realm 'EXAMPLE.ORG' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Kerberos container is missing. Creating now...
- Stash the password:
-
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
- If it works, you can do:
-
kadmin.local
, trylistprincs
, quit by typingquit
-
krb5kdc -n
if it runs, the cursor blinks on a new line
-
-
- Command to destroy kdb5_ldap_util:
kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// destroy
Scratch Pad
Assume People have done=
1 cd /tmp
9 sudo apt-get install slapd
10 sudo apt-get install ldap-utils
14 sudo apt-get install libldap2-dev
15 cd /home/haoqili/trunk/src/
16 make distclean
17 util/reconf
18 ./configure --with-ldap
19 make
20 sudo make install
Code
2 vim krb5.conf
3 vim kdc.conf
4 vim kadm5.acl
5 export KRB5_CONFIG=/tmp/krb5.conf
6 export KRB5_KDC_PROFILE=/tmp/kdc.conf
7 export LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib/
8 mkdir /tmp/krb5kdc (or should it be /tmp/sandbox/krb5kdc)?
11 sudo dpkg-reconfigure slapd
12 sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema/
13 sudo vim /etc/default/slapd
21 vim /tmp/schema_convert.conf
22 mkdir /tmp/ldif_output
23 slaptest -f /tmp/schema_convert.conf -F /tmp/ldif_output/
24 sudo vim /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif
25 sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{6\}kerberos.ldif -H ldapi:///
26 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// create -s
27 kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
28 kadmin.local
29 krb5kdc -n