logo_kerberos.gif

Difference between revisions of "LDAP on Kerberos"

From K5Wiki
Jump to: navigation, search
(2. Extract krb conf files)
(5. Build kerb. config (move this up?))
Line 86: Line 86:
 
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre>
  
# To restrict access to the local machine, <code>sudo vim /etc/default/slapd</code>, search for SLAPD_SERVICES and set it to: <pre>SLAPD_SERVICES="ldapi:///"</pre>
 
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code>
  
# To build Kerberos with LDAP back end support, install: <code>sudo apt-get install libldap2-dev</code>
#
  
  +
# Reconfigure your kerberos
you need to install the
  
  +
#* Navigate to kerberos src
libldap2-dev package, and configure with --with-ldap.
  
  +
#* <code>make distclean</code>
 
  +
#* <code>util/reconf</code>
* Configuring your KDC is similar to setting up a normal KDC, but your
  
  +
#* <code>./configure --with-ldap</code>
dbmodule directive will look something like this:
  
  +
#* <code>make</code>
 
  +
#* <code>sudo make install</code>
[dbmodules]
  
 
# Create your database with kdb5_ldap_util instead of kdb5_util:<code>
LDAP = {
  
db_library = kldap
  
ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
  
ldap_kdc_dn = cn=admin,dc=example,dc=com
  
ldap_kadmind_dn = cn=admin,dc=example,dc=com
  
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
  
ldap_servers = ldapi:///
  
}
  
 
(In a real deployment, you would probably create user DNs for the KDC
  
and kadmin rather than using the admin DN, and grant them the minimum
  
necessary access. But creating users in an OpenLDAP database didn't
  
appear straightforward to me, so I skipped that step in my testing.)
  
 
* When you create your database, instead of using kdb5_util, you use
  
kdb5_ldap_util, like so:
  
 
 
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
  
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
 
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
  
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
 
  +
</code>
You'll have to enter your OpenLDAP admin pasword, which will be stored
  
in the admin.stash file for use by the KDC and kadmind.
  
 
There is more information in the krb5 admin guide (see the doc subdir of
  
your source tree).
  

Revision as of 16:08, 15 August 2009

1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Extract krb conf files

  • It is crucial to have correct, consistent domain names. You must have the dbmodules in krb5.conf.
  • Save krb5.conf
  • Save kdc.conf
  • Save kadm5.acl

3. Env

You need to export these lines into your env. Based on where you saved these files.


KRB5_CONFIG=/tmp/krb5.conf

KRB5_KDC_PROFILE=/tmp/kdc.conf

LD_LIBRARY_PATH=[path to the kerberos src]/src/lib

I saved mine here:

KRB5_CONFIG=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/krb5.conf

KRB5_KDC_PROFILE=/home/haoqili/trunk/src/tests/kdc_realm2/sandbox/kdc.conf

LD_LIBRARY_PATH=/home/haoqili/trunk/src/lib

4. Kerb Schema Operations

Ubuntu Guide, loosely followed

  1. Locate the kerberos.schema. kerberos.schema which should be in /etc/ldap/schema/kerberos.schema. If it is not there, please copy it there from your kerberos trunk: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
    Checkpoint: Make sure there is a list of different schemas in /etc/ldap/schema. Such as core.schema
  2. Make this schema_convert.conf. Note! This is different from the schema_convert.conf in the Ubuntu Guide.
  3. Make the directory to hold output: mkdir /tmp/ldif_output
  4. Convert schema --> LDIF with slaptest, make sure you have your correct schema_convert path: slaptest -f schema_convert.conf -F /tmp/ldif_output
    Checkpoint: Make sure you have "cn=config" in you /tmp/ldif_output
  5. Need to modify kerberos.ldif.
    • Find which number kerberos.ldif is listed as: sudo ls /tmp/ldifoutput/cn\=config/cn\=schema
    • Edit it: sudo view /tmp/ldifoutput/cn\=config/cn\=schema/cn={6}kerberos.ldif
      • change dn: cn={6}kerberos into dn: cn=kerberos,cn=schema,cn=config
      • change cn: {6}kerberos into cn: kerberos
      • Delete the bottom lines: from structuralObjectClasses: olcSchemaConfig to modifyTimestamp: 20090811205313Z
  6. load new schema, replace "-w a" with your password: sudo ldapadd -x -D cn=admin,cn=config -w a -f /tmp/ldifoutput/cn\=config/cn\=schema/cn\={6}kerberos.ldif -H ldapi:///
  • Command that worked: kdb5_ldap_util -D cn=admin,dc=example,dc=org -w a -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=org
  • krb5kdc -n

5. Build kerb. config (move this up?)

  1. Install slapd package: sudo apt-get install slapd
  2. Install ldap-utils package (for ldapsearch): sudo apt-get install ldap-utils
  3. Set the "domain" of your LDAP server with sudo dpkg-reconfigure slapd
    • Omit OpenLDAP server configuration: No
    • DNS domain name: example.org
    • Organization name: example.org [note: i used the same name for simplicity]
    • Databases backend to use: HDB
    • Do you want the database to be removed when slapd is purge: Yes
    • Move old database: Yes
    • Admin password: a
    • Confirm password: a
    • Allow LDAPv2 protocol: No
    Checkpoint: If you are successful, you should see as output:
    Stopping OpenLDAP: slapd.
    Moving old database directory to /var/backups:
    - directory unknown... done.
    Creating initial slapd configuration... done.
    Creating initial LDAP directory... done.
    * Reloading AppArmor profiles
    ... [ OK ]
    Starting OpenLDAP: slapd.
  4. If you haven't done so already, please copy kerberos.schema from your kerberos trunk into /etc/ldap/schema: cp src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema /etc/ldap/schema
  5. To restrict access to the local machine, sudo vim /etc/default/slapd, search for SLAPD_SERVICES and set it to: 
    SLAPD_SERVICES="ldapi:///"
  6. To build Kerberos with LDAP back end support, install: sudo apt-get install libldap2-dev
  7. Reconfigure your kerberos
    • Navigate to kerberos src
    • make distclean
    • util/reconf
    • ./configure --with-ldap
    • make
    • sudo make install
  8. Create your database with kdb5_ldap_util instead of kdb5_util:
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

Retrieved from "https://k5wiki.kerberos.org./wiki?title=LDAP_on_Kerberos&oldid=2037"