Kerberos and LDAP

https://help.ubuntu.com/9.04/serverguide/C/kerbero...

Ubuntu Documentation > Ubuntu 9.04 > Ubuntu Server Guide > Network Authentication > Kerberos and LDAP

Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an LDAP directory as a principal database. This section covers configuring a primary and secondary Kerberos server to use OpenLDAP for the principal database.

Configuring OpenLDAP
First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see the section called OpenLDAP Server.

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted: the KDC's bind password and the principals' keys (the krbPrincipalKey attribute) cross this connection. See the section called TLS and SSL for details.

To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:
sudo apt-get install krb5-kdc-ldap

Next, extract the kerberos.schema.gz file:
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in the section called Configuration.

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2. Create a temporary directory to hold the LDIF files:
mkdir /tmp/ldif_output

3. Now use slaptest to convert the schema files:
slaptest -f schema_convert.conf -F /tmp/ldif_output

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif file, changing the following attributes:


dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

And remove the following lines from the end of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:
ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}kerberos.ldif

6. Add an index for the krbPrincipalName attribute, which the KDC searches on for every request:
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

7. Finally, update the Access Control Lists (ACL). The three changes to olcAccess are separated by "-" lines, as the LDIF format requires:
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

The first rule is the one that protects Kerberos: it keeps krbPrincipalKey, the encrypted principal keys, readable by nobody but the directory admin. Two points to be aware of with this ACL as written: "by self write" lets a user object rewrite its own krbPrincipalKey directly, which kadmind never needs since it binds as the ldap_kadmind_dn, so that attribute can be given its own rule without self write; and the last rule leaves every other attribute, including krbPrincipalName, readable by any client (anonymous ones included unless slapd disallows anonymous binds), which allows principal names to be enumerated.

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
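Steps 4 to 7 above are easy to get subtly wrong by hand (a missed operational attribute, a forgotten "-" between modifications), so they are worth scripting. The following is an added example and not part of the Ubuntu guide: it rewrites the slaptest-generated schema LDIF (dn and cn fixed, operational attributes stripped), generates the index and ACL changes as LDIF, and only talks to slapd when run with "apply". The database DN olcDatabase={1}hdb,cn=config and admin DN cn=admin,dc=example,dc=com are the ones used in the guide; the embedded sample LDIF is constructed, with the schema definitions left out, and the {12} slot number is an assumption, since slaptest numbers schemas by load order.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide: scripts steps 4-7 above.
# Assumptions (not stated in the guide): slaptest has already written the
# cn=config tree under /tmp/ldif_output and the kerberos schema landed in
# slot {12}; that number depends on how many schemas precede it.
# Usage: sh krb-ldap-schema.sh                       -> dry run on a constructed sample
#        sh krb-ldap-schema.sh apply <kerberos.ldif>  -> load schema, index and ACL into slapd

DB_DN='olcDatabase={1}hdb,cn=config'      # database entry modified in steps 6 and 7
ADMIN_DN='cn=admin,dc=example,dc=com'     # directory admin named in the guide's ACL

# Step 4: make the slaptest output loadable with ldapadd. slaptest names the
# entry cn={N}kerberos and appends operational attributes that slapd refuses
# on add; both are fixed here. Reads LDIF on stdin, writes LDIF on stdout.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos,cn=schema,cn=config$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Step 6: LDIF that indexes krbPrincipalName on database $1.
index_ldif() {
    cat <<EOF
dn: $1
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
EOF
}

# Step 7: the guide's ACL for database $1 with admin DN $2, as one ldapmodify
# record. The "-" lines separate the three changes to olcAccess.
acl_ldif() {
    cat <<EOF
dn: $1
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="$2" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="$2" write by * read
EOF
}

# Apply everything to the local slapd, prompting for the cn=config password
# each time exactly as the guide's interactive commands do.
apply_to_slapd() {
    cleaned=$(mktemp)
    clean_schema_ldif < "$1" > "$cleaned"
    ldapadd -x -D cn=admin,cn=config -W -f "$cleaned"
    index_ldif "$DB_DN" | ldapmodify -x -D cn=admin,cn=config -W
    acl_ldif "$DB_DN" "$ADMIN_DN" | ldapmodify -x -D cn=admin,cn=config -W
    rm -f "$cleaned"
}

# Constructed stand-in for cn={12}kerberos.ldif (schema definitions omitted);
# the operational attribute values are the ones shown in the guide.
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
# olcAttributeTypes / olcObjectClasses lines omitted from this sample
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
EOF
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_to_slapd "$2"
else
    sample_schema_ldif | clean_schema_ldif
fi
```

Run with no arguments it prints the cleaned sample so you can see exactly what the step 4 edit does; sh krb-ldap-schema.sh apply '/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif' loads the real file, adjusting the slot number to whatever slaptest produced on your server.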

Primary KDC Configuration
With OpenLDAP configured it is time to configure the KDC.

First, install the necessary packages, from a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Now edit /etc/krb5.conf adding the following options under the appropriate sections:
[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network. The comments above describe two different privilege levels (read only for the KDC, read and write for kadmind); using the directory admin for both works, but a dedicated read-only bind DN for ldap_kdc_dn is the least-privilege choice.

Next, use the kdb5_ldap_util utility to create the realm. Note that the command as shown binds over plain ldap://; creating the realm writes the realm container and the master key principal (K/M) into the directory, so give -H an ldaps:// URL, or run it on the LDAP server over ldapi://, so that this does not travel unencrypted:


sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.ex

Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf. The stash file holds the bind password in recoverable form, not as a hash, so it must be owned by root and readable by root only:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Copy the CA certificate from the LDAP server:
scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:
TLS_CACERT /etc/ssl/certs/cacert.pem

The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:


sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.

If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.
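Before starting krb5-kdc it is worth checking the [dbmodules] settings for the three things that most often go wrong with this setup: plain ldap:// URIs (the bind password and the principals' keys then cross the network unencrypted), one bind DN shared by ldap_kdc_dn and ldap_kadmind_dn (the comments in the configuration above say the KDC only needs read access), and a service.keyfile readable by more than root. The script below is an added example and not part of the Ubuntu guide; it parses krb5.conf with awk and reports those conditions. The two embedded krb5.conf fragments are constructed: the "weak" one is the guide's [dbmodules] block with ldap:// in place of ldaps://, and the "hardened" one uses separate bind DNs, cn=kdc-service and cn=kadmin-service, which are assumed names and do not appear in the guide.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide: audit the kldap settings in a
# krb5.conf before starting krb5-kdc.
# Usage: sh kdc-ldap-audit.sh [/etc/krb5.conf] [/etc/krb5kdc/service.keyfile]
# With no arguments it audits two constructed sample configurations.

# Print the value of key $1 from the [dbmodules] section of krb5.conf $2,
# with surrounding quotes and whitespace removed.
kdc_db_setting() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[dbmodules\]/); next }
        in_db && match($0, "^[ \t]*" key "[ \t]*=") {
            val = substr($0, RLENGTH + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/"/, "", val)
            print val
        }' "$2"
}

# Exit 0 when every ldap_servers URI is ldaps:// or ldapi://. The kldap plugin
# does a simple bind and then reads krbPrincipalKey over this connection, so a
# plain ldap:// URI sends the bind password and every principal key in clear.
insecure_ldap_servers() {
    set -- $(kdc_db_setting ldap_servers "$1")
    [ $# -gt 0 ] || { echo "no ldap_servers configured"; return 1; }
    bad=""
    for uri; do
        case "$uri" in
            ldaps://*|ldapi://*) ;;
            *) bad="$bad $uri" ;;
        esac
    done
    [ -z "$bad" ] || { echo "unencrypted LDAP URI(s):$bad"; return 1; }
}

# Exit 0 when ldap_kdc_dn and ldap_kadmind_dn name the same object. The KDC
# needs read access only; binding it as the read-write kadmind identity lets a
# compromised KDC process rewrite any principal's keys.
shared_bind_dn() {
    kdc=$(kdc_db_setting ldap_kdc_dn "$1")
    adm=$(kdc_db_setting ldap_kadmind_dn "$1")
    [ -n "$kdc" ] && [ "$kdc" = "$adm" ]
}

# Exit 0 when the file mode grants nothing to group or other (columns 1-10 of
# ls -l, so an ACL or SELinux marker in column 11 is ignored).
keyfile_private() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the three checks on krb5.conf $1 and keyfile $2; print one line per
# finding and return the number of findings (0 means clean).
audit_kdc_ldap() {
    findings=0
    insecure_ldap_servers "$1" || findings=$((findings + 1))
    if shared_bind_dn "$1"; then
        echo "ldap_kdc_dn and ldap_kadmind_dn are both $(kdc_db_setting ldap_kdc_dn "$1")"
        findings=$((findings + 1))
    fi
    if [ -e "$2" ] && ! keyfile_private "$2"; then
        echo "$2 is readable by group/other but holds the LDAP bind password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed krb5.conf fragments (not from the guide): "weak" is the guide's
# [dbmodules] block with ldap://; "hardened" uses two assumed service DNs.
sample_conf() {
    case "$1" in
        weak) cat <<'EOF'
[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://ldap01.example.com ldap://ldap02.example.com
                ldap_conns_per_server = 5
        }
EOF
        ;;
        hardened) cat <<'EOF'
[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                # read-only identity for the KDC, read-write one for kadmind
                ldap_kdc_dn = "cn=kdc-service,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin-service,dc=example,dc=com"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
EOF
        ;;
    esac
}

if [ $# -gt 0 ]; then
    audit_kdc_ldap "$1" "${2:-/etc/krb5kdc/service.keyfile}" && echo "no findings"
else
    demo=$(mktemp -d)
    sample_conf weak > "$demo/weak.conf"
    sample_conf hardened > "$demo/hardened.conf"
    : > "$demo/service.keyfile"; chmod 644 "$demo/service.keyfile"
    echo "== weak =="; audit_kdc_ldap "$demo/weak.conf" "$demo/service.keyfile" || echo "findings: $?"
    chmod 600 "$demo/service.keyfile"
    echo "== hardened =="; audit_kdc_ldap "$demo/hardened.conf" "$demo/service.keyfile" && echo "no findings"
    rm -rf "$demo"
fi
```

On a real KDC run it as sudo sh kdc-ldap-audit.sh /etc/krb5.conf /etc/krb5kdc/service.keyfile; a non-zero exit status is the number of findings, so it drops into a deployment check without further parsing. The same checks apply unchanged to the Secondary KDC, which carries its own copy of both files.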

Secondary KDC Configuration
Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.

First, install the necessary packages. In a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Next, edit /etc/krb5.conf to use the LDAP backend:
[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Create the stash for the LDAP bind password:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media. This file holds the realm master key, which decrypts every principal key stored in the directory, so once it is moved into place on the Secondary KDC (the second command below) check that it is owned by root and readable only by root:
sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm.

Finally, start the krb5-kdc daemon:
sudo /etc/init.d/krb5-kdc start

You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.

Resources

The Kerberos Admin Guide has some additional details.

For more information on kdb5_ldap_util see Section 5.6 and the kdb5_ldap_util man page. Another useful link is the krb5.conf man page.

The material in this document is available under a free license, see Legal for details. For information on contributing see the Ubuntu Documentation Team wiki page. To report a problem, visit the bug page for Ubuntu Documentation.
