https://help.ubuntu.com/9.04/serverguide/C/kerbero...
Ubuntu Documentation > Ubuntu 9.04 > Ubuntu Server Guide > Network Authentication > Kerberos and LDAP
Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see the section called OpenLDAP Server.

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See the section called TLS and SSL for details.

To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:
sudo apt-get install krb5-kdc-ldap
Next, extract the kerberos.schema.gz file:

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

2. Create a temporary directory to hold the LDIF files:
mkdir /tmp/ldif_output
3. Now use slaptest to convert the schema files:
slaptest -f schema_convert.conf -F /tmp/ldif_output
And remove the following lines from the end of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:
ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}kerberos.ldif
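Step 4 strips the operational attributes from the slaptest output by hand; the following added script (not from the Ubuntu Server Guide) performs the same cleanup on the generated cn={12}kerberos.ldif before it is loaded with ldapadd, and reports which attributes it removed. The script name and the sample LDIF used to exercise it are constructed.

```python
"""Remove the operational attributes slaptest writes into the generated
schema LDIF (step 4) so the file can be loaded through cn=config.

Added example, not part of the Ubuntu Server Guide.
Usage: python3 strip_ldif.py '/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif'
"""
import re
import sys

# Operational attributes named on the page; slapd generates its own when the
# entry is added, so they must not be present in the LDIF.
OPERATIONAL_ATTRS = frozenset({
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
})

def strip_operational_attrs(ldif_text: str) -> tuple[str, list[str]]:
    """Return (cleaned LDIF text, names of the attributes that were removed).

    LDIF folds long values onto continuation lines that begin with one space;
    a continuation belongs to the preceding attribute and is dropped with it.
    """
    kept, removed = [], []
    dropping = False
    for line in ldif_text.splitlines():
        if line.startswith(" "):                # continuation of previous attribute
            if not dropping:
                kept.append(line)
            continue
        dropping = False
        # "attr: value", "attr:: base64" or "attr:< url", with optional ;options
        m = re.match(r"^([A-Za-z][\w-]*)(?:;[\w-]+)*::?\s", line)
        if m and m.group(1) in OPERATIONAL_ATTRS:
            dropping = True
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

def clean_file(path: str) -> list[str]:
    """Rewrite the LDIF file in place; return the removed attribute names."""
    with open(path, encoding="utf-8") as fh:
        cleaned, removed = strip_operational_attrs(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return removed

if __name__ == "__main__":
    for name in clean_file(sys.argv[1]):
        print("removed", name)
```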
6. Add an index for the krbPrincipalName attribute:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"
7. Finally, update the Access Control Lists (ACL):

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"
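The point of the first rule is that krbPrincipalKey (the principal's long-term keys) and userPassword are never readable by an unauthenticated client; the following added checker (not from the Ubuntu Server Guide) evaluates the three olcAccess values above the way slapd does for an anonymous bind and flags a rule set that leaves them readable. It assumes the simple rule shape used on this page (no stop/break controls) and evaluates access to an entry in the realm subtree, so the dn.base="" rule, which covers only the root DSE, never applies.

```python
"""Evaluate olcAccess rules for an anonymous client and confirm it cannot read
krbPrincipalKey or userPassword. Added example, not part of the Ubuntu Server
Guide; it handles only the 'to <what> by <who> <level> ...' shape on this page.
"""
import re

SENSITIVE_ATTRS = ("userPassword", "krbPrincipalKey")
# slapd access levels in increasing order; "auth" permits only bind checks.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three olcAccess values applied in step 7, in evaluation order.
PAGE_RULES = [
    'to attrs=userPassword,shadowLastChange,krbPrincipalKey '
    'by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=example,dc=com" write by * read',
]

def parse_rule(rule: str) -> tuple[str, list[tuple[str, str]]]:
    """Split 'to <what> by <who> <level> ...' into (<what>, [(who, level), ...])."""
    what, *bys = re.split(r"\s+by\s+", rule.strip())
    what = re.sub(r"^to\s+", "", what)
    return what, [tuple(by.rsplit(None, 1)) for by in bys]

def anonymous_access(rules: list[str], attr: str) -> str:
    """Access level an unauthenticated client gets to `attr` on a realm entry.

    Only the first <what> clause covering the attribute is consulted; inside
    it the first <who> an anonymous client can match decides the level.
    """
    for rule in rules:
        what, clauses = parse_rule(rule)
        if what.startswith("dn.base="):
            continue                            # scoped to one DN (root DSE here)
        m = re.match(r"attrs=([\w,]+)", what)
        if m and attr not in m.group(1).split(","):
            continue                            # attrs= selector does not cover attr
        for who, level in clauses:
            if who in ("*", "anonymous"):       # the selectors an anonymous bind matches
                return level
        return "none"                           # no <who> matched: implicit deny
    return "none"

def check_acls(rules: list[str]) -> dict[str, bool]:
    """True per attribute when anonymous access is no higher than 'auth'."""
    return {a: LEVELS.index(anonymous_access(rules, a)) <= LEVELS.index("auth")
            for a in SENSITIVE_ATTRS}

if __name__ == "__main__":
    print(check_acls(PAGE_RULES))             # {'userPassword': True, 'krbPrincipalKey': True}
    print(check_acls(["to * by * read"]))     # {'userPassword': False, 'krbPrincipalKey': False}
```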
That's it, your LDAP directory is now ready to serve as a Kerberos principal database.

Primary KDC Configuration

With OpenLDAP configured it is time to configure the KDC. First, install the necessary packages, from a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap
Now edit /etc/krb5.conf, adding the following options under the appropriate sections:

[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com
Copy the CA certificate from the LDAP server:

scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:
TLS_CACERT /etc/ssl/certs/cacert.pem
If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.
Secondary KDC Configuration

Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database. First, install the necessary packages. In a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap
Next, edit /etc/krb5.conf to use the LDAP backend:

[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Create the stash for the LDAP bind password:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com
Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media.

sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm.

Finally, start the krb5-kdc daemon:
sudo /etc/init.d/krb5-kdc start
You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.

Resources
For more information on kdb5_ldap_util see Section 5.6 and the kdb5_ldap_util man page. Another useful link is the krb5.conf man page.
The material in this document is available under a free license, see Legal for details. For information on contributing see the Ubuntu Documentation Team wiki page. To report a problem, visit the bug page for Ubuntu Documentation.