6/26/12

Kerberos and LDAP


Ubuntu 11.10 Ubuntu Server Guide Network Authentication


Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an LDAP directory as its principal database. This section covers configuring a primary and a secondary Kerberos server (KDC) to use OpenLDAP for the principal database. Note what this means for the trust boundary: the directory then stores every principal's long-term keys (the krbPrincipalKey attribute) and the KDC authenticates to it with a password, so the directory's access controls and the encryption of the KDC-to-LDAP connection become part of the KDC's security, and both are addressed below.

Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see OpenLDAP Server.

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See TLS for details. This is not optional: the KDC binds to the directory with a password, and the directory stores the principal keys, so an unencrypted connection would expose both on the network.

1. To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:

    sudo apt-get install krb5-kdc-ldap

2. Next, extract the kerberos.schema.gz file:

    sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
    sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

3. The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in Modifying the slapd Configuration Database.

   1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

        include /etc/ldap/schema/core.schema
        include /etc/ldap/schema/collective.schema
        include /etc/ldap/schema/corba.schema
        include /etc/ldap/schema/cosine.schema
        include /etc/ldap/schema/duaconf.schema
        include /etc/ldap/schema/dyngroup.schema
        include /etc/ldap/schema/inetorgperson.schema
        include /etc/ldap/schema/java.schema
        include /etc/ldap/schema/misc.schema
        include /etc/ldap/schema/nis.schema
        include /etc/ldap/schema/openldap.schema
        include /etc/ldap/schema/ppolicy.schema
        include /etc/ldap/schema/kerberos.schema

   2. Create a temporary directory to hold the LDIF files:

        mkdir /tmp/ldif_output

   3. Now use slapcat to convert the schema files:

        slapcat -f schema_convert.conf -F /tmp/ldif_output -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif

      Change the above file and path names to match your own if they are different. The index {12} is the position of kerberos.schema in schema_convert.conf, counting from 0; adjust it if your include list differs.

   4. Edit the generated /tmp/cn\=kerberos.ldif file, changing the following attributes:

        dn: cn=kerberos,cn=schema,cn=config
        ...
        cn: kerberos
https://help.ubuntu.com/11.10/serverguide/kerberos-ldap.html

      And remove the following lines from the end of the file:

        structuralObjectClass: olcSchemaConfig
        entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
        creatorsName: cn=config
        createTimestamp: 20090111203515Z
        entryCSN: 20090111203515.326445Z#000000#000#000000
        modifiersName: cn=config
        modifyTimestamp: 20090111203515Z

      The attribute values will vary, just be sure the attributes are removed. They are operational attributes that slapd assigns itself, and ldapadd will reject an entry that tries to set them.

   5. Load the new schema with ldapadd:

        ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif

   6. Add an index for the krbPrincipalName attribute:

        ldapmodify -x -D cn=admin,cn=config -W
        Enter LDAP Password:
        dn: olcDatabase={1}hdb,cn=config
        add: olcDbIndex
        olcDbIndex: krbPrincipalName eq,pres,sub

        modifying entry "olcDatabase={1}hdb,cn=config"

   7. Finally, update the Access Control Lists (ACL):

        ldapmodify -x -D cn=admin,cn=config -W
        Enter LDAP Password:
        dn: olcDatabase={1}hdb,cn=config
        replace: olcAccess
        olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
        -
        add: olcAccess
        olcAccess: to dn.base="" by * read
        -
        add: olcAccess
        olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

        modifying entry "olcDatabase={1}hdb,cn=config"

      The order of these rules matters. slapd applies the first "to" clause whose target matches, so the attrs= rule that withholds krbPrincipalKey from everyone except the admin DN and the entry itself must stay ahead of the catch-all "to *" rule with "by * read"; placed after it, the principal keys would be readable by any client that can read the subtree. If you later give the KDC a dedicated bind object instead of cn=admin, it must be granted read access to krbPrincipalKey in this first rule.

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
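The two manual steps in the procedure above that most often go wrong are the hand edit of the slapcat output (step 4) and the ordering of the access rules (step 7). The following is an added example and is not part of the Ubuntu Server Guide or of OpenLDAP's own tooling: a clean_schema_ldif function that performs the step 4 edit mechanically, an unfold_ldif helper that joins the continuation lines ldapsearch prints, and a check_krb_acl audit that fails unless krbPrincipalKey is shielded by an attrs= rule that precedes any "to *" catch-all and grants "*" nothing. The sample LDIF and ACL values inside it are constructed to mirror the listings above (one abbreviated attribute type, placeholder UUID and timestamps); the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: two helpers for the OpenLDAP
# procedure above.  clean_schema_ldif performs the manual edit of step 4 on the
# slapcat output; check_krb_acl audits the olcAccess rules installed in step 7.
# The sample inputs are constructed for this demonstration: the schema entry is
# abbreviated to one attribute type and the UUID/timestamps are placeholders.

# clean_schema_ldif: slapcat output on stdin, ldapadd-ready entry on stdout.
# Drops the "{N}" ordering index from dn: and cn: (slapd assigns one when the
# entry is added) and strips the operational attributes the server generated;
# ldapadd rejects an entry that tries to set those itself.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos,/dn: cn=kerberos,/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# unfold_ldif: join LDIF continuation lines (leading space) so that every
# attribute value is one line; ldapsearch wraps long values such as ACLs.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
         { printf "%s", $0 }
         END { if (NR) print "" }'
}

# check_krb_acl: olcAccess values on stdin, one rule per line in the order
# ldapsearch prints them (their {N} order), with or without the
# "olcAccess: {N}" prefix.  Exit 0 only if krbPrincipalKey is covered by an
# attrs= rule that comes before any "to *" catch-all and grants "*" nothing.
# slapd uses the first "to" clause whose target matches, so a catch-all with
# "by * read" listed earlier hands out the principal keys no matter what a
# later rule says.
check_krb_acl() {
    awk '
        { rule = $0; sub(/^olcAccess: *([{][0-9]*[}])?/, "", rule) }
        rule ~ /^to attrs=[^ ]*krbPrincipalKey/ && !key_at {
            key_at = NR
            if (rule ~ /by \* (read|write|search|compare)/) leaks = 1
        }
        rule ~ /^to \* / && !star_at { star_at = NR }
        END {
            if (!key_at) exit 1                       # keys not protected at all
            if (star_at && star_at < key_at) exit 1   # catch-all is consulted first
            if (leaks) exit 1                         # "*" gets read or more
            exit 0
        }'
}

# Constructed stand-in for /tmp/cn=kerberos.ldif as slapcat writes it.
sample_schema_ldif() {
    cat <<'EOF'
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQ
 UALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120626000000Z
entryCSN: 20120626000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120626000000Z
EOF
}

# The three rules exactly as step 7 orders them ...
sample_acl_as_installed() {
    cat <<'EOF'
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
EOF
}

# ... and with the catch-all first, which silently exposes krbPrincipalKey.
sample_acl_misordered() {
    cat <<'EOF'
olcAccess: {0}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
EOF
}
```

On the LDAP server, `clean_schema_ldif < /tmp/cn=kerberos.ldif > /tmp/cn=kerberos.clean.ldif` replaces the hand edit of step 4, and after step 7 the live rules can be audited with `ldapsearch -x -LLL -D cn=admin,cn=config -W -b olcDatabase={1}hdb,cn=config -s base olcAccess | unfold_ldif | grep '^olcAccess:' | check_krb_acl`, which exits non-zero if the key attribute is exposed.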

Primary KDC Configuration


With OpenLDAP configured it is time to configure the KDC.

1. First, install the necessary packages, from a terminal enter:

    sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

2. Now edit /etc/krb5.conf adding the following options under the appropriate sections:

    [libdefaults]
            default_realm = EXAMPLE.COM

    ...

    [realms]
            EXAMPLE.COM = {
                    kdc = kdc01.example.com
                    kdc = kdc02.example.com
                    admin_server = kdc01.example.com
                    admin_server = kdc02.example.com
                    default_domain = example.com
                    database_module = openldap_ldapconf
            }

    ...

    [domain_realm]
            .example.com = EXAMPLE.COM

    ...

    [dbdefaults]
            ldap_kerberos_container_dn = dc=example,dc=com

    [dbmodules]
            openldap_ldapconf = {
                    db_library = kldap
                    ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                    # this object needs to have read rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                    # this object needs to have read and write rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_service_password_file = /etc/krb5kdc/service.keyfile
                    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                    ldap_conns_per_server = 5
            }

   Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network. The example uses the directory administrator for both ldap_kdc_dn and ldap_kadmind_dn. As the comments note, the KDC only needs read access, so in production give each a dedicated bind object with only the rights listed, and extend the step 7 ACL so that the KDC object can read krbPrincipalKey. Keep the ldaps:// scheme: with plain ldap:// the bind password and every principal key the KDC reads would cross the network in the clear.

3. Next, use the kdb5_ldap_util utility to create the realm:

    sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

   The -s option stashes the master key in /etc/krb5kdc/.k5.EXAMPLE.COM, the file that the Secondary KDC section copies. Unless you run this on the LDAP server itself, give -H an ldaps:// URI like the ones in ldap_servers, since the admin bind password is sent during this operation.

4. Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf:

    sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

   service.keyfile now holds the LDAP bind password in a form the KDC can read back, so it must be readable by root only, like the master key stash.

5. Copy the CA certificate from the LDAP server:

    scp ldap01:/etc/ssl/certs/cacert.pem .
    sudo cp cacert.pem /etc/ssl/certs

   And edit /etc/ldap/ldap.conf to use the certificate:

    TLS_CACERT /etc/ssl/certs/cacert.pem

   The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS. Without it, libldap (which the kldap module uses) cannot validate the LDAP server's certificate and the LDAPS connection fails; do not work around that by disabling certificate checking, because validation is what keeps the bind password and principal keys from being handed to an impostor server.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:

    sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
    WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "steve@EXAMPLE.COM":
    Re-enter password for principal "steve@EXAMPLE.COM":
    Principal "steve@EXAMPLE.COM" created.

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.

If the user object already exists, the -x dn="..." option is needed to add the Kerberos attributes to it. Otherwise a new principal object will be created in the realm subtree.

Secondary KDC Configuration


Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.

1. First, install the necessary packages. In a terminal enter:

    sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

2. Next, edit /etc/krb5.conf to use the LDAP backend, with the same settings as on the Primary KDC:

    [libdefaults]
            default_realm = EXAMPLE.COM

    ...

    [realms]
            EXAMPLE.COM = {
                    kdc = kdc01.example.com
                    kdc = kdc02.example.com
                    admin_server = kdc01.example.com
                    admin_server = kdc02.example.com
                    default_domain = example.com
                    database_module = openldap_ldapconf
            }

    ...

    [domain_realm]
            .example.com = EXAMPLE.COM

    ...

    [dbdefaults]
            ldap_kerberos_container_dn = dc=example,dc=com

    [dbmodules]
            openldap_ldapconf = {
                    db_library = kldap
                    ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                    # this object needs to have read rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                    # this object needs to have read and write rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_service_password_file = /etc/krb5kdc/service.keyfile
                    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                    ldap_conns_per_server = 5
            }

3. Create the stash for the LDAP bind password:

    sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

4. Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media.

    sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~

   Then, on the Secondary KDC, move it into place:

    sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

   Again, replace EXAMPLE.COM with your actual realm. The master key is what encrypts every principal key stored in the directory, so anyone holding this file together with read access to the directory can recover all of them. After the move, make sure the file is owned by root with mode 0600 (mv keeps the ownership it had in the user's home directory) and that no copy is left behind there.

5. Finally, start the krb5-kdc daemon:

    sudo /etc/init.d/krb5-kdc start

You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.
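The steps for the Primary and the Secondary KDC leave unchecked several things that decide whether the setup is actually as secure as intended: that every ldap_servers URI really is ldaps://, that the two stash files (the LDAP bind password and the master key) are not readable by other users, that the KDC and kadmind do not share one over-privileged bind object, and that the CA certificate from step 5 is configured and present. The following is an added example and is not part of the Ubuntu Server Guide or of MIT Kerberos: a POSIX shell preflight check that reports those problems, to be run on each KDC. The file paths are the ones the guide uses; the ROOT prefix, the bind-object names cn=kdc-service and cn=kadmin-service, and the staging tree it builds for a dry run are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: a preflight check for a KDC
# on the LDAP backend, to run on the primary and on each secondary after the
# steps above.  Paths are the guide's; ROOT is prefixed to each of them so the
# check can also run against a staging tree (use ROOT=/ on a real KDC).  The
# bind-object names in make_staging_tree are assumptions for the demonstration.

# print_issues ROOT REALM: one line per problem on stdout, nothing when clean.
print_issues() {
    root=${1%/}; realm=$2
    krb5conf="$root/etc/krb5.conf"
    ldapconf="$root/etc/ldap/ldap.conf"
    [ -f "$krb5conf" ] || { echo "missing $krb5conf"; return 0; }

    # The guide requires the KDC<->LDAP traffic to be encrypted, so every URI in
    # ldap_servers must be ldaps:// (ldapi:// is a local socket and also fine).
    # Also flag one object doing both jobs: the guide's own comments say the KDC
    # object only needs read access, the kadmind object read and write.
    awk '
        /^[[:space:]]*ldap_servers[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            n = split(v, uri, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (uri[i] != "" && uri[i] !~ /^ldap[si]:\/\//)
                    print "ldap_servers entry without TLS: " uri[i]
        }
        /^[[:space:]]*ldap_kdc_dn[[:space:]]*=/     { kdc = $0; sub(/^[^=]*=/, "", kdc) }
        /^[[:space:]]*ldap_kadmind_dn[[:space:]]*=/ { adm = $0; sub(/^[^=]*=/, "", adm) }
        END {
            gsub(/[[:space:]"]/, "", kdc); gsub(/[[:space:]"]/, "", adm)
            if (kdc != "" && kdc == adm)
                print "ldap_kdc_dn and ldap_kadmind_dn share one object: " kdc
        }' "$krb5conf"

    # Both stash files are secrets (LDAP bind password, Kerberos master key):
    # they must exist and group/others must have no access bits at all.
    for f in "$root/etc/krb5kdc/service.keyfile" "$root/etc/krb5kdc/.k5.$realm"; do
        if [ ! -f "$f" ]; then
            echo "missing $f"
        elif [ -n "$(ls -ld "$f" | cut -c5-10 | sed 's/-//g')" ]; then
            echo "$f is accessible by group or others"
        fi
    done

    # ldaps:// only defeats an impostor server if the CA from step 5 is
    # actually configured and present.
    ca=$(awk '/^[[:space:]]*TLS_CACERT[[:space:]]/ { print $2 }' "$ldapconf" 2>/dev/null || true)
    if [ -z "$ca" ]; then
        echo "no TLS_CACERT in $ldapconf"
    elif [ ! -f "$root$ca" ]; then
        echo "TLS_CACERT $ca does not exist"
    fi
}

# check_kdc_config ROOT REALM: prints the issues; exit 0 if none, 1 otherwise.
check_kdc_config() {
    issues=$(print_issues "$1" "$2")
    [ -z "$issues" ] && return 0
    printf '%s\n' "$issues"
    return 1
}

# make_staging_tree DIR good|bad: constructed sample tree for a dry run.  "good"
# follows the guide's layout but with separate bind objects; "bad" carries the
# mistakes the check is meant to catch.  Only the relevant krb5.conf keys are
# written.
make_staging_tree() {
    dir=$1
    mkdir -p "$dir/etc/krb5kdc" "$dir/etc/ldap" "$dir/etc/ssl/certs"
    if [ "$2" = good ]; then
        uris="ldaps://ldap01.example.com ldaps://ldap02.example.com"
        kdc_dn="cn=kdc-service,dc=example,dc=com"      # assumed name
        adm_dn="cn=kadmin-service,dc=example,dc=com"   # assumed name
    else
        uris="ldap://ldap01.example.com ldaps://ldap02.example.com"
        kdc_dn="cn=admin,dc=example,dc=com"
        adm_dn="cn=admin,dc=example,dc=com"
    fi
    cat > "$dir/etc/krb5.conf" <<EOF
[dbmodules]
        openldap_ldapconf = {
                ldap_kdc_dn = "$kdc_dn"
                ldap_kadmind_dn = "$adm_dn"
                ldap_servers = $uris
        }
EOF
    : > "$dir/etc/krb5kdc/service.keyfile"
    : > "$dir/etc/krb5kdc/.k5.EXAMPLE.COM"
    chmod 600 "$dir/etc/krb5kdc/.k5.EXAMPLE.COM"
    echo "TLS_CACERT /etc/ssl/certs/cacert.pem" > "$dir/etc/ldap/ldap.conf"
    if [ "$2" = good ]; then
        chmod 600 "$dir/etc/krb5kdc/service.keyfile"
        : > "$dir/etc/ssl/certs/cacert.pem"
    else
        chmod 644 "$dir/etc/krb5kdc/service.keyfile"   # bind password readable by all
    fi
}
```

On a real KDC, run `check_kdc_config / EXAMPLE.COM` as root after finishing the steps above on each server; a zero exit status means none of the listed problems was found. For a dry run, `make_staging_tree /tmp/kdc-bad bad && check_kdc_config /tmp/kdc-bad EXAMPLE.COM` lists the four mistakes the "bad" tree contains.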

Resources

1. The Kerberos Admin Guide has some additional details.
2. For more information on kdb5_ldap_util see Section 5.6 and the kdb5_ldap_util man page.
3. Another useful link is the krb5.conf man page.
4. Also, see the Kerberos and LDAP Ubuntu wiki page.

The material in this document is available under a free license; see Legal for details. For information on contributing, see the Ubuntu Documentation Team wiki page. To report a problem, visit the bug page for Ubuntu Documentation.
