
Kerberos and LDAP

https://help.ubuntu.com/9.04/serverguide/C/kerbero...


Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an LDAP directory as a principal database. This section covers configuring a primary and secondary kerberos server to use OpenLDAP for the principal database.

Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see the section called OpenLDAP Server.

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See the section called TLS and SSL for details.

To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:
sudo apt-get install krb5-kdc-ldap

Next, extract the kerberos.schema.gz file:
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in the section called Configuration.

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2. Create a temporary directory to hold the LDIF files:
mkdir /tmp/ldif_output

3. Now use slaptest to convert the schema files:
slaptest -f schema_convert.conf -F /tmp/ldif_output

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif file, changing the following attributes:


dn: cn=kerberos,cn=schema,cn=config

...
cn: kerberos


And remove the following lines from the end of the file:
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:
ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}kerberos.ldif

6. Add an index for the krb5principalname attribute:
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

7. Finally, update the Access Control Lists (ACL):
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
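The hand edit in step 4 is the part of this procedure that most often goes wrong: a leftover operational attribute, or a dn still carrying the {12} index, makes the ldapadd in step 5 reject the entry. The shell functions below are an added example, not part of the Ubuntu guide, that apply the step-4 rewrite with sed and check the result before it is loaded. The paths and the {12} index are the ones used above; any other file name is an assumption you would adjust to match your slaptest output.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): post-process the LDIF that
# slaptest generated for kerberos.schema so that ldapadd will accept it.
# Assumes slaptest has already been run as in step 3 above.

# Rewrite the dn and cn of the generated entry to the values step 4 asks for,
# and drop the operational attributes listed in step 4 (slapd generates them
# itself and refuses them on an add). Reads the file named in $1, writes the
# cleaned LDIF to stdout.
fix_kerberos_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1"
}

# Check a cleaned LDIF file before loading it: exactly one dn line, the dn and
# cn that step 4 requires, and none of the operational attributes left behind.
# Returns 0 when the file looks loadable, 1 otherwise.
check_schema_ldif() {
    dn_count=$(grep -c '^dn: ' "$1" || true)
    [ "$dn_count" -eq 1 ] || return 1
    grep -q '^dn: cn=kerberos,cn=schema,cn=config$' "$1" || return 1
    grep -q '^cn: kerberos$' "$1" || return 1
    if grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1"; then
        return 1
    fi
    return 0
}

# Usage against the file the guide produces (path as in step 4):
#   src='/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif'
#   fix_kerberos_schema_ldif "$src" > /tmp/kerberos.ldif
#   check_schema_ldif /tmp/kerberos.ldif \
#       && ldapadd -x -D cn=admin,cn=config -W -f /tmp/kerberos.ldif
```

Running check_schema_ldif on the original slaptest output fails (the dn still carries the {12} index), which is the point: the check tells you whether the edit was applied before you bind to cn=config.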

Primary KDC Configuration

With OpenLDAP configured it is time to configure the KDC.

First, install the necessary packages, from a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Now edit /etc/krb5.conf, adding the following options under the appropriate sections:
[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM


...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network.

Next, use the kdb5_ldap_util utility to create the realm:


sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.ex

Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Copy the CA certificate from the LDAP server:
scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:
TLS_CACERT /etc/ssl/certs/cacert.pem

The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:


sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.

If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.
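Two things are worth confirming at this point besides the kinit test: that the four attributes named above really landed on the user object, and that the ACL from step 7 of the OpenLDAP section hides krbPrincipalKey from anonymous readers while leaving the rest of the entry readable. The shell functions below are an added example, not from the Ubuntu guide; they parse ldapsearch LDIF output, so they can be used against the live server or, as in the usage comments, checked against saved output. The host, bind DN and user DN are the guide's; the attribute lists in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): verify the LDAP side of a
# freshly created principal. Both functions read ldapsearch LDIF on stdin.

# Attributes the guide says addprinc adds to the user object.
REQUIRED_ATTRS="krbPrincipalName krbPrincipalKey krbLastPwdChange krbExtraData"

# Return 0 only if every attribute in REQUIRED_ATTRS appears at least once.
# ldapsearch prints binary values such as krbPrincipalKey base64-encoded with
# a double colon ("attr:: ..."), so both "attr: " and "attr:: " are accepted.
has_kerberos_attrs() {
    ldif=$(cat)
    for attr in $REQUIRED_ATTRS; do
        printf '%s\n' "$ldif" | grep -Eq "^${attr}::? " || return 1
    done
    return 0
}

# Return 0 when the LDIF contains no krbPrincipalKey value in either form.
# Run this on the output of an anonymous search: the "by * none" clause of the
# step-7 ACL means key material must never come back to an unauthenticated bind.
no_key_leak() {
    ! grep -Eq '^krbPrincipalKey::? '
}

# Live usage (needs the LDAPS connection configured above):
#
# As the admin DN, the entry must carry all four attributes:
#   ldapsearch -x -H ldaps://ldap01.example.com -D cn=admin,dc=example,dc=com -W \
#       -b uid=steve,ou=people,dc=example,dc=com \
#       | has_kerberos_attrs && echo "principal attributes present"
#
# Anonymously, asking for the key explicitly must return nothing for it:
#   ldapsearch -x -H ldaps://ldap01.example.com \
#       -b uid=steve,ou=people,dc=example,dc=com krbPrincipalKey \
#       | no_key_leak && echo "ACL hides krbPrincipalKey from anonymous binds"
```

If the anonymous search does return krbPrincipalKey, the replace in step 7 did not take effect on the database you expected (check that olcDatabase={1}hdb is the database holding dc=example,dc=com), which is cheaper to find now than after the KDC has been started.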

Secondary KDC Configuration

Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.

First, install the necessary packages. In a terminal enter:
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Next, edit /etc/krb5.conf to use the LDAP backend:
[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Create the stash for the LDAP bind password:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media.
sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm.

Finally, start the krb5-kdc daemon:
sudo /etc/init.d/krb5-kdc start
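The two files created on each KDC in this section are the secrets that protect the whole realm: /etc/krb5kdc/service.keyfile holds the LDAP bind password for the admin DN, and /etc/krb5kdc/.k5.EXAMPLE.COM is the master key that encrypts every principal key in the directory. The scp-then-mv sequence above leaves the master key stash owned by the user who copied it (steve in the example) and with whatever mode scp preserved, so it is worth checking both files before the daemon is started. The script below is an added example, not part of the Ubuntu guide; the paths and realm are the guide's, and it parses ls -l rather than stat so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): confirm that the KDC's
# stash files are owned by root and readable by nobody else.

REALM=EXAMPLE.COM   # the guide's realm; replace with your own

# Return 0 if $1 is a regular file, has no group or other permission bits, and
# is owned by $2 (default root). Fields come from ls -ld, which is portable:
# characters 5-10 of the mode string are the group/other bits, field 3 the owner.
secret_file_ok() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file")
    perms=$(printf '%s\n' "$line" | cut -c5-10)
    actual_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$perms" = "------" ] && [ "$actual_owner" = "$owner" ]
}

# Check every stash this section creates on a KDC. Prints one line per file
# and returns the number of problems found (0 means both files are fine).
check_kdc_stashes() {
    problems=0
    for f in /etc/krb5kdc/service.keyfile "/etc/krb5kdc/.k5.$REALM"; do
        if secret_file_ok "$f"; then
            echo "ok       $f"
        else
            echo "PROBLEM  $f (missing, not owned by root, or readable by group/other)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage on a KDC, before "sudo /etc/init.d/krb5-kdc start":
#   sudo sh check_stashes.sh --run
if [ "${1:-}" = "--run" ]; then
    check_kdc_stashes
fi
```

A PROBLEM line for .k5.EXAMPLE.COM after the copy in the text is fixed with chown root:root and chmod 600 on the file; kdb5_ldap_util stashsrvpw normally writes service.keyfile with restrictive permissions already, so a problem there usually means the file was created or copied by hand.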

You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.

Resources

The Kerberos Admin Guide has some additional details.


For more information on kdb5_ldap_util see Section 5.6 and the kdb5_ldap_util man page.

Another useful link is the krb5.conf man page.
