====== Kerberos and LDAP ======
This goes through setting up Kerberos and LDAP for account management. The split is: Kerberos holds the passwords and does the authentication, LDAP holds the account information (uid, gid, home directory, shell, group membership) and never sees a password.
This was done on CentOS 5.6 (MIT Kerberos 1.6, OpenLDAP 2.3), but most of it is portable elsewhere; paths and init-script names are the CentOS ones.
===== Servers =====
==== KDC ====
See [[kerberos kdc]] for more detailed instructions.
- For x86_64: yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients krb5-server
- Edit:
* ''/etc/krb5.conf'' (realm name, the KDC and admin server for it, and the ''domain_realm'' mapping)
* ''/var/kerberos/krb5kdc/kdc.conf'' (per-realm settings: ACL file, admin keytab, ticket lifetimes, default principal flags)
* ''/var/kerberos/krb5kdc/kadm5.acl'' (who may do what through ''kadmin''; ''*/admin@THOUGHTBIT.COM *'' is the usual first line and is what makes the ''root/admin'' principal below work)
- Create the Kerberos database: ''kdb5_util create -s''. The ''-s'' writes the master key to a stash file under ''/var/kerberos/krb5kdc/'' so the KDC can start unattended; that file is as sensitive as the database itself, so keep it root-only.
- Add an admin account: ''kadmin.local -q "addprinc root/admin"''
- Enable and start the services: <code>
# chkconfig kadmin on
# service kadmin start
# chkconfig krb5kdc on
# service krb5kdc start
</code>
- Update the firewall so the clients can reach 88/tcp+udp (the KDC), 749/tcp (''kadmind'') and 464/tcp+udp (''kpasswd''). Disabling it, as below, is the quick way for a lab but leaves every other service on the KDC reachable: <code>
# chkconfig iptables off
# chkconfig ip6tables off
# service iptables stop
# service ip6tables stop
</code>
- Test: <code>
# kadmin
Authenticating as principal root/admin@THOUGHTBIT.COM with password.
Password for root/admin@THOUGHTBIT.COM:
kadmin: listprincs
K/M@THOUGHTBIT.COM
kadmin/admin@THOUGHTBIT.COM
kadmin/changepw@THOUGHTBIT.COM
kadmin/history@THOUGHTBIT.COM
kadmin/kdc.thoughtbit.com@THOUGHTBIT.COM
krbtgt/THOUGHTBIT.COM@THOUGHTBIT.COM
root/admin@THOUGHTBIT.COM
</code>
- Create a host principal for the KDC itself. ''-randkey'' gives it a random key instead of a password, and ''ktadd'' writes that key into ''/etc/krb5.keytab'' (keep it root-owned, mode 0600; whoever can read a keytab can impersonate that host): <code>
kadmin: addprinc -randkey host/kdc.thoughtbit.com
NOTICE: no policy specified for host/kdc.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "host/kdc.thoughtbit.com@THOUGHTBIT.COM" created.
kadmin: ktadd host/kdc.thoughtbit.com
</code>
- Set up password policies if you want them (''addpol'' in ''kadmin'', e.g. ''-minlength'' and ''-history''; apply them with ''addprinc -policy'')
- Add other users: <code>
# kadmin
kadmin: addprinc john
</code>
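The three files the Edit step lists are named but not shown. The script below is an added example, not taken from this page, that writes a minimal version of each for the page's ''THOUGHTBIT.COM'' realm and ''kdc.thoughtbit.com'' host (file paths are the CentOS 5 defaults; the lifetimes and the ''+preauth'' default flag are assumed values), plus a small check that a ''kadm5.acl'' line really matches the admin principal you are about to use.

```shell
#!/bin/sh
# Added example, not from the original page: emit the three KDC-side files
# (krb5.conf, kdc.conf, kadm5.acl) for one realm. Realm and host names are
# the page's THOUGHTBIT.COM values; paths are the CentOS 5 defaults.
# Usage: sh kdc-conf.sh THOUGHTBIT.COM kdc.thoughtbit.com /tmp/kdc

gen_krb5_conf() {  # $1 realm, $2 KDC fqdn
    realm=$1 kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

gen_kdc_conf() {  # $1 realm
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # require pre-authentication for every principal created from now on, so an
  # unauthenticated client cannot fetch an AS-REP for a user and crack it offline
  default_principal_flags = +preauth
  max_life = 24h
  max_renewable_life = 7d
 }
EOF
}

gen_kadm5_acl() {  # $1 realm
    # every */admin principal gets all rights ("*"); tighten per principal if
    # you add more, e.g. "helpdesk/admin@REALM  cpi" for change-password only
    printf '*/admin@%s\t*\n' "$1"
}

# true when the ACL text ($1) has a line whose principal pattern (literal or
# with "*" wildcards) matches principal $2; a quick self-check before
# restarting kadmind and locking yourself out
acl_grants() {
    printf '%s\n' "$1" | while read -r who perms rest; do
        case $who in ''|\#*) continue ;; esac
        [ -n "$perms" ] || continue
        pat=$(printf '%s' "$who" | sed 's/\*/.*/g')
        if printf '%s\n' "$2" | grep -Eq "^${pat}\$"; then
            echo match
            break
        fi
    done | grep -q match
}

if [ $# -eq 3 ]; then
    realm=$1 kdc=$2 out=$3
    umask 077                      # kdc.conf and kadm5.acl are root-only on a KDC
    mkdir -p "$out"
    gen_krb5_conf "$realm" "$kdc" > "$out/krb5.conf"
    gen_kdc_conf "$realm"         > "$out/kdc.conf"
    gen_kadm5_acl "$realm"        > "$out/kadm5.acl"
    acl_grants "$(cat "$out/kadm5.acl")" "root/admin@$realm" \
        || echo "warning: kadm5.acl does not grant root/admin@$realm" >&2
    echo "wrote $out/krb5.conf $out/kdc.conf $out/kadm5.acl"
fi
```

Run it as ''sh kdc-conf.sh THOUGHTBIT.COM kdc.thoughtbit.com /tmp/kdc'' and diff the output against the live files before copying anything. ''+preauth'' in ''default_principal_flags'' only affects principals created afterwards; set it before ''addprinc john''. ''*/admin'' in the ACL covers ''root/admin'' but also any other ''/admin'' instance anyone creates later, which is why the check exists.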
==== LDAP ====
- For x86_64: yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients openldap-servers
- Copy ''/etc/krb5.conf'' from the KDC
- Add a host principal and an ''ldap'' service principal. The host key goes into ''/etc/krb5.keytab''; the ''ldap/'' key goes into its own keytab because ''slapd'' runs as ''ldap'', not root, and must not be able to read the host key: <code>
# kadmin
Authenticating as principal root/admin@THOUGHTBIT.COM with password.
Password for root/admin@THOUGHTBIT.COM:
kadmin: addprinc -randkey host/ldap-master.thoughtbit.com
NOTICE: no policy specified for host/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "host/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
kadmin: ktadd host/ldap-master.thoughtbit.com
...
kadmin: addprinc -randkey ldap/ldap-master.thoughtbit.com
NOTICE: no policy specified for ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/ldap-master.thoughtbit.com
...
</code>
- Make the ''ldap'' user own ''ldap.keytab'' and make it mode 0600 (''chown ldap:ldap'', ''chmod 600''); anyone who can read it can impersonate the LDAP server to every client
- Make ''slapd'' aware of the ldap keytab (the init script sources this file): ''echo "export KRB5_KTNAME=/etc/openldap/ldap.keytab" >> /etc/sysconfig/ldap''
- Edit ''/etc/openldap/slapd.conf''
* Add a ''rootpw''; use the hash that ''slappasswd'' prints (''{SSHA}...''), never a cleartext password
* Add the access restrictions (the ''rootdn'' bypasses them; everyone else, including anonymous NSS lookups from the clients, is governed by them)
- Edit ''/etc/ldap.conf'' (what ''nss_ldap'' uses: ''base'', ''uri'') and ''/etc/openldap/ldap.conf'' (what the ''ldap*'' command-line tools use)
- Create ''/var/lib/ldap/DB_CONFIG'' (an example can be found at ''/etc/openldap/DB_CONFIG.example''); ''slapd'' logs a warning and performs badly without it
- Start/enable LDAP: <code>
# chkconfig ldap on
# service ldap start
</code>
- Add some users and groups
* To add from an LDIF file: ''ldapadd -x -D "cn=Manager,dc=thoughtbit,dc=com" -W -f example.ldif''. ''-x -W'' is a simple bind, which sends the Manager password in the clear, so run this on the server itself (or over TLS), or bind with your admin principal instead using ''-Y GSSAPI'' once the ACLs allow it
* To search: ''ldapsearch -x -b 'dc=thoughtbit,dc=com' '(uid=john)' ''
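The ''example.ldif'' and the access restrictions above are not shown on this page. Below is an added example (not the page's own) that generates a ''posixAccount'' entry and a ''posixGroup'' for the page's sample user ''john'' (uid 501, group ''media'' gid 501) and the matching ''slapd.conf'' access stanza. ''ou=People'' and ''ou=Group'' are assumed container names, and the stanza assumes the clients' ''nss_ldap'' binds anonymously, as the ''/etc/ldap.conf'' step implies.

```shell
#!/bin/sh
# Added example, not code from the original page: build the LDIF for a
# Kerberos-authenticated POSIX account and its group, and the slapd.conf
# access stanza that goes with them. Suffix and sample values are the
# page's; ou=People / ou=Group are assumed container names.

SUFFIX=${SUFFIX:-dc=thoughtbit,dc=com}

# posixAccount entry with no userPassword at all: the KDC holds the secret,
# so a dumped directory yields nothing to crack
mk_user_ldif() {  # $1 uid, $2 uidNumber, $3 gidNumber, $4 full name
    uid=$1 uidn=$2 gidn=$3 gecos=$4
    cat <<EOF
dn: uid=$uid,ou=People,$SUFFIX
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $uid
gecos: $gecos
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash

EOF
}

mk_group_ldif() {  # $1 group name, $2 gidNumber, remaining args: member uids
    name=$1 gidn=$2; shift 2
    printf 'dn: cn=%s,ou=Group,%s\n' "$name" "$SUFFIX"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    printf 'cn: %s\ngidNumber: %s\n' "$name" "$gidn"
    for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
    echo
}

# access stanza for slapd.conf; nss_ldap on the clients binds anonymously
# (assumed), so the POSIX attributes must be world-readable, while any write
# needs a GSSAPI-authenticated bind that maps onto the entry being changed
gen_slapd_access() {
    cat <<'EOF'
# map a Kerberos user identity onto its directory entry so "by self" works;
# [^,/] keeps service principals (host/..., ldap/...) from mapping to a user
sasl-regexp uid=([^,/]*),cn=gssapi,cn=auth
            uid=$1,ou=People,dc=thoughtbit,dc=com

# no passwords live here: refuse to store or read any added by mistake
access to attrs=userPassword
        by * none
# users may change only cosmetic attributes of their own entry, never uidNumber
access to attrs=loginShell,gecos
        by self write
        by * read
access to *
        by * read
EOF
}

# sanity check for one LDIF entry on stdin: every posixAccount MUST attribute
# is present and no userPassword slipped in
ldif_has_required() {
    entry=$(cat)
    for a in uid cn uidNumber gidNumber homeDirectory; do
        printf '%s\n' "$entry" | grep -q "^$a: " || return 1
    done
    printf '%s\n' "$entry" | grep -q '^userPassword:' && return 1
    return 0
}

if [ "$1" = demo ]; then
    { mk_user_ldif john 501 501 "John Example"; mk_group_ldif media 501 john; } > example.ldif
    mk_user_ldif john 501 501 "John Example" | ldif_has_required && echo "example.ldif ok"
    echo "now: ldapadd -x -D cn=Manager,$SUFFIX -W -f example.ldif"
fi
```

The ''sasl-regexp'' line is what makes ''by self'' apply to a user who bound with GSSAPI. Whether the realm shows up as an extra ''cn=thoughtbit.com'' component in the SASL DN depends on the ''sasl-realm'' setting, so check the DN the server actually derives with ''ldapwhoami -Y GSSAPI'' and adjust the regexp to match. The ordering of the ''access'' stanzas matters: OpenLDAP uses the first ''access to'' clause whose target matches, so the ''userPassword'' rule must come before ''access to *''.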
==== LDAP Replication ====
=== cyrus-sasl ===
- Configure the SASL library for ''slapd''. This is the per-application SASL config, not ''saslauthd'': with ''mech_list'' limited to ''gssapi'' and ''external'' there is no password mechanism, so ''saslauthd'' is never consulted and does not need to be running as a daemon: <code>
# cat /usr/lib64/sasl2/slapd.conf
auxprop_plugin: slapd
mech_list: gssapi external
</code>
- Test. ''testsaslauthd'' only exercises ''saslauthd'' (it verifies a password against the KDC), which GSSAPI binds do not use, so the test that matters is a GSSAPI bind: get a ticket with ''kinit -k'' (uses the host principal from ''/etc/krb5.keytab''), then ''ldapwhoami -Y GSSAPI'' should print the SASL DN of that principal: <code>
# kinit -k (to get a ticket for the host principal)
# ldapwhoami -Y GSSAPI
# testsaslauthd -u USER -p PASSWORD (only if you also run saslauthd)
</code>
=== slurpd ===
''slurpd'' needs a ticket cache set up for the principal it will use to authenticate to the replica (the same identity the replica names in its ''updatedn'').
- Create a ''slurpd'' principal on the ldap-master, with its own keytab readable only by ''ldap'': <code>
# kadmin
...
kadmin: addprinc -randkey slurpd/ldap-master.thoughtbit.com
...
kadmin: ktadd -k /etc/openldap/slurpd.keytab slurpd/ldap-master.thoughtbit.com
...
kadmin: q
# chown ldap:ldap /etc/openldap/slurpd.keytab
# chmod 600 /etc/openldap/slurpd.keytab
</code>
- Set up a cron job to keep the ticket valid. This runs twice a day, 12 hours apart, so the ticket lifetime (''max_life'' in ''kdc.conf'' and on the principal) must be longer than 12 hours or ''slurpd'' will be holding an expired ticket for part of every cycle; the MIT default of 10 hours is not enough. A cache under ''/tmp'' has a predictable, world-visible name; a directory only ''ldap'' can write (e.g. under ''/var/lib/ldap'') is the safer place: <code>
# cat /etc/cron.d/ldap
# ldap kinit crontab
#
24 1,13 * * * ldap /usr/kerberos/bin/kinit -fpk -t /etc/openldap/slurpd.keytab -c /tmp/slurpd.krb5cache slurpd/ldap-master.thoughtbit.com
</code>
- Make the ''slurpd'' daemon aware of the ticket cache. Add the following to ''/etc/sysconfig/ldap'': ''SLURPD_KRB5CCNAME=/tmp/slurpd.krb5cache''
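The cron line above calls ''kinit'' blindly. The script below is an added example (not from this page) that the cron entry can call instead: it refuses to use a keytab that anyone but ''ldap'' can read, renews the cache, prints the result so a failure shows up in cron mail, and checks that a given ticket lifetime actually covers the renewal interval. Paths and principal are the page's; the 12-hour interval matches the ''1,13'' schedule, and the ''/usr/kerberos/bin'' tool paths are CentOS 5's.

```shell
#!/bin/sh
# Added example, not part of the original page: wrapper for the slurpd kinit
# cron job. Paths and the principal are the page's values; the interval is
# the 12 hours implied by the "24 1,13 * * *" crontab line.

KEYTAB=${KEYTAB:-/etc/openldap/slurpd.keytab}
CACHE=${CACHE:-/tmp/slurpd.krb5cache}
PRINC=${PRINC:-slurpd/ldap-master.thoughtbit.com}
INTERVAL_H=${INTERVAL_H:-12}

# 0 when the file is owned by $2 and has no group/other bits (mode 0600 or 0400)
keytab_perms_ok() {  # $1 path, $2 expected owner
    [ -f "$1" ] || return 1
    set -- "$1" "$2" $(stat -c '%U %a' "$1")
    [ "$3" = "$2" ] || return 1
    case $4 in 600|400) return 0 ;; *) return 1 ;; esac
}

# convert a Kerberos lifetime such as 10h, 7d, 30m, 600s or 600 to seconds
life_to_secs() {
    case $1 in
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# 0 when a ticket of lifetime $1 lasts at least $2 hours; with the MIT default
# max_life of 10h a twice-daily cron leaves a 2h gap per cycle in which slurpd
# cannot bind to the replica
ticket_covers_interval() {  # $1 lifetime, $2 interval in hours
    [ "$(life_to_secs "$1")" -ge $(( $2 * 3600 )) ]
}

renew_ticket() {
    keytab_perms_ok "$KEYTAB" ldap || { echo "$KEYTAB: must be owned by ldap, mode 0600" >&2; return 1; }
    /usr/kerberos/bin/kinit -fpk -t "$KEYTAB" -c "$CACHE" "$PRINC" || return 1
    # list the new ticket; cron mails the output, so an expiry that is too
    # close to the next run is visible without logging in
    /usr/kerberos/bin/klist -c "$CACHE"
}

if [ "$1" = run ]; then
    renew_ticket
fi
```

Replace the ''kinit'' in the crontab with ''sh /etc/openldap/slurpd-kinit.sh run'' (path assumed) and keep the ''ldap'' user field. To close the lifetime gap, raise ''max_life'' in ''kdc.conf'' and on the principal (''modprinc -maxlife 1day slurpd/ldap-master.thoughtbit.com''), or shorten the cron interval; ''ticket_covers_interval 10h 12'' failing is the condition the page's schedule hits with default lifetimes.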
=== slapd ===
- ''slapd.conf'' on the master contains the replica connection info: <code>
# Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://ldap-replica.thoughtbit.com
        bindmethod=sasl saslmech=GSSAPI
        authcId=slurpd/ldap-master.thoughtbit.com
</code>
- ''slapd.conf'' on the replica has the ''updatedn'' and the ACLs. The ''slurpd'' identity needs write access to everything it replicates, so anchor the regex with ''^'' and ''$'' so it can only match that SASL DN, and merge it into your existing rules: on its own, the ''access to *'' below gives everyone except ''slurpd'' no access at all, because a ''by'' clause that does not match falls through to ''none'': <code>
# add something similar to the following for your ACLs
access to *
        by dn.regex="^uid=slurpd/.*,cn=GSSAPI,cn=auth$" write
        by * read
# replication info
updatedn uid=slurpd/ldap-master.thoughtbit.com,cn=gssapi,cn=auth
updateref ldap://ldap-master.thoughtbit.com
</code>
Whether the realm appears as a ''cn=thoughtbit.com'' component in that DN depends on the ''sasl-realm'' setting; ''ldapwhoami -Y GSSAPI'' run with the ''slurpd'' ticket cache (''KRB5CCNAME=/tmp/slurpd.krb5cache'') shows the exact DN the replica will see, and the ''updatedn'' must match it exactly.
- Do a manual sync of the LDAP database:
- stop ldap on both servers
- on the master: ''slapcat -l /tmp/replication-log.ldif''
- on the replica: ''slapadd -l /tmp/replication-log.ldif'', then fix permissions, since ''slapadd'' run as root leaves root-owned files that ''slapd'' (running as ''ldap'') cannot open: ''chown -R ldap:ldap /var/lib/ldap''. Delete the LDIF afterwards; it is a full copy of the directory.
- Test the replication: change an entry on the master and search for it on the replica (it's useful to add ''SLAPD_OPTIONS="-d 1"'' to ''/etc/sysconfig/ldap'' for debugging on the replica)
===== Clients =====
Client configurations.
==== CentOS ====
- For x86_64: yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients
- Copy:
* ''/etc/krb5.conf''
* ''/etc/ldap.conf''
* ''/etc/openldap/ldap.conf''
- Add a Kerberos host principal for the client (''addprinc -randkey host/<client fqdn>'' then ''ktadd'' into ''/etc/krb5.keytab'', as on the servers)
- Edit:
* ''/etc/pam.d/system-auth'' (add ''pam_krb5'' to the auth, account and session stacks; on CentOS ''authconfig --enableldap --enablekrb5 --update'' writes this)
* ''/etc/nsswitch.conf'' (''ldap'' as a source for ''passwd'', ''group'' and ''shadow'')
* ''/etc/security/access.conf'' (only enforced if ''pam_access'' is on the account stack of the services you want restricted; editing the file alone does nothing)
- See if LDAP is set up right. ''id'' resolves through NSS, so this works without any Kerberos ticket: <code>
# id john
uid=501(john) gid=501(media) groups=501(media)
</code>
- Log in as a Kerberos user
- Run ''klist'' (should show a ''krbtgt/THOUGHTBIT.COM@THOUGHTBIT.COM'' ticket obtained by ''pam_krb5'' at login) and ''ldapwhoami -Y GSSAPI'' (shows the SASL DN the server maps you to, which is what its ACLs see)
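The only check above is ''id john''. The script below is an added example (not the page's own) with checks for the three files edited in the previous step, run here against constructed sample copies rather than a real host. The expected layout (''ldap'' listed for ''passwd''/''group''/''shadow'', ''pam_krb5'' on the auth stack before ''pam_deny'', ''pam_access'' on the account stack) is the CentOS 5 ''authconfig'' layout this page assumes.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the client
# files edited above. Run them on the live files, or on the constructed
# samples at the bottom (which are not copied from any real host).

# passwd, group and shadow must all list "ldap" as a source, or "id john"
# and login will only ever see local accounts
nss_ldap_ok() {  # $1 nsswitch.conf
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# the auth stack must try pam_krb5 before it reaches pam_deny; otherwise users
# whose only password is in the KDC can never log in
pam_krb5_on_auth() {  # $1 system-auth
    awk '$1=="auth" && /pam_krb5\.so/ {krb=NR}
         $1=="auth" && /pam_deny\.so/ {deny=NR}
         END {exit !(krb && deny && krb < deny)}' "$1"
}

# /etc/security/access.conf is only consulted when pam_access is on the
# account stack; editing the file without this line enforces nothing
pam_access_enforced() {  # $1 system-auth
    awk '$1=="account" && /pam_access\.so/ {ok=1} END {exit !ok}' "$1"
}

check_client() {  # $1 nsswitch.conf, $2 system-auth; one line per check
    rc=0
    nss_ldap_ok "$1"         && echo "nss: ok"         || { echo "nss: ldap missing from passwd/group/shadow"; rc=1; }
    pam_krb5_on_auth "$2"    && echo "pam auth: ok"    || { echo "pam auth: pam_krb5 missing or after pam_deny"; rc=1; }
    pam_access_enforced "$2" && echo "pam account: ok" || { echo "pam account: pam_access not on stack"; rc=1; }
    return $rc
}

# constructed sample files in the CentOS 5 authconfig layout
sample_nsswitch() {
    printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\nhosts:      files dns\n'
}
sample_system_auth() {
    cat <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
session     optional      pam_krb5.so
EOF
}

if [ "$1" = live ]; then
    check_client /etc/nsswitch.conf /etc/pam.d/system-auth
fi
```

''sh client-check.sh live'' (filename assumed) runs the checks on the real files. The ''pam_access'' check is the one most often missed: ''access.conf'' is consulted by a module, not by the kernel or by ''sshd'' itself, so without that ''account'' line the restrictions written there are silently ignored.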
===== Notes =====
* [[http://www.itp.uzh.ch/~dpotter/howto/kerberos]]
* [[http://aput.net/~jheiss/krbldap/howto.htm]]
{{tag>:linux:server :linux}}