Table of Contents

Kerberos and LDAP

This goes through setting up Kerberos and LDAP for account management. Kerberos stores the passwords, LDAP stores the account information.

This was done on CentOS 5.6, but probably is portable elsewhere.

Servers

KDC

See kerberos kdc for more detailed instructions.

  1. For x86_64: 
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients krb5-server
  2. Edit:
    • /etc/krb5.conf
    • /var/kerberos/krb5kdc/kdc.conf
    • /var/kerberos/krb5kdc/kadm5.acl
  3. Create the krb database: 
    # kdb5_util create -s
  4. Add an admin account: 
    # kadmin.local -q "addprinc root/admin"
  5. Enable and start the services: 
    # chkconfig kadmin on
# service kadmin start 
# chkconfig krb5kdc on
# service krb5kdc start
  6. Update or disable your firewall: 
    # chkconfig iptables off
# chkconfig ip6tables off
# service iptables stop
# service ip6tables stop
  7. Test: 
    # kadmin
Authenticating as principal root/admin@THOUGHTBIT.COM with password.
Password for root/admin@THOUGHTBIT.COM:
kadmin:  listprincs
K/M@THOUGHTBIT.COM
kadmin/admin@THOUGHTBIT.COM
kadmin/changepw@THOUGHTBIT.COM
kadmin/history@THOUGHTBIT.COM
kadmin/kdc.thoughtbit.com@THOUGHTBIT.COM
krbtgt/THOUGHTBIT.COM@THOUGHTBIT.COM
root/admin@THOUGHTBIT.COM
  8. Create a host principle: 
    kadmin: addprinc -randkey host/kdc.thoughtbit.com
NOTICE: no policy specified for host/kdc.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "host/kdc.thoughtbit.com@THOUGHTBIT.COM" created.
kadmin: ktadd host/kdc.thoughtbit.com
  9. Setup policies if you want
  10. Add other users: 
    # kadmin
kadmin: addprinc john

LDAP

  1. For x86_64: 
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients openldap-servers
  2. Copy /etc/krb5.conf from the KDC
  3. Add a host principle and ldap principle: 
    # kadmin
Authenticating as principal root/admin@THOUGHTBIT.COM with password.
Password for root/admin@THOUGHTBIT.COM:
kadmin: addprinc -randkey host/ldap-master.thoughtbit.com
NOTICE: no policy specified for host/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "host/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
kadmin: ktadd host/ldap-master.thoughtbit.com
...
kadmin: addprinc -randkey ldap/ldap-master.thoughtbit.com
NOTICE: no policy specified for ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
Principal "ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/ldap-master.thoughtbit.com
...
  4. make the ldap user own the ldap.keytab
  5. Make slapd aware of the ldap key: 
    # echo "export KRB5_KTNAME=/etc/openldap/ldap.keytab" >> /etc/sysconfig/ldap
  6. Edit /etc/openldap/slapd.conf
    • Add a rootpw which can be generated by the slappasswd command
    • Add the access restrictions
  7. Edit /etc/ldap.conf and /etc/openldap/ldap.conf
  8. Create /var/lib/ldap/DB_CONFIG (example can be found at /etc/openldap/DB_CONFIG.example)
  9. Start/enable LDAP: 
    # chkconfig ldap on
# service start ldap
  10. Add some users and groups
    • To add from an LDIF file: 
      ldapadd -x -D "cn=Manager,dc=thoughtbit,dc=com" -W -f example.ldif
    • To search: 
      ldapsearch -x -b 'dc=thoughtbit,dc=com' '(uid=john)'

LDAP Replication

cyrus-sasl

  1. configure saslauthd for kerberos5 (saslauthd doesn't need to be running as a daemon): 
    # cat /usr/lib64/sasl2/slapd.conf
auxprop_plugin: slapd
mech_list: gssapi external
  2. test with testsaslauthd: <code># kinit -k (to get a host princ) # testsaslauthd -u USER -p PASSWORD</code>

slurpd

slurpd needs a ticket cache setup with the principal that slurpd will use to authenticate to the replica with (defined in the updatedn)

  1. create a slurpd prinicpal on the ldap-master: 
    # kadmin
...
kadmin: addprinc -randkey slurpd/ldap-master.thoughtbit.com
...
kadmin: ktadd -k /etc/openldap/slurpd.keytab slurpd/ldap-master.thoughtbit.com
...
kadmin: q
# chown ldap:ldap /etc/openldap/slurpd.keytab
  2. setup cronjob to keep ticket valid: 
    # cat /etc/cron.d/ldap
# ldap kinit crontab
#

24 1,13 * * * ldap /usr/kerberos/bin/kinit -fpk -t /etc/openldap/slurpd.keytab -c /tmp/slurpd.krb5cache slurpd/ldap-master.thoughtbit.com
  3. make the slurpd daemon aware of the ticket cache. Add the following to /etc/sysconfig/ldap: 
    SLURPD_KRB5CCNAME=/tmp/slurpd.krb5cache

slapd

  1. slapd.conf on master contains replica connection info: 
    # Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://ldap-replica.thoughtbit.com
     bindmethod=sasl saslmech=GSSAPI
     authcId=slurpd/ldap-master.thoughtbit.com
  2. slapd.conf on replica has updatedn and acls: 
    # add something similar to the following for your ACLs
access to *
        by dn.regex="uid=slurpd/.*,cn=GSSAPI,cn=auth" write

# replication info
updatedn uid=slurpd/ldap-master.thoughtbit.com,cn=gssapi,cn=auth
updateref ldap://ldap-master.thoughtbit.com
  3. do a manual sync of the ldap database:
    1. stop ldap on both servers
    2. on master: 
      slapcat -l /tmp/replication-log.ldif
    3. on replica (make sure to fix permissions too): 
      slapadd -l /tmp/replication-log.ldif
  4. test the replication (it's useful to add SLAPD_OPTIONS=“-d 1” to /etc/sysconfig/ldap for debugging on the replica)

Clients

Client configurations.

CentOS

  1. For x86_64: 
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients
  2. Copy:
    • /etc/krb5.conf
    • /etc/ldap.conf
    • /etc/openldap/ldap.conf
  3. Add a kerberos host principle
  4. Edit:
    • /etc/pam.d/system-auth (adding in kerb stuff)
    • /etc/nsswitch.conf
    • /etc/security/access.conf
  5. See if ldap is setup right: 
    # id john
uid=501(john) gid=501(media) groups=501(media)
  6. Login
    1. run klist and ldapwhoami

Notes

,