Kerberos and LDAP

This page goes through setting up Kerberos and LDAP for account management: Kerberos stores the passwords, LDAP stores the account information.

This was done on CentOS 5.6, but it should be portable to other distributions.

Servers

KDC

See kerberos kdc for more detailed instructions.

  1. For x86_64:
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients krb5-server
  2. Edit:
    • /etc/krb5.conf
    • /var/kerberos/krb5kdc/kdc.conf
    • /var/kerberos/krb5kdc/kadm5.acl
  3. Create the krb database:
    # kdb5_util create -s
  4. Add an admin account:
    # kadmin.local -q "addprinc root/admin"
  5. Enable and start the services:
    # chkconfig kadmin on
    # service kadmin start
    # chkconfig krb5kdc on
    # service krb5kdc start
  6. Update or disable your firewall:
    # chkconfig iptables off
    # chkconfig ip6tables off
    # service iptables stop
    # service ip6tables stop
  7. Test:
    # kadmin
    Authenticating as principal root/admin@THOUGHTBIT.COM with password.
    Password for root/admin@THOUGHTBIT.COM:
    kadmin:  listprincs
    K/M@THOUGHTBIT.COM
    kadmin/admin@THOUGHTBIT.COM
    kadmin/changepw@THOUGHTBIT.COM
    kadmin/history@THOUGHTBIT.COM
    kadmin/kdc.thoughtbit.com@THOUGHTBIT.COM
    krbtgt/THOUGHTBIT.COM@THOUGHTBIT.COM
    root/admin@THOUGHTBIT.COM
  8. Create a host principal:
    kadmin: addprinc -randkey host/kdc.thoughtbit.com
    NOTICE: no policy specified for host/kdc.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
    Principal "host/kdc.thoughtbit.com@THOUGHTBIT.COM" created.
    kadmin: ktadd host/kdc.thoughtbit.com
  9. Set up password policies if you want
  10. Add other users:
    # kadmin
    kadmin: addprinc john

LDAP

  1. For x86_64:
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients openldap-servers
  2. Copy /etc/krb5.conf from the KDC
  3. Add a host principal and an ldap service principal:
    # kadmin
    Authenticating as principal root/admin@THOUGHTBIT.COM with password.
    Password for root/admin@THOUGHTBIT.COM:
    kadmin: addprinc -randkey host/ldap-master.thoughtbit.com
    NOTICE: no policy specified for host/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
    Principal "host/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
    kadmin: ktadd host/ldap-master.thoughtbit.com
    ...
    kadmin: addprinc -randkey ldap/ldap-master.thoughtbit.com
    NOTICE: no policy specified for ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM; assigning "default"
    Principal "ldap/ldap-master.thoughtbit.com@THOUGHTBIT.COM" created
    kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/ldap-master.thoughtbit.com
    ...
  4. Make the ldap user the owner of /etc/openldap/ldap.keytab
  5. Make slapd aware of the ldap key:
    # echo "export KRB5_KTNAME=/etc/openldap/ldap.keytab" >> /etc/sysconfig/ldap
  6. Edit /etc/openldap/slapd.conf
    • Add a rootpw which can be generated by the slappasswd command
    • Add the access restrictions
  7. Edit /etc/ldap.conf and /etc/openldap/ldap.conf
  8. Create /var/lib/ldap/DB_CONFIG (example can be found at /etc/openldap/DB_CONFIG.example)
  9. Start/enable LDAP:
    # chkconfig ldap on
    # service ldap start
  10. Add some users and groups:
    • To add from an LDIF file:
      ldapadd -x -D "cn=Manager,dc=thoughtbit,dc=com" -W -f example.ldif
    • To search:
      ldapsearch -x -b 'dc=thoughtbit,dc=com' '(uid=john)'
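Steps 3 and 4 above leave the service keys in /etc/openldap/ldap.keytab (and the slurpd section below does the same with slurpd.keytab), so the keytab's ownership and mode are what keep those keys private. The following audit script is an added example, not part of the wiki page; it assumes a POSIX host and Python 3, and the expected owner is passed in rather than hard-coded. The `demo()` function builds a compliant and an over-permissive keytab in a temporary directory (constructed bytes, not real keys) and audits both:

```python
"""Audit keytab files for the ownership and permission rules used on this page.

Added example, not from the wiki page. Assumes a POSIX host and Python 3.
"""
import os
import pwd
import shutil
import stat
import tempfile


def current_user():
    """Name of the invoking user, falling back to the numeric uid if no passwd entry exists."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _resolve_uid(owner):
    """Accept a user name or a numeric uid (int or digit string); KeyError if the name is unknown."""
    if isinstance(owner, int) or str(owner).isdigit():
        return int(owner)
    return pwd.getpwnam(owner).pw_uid


def audit_keytab(path, expected_owner):
    """Return a list of findings; an empty list means the keytab looks sane.

    Checks: the file exists, is a regular file (not a symlink), is owned by
    expected_owner, has no group/other permission bits, and is not empty
    (an empty file usually means ktadd never ran or wrote somewhere else).
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s: is a symlink; expected a regular file" % path)
    elif not stat.S_ISREG(st.st_mode):
        findings.append("%s: not a regular file" % path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %04o grants group/other access; expected 0600" % (path, mode))
    try:
        want_uid = _resolve_uid(expected_owner)
    except KeyError:
        findings.append("%s: expected owner %r does not exist on this host" % (path, expected_owner))
    else:
        if st.st_uid != want_uid:
            findings.append("%s: owned by uid %d, expected %s" % (path, st.st_uid, expected_owner))
    if st.st_size == 0:
        findings.append("%s: empty file (ktadd -k may not have written here)" % path)
    return findings


def demo():
    """Audit one compliant (0600) and one over-permissive (0644) keytab built in a temp dir.

    File contents are constructed filler (0x0502 is the keytab v2 magic), not real keys.
    Returns {"good": [...findings...], "bad": [...findings...]}.
    """
    tmp = tempfile.mkdtemp()
    try:
        good = os.path.join(tmp, "ldap.keytab")
        bad = os.path.join(tmp, "slurpd.keytab")
        for p in (good, bad):
            with open(p, "wb") as fh:
                fh.write(b"\x05\x02" + b"\x00" * 16)
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        me = current_user()
        return {"good": audit_keytab(good, me), "bad": audit_keytab(bad, me)}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a real server you would call `audit_keytab("/etc/openldap/ldap.keytab", "ldap")` from a cron job or a configuration check and alert on any non-empty result; the symlink and empty-file checks catch the two silent failure modes (a keytab pointing somewhere unexpected, and a ktadd that wrote to the default /etc/krb5.keytab instead).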

LDAP Replication

cyrus-sasl

  1. Configure SASL (cyrus-sasl) for Kerberos 5 (saslauthd doesn't need to be running as a daemon):
    # cat /usr/lib64/sasl2/slapd.conf
    auxprop_plugin: slapd
    mech_list: gssapi external
  2. Test with testsaslauthd:
    # kinit -k        (gets a ticket for the host principal from the keytab)
    # testsaslauthd -u USER -p PASSWORD

slurpd

slurpd needs a ticket cache set up for the principal it will use to authenticate to the replica (the identity named in the replica's updatedn).

  1. Create a slurpd principal on the ldap-master:
    # kadmin
    ...
    kadmin: addprinc -randkey slurpd/ldap-master.thoughtbit.com
    ...
    kadmin: ktadd -k /etc/openldap/slurpd.keytab slurpd/ldap-master.thoughtbit.com
    ...
    kadmin: q
    # chown ldap:ldap /etc/openldap/slurpd.keytab
  2. Set up a cron job to keep the ticket valid:
    # cat /etc/cron.d/ldap
    # ldap kinit crontab
    #
    
    24 1,13 * * * ldap /usr/kerberos/bin/kinit -fpk -t /etc/openldap/slurpd.keytab -c /tmp/slurpd.krb5cache slurpd/ldap-master.thoughtbit.com
  3. Make the slurpd daemon aware of the ticket cache. Add the following to /etc/sysconfig/ldap:
    SLURPD_KRB5CCNAME=/tmp/slurpd.krb5cache
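The cron job above refreshes the cache twice a day, so the ticket lifetime the KDC grants must cover the 12 hours between runs, and a run that fails (keytab unreadable, KDC down, clock skew) leaves slurpd with a ticket that silently expires before the next attempt. The following check is an added example, not from the wiki page: it parses `klist -c /tmp/slurpd.krb5cache` output and reports whether the cached TGT still outlives the next scheduled renewal. It assumes the "24 1,13 * * *" schedule above, the MM/DD/YY HH:MM:SS date format printed by the krb5 1.6-era klist on CentOS 5, and Python 3; SAMPLE_KLIST is constructed, not captured from a real host.

```python
"""Check that the slurpd ticket cache will outlive the next cron renewal.

Added example, not from the wiki page. Assumes the cron schedule
"24 1,13 * * *" and the klist date format "MM/DD/YY HH:MM:SS".
"""
import re
from datetime import datetime, timedelta

REALM = "THOUGHTBIT.COM"
CRON_HOURS = (1, 13)   # hour field "1,13" of the cron line
CRON_MINUTE = 24       # minute field "24"
DATE_FMT = "%m/%d/%y %H:%M:%S"

# Constructed sample of `klist -c /tmp/slurpd.krb5cache` output (not captured).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/slurpd.krb5cache
Default principal: slurpd/ldap-master.thoughtbit.com@THOUGHTBIT.COM

Valid starting     Expires            Service principal
03/14/11 01:24:01  03/15/11 01:24:01  krbtgt/THOUGHTBIT.COM@THOUGHTBIT.COM
"""


def tgt_expiry(klist_text, realm=REALM):
    """Return the 'Expires' timestamp of the realm's TGT, or None if no TGT is cached."""
    for line in klist_text.splitlines():
        if "krbtgt/%s@%s" % (realm, realm) not in line:
            continue
        # Columns are separated by runs of two or more spaces; each date keeps its single inner space.
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) >= 3:
            return datetime.strptime(fields[1], DATE_FMT)
    return None


def next_cron_run(now):
    """First firing of the renewal job strictly after `now`."""
    candidates = []
    for day in (0, 1):
        for hour in CRON_HOURS:
            t = (now + timedelta(days=day)).replace(hour=hour, minute=CRON_MINUTE,
                                                    second=0, microsecond=0)
            if t > now:
                candidates.append(t)
    return min(candidates)


def check_cache(klist_text, now, margin=timedelta(minutes=30), realm=REALM):
    """Report whether the cached TGT stays valid, with `margin` to spare, until the next renewal.

    'ok' False while a TGT is present means an earlier cron run did not refresh
    the cache: slurpd will lose its credentials before the job fires again.
    """
    expires = tgt_expiry(klist_text, realm)
    nxt = next_cron_run(now)
    ok = expires is not None and expires - nxt >= margin
    return {"expires": expires, "next_run": nxt, "ok": ok}


def demo():
    """Evaluate SAMPLE_KLIST at two constructed times: 09:00 (fresh ticket from the
    01:24 run, ok) and 14:00 (the 13:24 run should have refreshed it; stale, not ok)."""
    fresh = check_cache(SAMPLE_KLIST, datetime(2011, 3, 14, 9, 0, 0))["ok"]
    stale = check_cache(SAMPLE_KLIST, datetime(2011, 3, 14, 14, 0, 0))["ok"]
    return fresh, stale


if __name__ == "__main__":
    print(demo())
```

Run on the master it would be fed `klist -c /tmp/slurpd.krb5cache` output with `datetime.now()`; the 30-minute margin is an arbitrary choice, but anything smaller than the time the cron job itself needs to succeed defeats the point.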

slapd

  1. slapd.conf on the master contains the replica connection info:
    # Replicas of this database
    replogfile /var/lib/ldap/openldap-master-replog
    replica uri=ldap://ldap-replica.thoughtbit.com
         bindmethod=sasl saslmech=GSSAPI
         authcId=slurpd/ldap-master.thoughtbit.com
  2. slapd.conf on the replica has the updatedn and ACLs:
    # add something similar to the following for your ACLs
    access to *
            by dn.regex="uid=slurpd/.*,cn=GSSAPI,cn=auth" write
    
    # replication info
    updatedn uid=slurpd/ldap-master.thoughtbit.com,cn=gssapi,cn=auth
    updateref ldap://ldap-master.thoughtbit.com
  3. Do a manual initial sync of the LDAP database:
    1. Stop ldap on both servers
    2. On the master:
      slapcat -l /tmp/replication-log.ldif
    3. On the replica (slapadd run as root creates database files owned by root, so fix their ownership afterwards):
      slapadd -l /tmp/replication-log.ldif
  4. Test the replication (it's useful to add SLAPD_OPTIONS="-d 1" to /etc/sysconfig/ldap on the replica for debugging)
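The replication only works if three things line up: the authcId in the master's replica directive, the updatedn on the replica, and an ACL that grants that identity write access. The ACL shown above uses a regex with `.*`, so it also admits any other slurpd/<something> principal in the realm, which is wider than the single identity the updatedn names. The audit below is an added example, not part of the wiki page: it joins slapd.conf continuation lines, derives the expected SASL DN from the authcId in the form the page's own updatedn uses (uid=<principal>,cn=gssapi,cn=auth, i.e. default realm and no authz-regexp rewriting), compares it with the updatedn, and flags ACL patterns that are unanchored or broader than that one identity. Both config fragments are reconstructed from the text above, and the tightened variant with `dn.exact` is a suggestion, not something the page configures.

```python
"""Cross-check the master's replica directive against the replica's updatedn and ACL.

Added example, not from the wiki page. Assumes slapd.conf syntax (continuation
lines start with whitespace) and that a GSSAPI bind appears as
uid=<principal>,cn=gssapi,cn=auth, the form the page's updatedn uses.
"""
import re

# Reconstructed from the page, not real files.
MASTER_CONF = """\
# Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://ldap-replica.thoughtbit.com
     bindmethod=sasl saslmech=GSSAPI
     authcId=slurpd/ldap-master.thoughtbit.com
"""

REPLICA_CONF = """\
access to *
        by dn.regex="uid=slurpd/.*,cn=GSSAPI,cn=auth" write

updatedn uid=slurpd/ldap-master.thoughtbit.com,cn=gssapi,cn=auth
updateref ldap://ldap-master.thoughtbit.com
"""

# Suggested tighter variant: grant write only to the exact replication identity.
REPLICA_CONF_TIGHT = REPLICA_CONF.replace(
    'dn.regex="uid=slurpd/.*,cn=GSSAPI,cn=auth"',
    'dn.exact="uid=slurpd/ldap-master.thoughtbit.com,cn=gssapi,cn=auth"')


def logical_lines(conf_text):
    """Join slapd.conf continuation lines and drop comment and blank lines."""
    out = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def directive(lines, name):
    """Value of the first directive called `name` (case-insensitive), or None."""
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name:
            return parts[1]
    return None


def audit_replication(master_conf, replica_conf):
    """Return a report dict: expected/actual updatedn, whether an ACL grants it write, warnings."""
    master = logical_lines(master_conf)
    replica = logical_lines(replica_conf)

    params = {}
    for tok in (directive(master, "replica") or "").split():
        key, _, val = tok.partition("=")
        params[key.lower()] = val
    authcid = params.get("authcid")
    expected_dn = "uid=%s,cn=gssapi,cn=auth" % authcid if authcid else None

    updatedn = directive(replica, "updatedn")
    report = {
        "expected_updatedn": expected_dn,
        "updatedn": updatedn,
        "updatedn_matches": bool(updatedn and expected_dn
                                 and updatedn.lower() == expected_dn.lower()),
        "acl_grants_write": False,
        "warnings": [],
    }
    if not updatedn:
        report["warnings"].append("replica has no updatedn")
        return report

    for line in replica:
        if not line.lower().startswith("access "):
            continue
        for kind, pat, level in re.findall(r'dn\.(regex|exact)="([^"]*)"\s+(\w+)', line):
            if kind == "exact":
                hit = pat.lower() == updatedn.lower()          # DNs compare case-insensitively
            else:
                hit = re.search(pat, updatedn, re.IGNORECASE) is not None
                if hit and not (pat.startswith("^") and pat.endswith("$")):
                    report["warnings"].append("dn.regex %r is not anchored with ^...$" % pat)
                if hit and ".*" in pat:
                    report["warnings"].append(
                        "dn.regex %r contains .* and matches more identities than the updatedn" % pat)
            if hit and level.lower() == "write":
                report["acl_grants_write"] = True
    return report


if __name__ == "__main__":
    for label, conf in (("page ACL", REPLICA_CONF), ("dn.exact ACL", REPLICA_CONF_TIGHT)):
        print(label, audit_replication(MASTER_CONF, conf))
```

Point it at the real files with `audit_replication(open("/etc/openldap/slapd.conf").read(), replica_text)` after copying the replica's slapd.conf over; a report where `updatedn_matches` is false explains most "replica refuses updates" failures before you reach for `-d 1`.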

Clients

Client configurations.

CentOS

  1. For x86_64:
    yum install krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi.x86_64 openldap-clients
  2. Copy:
    • /etc/krb5.conf
    • /etc/ldap.conf
    • /etc/openldap/ldap.conf
  3. Add a Kerberos host principal
  4. Edit:
    • /etc/pam.d/system-auth (adding the pam_krb5 entries)
    • /etc/nsswitch.conf
    • /etc/security/access.conf
  5. See if LDAP is set up right:
    # id john
    uid=501(john) gid=501(media) groups=501(media)
  6. Log in:
    1. Run klist and ldapwhoami to confirm you got a ticket and that LDAP sees your Kerberos identity

Notes

linux/server/kerberos_and_ldap.txt · Last modified: 2011/03/14 21:54 by john