Annotation of /nfo/doc/computing/sysadmin/linux/example_sdf_howto.sdf



Revision 1.1
Mon Feb 3 04:01:21 2003 UTC (21 years, 7 months ago) by jonen
Branch: MAIN
CVS Tags: HEAD
+ first init  -  example on writing 'SDF - Simple Document Format'

######################################
#
# $Id$
#
######################################
#
# $Log$
#
#
######################################


# Build the title
!define DOC_NAME "OpenLDAP 2 + Kerberos V"
!define DOC_TYPE "HowTo"
!define DOC_AUTHOR "Sebastian Utz"
!build_title



H1: Description

[left='0.5in']Install and configure MIT Kerberos V5, then do the same with OpenLDAP 2.

[left='0.5in']Make the two work together so that the ticket-based, 'single-sign-on' Kerberos V mechanism
is used to authenticate query requests against the LDAP server.



H2: MIT Kerberos V


H3: install Kerberos V

H4: debian:

!block inline
<pre style="margin-left:60px;">
apt-get install libkrb53 libkadm55 krb5-user krb5-kdc krb5-admin-server krb5-config
</pre>
!endblock

[left='0.5in']This installs the minimum recommended packages needed for a Kerberos V server.
Optional packages are:

!block inline
<pre style="margin-left:60px;">
krb5-doc Documentation for krb5
krb5-telnetd Secure telnet server supporting MIT Kerberos
krb5-ftpd Secure FTP server supporting MIT Kerberos
krb5-rsh-server Secure replacements for rshd and rlogind using MIT Kerberos
krb5-clients Secure replacements for ftp, telnet and rsh using MIT Kerberos
</pre>
!endblock



H4: other systems:

[left='0.5in']The configure parameters (as used by the Debian packages) have not been tested by me on other systems, but if you want to try them out, your feedback is very welcome. Here they are:


!block inline
<pre style="margin-left:60px;">
--prefix=/usr
--enable-shared
--with-ccopts="-g -O2 -D_REENTRANT"
--localstatedir=/etc
--mandir=/usr/share/man
--without-tcl
</pre>
!endblock

[left='0.5in']and...

!block inline
<pre style="margin-left:60px;">
./configure; make; make install
</pre>
!endblock

[left='0.5in']...would do the rest.


H3: configure Kerberos V

H4: prepare DNS for Kerberos

[left='0.5in']As Turbo Fredriksson wrote
({{CMD[jump="http://www.bayour.com/LDAPv3-HOWTO.html#4.3.3.1.Preparing%20the%20DNS%20for%20KerberosV"]Prepare the DNS for KerberosV}}):

[left='0.5in'; right='1in']"The DNS should be set up as follows to get full Kerberos network support.
However, it seems like very few programs (OpenLDAP doesn't seem to) actually use the SRV entries, which are 'Server Location' entries.
So if you don't want to/can't change the DNS, it is not required..."

[left='0.5in'; right='1in']"NOTE: I upgraded my Kerberos server (from 1.2.2 to 1.2.4) the other day, and I got the question whether my DNS was listing the location of my
KDCs (which it does), so maybe Kerberos is now using the SRV entries.
I haven't verified what's the case here; it doesn't matter that much to me at the moment... :)"


[left='0.5in']...which I agree with, so there is currently no need for further comments.

!block inline
<pre style="margin-left:60px;">
; IP addresses of the Kerberos/LDAP servers...
kerberos IN A [IP OF YOUR 1st KERBEROS SERVER]
kerberos-1 IN A [IP OF YOUR 2nd KERBEROS SERVER]
kerberos-2 IN A [IP OF YOUR 3rd KERBEROS SERVER]
ldap IN A [IP OF YOUR 1st LDAP SERVER]
ldap-1 IN A [IP OF YOUR 2nd LDAP SERVER]
ldap-2 IN A [IP OF YOUR 3rd LDAP SERVER]
;
; Master setup
_kerberos IN TXT "[YOUR KERBEROS REALM]"
_kerberos-master._udp IN SRV 0 0 88 kerberos
_kerberos-adm._tcp IN SRV 0 0 749 kerberos
_kpasswd._udp IN SRV 0 0 464 kerberos
;
; Round-robin setup
_kerberos._udp IN SRV 0 0 88 kerberos
IN SRV 0 0 88 kerberos-1
IN SRV 0 0 88 kerberos-2
_ldap._tcp.[DOMAIN NAME] IN SRV 0 0 389 ldap
IN SRV 0 0 389 ldap-1
IN SRV 0 0 389 ldap-2
</pre>
!endblock




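A zone fragment like the one above is easy to get subtly wrong: a blank-owner continuation line attaches to the wrong record, an SRV target has no A record, or a service is advertised on the wrong port. The following is an added example (not part of the original HowTo) that parses such a fragment and reports those inconsistencies. The zone text is constructed for illustration (RFC 5737 documentation addresses, realm EXAMPLE.COM) and deliberately leaves kerberos-2 without an A record so the check has something to find; only the record shapes used in the fragment (A, SRV, TXT, blank-owner continuation) are handled.

```python
"""Consistency check for a Kerberos/LDAP zone fragment (added example)."""

# Well-known ports for the services the HowTo's fragment advertises.
EXPECTED_PORTS = {
    "_kerberos._udp": 88,
    "_kerberos-master._udp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

# Constructed sample, modelled on the HowTo's fragment; kerberos-2 is
# advertised in the round-robin SRV set but has no A record.
ZONE = """\
; constructed sample
kerberos              IN A   192.0.2.10
kerberos-1            IN A   192.0.2.11
ldap                  IN A   192.0.2.20
;
_kerberos             IN TXT "EXAMPLE.COM"
_kerberos-master._udp IN SRV 0 0 88  kerberos
_kerberos-adm._tcp    IN SRV 0 0 749 kerberos
_kpasswd._udp         IN SRV 0 0 464 kerberos
;
_kerberos._udp        IN SRV 0 0 88 kerberos
                      IN SRV 0 0 88 kerberos-1
                      IN SRV 0 0 88 kerberos-2
_ldap._tcp            IN SRV 0 0 389 ldap
"""


def parse_zone(text):
    """Return (a_records, srv_records, txt_records) from a zone fragment.

    a_records   -> {owner: address}
    srv_records -> [(owner, priority, weight, port, target), ...]
    txt_records -> {owner: text}
    A line that begins with whitespace has no owner field and inherits the
    owner of the previous record, as in a BIND zone file.
    """
    a_records, srv_records, txt_records = {}, [], {}
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop ';' comments
        if not line.strip():
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)              # explicit owner name
        elif owner is None:
            raise ValueError("continuation line before any owner: %r" % raw)
        if len(tokens) < 3 or tokens[0].upper() != "IN":
            raise ValueError("unsupported record: %r" % raw)
        rtype, rdata = tokens[1].upper(), tokens[2:]
        if rtype == "A":
            a_records[owner] = rdata[0]
        elif rtype == "SRV":
            priority, weight, port = (int(x) for x in rdata[:3])
            srv_records.append((owner, priority, weight, port, rdata[3]))
        elif rtype == "TXT":
            txt_records[owner] = " ".join(rdata).strip('"')
        else:
            raise ValueError("unsupported record type %s in %r" % (rtype, raw))
    return a_records, srv_records, txt_records


def check_zone(text):
    """Return a list of human-readable problems; an empty list means consistent."""
    a_records, srv_records, txt_records = parse_zone(text)
    problems = []
    realm = txt_records.get("_kerberos")
    if realm is None:
        problems.append("no _kerberos TXT record naming the realm")
    elif realm != realm.upper():
        problems.append("realm in _kerberos TXT should be upper-case: %s" % realm)
    for owner, _priority, _weight, port, target in srv_records:
        expected = EXPECTED_PORTS.get(owner)
        if expected is not None and port != expected:
            problems.append("%s: port %d, expected %d" % (owner, port, expected))
        if target not in a_records:
            problems.append("%s: target %s has no A record" % (owner, target))
    return problems


if __name__ == "__main__":
    for problem in check_zone(ZONE) or ["zone fragment is consistent"]:
        print(problem)
```

Run against the constructed sample it reports the dangling kerberos-2 target; run against a real zone export it is a cheap pre-flight check before clients are pointed at SRV-based KDC discovery.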
H4: edit /etc/kdc5.conf

[left='0.5in']example /etc/kdc5.conf:

!block inline
<pre style="margin-left:60px;">
[libdefaults]
default_realm = [YOUR KERBEROS REALM]
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
[YOUR KERBEROS REALM] = {
kdc = kerberos.[YOUR DOMAINNAME]:88
admin_server = kerberos.[YOUR DOMAINNAME]:749
default_domain = [YOUR DOMAINNAME]
}

[domain_realm]
.[YOUR DOMAINNAME] = [YOUR KERBEROS REALM]

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

[login]
krb4_convert = false
krb4_get_tickets = false
</pre>
!endblock


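The enctype lists in the configuration above are from 2003: single DES (des-cbc-crc, des-cbc-md5) has since been deprecated by RFC 6649, and triple DES and RC4 by RFC 8429; MIT Kerberos 1.8 and later will not use DES unless allow_weak_crypto is set. The following is an added example (not part of the original HowTo) that parses a file in krb5.conf syntax, including the nested realm block, and flags weak enctypes in [libdefaults]. Both configs are constructed: the first repeats the HowTo's enctype lists with EXAMPLE.COM substituted for the realm placeholders, the second is the same file with AES-only lists.

```python
"""Flag weak enctypes in a krb5.conf-format file (added example)."""

WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",             # single DES, RFC 6649
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",   # triple DES, RFC 8429
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",          # RC4, RFC 8429
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample with the HowTo's enctype lists and EXAMPLE.COM as realm.
HOWTO_STYLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com:88
        admin_server = kerberos.example.com:749
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Same file, AES-only enctype lists (the setting a current deployment should use).
HARDENED = HOWTO_STYLE.replace(
    "des3-hmac-sha1 des-cbc-crc des-cbc-md5",
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")


def parse_krb5_conf(text):
    """Parse krb5.conf syntax: [section] headers, 'key = value' lines and
    nested 'name = { ... }' groups.  Returns nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("directive before any [section]: %r" % raw)
        if line == "}":                            # close nested group
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError("unparsable line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":                           # open nested group
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def weak_enctype_findings(conf):
    """Return [(key, enctype)] for every weak enctype listed in [libdefaults],
    plus ('allow_weak_crypto', value) if weak crypto is explicitly enabled."""
    libdefaults = conf.get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        for enctype in libdefaults.get(key, "").split():
            if enctype.lower() in WEAK_ENCTYPES:
                findings.append((key, enctype.lower()))
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append(("allow_weak_crypto", libdefaults["allow_weak_crypto"]))
    return findings


if __name__ == "__main__":
    for name, text in (("howto-style", HOWTO_STYLE), ("hardened", HARDENED)):
        print(name, weak_enctype_findings(parse_krb5_conf(text)))
```

The same parser can be pointed at a real /etc/krb5.conf; anything it reports in permitted_enctypes is an enctype the KDC and clients will still negotiate, which is the list worth emptying first.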
H4: create KerberosV realm

[left="0.5in"]If the Debian installer scripts have not already run it, run {{N[bold]krb5_newrealm}}.
For non-Debian users, or if the script above fails, run the commands step by step:

!block inline
<pre style="margin-left:60px;">
kdb5_util create -s
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"
/etc/init.d/krb5-kdc start || true
/etc/init.d/krb5-admin-server start || true
</pre>
!endblock


[left="0.5in"]Add some kind of KDC admin user:

!block inline
<pre style="margin-left:60px;">
kadmin.local -q "addprinc krbadm@[YOUR KERBEROS REALM]"
</pre>
!endblock


[left="0.5in"]For later use, we need an LDAP administrator principal in the KDC.
As configured later in this document, it will have full access to the LDAP database.

!block inline
<pre style="margin-left:60px;">
kadmin.local -q "addprinc ldapadm@[YOUR KERBEROS REALM]"
</pre>
!endblock


H5: setting up KerberosV access rights

