| 1 |
###################################### |
| 2 |
# |
| 3 |
# $Id$ |
| 4 |
# |
| 5 |
###################################### |
| 6 |
# |
| 7 |
# $Log$ |
| 8 |
# |
| 9 |
# |
| 10 |
###################################### |
| 11 |
|
| 12 |
|
| 13 |
# Build the title |
| 14 |
!define DOC_NAME "OpenLDAP 2 + Kerberos V" |
| 15 |
!define DOC_TYPE "HowTo" |
| 16 |
!define DOC_AUTHOR "Sebastian Utz" |
| 17 |
!build_title |
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
H1: Description |
| 22 |
|
| 23 |
[left='0.5in']Install and configure MIT Kerberos V5, and so on do the same with OpenLDAP 2. |
| 24 |
|
| 25 |
[left='0.5in']Make this both work together in a common way to use the great secured ticket based, |
| 26 |
'single-sign-on' KerberosV mechanism for query request authentications against the LDAP server. |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
H2: MIT Kerberos V |
| 31 |
|
| 32 |
|
| 33 |
H3: install Kerberos V |
| 34 |
|
| 35 |
H4: debian: |
| 36 |
|
| 37 |
!block inline |
| 38 |
<pre style="margin-left:60px;"> |
| 39 |
apt-get install libkrb53 libkadm55 krb5-user krb5-kdc krb5-admin-server krb5-config |
| 40 |
</pre> |
| 41 |
!endblock |
| 42 |
|
| 43 |
[left='0.5in']This installs the minimum recommend packages needed for a Kerberos V server |
| 44 |
Optional packages are: |
| 45 |
|
| 46 |
!block inline |
| 47 |
<pre style="margin-left:60px;"> |
| 48 |
krb5-doc Documentation for krb5 |
| 49 |
krb5-telnetd Secure telnet server supporting MIT Kerberos |
| 50 |
krb5-ftpd Secure FTP server supporting MIT Kerberos |
| 51 |
krb5-rsh-server Secure replacements for rshd and rlogind using MIT Kerberos |
| 52 |
krb5-clients Secure replacements for ftp, telnet and rsh using MIT Kerberos |
| 53 |
</pre> |
| 54 |
!endblock |
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
H4: other systems: |
| 59 |
|
| 60 |
[left='0.5in']configure parameters (as used at the Debian packages) are not tested by me on other systems, but if you wanna try out these, your response is very welcomed, here they are: |
| 61 |
|
| 62 |
|
| 63 |
!block inline |
| 64 |
<pre style="margin-left:60px;"> |
| 65 |
--prefix=/usr |
| 66 |
--enable-shared |
| 67 |
--with-ccopts="-g -O2 -D_REENTRANT" |
| 68 |
--localstatedir=/etc |
| 69 |
--mandir=/usr/share/man |
| 70 |
--without-tcl |
| 71 |
</pre> |
| 72 |
!endblock |
| 73 |
|
| 74 |
[left='0.5in']and... |
| 75 |
|
| 76 |
!block inline |
| 77 |
<pre style="margin-left:60px;"> |
| 78 |
./configure;make;make install |
| 79 |
</pre> |
| 80 |
!endblock |
| 81 |
|
| 82 |
[left='0.5in']...would do the rest... |
| 83 |
|
| 84 |
|
| 85 |
H3: configure Kerberos V |
| 86 |
|
| 87 |
H4: prepare DNS for Kerberos |
| 88 |
|
| 89 |
[left='0.5in']as Turbo Fredriksson wrotes |
| 90 |
({{CMD[jump="http://www.bayour.com/LDAPv3-HOWTO.html#4.3.3.1.Preparing%20the%20DNS%20for%20KerberosV"]Prepare the DNS for KerberosV}}): |
| 91 |
|
| 92 |
[left='0.5in'; right='1in']"The DNS should be setup like follows to get full Kerberos network support. |
| 93 |
However, it seems like very few programs (OpenLDAP doesn't seem to) actually use the SRV entries, which is 'Server Location' entries. |
| 94 |
So if you don't want to/can't change the DNS, it is not required..." |
| 95 |
|
| 96 |
[left='0.5in'; right='1in']"NOTE: I upgraded my Kerberos server (from 1.2.2 to 1.2.4) the other day, and I got the question if my DNS was listing the location of my |
| 97 |
KDC's (which it does) so maybe Kerberos is now using the SRV entries. |
| 98 |
I haven't verified what's the case here, it doesn't matter that much to me at the moment... :)" |
| 99 |
|
| 100 |
|
| 101 |
[left='0.5in']...i agree with, so there's currently no need for other comments..... |
| 102 |
|
| 103 |
!block inline |
| 104 |
<pre style="margin-left:60px;"> |
| 105 |
; IP addresses to the Kerberos/LDAP servers... |
| 106 |
kerberos IN A [IP OF YOUR 1st KERBEROS SERVER] |
| 107 |
kerberos-1 IN A [IP OF YOUR 2nd KERBEROS SERVER] |
| 108 |
kerberos-2 IN A [IP OF YOUR 3rd KERBEROS SERVER] |
| 109 |
ldap IN A [IP OF YOUR 1st LDAP SERVER] |
| 110 |
ldap-1 IN A [IP OF YOUR 2nd LDAP SERVER] |
| 111 |
ldap-2 IN A [IP OF YOUR 3rd LDAP SERVER] |
| 112 |
; |
| 113 |
; Master setup |
| 114 |
_kerberos IN TXT "[YOUR KERBEROS REALM]" |
| 115 |
_kerberos-master._udp IN SRV 0 0 88 kerberos |
| 116 |
_kerberos-adm._tcp IN SRV 0 0 749 kerberos |
| 117 |
_kpasswd._udp IN SRV 0 0 464 Kerberos |
| 118 |
; |
| 119 |
; Round-robin setup |
| 120 |
_kerberos._udp IN SRV 0 0 88 kerberos |
| 121 |
IN SRV 0 0 88 kerberos-1 |
| 122 |
IN SRV 0 0 88 kerberos-2 |
| 123 |
_ldap._tcp.[DOMAIN NAME] IN SRV 0 0 389 ldap |
| 124 |
IN SRV 0 0 389 ldap-1 |
| 125 |
IN SRV 0 0 389 ldap-2 |
| 126 |
</pre> |
| 127 |
!endblock |
| 128 |
|
| 129 |
|
| 130 |
|
| 131 |
|
| 132 |
H4: edit /etc/kdc5.conf |
| 133 |
|
| 134 |
[left='0.5in']example /etc/kdc5.conf: |
| 135 |
|
| 136 |
!block inline |
| 137 |
<pre style="margin-left:60px;"> |
| 138 |
[libdefaults] |
| 139 |
default_realm = [YOUR KERBEROS REALM] |
| 140 |
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| 141 |
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| 142 |
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 |
| 143 |
krb4_config = /etc/krb.conf |
| 144 |
krb4_realms = /etc/krb.realms |
| 145 |
kdc_timesync = 1 |
| 146 |
ccache_type = 4 |
| 147 |
forwardable = true |
| 148 |
proxiable = true |
| 149 |
|
| 150 |
[realms] |
| 151 |
[YOUR KERBEROS REALM] = { |
| 152 |
kdc = kerberos.[YOUR DOMAINNAME]:88 |
| 153 |
admin_server = kerberos.[YOUR DOMAINNAME]:749 |
| 154 |
default_domain = [YOUR DOMAINNAME] |
| 155 |
} |
| 156 |
|
| 157 |
[domain_realm] |
| 158 |
.[YOUR DOMAINNAME] = [YOUR KERBEROS REALM] |
| 159 |
|
| 160 |
[logging] |
| 161 |
kdc = FILE:/var/log/kerberos/krb5kdc.log |
| 162 |
admin_server = FILE:/var/log/kerberos/kadmin.log |
| 163 |
default = FILE:/var/log/kerberos/krb5lib.log |
| 164 |
|
| 165 |
[login] |
| 166 |
krb4_convert = false |
| 167 |
krb4_get_tickets = false |
| 168 |
</pre> |
| 169 |
!endblock |
| 170 |
|
| 171 |
|
| 172 |
H4: create KerberosV realm |
| 173 |
|
| 174 |
[left="0.5in"]If not already run at debian installer scripts, run {{N[bold]krb5_newrealm}}. |
| 175 |
For non-debian-users or if above script fails, run commands by step: |
| 176 |
|
| 177 |
!block inline |
| 178 |
<pre style="margin-left:60px;"> |
| 179 |
kdb5_util create -s |
| 180 |
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin" |
| 181 |
kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw" |
| 182 |
/etc/init.d/krb5-kdc start || true |
| 183 |
/etc/init.d/krb5-admin-server start ||true |
| 184 |
</pre> |
| 185 |
!endblock |
| 186 |
|
| 187 |
|
| 188 |
[left="0.5in"]Add some kind of KDC admin user: |
| 189 |
|
| 190 |
!block inline |
| 191 |
<pre style="margin-left:60px;"> |
| 192 |
kadmin.local -q "addprinc krbadm@[YOUR KERBEROS REALM]" |
| 193 |
</pre> |
| 194 |
!endblock |
| 195 |
|
| 196 |
|
| 197 |
[left="0.5in"]For later use, we need a LDAP administrator principial at KDC. |
| 198 |
This will have, as we configure later ins this document, full access to the LDAP database. |
| 199 |
|
| 200 |
!block inline |
| 201 |
<pre style="margin-left:60px;"> |
| 202 |
kadmin.local -q "addprinc ldapadm@[YOUR KERBEROS REALM]" |
| 203 |
</pre> |
| 204 |
!endblock |
| 205 |
|
| 206 |
|
| 207 |
H5: setting up KerberosV access rights |
| 208 |
|
Parent Directory
| 
Revision Log
