Kerberos

From DcSharedWiki

Revision as of 19:16, 20 June 2010

How to install MIT Kerberos on Debian with slapd backend


References:

  • http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end

Other how-to:

  • http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php

Install slapd

TODO increase level of configuration questions

Install ldap server

# slapd admin password will be asked
aptitude install slapd


Logs:

Syslog:

# /etc/rsyslog.d/slapd.conf
# minus before file => omit syncing the file after every log message
# & ~               => discard the message here, so later rules do not also write it (e.g. to /var/log/syslog)
local4.* -/var/log/slapd.log
& ~


Logrotate:

# /etc/logrotate.d/slapd
/var/log/slapd.log
{
    # 1 month
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        /etc/init.d/slapd restart
    endscript
}


Install kdc

Some information will be asked:

  • REALM
  • FQDN of Kerberos server (check dns configuration !)
  • fqdn of administrative server for the kerberos realm

aptitude install krb5-kdc # dependencies will be installed too (krb5-config, krb5-user, etc)


Install the LDAP plugin for the Kerberos KDC and include the Kerberos schema in the schemas used by slapd

aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
#Include Kerberos schema in slapd configuration in /etc/ldap/slapd.conf:
include         /etc/ldap/schema/kerberos.schema


Configure the LDAP client defaults in /etc/ldap/ldap.conf (check dns configuration !)

BASE    dc=coincoin,dc=eu
URI     ldap://ldap.coincoin.eu


/etc/ldap/slapd.conf

# log connections, operations and results: change log level from 'none' to '256' (stats)
loglevel 256

# add ACL for Kerberos:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to realm container (cn=<REALM> under ldap_kerberos_container_dn, i.e. ou=krb5)
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# slapd stops at the first "access to" whose target matches, so a second
# "access to *" placed after "access to * by * read" is never consulted:
# the adm-srv write clause has to live in the same directive
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * read
# Comment all other default ACL

# add specific directives for database #1
suffix          "dc=coincoin,dc=eu"
rootdn          "cn=admin,dc=coincoin,dc=eu"

# add indexes (objectClass eq is there by default; slapd.conf has no end-of-line comments)
index           objectClass eq
index           uid         eq
index           krbPrincipalName eq,pres,sub
#TODO check indexes are created (run slapindex while slapd is stopped if the database already exists)
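slapd evaluates the access directives above in order: the first "access to" whose target matches the entry (and attribute) decides, and within that directive the first matching "by" clause gives the level, with an implicit "by * none" at the end. The following added example is my own code, not from the wiki page; it models that evaluation for the DNs on this page, covers only the ACL subset used here (dn.base, dn.subtree, attrs, "*", "self", dn.exact), assumes the realm container is cn=COINCOIN.EU under ou=krb5 (the ldap_kerberos_container_dn of /etc/krb5.conf), and shows why a second "access to *" placed after "access to * by * read" is never reached.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.strip().lower().split(","))


@dataclass
class By:
    who: str    # "*", "self", or a normalised DN taken from dn.exact="..."
    level: str  # none | auth | compare | search | read | write


@dataclass
class Rule:
    scope: str = "*"   # "*" (every entry), "base" or "subtree"
    dn: str = ""
    attrs: Set[str] = field(default_factory=set)  # empty: entry and all attributes
    bys: List[By] = field(default_factory=list)

    def matches(self, target_dn: str, attr: Optional[str]) -> bool:
        if self.attrs and (attr is None or attr.lower() not in self.attrs):
            return False
        if self.scope == "*":
            return True
        t = norm(target_dn)
        return t == self.dn or (self.scope == "subtree" and t.endswith("," + self.dn))


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of slapd.conf 'access to ... by ...' syntax used on this page."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            rule = Rule()
            m = re.match(r'dn\.(base|subtree)="([^"]*)"', target)
            if m:
                rule.scope, rule.dn = m.group(1), norm(m.group(2))
            m = re.search(r"attrs=([\w,]+)", target)
            if m:
                rule.attrs = {a.lower() for a in m.group(1).split(",")}
            rules.append(rule)
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            m = re.match(r'dn\.exact="([^"]*)"', who)
            rules[-1].bys.append(By(norm(m.group(1)) if m else who, level))
    return rules


def access(rules, requester_dn, target_dn, attr=None) -> str:
    """Level slapd grants: the first rule whose target matches decides, and inside it
    the first matching 'by' clause; a matching rule with no matching 'by' gives none."""
    r = norm(requester_dn)
    for rule in rules:
        if not rule.matches(target_dn, attr):
            continue
        for by in rule.bys:
            if by.who == "*" or (by.who == "self" and r == norm(target_dn)) or by.who == r:
                return by.level
        return "none"
    return "none"


def unreachable(rules) -> List[int]:
    """Indices of rules after a catch-all 'access to *' with no attrs: never consulted."""
    for i, rule in enumerate(rules):
        if rule.scope == "*" and not rule.attrs:
            return list(range(i + 1, len(rules)))
    return []


KDC = "cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu"
ADM = "cn=adm-srv,ou=krb5,dc=coincoin,dc=eu"
LILOU = "uid=lilou,ou=Users,dc=coincoin,dc=eu"

# Constructed copy of the page's ACL (rootDSE/Subschema rules omitted), with the
# realm container assumed to be cn=COINCOIN.EU under ou=krb5.
PAGE_ACL = """
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none
access to *
        by * read
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
"""

# Same rules with the two trailing catch-all directives merged into one.
MERGED_ACL = PAGE_ACL.rsplit("access to *", 2)[0] + """
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * read
"""
```

Calling access(parse_acl(PAGE_ACL), ADM, "ou=Groups,dc=coincoin,dc=eu") gives "read", because the catch-all "by * read" directive matches first and the later write directive is in unreachable(); with MERGED_ACL the same call gives "write" while anonymous callers keep "read". The kdc-srv DN gets "read" on a principal entry and only "auth" on its userPassword, which is enough since the KDC keeps its keys in krbPrincipalKey, not in userPassword.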


Add ldap entries:

/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu
cn: lilou
gidNumber: 1000
objectClass: top
objectClass: posixGroup

dn: uid=lilou,ou=Users,dc=coincoin,dc=eu
uid: lilou
uidNumber: 1000
gidNumber: 1000
cn: Lilou
sn: Lilou
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/lilou

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc


slapadd -svl data.ldif
/etc/init.d/slapd start


Configure Kerberos /etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU
[...]

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5
        }

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate


/etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }


Set up the realms subtree and the realm itself (realm, base DN and server as in /etc/krb5.conf above)

# asks for the bind password of cn=admin, then for the KDC master password (-s stashes it in key_stash_file)
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -subtrees dc=coincoin,dc=eu -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu
# asks for the password of cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu (the userPassword set in data.ldif) and stores it in the service keyfile;
# this DN is referenced in /etc/krb5.conf by ldap_kdc_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
# same for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu, referenced by ldap_kadmind_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
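The DNs given to stashsrvpw must be the ones /etc/krb5.conf lists under ldap_kdc_dn and ldap_kadmind_dn, and both must exist in the directory with a userPassword, otherwise the KDC and kadmind cannot bind. The added example below is my own code, not from the wiki page: it parses a krb5.conf and a data.ldif with minimal parsers and cross-checks them offline. The sample inputs are constructed from the values on this page, with placeholder passwords; the parsers only handle the syntax used here (no LDIF base64 or continuation lines, no krb5.conf includes).

```python
from typing import Dict, List


def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.strip().lower().split(","))


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal parser for the krb5.conf profile syntax: [section] headers,
    'key = value' lines and 'key = {' ... '}' nested groups; '#' starts a comment."""
    conf: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse simple LDIF (entries separated by blank lines) into {dn: {attr: [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:
            if current:
                entries[norm(current["dn"][0])] = current
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_ldap_backend(conf: dict, entries: dict) -> List[str]:
    """Cross-check the default realm's [dbmodules] entry against the directory:
    db_library must be kldap, the Kerberos container from [dbdefaults] must exist,
    and the KDC and kadmind bind DNs must exist and carry a userPassword."""
    problems: List[str] = []
    realm = conf["libdefaults"]["default_realm"]
    module = conf["dbmodules"][conf["realms"][realm]["database_module"]]
    if module.get("db_library") != "kldap":
        problems.append("db_library is not kldap")
    container = norm(conf["dbdefaults"]["ldap_kerberos_container_dn"])
    if container not in entries:
        problems.append(f"container {container} not in directory")
    for key in ("ldap_kdc_dn", "ldap_kadmind_dn"):
        dn = norm(module[key])
        entry = entries.get(dn)
        if entry is None:
            problems.append(f"{key}: {dn} not in directory")
        elif "userPassword" not in entry:
            problems.append(f"{key}: {dn} has no userPassword to bind with")
    return problems


# Constructed sample built from the values on this page.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = COINCOIN.EU

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5
        }
"""

# Constructed sample: the Kerberos part of data.ldif with placeholder passwords.
SAMPLE_LDIF = """
dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: PLACEHOLDER-kdc-bind-password

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: PLACEHOLDER-adm-bind-password
"""
```

check_ldap_backend(parse_krb5_conf(SAMPLE_KRB5_CONF), parse_ldif(SAMPLE_LDIF)) returns an empty list for the matching pair; pointing ldap_kdc_dn at a DN under another base (dc=piloucorp,dc=eu, say) or dropping the userPassword of cn=adm-srv each produces one problem line naming the offending key.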


If the LDAP server and KDC service are running on the same machine, slapd can listen on the Unix socket only (the KDC must then be pointed at it too: ldap_servers = ldapi:/// in the [dbmodules] entry of /etc/krb5.conf, and -H ldapi:/// for kdb5_ldap_util):

# slapd listens only on the unix socket, in /etc/default/slapd:
SLAPD_SERVICES="ldapi:///"
/etc/init.d/slapd restart


You should disallow anonymous binding:

# Add in the global section at the top of /etc/ldap/slapd.conf (before any database directive)
disallow bind_anon

/etc/init.d/slapd restart