Kerberos
From DcSharedWiki
How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-to
Install slapd
TODO increase level of configuration questions
Install ldap server
# slapd admin password will be asked aptitude install slapd
Logs:
Syslog:
# /etc/rsyslog.d/slapd.conf # minus before file => omit syncing the file after every loggin # & ~ => don't transmist log to next logger local4.* -/var/log/slapd.log & ~
Logrotate:
# /etc/logrotate.d/slapd
/var/log/slapd.log
{
# 1 month
weekly
rotate 4
missingok
compress
delaycompress
notifempty
postrotate
/etc/init.d/slapd restart
endscript
}
Install kdc
Some informations will be asked:
- REALM
- FQDN of Kerberos server (check dns configuration !)
- fqdn of administrative server for the kerberos realm
aptitude install krb5-kdc # dependances will be installed too (krb5-config, krb5-user, etc)
Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd
aptitude install krb5-kdc-ldap gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema #Include Kerberos schema in slapd configuration in /etc/ldap/slapd.conf: include /etc/ldap/schema/kerberos.schema
Configure slapd
/etc/ldap/ldap.conf (check dns configuration !)
BASE dc=coincoin,dc=eu URI ldap://ldap.coincoin.eu
/etc/ldap/slapd.conf
# log all: change log level from 'none' to '256'
loglevel 256
# add ACL for Kerberos:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,cn=krb5,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
access to *
by * read
access to *
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
# Comment all other default ACL
# add specific directives for database #1
suffix "dc=coincoin,dc=eu"
rootdn "cn=admin,dc=coincoin,dc=eu"
# add indexes
index objectClass eq # by default
index uid eq
index krbPrincipalName eq,pres,sub
#TODO check indexes are created !
Add ldap entries:
/etc/init.d/slapd stop cat data.ldif dn: ou=Users,dc=coincoin,dc=eu ou: Users objectClass: organizationalUnit dn: ou=Groups,dc=coincoin,dc=eu ou: Groups objectClass: organizationalUnit dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu cn: lilou gidNumber: 1000 objectClass: top objectClass: posixGroup dn: uid=lilou,ou=Users,dc=coincoin,dc=eu uid: lilou uidNumber: 1000 gidNumber: 1000 cn: Lilou sn: Lilou objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/lilou dn: ou=krb5,dc=coincoin,dc=eu ou: krb5 objectClass: organizationalUnit dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu cn: kdc-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos KDC server userPassword: 5Wdx~FgK|VFm>>2`K1UW dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu cn: adm-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos Administration server userPassword: grh~1JnFvN*}]742_Jvc slapadd -svl data.ldif /etc/init.d/slapd start
Configure Kerberos
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
[...]
[realms]
COINCOIN.EU = {
kdc = kdc.coincoin.eu
admin_server = kdc.coincoin.eu
database_module = openldap_ldapconf
}
[domain_realm]
.coincoin.eu = COINCOIN.EU
coincoin.eu = COINCOIN.EU
[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
# TODO logrotate
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 750,88
[realms]
COINCOIN.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
Set up the realms subtree and the realm itself
kdb5_ldap_util -D "cn=admin,dc=piloucorp,dc=eu" create -subtrees dc=piloucorp,dc=eu -r PILOUCORP.EU -s -H ldap://ldap.piloucorp.eu # slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu # slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu
If the LDAP server and KDC service are running on the same machine:
# slapd listen only unix socket, in /etc/default/slapd: SLAPD_SERVICES="ldapi:///" /etc/init.d/slapd restart
You should disallow anonymous binding:
#Add at the beginning of /etc/ldap/slapd.conf disallow bind_anon /etc/init.d/slapd restart
