Ubuntu Server Guide
Configuring OpenLDAP
We are going to install the OpenLDAP server on the same host as the KDC, to simplify the communication between them. In such a setup, we can use the ldapi:/// transport, which is via a unix socket, and don't need to set up SSL certificates to secure the communication between the Kerberos services and OpenLDAP. Note, however, that SSL is still needed for the OpenLDAP replication. See LDAP with TLS for details.

If you want to use an existing OpenLDAP server that you have somewhere else, that's of course also possible, but keep in mind that you should then use SSL for the communication between the KDC and this OpenLDAP server.

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see OpenLDAP Server.

Note: cn=admin,dc=example,dc=com is a default admin user that is created during the installation of the slapd package (the OpenLDAP server). The domain component will change for your server, so adjust accordingly.

• Install the necessary packages (it's assumed that OpenLDAP is already installed):

    sudo apt install krb5-kdc-ldap krb5-admin-server

• Next, extract the kerberos.schema.gz file:

    sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz /etc/ldap/schema/
    sudo gunzip /etc/ldap/schema/kerberos.schema.gz

• The kerberos schema needs to be added to the cn=config tree. This schema file needs to be converted to LDIF format before it can be added. For that we will use a helper tool, called schema2ldif, provided by the package of the same name which is available in the Universe archive:

    sudo apt install schema2ldif

• To import the kerberos schema, run:

    $ sudo ldap-schema-manager -i kerberos.schema
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    executing 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.ldif'
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "cn=kerberos,cn=schema,cn=config"

• With the new schema loaded, let's index an attribute often used in searches:

    $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
    dn: olcDatabase={1}mdb,cn=config
    add: olcDbIndex
    olcDbIndex: krbPrincipalName eq,pres,sub
    EOF

    modifying entry "olcDatabase={1}mdb,cn=config"

• Let's create LDAP entries for the Kerberos administrative entities that will contact the OpenLDAP server to perform operations. There are two:
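The index step above adds an olcDbIndex value unconditionally; if krbPrincipalName is already indexed (for example when the procedure is re-run on a replica), ldapmodify rejects the duplicate value with "Type or value exists". As an added example that is not part of the guide, this Python helper reads the current olcDbIndex values of olcDatabase={1}mdb,cn=config (the sample LDIF is constructed and assumed to mirror a stock slapd install; capture the real one with ldapsearch as noted in the comments) and emits only the modify LDIF that is actually needed.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample: the index values Ubuntu's slapd package ships with, as
# `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcDbIndex` would show.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
"""
# attribute -> (attributes sharing that olcDbIndex value, index types, raw value)
Entry = Tuple[Tuple[str, ...], FrozenSet[str], str]


def parse_db_index(ldif: str) -> Dict[str, Entry]:
    """Map each indexed attribute to the olcDbIndex value that covers it."""
    out: Dict[str, Entry] = {}
    for line in ldif.splitlines():
        # olcDbIndex value syntax: "<attr>[,<attr>...] <type>[,<type>...]"
        m = re.match(r"olcDbIndex:\s*(\S+)\s+(\S+)\s*$", line)
        if m:
            attrs = tuple(m.group(1).split(","))
            entry = (attrs, frozenset(m.group(2).split(",")), f"{m.group(1)} {m.group(2)}")
            for a in attrs:
                out[a] = entry
    return out


def index_change_ldif(current_ldif: str, attr: str = "krbPrincipalName",
                      wanted: Tuple[str, ...] = ("eq", "pres", "sub"),
                      dn: str = "olcDatabase={1}mdb,cn=config") -> Optional[str]:
    """ldapmodify LDIF that indexes `attr` with at least `wanted`; None if it
    already is (re-adding an existing value fails with "Type or value exists")."""
    head = f"dn: {dn}\nchangetype: modify\n"
    current = parse_db_index(current_ldif)
    if attr not in current:
        return head + f"add: olcDbIndex\nolcDbIndex: {attr} {','.join(wanted)}\n"
    attrs, have, raw = current[attr]
    if set(wanted) <= have:
        return None
    # Indexed with too few types: delete the old value and re-add the union in
    # one modify; attributes that shared the old value keep their index types.
    body = head + f"delete: olcDbIndex\nolcDbIndex: {raw}\n-\n"
    body += f"add: olcDbIndex\nolcDbIndex: {attr} {','.join(sorted(have | set(wanted)))}\n"
    others = [a for a in attrs if a != attr]
    if others:
        body += f"olcDbIndex: {','.join(others)} {','.join(sorted(have))}\n"
    return body
```

Pipe the returned LDIF into `sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///`; a None result means the index is already in place.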