Ubuntu Server Guide Changes, errors and bugs
Secondary KDC Configuration (LDAP)
Download 1.27 Mb. Pdf ko'rish
|
ubuntu-server-guide
- Bu sahifa navigatsiya:
- Resources • Configuring Kerberos with OpenLDAP back-end • MIT Kerberos backend types OpenLDAP Server
|
Secondary KDC Configuration (LDAP)
The setup of the secondary KDC (and its OpenLDAP replica) is very similar. Once you have the OpenLDAP replication setup, repeat these steps on the secondary: - install krb5-kdc-ldap, ldap-utils. Do not install krb5- admin-server. - load the kerberos schema using schema2ldif - add the index for krbPrincipalName - add the ACLs - configure krb5.conf in the same way, initially. If you want and if you configured SSL properly, you can add ldaps://kdc01.example.com to the ldap_servers list after ldapi:///, so that the Secondary KDC can have two LDAP backends at its disposal - DO NOT run kdb5_ldap_util. There is no need to create the database since it’s being replicated from the Primary - copy over the following files from the Primary KDC and place them in the same location on the Secondary: - /etc/krb5kdc/stash - /etc/krb5kdc/service. keyfile - start the KDC: sudo systemctl start krb5−kdc.service Resources • Configuring Kerberos with OpenLDAP back-end • MIT Kerberos backend types OpenLDAP Server The Lightweight Directory Access Protocol, or LDAP, is a protocol for querying and modifying a X.500-based directory service running over TCP/IP. The current LDAP version is LDAPv3, as defined in RFC4510, and the implementation used in Ubuntu is OpenLDAP.” The LDAP protocol accesses directories. A common mistake is to call a directory an LDAP directory, or LDAP database, but it’s really so common, and we all know what we are talking about, that it’s ok. Here are some key concepts and terms: • A directory is a tree of data entries that is hierarchical in nature and is called the Directory Information Tree (DIT). • An entry consists of a set of attributes. • An attribute has a key (a name/description) and one or more values. • Every attribute must be defined in at least one objectClass. 186 • Attributes and objectclasses are defined in schemas (an objectclass is actually considered as a special kind of attribute). • Each entry has a unique identifier: its Distinguished Name (DN or dn). This, in turn, consists of a Relative Distinguished Name (RDN) followed by the parent entry’s DN. • The entry’s DN is not an attribute. It is not considered part of the entry itself. Note The terms object, container, and node have certain connotations but they all essentially mean the same thing as entry, the technically correct term. For example, below we have a single entry consisting of 11 attributes where the following is true: • DN is “cn=John Doe,dc=example,dc=com” • RDN is “cn=John Doe” • parent DN is “dc=example,dc=com” dn : cn=John Doe , dc=example , dc=com cn : John Doe givenName : John sn : Doe telephoneNumber : +1 888 555 6789 telephoneNumber : +1 888 555 1232 m a i l : john@example . com manager : cn=Larry Smith , dc=example , dc=com o b j e c t C l a s s : i n e t O r g P e r s o n o b j e c t C l a s s : o r g a n i z a t i o n a l P e r s o n o b j e c t C l a s s : p e r s o n o b j e c t C l a s s : top The above entry is in LDIF format (LDAP Data Interchange Format). Any information that you feed into your DIT must also be in such a format. It is defined in RFC2849. Such a directory accessed via LDAP is good for anything that involves a large number of access requests to a mostly-read, attribute-based (name:value) backend, and that can benefit from a hierarchical struc- ture. Examples include an address book, company directory, a list of email addresses, and a mail server’s configuration. Installation The installation of slapd will create a minimal working configuration with a top level entry, and an adminis- trator’s DN. In particular, it will create a database instance that you can use to store your data. However, the suffix (or base DN) of this instance will be determined from the domain name of the host. If you want something different, you can change it right after the installation when you still don’t have any useful data. Note This guide will use a database suffix of dc=example,dc=com. Proceed with the install of the server and the main command line utilities: sudo apt i n s t a l l s l a p d ldap−u t i l s If you want to change your DIT suffix, now would be a good time, because changing it discards your existing one. To change the suffix, run the following command: sudo dpkg−r e c o n f i g u r e s l a p d 187 To switch your DIT suffix to dc=example,dc=com, for example, so you can follow this guide more closely, answer example.com when asked about the DNS domain name. Throughout this guide we will issue many commands with the LDAP utilities. To save some typing, we can configure the OpenLDAP libraries with certain defaults in /etc/ldap/ldap.conf: BASE dc=example , dc=com URI l d a p : / / l d a p 0 1 . example . com TLS_CACERT / e t c / s s l / c e r t s / ca− c e r t i f i c a t e s . c r t Download 1.27 Mb. Do'stlaringiz bilan baham: 
|