Ubuntu Server Guide
– ldap_kdc_dn: needs to have read rights on the realm container, principal container and realm sub-trees. If disable_last_success and disable_lockout are not set, however, then ldap_kdc_dn needs write access to the kerberos container just like the admin dn below.
– ldap_kadmind_dn: needs to have read and write rights on the realm container, principal container and realm sub-trees.

Here is the command to create these entities:

    $ ldapadd -x -D cn=admin,dc=example,dc=com -W <<EOF
    dn: uid=kdc-service,dc=example,dc=com
    uid: kdc-service
    objectClass: account
    objectClass: simpleSecurityObject
    userPassword: {CRYPT}x
    description: Account used for the Kerberos KDC

    dn: uid=kadmin-service,dc=example,dc=com
    uid: kadmin-service
    objectClass: account
    objectClass: simpleSecurityObject
    userPassword: {CRYPT}x
    description: Account used for the Kerberos Admin server
    EOF
    Enter LDAP Password:
    adding new entry "uid=kdc-service,dc=example,dc=com"
    adding new entry "uid=kadmin-service,dc=example,dc=com"

Now let's set a password for them. Note that first the tool asks for the password you want for the specified user dn, and then for the password of the cn=admin dn:

    $ ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=kdc-service,dc=example,dc=com
    New password:            <-- password you want for uid=kdc-service
    Re-enter new password:
    Enter LDAP Password:     <-- password for the dn specified with the -D option

Repeat for the uid=kadmin-service dn. These passwords will be needed later.

You can test these with ldapwhoami:

    $ ldapwhoami -x -D uid=kdc-service,dc=example,dc=com -W
    Enter LDAP Password:
    dn:uid=kdc-service,dc=example,dc=com

• Finally, update the Access Control Lists (ACL). These can be tricky, as it highly depends on what you have defined already. By default, the slapd package configures your database with the following ACLs:

    olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
    olcAccess: {1}to attrs=shadowLastChange by self write by * read
    olcAccess: {2}to * by * read

We need to insert new rules before the final "to * by * read" one, to control access to the Kerberos related entries and attributes:

    $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<EOF
    dn: olcDatabase={1}mdb,cn=config
    add: olcAccess
    olcAccess: {2}to attrs=krbPrincipalKey
      by anonymous auth
      by dn.exact="uid=kdc-service,dc=example,dc=com" read
      by dn.exact="uid=kadmin-service,dc=example,dc=com" write
      by self write
      by * none
    -
    add: olcAccess
    olcAccess: {3}to dn.subtree="cn=krbContainer,dc=example,dc=com"
      by dn.exact="uid=kdc-service,dc=example,dc=com" read
      by dn.exact="uid=kadmin-service,dc=example,dc=com" write
      by * none
    EOF
    modifying entry "olcDatabase={1}mdb,cn=config"

This will make the existing {2} rule become {4}. Check with sudo slapcat -b cn=config (the output below was reformatted a bit for clarity):

    olcAccess: {0}to attrs=userPassword
      by self write
      by anonymous auth
      by * none
    olcAccess: {1}to attrs=shadowLastChange
      by self write
      by * read
    olcAccess: {2}to attrs=krbPrincipalKey
      by anonymous auth
      by dn.exact="uid=kdc-service,dc=example,dc=com" read
      by dn.exact="uid=kadmin-service,dc=example,dc=com" write
      by self write
      by * none
    olcAccess: {3}to dn.subtree="cn=krbContainer,dc=example,dc=com"
      by dn.exact="uid=kdc-service,dc=example,dc=com" read
      by dn.exact="uid=kadmin-service,dc=example,dc=com" write
      by * none
    olcAccess: {4}to * by * read

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
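The ordering requirement above ("insert before the final to * by * read rule") is easy to get wrong and slapd gives no warning when you do. The following Python script is an added example, not part of the Ubuntu Server Guide and not OpenLDAP code: it is a deliberately simplified model of how slapd evaluates olcAccess rules (first matching "to" clause wins, and inside it the first matching "by" clause wins) and checks the rights the two service accounts were said to need (ldap_kdc_dn read, ldap_kadmind_dn write) against the final ACL set shown above. It also evaluates a constructed, misordered variant in which the same two rules were appended after the catch-all, to show the consequence. The principal DN, the "alice" entry and the bare "uid=bob" entry are constructed test data; the model ignores the entry pseudo-attribute, "users", sets, regex matching and the finer write sub-levels, so it is an illustration of rule ordering, not a replacement for testing against a live server with ldapsearch.

```python
import re
from dataclasses import dataclass

# OpenLDAP access levels, weakest to strongest; a granted level implies every
# weaker one (e.g. "read" also satisfies search, compare, auth and disclose).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACLs the guide ends up with, joined onto one line per rule (constructed
# copy of the slapcat output in the text above).
CORRECT_ACL = """
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=krbPrincipalKey by anonymous auth by dn.exact="uid=kdc-service,dc=example,dc=com" read by dn.exact="uid=kadmin-service,dc=example,dc=com" write by self write by * none
olcAccess: {3}to dn.subtree="cn=krbContainer,dc=example,dc=com" by dn.exact="uid=kdc-service,dc=example,dc=com" read by dn.exact="uid=kadmin-service,dc=example,dc=com" write by * none
olcAccess: {4}to * by * read
"""

# Hypothetical misconfiguration (constructed): the same Kerberos rules appended
# AFTER the catch-all "to * by * read" instead of being inserted before it.
APPENDED_ACL = """
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcAccess: {3}to attrs=krbPrincipalKey by anonymous auth by dn.exact="uid=kdc-service,dc=example,dc=com" read by dn.exact="uid=kadmin-service,dc=example,dc=com" write by self write by * none
olcAccess: {4}to dn.subtree="cn=krbContainer,dc=example,dc=com" by dn.exact="uid=kdc-service,dc=example,dc=com" read by dn.exact="uid=kadmin-service,dc=example,dc=com" write by * none
"""

KDC_DN = "uid=kdc-service,dc=example,dc=com"
KADMIN_DN = "uid=kadmin-service,dc=example,dc=com"
# Constructed principal entry living under the Kerberos container.
PRINC_DN = "krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"


@dataclass
class Rule:
    index: int
    target: str   # "*", "attrs=NAME" or 'dn.subtree="DN"'
    by: list      # ordered (who, level) pairs


def parse_olc_access(text):
    """Parse single-line 'olcAccess: {n}to TARGET by WHO LEVEL ...' rules, sorted by {n}."""
    rules = []
    for line in text.splitlines():
        m = re.match(r'\s*olcAccess:\s*\{(\d+)\}to\s+(.+?)\s+by\s+(.+)$', line)
        if not m:
            continue
        by = []
        for clause in re.split(r'\s+by\s+', m.group(3)):
            who, level = clause.rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            by.append((who, level))
        rules.append(Rule(int(m.group(1)), m.group(2), by))
    return sorted(rules, key=lambda r: r.index)


def _norm(dn):
    return dn.replace(" ", "").lower()


def target_matches(target, entry_dn, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr.lower() == target[len("attrs="):].lower()
    if target.startswith("dn.subtree="):
        base = _norm(target[len("dn.subtree="):].strip('"'))
        entry = _norm(entry_dn)
        return entry == base or entry.endswith("," + base)
    raise ValueError("unsupported target: " + target)


def who_matches(who, requestor_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requestor_dn is None
    if who == "self":
        return requestor_dn is not None and _norm(requestor_dn) == _norm(entry_dn)
    if who.startswith("dn.exact="):
        wanted = _norm(who[len("dn.exact="):].strip('"'))
        return requestor_dn is not None and _norm(requestor_dn) == wanted
    raise ValueError("unsupported by clause: " + who)


def granted_level(rules, requestor_dn, entry_dn, attr):
    """First matching 'to' clause wins; inside it, the first matching 'by' clause wins."""
    for rule in rules:
        if target_matches(rule.target, entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requestor_dn, entry_dn):
                    return level
            return "none"  # a 'to' matched but no 'by' did: evaluation stops, no access
    return "none"


def allowed(rules, requestor_dn, entry_dn, attr, needed):
    return LEVELS.index(granted_level(rules, requestor_dn, entry_dn, attr)) >= LEVELS.index(needed)


def check_kerberos_acls(text):
    """The access decisions that matter for the KDC and kadmin service accounts."""
    rules = parse_olc_access(text)
    return {
        "anonymous_reads_key": allowed(rules, None, PRINC_DN, "krbPrincipalKey", "read"),
        "kdc_reads_key": allowed(rules, KDC_DN, PRINC_DN, "krbPrincipalKey", "read"),
        "kdc_writes_key": allowed(rules, KDC_DN, PRINC_DN, "krbPrincipalKey", "write"),
        "kadmin_writes_key": allowed(rules, KADMIN_DN, PRINC_DN, "krbPrincipalKey", "write"),
        "anonymous_reads_principal": allowed(rules, None, PRINC_DN, "krbPrincipalName", "read"),
        "kdc_reads_principal": allowed(rules, KDC_DN, PRINC_DN, "krbPrincipalName", "read"),
        "anyone_reads_cn_elsewhere": allowed(rules, None, "uid=bob,dc=example,dc=com", "cn", "read"),
    }


if __name__ == "__main__":
    for name, acl in (("inserted before catch-all", CORRECT_ACL), ("appended after catch-all", APPENDED_ACL)):
        print(name, check_kerberos_acls(acl))
```

With the rules in the guide's order, anonymous binds get only "auth" on krbPrincipalKey, the KDC account can read but not write it, the kadmin account can write it, and nothing under cn=krbContainer is visible to other users; the rest of the directory stays world-readable as before. With the two rules appended after the catch-all instead, the catch-all matches first for every attribute, so principal keys become world-readable and, just as damagingly for operations, the kadmin account is capped at "read" and can no longer create or change principals.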