Ubuntu Server Guide
Primary KDC Configuration (LDAP)
With OpenLDAP configured it is time to configure the KDC. In this example we are doing it on the same OpenLDAP server to take advantage of local unix socket communication.

• Reconfigure the krb5-config package if needed to get a good starting point with /etc/krb5.conf:

    sudo dpkg-reconfigure krb5-config

• Now edit /etc/krb5.conf adding the database_module option to the EXAMPLE.COM realm section:

    [realms]
        EXAMPLE.COM = {
            kdc = kdc01.example.com
            kdc = kdc02.example.com
            admin_server = kdc01.example.com
            default_domain = example.com
            database_module = openldap_ldapconf
        }

Then also add these new sections:

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap

            # if either of these is false, then the ldap_kdc_dn needs to
            # have write access
            disable_last_success = true
            disable_lockout = true

            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            ldap_kdc_dn = "uid=kdc-service,dc=example,dc=com"

            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "uid=kadmin-service,dc=example,dc=com"

            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_servers = ldapi:///
            ldap_conns_per_server = 5
        }

• Next, use the kdb5_ldap_util utility to create the realm:

    $ sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldapi:///
    Password for "cn=admin,dc=example,dc=com":
    Initializing database for realm 'EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

• Create a stash of the password used to bind to the LDAP server. Run it once for each ldap_kdc_dn and ldap_kadmind_dn:

    sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile uid=kdc-service,dc=example,dc=com
    sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile uid=kadmin-service,dc=example,dc=com

Note: The /etc/krb5kdc/service.keyfile file now contains clear text versions of the passwords used by the KDC to contact the LDAP server!

• Create a /etc/krb5kdc/kadm5.acl file for the admin server, if you haven't already:

    */admin@EXAMPLE.COM        *

• Start the Kerberos KDC and admin server:

    sudo systemctl start krb5-kdc.service krb5-admin-server.service

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:

    $ sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc ubuntu
    WARNING: no policy specified for ubuntu@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "ubuntu@EXAMPLE.COM":
    Re-enter password for principal "ubuntu@EXAMPLE.COM":
    Principal "ubuntu@EXAMPLE.COM" created.
    kadmin.local:

The above will create an ubuntu principal with a dn of krbPrincipalName=ubuntu@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com.

Let's say, however, that you already have a user in your directory at uid=testuser1,ou=People,dc=example,dc=com. How do you add the Kerberos attributes to that existing entry? You use the -x parameter:

    $ sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local:  addprinc -x dn=uid=testuser1,ou=People,dc=example,dc=com testuser1
    WARNING: no policy specified for testuser1@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "testuser1@EXAMPLE.COM":
    Re-enter password for principal "testuser1@EXAMPLE.COM":
    Principal "testuser1@EXAMPLE.COM" created.

Since the specified dn already exists, kadmin.local will just add the required Kerberos attributes to this existing entry. If it didn't exist, it would be created from scratch with just the Kerberos attributes, like what happened with the ubuntu example above, but in the specified location. Both locations are visible to kinit, since, when the realm was created with kdb5_ldap_util, the default values for the search scope and base were taken: subtree, and dc=example,dc=com.
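The [dbmodules] block above carries the three settings that decide how much LDAP access the KDC bind identity needs. As an added example that is not part of the guide, the following Python parses the krb5.conf brace syntax shown on this page and flags a realm whose kldap module would require write access for ldap_kdc_dn or talks to LDAP over something other than the local ldapi:/// socket; the sample configuration is constructed for the example, with disable_lockout deliberately left false.

```python
# Constructed sample in the shape of the page's /etc/krb5.conf fragment (not a real file).
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        database_module = openldap_ldapconf
    }
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        disable_last_success = true
        disable_lockout = false
        ldap_kdc_dn = "uid=kdc-service,dc=example,dc=com"
        ldap_kadmind_dn = "uid=kadmin-service,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf [sections] and nested `name = { ... }` blocks into dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf comments start with '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value.strip('"')  # repeated keys (kdc = ...): last wins
    return conf

def check_ldap_backend(conf, realm):
    """Return reviewer findings about the realm's kldap backend; empty list means OK."""
    name = conf.get("realms", {}).get(realm, {}).get("database_module")
    mod = conf.get("dbmodules", {}).get(name)
    if mod is None:
        return [f"realm {realm}: database_module {name!r} has no [dbmodules] entry"]
    findings = [f"{k} missing" for k in ("ldap_kdc_dn", "ldap_kadmind_dn") if k not in mod]
    if "false" in (mod.get("disable_last_success"), mod.get("disable_lockout")):
        findings.append("ldap_kdc_dn needs LDAP write access: lockout/last-success tracking is on")
    if not mod.get("ldap_servers", "").startswith("ldapi://"):
        findings.append("ldap_servers is not a local ldapi:// socket")
    return findings
```

Run it against a real /etc/krb5.conf by passing the file contents to parse_krb5_conf; an empty findings list means the KDC DN can stay read-only as the comments in the guide's configuration intend.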