.. _ldap_be_ubuntu:

LDAP backend on Ubuntu 10.4 (lucid)
===================================

Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)

Prerequisites
-------------

Install the following packages: *slapd*, *ldap-utils* and *libldap2-dev*.
You can install the necessary packages with these commands::

    sudo apt-get install slapd
    sudo apt-get install ldap-utils
    sudo apt-get install libldap2-dev

Extend the user schema using schemas from the standard OpenLDAP
distribution: *cosine*, *misc*, *nis* and *inetorgperson*::

    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif


Building Kerberos from source
-----------------------------

::

    ./configure --with-ldap
    make
    sudo make install


Setting up Kerberos
-------------------

Configuration
~~~~~~~~~~~~~

Update kdc.conf with the LDAP back-end information::

    [realms]
        EXAMPLE.COM = {
            database_module = LDAP
        }

    [dbmodules]
        LDAP = {
            db_library = kldap
            ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
            ldap_kdc_dn = cn=admin,dc=example,dc=com
            ldap_kadmind_dn = cn=admin,dc=example,dc=com
            ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
            ldap_servers = ldapi:///
        }


Schema
~~~~~~

From the source tree, copy
``src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema`` into
``/etc/ldap/schema``.

Warning: this step should be done after slapd is installed to avoid
problems with the slapd installation.

To convert kerberos.schema to run-time configuration (``cn=config``),
do the following:

#. Create a temporary file ``/tmp/schema_convert.conf`` with the
   following content::

       include /etc/ldap/schema/kerberos.schema

#. Create a temporary directory ``/tmp/krb5_ldif``.

#. Run::

       slaptest -f /tmp/schema_convert.conf -F /tmp/krb5_ldif

   This should result in a new file named
   ``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif``.

#. Edit ``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif`` by
   replacing the lines::

       dn: cn={0}kerberos
       cn: {0}kerberos

   with::

       dn: cn=kerberos,cn=schema,cn=config
       cn: kerberos

   Also, remove the following attribute-value pairs::

       structuralObjectClass: olcSchemaConfig
       entryUUID: ...
       creatorsName: cn=config
       createTimestamp: ...
       entryCSN: ...
       modifiersName: cn=config
       modifyTimestamp: ...

#. Load the new schema with ldapadd (with the proper authentication)::

       ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif

   which should result in the message ``adding new entry
   "cn=kerberos,cn=schema,cn=config"``.

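As an added example (not from the Kerberos documentation or the project's own tooling), the following POSIX shell functions perform the edit of step 4 over a slaptest-generated LDIF and refuse to hand the file on to ldapadd while any operational attribute survives. The sample LDIF in ``sample_ldif`` is constructed, with a placeholder OID and timestamps, and ``prepare_kerberos_schema_ldif`` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not part of the MIT Kerberos documentation: automate the
# edit of the slaptest-generated LDIF described in step 4. The sample LDIF
# below is constructed (placeholder OID and timestamps), not slaptest output.

# Rewrite dn/cn for cn=config and strip the operational attributes that
# slaptest emits; reads LDIF on stdin, writes the cleaned LDIF on stdout.
convert_kerberos_schema_ldif() {
    sed -e 's/^dn: cn={0}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {0}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: olcSchemaConfig$/d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: cn=config$/d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: cn=config$/d' \
        -e '/^modifyTimestamp: /d'
}

# Count operational attributes left in an LDIF read on stdin; prints 0 when
# the file is ready to load into cn=config.
count_operational_attrs() {
    grep -c -E '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' || true
}

# Convert the file slaptest wrote (argument 1) into a loadable LDIF
# (argument 2); fails if any operational attribute survived the rewrite.
prepare_kerberos_schema_ldif() {
    convert_kerberos_schema_ldif < "$1" > "$2"
    [ "$(count_operational_attrs < "$2")" -eq 0 ]
}

# Constructed sample shaped like slaptest output (all values are placeholders).
sample_ldif() {
    cat <<'EOF'
dn: cn={0}kerberos
objectClass: olcSchemaConfig
cn: {0}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'krbPrincipalName' DESC 'p
 laceholder' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110101000000Z
entryCSN: 20110101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110101000000Z
EOF
}
```

Run it as ``prepare_kerberos_schema_ldif '/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.ldif`` and pass the second path to ldapadd only when it exits 0.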

Create Kerberos database
------------------------

Using LDAP administrator credentials, create the Kerberos database and
master key stash::

    kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s

Stash the LDAP administrative passwords::

    kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com

Start :ref:`krb5kdc(8)`::

    krb5kdc

To destroy the database, run::

    kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f

Useful references
-----------------

* `Kerberos and LDAP <https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html>`_