<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title xmlns="">Kerberos and LDAP</title>
<link rel="stylesheet" href="../../libs/ubuntu-book.css" type="text/css" />
<link rel="home" href="index.html" title="Ubuntu Server Guide" />
<link rel="up" href="network-authentication.html" title="Chapter 6. Network Authentication" />
<link rel="prev" href="kerberos.html" title="Kerberos" />
<link rel="next" href="dns.html" title="Chapter 7. Domain Name Service (DNS)" />
<link rel="copyright" href="legal.html" title="Credits and License" />
<div id="layout" class="container clear-block">
<div class="breadcrumbs"><a href="https://help.ubuntu.com/">Ubuntu Documentation</a> > <a href="https://help.ubuntu.com/11.04">Ubuntu 11.04</a> > <span class="breadcrumb-link"><a href="index.html">Ubuntu Server Guide</a></span> > <span class="breadcrumb-link"><a href="network-authentication.html">Network Authentication</a></span> > <span class="breadcrumb-node">Kerberos and LDAP</span></div>
<div xmlns="http://www.w3.org/1999/xhtml" class="sect1" title="Kerberos and LDAP">
<div class="titlepage">
<h2 class="title" style="clear: both"><a id="kerberos-ldap"></a>Kerberos and LDAP</h2>
Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user
database to your network. Fortunately, MIT Kerberos can be configured to use an <span class="application"><strong>LDAP</strong></span>
directory as a principal database. This section covers configuring a primary and secondary Kerberos server to use
<span class="application"><strong>OpenLDAP</strong></span> for the principal database.
<div class="sect2" title="Configuring OpenLDAP">
<div class="titlepage">
<h3 class="title"><a id="kerberos-ldap-openldap"></a>Configuring OpenLDAP</h3>
First, the necessary <span class="emphasis"><em>schema</em></span> needs to be loaded on an <span class="application"><strong>OpenLDAP</strong></span> server that has
network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication
configured between at least two servers. For information on setting up OpenLDAP see <a class="xref" href="openldap-server.html" title="OpenLDAP Server">the section called “OpenLDAP Server”</a>.
OpenLDAP must also be configured for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted.
See <a class="xref" href="openldap-server.html#openldap-tls" title="TLS and SSL">the section called “TLS and SSL”</a> for details.
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
To load the schema into LDAP, on the LDAP server install the <span class="application"><strong>krb5-kdc-ldap</strong></span> package.
From a terminal enter:
<span class="command"><strong>sudo apt-get install krb5-kdc-ldap</strong></span>
<li class="listitem">
Next, extract the <code class="filename">kerberos.schema.gz</code> file:
<span class="command"><strong>sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz</strong></span>
<span class="command"><strong>sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/</strong></span>
<li class="listitem">
The <span class="emphasis"><em>kerberos</em></span> schema needs to be added to the <span class="emphasis"><em>cn=config</em></span> tree.
The procedure to add a new schema to <span class="application"><strong>slapd</strong></span> is also detailed in
<a class="xref" href="openldap-server.html#openldap-configuration" title="Further Configuration">the section called “Further Configuration”</a>.
<div class="procedure">
<ol class="procedure" type="1">
<li class="step" title="Step 1">
First, create a configuration file named <code class="filename">schema_convert.conf</code>, or a similar
descriptive name, containing the following lines:
<pre class="programlisting">
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema
<li class="step" title="Step 2">
Create a temporary directory to hold the LDIF files:
<span class="command"><strong>mkdir /tmp/ldif_output</strong></span>
<li class="step" title="Step 3">
Now use <span class="application"><strong>slapcat</strong></span> to convert the schema files:
<span class="command"><strong>slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif</strong></span>
Change the above file and path names to match your own if they are different.
<li class="step" title="Step 4">
Edit the generated <code class="filename">/tmp/cn\=kerberos.ldif</code> file, changing the following attributes:
<pre class="programlisting">
dn: cn=kerberos,cn=schema,cn=config
And remove the following lines from the end of the file:
<pre class="programlisting">
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
<div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Note">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Note]" src="../../libs/admon/note.png" />
<th align="left"></th>
<td align="left" valign="top">
The attribute values will vary; just be sure the attributes are removed.
<li class="step" title="Step 5">
Load the new schema with <span class="application"><strong>ldapadd</strong></span>:
<span class="command"><strong>ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif</strong></span>
<li class="step" title="Step 6">
Add an index for the <span class="emphasis"><em>krbPrincipalName</em></span> attribute:
<span class="command"><strong>ldapmodify -x -D cn=admin,cn=config -W</strong></span>
<code class="computeroutput">Enter LDAP Password:
<strong class="userinput"><code>dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub</code></strong>
modifying entry "olcDatabase={1}hdb,cn=config"</code>
<li class="step" title="Step 7">
Finally, update the Access Control Lists (ACL):
<span class="command"><strong>ldapmodify -x -D cn=admin,cn=config -W</strong></span>
<code class="computeroutput">Enter LDAP Password:
<strong class="userinput"><code>dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read</code></strong>
modifying entry "olcDatabase={1}hdb,cn=config"</code>
That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
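The hand edits of steps 3 to 5 are easy to get wrong (a leftover operational attribute or a forgotten index makes ldapadd reject the entry). As an added example that is not part of the guide, the shell function below performs them mechanically: it strips the {12} ordering index from the entry's dn (and from its cn attribute, which carries the same index although the guide shows only the dn line) and drops the operational attributes listed in step 4. The sample slapcat output is constructed, with a placeholder attribute definition standing in for the full schema.

```shell
#!/bin/sh
# Added example (not part of the Ubuntu Server Guide): automate the hand edits
# of steps 3 to 5.  slapcat writes the kerberos schema entry under its ordered
# name cn={12}kerberos and appends operational attributes that only slapd may
# set; ldapadd refuses both, so the guide has you edit them out.  This does the
# same transformation deterministically, and also normalises the cn: attribute,
# which carries the same {12} index although the guide only shows the dn line.

# clean_schema_ldif: read slapcat output on stdin, write loadable LDIF on stdout.
clean_schema_ldif() {
    awk '
        # Operational attributes generated by slapd: drop them entirely.
        /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): / { next }
        # Strip the {N} ordering index from the dn and from the cn attribute.
        /^dn: / { sub(/cn=[{][0-9]+[}]/, "cn=") }
        /^cn: / { sub(/^cn: [{][0-9]+[}]/, "cn: ") }
        { print }
    '
}

# Constructed sample standing in for slapcat output: one shortened schema
# attribute (1.2.3.4 is a placeholder OID; the real entry carries the whole
# kerberos.schema) plus the operational attributes exactly as the guide lists them.
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 1.2.3.4 NAME 'krbPrincipalName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
EOF
}

# Stand-alone run prints the cleaned entry.  In the real procedure:
#   clean_schema_ldif < /tmp/cn=kerberos.ldif > /tmp/cn=kerberos.clean.ldif
#   ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn=kerberos.clean.ldif
sample_slapcat_output | clean_schema_ldif
```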
<div class="sect2" title="Primary KDC Configuration">
<div class="titlepage">
<h3 class="title"><a id="kerberos-ldap-primary-kdc"></a>Primary KDC Configuration</h3>
With <span class="application"><strong>OpenLDAP</strong></span> configured it is time to configure the KDC.
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
<li class="listitem">
First, install the necessary packages. From a terminal enter:
<span class="command"><strong>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</strong></span>
<li class="listitem">
Now edit <code class="filename">/etc/krb5.conf</code>, adding the following options under the appropriate sections:
<pre class="programlisting">
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
<div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Note">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Note]" src="../../libs/admon/note.png" />
<th align="left"></th>
<td align="left" valign="top">
Change <span class="emphasis"><em>example.com</em></span>, <span class="emphasis"><em>dc=example,dc=com</em></span>, <span class="emphasis"><em>cn=admin,dc=example,dc=com</em></span>,
and <span class="emphasis"><em>ldap01.example.com</em></span> to the appropriate domain, LDAP object, and LDAP server for your network.
<li class="listitem">
Next, use the <span class="application"><strong>kdb5_ldap_util</strong></span> utility to create the realm:
<span class="command"><strong>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com</strong></span>
<li class="listitem">
Create a stash of the password used to bind to the LDAP server. This password is used by the <span class="emphasis"><em>ldap_kdc_dn</em></span> and
<span class="emphasis"><em>ldap_kadmind_dn</em></span> options in <code class="filename">/etc/krb5.conf</code>:
<span class="command"><strong>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</strong></span>
<li class="listitem">
Copy the CA certificate from the LDAP server:
<span class="command"><strong>scp ldap01:/etc/ssl/certs/cacert.pem .</strong></span>
<span class="command"><strong>sudo cp cacert.pem /etc/ssl/certs</strong></span>
And edit <code class="filename">/etc/ldap/ldap.conf</code> to use the certificate:
<pre class="programlisting">
TLS_CACERT /etc/ssl/certs/cacert.pem
<div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Note">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Note]" src="../../libs/admon/note.png" />
<th align="left"></th>
<td align="left" valign="top">
The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using
You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication.
To add a principal using the <span class="application"><strong>kadmin.local</strong></span> utility enter:
<span class="command"><strong>sudo kadmin.local</strong></span>
<code class="computeroutput">Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: <strong class="userinput"><code>addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve</code></strong>
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.</code>
There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the
<span class="emphasis"><em>uid=steve,ou=people,dc=example,dc=com</em></span> user object. Use the <span class="application"><strong>kinit</strong></span> and
<span class="application"><strong>klist</strong></span> utilities to test that the user is indeed issued a ticket.
<div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Note">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Note]" src="../../libs/admon/note.png" />
<th align="left"></th>
<td align="left" valign="top">
If the user object already exists, the <span class="emphasis"><em>-x dn="..."</em></span> option is needed to add the Kerberos attributes to it.
Otherwise a new <span class="emphasis"><em>principal</em></span> object will be created in the realm subtree.
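The [dbmodules] stanza above carries the two settings this section's security rests on: the ldap_servers URIs must be ldaps:// (the TLS requirement stated at the start of the section), and the KDC and kadmind bind DNs, whose comments give them different rights (read versus read and write), while the sample uses cn=admin for both. The lint below is an added example, not part of the guide: it parses a krb5.conf and reports either property being violated. The krb5.conf sample is constructed from the snippet above, and cn=kdc,dc=example,dc=com is a made-up read-only bind DN used for the hardened variant.

```shell
#!/bin/sh
# Added example (not part of the Ubuntu Server Guide): lint the [dbmodules]
# stanza of krb5.conf as this section configures it.  Two properties matter:
#  - every ldap_servers URI must be ldaps://, since the guide requires the
#    KDC-to-LDAP traffic (bind password, principal keys) to be encrypted;
#  - ldap_kdc_dn and ldap_kadmind_dn should differ: the guide's comments give
#    them read vs read/write rights, so one shared DN over-privileges the KDC.
# lint_krb5_ldap_backend FILE: one finding per line, exit status = findings.
lint_krb5_ldap_backend() {
    awk '
        # Track the current [section]; only [dbmodules] is inspected.
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s; next }
        section != "dbmodules" || /^[ \t]*#/ { next }
        /=/ {   # key = value, with surrounding quotes dropped from the value
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
            conf[$1] = val
        }
        END {
            n = 0
            if (!("ldap_servers" in conf)) { print "ldap_servers is not set"; n++ }
            m = split(conf["ldap_servers"], uri, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (uri[i] !~ /^ldaps:\/\//) { print "cleartext LDAP URI: " uri[i]; n++ }
            if (("ldap_kdc_dn" in conf) && conf["ldap_kdc_dn"] == conf["ldap_kadmind_dn"])
                { print "ldap_kdc_dn and ldap_kadmind_dn share one DN: " conf["ldap_kdc_dn"]; n++ }
            if (!("ldap_service_password_file" in conf))
                { print "ldap_service_password_file is not set"; n++ }
            exit n
        }' "$1"
}

# Constructed sample: the stanza as this section shows it, plus the [realms]
# lines that select the module (so the section filter has work to do).
sample_krb5_conf() {
    cat <<'EOF'
[realms]
        EXAMPLE.COM = {
                database_module = openldap_ldapconf
        }

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
EOF
}

# Hypothetical hardened variant: cn=kdc,dc=example,dc=com is a made-up
# read-only bind DN for the KDC, distinct from the kadmind DN.
hardened_krb5_conf() {
    sample_krb5_conf | sed 's/^\([[:space:]]*ldap_kdc_dn = \).*/\1"cn=kdc,dc=example,dc=com"/'
}

# Stand-alone run (on a KDC: lint_krb5_ldap_backend /etc/krb5.conf).
tmp=$(mktemp) && sample_krb5_conf > "$tmp"
lint_krb5_ldap_backend "$tmp" || echo "findings: $?"
rm -f "$tmp"
```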
<div class="sect2" title="Secondary KDC Configuration">
<div class="titlepage">
<h3 class="title"><a id="kerberos-ldap-secondary-kdc"></a>Secondary KDC Configuration</h3>
Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
<li class="listitem">
First, install the necessary packages. In a terminal enter:
<span class="command"><strong>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</strong></span>
<li class="listitem">
Next, edit <code class="filename">/etc/krb5.conf</code> to use the LDAP backend:
<pre class="programlisting">
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
<li class="listitem">
Create the stash for the LDAP bind password:
<span class="command"><strong>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</strong></span>
<li class="listitem">
Now, on the <span class="emphasis"><em>Primary KDC</em></span>, copy the <code class="filename">/etc/krb5kdc/.k5.EXAMPLE.COM</code>
<span class="emphasis"><em>Master Key</em></span> stash to the Secondary KDC. Be sure to copy the file over an encrypted
connection such as <span class="application"><strong>scp</strong></span>, or on physical media.
<span class="command"><strong>sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~</strong></span>
<span class="command"><strong>sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/</strong></span>
<div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;">
<table border="0" summary="Note">
<td rowspan="2" align="center" valign="top" width="25">
<img alt="[Note]" src="../../libs/admon/note.png" />
<th align="left"></th>
<td align="left" valign="top">
Again, replace <span class="emphasis"><em>EXAMPLE.COM</em></span> with your actual realm.
<li class="listitem">
Finally, start the <span class="application"><strong>krb5-kdc</strong></span> daemon:
<span class="command"><strong>sudo /etc/init.d/krb5-kdc start</strong></span>
You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to
continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos
server become unavailable.
<div class="sect2" title="Resources">
<div class="titlepage">
<h3 class="title"><a id="kerberos-ldap-resources"></a>Resources</h3>
<div class="itemizedlist">
<ul class="itemizedlist" type="disc">
<li class="listitem">
The <a class="ulink" href="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend" target="_top">
Kerberos Admin Guide</a> has some additional details.
<li class="listitem">
For more information on <span class="application"><strong>kdb5_ldap_util</strong></span> see
<a class="ulink" href="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database" target="_top">
Section 5.6</a> and the
<a class="ulink" href="http://manpages.ubuntu.com/manpages/natty/en/man8/kdb5_ldap_util.8.html" target="_top">kdb5_ldap_util man page</a>.
<li class="listitem">
Another useful link is the <a class="ulink" href="http://manpages.ubuntu.com/manpages/natty/en/man5/krb5.conf.5.html" target="_top">krb5.conf man page</a>.
<li class="listitem">
Also, see the <a class="ulink" href="https://help.ubuntu.com/community/Kerberos#kerberos-ldap" target="_top">Kerberos and LDAP</a> Ubuntu wiki page.