<sect1 id="kerberos-ldap" status="review">
<title>Kerberos and LDAP</title>
Replicating a Kerberos principal database between two servers can be complicated, and adds yet another user
database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application>
directory as its principal database. This section covers configuring a primary and a secondary Kerberos server (KDC) to use
<application>OpenLDAP</application> for the principal database.
<sect2 id="kerberos-ldap-openldap" status="review">
<title>Configuring OpenLDAP</title>
First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has
network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication
configured between at least two servers. For information on setting up OpenLDAP see <xref linkend="openldap-server"/>.
It is strongly recommended to configure OpenLDAP for TLS, so that traffic between the KDC and the LDAP server is encrypted:
the KDC and kadmind authenticate to the directory with a password-based simple bind, and the principals' key material
travels over the same connection. See <xref linkend="openldap-tls"/> for details.
To load the schema into LDAP, on the LDAP server install the <application>krb5-kdc-ldap</application> package.
From a terminal enter:
<command>sudo apt-get install krb5-kdc-ldap</command>
Next, extract the <filename>kerberos.schema.gz</filename> file and copy it to the slapd schema directory:
<command>sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz</command>
<command>sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/</command>
The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree.
The procedure to add a new schema to <application>slapd</application> is also detailed in
<xref linkend="openldap-configuration"/>.
First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar
descriptive name, containing the following lines:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema
Create a temporary directory to hold the LDIF files:
<command>mkdir /tmp/ldif_output</command>
Now use <application>slaptest</application> to convert the schema files:
<command>slaptest -f schema_convert.conf -F /tmp/ldif_output</command>
Change the above file and path names to match your own if they are different. Every schema listed must exist in
<filename>/etc/ldap/schema/</filename>, and the order of the include lines determines the numeric prefix that
<application>slaptest</application> assigns to each converted schema.
Edit the generated <filename>/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif</filename>
file (the <emphasis>{12}</emphasis> is the position of kerberos.schema in the include list above, counted from zero),
changing the following attributes so that the dn and the cn agree and no longer carry the ordering prefix:
dn: cn=kerberos,cn=schema,cn=config
cn: kerberos
And remove the following operational attributes from the end of the file; slapd generates its own values for them
when the entry is added, and ldapadd will refuse an entry that tries to set them:
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
The attribute values will vary; just be sure the attributes are removed.
Finally, load the new schema with <application>ldapadd</application>:
<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}kerberos.ldif</command>
On systems where <emphasis>cn=config</emphasis> is administered over the local <emphasis>ldapi</emphasis> socket with
SASL EXTERNAL authentication rather than with a <emphasis>cn=admin,cn=config</emphasis> password, adjust the bind
options accordingly. A search of <emphasis>cn=schema,cn=config</emphasis> should now list a
<emphasis>cn={N}kerberos</emphasis> entry.
That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
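The dn/cn rewrite and the removal of the operational attributes described above are easy to get wrong by hand, and the mistake only shows up as an ldapadd error. The following shell function, added here as an example and not part of the Ubuntu guide or of the krb5 or OpenLDAP packages, does the edit with sed: it reads the slaptest output on stdin and writes a cleaned LDIF on stdout. It generalises beyond kerberos, since any <emphasis>cn={N}name</emphasis> schema entry under <emphasis>cn=schema</emphasis> needs the same treatment. The function name is my own; it assumes a sed that supports <emphasis>-E</emphasis> (GNU or BSD).

```shell
# Added example: clean up a slaptest-generated schema LDIF so ldapadd accepts it.
#  - strip the {N} ordering prefix from the entry's dn and cn (they must agree)
#  - drop the operational attributes slapd sets itself when the entry is added
# Reads LDIF on stdin, writes the cleaned LDIF on stdout. Requires sed -E.
fix_schema_ldif() {
    sed -E \
        -e 's/^dn: cn=\{[0-9]+\}([^,]+),cn=schema,cn=config$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: \{[0-9]+\}(.+)$/cn: \1/' \
        -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d'
}

# Example usage with the paths from the procedure above:
#   fix_schema_ldif < '/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif' > /tmp/kerberos.ldif
#   ldapadd -x -D cn=admin,cn=config -W -f /tmp/kerberos.ldif
```

Writing the cleaned file to a separate path rather than editing in place keeps the slaptest output available for comparison if ldapadd still rejects the entry.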
</sect2>
<sect2 id="kerberos-ldap-primary-kdc" status="review">
<title>Primary KDC Configuration</title>
With <application>OpenLDAP</application> configured it is time to configure the KDC.
First, install the necessary packages. From a terminal enter:
<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command>
Now edit <filename>/etc/krb5.conf</filename>, adding the following options under the appropriate sections. The section
headers are shown so that each option lands in the right place; create the <emphasis>[dbdefaults]</emphasis> and
<emphasis>[dbmodules]</emphasis> sections if they are not already present:
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>,
and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network.
Using the directory administrator for both <emphasis>ldap_kdc_dn</emphasis> and <emphasis>ldap_kadmind_dn</emphasis> works,
but it gives the KDC far more privilege than it needs. In production, create a dedicated read-only bind DN for the KDC and a
separate read/write one for kadmind, and use the slapd access control list to restrict read access to
<emphasis>krbPrincipalKey</emphasis> to those two identities.
Next, use the <application>kdb5_ldap_util</application> utility to create the realm. Use <emphasis>ldaps://</emphasis> here
as well, since the tool performs a simple bind with the administrator password; the <emphasis>-s</emphasis> option stashes the
realm's master key in <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename>, which the Secondary KDC will need later:
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldaps://ldap01.example.com</command>
Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and
<emphasis>ldap_kadmind_dn</emphasis> options in <filename>/etc/krb5.conf</filename>:
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>
The file stores the bind password in a recoverable form, so it must be owned by root and readable by nobody else (mode 0600),
like the master key stash.
Finally, add an index for the <emphasis>krbPrincipalName</emphasis> attribute, which the KDC searches on for every request:
<command>ldapmodify -x -D cn=admin,cn=config -W</command>
<computeroutput>Enter LDAP Password:
<userinput>dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub</userinput>

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>
If your directory uses a different backend, put its database entry (for example <emphasis>olcDatabase={1}mdb,cn=config</emphasis>) in the dn.
You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication.
To add a principal using the <application>kadmin.local</application> utility enter:
<command>sudo kadmin.local</command>
<computeroutput>Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: <userinput>addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve</userinput>
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.</computeroutput>
There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes on the
<emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and
<application>klist</application> utilities to test that the user is indeed issued a ticket.
<emphasis>krbPrincipalKey</emphasis> holds the principal's long-term keys, encrypted under the realm master key; the directory's
access controls must keep ordinary users and anonymous binds from reading it.
If the user object already exists, the <emphasis>-x dn="..."</emphasis> option is needed to add the Kerberos attributes to it.
Otherwise a new <emphasis>principal</emphasis> object will be created in the realm subtree.
</sect2>
<sect2 id="kerberos-ldap-secondary-kdc" status="review">
<title>Secondary KDC Configuration</title>
Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database, except
that no database propagation with <application>kprop</application> is needed: both KDCs read the same replicated directory.
First, install the necessary packages. In a terminal enter:
<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command>
Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend. The settings are the same as on the Primary KDC:
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }
Create the stash for the LDAP bind password:
<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>
Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename>
<emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted
connection such as <application>scp</application>, or on physical media: whoever holds this file can decrypt every
principal key stored in the directory.
<command>sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~</command>
Then, on the Secondary KDC, move it into place. The copy in the home directory is owned by the user who received it, so
after moving it make sure it is owned by root with mode 0600, as it is on the Primary KDC:
<command>sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/</command>
Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm.
Finally, start the <application>krb5-kdc</application> daemon:
<command>sudo /etc/init.d/krb5-kdc start</command>
You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to
continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos
server become unavailable. Test this by stopping one KDC and one LDAP server and confirming that
<application>kinit</application> still succeeds against the remaining pair.
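Before starting <application>krb5-kdc</application> on either server it is worth checking the three things this procedure most often gets wrong: the <emphasis>[dbmodules]</emphasis> entry must contain <emphasis>db_library = kldap</emphasis>, every <emphasis>ldap_servers</emphasis> URI should be <emphasis>ldaps://</emphasis> or <emphasis>ldapi://</emphasis> (the KDC and kadmind authenticate with a simple bind using the password from <filename>service.keyfile</filename>, so a plain <emphasis>ldap://</emphasis> URI without TLS sends it in the clear), and both the service password file and the master key stash must be owned by root with mode 0600. The shell functions below, added here as an example and not part of the Ubuntu guide or of the krb5 packages, perform those checks on a <filename>krb5.conf</filename> and on the stash file it names; they apply equally to the Primary and the Secondary KDC configuration above. The function names are my own, the code assumes GNU coreutils <application>stat</application> (Linux), and the expected owner is an optional second argument so the checks can be exercised on a test copy without root.

```shell
# Added example: pre-flight checks for a KDC using the OpenLDAP backend.
# Assumes GNU stat (Linux). Each function returns 0 when its check passes.

# Report every ldap_servers URI that is neither TLS (ldaps://) nor a local
# socket (ldapi://). The bind sends the service password, so an ldap:// URI
# without TLS exposes it on the wire.
check_ldap_servers() {
    _ls_bad=0
    for _uri in $(sed -n 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*//p' "$1"); do
        case "$_uri" in
            ldaps://*|ldapi://*) ;;
            *) echo "$1: ldap_servers entry $_uri is not ldaps:// or ldapi://" >&2; _ls_bad=1 ;;
        esac
    done
    return $_ls_bad
}

# A stash file (the master key .k5.REALM or the LDAP service.keyfile) must
# exist, be owned by the expected user (root in production) and be mode
# 0600 or 0400 so that no other account can read the key material.
check_stash_file() {
    _sf_file="$1"
    _sf_owner="${2:-root}"
    if [ ! -f "$_sf_file" ]; then
        echo "$_sf_file: stash file missing" >&2
        return 1
    fi
    _sf_rc=0
    if [ "$(stat -c '%U' "$_sf_file")" != "$_sf_owner" ]; then
        echo "$_sf_file: not owned by $_sf_owner" >&2
        _sf_rc=1
    fi
    _sf_mode=$(stat -c '%a' "$_sf_file")
    case "$_sf_mode" in
        600|400) ;;
        *) echo "$_sf_file: mode $_sf_mode is readable by group or others; use 0600" >&2; _sf_rc=1 ;;
    esac
    return $_sf_rc
}

# Run all checks against one krb5.conf: kldap module selected, TLS on the
# LDAP URIs, and the ldap_service_password_file it names properly protected.
# Usage: kdc_preflight /etc/krb5.conf [expected-owner]
kdc_preflight() {
    _pf_conf="$1"
    _pf_owner="${2:-root}"
    _pf_rc=0
    if ! grep -Eq '^[[:space:]]*db_library[[:space:]]*=[[:space:]]*kldap[[:space:]]*$' "$_pf_conf"; then
        echo "$_pf_conf: no 'db_library = kldap' line; the LDAP backend will not be loaded" >&2
        _pf_rc=1
    fi
    check_ldap_servers "$_pf_conf" || _pf_rc=1
    _pf_pwfile=$(sed -n 's/^[[:space:]]*ldap_service_password_file[[:space:]]*=[[:space:]]*//p' "$_pf_conf" | head -n 1)
    if [ -z "$_pf_pwfile" ]; then
        echo "$_pf_conf: no ldap_service_password_file set; run kdb5_ldap_util stashsrvpw" >&2
        _pf_rc=1
    else
        check_stash_file "$_pf_pwfile" "$_pf_owner" || _pf_rc=1
    fi
    return $_pf_rc
}

# On a real KDC (as root):
#   kdc_preflight /etc/krb5.conf && check_stash_file /etc/krb5kdc/.k5.EXAMPLE.COM
```

Running the master key stash through <emphasis>check_stash_file</emphasis> separately is deliberate: its path is not recorded in <filename>krb5.conf</filename> in this setup, and on the Secondary KDC it is the file most likely to have arrived with the wrong owner after the scp step.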
</sect2>
<sect2 id="kerberos-ldap-resources" status="review">
<title>Resources</title>
The <ulink url="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend">
Kerberos Admin Guide</ulink> has some additional details.
For more information on <application>kdb5_ldap_util</application> see
<ulink url="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAP-Database">
Section 5.6</ulink> and the
<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.html">kdb5_ldap_util man page</ulink>.
Another useful link is the <ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html">krb5.conf man page</ulink>.
</sect2>
</sect1>