2012. június 5., kedd

Kerberos with LDAP Backend on Ubuntu 12.04 - Part One

Last time we set up a pretty LDAP-server and we have managed to let the users change their passwords too. Now it is upmost time to make our lives a bit more difficult so we are going to set up an MIT Kerberos server alongside.
(Ez a cikk magyarul is olvasható.)
Two pieces of advice and a warning:
  • Do not start setting up your Kerberos-server without a pretty good name resolution working.
  • Do not start setting up your Kerberos-server without a low starum time-server working.
  • The Kerberos KDC needs an awful lot of time before functioning - the one running in my Virtualbox needs long-long minutes before it is ready to serve the incoming requests. Before this time passes you can easily get some ugly GSSAPI and Kerberos errors. Once the Kerberos gets ready the errors diasappear - till the next restart.
We begin with extending the capabilities of our OpenLDAP-server with a lovely kerberos-schema. Install a package in "download only" mode - it depends on everything we need later but the real installation does not take place so we are not being annoyed by a lot of error messages for a while.
sudo apt-get install -d krb5-kdc-ldap
Lets pull out the schema. We can dive into the deb file or we can ignite a nice command (pay attention: you can have a differnet file name - because you may do the installation on another architecture or because a newer version):
dpkg-deb --fsys-tarfile /var/cache/apt/archives/krb5-kdc-ldap_1.10+dfsg~beta1-2_amd64.deb |tar -xvf - --strip-components 5 ./usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
By this time yhou should have the kerberos.schema.gz file in your folder.
Put it in the right place:
sudo sh -c "zcat kerberos.schema.gz >/etc/ldap/schema/kerberos.schema"
Create a file called schema_convert.conf  (you can use another name but ever HOWTO uses this one):
include /etc/ldap/schema/kerberos.schema
Create a temporary folder:
mkdir /tmp/ldif_output
Issue the following command. It extraxts the LDIF file we need and some others as well:
slaptest -f schema_convert.conf -F /tmp/ldif_output/
Edit the file  /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif .
  • In the first (if you count the comments then the fourth) line change dn: cn={0}kerberos to dn: cn=kerberos,cn=schema,cn=config .
  • In the third (with comments: fith) line from the line cn: {0}kerberos leave only cn: kerberos .
  • Remove the last seven lines (starting from: structuralObjectClass: olcSchemaConfig)
Add the polished LDIF to the LDAP:
sudo ldapadd -Y EXTERNAL -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif
If you happen to get the message:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:
you have two choices. First one is to extend your ldapadd command with a -H ldapi:/// swicth. The other is to add a new line to the file /etc/ldap/ldap.conf :
URI     ldapi:///
Clearly this is a more beautiful solution.
You can find the newly inserted schema in the configuration of slapd:
sudo ldapsearch -Q -LLL -Y EXTERNAL -b cn=schema,cn=config dn
To be continued in a few day's time.

Further reading:

Nincsenek megjegyzések: