Experimental setup of a centralized user authentication and authorization system based on Kerberos + LDAP
[root@localhost openldap]# kinit ldapadmin
kinit: Cannot resolve network address for KDC in realm "EXAMPLE.COM" while getting initial credentials
Troubleshooting: one possible fix is to edit /etc/hosts and add the following line to it:
10.0.0.1 example.com (the domain name configured as the realm in krb5.conf)
1. Install LDAP
yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y
yum install openldap openldap-clients openldap-servers openldap-devel compat-openldap -y
View installed version:
rpm -qa openldap
2. Configure LDAP
Initialize the database directory:
rm -rf /var/lib/ldap/*
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /var/lib/ldap
Note: before version 2.4, OpenLDAP was configured through the slapd.conf file; from 2.4 on, the configuration is split into the slapd.d directory, so note that the configuration now lives in the directory /etc/openldap/slapd.d. Although the files there are in a readable text format, it is recommended to change the configuration with the ldapadd, ldapdelete and ldapmodify commands rather than editing them directly. All of the user additions and configuration changes below are written to files with the .ldif suffix and then applied with ldapadd, ldapdelete or ldapmodify.
The default configuration is saved in /etc/openldap/slapd.d; back it up:
cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
Add some basic configuration and import the kerberos and openldap schemas:
(An LDAP schema defines the structure and rules an LDAP directory must follow; it gives the LDAP server a way to recognize the object classes, attributes and so on used in the directory.)
cp /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema /etc/openldap/schema/
touch /etc/openldap/slapd.conf
vim /etc/openldap/slapd.conf
Regenerate slapd.d from slapd.conf:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
Note: do not add corba.schema to /etc/openldap/slapd.conf, otherwise errors may occur.
Start the slapd service: service slapd start
Delete all the files in the generated schema directory, otherwise the LDAP service cannot be started:
rm -f /etc/openldap/slapd.d/cn=config/cn=schema/*
Or go into that directory and delete only the duplicate entries.
3. Start the service
Start the LDAP service:
chkconfig --level 345 slapd on
service slapd start
If it fails to start, regenerate slapd.d again:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
Then start the service again: service slapd start
Check the process and verify the service port:
ps aux | grep slapd | grep -v grep
netstat -tunlp | grep :389
4. Integrate LDAP with Kerberos
First install the Kerberos service, then do the integration.
1) Install and start the ntp service
yum install -y ntp
service ntpd start
2) After the installation is complete, install the Kerberos server:
yum install -y krb5-server krb5-libs krb5-workstation krb5-auth-dialog
View installed version:
rpm -qa krb5-server-ldap
Modify the Kerberos configuration file:
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.130:88
admin_server = 192.168.10.130:749
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Here 192.168.10.130 is the Kerberos server IP. Any realm name can be used in place of EXAMPLE.COM, but it must be used consistently throughout.
vim /var/kerberos/krb5kdc/kdc.conf: no changes are needed.
Create/initialize the Kerberos database
(the database master password is set to 12345678; EXAMPLE.COM is the database name, i.e. the realm name given with -r):
/usr/sbin/kdb5_util create -s -r EXAMPLE.COM
(-s creates a stash file in which the master key of the KDC [krb5kdc] is stored; -r specifies the realm name, which is needed when krb5.conf defines more than one realm.)
vim /var/kerberos/krb5kdc/kadm5.acl
Start the Kerberos services:
service krb5kdc start
service kadmin start
Once the database is created, the following files appear in /var/kerberos/krb5kdc/:
kadm5.acl
kdc.conf
principal
principal.kadm5
principal.kadm5.lock
principal.ok
To bind Kerberos to the OpenLDAP server, create an administrator user and a service principal, and generate the keytab file.
The keytab file permissions must let the user the LDAP service runs as (usually ldap) read it.
Add the database administrator:
Create the management user ldapadmin with password 12345678 (addprinc creates a principal with a specified password):
kadmin.local -q "addprinc ldapadmin@EXAMPLE.COM"
Create another principal ldap/c2bde55 (-randkey generates a random key for the principal):
kadmin.local -q "addprinc -randkey ldap/c2bde55@EXAMPLE.COM"
Other useful kadmin commands:
View principals: listprincs
Change a user's password: change_password -pw xxx user
Delete a principal: delete_principal user
Generate the ldap.keytab file:
kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/c2bde55@EXAMPLE.COM"
chown ldap:ldap /etc/openldap/ldap.keytab && chmod 640 /etc/openldap/ldap.keytab
Test with the ldapadmin user:
kinit ldapadmin
Restart the slapd service:
service slapd restart
If this does not take effect, run the following commands:
cp /etc/openldap/ldap.keytab /etc/krb5.keytab
chgrp ldap /etc/krb5.keytab && chmod 640 /etc/krb5.keytab
5. Create the LDAP database
Go into the /etc/openldap/slapd.d directory and look at the database configuration:
cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
This shows some default configuration, for example:
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
Create a modify.ldif file with the following content:
vim /etc/openldap/slapd.d/modify.ldif
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
# Temporary lines to allow initial setup
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: 12345678

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=#1,ou=people,dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
# Everyone can read everything
olcAccess: {0}to dn.base="" by * read
# The ldapadmin and cn=root DNs have full write access
olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=example,dc=com" write by dn="cn=root,dc=example,dc=com" write by * read
Apply the configuration with the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif
Note: cn=root,dc=example,dc=com is authorized here because it will be used for the Kerberos integration.
If applying the configuration fails with "additional info: modify/add: olcRootPW: no equality matching rule", change the corresponding add: line in modify.ldif to replace:.
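To see what the olcAuthzRegexp rule above does to a Kerberos identity, here is an added Python emulation (not the page's or OpenLDAP's code) of slapd's SASL identity mapping; that the pattern is matched against the whole identity, and that the realm is dropped only when it equals the server's default realm, are assumptions about slapd's behaviour.

```python
import re

# The olcAuthzRegexp rule from modify.ldif: pattern and replacement template.
AUTHZ_REGEXP = (
    r"uid=([^,]*),cn=GSSAPI,cn=auth",
    "uid=#1,ou=people,dc=example,dc=com",
)


def sasl_identity(principal, default_realm="EXAMPLE.COM"):
    """Identity slapd derives from a GSSAPI-authenticated Kerberos principal.

    Assumption about slapd: the realm is dropped when it equals the server's
    default realm and kept as a cn=<REALM> component otherwise.
    """
    user, _, realm = principal.partition("@")
    if realm and realm != default_realm:
        return f"uid={user},cn={realm},cn=GSSAPI,cn=auth"
    return f"uid={user},cn=GSSAPI,cn=auth"


def map_sasl_identity(identity, rule=AUTHZ_REGEXP):
    """Apply the authz-regexp rule; None when it does not match.

    The pattern is matched against the whole identity (assumed, as in slapd)
    and #1..#9 in the template are replaced by the captured groups.
    """
    pattern, template = rule
    match = re.fullmatch(pattern, identity)
    if match is None:
        return None
    mapped = template
    for index, group in enumerate(match.groups(), start=1):
        mapped = mapped.replace(f"#{index}", group)
    return mapped


def authorization_dn(principal, default_realm="EXAMPLE.COM", rule=AUTHZ_REGEXP):
    """DN the client is authorized as: the mapped DN, or the raw SASL identity
    when no rule matches. The raw identity names no entry and matches no
    'by dn=' clause in the olcAccess rules, so such a client only gets the
    'by * read' access even though its Kerberos authentication succeeded."""
    identity = sasl_identity(principal, default_realm)
    return map_sasl_identity(identity, rule) or identity
```

A principal from a foreign realm keeps its cn=<REALM> component, which the `[^,]*` group does not span, so it is never mapped onto ou=people.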
6. Import Linux system users
The LDIF for updating the LDAP database can then be generated from /etc/passwd, /etc/shadow and /etc/group; this requires the migrationtools package.
Install migrationtools:
yum install migrationtools -y
Modify the default configuration of the migration tool template:
# vim /usr/share/migrationtools/migrate_common.ph
# line 71: the default mail domain
$DEFAULT_MAIL_DOMAIN = "example.com";
# line 74: the default base
$DEFAULT_BASE = "dc=example,dc=com";
Generate the base template file in LDIF format:
/usr/share/migrationtools/migrate_base.pl > /opt/base.ldif
You can then edit the file and run the import command:
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/base.ldif
To bring test users into LDAP, specific users can be selectively imported:
# First add a user
useradd test
# Find the test user on the system and write its entry to passwd.txt
grep -E "test" /etc/passwd >/opt/passwd.txt
Use the tool to convert passwd.txt into LDIF format:
/usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif
Finally, import the entries in passwd.ldif into the directory:
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/passwd.ldif
Import user groups into LDAP:
# Generate the group LDIF file, then import it
grep -E "test" /etc/group >/opt/group.txt
/usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif
ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/group.ldif
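The conversion that migrate_passwd.pl performs on passwd.txt, rewritten here as an added Python example (not the migrationtools code): it turns a constructed passwd line into a posixAccount entry under ou=People,dc=example,dc=com, leaving out the shadow-derived attributes. The sample line, the user-name validation and the choice of the first GECOS field as cn are assumptions of this example.

```python
import re

BASE_DN = "dc=example,dc=com"
# Constructed sample passwd(5) line for the test user (not copied from any system).
SAMPLE_PASSWD_LINE = "test:x:1001:1001:Test User:/home/test:/bin/bash"


def passwd_line_to_ldif(line, base_dn=BASE_DN):
    """Turn one /etc/passwd line into a posixAccount LDIF entry under ou=People.

    The user name becomes the RDN, so it is validated first: a name containing
    DN syntax (commas, equals signs) must never be spliced into a DN.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: expected 7 colon-separated fields")
    name, _, uid, gid, gecos, home, shell = fields
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", name):
        raise ValueError(f"refusing to build a DN from user name {name!r}")
    if not (uid.isdigit() and gid.isdigit()):
        raise ValueError("uidNumber and gidNumber must be numeric")
    attrs = [
        ("dn", f"uid={name},ou=People,{base_dn}"),
        ("uid", name),
        ("cn", gecos.split(",")[0] or name),  # first GECOS field (assumed)
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("loginShell", shell),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    if gecos:
        attrs.append(("gecos", gecos))
    return "\n".join(f"{key}: {value}" for key, value in attrs) + "\n"


def passwd_file_to_ldif(text, base_dn=BASE_DN):
    """Convert a whole passwd.txt (one entry per line) into blank-line separated LDIF records."""
    records = [passwd_line_to_ldif(l, base_dn) for l in text.splitlines() if l.strip()]
    return "\n".join(records)
```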
7. LDAP user add, delete, modify and query
Query: look up the newly added user test:
# ldapsearch -LLL -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 -b 'dc=example,dc=com' 'uid=test'
Modify:
After a user has been added, its initial password has to be set; run the following command:
ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 "uid=test,ou=people,dc=example,dc=com" -S
Enter the new password 123456 when prompted.
Delete (do not delete here, otherwise the user would have to be created again):
Delete a user:
# ldapdelete -x -w 12345678 -D 'uid=ldapadmin,ou=people,dc=example,dc=com' "uid=test,ou=people,dc=example,dc=com"
Delete a group entry:
# ldapdelete -x -w 12345678 -D 'uid=ldapadmin,ou=people,dc=example,dc=com' "cn=test,ou=group,dc=example,dc=com"
8. Client configuration: open another virtual machine with IP 192.168.10.131
Install the OpenLDAP client:
yum install openldap-clients -y
Modify the following two settings in /etc/openldap/ldap.conf:
BASE dc=example,dc=com
URI ldap://192.168.10.130
(192.168.10.130 is the server IP.)
vim /etc/krb5.conf
Then run the following commands to test:
Delete the ticket: kdestroy. Afterwards an error will be reported.
Run ldapsearch -x -b 'dc=example,dc=com'
(Note: the firewall on the server should be turned off at this point, otherwise this command reports an error.)
# Reacquire a ticket
kinit ldapadmin
No error. Run ldapsearch -b 'dc=example,dc=com' -x
# ldapwhoami -x
# Running ldapsearch -x directly does not report an error
# ldapsearch without -x reports an error
If ldap_sasl_interactive_bind_s reports an error and /etc/krb5.keytab turns out not to exist, copy the server's /etc/openldap/ldap.keytab to /etc/krb5.keytab on the client, then:
chgrp ldap /etc/krb5.keytab && chmod 640 /etc/krb5.keytab
(or run slapd as the root user)
If the error is: SASL(-4): no mechanism available: No worthy mechs found
add the -x parameter to ldapsearch to skip SASL authentication.
9. Kerberos integration on the server (the common way to integrate is to use LDAP as the Kerberos database)
1) Configuration
Kerberos data needs to be stored in a database; here we choose LDAP as that database, so that backups are simpler (only the LDAP database needs to be backed up). If you want Kerberos to use its own database instead, replace kdb5_ldap_util with kdb5_util in the commands below.
Append the following to the end of /etc/krb5.conf (vim /etc/krb5.conf):
[dbdefaults]
ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_servers = ldapi://
ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
ldap_kdc_dn = cn=root,dc=example,dc=com
ldap_kadmind_dn = cn=root,dc=example,dc=com
ldap_service_password_file = /etc/krb5.ldap
ldap_conns_per_server = 5
}
ldap_kdc_dn and ldap_kadmind_dn are the DNs the KDC and the account management service (kadmind) use to access the LDAP database. The former needs read access, the latter needs read and write access. For simplicity, both are handled here by the single DN cn=root,dc=example,dc=com.
Note: ldap_kerberos_container_dn must start with 'cn'.
2) Add the LDAP users
Create user.ldif (vim user.ldif) with the following content:
# The kerberos container entry
dn: cn=kerberos,dc=example,dc=com
cn: kerberos
objectClass: organizationalRole

# The root user entry
dn: cn=root,dc=example,dc=com
cn: root
userPassword:: e1NTSEF9UTg2T1hqeXcreCtzck5yL1JEUzhLbTBGQ2tZeFBzWnI=
objectClass: simpleSecurityObject
objectClass: organizationalRole
Run the command: ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f user.ldif
The administrator changes the ordinary user's password:
ldappasswd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 "cn=root,dc=example,dc=com" -s 123456
This changes the password to 123456.
3) Generate the password file for accessing the LDAP service
Because Kerberos needs the passwords of ldap_kdc_dn and ldap_kadmind_dn to access the LDAP database, run the following command:
# kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 stashsrvpw -f /etc/krb5.ldap cn=root,dc=example,dc=com
The password to enter here is 12345678.
# cat /etc/krb5.ldap
4) Create the Kerberos database (passwords entered: 12345678, 123456, 123456):
kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -H ldapi:// create -r EXAMPLE.COM -s
5) Restart Kerberos
service krb5kdc restart
6) Test: Add User
# kadmin.local
kadmin.local: addprinc test
The password is 123456.
Then:
# slapcat | grep "test"
Use the Kerberos + LDAP integration for authentication: LDAP does the account management and Kerberos does the authentication.
1) Using LDAP for user authentication.
The user (such as uid=test,ou=People,dc=example,dc=com) only needs a userPassword attribute added. To add it from the command line, prepare the following file (the userPassword value corresponds to the password 123456):
vim test.ldif
dn: uid=test,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K
Then run the command:
# ldapmodify -x -D 'cn=root,dc=example,dc=com' -w 123456 -h 127.0.0.1 -f test.ldif
After the command succeeds, confirm with:
# ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=example,dc=com'
2) Using Kerberos for authentication.
The user's password field needs to be modified as follows (the userPassword value is generated with echo -n "{SASL}test@EXAMPLE.COM" | base64):
dn: uid=test,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==
Run ldapmodify -x -D 'cn=root,dc=example,dc=com' -w 123456 -h 127.0.0.1 -f test.ldif to apply the modification.
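An added Python example (not from the original page) showing how the two kinds of userPassword:: value used in steps 1) and 2) are built and checked: the {SSHA} form stores a salted hash that slapd verifies itself, while the {SASL} form stores only a principal name and delegates the password check to saslauthd, here backed by Kerberos. The SSHA salt and test password in the example are constructed.

```python
import base64
import hashlib
import hmac
import os

# Values from the page's LDIF snippets: the {SASL} entry for uid=test and the
# {SSHA} entry for cn=root.
PAGE_SASL_VALUE = "e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ=="
PAGE_SSHA_VALUE = "e1NTSEF9UTg2T1hqeXcreCtzck5yL1JEUzhLbTBGQ2tZeFBzWnI="


def ldif_decode(b64_value):
    """Decode a 'userPassword:: <base64>' value to the string slapd stores."""
    return base64.b64decode(b64_value).decode()


def ldif_encode(stored):
    """Encode a stored string the way an 'attr:: <base64>' LDIF line expects it."""
    return base64.b64encode(stored.encode()).decode()


def sasl_password_value(principal):
    """{SASL}<principal>: slapd hands the bind password to saslauthd for checking."""
    return ldif_encode("{SASL}" + principal)


def password_scheme(b64_value):
    """Report the scheme tag of a userPassword:: value ('SSHA', 'SASL', ...)."""
    stored = ldif_decode(b64_value)
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "cleartext"


def ssha_hash(password, salt=None):
    """OpenLDAP's {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```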
3) Modify the configuration
# vim /etc/sysconfig/saslauthd
Change the value to:
MECH=kerberos5
Restart: service saslauthd restart
Create the file /etc/sasl2/slapd.conf (vim /etc/sasl2/slapd.conf) with the content:
pwcheck_method: saslauthd
Restart: service slapd restart
4) Run service saslauthd status -l to check whether an error is reported.
If no error is reported,
do the following:
# kadmin.local -q "ank -clearpolicy -randkey host/c2bde55"
# kadmin.local -q "ktadd host/c2bde55"
# service saslauthd restart
# ps aux | grep saslauthd
# kadmin.local -q 'ank -pw 123456 test'
This sets the test user's password to 123456.
# testsaslauthd -u test -p 123456
If an error occurs, run the following commands:
kadmin.local -q "ank -clearpolicy -randkey host/localhost"
kadmin.local -q "ktadd host/localhost"
Test again with the test user's password 123456: success.
At this point, the Kerberos authentication test succeeds.
Test with ldapsearch whether LDAP authentication succeeds:
ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=example,dc=com'
Successful result.
If unsuccessful, run:
kadmin.local -q "ank -clearpolicy -randkey host/localhost"
kadmin.local -q "ktadd host/localhost"
Client authentication (close the firewall on the server side first):
ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 192.168.10.130 -b 'ou=People,dc=example,dc=com'
(192.168.10.130 is the server IP address.)