kerberos+ldap

Experiment: setting up a centralized user authentication and authorization system based on Kerberos + LDAP.

 

[root@localhost openldap]# kinit ldapadmin
kinit: Cannot resolve network address for KDC in realm "EXAMPLE.COM" while getting initial credentials

Problem solving, one possible approach: edit /etc/hosts and add the following line (the domain name is the one set as the realm in krb5.conf):

10.0.0.1 example.com

 

 

 

1. Install LDAP

yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y

yum install openldap openldap-clients openldap-servers openldap-devel compat-openldap -y

 

 

View installed version:

rpm -qa openldap

 

2. Configure LDAP

Update the configuration database:

rm -rf /var/lib/ldap/*

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

chown -R ldap.ldap /var/lib/ldap

 

Note: before version 2.4, OpenLDAP was configured through the slapd.conf file; from 2.4 on, the configuration is split into the slapd.d directory, so the data to watch is in /etc/openldap/slapd.d. Although these files are in a readable text format, it is recommended to change them with ldapadd, ldapdelete and ldapmodify rather than editing them directly. All of the user additions and configuration changes below are written as .ldif files and then applied with ldapadd, ldapmodify or ldapdelete.

 

The default configuration is kept in /etc/openldap/slapd.d; back it up:

cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak

 

Add some basic configuration and import the Kerberos schema into OpenLDAP:

(An LDAP schema defines the structure and rules the LDAP directory must follow; it tells the LDAP server which object classes and attributes exist, so that the server can recognize them.)

cp /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema /etc/openldap/schema/

touch /etc/openldap/slapd.conf

vim /etc/openldap/slapd.conf

 

Regenerate slapd.d from slapd.conf:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d

 

Note: do not add corba.schema to /etc/openldap/slapd.conf, otherwise errors may occur.

Start slapd: service slapd start

Delete all files in the generated cn=schema directory, otherwise the LDAP service cannot start:

rm -f /etc/openldap/slapd.d/cn=config/cn=schema/*

Or go into that directory and delete all duplicate entries.

3. Start the service

Start the LDAP service:

chkconfig --level 345 slapd on

service slapd start

 

If it fails to start, regenerate slapd.d:

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d

Then start it again: service slapd start

 

 

Check the process and verify the service port:

ps aux | grep slapd | grep -v grep

netstat -tunlp  | grep :389

 

4. Integrate LDAP with Kerberos

Install the Kerberos service first, then do the integration.

1) Install and start the NTP service

yum install -y ntp

service ntpd start

2) After that, install the Kerberos server

yum install -y krb5-server krb5-libs krb5-workstation krb5- krb5-auth-dialog

View installed version:

rpm -qa krb5-server-ldap

 

Modify the kerberos configuration file

vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  # 192.168.10.130 is the Kerberos server IP
  kdc = 192.168.10.130:88
  admin_server = 192.168.10.130:749
  default_domain = EXAMPLE.COM
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 

The realm name (EXAMPLE.COM here) can be anything, but it must be used consistently everywhere.

/var/kerberos/krb5kdc/kdc.conf can be left unchanged.

 

 

Create / initialize the Kerberos database

(The database master password set here is 12345678; EXAMPLE.COM is the realm name given with -r.)

/usr/sbin/kdb5_util create -s -r EXAMPLE.COM

(-s creates a stash file in which the master key of the KDC is stored; -r specifies the realm name, which is necessary when krb5.conf defines more than one realm.)

vim /var/kerberos/krb5kdc/kadm5.acl

 

 

Start the Kerberos services:

service krb5kdc start

service kadmin start

 

After the database is created, the following files appear in /var/kerberos/krb5kdc/:

kadm5.acl
kdc.conf
principal
principal.kadm5
principal.kadm5.lock
principal.ok

 

To let Kerberos bind to the OpenLDAP server, create an administrator user and a service principal, and generate a keytab file. The keytab's permissions must allow the user the LDAP service runs as (usually ldap) to read it.

Add the database administrator, a management user ldapadmin with password 12345678:

kadmin.local -q "addprinc ldapadmin@EXAMPLE.COM"   (creates the principal with the password you specify)

Add another principal, ldap/c2bde55 (-randkey generates a random key for the principal):

kadmin.local -q "addprinc -randkey ldap/c2bde55@EXAMPLE.COM"

  

 

Other useful kadmin commands:

List principals: listprincs

Change a user's password: change_password -pw xxx user

Delete a principal: delete_principal user

 

Generate the ldap.keytab file:

kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/c2bde55@EXAMPLE.COM"

chown ldap:ldap /etc/openldap/ldap.keytab && chmod 640 /etc/openldap/ldap.keytab

 

Use ldapadmin user testing:

kinit ldapadmin

  

 

Restart slapd service

service slapd restart

 

If it does not take effect, run the following commands:

cp /etc/openldap/ldap.keytab /etc/krb5.keytab

chgrp ldap /etc/krb5.keytab && chmod 640 /etc/krb5.keytab

 

5. Create the LDAP database

Go into /etc/openldap/slapd.d and look at the database configuration:

cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif

It shows some default configuration, for example:

olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com

 

Create the file modify.ldif with the following content:

vim /etc/openldap/slapd.d/modify.ldif

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcRootDN
# Temporary lines to allow initial setup
olcRootDN: uid=ldapadmin,ou=people,dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 12345678

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
# Everyone can read everything
olcAccess: {0}to dn.base="" by * read
# The ldapadmin dn (and cn=root, used by the Kerberos integration) has full write access
olcAccess: {1}to * by dn="uid=ldapadmin,ou=people,dc=example,dc=com" write by dn="cn=root,dc=example,dc=com" write by * read

 

Apply the configuration update with the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif

 

 

Note: cn=root,dc=example,dc=com is the DN authorized for the Kerberos integration.

An error occurred while applying the configuration: "additional info: modify/add: olcRootPW: no equality matching rule". Fix: change the corresponding "add: olcRootPW" option in modify.ldif to "replace: olcRootPW".

 

6. Import Linux system users

The LDAP database can then be updated from LDIF generated out of /etc/passwd, /etc/shadow and /etc/group; this requires the migrationtools package.

Install migrationtools:

yum install migrationtools -y

 

Modify the default configuration of the migration tool templates:

vim /usr/share/migrationtools/migrate_common.ph

# line 71, default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";

# line 74, default base
$DEFAULT_BASE = "dc=example,dc=com";

 

Generate the template (base) file in LDIF format:

/usr/share/migrationtools/migrate_base.pl > /opt/base.ldif

You can then edit this file and import it with:

ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/base.ldif

 

Selected users can be imported into LDAP for testing:

# first add the user
useradd test

# find the test user on the system and write its entry to passwd.txt
grep -E "test" /etc/passwd >/opt/passwd.txt

Use the tool to convert passwd.txt into LDIF format:

/usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif

Finally, import the entries in passwd.ldif:

ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/passwd.ldif

Import user groups into LDAP:

# generate the LDIF file for the group, then import it
grep -E "test" /etc/group >/opt/group.txt

/usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif

ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f /opt/group.ldif
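As an added illustration (my own code, not the page's and not the migrationtools scripts themselves), the following builds the posixAccount and posixGroup LDIF that migrate_passwd.pl and migrate_group.pl produce for the page's base dc=example,dc=com, from constructed /etc/passwd and /etc/group lines. The attribute layout follows the migrationtools output; shadow data is left out, and a password field of "x" therefore yields no userPassword.

```python
BASE = "dc=example,dc=com"   # $DEFAULT_BASE from migrate_common.ph on the page

def passwd_to_ldif(line, base=BASE):
    """Turn one /etc/passwd line into the posixAccount entry migrate_passwd.pl emits."""
    user, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    cn = gecos.split(",")[0] or user          # full name from GECOS, else the login
    attrs = [
        ("dn", f"uid={user},ou=People,{base}"),
        ("uid", user),
        ("cn", cn),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "top"),
        ("objectClass", "shadowAccount"),
    ]
    # 'x' means the hash lives in /etc/shadow, which this example does not read;
    # a real crypt(3) hash is exported as userPassword: {crypt}<hash>.
    if pw not in ("", "x", "*", "!", "!!"):
        attrs.append(("userPassword", "{crypt}" + pw))
    attrs += [("loginShell", shell), ("uidNumber", uid),
              ("gidNumber", gid), ("homeDirectory", home)]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"

def group_to_ldif(line, base=BASE):
    """Turn one /etc/group line into the posixGroup entry migrate_group.pl emits."""
    name, _pw, gid, members = line.rstrip("\n").split(":")
    attrs = [
        ("dn", f"cn={name},ou=Group,{base}"),
        ("objectClass", "posixGroup"),
        ("objectClass", "top"),
        ("cn", name),
        ("gidNumber", gid),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"

def migrate(passwd_lines, group_lines):
    """Entries separated by blank lines, ready for ldapadd -f, like /opt/passwd.ldif."""
    entries = [passwd_to_ldif(l) for l in passwd_lines]
    entries += [group_to_ldif(l) for l in group_lines]
    return "\n".join(entries)

# Constructed sample input, standing in for the grep output in /opt/passwd.txt and /opt/group.txt
SAMPLE_PASSWD = "test:x:1001:1001:Test User:/home/test:/bin/bash\n"
SAMPLE_GROUP = "test:x:1001:alice,bob\n"

if __name__ == "__main__":
    print(migrate([SAMPLE_PASSWD], [SAMPLE_GROUP]))
```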

7. LDAP user add, query, modify, delete

Query: look up the newly added test user:

ldapsearch -LLL -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 -b 'dc=example,dc=com' 'uid=test'

 

Modify: after a user has been added, set its initial password with the following command:

ldappasswd -x -D 'uid=ldapadmin,ou=people,dc=example,dc=com' -w 12345678 "uid=test,ou=people,dc=example,dc=com" -S

Enter the new password, 123456, when prompted.

 

 

Delete (not done here; otherwise the user would have to be created again):

Delete the user:

ldapdelete -x -w 12345678 -D 'uid=ldapadmin,ou=people,dc=example,dc=com' "uid=test,ou=people,dc=example,dc=com"

Delete the group entry:

ldapdelete -x -w 12345678 -D 'uid=ldapadmin,ou=people,dc=example,dc=com' "cn=test,ou=group,dc=example,dc=com"

 

8. Client configuration (on another virtual machine, IP 192.168.10.131)

Openldap client installation:

yum install openldap-clients -y

 

In /etc/openldap/ldap.conf modify the following two settings:

BASE    dc=example,dc=com
URI     ldap://192.168.10.130   (server IP)

 

vim /etc/krb5.conf

 

Then run the following commands to test.

Delete the ticket:

kdestroy   (this reports an error)

Run ldapsearch -x -b 'dc=example,dc=com'

(At this point the firewall on the server should be turned off, otherwise this command fails.)

Reacquire a ticket:

kinit ldapadmin

No error.

Run ldapsearch -b 'dc=example,dc=com' -x

ldapwhoami -x

Entering ldapsearch -x directly does not produce an error.

Running ldapsearch without -x (SASL/GSSAPI bind) produced an error: ldap_sasl_interactive_bind_s failed because /etc/krb5.keytab did not exist. Fix: copy /etc/openldap/ldap.keytab from the server to /etc/krb5.keytab on the client, then

chgrp ldap /etc/krb5.keytab && chmod 640 /etc/krb5.keytab

(or run slapd as the root user).

If the error is "SASL(-4): no mechanism available: No worthy mechs found", add the -x parameter to ldapsearch to skip SASL authentication.

  

9. Kerberos integration with the LDAP database (the common integration approach), server side

1) Configuration

Kerberos data must be stored in a database; here we choose LDAP as that database so that backups are easy (backing up the LDAP database alone is enough). If you want to use Kerberos' own database instead, replace kdb5_ldap_util with kdb5_util in the commands below.

vim /etc/krb5.conf and append the following:

[dbdefaults]
    ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldapi://
        ldap_kerberos_container_dn = cn=kerberos,dc=example,dc=com
        ldap_kdc_dn = cn=root,dc=example,dc=com
        ldap_kadmind_dn = cn=root,dc=example,dc=com
        ldap_service_password_file = /etc/krb5.ldap
        ldap_conns_per_server = 5
    }

 

ldap_kdc_dn and ldap_kadmind_dn are the DNs the Kerberos KDC and the kadmin service use to access the LDAP database. The former needs read access, the latter read and write access. For simplicity, both are managed with the single DN cn=root,dc=example,dc=com here.

Note: ldap_kerberos_container_dn must start with 'cn'.

 

2) Add LDAP users

vim user.ldif, with the following content:

# the container entry for the Kerberos data
dn: cn=kerberos,dc=example,dc=com
cn: kerberos
objectClass: organizationalRole

# the root user that Kerberos binds as
dn: cn=root,dc=example,dc=com
cn: root
userPassword:: e1NTSEF9UTg2T1hqeXcreCtzck5yL1JEUzhLbTBGQ2tZeFBzWnI=
objectClass: simpleSecurityObject
objectClass: organizationalRole

Run: ldapadd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 -f user.ldif

The administrator changes the password of an ordinary user:

ldappasswd -x -D "uid=ldapadmin,ou=people,dc=example,dc=com" -w 12345678 "cn=root,dc=example,dc=com" -s 123456

This sets the password to 123456.

 

3) Generate the password file for LDAP service access

Because Kerberos needs the passwords of ldap_kdc_dn and ldap_kadmind_dn to access the LDAP database, run the following command (bind password 12345678):

kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -w 12345678 stashsrvpw -f /etc/krb5.ldap cn=root,dc=example,dc=com

Enter 12345678 at the prompt.

cat /etc/krb5.ldap

 

4) Create the Kerberos database (passwords entered at the prompts: 12345678, 123456, 123456):

kdb5_ldap_util -D uid=ldapadmin,ou=people,dc=example,dc=com -H ldapi:// create -r EXAMPLE.COM -s

 

5) Restart Kerberos

service krb5kdc restart

 

6) Test: add a user

kadmin.local

kadmin.local:  addprinc test

The password is 123456.

Then:

slapcat | grep "test"

 

 

Authentication with the Kerberos + LDAP integration: LDAP does the account management, Kerberos does the authentication.

1) Using LDAP for user authentication.

The user (e.g. uid=test,ou=People,dc=example,dc=com) only needs a userPassword attribute added. To do this on the command line, prepare the following file (the userPassword value corresponds to the password 123456):

vim test.ldif

dn: uid=test,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K

Then run:

ldapmodify -x -D 'cn=root,dc=example,dc=com' -w 123456 -h 127.0.0.1 -f test.ldif

After the command succeeds, confirm with:

ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=example,dc=com'

 

 

2) Using Kerberos for authentication.

The user's password field is modified as follows (the userPassword value is generated with echo -n "{SASL}test@EXAMPLE.COM" | base64):

dn: uid=test,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NBU0x9dGVzdEBFWEFNUExFLkNPTQ==

Apply the change with ldapmodify -x -D 'cn=root,dc=example,dc=com' -w 123456 -h 127.0.0.1 -f test.ldif
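As an added example (my own code, not from the page), the following builds and decodes the two kinds of userPassword values this section uses: the {SSHA} salted hash that slapd verifies itself, and the {SASL}user@REALM value that makes slapd hand the simple bind to saslauthd and hence to the KDC. It assumes the page's realm EXAMPLE.COM and base ou=People,dc=example,dc=com. One check it makes visible: the {SSHA} value the page adds for uid=test decodes with a trailing newline, the usual sign of base64-encoding echo output without -n.

```python
import base64
import hashlib
import os

REALM = "EXAMPLE.COM"                       # the page's realm
PEOPLE = "ou=People,dc=example,dc=com"      # where the page keeps user entries

def make_ssha(password, salt=b""):
    """{SSHA}base64(sha1(password + salt) + salt), the form slappasswd -h {SSHA} writes."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, password):
    """Check a password against an {SSHA} value: first 20 bytes digest, the rest salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def make_sasl(uid, realm=REALM):
    """{SASL}uid@REALM: slapd stores no hash but asks saslauthd (MECH=kerberos5)."""
    return f"{{SASL}}{uid}@{realm}"

def ldif_userpassword_line(value):
    """Encode as the page's 'userPassword::' lines do; '::' marks a base64 value."""
    return "userPassword:: " + base64.b64encode(value.encode()).decode()

def decode_ldif_line(line):
    """Reverse of the above; plain 'attr: value' lines are returned as-is."""
    _attr, sep, rest = line.partition(":: ")
    return base64.b64decode(rest).decode() if sep else line.partition(": ")[2]

def userpassword_modify_ldif(uid, realm=REALM):
    """The modify that moves uid from LDAP-checked to Kerberos-checked simple binds."""
    return (f"dn: uid={uid},{PEOPLE}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"{ldif_userpassword_line(make_sasl(uid, realm))}\n")

if __name__ == "__main__":
    print(userpassword_modify_ldif("test"))
    print(make_ssha("123456"))
```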

 

3) Modify the configuration

vim /etc/sysconfig/saslauthd and change the value to:

MECH=kerberos5

Restart: service saslauthd restart

Create the file /etc/sasl2/slapd.conf with the content:

pwcheck_method: saslauthd

Restart: service slapd restart

 

4) Run service saslauthd status -l to see whether there is an error.

No error is reported. Then do the following:

kadmin.local -q "ank -clearpolicy -randkey host/c2bde55"

kadmin.local -q "ktadd host/c2bde55"

service saslauthd restart

ps aux | grep saslauthd

kadmin.local -q 'ank -pw 123456 test'

This sets the test user's password to 123456.

testsaslauthd -u test -p 123456

If this reports an error, run the following commands:

kadmin.local -q "ank -clearpolicy -randkey host/localhost"

kadmin.local -q "ktadd host/localhost"

Now testsaslauthd with the test user's password 123456 succeeds.

 

 

At this point the Kerberos authentication test is successful.

Test with ldapsearch whether LDAP authentication succeeds:

ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=example,dc=com'

Successful result.

If it is unsuccessful, run:

kadmin.local -q "ank -clearpolicy -randkey host/localhost"

kadmin.local -q "ktadd host/localhost"

Client authentication (with the server-side firewall turned off):

ldapsearch -x -D 'uid=test,ou=People,dc=example,dc=com' -w 123456 -h 192.168.10.130 -b 'ou=People,dc=example,dc=com'   (192.168.10.130 is the server's IP address)

 

 

 


Source: www.cnblogs.com/wsnan/p/11074636.html