Step 1 Installation and Basic Configuration of OpenLDAP and MITv5 Kerberos

Full blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

Note: before I start explaining I would like to emphasize the importance of proper DNS records (forward and reverse) for your servers. You will need them to create your Kerberos REALM properly and to avoid problems later, because Kerberos clients look up service principals by the server's canonical host name. You have been warned ;) .


We start off by installing and configuring OpenLDAP, later on referred to as ‘LDAP’.

First install the necessary LDAP packages:

sudo apt-get install slapd ldap-utils

Generate the hash of the password you want to use for the admin of the configuration database (cn=config); this is a separate identity from the admin of your data tree:

sudo slappasswd -h {SSHA}

SSHA stands for Salted SHA-1: the stored value is the SHA-1 digest of the password concatenated with a random salt, followed by that salt, base64 encoded. slappasswd also supports unsalted schemes (SHA, MD5) and CRYPT, but the salt means two users with the same password get different hashes and an attacker cannot use a precomputed table against a dumped directory, so SSHA is the one to use here. The hash itself is not secret-free: anyone who can read olcRootPW can still brute-force it, which is one reason the access controls in section 5 matter.
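To make the {SSHA} format concrete, here is a small shell implementation that recomputes and verifies such a hash with openssl. It is an added example, not code from the original page or from OpenLDAP; it assumes openssl, mktemp and tail are installed, and the password and salt it demonstrates with are constructed. A practitioner can use ssha_verify to confirm that the hash pasted into an LDIF really matches the password written down in the password safe.

```shell
#!/bin/sh
# Added example: recompute and verify an OpenLDAP {SSHA} password hash.
# {SSHA} value = base64( SHA1(password || salt) || salt ).
# slappasswd picks a random 4-byte salt, so the same password hashed twice
# yields two different strings; verification therefore has to reuse the
# salt stored inside the hash rather than compare hashes textually.

ssha_hash() {
    # $1 = password, $2 = salt (any byte string; empty gives plain {SHA})
    pass=$1; salt=$2
    b64=$( { printf '%s%s' "$pass" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl base64 -A )
    printf '{SSHA}%s\n' "$b64"
}

ssha_verify() {
    # $1 = password, $2 = stored "{SSHA}..." string (as in an LDIF or the DIT)
    # Returns 0 when the password matches, 1 otherwise.
    pass=$1
    stored=$(printf '%s' "$2" | sed 's/^{SSHA}//')
    blob=$(mktemp) || return 1
    saltf=$(mktemp) || { rm -f "$blob"; return 1; }
    printf '%s' "$stored" | openssl base64 -d -A > "$blob"
    # The first 20 bytes are the SHA-1 digest; whatever follows is the salt
    # (binary, so it is kept in a file rather than a shell variable).
    tail -c +21 "$blob" > "$saltf"
    recomputed=$( { { printf '%s' "$pass"; cat "$saltf"; } | openssl dgst -sha1 -binary; cat "$saltf"; } | openssl base64 -A )
    rm -f "$blob" "$saltf"
    [ "$recomputed" = "$stored" ]
}

demo() {
    # Constructed password and salt, not values from the page.
    h=$(ssha_hash 'correct horse battery' 'ab12')
    printf 'hash:  %s\n' "$h"
    ssha_verify 'correct horse battery' "$h" && echo 'verify: correct password accepted'
    ssha_verify 'wrong password' "$h" || echo 'verify: wrong password rejected'
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh ssha.sh demo`, or paste the hash printed by `slappasswd` into `ssha_verify` to double-check it before committing it to cn=config. Note that `tail -c +21` starts at byte 21, i.e. right after the 20-byte SHA-1 digest.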
Create an LDIF file that sets the root DN of the configuration database and stores the hash as its password (paste the output of your own slappasswd run, not the value shown here; the file name is arbitrary):

 vim /home/jeroen/db_23032012.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config
-
add: olcRootPW
olcRootPW: {SSHA}HVL6nhuGNczdDSZ8GVvz7/LYAKRmYw==

Apply it over the local ldapi socket. This is a modify, not an add, so use ldapmodify; the SASL EXTERNAL mechanism maps the local root user to an identity that Debian's default configuration allows to manage cn=config, which is why sudo is needed:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/jeroen/db_23032012.ldif

Create the initial directory entries (this is data, not a schema: two organizational units, a POSIX group and a user). Every entry must carry all attributes its object classes require, otherwise slapd rejects it with an object class violation: inetOrgPerson needs cn and sn, posixAccount needs uid, uidNumber, gidNumber and homeDirectory.

vim /home/jeroen/schema.ldif
# Create top-level objects in the domain
dn: ou=employees,dc=example,dc=com
objectClass: organizationalUnit
ou: employees

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=IT,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: IT
gidNumber: 5000

dn: uid=john,ou=employees,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
cn: John Smith
sn: Smith
givenName: John
displayName: John Smith
title: Sir
telephoneNumber: +32 123 456 789
mobile: +32 987 654 321
ou: IT
uidNumber: 10000
gidNumber: 5000
gecos: John Smith
loginShell: /bin/zsh
homeDirectory: /home/john

And add it to the LDAP, binding as the admin of the data tree. That DN and its password were set by the debconf questions when the slapd package was installed (the base DN is derived from the host's DNS domain); if your tree is not dc=example,dc=com, run sudo dpkg-reconfigure slapd first:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f /home/jeroen/schema.ldif

Your LDAP server should be running now. You can test it by launching a search query:

ldapsearch -xLLL -b dc=example,dc=com

If you want to stop here, please don't, and take at least a quick look at section 5 'Hardening your setup': at this point your LDAP server still runs with the unsafe basic config, meaning it accepts unencrypted simple binds (passwords on the wire in clear text) and anonymous reads of the tree.

MITv5 Kerberos

First set up time synchronization, as Kerberos tickets are time dependent: a ticket is only valid for a limited time window, and authenticators carry a timestamp, in order to mitigate replay attacks. If the clock skew between a client or server and the KDC is too great (more than the clockskew setting in krb5.conf, 300 seconds by default) you will get errors. The simplest way is an hourly cron job that runs ntpdate. Write a script in /etc/cron.hourly; run-parts skips file names containing a dot, so leave out the .sh extension, and make the file executable (chmod +x). The only thing you need to put in it is:

#!/bin/sh
ntpdate ntp.example.org   # replace with your NTP server

You can of course use any timeserver you want. Probably your NREN has its own NTP server, just like Belnet. A permanently running ntpd is the cleaner solution (and it will refuse to start while a cron job keeps stepping the clock with ntpdate), but the cron job is enough to get going. Do this on the KDC and on every client and server that will use Kerberos.
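As an added example (not from the original page), the following shell functions check the local clock against an NTP server in ntpdate's query mode and compare the measured offset with the Kerberos clock skew limit, so you can catch a drifting host before kinit starts failing. The NTP server name is an assumption, the sample output line is constructed, and the 300-second limit is MIT Kerberos' default for the clockskew setting in krb5.conf.

```shell
#!/bin/sh
# Added example: verify that this host's clock offset is within the Kerberos
# clock skew limit before relying on tickets.
# ntpdate -q only queries the server and prints the offset, it does not step
# the clock, so it is safe to run anywhere, also on hosts running ntpd.
MAX_SKEW=${MAX_SKEW:-300}   # seconds; MIT krb5 [libdefaults] clockskew default

# Extract the offset in seconds (may be negative) from one "ntpdate -q" line,
# e.g. "server 192.0.2.10, stratum 2, offset -0.003521, delay 0.02594".
# Prints nothing for lines without an offset field.
ntp_offset() {
    printf '%s\n' "$1" | awk -F'offset ' 'NF > 1 { split($2, f, ","); print f[1]; exit }'
}

# Returns 0 when |offset| < MAX_SKEW, 1 otherwise. awk does the comparison
# because POSIX sh arithmetic is integer-only and offsets are fractional.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off < max) }'
}

# Query a live server: check_server ntp.example.org (server name assumed).
# Returns 0 if the skew is acceptable, 1 if not, 2 if the query failed.
check_server() {
    line=$(ntpdate -q "$1" 2>/dev/null | grep 'offset ' | head -n 1)
    off=$(ntp_offset "$line")
    [ -n "$off" ] || { echo "no usable answer from $1" >&2; return 2; }
    if skew_ok "$off"; then
        echo "clock offset ${off}s is within ${MAX_SKEW}s, Kerberos will accept our timestamps"
    else
        echo "clock offset ${off}s exceeds ${MAX_SKEW}s: fix time sync before using kinit" >&2
        return 1
    fi
}

if [ -n "${1-}" ]; then check_server "$1"; fi
```

Run it as `sh skewcheck.sh ntp.example.org` on the KDC and on a client; a non-zero exit means the two clocks are far enough apart that the KDC will answer KRB_AP_ERR_SKEW style errors rather than tickets.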
After this, install the necessary packages for kerberos:

sudo apt-get install krb5-kdc krb5-admin-server

The krb5-config package asks for the default realm and for the KDC and admin server host names: use the upper-case form of your DNS domain as the realm (EXAMPLE.COM) and the servers' fully qualified names, which is why the DNS records mentioned at the top matter. The answers end up in /etc/krb5.conf. Then create the realm; the script initialises the KDC database and asks for a master key password, which protects every key in the database, so store it safely:

sudo krb5_newrealm

Add a principal. The -x dn=... option tells the LDAP backend of the KDC which existing directory entry the Kerberos attributes should be attached to; it only works once the KDC has been linked to LDAP (step 2). On a KDC that still uses the default db2 backend, leave the option out and just run addprinc john:

sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=john,ou=employees,dc=example,dc=com" john
WARNING: no policy specified for john@EXAMPLE.COM; defaulting to no policy
Enter password for principal "john@EXAMPLE.COM":
Re-enter password for principal "john@EXAMPLE.COM":
Principal "john@EXAMPLE.COM" created.
kadmin.local: quit

Restart the kerberos server:

sudo /etc/init.d/krb5-admin-server restart

Test it by requesting a ticket-granting ticket and listing the credential cache:

kinit john@EXAMPLE.COM
Password for john@EXAMPLE.COM:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: john@EXAMPLE.COM

Valid starting     Expires            Service principal
03/23/12 14:19:36  03/24/12 00:19:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 03/24/12 14:19:31

A krbtgt/EXAMPLE.COM@EXAMPLE.COM entry in the cache means the KDC accepted the password and issued a TGT valid for ten hours (the default ticket lifetime), renewable for a day. Run kdestroy when you are done testing.

This was step 1. To proceed, go to step 2.