Step 2 Linking OpenLDAP With MITv5 Kerberos

Full-blown authentication system

  1. Installation and basic configuration of OpenLDAP and MITv5 Kerberos
  2. Linking OpenLDAP with MITv5 Kerberos
  3. Linking FreeRADIUS
  4. Replication
  5. Hardening your setup
  6. Configure your clients
  7. Varia

We link LDAP with Kerberos by using the LDAP directory as the Kerberos principal database. This is how to set it up:
OpenLDAP
Install the following package:

sudo apt-get install krb5-kdc-ldap

Decompress the Kerberos schema and copy it to the /etc/ldap/schema directory:

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

Then create a configuration file named schema_convert.conf (or a similarly descriptive name) containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

Create a temporary directory to hold the LDIF files:

mkdir /tmp/ldif_output

Now, use slapcat to convert the schema files. The {12} in the search base is the position of kerberos.schema among the include lines of schema_convert.conf, counting from 0; if you included a different set of schemas, adjust it accordingly:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn\=kerberos.ldif

Edit the generated /tmp/cn\=kerberos.ldif file so that the dn and cn attributes no longer carry the {12} ordering prefix:

dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

And remove the following operational attributes from the end of the file (the values on your system will differ; ldapadd would reject an entry that still contains them):

structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

Load the new schema with ldapadd:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif
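The manual editing step above (dropping the {12} prefix from dn and cn, then removing the operational attributes) done with sed instead of by hand. This is an added example, not part of the original guide: the sample LDIF is constructed, its OID and operational values are placeholders, and the filter works for any schema name exported this way, not only kerberos.

```shell
#!/bin/sh
# Post-process a schema LDIF exported by slapcat so that ldapadd accepts it:
# strip the {N} ordering prefix from the dn and cn lines and drop the
# operational attributes slapd generated for its own copy of the entry.
# Reads the LDIF on stdin, writes the cleaned LDIF on stdout.
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}\([^,]*\),cn=schema,cn=config$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}\(.*\)$/cn: \1/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed sample resembling slapcat output (placeholder OID and values,
# not a real schema export).
sample_ldif() {
    cat <<'EOF'
dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 1.1.1.1 NAME 'krbPrincipalName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
EOF
}

# The LDIF that would be handed to ldapadd.
cleaned_sample() {
    sample_ldif | clean_schema_ldif
}

# Number of operational attribute lines that survived the filter (expect 0).
leftover_count() {
    cleaned_sample | grep -c -E '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' || true
}

cleaned_sample
```

On a real export, run `clean_schema_ldif < /tmp/cn\=kerberos.ldif > /tmp/cn\=kerberos.clean.ldif` and feed the result to ldapadd.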

Add an index for the krbPrincipalName attribute. ldapmodify reads the change from standard input, so after the last line press [ENTER] on an empty line to submit it, otherwise it waits indefinitely; once the "modifying entry" message appears, leave with Ctrl-C (or Ctrl-D):

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"
^C

Finally, update the Access Control Lists (ACL). The first rule keeps userPassword, shadowLastChange and krbPrincipalKey hidden from everyone except cn=admin and the entry itself (both may write them), while "by anonymous auth" still lets the values be used for a bind; the last rule makes all other attributes readable by anyone, including the Kerberos principal entries created later:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

MITv5 Kerberos

Modify the configuration as described (the realm name must be spelled identically, in upper case, everywhere it appears):

vim /etc/krb5.conf
...
[realms]
        EXAMPLE.COM = {
                kdc = provider.example.com
                admin_server = provider.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }
...
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
...
[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://provider.example.com
                ldap_conns_per_server = 5
        }

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

With a plain ldap:// URI the KDC's bind password and the principal keys cross the network unencrypted; when the directory runs on the same host use ldapi:///, otherwise use ldaps://.

Next, use the kdb5_ldap_util utility to create the realm. You are prompted for the LDAP password of cn=admin and then for a new master key for the Kerberos database, which -s stashes on disk:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://provider.example.com

Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

This was step 2. To proceed, go to step 3.