Zum Inhalt springen

Benutzer:Philip/Kerberos and LDAP: Unterschied zwischen den Versionen

Zum nächsten Versionsunterschied →
VisuellWikitext
Philip (Diskussion | Beiträge)
574 Bearbeitungen
Die Seite wurde neu angelegt: This is a small write-up to get openldap running with sasl/gssapi and kerberos5. Thanks to sxw@freenode, who just knew what to do (in opposite to the various crappy how...
 
Philip (Diskussion | Beiträge)
574 Bearbeitungen
tidied up
Zeile 1: Zeile 1:
This is a small write-up to get openldap running with sasl/gssapi and
=Kerberos, SASL and OpenLDAP=
kerberos5. Thanks to sxw@freenode, who just knew what to do (in opposite to the
''This is a small write-up to get openldap running with sasl/gssapi and
various crappy howtos out there)
kerberos5. Thanks to sxw@irc.freenode.net, who happened to just know what to do (in contradiction to the various crappy howtos out there)''


It is based on:
It is based on:
* Ubuntu Feisty
* '''Ubuntu Feisty'''
* Openldap
* '''Openldap'''
* MIT Kerberos (but i guess heimdal will work just as well)
* '''MIT Kerberos''' (but i guess heimdal will work just as well)


I use <> brackets to indicate that you need to fill something in. Please mind
I use <> brackets to indicate that you need to fill something in. Please mind
Zeile 12: Zeile 12:
lowercase.
lowercase.


fqdn=fully qualified domain name
'''fqdn''': fully qualified domain name
realm=kerberos realm
'''realm''': kerberos realm
user=existing kerberos/ldap user
'''user''' existing kerberos/ldap user


* Check prerequisites for the openldap server:
===what you need to know===
** DNS MUST be ok:
Considering the high potential of neverending frustration and agony when deploying LDAP & Kerberos, you should ask yourself if you are ''really'' firm with all of the used software products, which include OpenLDAP, Kerberos, gcc and a text editor.
*** host <ipaddress that you want to use to connect to ldap> must return a hostname (DNS PTR record)
*** host <hostname returned previously> must return the same ip address (DNS A record)
*** that is, host <ip> and host <hostname> must return the equal opposite
** OpenLDAP server must give read access to root DSE on anonymouse binds
** have libsasl2-modules-gssapi-mit installed
** have libsasl2-dev installed


* Check prerequisites for the openldap client:
In particular you should know how to:
** you should be able to ldapsearch on the server
* Manage an OpenLDAP directory service (ldapsearch, ldapadd, ldapwhoami, configuring/starting/stopping slapd)
** OpenLDAP must be working (and should already have useraccounts to test with)
* Manage a Kerberos KDC, either MIT or Heimdal. This includes know-how about how to set up a realm, create policies, add/delete/change principals and so on
** Kerberos must be working (= get tickets for users)
* Manage the required infrastructure, such as DNS and NTP
** have libsasl2-dev installed
* Test your network and system for misconfiguration


===server prerequisites===
Check prerequisites for the openldap server:
* DNS MUST be ok:
** host <ipaddress that you want to use to connect to ldap> must return a hostname (DNS PTR record)
** host <hostname returned previously> must return the same ip address (DNS A record)
** that is, host <ip> and host <hostname> must return the equal opposite
* OpenLDAP server must give read access to root DSE on anonymouse binds
* have libsasl2-modules-gssapi-mit installed
* have libsasl2-dev installed


===client prerequisites===
Check prerequisites for the openldap client:
* you should be able to ldapsearch on the server
* OpenLDAP must be working (and should already have useraccounts to test with)
* Kerberos must be working (= get tickets for users)
* have libsasl2-dev installed
===create a keytab===
* Create a ldap service keytab on your kdc:
* Create a ldap service keytab on your kdc:
   kadmin.local -q "ank -randkey ldap/<fqdn>@<REALM>"
   kadmin.local -q "ank -randkey ldap/<fqdn>@<REALM>"
Zeile 39: Zeile 50:
   chown openldap.openldap /etc/ldap/ldap-host.keytab
   chown openldap.openldap /etc/ldap/ldap-host.keytab


* Now, try if you get SASL running with the example server/client thing:
===test with SASL example code===
** do on client/server:
* Now, try if you can get SASL running with the example server/client thing:
: do on client/server:
   gcc -o sample-client /usr/share/doc/libsasl2-dev/examples/sample-client.c -I. -I /usr/include/sasl -lsasl2
   gcc -o sample-client /usr/share/doc/libsasl2-dev/examples/sample-client.c -I. -I /usr/include/sasl -lsasl2
   gcc -o sample-server /usr/share/doc/libsasl2-dev/examples/sample-server.c -I. -I /usr/include/sasl -lsasl2
   gcc -o sample-server /usr/share/doc/libsasl2-dev/examples/sample-server.c -I. -I /usr/include/sasl -lsasl2


** in one terminal (as root, on the server):
: in one terminal (as root, on the server):
  export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
  export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
  ./sample-server.strace ./sample-server -s ldap
  ./sample-server.strace ./sample-server -s ldap


** in another terminal (on the client):
: in another terminal (on the client):
  kinit <user>
  kinit <user>
  ./sample-client -s ldap -n <fqdn> -u <user>
  ./sample-client -s ldap -n <fqdn> -u <user>


** crosspaste the S: and C: lines
: crosspaste the S: and C: lines


** do yourself a favour and do not continue unless you made the negotiation work (it makes sure that everything you need regarding sasl/kerberos is set up correctly).
: do yourself a favour and '''do not continue''' unless you made the negotiation work (it makes sure that everything you need regarding sasl/kerberos is set up correctly).


===prepare slapd startup===
* edit /etc/defaults/slapd and add the line
* edit /etc/defaults/slapd and add the line
  export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
  export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
Zeile 63: Zeile 76:
  sasl-host              <fqdn>
  sasl-host              <fqdn>


** restart slapd
* restart slapd


* try ldapwhoami -Y GSSAPI
===try GSSAPI bind===
** you should get a message indicating success with:
* try  
kinit <user>
ldapwhoami -Y GSSAPI
: you should get a message indicating success with:
  "dn:uid=<user>,cn=<realm>,cn=gssapi,cn=auth"
  "dn:uid=<user>,cn=<realm>,cn=gssapi,cn=auth"


===setup SASL<->LDAP user mapping===
* now, depending on your ldap setup, add something along the lines of
* now, depending on your ldap setup, add something along the lines of
  saslRegexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///ou=Users,o=organisation,c=org?sub?uid=$1
  saslRegexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///ou=Users,o=organisation,c=org?sub?uid=$1


** this will make ldap map the <user> part of <user>@<REALM> to a posixAccount uid found below ou=Users,o=organisation,c=org
: or
saslRegexp    uid=(.*),cn=<realm>,cn=gssapi,cn=auth ldap:///ou=Users,o=$2,c=org?sub?uid=$1
 
: depending on if you want to authenticate against more than one realm.
 
: The first example will make ldap map the <user> part of <user>@<REALM> to a posixAccount uid found below ou=Users,o=organisation,c=org
: The second example will try to search in <realm> below the hierarchy of c=org. You can improve that by writing a better regex which extracts the domain from the realm.


** you could use $2 to also map the realm accordingly.
* you could also use $2 to also map the realm in the username accordingly.
** restart slapd
* restart slapd


===try it!===
* get a ticket and look what you have here:
* get a ticket and look what you have here:
  kinit <user>
  kinit <user>
Zeile 83: Zeile 107:
* if you want to always use GSSAPI, put the line
* if you want to always use GSSAPI, put the line
  mech_list: GSSAPI
  mech_list: GSSAPI
** in the file /usr/lib/sasl2/slapd.conf - no, thats NOT a typo.
: in the file '''/usr/lib/sasl2/'''slapd.conf - no, thats NOT a typo.
Abgerufen von „https://metalab.at/alpakaparty/Benutzer:Philip/Kerberos_and_LDAP