
4.1. Configuring OpenLDAP


First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see Section 1, “OpenLDAP Server” [p. 115].

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See Section 1.8, “TLS” [p. 129] for details.



cn=admin,cn=config is a user we created with rights to edit the LDAP database. Many times it is the RootDN. Change its value to reflect your setup.


• To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:


sudo apt install krb5-kdc-ldap

• Next, extract the kerberos.schema.gz file:


sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz

sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

• The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in Section 1.4, “Modifying the slapd Configuration Database” [p. 120].

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:


include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2. Create a temporary directory to hold the LDIF files:


mkdir /tmp/ldif_output


3. Now use slapcat to convert the schema files:


slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \
"cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif


Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=kerberos.ldif file, changing the following attributes:


dn: cn=kerberos,cn=schema,cn=config

...

cn: kerberos


And remove the following lines from the end of the file:


structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z


The attribute values will vary; just be sure the attributes are removed.

5. Load the new schema with ldapadd:


sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif


6. Add an index for the krb5principalname attribute:


sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///


dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex

olcDbIndex: krbPrincipalName eq,pres,sub


modifying entry "olcDatabase={1}mdb,cn=config"


7. Finally, update the Access Control Lists (ACL):


sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///


dn: olcDatabase={1}mdb,cn=config
replace: olcAccess

olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

-

add: olcAccess

olcAccess: to dn.base="" by * read

-

add: olcAccess

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read


modifying entry "olcDatabase={1}mdb,cn=config"


That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
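As an added example that is not part of the Ubuntu guide, the following POSIX shell filter performs the hand edits of step 4 on the LDIF written by slapcat in step 3 (rewriting the indexed dn and cn, dropping the operational attributes) and lets you confirm the result is clean before ldapadd in step 5. The script name, the sample LDIF and the OID and UUID in it are constructed placeholders, not values from the real kerberos schema.

```sh
#!/bin/sh
# Added example, not from the Ubuntu guide: apply the hand edits of step 4
# to the LDIF that slapcat produced in step 3, so the result loads with
# ldapadd in step 5.  Usage: ./clean_kerberos_ldif.sh /tmp/cn=kerberos.ldif
# (the script name is assumed).

# Rewrite the indexed dn/cn to the plain "cn=kerberos" form and drop the
# operational attributes that slapd maintains itself; ldapadd rejects an
# entry that tries to set them.
clean_schema_ldif() {
  sed -e 's/^dn: cn={[0-9]*}kerberos,/dn: cn=kerberos,/' \
      -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
      -e '/^structuralObjectClass: /d' \
      -e '/^entryUUID: /d' \
      -e '/^creatorsName: /d' \
      -e '/^createTimestamp: /d' \
      -e '/^entryCSN: /d' \
      -e '/^modifiersName: /d' \
      -e '/^modifyTimestamp: /d' "$@"
}

# Succeed only if no operational attribute survived; run this on the
# cleaned file before handing it to ldapadd.
ldif_is_clean() {
  ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$@"
}

# Constructed sample of what slapcat emits for the {12}kerberos entry; the
# OID and UUID are placeholders, not values from the real schema.
SAMPLE_LDIF='dn: cn={12}kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1 NAME '\''krbPrincipalName'\'' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z'

# When given a file, filter it to stdout; redirect into the file for step 5.
if [ $# -gt 0 ]; then
  clean_schema_ldif "$@"
fi
```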

