| Linux System Administration |
| Home | Tech | Linux | Links | Consulting |
|
Integrated Kerberos-OpenLDAP consumer on Debian lenny
This page describes how to set up an OpenLDAP consumer server and an MIT Kerberos V slave server on the same host so that Kerberos uses LDAP as it back-end database. It depends on a previously installed Kerberos-OpenLDAP provider server, kls1.example.com. The system also relies heavily on timestamps, so reasonably accurate time synchronization among all participating hosts is essential. In this example, OpenLDAP and MIT Kerberos V are installed on a host running Debian 5.0 (lenny). If followed properly, the step-by-step process should produce an OpenLDAP provider server with a new DIT, followed by a Kerberos master server that stores its database in that same DIT. But, before the interesting parts can begin, it will first be necessary to install the operating system on a new host called kls2.example.com. A DNS server must also be available on the network with a zone file to which forward and reverse mappings can be added for this host. After the initial installation of the operating system, make sure these packages are installed on the system as well: ~# apt-get install ssh ntp ntpdate nmap Afterwards, edit /etc/ntp.conf so that the machine synchronizes to a common NTP server (preferably a local one) and edit /etc/default/ntpdate to use the same host also. Now the installation of the new server can begin. 1. Kerberos client install First, run the following command to test if the MIT Kerberos V server installed previously is available on the network: ~# nmap kls1.example.com This should be among the results: PORT STATE SERVICE 749/tcp open kerberos-adm If there is a problem, fix it first. If not, continue by installing these three packages:
~# apt-get install krb5-{config,user} libpam-krb5
A total of four packages are installed as a result, including one dependency: krb5-config 1.22 Configuration files for Kerberos Version 5 krb5-user 1.6.dfsg.4~beta1-5lenny2 Basic programs to authenticate using MIT Kerberos libkadm55 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos administration runtime libraries libpam-krb5 3.11-4 PAM module for MIT Kerberos During the installation, the krb5-config package will automatically have the default realm set to EXAMPLE.COM, but a few questions have to be answered for it as well: Kerberos servers for your realm: kls1.example.com Administrative server for your Kerberos realm: kls.example.com These settings, along with the default realm, are saved in /etc/krb5.conf. 2. Service princ & keytab Use kadmin to create a Kerberos principal for the LDAP service and a matching keytab file by issuing a few commands: ~# kadmin -p admin Authenticating as principal admin with password. Password for admin@EXAMPLE.COM: arietans kadmin: addprinc -randkey ldap/kls2.example.com WARNING: no policy specified for ldap/kls2.example.com@EXAMPLE.COM; defaulting to no policy Principal "ldap/kls2.example.com@EXAMPLE.COM" created. kadmin: ktadd ldap/kls2.example.com Entry for principal ldap/kls2.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. Entry for principal ldap/kls2.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal ldap/kls2.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. Entry for principal ldap/kls2.example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. kadmin: q ~# _ The -randkey switch is used because a machine cannot enter a password. To list the keys in /etc/krb5.keytab, use the klist -ke command. A host (or service) principal and a keytab file should be created for and saved on all of the various client machines that are part of a Kerberos realm. 3. OpenLDAP install Before starting the install process, run the following command to test if the previously installed OpenLDAP provider server is actually available on the network: ~# nmap kls1.example.com This should be among the results: PORT STATE SERVICE 389/tcp open ldap If there is a problem, fix it first. Otherwise, install these two packages: ~# apt-get install slapd ldap-utils A total of ten packages are installed as a result, including eight dependencies: ldap-utils 2.4.11-1 OpenLDAP utilities libdb4.2 4.2.52+dfsg-5 Berkeley v4.2 Database Libraries [runtime] libltdl3 1.5.26-4+lenny1 A system independent dlopen wrapper for GNU libtool libperl5.10 5.10.0-19lenny2 Shared Perl library libsasl2-modules 2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authentication modules libslp1 1.2.1-7.5 OpenSLP libraries odbcinst1debian1 2.2.11-16 Support library and helper program for accessing odbc ini file psmisc 22.6-1 Utilities that use the proc filesystem slapd 2.4.11-1 OpenLDAP server (slapd) unixodbc 2.2.11-16 ODBC tools libraries During the install process, an administrator password will be requested for slapd. Use somalica: Administrator password: somalica Confirm password: somalica This password is actually inconsequential and will not be needed again. Run the following command to test if the OpenLDAP server is actually running: ~# nmap kls2.example.com This should be among the results: PORT STATE SERVICE 389/tcp open ldap Perform a quick test by generating an LDIF dump of the contents of a the database: ~# slapcat dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example.com dc: example structuralObjectClass: organization entryUUID: e12251be-a923-102e-8428-ff3aa2ce9756 creatorsName: createTimestamp: 20100208173356Z entryCSN: 20100208173356.975696Z#000000#000#000000 modifiersName: modifyTimestamp: 20100208173356Z dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e2NyeXB0fXpwYldxSC5GbjVzamc= structuralObjectClass: organizationalRole entryUUID: e122f4de-a923-102e-8429-ff3aa2ce9756 creatorsName: createTimestamp: 20100208173356Z entryCSN: 20100208173356.980385Z#000000#000#000000 modifiersName: modifyTimestamp: 20100208173356Z ~# _ 4. ldap.conf Edit /etc/ldap/ldap.conf and use these two lines: BASE dc=example,dc=com URI ldap://kls2.example.com/ This configuration file is used to set system-wide defaults for LDAP clients. 5. Kerberos slave install To set up a Kerberos slave server, install these two packages:
~# apt-get install krb5-{kdc,kdc-ldap}
These are also the only two packages that are installed as a result: krb5-kdc 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server (KDC) krb5-kdc-ldap 1.6.dfsg.4~beta1-5lenny2 MIT Kerberos key server (KDC) LDAP plugin Since the idea is for Kerberos to use OpenLDAP as its back-end database, see to it that the Kerberos KDC and administrative services start up after slapd by changing the names of the symbolic links for their respective startup scripts: ~# mv /etc/rc2.d/S18krb5-kdc /etc/rc2.d/S20krb5-kdc ~# _ Following this automated configuration sequence for the package, a message appears regarding krb5kdc: that the realm, EXAMPLE.COM cannot be initialize. This is because the realm, or rather the database for it, has not yet been created, but that is an issue that will be dealt with later. Edit /etc/krb5kdc/kdc.conf and modify these two lines − the same as the Kerberos master server is configured:
max_life = 1d 0h 0m 0s
max_renewable_life = 90d 0h 0m 0s
6. krb524d bug This version of Kerberos includes the V to IV ticket conversion daemon, krb524d. Unfortunately, it suffers from a type of bug, called a file descriptor leak, that manifests itself when running Kerberos together with an LDAP back-end. The bug causes slapd to slowly run out of file descriptors and eventually become unresponsive. Since it is unlikely that the Kerberos developers will address this problem (krb524d has been removed from current Kerberos V releases), a workaround is necessary. Create a file, called /usr/local/bin/slapd-check, with the following contents: #!/bin/sh PATH=/usr/bin:/bin openfiles=`lsof |grep -c slapd` daemonactive=`ps ax |grep -c krb524d` if [ $daemonactive -gt 0 ] && [ $openfiles -gt 100 ]; then killall krb524d krb524d -m fi exit 0 This script checks if krb524d is running, and if so, whether the number of files that slapd has open is greater than 100. If both these tests are true, krb524d is killed and restarted. Make the new script executable: ~# chmod 750 /usr/local/bin/slapd-check Finally, have cron (crontab -e) run this script every fifteen minutes: */15 * * * * /usr/local/bin/slapd-check 7. slapd.conf Unzip and copy the Kerberos schema file to the OpenLDAP server's schema directory: ~# gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > \ /etc/ldap/schema/kerberos.schema Edit /etc/ldap/slapd.conf and make a number of changes to it. Starting at the top of the file, add a line to include support for the Kerberos schema in the DIT: # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/kerberos.schema Comment out the logging option, which will return it to its default value (256): #loglevel "none" Later on, after the configuration is finished and the whole system is working properly, it will likely be desirable to once again return the loglevel value to "none", because Kerberos tends to cause a lot of slapd log output (at least once every minute) as it accesses its back-end database. This level of logging may also affect performance. Add an entry for a hard-coded root user, which is necessary for replication: # rootdn "cn=admin,dc=example,dc=com" rootdn "cn=manager" It does not matter that the rootdn is not part of the DIT; just as long as it exists and is unique within the same system of replicating servers. Add two new index directives for the uid and krb5principalname attributes: index objectClass eq index uid eq index krbPrincipalName eq,pres,sub The first eq index will facilitate searches for uid entries, while the second will do the same for Kerberos principal entries. Both will speed up the login process. Last, modify the ACLs to look like this:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" read
by anonymous auth
by * none
access to dn.subtree="ou=krb5,dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" read
by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" read
by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read
by * none
access to dn.base=""
by * read
access to *
by users read
by * none
It is pointless to add the same access directives here as on the provider to allow clients to write, since all OpenLDAP database synrepl replicas are strictly read-only. If clients attempt to write to it anyway, they will be given a referral (URL) to the provider before these ACLs are ever encountered. Edit /etc/default/slapd and allow the LDAP service to listen for IPC connections (Unix domain sockets) by adding this line to the end of the file: SLAPD_SERVICES="ldap:/// ldapi:///" This will instruct slapd to listen on IPC, instead of only TCP port 389, which is the default. Save all of these changes, but do not restart the LDAP service until later. 8. krb5.conf Edit the Kerberos realm configuration file, /etc/krb5.conf. This file is initially created by the Debian installer and contains information about the realms of a number of famous institutions, but none of that is necessary in this case. Instead, replace its contents with this:
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
proxiable = true
[realms]
EXAMPLE.COM = {
kdc = kls2.example.com
admin_server = kls.example.com
database_module = openldap_ldapconf
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=example,dc=com
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/krb5/kdc.log
default = FILE:/var/log/krb5/kdc.log
See this section for a more detailed explanation of this file. Note the absence of the ldap_servers statement from the list of openldap_ldapconf options. This is possible because the Kerberos daemons use IPC (Unix domain sockets) to connect to the LDAP back-end by default. After /etc/krb5.conf has been saved, create the Kerberos log directory: ~# mkdir /var/log/krb5 ~# _ To prevent the log file from growing too large, create a logrotate configuration file. Edit /etc/logrotate.d/krb5-kdc and give it the following contents:
/var/log/krb5/kdc.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
postrotate
/etc/init.d/krb5-kdc restart > /dev/null
endscript
}
The various password stashes that were created previously on the provider − for the KDC database master key, the KDC service (for cn=kdc-srv) and the Kerberos administration server (cn=adm-srv) − are also required on this host. However, instead of creating them from scratch as was done before, simply copy them from the provider: ~# scp kls1.example.com:/etc/krb5kdc/s* /etc/krb5kdc/ Two files will be copied as a result: stash contains the KDC database master key, while service.keyfile contains the two service passwords. 9. Provider modifications Switch over to the provider server, kls1.example.com, to make some changes there. Start by installing a package that will prevent a replication error from appearing in the syslog: root@kls1:~# apt-get install sasl2-bin A total of two packages are installed as a result, including one dependency: db4.6-util 4.6.21-11 Berkeley v4.6 Database Utilities sasl2-bin 2.1.22.dfsg1-23+lenny1 Cyrus SASL - administration programs for SASL users database The installation also warns that saslauthd requires some tending to before it will start up automatically, but that can be ignored. All that is important here is that the install process creates a small database file, /etc/sasldb2, that slapd needs to have write access to so that certain error messages will not be generated. Next, make sure that the sasl group has access to the file: root@kls1:~# chgrp sasl /etc/sasldb2 root@kls1:~# chmod 660 /etc/sasldb2 root@kls1:~# _ Then edit /etc/group on kls1 and add openldap to the sasl group: sasl:x:45:openldap Create a new LDAP entry that will be used to represent and authorize kls2 to read the entire DIT. Start by creating a file, ~/kls2.ldif, with the following contents:
dn: ou=consumers,dc=example,dc=com
ou: consumers
objectClass: organizationalUnit
dn: cn=kls2,ou=consumers,dc=example,dc=com
cn: kls2
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP server2 replicator
userPassword: {CRYPT}*
Add these new LDAP entries to the DIT with: root@kls1:~# kinit admin Password for admin@EXAMPLE.COM: arietans root@kls1:~# ldapadd -f ~/kls2.ldif SASL/GSSAPI authentication started SASL username: admin@EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. adding new entry "ou=consumers,dc=example,dc=com" adding new entry "cn=kls2,ou=consumers,dc=example,dc=com" root@kls1:~# _ Next, edit /etc/ldap/slapd.conf on kls1 and make a number of changes to it. First, add this extra authz-regexp stanza:
authz-regexp
uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=hosts,dc=example,dc=com
authz-regexp
uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=consumers,dc=example,dc=com
authz-regexp
uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
uid=$1,ou=people,dc=example,dc=com
This is to map the GSSAPI name for kls2 to that of of the new LDAP entry, cn=kls2. Add two new eq index directives: index objectClass eq index uid eq index krbPrincipalName eq,pres,sub index entryUUID eq index entryCSN eq Then modify the ACLs to ensure that cn=kls2 has read access to everything in the database:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by dn.one="ou=consumers,dc=example,dc=com" read
by anonymous auth
by * none
access to dn.subtree="ou=krb5,dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by dn.one="ou=consumers,dc=example,dc=com" read
by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" write
by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read
by * none
access to attrs=loginShell
by dn="cn=admin,dc=example,dc=com" write
by self write
by users read
by * none
access to dn.base=""
by * read
access to *
by dn="cn=admin,dc=example,dc=com" write
by users read
by * none
This ensures that all entries directly under ou=consumers will have full read access to the DIT. Lastly, add these four lines to the end of the first database section to load, activate and configure the Sync Provider overlay:
access to *
by dn="cn=admin,dc=example,dc=com" write
by users read
by * none
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Having made certain changes to slapd.conf on kls1 that include new index directives, it not only becomes necessary to restart slapd, but also to reindex the database. Since it is best to run the slapindex command as the openldap user, first make this possible by altering the following line (that may not have the same UID and GID numbers) in the /etc/passwd file: openldap:x:105:107:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/sh Now stop the LDAP service, regenerate the database indices as the openldap user, and restart the LDAP service: root@kls1:~# /etc/init.d/krb5-admin-server stop root@kls1:~# /etc/init.d/krb5-kdc stop root@kls1:~# /etc/init.d/slapd stop Stopping OpenLDAP: slapd. root@kls1:~# su -c /usr/sbin/slapindex openldap root@kls1:~# /etc/init.d/slapd start Starting OpenLDAP: slapd. root@kls1:~# /etc/init.d/krb5-kdc start root@kls1:~# /etc/init.d/krb5-admin-server start root@kls1:~# _ 10. Kstart Return to kls2. To keep its copy of the LDAP database in sync, the consumer must contact the provider and authenticate itself just like any other client. It has previously been shown how to do this with a simple bind and a password, but in this case Kerberos will be used to take care of both slapd consumer authentication to the provider and encryption of the entire replication process. To make this possible, an initial Kerberos ticket (a TGT) must be obtained automatically on behalf of the openldap user, which owns the slapd process, and it must be renewed regularly. One way to do this is to run kinit -k with a cron job, but a better solution is to use a modified version of kinit, called k5start. Install it with: ~# apt-get install kstart This is the only package that gets installed as a result: kstart 3.14-1 Kerberos kinit supporting AFS and ticket refreshing To configure it, just add this line to the end of the /etc/inittab file to start running k5start in the background soon after the system boots up: KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h -k /tmp/krb5cc_105 -o openldap This must be written as a single line. A number of options have been used for this command:
After saving this modification to /etc/inittab, start k5start for the first time by forcing init to reload its configuration file: ~# kill -HUP 1 A new ticket cache file, /tmp/krb5cc_105, should be created almost immediately as a consequence. 11. sasldb2 Install a package, the sole purpose of which is to prevent a certain error from appearing in the syslog: ~# apt-get install sasl2-bin A total of two packages are installed as a result, including one dependency: db4.6-util 4.6.21-11 Berkeley v4.6 Database Utilities sasl2-bin 2.1.22.dfsg1-23+lenny1 Cyrus SASL - administration programs for SASL users database The sasldb2 database file is installed here for the same reasons as on kls1. Begin by making sure that the sasl group has access to the file: ~# chgrp sasl /etc/sasldb2 ~# chmod 660 /etc/sasldb2 ~# _ Then edit /etc/group and add openldap to the sasl group: sasl:x:45:openldap 12. Slapd kerberization This step is about kerberizing OpenLDAP. A number of requirements have already been met, but there is more. First, install this one package: ~# apt-get install libsasl2-modules-gssapi-mit Only one package is installed as a result with no dependencies: libsasl2-modules-gssapi-mit 2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authentication modules (GSSAPI) Change the permissions and ownership of the Kerberos service keytab file to allow slapd to read it: ~# chmod 640 /etc/krb5.keytab ~# chown root.openldap /etc/krb5.keytab ~# _ Next, three different files must be modified. First, edit /etc/default/slapd and and uncomment a line near the end of the file that will export the location of the Kerberos system keytab file as a variable: export KRB5_KTNAME=/etc/krb5.keytab Edit /etc/ldap/ldap.conf and add the following line, which specifies the authentication mechanism, to the end of the file: SASL_MECH GSSAPI Then, edit /etc/ldap/slapd.conf and add these lines to the end of the Global section (before any database definitions):
tool-threads 1
authz-regexp
uid=admin,cn=example.com,cn=gssapi,cn=auth
cn=admin,dc=example,dc=com
authz-regexp
uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=hosts,dc=example,dc=com
authz-regexp
uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
uid=$1,ou=people,dc=example,dc=com
sasl-realm EXAMPLE.COM
All of these changes were also made on the provider server, kls1. 13. Syncrepl Continue to edit /etc/ldap/slapd.conf, this time to enable the replication process. Start by adding two more eq index entries: index objectClass eq index uid eq index krbPrincipalName eq,pres,sub index entryUUID eq index entryCSN eq These two eq indexes will accelerate the replication process. Then add this replication stanza to the end of the first database section:
access to *
by users read
by * none
syncrepl rid=123
provider=ldap://kls.example.com:389/
type=refreshAndPersist
retry="60 30 300 +"
searchbase="dc=example,dc=com"
bindmethod=sasl
saslmech=gssapi
With the refreshAndPersist replication type, any changes made to the provider database are immediately sent to the consumer. Note that the provider's alias, ldapks, is used here, so if the OpenLDAP provider is ever moved to a different host, only the alias will need to be changed − not the configurations of the various consumers. Alternatively, in case a more bandwidth-friendly solution is desired, the refreshOnly replication strategy can be used instead:
syncrepl rid=123
provider=ldap://kls.example.com:389/
type=refreshOnly
interval=00:00:05:00
searchbase="dc=example,dc=com"
bindmethod=sasl
saslmech=gssapi
Usually, complete replication of the provider's copy of the OpenLDAP database is only possible if specific access rules are added to the provider's slapd.conf to ensure that each consumer server has read access to everything. However, in this case it is currently unnecessary to change the provider's ACLs, because other than a few unnecessary passwords, all users have complete access to the DIT anyway. 14. Referrals Still editing /etc/ldap/slapd.conf, add a referral to the end of the file, below the syncrepl stanza, to inform clients where to find the provider when they need to make changes to the LDAP database:
bindmethod=sasl
saslmech=gssapi
updateref ldap://kls.example.com:389/
Finally, since some LDAP client applications do not understand referrals, implement the chain overlay to allow slapd to chase referrals on behalf of such clients by adding the following lines to the global section of slapd.conf, before any database definitions:
sasl-realm EXAMPLE.COM
moduleload back_ldap
overlay chain
chain-uri ldap://kls.example.com:389/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl
saslmech=gssapi
mode=self
chain-return-error TRUE
Having saved all of the previous changes to /etc/slapd.conf, stop the LDAP service, delete the now-redundant local database, and restart the service. This will cause the consumer to synchronize its database with the provider for the first time: ~# /etc/init.d/slapd stop Stopping OpenLDAP: slapd. ~# rm /var/lib/ldap/* ~# /etc/init.d/slapd start Starting OpenLDAP: slapd. ~# _ If the original copy of the local database on kls2 is not deleted, its two existing entries − the domain component and the admin user (with password somalica) − will not be replaced with those of the provider, even though the rest of the DIT will be synchronized. If everything works as expected, it should now be possible to run the slapcat command on both the consumer and the provider and verify that, in both cases, the entire output is exactly the same. 15. Kerberos server start Start the Kerberos admin and KDC servers for the first time: ~# /etc/init.d/krb5-kdc start ~# _ If there are no errors, run the following command to verify that the new MIT Kerberos V master server is indeed available on the network: ~# nmap -sU kls2.example.com. Note the trailing dot! This should be among the results: PORT STATE SERVICE 88/udp open|filtered kerberos-sec 750/udp open|filtered kerberos 4444/udp open|filtered krb524 16. Authentication test Run some tests. First try a simple unauthenticated (-x) LDAP query: ~# ldapsearch -x -LLL cn=kls2 No such object (32) ~# _ As on kls1, this no longer works. The authenticated version will also give an error: ~# ldapsearch -LLL cn=kls2 SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) ~# _ Acquire a Kerberos ticket for the admin user (password arietans): ~# kinit admin Password for admin@EXAMPLE.COM: arietans ~# _ A verification of the ticket should show a success: ~# klist -5 Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 02/09/10 03:49:04 02/10/10 03:49:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM ~# _ Now the authenticated version of the query should also work: ~# ldapsearch -LLL cn=kls2 SASL/GSSAPI authentication started SASL username: admin@EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. dn: cn=kls2,ou=consumers,dc=example,dc=com cn: kls2 objectClass: simpleSecurityObject objectClass: organizationalRole description: LDAP server2 replicator userPassword:: e0NSWVBUfSo= ~# _ 17. Proxy authorization Before the chaining configuration added in step 14 will work, more changes first have to be made to the OpenLDAP provider server, kls1.example.com. What is required is something called SASL proxy authorization. With this mechanism it is possible to allow an authenticated user, such as the consumer server in this example, to assume the identity of other users and use that to relay their write requests on to the provider server. The ability to assume another user's identity is important, as it would otherwise not be possible to enforce existing access rules. Two changes are needed to enable proxy authorization. First, the cn=kls2 LDAP object must be modified to include the authzTo attribute, which will allow it to act as an authorization proxy for certain users. Second, an authz-policy directive must be added to the slapd.conf file. Start by creating an LDIF file on the provider server, called ~/kls2-mod.ldif, with the following contents: dn: cn=kls2,ou=consumers,dc=example,dc=com changetype: modify add: authzTo authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$ authzTo: dn.exact:cn=admin,dc=example,dc=com - The authzTo attribute is a source rule that determines which user identities it is allowed to assume; in this case its value is a regular expression that matches all uid objects in the ou=people,dc=example,dc=com container. Run the following command to apply this modification: root@kls1:~# ldapmodify -f ~/kls2-mod.ldif SASL/GSSAPI authentication started SASL username: admin@EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. modifying entry "cn=kls2,ou=consumers,dc=example,dc=com" root@kls1:~# _ Next, edit /etc/ldap/slapd.conf on kls1 and add this line to the end of the Global directives section: sasl-realm EXAMPLE.COM authz-policy to This statement enables proxy authorization using rules associated with the authzTo attribute of the authentication DN (in this case cn=kls2). Without this, the authzTo attribute that was added to the cn=kls2 entry would be ignored. Having made these changes to /etc/slapd.conf, save them and restart the LDAP service: root@kls1:~# /etc/init.d/slapd restart Stopping OpenLDAP: slapd. Starting OpenLDAP: slapd. root@kls1:~# _ 18. Proxy auth test This last step will test whether the proxy authorization actually works. This is easily done on the consumer server using the ldapadd command. This exercise will also be used as an excuse to create a new user account. Start by using kadmin to create an account for a user ccolumbus with password NewWorld: ~# kadmin -p admin Authenticating as principal admin with password. Password for admin@EXAMPLE.COM: arietans kadmin: addprinc ccolumbus WARNING: no policy specified for ccolumbus@EXAMPLE.COM; defaulting to no policy Enter password for principal "ccolumbus@EXAMPLE.COM": NewWorld Re-enter password for principal "ccolumbus@EXAMPLE.COM": NewWorld Principal "ccolumbus@EXAMPLE.COM" created. kadmin: q ~# _ Having completed that, the object is now to test the proxy authentication configuration by creating a matching LDAP user account for ccolumbus. If this works, the changes will be immediately available on the consumer server (or within five minutes if refreshOnly replication is used). First, create a file, called ~/ccolumbus.ldif, with the following contents:
dn: cn=ccolumbus,ou=groups,dc=example,dc=com
cn: ccolumbus
gidNumber: 20001
objectClass: top
objectClass: posixGroup
dn: uid=ccolumbus,ou=people,dc=example,dc=com
uid: ccolumbus
uidNumber: 20001
gidNumber: 20001
cn: Christopher
sn: Columbus
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/ccolumbus
userPassword: {CRYPT}*
Then apply this change with the ldapadd command: ~# ldapadd -f ~/ccolumbus.ldif SASL/GSSAPI authentication started SASL username: admin@EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. adding new entry "cn=ccolumbus,ou=groups,dc=example,dc=com" adding new entry "uid=ccolumbus,ou=people,dc=example,dc=com" ~# _ That looked like a success. Over on kls1, this is what appeared in the syslog as a result: Feb 13 23:20:09 kls1 slapd[3968]: conn=2 op=2 \ BIND authcid="ldap/kls2.example.com@EXAMPLE.COM" \ authzid="ldap/kls2.example.com@EXAMPLE.COM" Feb 13 23:20:09 kls1 slapd[3968]: conn=2 op=2 \ BIND dn="cn=kls2,ou=consumers,dc=example,dc=com" \ mech=GSSAPI sasl_ssf=56 ssf=56 Feb 13 23:20:09 kls1 slapd[3968]: \ conn=2 op=2 RESULT tag=97 err=0 text= Feb 13 23:20:09 kls1 slapd[3968]: \ conn=2 op=3 PROXYAUTHZ dn="cn=admin,dc=example,dc=com" Feb 13 23:20:09 kls1 slapd[3968]: \ conn=2 op=3 ADD dn="cn=ccolumbus,ou=groups,dc=example,dc=com" This confirms that kls2 is using its Kerberos ID, ldap/kls2.example.com@EXAMPLE.COM, which is then translated by the authz-regexp statement on kls1 to cn=kls2, which is then authorized to act as a proxy for cn=admin, which is in turn authorized to add the new cn=ccolumbus entry. For another confirmation of success, a search for uid=ccolumbus should show that this entry has indeed been added to the DIT: ~# ldapsearch -LLL uid=ccolumbus SASL/GSSAPI authentication started SASL username: admin@EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. dn: uid=ccolumbus,ou=people,dc=example,dc=com uid: ccolumbus uidNumber: 20001 gidNumber: 20001 cn: Christopher sn: Columbus objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/ccolumbus userPassword:: e0NSWVBUfSo= ~# _ 19. See also
20. Further reading
21. Sources
Last modified: 2017-08-02, 17:50
©2003-2020 RJ Systems. Permission is granted to copy, distribute and/or modify the content of this page under the terms of the OpenContent License, version 1.0. |
