From: Syan Tan
Subject: [Gnumed-devel] ldap kerberos stuff, for future reference if needed.
Date: Sun, 05 Feb 2006 09:43:30 +0800
This might be useful for secure messaging, and possibly secure login.
LDAP resources
urls for getting started:
http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html
http://www.openldap.org/doc/admin23
the stooges ldif at http://www.yolinux.com/TUTORIALS/OpenLDAP2.0-stooges.ldif-sample.txt
shows a 3 level 3 stooges hierarchy, with an organization 3 stooges, two membership groups A and B, Larry and Moe in A, and Curly in B.
steps
1. install ldap
synaptic - search ldap, select openldap packages, and "apply"
2. change /etc/ldap/slapd.conf
append the stooges-slapd.conf extract that has the stooges database.
change "database ldbm" to "database bdb", because this is the Debian default backend type (Berkeley DB)
3. insert the stooges.ldif
this can be done without invoking gsasl, by being root, and doing
slapadd -l stooges.ldif
slapadd isn't available to the ordinary user.
4. setting up kerberos - in order to allow ordinary users to use ldap.
synaptic - search kerberos, and install kerberos 5 server and client (and docs).
5. make a nice network environment for kerberos -
A. change /etc/hosts so that localhost.localdomain is no longer just 127.0.0.1, but whatever the machine's
network address is on your local network. tethereal shows that it is inbuilt into kerberos clients not to contact 127.0.0.1
when looking for the key distribution centre server (kdc).
B. change /etc/resolv.conf: this should have nameserver <my network address>, as it is going to point
to a named server , which is the bind9 dns package that is going to be installed to allow a local dns to help find the
kdc server, and the kerberos admin server.
C. install bind9 using synaptic.
D. create a new db file called db.kdc by copying db.empty in /etc/bind/ to /etc/bind/db.kdc , and appending something like
$ORIGIN localdomain.
_kerberos TXT "LOCALHOST";
kerberos CNAME LOCALHOST;
_kerberos._udp SRV 0 0 88 localhost;
;_kerberos._tcp SRV 0 0 88 localhost;
_kerberos-master._udp SRV 0 0 88 localhost;
_kerberos-adm._tcp SRV 0 0 749 localhost;
_kpasswd._udp SRV 0 0 464 localhost
;
what this bind fragment means, I'm guessing from the tethereal packets:
the $ORIGIN command is the most important, which means it appends ".localdomain" to each of the entries and any mappings.
_kerberos._udp SRV 0 0 88 localhost
will map to
_kerberos._udp.localdomain and this will map to localhost.localdomain:88
port 88 is the default server port for the kerberos kdc.
It's very easy to get confused between localhost, and localdomain. The _kerberos._udp service name is used as a constant
name by the kerberos client software, and it expects a dns to give back the kdc server address.
Finally, link in the /etc/bind/db.kdc zone definition in /etc/bind/named.conf.local by adding something like
zone "localdomain" { type master; file "/etc/bind/db.kdc"; };
then run "/etc/init.d/bind restart", to see if it worked. I don't know why zone "localdomain" will coexist with zone "localhost".
E. install the LOCALDOMAIN realm if not already done via the Debian installation script for kerberos (it should have prompted for
a realm name). the command krb5_newrealm as root will do this.
6. Add some users for kerberos.
kadmin.local as root allows local administration of kerberos.
the kadmin commands addprinc, listprincs, change_password (cpw) are needed.
kadmin.local: listprincs
K/address@hidden
admin/address@hidden
kadmin/address@hidden
kadmin/address@hidden
kadmin/address@hidden
kadmin/address@hidden
krbtgt/address@hidden
-----------------
ldap/address@hidden
sjtan/address@hidden
the last 2 users were manually added, and seem to work.
- the @LOCALDOMAIN is the kerberos security realm of the user, not an internet address.
- the policy stuff seems to be unnecessary to change.
the ldap user needs to be there, for the ldap gsasl credential getting mechanism to work, and this
needs to be added by doing "addprinc ldap/address@hidden" on the kadmin command line.
7. logging into kerberos.
the kinit command allows anyone to login as a certain principal.
it stores the credential on the local machine as /tmp/krb5cc_1000, where 1000 is the unix user's uid.
the credential is time limited, and needs renewing if allowed in the kerberos configuration.
8. using ldapadd after kinit.
ldapadd should work now for an ordinary user after kinit,
but make sure the /etc/conf/slapd.conf allows access.
in slapd.conf:
access to * by users write
should allow every kinit authenticated user to change anything in the ldap database. (needs to be refined)
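Added example, not part of the post above: a small Python parser for the db.kdc fragment in step 5D that applies $ORIGIN the way the post describes (so _kerberos._udp becomes _kerberos._udp.localdomain) and checks that the SRV names a Kerberos client looks up resolve to the ports the post lists (88, 749, 464). The zone text and the expected-port table are constructed from the post; check_kerberos_srv and the other function names are hypothetical helpers.

```python
# Constructed copy of the db.kdc fragment from the post (';' starts a comment).
ZONE_FRAGMENT = """\
$ORIGIN localdomain.
_kerberos TXT "LOCALHOST"
kerberos CNAME LOCALHOST
_kerberos._udp SRV 0 0 88 localhost
;_kerberos._tcp SRV 0 0 88 localhost
_kerberos-master._udp SRV 0 0 88 localhost
_kerberos-adm._tcp SRV 0 0 749 localhost
_kpasswd._udp SRV 0 0 464 localhost
"""
# Ports a Kerberos client expects behind each SRV service name (from the post).
EXPECTED_PORTS = {"_kerberos._udp": 88, "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464}

def qualify(name, origin):
    """Append $ORIGIN to a relative name; a name ending in '.' is already absolute."""
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin.rstrip('.')}"

def parse_zone(text):
    """Return (owner_fqdn, rtype, rdata) triples; $ORIGIN is applied to owners and to
    the name-valued rdata of CNAME/SRV records, and ';' comments are skipped."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, *rdata = line.split()
        if rtype in ("CNAME", "SRV"):
            rdata[-1] = qualify(rdata[-1], origin)  # target is a relative name too
        records.append((qualify(owner, origin), rtype, rdata))
    return records

def srv_targets(records):
    """Map each SRV owner to the host:port a client resolving it would contact."""
    return {owner: f"{rdata[3]}:{rdata[2]}" for owner, rtype, rdata in records if rtype == "SRV"}

def check_kerberos_srv(text, realm_domain):
    """Report expected Kerberos SRV records that are missing or on an unexpected port."""
    targets, problems = srv_targets(parse_zone(text)), []
    for service, port in EXPECTED_PORTS.items():
        fqdn = f"{service}.{realm_domain}"
        if fqdn not in targets:
            problems.append(f"missing {fqdn}")
        elif not targets[fqdn].endswith(f":{port}"):
            problems.append(f"{fqdn} -> {targets[fqdn]}, expected port {port}")
    return problems
```

The commented-out _kerberos._tcp line is dropped by the parser, which matches what the running named would serve; an empty result from check_kerberos_srv means all three lookups the client makes are answered on the expected ports.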