Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Configure the Master KDC to Use an LDAP Directory Server

    This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Directory Server = dsserver.example.com

  • admin principal = kws/admin

  • FMRI for the LDAP service = svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1

  • Online help URL = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html


    Note -  Adjust the URL to point to the location of the online help, as described in gkadmin GUI.

Before You Begin

The host is configured to use DNS. For better performance, install the KDC and the LDAP Directory Service on the same server. In addition, a Directory Server should be running. The following procedure works with servers using the Oracle Directory Server Enterprise Edition. For more information, see Oracle Identity Management - Documentation.

You must assume the root role on the KDC server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Configure the master KDC to use SSL to reach the Directory Server.

    The following steps configure the KDC to use the Directory Server's self-signed certificate.

    1. On the Directory Server, export the self-signed certificate.
      # /export/sun-ds6.1/ds6/bin/dsadm show-cert -F der /export/sun-ds6.1/directory2 \
      defaultCert > /tmp/defaultCert.cert.der
    2. On the master KDC, import the Directory Server's certificate.
      # pktool setpin keystore=nss dir=/var/ldap
      # chmod a+r /var/ldap/*.db
      # pktool import keystore=nss objtype=cert trust="CT" \
      infile=/tmp/defaultCert.cert.der \
      label=defaultCert dir=/var/ldap

      For more information, see the pktool(1) man page.

    3. On the master KDC, test that SSL is working.

      This example assumes that the cn=directory manager entry has administration privileges.

      master# /usr/bin/ldapsearch -Z -P /var/ldap -D "cn=directory manager" \
      -h dsserver.example.com -b "" -s base objectclass='*'
      Subject:
      "CN=dsserver.example.com,CN=636,CN=Directory Server,O=Example Corporation

      Note that the CN=dsserver.example.com entry must include the fully qualified host name, not a short version.

  2. Populate the LDAP directory, if necessary.
  3. Add the Kerberos schema to LDAP's existing schema.
    # ldapmodify -h dsserver.example.com -D "cn=directory manager" \
    -f /usr/share/lib/ldif/kerberos.ldif
  4. Create the Kerberos container in the LDAP directory.

    Add the following entries to the krb5.conf file.

    1. Define the database type.

      Add an entry to define the database_module to the realms section.

      database_module = LDAP
    2. Define the database module.
      [dbmodules]
      LDAP = {
      ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
      db_library = kldap
      ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
      ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
      ldap_cert_path = /var/ldap
      ldap_servers = ldaps://dsserver.example.com
      }
    3. Create the KDC in the LDAP directory.

      This command creates krbcontainer and several other objects. It also creates the master key for the realm and, because of the -s option, stores it in the /var/krb5/.k5.EXAMPLE.COM stash file. For information about the options to the command, see the kdb5_ldap_util(1M) man page.

      # kdb5_ldap_util -D "cn=directory manager" create \
         -P master-key -r EXAMPLE.COM -s
  5. Stash the KDC bind Distinguished Name (DN) passwords.

    These passwords are used by the KDC when it binds to the Directory Server. The KDC binds with a different role (DN) depending on the type of access it needs: the kdc service role for the KDC daemon and the kadmin service role for the kadmind daemon.

    # kdb5_ldap_util stashsrvpw "cn=kdc service,ou=profile,dc=example,dc=com"
    # kdb5_ldap_util stashsrvpw "cn=kadmin service,ou=profile,dc=example,dc=com"
  6. Add KDC service roles.
    1. Create a kdc_roles.ldif file with contents like this:
      dn: cn=kdc service,ou=profile,dc=example,dc=com
      cn: kdc service
      sn: kdc service
      objectclass: top
      objectclass: person
      userpassword: xxxxxxxx
      
      dn: cn=kadmin service,ou=profile,dc=example,dc=com
      cn: kadmin service
      sn: kadmin service
      objectclass: top
      objectclass: person
      userpassword: xxxxxxxx
    2. Create the role entries in the LDAP directory.
      # ldapmodify -a -h dsserver.example.com -D "cn=directory manager" -f kdc_roles.ldif
  7. Set the ACLs for the kadmin-related roles.
    # cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager"
    # Set kadmin ACL for everything under krbcontainer.
    dn: cn=krbcontainer,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///cn=krbcontainer,dc=example,dc=com")(targetattr="krb*")(version 3.0;\
    acl kadmin_ACL; allow (all)\
    userdn = "ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
    
    # Set kadmin ACL for everything under the people subtree if there are
    # mix-in entries for krb princs:
    dn: ou=people,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="krb*")(version 3.0;\
    acl kadmin_ACL; allow (all)\
    userdn = "ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
    EOF
  8. Edit the Kerberos configuration file, krb5.conf.

    You need to name the realms and the servers. For a description of this file, see the krb5.conf(4) man page.

    kdc1 # pfedit /etc/krb5/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM
    
    [realms]
    EXAMPLE.COM = {
    kdc = kdc1.example.com
    admin_server = kdc1.example.com
    }
    
    [domain_realm]
    .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent,
    # this entry is not needed
    #
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    gkadmin = {
    help_url = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html
    }

    Note -  Adjust the URL to point to the location of the online help, as described in gkadmin GUI.

    In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries were changed. In addition, the online help URL was changed.


    Note -  If you must communicate with an older Kerberos system, you might need to restrict the encryption types. For a description of the issues involved with restricting the encryption types, see Kerberos Encryption Types.
  9. Edit the KDC configuration file, kdc.conf.

    You need to name the realm. For a description of this file, see the kdc.conf(4) man page.

    In this example, in addition to the realm name definition, the administrator changes incremental propagation and logging defaults.

    kdc1 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    sunw_dbprop_master_ulogsize = 1000
    }

    Note -  If you must communicate with an older Kerberos system, you might need to restrict the encryption types. For a description of the issues involved with restricting the encryption types, see Kerberos Encryption Types.
  10. Edit the Kerberos access control list file, kadm5.acl.

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC.

    kws/admin@EXAMPLE.COM   *

    The preceding entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals and policies in the KDC. The default principal entry is an asterisk (*), which matches all admin principals. This entry can be a security risk. Modify the file to explicitly list every admin principal and its rights. For more information, see the kadm5.acl(4) man page.

  11. Start the kadmin.local command and create admin principals.
    kdc1 # /usr/sbin/kadmin.local
    kadmin.local: 
    1. Add administration principals to the database.

      You can add as many admin principals as you need. You must create at least one admin principal to complete the KDC configuration process. For this example, you create the kws/admin principal. You can substitute an appropriate principal name instead of “kws”.

      kadmin.local: addprinc kws/admin
      Enter password for principal kws/admin@EXAMPLE.COM:/** Type strong password **/
      Re-enter password for principal kws/admin@EXAMPLE.COM: xxxxxxxx
      Principal "kws/admin@EXAMPLE.COM" created.
      kadmin.local:
    2. Quit kadmin.local.
      kadmin.local: quit
  12. (Optional) Configure LDAP dependencies for Kerberos services.

    If the LDAP and KDC servers are running on the same host and if the LDAP service is configured with SMF, add a dependency to the LDAP service for the Kerberos daemons. This dependency will restart the KDC service if the LDAP service is restarted.

    1. Add the dependency to the krb5kdc service.
      # svccfg -s security/krb5kdc
      svc:/network/security/krb5kdc> addpg dsins1 dependency
      svc:/network/security/krb5kdc> setprop dsins1/entities = \
      fmri: "svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1"
      svc:/network/security/krb5kdc> setprop dsins1/grouping = astring: "require_all"
      svc:/network/security/krb5kdc> setprop dsins1/restart_on = astring: "restart"
      svc:/network/security/krb5kdc> setprop dsins1/type = astring: "service"
      svc:/network/security/krb5kdc> exit
    2. Add the dependency to the kadmin service.
      # svccfg -s security/kadmin
      svc:/network/security/kadmin> addpg dsins1 dependency
      svc:/network/security/kadmin> setprop dsins1/entities = \
      fmri: "svc:/application/sun/ds:ds--var-opt-SUNWdsee-dsins1"
      svc:/network/security/kadmin> setprop dsins1/grouping = astring: "require_all"
      svc:/network/security/kadmin> setprop dsins1/restart_on = astring: "restart"
      svc:/network/security/kadmin> setprop dsins1/type = astring: "service"
      svc:/network/security/kadmin> exit
  13. Complete Kerberos configuration in LDAP by performing Step 7 through Step 9 in How to Manually Configure a Master KDC.
  14. Configure Slave KDCs.

    To provide redundancy, make sure to install at least one slave KDC. For instructions, see How to Manually Configure a Slave KDC.
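The following audit script checks two of the files this procedure produces: the [dbmodules] LDAP definition in krb5.conf from Step 4 (the Directory Server must be reached over ldaps:// with a certificate path, otherwise the stashed bind passwords from Step 5 cross the network in the clear) and the kadm5.acl file from Step 10 (wildcard principal entries such as the default */admin grant rights to every matching principal). This is an added example, not Oracle's code; the parser, the function names and the severity labels are assumptions of this example, and the sample files are constructed here from the values on this page.

```python
"""Post-configuration audit for krb5.conf and kadm5.acl (added example, not
Oracle's code). The parser, function names and severity labels are assumptions
of this example; the sample files below are constructed from the page."""
import re


def parse_krb5_conf(text):
    """Parse the profile format shared by krb5.conf and kdc.conf into nested
    dicts: {section: {key: value}}, with `key = { ... }` blocks as sub-dicts.
    '#' comments and blank lines are skipped; a repeated key keeps its last value."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not stack:
            continue                      # stray text outside a section
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value.strip('"')
    return conf


def audit_ldap_backend(conf, realm):
    """Return a list of findings about the LDAP database module used by `realm`."""
    findings = []
    module = conf.get("realms", {}).get(realm, {}).get("database_module")
    if not module:
        return [f"realm {realm}: no database_module set, the LDAP backend is not in use"]
    mod = conf.get("dbmodules", {}).get(module)
    if mod is None:
        return [f"database_module {module} is not defined in [dbmodules]"]
    if mod.get("db_library") != "kldap":
        findings.append(f"{module}: db_library is {mod.get('db_library')!r}, expected kldap")
    for url in mod.get("ldap_servers", "").split():
        if not url.startswith("ldaps://"):
            findings.append(f"{module}: ldap_servers entry {url} does not use ldaps://, "
                            "the KDC bind passwords would cross the network unencrypted")
    if "ldap_cert_path" not in mod:
        findings.append(f"{module}: ldap_cert_path missing, the Directory Server "
                        "certificate cannot be verified")
    for key in ("ldap_kdc_dn", "ldap_kadmind_dn"):
        if key not in mod:
            findings.append(f"{module}: {key} missing")
    return findings


def audit_kadm5_acl(text):
    """Return (severity, message) findings for kadm5.acl entries. A wildcard in
    the principal field is 'high' because every matching principal inherits the
    rights; '*' or 'x' in the privilege field means all rights."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        principal = fields[0]
        privs = fields[1] if len(fields) > 1 else ""
        if "*" in principal:
            findings.append(("high", f"{principal}: wildcard principal with rights '{privs}'"))
        elif privs in ("*", "x"):
            findings.append(("info", f"{principal}: explicit principal with all rights"))
    return findings


# Constructed sample: the krb5.conf fragments from Steps 4 and 8 of the page.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
        database_module = LDAP
    }
[dbmodules]
    LDAP = {
        ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
        db_library = kldap
        ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
        ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
        ldap_cert_path = /var/ldap
        ldap_servers = ldaps://dsserver.example.com
    }
"""
# Constructed counter-example: plain ldap:// and no certificate path.
WEAK_KRB5_CONF = KRB5_CONF.replace("ldaps://", "ldap://").replace("ldap_cert_path = /var/ldap", "")
# Constructed kadm5.acl: the default wildcard entry, the page's explicit admin,
# and a hypothetical wildcard host entry with limited rights.
KADM5_ACL = """
*/admin@EXAMPLE.COM   *
kws/admin@EXAMPLE.COM *
host/*@EXAMPLE.COM    ci
"""

if __name__ == "__main__":
    for label, text in (("page krb5.conf", KRB5_CONF), ("weakened krb5.conf", WEAK_KRB5_CONF)):
        problems = audit_ldap_backend(parse_krb5_conf(text), "EXAMPLE.COM")
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
    for severity, message in audit_kadm5_acl(KADM5_ACL):
        print(f"kadm5.acl [{severity}] {message}")
```

Run against the real files with `parse_krb5_conf(open('/etc/krb5/krb5.conf').read())` and `audit_kadm5_acl(open('/etc/krb5/kadm5.acl').read())`; the explicit kws/admin entry is reported only as information, while the default */admin line is the one the page calls a security risk.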