As mentioned previously, to authenticate Kerberos users through GSSAPI, the Directory Server must have its own Principal in the KDC. For authentication to work properly, the Principal information must reside in a Kerberos keytab on the Directory Server machine. This information must be in a file that is readable by the user account under which the Directory Server operates.
Create a keytab file with the correct properties by using the following command sequence:
$ /usr/sbin/kadmin -p kws/admin Enter Password: secret kadmin: ktadd -k //local/ds/config/ldap.keytab ldap/directory.example.com Entry for principal ldap/directory.example.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/local/ds/config/ldap.keytab. kadmin: quit $ |
Change the permissions and ownership on this custom keytab. Make the keytab owned by the user account used to run Directory Server and readable only by that user:
$ chown unixuser:unixgroup /local/ds/config /ldap.keytab $ chmod 600 /local/ds/config/ldap.keytab $ |
By default, the Directory Server tries to use the standard Kerberos keytab in the file /etc/kerb5/krb5.keytab. However, making this file readable by the Directory Server user could constitute a security risk, which is why a custom keytab was created for the Directory Server.
Configure the Directory Server to use the new custom keytab. Do this by setting the KRB5_KTNAME environment variable.
Finally, restart the Directory Server to allow these changes to take effect:
$ KRB5_KTNAME=/etc/krb5/ldap.keytab dsadm restart /local/ds |