Managing Kerberos in Oracle® Solaris 11.4

Updated: August 2020

Configuring a Master KDC on an Oracle Unified Directory Server

Installing the KDC and the LDAP server on the same system gives better performance.

The main steps are:

  1. Installing the OUD package

  2. Configuring the OUD server

  3. Adding the OUD server to the Kerberos configuration file

  4. Creating keys for the KDC and specifying a privileged port for the OUD servers

  5. Configuring KDC roles and services on the OUD server

  6. Creating and installing a certificate and keys for the OUD server

  7. Testing

  8. Synchronizing the master KDC's clock with the clock synchronization server

How to Configure a Master KDC on an Oracle Unified Directory LDAP Directory Server

This procedure configures a KDC master and an OUD server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.

Before You Begin

Ensure that the system is configured to use DNS. This procedure uses OUD for LDAP. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory 11g Release 2 (11.1.2).

You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Download the OUD package.

    Follow the directions on the Downloads for Oracle Identity Management web site.

  2. Configure the OUD LDAP server.

    See the links to OUD information on the Oracle Identity Management page.

    This sample configuration uses the following parameters:

    • Listener port: 1389

    • TLS port: 1636 (privileged port)

    • Administrator connector port: 4444

    • Password: nnnnnnnn

    • Certificates: StartTLS and TLS

    • Process: java -server -Dorg.opends.server.scriptName=sta...

    # cd Oracle/Middleware/Oracle_OUD1
    # export JAVA_HOME=/usr/jdk/instances/jdkversion
    # ./oud-setup
  3. Verify that the LDAP server is listening.
    # ldapsearch -x -p 1389 -D "cn=directory manager" -h $HOSTNAME -b "" -s base objectclass='*'
  4. Add the initial profile entries to the OUD configuration.
    # pfedit profile.ldif
      dn: ou=profile,dc=example,dc=com
      ou: profile
      objectclass: top
      objectclass: organizationalUnit
    # ldapmodify -a -h $HOSTNAME -D "cn=directory manager" -f profile.ldif
  5. Remove the newlines from all the attribute types in the kerberos.ldif file, then add the file to the OUD configuration.
    # pfedit /usr/share/lib/ldif/kerberos.ldif 
    # ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" \
       -f /usr/share/lib/ldif/kerberos.ldif
  6. Add the OUD server to the Kerberos configuration file.
    # pfedit /etc/krb5/krb5.conf
     [realms]
             EXAMPLE.COM = {
                     kdc = krb1.example.com
                     admin_server = krb1.example.com
                     database_module = LDAP
             }
    
     [dbmodules]
             LDAP = {
                     db_library = kldap
                     ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                     ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                     ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                     ldap_cert_path = /var/ldap
                     ldap_servers = ldap://krb1:1389
             }
      ...
  7. Create the keys and stash files for LDAP binding to the KDC and kadmin services.
    # kdb5_ldap_util -D "cn=directory manager" create -P nnnnnnnn -r EXAMPLE.COM -s
    # kdb5_ldap_util stashsrvpw "cn=kdc service,ou=profile,dc=example,dc=com"
    # kdb5_ldap_util stashsrvpw "cn=kadmin service,ou=profile,dc=example,dc=com"
  8. Modify the ldap_servers entry in the Kerberos configuration file to use a privileged port.
    # pfedit /etc/krb5/krb5.conf
           ldap_servers = ldaps://krb1:1636
  9. Add Kerberos entries to the OUD server.
    1. Create and add KDC roles.
      # pfedit kdc_roles.ldif
       dn: cn=kdc service,ou=profile,dc=example,dc=com
       cn: kdc service
       sn: kdc service
       objectclass: top
       objectclass: person
       userpassword: nnnnnnnn
       
       dn: cn=kadmin service,ou=profile,dc=example,dc=com
       cn: kadmin service
       sn: kadmin service
       objectclass: top
       objectclass: person
       userpassword: nnnnnnnn
      
      # ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f kdc_roles.ldif
    2. Create and add administrative users.
      # pfedit example.ldif 
      dn: dc=example,dc=com
      changetype: modify
      replace: aci
      aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
       "userPassword")(version 3.0;acl "Anonymous read-search access";
       allow (read, search, compare)(userdn = "ldap:///anyone");)
      aci: (target="ldap:///dc=example,dc=com") (targetattr =
        "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
        "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
      
      dn: ou=Groups, dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: Groups
      
      dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
      cn: Directory Administrators
      objectclass: top
      objectclass: groupofuniquenames
      ou: Groups
      uniquemember: uid=kvaughan, ou=People, dc=example,dc=com
      uniquemember: uid=rdaugherty, ou=People, dc=example,dc=com
      uniquemember: uid=hmiller, ou=People, dc=example,dc=com
      
      dn: ou=People, dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: People
      aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
       "userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;
       acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
      aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
       "cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;
       acl "Accounting Managers Group Permissions";allow (write) (groupdn =
        "ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
      aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
       "cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;
       acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,
       ou=groups,dc=example,dc=com");)
      aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
       "cn || sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;
       acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,
       ou=groups,dc=example,dc=com");)
      aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
       "cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;
       acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///
       cn=PD Managers,ou=groups,dc=example,dc=com");)
      
      dn: ou=Special Users,dc=example,dc=com
      objectclass: top
      objectclass: organizationalUnit
      ou: Special Users
      description: Special Administrative Accounts
       
      # ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f example.ldif
    3. Create and add ACLs for LDAP entries.
      # pfedit kadmin.aci
      ## Set kadmin ACL for everything under krbcontainer.
      dn: cn=krbcontainer,dc=example,dc=com
      changetype: modify
      replace: aci
      aci: (target="ldap:///cn=krbcontainer,dc=example,dc=com") (targetattr="*")
       (version 3.0; acl "kadmin_ACL"; allow (all)
       userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
      
      ## Set kadmin ACL for everything under the people subtree if there are
      ## mix-in entries for krb princs:
      dn: ou=people,dc=example,dc=com
      changetype: modify
      replace: aci
      aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr="*")
       (version 3.0; acl "kadmin_ACL"; allow (all)
       userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
      
      # ldapmodify -h $HOSTNAME -D "cn=directory manager" -f kadmin.aci
  10. Generate and store the TLS certificate for the OUD server.

    This set of commands also creates the key manager provider, trust manager provider, and connection handler.

    # cd ~OUD-base-location/ORACLE_HOME
    # export LDAPHOME=$PWD
    # export LDAP_SERVER_DN=krb1.example.com
    # export STORE_PASSWD=xxxxxxxx
    # export LDAP_BINDPWF=$LDAPHOME/config/keystore.pin
    # export LDAP_ADMIN_PORT=4444
    # export LDAP_BINDDN="cn=directory manager"
    # export LDAP_SERVER=krb1.example.com
    # rm $LDAPHOME/config/keystore
    # rm $LDAPHOME/config/truststore
    # echo $STORE_PASSWD > $LDAP_BINDPWF
    # keytool -genkeypair -alias server-cert -keyalg rsa \
       -dname "CN=$LDAP_SERVER_DN" -keystore $LDAPHOME/config/keystore \
       -storepass $STORE_PASSWD -keypass $STORE_PASSWD
    # keytool -selfcert -alias server-cert -validity 1825 \
       -keystore $LDAPHOME/config/keystore -storetype JKS -storepass $STORE_PASSWD
    # keytool -list -alias server-cert -keystore $LDAPHOME/config/keystore \
       -storepass $STORE_PASSWD
    # keytool -exportcert -alias server-cert -file $LDAPHOME/config/server-cert.txt \
       -rfc -keystore $LDAPHOME/config/keystore -storepass $STORE_PASSWD
    # cp $LDAPHOME/config/server-cert.txt /var/ldap/certdb.pem
  11. Enable the key manager provider, trust manager provider, and connection handler.
    # ldapservercfg -X -n -h $LDAP_SERVER -p $LDAP_ADMIN_PORT -D "$LDAP_BINDDN" \
      -j $LDAP_BINDPWF set-connection-handler-prop \
      --handler-name "LDAPS Connection Handler" \
      --set key-manager-provider:JKS --set trust-manager-provider:JKS \
      --set listen-port:1636 --set enabled:true
    # bin/stop-ds
  12. (Optional) Verify the configuration with an SSL LDAP query.
    # /usr/lib/openldap/bin/ldapsearch -x -v -D "$LDAP_BINDDN" -W \
       -H ldaps://$LDAP_SERVER_DN:1636 -b "" -s base objectclass='*'
  13. Synchronize this system's clock with other clocks in the realm.

    Note - A master KDC cannot be the clock synchronization server.

    For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(5) man page.
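As an added check that is not part of the Oracle procedure, the following parses the [dbmodules] block of /etc/krb5/krb5.conf and reports a kldap module whose ldap_servers entry still uses the plain ldap://krb1:1389 URL of step 6 instead of the ldaps://krb1:1636 URL set in step 8, or that has no ldap_cert_path. The KDC and kadmind bind to the directory with the stashed service passwords and read principal keys over that connection, so it must be TLS. The parser, the function names and the sample text are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the [dbmodules] block of /etc/krb5/krb5.conf as written in
# step 6, i.e. before step 8 changes ldap_servers to ldaps://krb1:1636.
SAMPLE_BEFORE = """\
[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_cert_path = /var/ldap
                ldap_servers = ldap://krb1:1389
        }
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("ldap://krb1:1389", "ldaps://krb1:1636")

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}} (one nesting level)."""
    conf, section, sub = {}, {}, None   # 'section' starts as a throwaway dict
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line.endswith("{"):             # 'NAME = {' opens a nested block
            sub = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            sub = None
        else:
            key, _, val = line.partition("=")
            (section if sub is None else sub)[key.strip()] = val.strip().strip('"')
    return conf

def check_ldap_modules(conf):
    """One finding per kldap module URL that is not ldaps://, plus one if
    ldap_cert_path is unset (the directory server's certificate is then unverified)."""
    findings = []
    for name, mod in conf.get("dbmodules", {}).items():
        if not isinstance(mod, dict) or mod.get("db_library") != "kldap":
            continue
        for url in mod.get("ldap_servers", "").split():   # whitespace-separated list
            if urlsplit(url).scheme != "ldaps":
                findings.append(f"{name}: {url} is not ldaps://")
        if not mod.get("ldap_cert_path"):
            findings.append(f"{name}: ldap_cert_path not set")
    return findings
```

Running check_ldap_modules(parse_krb5_conf(SAMPLE_BEFORE)) reports the step 6 URL, and the same call on SAMPLE_AFTER returns an empty list.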