Managing Kerberos in Oracle® Solaris 11.4

Updated: August 2020

Configuring a Master KDC on an OpenLDAP Directory Server

Installing the KDC and OpenLDAP on the same server gives better performance.

The main steps involved in configuring the KDC and OpenLDAP on the same server are:

  1. Installing the OpenLDAP package

  2. Enabling the LDAP service

  3. Configuring access to the OpenLDAP server

  4. Ensuring that the OpenLDAP daemon is listening on ldapi://

  5. Adding organizational entries to the OpenLDAP server

  6. Adding the OpenLDAP server to the KDC configuration file

  7. Creating LDAP entries in the Kerberos database

  8. Adding the KDC and kadmin roles to the OpenLDAP server

  9. Creating the Kerberos database keys

  10. Synchronizing the master KDC's clock with the clock synchronization server

  11. Enabling the KDC and kadmin services

How to Configure a Master KDC on an OpenLDAP Directory Server

This procedure configures a KDC master and an OpenLDAP server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.

Before You Begin

Make sure the system is configured to use DNS. For more information about OpenLDAP, see the OpenLDAP Home Page.

You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install the openldap server package.
    # pkg install service/network/ldap/openldap
  2. Enable the OpenLDAP service.

    This step enables the directory server to read the configuration file and be populated.

    # svcadm enable ldap/server
  3. Configure access to the OpenLDAP server.

    Modify access information for the OpenLDAP configuration by creating and loading the access.ldif file.

    # cat <<- EOF >access.ldif
    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {0}to dn.subtree="cn=example.com,cn=krbcontainer,dc=example,dc=com"  
       by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
       by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
       by * none
    -
    add: olcAccess
    olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com"
       by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
       by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
       by * none
    EOF
    # ldapmodify -D "cn=config" -W -f access.ldif

    Note -  In the olcAccess rules that provide access to each subtree, the kdc service needs write access to any accounts to which account lockout should apply. Write access enables the service to lock out an account after its password has expired.
  4. Ensure that the slapd daemon is listening on the ldapi:// UNIX domain socket.
    # ldapsearch -H ldapi:/// -x -b "" -s base '(objectclass=*)' namingContexts
  5. Add organizational entries to the OpenLDAP server.
    # cat <<- EOF >entries.ldif
    dn: ou=groups,dc=example,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: groups
    
    dn: ou=users,dc=example,dc=com
    objectClass: top
    objectClass: organizationalunit
    ou: users
    EOF
    # ldapadd -D "cn=Manager,dc=example,dc=com" -W -f entries.ldif
  6. Add the OpenLDAP server to the Kerberos configuration file.
    # pfedit /etc/krb5/krb5.conf
    [realms]
            EXAMPLE.COM = {
                    kdc = krb1.example.com
                    admin_server = krb1.example.com
                    database_module = LDAP
            }
    
    [dbmodules]
            LDAP = {
                    db_library = kldap
                    ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                    ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                    ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                    ldap_servers = ldapi:///
            }
    ...
  7. Create the LDAP entries in the Kerberos database.
    # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create \
       -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s

    For more information, see the kdb5_ldap_util(8) man page.

  8. Create and add KDC and kadmin roles.
    # cat <<- EOF >kdc_roles.ldif
    dn: cn=kdc service,ou=profile,dc=example,dc=com
    cn: kdc service
    sn: kdc service
    objectclass: top
    objectclass: person
    userpassword: nnnnnnnn
    
    dn: cn=kadmin service,ou=profile,dc=example,dc=com
    cn: kadmin service
    sn: kadmin service
    objectclass: top
    objectclass: person
    userpassword: nnnnnnnn
    EOF
    # ldapadd -D "cn=Manager,dc=example,dc=com" -W -f kdc_roles.ldif

    The passwords for the kdc service and the kadmin service should be different and difficult to guess. Remember these passwords. You use them in the following step.

  9. Create stash files for LDAP binding to the KDC and kadmin services.
    # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
       cn="kdc service,ou=profile,dc=example,dc=com"
    Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
    Password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn
    Re-enter password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn
    # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
       cn="kadmin service,ou=profile,dc=example,dc=com"
    Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
    Password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
    Re-enter password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
  10. Synchronize this system's clock with other clocks in the realm.

    Note -  A master KDC cannot be the clock synchronization server.

    For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(5) man page.

  11. Enable the KDC and kadmin services.
    # svcadm enable krb5kdc
    # svcadm enable kadmin
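After the services are enabled, it is worth confirming that the KDC really is routed to the local LDAP backend described in steps 4 and 6 before putting the realm into use. The following check is an added example, not part of the Oracle guide: it parses a constructed copy of the krb5.conf stanzas from step 6 and verifies that the realm's database_module points at a kldap dbmodule that uses the ldapi:/// socket and names both service bind DNs. The function names krb5_get and check_ldap_backend are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of the [realms] and [dbmodules] stanzas that step 6 adds
# to /etc/krb5/krb5.conf; a real check would read the file instead.
KRB5_CONF_SAMPLE='[realms]
        EXAMPLE.COM = {
                kdc = krb1.example.com
                admin_server = krb1.example.com
                database_module = LDAP
        }

[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_servers = ldapi:///
        }'

# krb5_get CONF SECTION NAME KEY: print the value of KEY inside the
# "NAME = { ... }" block of [SECTION], with surrounding quotes stripped.
krb5_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v name="$3" -v key="$4" '
        $1 ~ /^\[/ { insec = ($1 == sec); inblk = 0; next }
        insec && $1 == name && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/"/, ""); print; exit }'
}

# check_ldap_backend CONF REALM: return 0 when REALM routes to a dbmodule that
# uses kldap over the local ldapi:/// socket and names both service bind DNs;
# otherwise print the first mismatch and return 1.
check_ldap_backend() {
    mod=$(krb5_get "$1" realms "$2" database_module)
    [ -n "$mod" ] || { echo "$2: no database_module"; return 1; }
    [ "$(krb5_get "$1" dbmodules "$mod" db_library)" = kldap ] \
        || { echo "$mod: db_library is not kldap"; return 1; }
    case "$(krb5_get "$1" dbmodules "$mod" ldap_servers)" in
        ldapi:///*) ;;
        *) echo "$mod: ldap_servers is not the local ldapi:/// socket"; return 1 ;;
    esac
    for k in ldap_kerberos_container_dn ldap_kdc_dn ldap_kadmind_dn; do
        [ -n "$(krb5_get "$1" dbmodules "$mod" "$k")" ] \
            || { echo "$mod: $k is missing"; return 1; }
    done
}

check_ldap_backend "$KRB5_CONF_SAMPLE" EXAMPLE.COM && echo "krb5.conf LDAP backend: OK"
```

To run it against the live system, replace the constructed sample with `$(cat /etc/krb5/krb5.conf)`; a non-zero exit names the first setting that does not match the procedure.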