Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020
 
 

Configuring a Master KDC on an OpenLDAP Directory Server

By installing the KDC and OpenLDAP on the same server you get better performance.

    The main steps involved in configuring the KDC and OpenLDAP on the same server are:

  1. Installing the OpenLDAP package

  2. Enabling the LDAP service

  3. Configuring access to the OpenLDAP server

  4. Ensuring that the OpenLDAP daemon is listening on ldapi://

  5. Adding organizational entries to the OpenLDAP server

  6. Adding the OpenLDAP server to the KDC configuration file

  7. Creating LDAP entries in the Kerberos database

  8. Adding the KDC and kadmin roles to the OpenLDAP server

  9. Creating the Kerberos database keys

  10. Synchronizing the master KDC's clock with the clock synchronization server

  11. Enabling the KDC and kadmin services

How to Configure a Master KDC on an OpenLDAP Directory Server

This procedure configures a KDC master and an OpenLDAP server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.

Before You Begin

Make sure the system is configured to use DNS. For more information about OpenLDAP, see the OpenLDAP Home Page.

You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install the openldap server package. 
    # pkg install service/network/ldap/openldap
  2. Enable the OpenLDAP service.

    This step enables the directory server to read the configuration file and be populated.

    # svcadm enable ldap/server
  3. Configure access to the OpenLDAP server.

    Modify access information for the OpenLDAP configuration by creating and loading the access.ldif file.

    # cat <<- EOF >access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=example.com,cn=krbcontainer,dc=example,dc=com"  
   by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
   by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
   by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com"
   by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
   by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
   by * none
EOF
# ldapmodify -D "cn=config" -W -f access.ldif
    Note -  In the "Providing access to" sections, kdc service needs write access to any accounts that account lockout should apply to. Write access enables the service to lock out an account after its account password has expired.
  4. Ensure that the slapd daemon is listening on the ldapi:// UNIX domain socket. 
    # ldapsearch -H ldapi:/// -x -b "" -s base '(objectclass=*)' namingContexts
  5. Add organizational entries to the OpenLDAP server. 
    # cat <<- EOF >entries.ldif
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: groups

dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: users
EOF
# ldapadd -D "cn=Manager,dc=example,dc=com" -W -f entries.ldif
  6. Add the OpenLDAP server to the Kerberos configuration file. 
    # pfedit /etc/krb5/krb5.conf
[realms]
        EXAMPLE.COM = {
                kdc = krb1.example.com
                admin_server = krb1.example.com
                database_module = LDAP
        }

[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_servers = ldapi:///
        }
...
  7. Create the LDAP entries in the Kerberos database. 
    # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create \
   -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s

    For more information, see the kdb5_ldap_util(8) man page.

  8. Create and add KDC and kadmin roles. 
    # cat <<- EOF >kdc_roles.ldif
dn: cn=kdc service,ou=profile,dc=example,dc=com
cn: kdc service
sn: kdc service
objectclass: top
objectclass: person
userpassword: nnnnnnnn

dn: cn=kadmin service,ou=profile,dc=example,dc=com
cn: kadmin service
sn: kadmin service
objectclass: top
objectclass: person
userpassword: nnnnnnnn
EOF
# ldapadd -D "cn=Manager,dc=example,dc=com" -W -f kdc_roles.ldif

    The passwords for the kdc service and the kadmin service should be different and difficult to guess. Remember these passwords. You use them in the following step.

  9. Create stash files for LDAP binding to the KDC and kadmin services. 
    # kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
   cn="kdc service,ou=profile,dc=example,dc=com"
Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
Password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn
Re-enter password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
   cn="kadmin service,ou=profile,dc=example,dc=com"
Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
Password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
Re-enter password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
  10. Synchronize this system's clock with other clocks in the realm.
    Note -  A master KDC cannot be the clock synchronization server.

    For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(5) man page.

  11. Enable the KDC and kadmin services. 
    # svcadm enable krb5kdc
# svcadm enable kadmin
Copyright © 2002, 2020, Oracle and/or its affiliates.  
Previous
Next