Configuring a Master KDC on an Oracle Unified Directory Server

Language:

By installing the KDC and LDAP on the same server you get better performance.

The main steps are:

Installing the OUD package
Configuring the OUD server
Adding the OUD server to the Kerberos configuration file
Creating keys for the KDC and specifying a privileged port for the OUD servers
Configuring KDC roles and services on the OUD server
Creating and installing a certificate and keys for the OUD server
Testing
Synchronizing the master KDC's clock with the clock synchronization server

How to Configure a Master KDC on an Oracle Unified Directory LDAP Directory Server

This procedure configures a KDC master and an Oracle Unified Directory (OUD) server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.

Before You Begin

Make sure the system is configured to use DNS. This procedure uses Oracle Unified Directory (OUD) for LDAP. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory 11g Release 2 (11.1.2) .

You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

Download the OUD package.
Follow the directions on the Oracle Identity Management Downloads web site.
Configure the OUD LDAP server.
Follow the Oracle Unified Directory (OUD) links on the Oracle Identity Management Documentation page to the documentation for your OUD.
- Listener port: 1389
- TLS port: 1636 (privileged port)
- Administrator connector port: 4444
- Password: nnnnnnnn
- Certificates: StartTLS and TLS
- Process: java -server -Dorg.opends.server.scriptName=sta...
```
# cd Oracle/Middleware/Oracle_OUD1
# export JAVA_HOME=/usr/jdk/instances/jdkversion
# ./oud-setup
```

Verify that the LDAP server is listening.

# ldapsearch -x -p 1389 -D "cn=directory manager" -h $HOSTNAME -b "" -s base objectclass='*'

Add the initial profile entries to the OUD configuration.

# pfedit profile.ldif
  dn: ou=profile,dc=example,dc=com
  ou: profile 
  objectclass: top
  objectclass: organizationalUnit
# ldapmodify -a -h $HOSTNAME -D "cn=directory manager" -f profile.ldif

Remove the newlines from all the attribute types in the kerberos.ldif file, then add the file to the OUD configuration.

# pfedit /usr/share/lib/ldif/kerberos.ldif 
# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" \
   -f /usr/share/lib/ldif/kerberos.ldif

Add the OUD server to the Kerberos configuration file.

# pfedit /etc/krb5/krb5.conf
 [realms]
         EXAMPLE.COM = {
                 kdc = krb1.example.com
                 admin_server = krb1.example.com
                 database_module = LDAP
         }

 [dbmodules]
         LDAP = {
                 db_library = kldap
                 ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                 ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                 ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                 ldap_cert_path = /var/ldap
                 ldap_servers = ldap://krb1:1389
         }
  ...

Create the keys and stash files for LDAP binding to the KDC and kadmin services.

# kdb5_ldap_util -D "cn=directory manager" create -P nnnnnnnn -r EXAMPLE.COM -s
# kdb5_ldap_util stashsrvpw "cn=kdc service,ou=profile,dc=example,dc=com"
# kdb5_ldap_util stashsrvpw "cn=kadmin service,ou=profile,dc=example,dc=com"

Modify the ldap_servers entry in the Kerberos configuration file to use a privileged port.
```
# pfedit /etc/krb5/krb5.conf
       ldap_servers = ldaps://krb1:1636
```

Add Kerberos entries to the OUD server.

Create and add KDC roles.

# pfedit kdc_roles.ldif
 dn: cn=kdc service,ou=profile,dc=example,dc=com
 cn: kdc service
 sn: kdc service
 objectclass: top 
 objectclass: person
 userpassword: nnnnnnnn
 
 dn: cn=kadmin service,ou=profile,dc=example,dc=com
 cn: kadmin service
 sn: kadmin service
 objectclass: top
 objectclass: person
 userpassword: nnnnnnnn

# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f kdc_roles.ldif

Create and add administrative users.

# pfedit example.ldif 
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr =
  "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
  "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

dn: ou=Groups, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups

dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
cn: Directory Administrators
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=kvaughan, ou=People, dc=example,dc=com
uniquemember: uid=rdaugherty, ou=People, dc=example,dc=com
uniquemember: uid=hmiller, ou=People, dc=example,dc=com

dn: ou=People, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: People
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
 "userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;
 acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
 "cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;
 acl "Accounting Managers Group Permissions";allow (write) (groupdn =
  "ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
 "cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;
 acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,
 ou=groups,dc=example,dc=com
 ");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
 "cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;
 acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,
 ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr !=
 "cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;
 acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///
 cn=PD Managers,ou=groups,dc=example,dc=com");)

dn: ou=Special Users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
 
# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f example.ldif

Create and add ACLs for LDAP entries.

# pfedit kadmin.aci
## Set kadmin ACL for everything under krbcontainer.
dn: cn=krbcontainer,dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///cn=krbcontainer,dc=example,dc=com") (targetattr="*")
 (version 3.0; acl "kadmin_ACL"; allow (all)
 userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)

## Set kadmin ACL for everything under the people subtree if there are
## mix-in entries for krb princs:
dn: ou=people,dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr="*")
 (version 3.0; acl "kadmin_ACL"; allow (all)
 userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)

# ldapmodify -h $HOSTNAME -D "cn=directory manager" -f kadmin.aci

Generate and store the TLS certificate for the OUD server.

This set of commands also creates the key manager provider, trust manager provider, and connection handler.

# export LDAPHOME=~OUD-base-location/ORACLE_HOME
# export LDAPHOME=$PWD
# export LDAP_SERVER_DN=krb1.example.com
# export STORE_PASSWD=xxxxxxxx
# export LDAP_BINDPWF=$LDAPHOME/config/keystore.pin
# export LDAP_ADMIN_PORT=4444
# export LDAP_BINDDN="cn=directory manager"
# export LDAP_SERVER=krb1.example.com
# rm $LDAPHOME/config/keystore
# rm $LDAPHOME/config/truststore
# echo $STORE_PASSWD > LDAP_BINDPWF
# keytool -genkeypair -alias server-cert -keyalg rsa \
   -dname "CN=$LDAP_SERVER_DN" -keystore $LDAPHOME/config/keystore \
   -storepass $STORE_PASSWD -keypass $STORE_PASSWD
# keytool -selfcert -alias server-cert -validity 1825 \
   -keystore $LDAPHOME/config/keystore -storetype JKS -storepass $STORE_PASSWD
# keytool -list -alias server-cert -keystore $LDAPHOME/config/keystore \
   -storepass $STORE_PASSWD
# keytool -exportcert -alias server-cert -file $LDAPHOME/config/server-cert.txt \
   -rfc -keystore $LDAPHOME/config/keystore -storepass $STORE_PASSWD
# cp $LDAPHOME/config/server-cert.txt /var/ldap/certdb.pem

Enable the key manager provider, trust manager provider, and connection handler.

# ldapservercfg -X -n -h $LDAP_SERVER -p $LDAP_ADMIN_PORT -D "$LDAP_BINDDN" \
  -j $LDAP_BINDPWF set-connection-handler-prop \
  --handler-name "LDAPS Connection Handler" \
  --set key-manager-provider:JKS --set trust-manager-provider:JKS \
  --set listen-port:1636 --set enabled:true
# bin/stop-ds

(Optional) Verify the configuration with an SSL LDAP query.

# /usr/lib/openldap/bin/ldapsearch -x -v -x -D "$LDAP_BINDDN" -w $LDAP_BINDPW \
   -H ldapi://$LDAP_SERVER_DN:1636 -b "" -s base objectclass='*'

Synchronize this system's clock with other clocks in the realm.
Note - A master KDC cannot be the clock synchronization server.

For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(4) man page.