By installing the KDC and LDAP on the same server you get better performance.
The main steps are:
Installing the OUD package
Configuring the OUD server
Adding the OUD server to the Kerberos configuration file
Creating keys for the KDC and specifying a privileged port for the OUD servers
Configuring KDC roles and services on the OUD server
Creating and installing a certificate and keys for the OUD server
Testing
Synchronizing the master KDC's clock with the clock synchronization server
This procedure configures a KDC master and an Oracle Unified Directory (OUD) server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.
Before You Begin
Make sure the system is configured to use DNS. This procedure uses Oracle Unified Directory (OUD) for LDAP. For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Unified Directory 11g Release 2 (11.1.2).
You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Follow the directions on the Oracle Identity Management Downloads web site.
Follow the Oracle Unified Directory (OUD) links on the Oracle Identity Management Documentation page to the documentation for your OUD.
This sample configuration uses the following parameters:
Listener port: 1389
TLS port: 1636 (privileged port)
Administrator connector port: 4444
Password: nnnnnnnn
Certificates: StartTLS and TLS
Process: java -server -Dorg.opends.server.scriptName=sta...
# cd Oracle/Middleware/Oracle_OUD1
# export JAVA_HOME=/usr/jdk/instances/jdkversion
# ./oud-setup
# ldapsearch -x -p 1389 -D "cn=directory manager" -h $HOSTNAME -b "" -s base objectclass='*'
# pfedit profile.ldif
dn: ou=profile,dc=example,dc=com
ou: profile
objectclass: top
objectclass: organizationalUnit
# ldapmodify -a -h $HOSTNAME -D "cn=directory manager" -f profile.ldif
# pfedit /usr/share/lib/ldif/kerberos.ldif
# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" \
-f /usr/share/lib/ldif/kerberos.ldif
# pfedit /etc/krb5/krb5.conf
[realms]
        EXAMPLE.COM = {
                kdc = krb1.example.com
                admin_server = krb1.example.com
                database_module = LDAP
        }
[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_cert_path = /var/ldap
                ldap_servers = ldap://krb1:1389
        }
...
# kdb5_ldap_util -D "cn=directory manager" create -P nnnnnnnn -r EXAMPLE.COM -s
# kdb5_ldap_util stashsrvpw "cn=kdc service,ou=profile,dc=example,dc=com"
# kdb5_ldap_util stashsrvpw "cn=kadmin service,ou=profile,dc=example,dc=com"
# pfedit /etc/krb5/krb5.conf
                ldap_servers = ldaps://krb1:1636
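The switch from ldap://krb1:1389 to ldaps://krb1:1636 is the point where the KDC's simple binds (made with the stashed kdc and kadmin service passwords) stop crossing the network in the clear. The following script, added here as an example and not part of the Oracle procedure, reads the [dbmodules] stanza of a krb5.conf with awk and reports whether every ldap_servers URI uses ldaps:// and whether ldap_cert_path is set. The two sample configuration files it writes to a temporary directory are constructed to match the stanza shown above, before and after the change, so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle procedure: audit the [dbmodules] LDAP
# stanza of a krb5.conf and confirm the KDC reaches the directory over LDAPS.
# The sample configs below are constructed here so the script runs offline.

# Print the value of one key in the [dbmodules] section of a krb5.conf.
# Usage: krb5_dbmodule_value <krb5.conf> <key>
krb5_dbmodule_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[dbmodules\]/); next }
        in_db && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")     # drop "key = "
            sub(/[ \t]+$/, "")           # drop trailing blanks
            print
            exit
        }
    ' "$1"
}

# Return 0 when every ldap_servers URI is ldaps:// and ldap_cert_path is set;
# otherwise print the findings and return 1. ldap_servers may list several
# space-separated URIs, so each one is checked.
check_kdc_ldap_transport() {
    conf=$1
    servers=$(krb5_dbmodule_value "$conf" ldap_servers)
    certpath=$(krb5_dbmodule_value "$conf" ldap_cert_path)
    rc=0
    if [ -z "$servers" ]; then
        echo "FAIL: no ldap_servers in [dbmodules]"
        return 1
    fi
    for uri in $servers; do
        case $uri in
            ldaps://*) echo "OK:   $uri uses TLS" ;;
            ldap://*)  echo "FAIL: $uri is plaintext; the stashed kdc/kadmin bind passwords would cross the network unprotected"; rc=1 ;;
            *)         echo "FAIL: unrecognised server URI $uri"; rc=1 ;;
        esac
    done
    if [ -z "$certpath" ]; then
        echo "FAIL: ldap_cert_path is unset, so the OUD server certificate cannot be validated"
        rc=1
    fi
    return $rc
}

# Constructed samples modelled on the procedure: the initial ldap://:1389
# setting, and the same file after the switch to ldaps://:1636.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/before.conf" <<'EOF'
[realms]
  EXAMPLE.COM = {
    kdc = krb1.example.com
    admin_server = krb1.example.com
    database_module = LDAP
  }
[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
    ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
    ldap_cert_path = /var/ldap
    ldap_servers = ldap://krb1:1389
  }
EOF
sed 's#ldap://krb1:1389#ldaps://krb1:1636#' "$TMPD/before.conf" > "$TMPD/after.conf"

echo "== before the ldaps change =="
check_kdc_ldap_transport "$TMPD/before.conf" || echo "(check failed, as expected)"
echo "== after the ldaps change =="
check_kdc_ldap_transport "$TMPD/after.conf"
```

Run it against the real /etc/krb5/krb5.conf after the edit above; a non-zero exit means the KDC would still bind to the directory without TLS, or has no certificate path for validating the server it binds to.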
# pfedit kdc_roles.ldif
dn: cn=kdc service,ou=profile,dc=example,dc=com
cn: kdc service
sn: kdc service
objectclass: top
objectclass: person
userpassword: nnnnnnnn

dn: cn=kadmin service,ou=profile,dc=example,dc=com
cn: kadmin service
sn: kadmin service
objectclass: top
objectclass: person
userpassword: nnnnnnnn
# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f kdc_roles.ldif
# pfedit example.ldif
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target ="ldap:///dc=example,dc=com")(targetattr != "userPassword")(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com")(targetattr = "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

dn: ou=Groups, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: Groups

dn: cn=Directory Administrators, ou=Groups, dc=example,dc=com
cn: Directory Administrators
objectclass: top
objectclass: groupofuniquenames
ou: Groups
uniquemember: uid=kvaughan, ou=People, dc=example,dc=com
uniquemember: uid=rdaugherty, ou=People, dc=example,dc=com
uniquemember: uid=hmiller, ou=People, dc=example,dc=com

dn: ou=People, dc=example,dc=com
objectclass: top
objectclass: organizationalunit
ou: People
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr = "userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0; acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr != "cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0; acl "Accounting Managers Group Permissions";allow (write) (groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr != "cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0; acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers, ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr != "cn || sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0; acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers, ou=groups,dc=example,dc=com");)
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr != "cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0; acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)

dn: ou=Special Users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# ldapmodify -p 1389 -a -h $HOSTNAME -D "cn=directory manager" -f example.ldif
# pfedit kadmin.aci
## Set kadmin ACL for everything under krbcontainer.
dn: cn=krbcontainer,dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///cn=krbcontainer,dc=example,dc=com") (targetattr="*") (version 3.0; acl "kadmin_ACL"; allow (all) userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)

## Set kadmin ACL for everything under the people subtree if there are
## mix-in entries for krb princs:
dn: ou=people,dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr="*") (version 3.0; acl "kadmin_ACL"; allow (all) userdn="ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
# ldapmodify -h $HOSTNAME -D "cn=directory manager" -f kadmin.aci
This set of commands also creates the key manager provider, trust manager provider, and connection handler.
# export LDAPHOME=~OUD-base-location/ORACLE_HOME
# export LDAPHOME=$PWD
# export LDAP_SERVER_DN=krb1.example.com
# export STORE_PASSWD=xxxxxxxx
# export LDAP_BINDPWF=$LDAPHOME/config/keystore.pin
# export LDAP_ADMIN_PORT=4444
# export LDAP_BINDDN="cn=directory manager"
# export LDAP_SERVER=krb1.example.com
# rm $LDAPHOME/config/keystore
# rm $LDAPHOME/config/truststore
# echo $STORE_PASSWD > $LDAP_BINDPWF
# keytool -genkeypair -alias server-cert -keyalg rsa \
-dname "CN=$LDAP_SERVER_DN" -keystore $LDAPHOME/config/keystore \
-storepass $STORE_PASSWD -keypass $STORE_PASSWD
# keytool -selfcert -alias server-cert -validity 1825 \
-keystore $LDAPHOME/config/keystore -storetype JKS -storepass $STORE_PASSWD
# keytool -list -alias server-cert -keystore $LDAPHOME/config/keystore \
-storepass $STORE_PASSWD
# keytool -exportcert -alias server-cert -file $LDAPHOME/config/server-cert.txt \
-rfc -keystore $LDAPHOME/config/keystore -storepass $STORE_PASSWD
# cp $LDAPHOME/config/server-cert.txt /var/ldap/certdb.pem
# ldapservercfg -X -n -h $LDAP_SERVER -p $LDAP_ADMIN_PORT -D "$LDAP_BINDDN" \
-j $LDAP_BINDPWF set-connection-handler-prop \
--handler-name "LDAPS Connection Handler" \
--set key-manager-provider:JKS --set trust-manager-provider:JKS \
--set listen-port:1636 --set enabled:true
# bin/stop-ds
Bind over the TLS listener on port 1636 with an ldaps:// URI, where LDAP_BINDPW holds the directory manager password:
# /usr/lib/openldap/bin/ldapsearch -x -v -D "$LDAP_BINDDN" -w $LDAP_BINDPW \
-H ldaps://$LDAP_SERVER_DN:1636 -b "" -s base objectclass='*'
For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(4) man page.