By installing the KDC and OpenLDAP on the same server you get better performance.
The main steps involved in configuring the KDC and OpenLDAP on the same server are:
Installing the OpenLDAP package
Enabling the LDAP service
Configuring access to the OpenLDAP server
Ensuring that the OpenLDAP daemon is listening on ldapi://
Adding organizational entries to the OpenLDAP server
Adding the OpenLDAP server to the KDC configuration file
Creating LDAP entries in the Kerberos database
Adding the KDC and kadmin roles to the OpenLDAP server
Creating the Kerberos database keys
Synchronizing the master KDC's clock with the clock synchronization server
Enabling the KDC and kadmin services
This procedure configures a KDC master and an OpenLDAP server on the same system. The KDC uses the OpenLDAP client library, as will the Kerberos clients that you configure later.
Before You Begin
Make sure the system is configured to use DNS. For more information about OpenLDAP, see the OpenLDAP Home Page.
You are in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
# pkg install service/network/ldap/openldap
Enabling the service lets the directory server read its configuration file and accept the entries that you add in the following steps.
# svcadm enable ldap/server
Modify access information for the OpenLDAP configuration by creating and loading the access.ldif file.
# cat <<- EOF >access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=example.com,cn=krbcontainer,dc=example,dc=com"
  by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
  by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com"
  by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write
  by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write
  by * none
EOF
# ldapmodify -D "cn=config" -W -f access.ldif
# ldapsearch -H ldapi:/// -x -b "" -s base '(objectclass=*)' namingContexts
# cat <<- EOF >entries.ldif
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: groups

dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: users
EOF
# ldapadd -D "cn=Manager,dc=example,dc=com" -W -f entries.ldif
# pfedit /etc/krb5/krb5.conf
[realms]
        EXAMPLE.COM = {
                kdc = krb1.example.com
                admin_server = krb1.example.com
                database_module = LDAP
        }

[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_servers = ldapi:///
        }
...
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create \
    -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s
For more information, see the kdb5_ldap_util(1M) man page.
# cat <<- EOF >kdc_roles.ldif
dn: cn=kdc service,ou=profile,dc=example,dc=com
cn: kdc service
sn: kdc service
objectclass: top
objectclass: person
userpassword: nnnnnnnn

dn: cn=kadmin service,ou=profile,dc=example,dc=com
cn: kadmin service
sn: kadmin service
objectclass: top
objectclass: person
userpassword: nnnnnnnn
EOF
# ldapadd -D "cn=Manager,dc=example,dc=com" -W -f kdc_roles.ldif
The passwords for the kdc service and the kadmin service should be different and difficult to guess. Remember these passwords. You use them in the following step.
# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
    cn="kdc service,ou=profile,dc=example,dc=com"
Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
Password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn
Re-enter password for "cn=kdc service,ou=profile,dc=example,dc=com": nnnnnnnn

# kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw \
    cn="kadmin service,ou=profile,dc=example,dc=com"
Password for "cn=Manager,dc=example,dc=com": nnnnnnnn
Password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
Re-enter password for "cn=kadmin service,ou=profile,dc=example,dc=com": nnnnnnnn
For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(4) man page.
# svcadm enable krb5kdc
# svcadm enable kadmin
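The access.ldif rules loaded earlier are what keep the principal entries under cn=krbcontainer and ou=users readable only by the kdc service and kadmin service identities; a rule that ends in anything other than "by * none" exposes them to every bind, anonymous included. The following POSIX shell script is an added audit helper, not part of the Oracle procedure: it reads olcAccess values in the form that ldapsearch returns them from olcDatabase={1}mdb,cn=config (assumed input format) and flags any rule on those subtrees whose catch-all clause is open. The input here is a constructed sample in which rule {1} is deliberately weak.

```shell
#!/bin/sh
# Added audit helper, not part of the Oracle procedure: check olcAccess rules
# that cover the Kerberos subtrees for a closed "by * none" catch-all clause.
# Input: one rule per line, "olcAccess: {n}to ... by ... <level> ... by * none",
# as ldapsearch prints them from olcDatabase={1}mdb,cn=config.

# Constructed sample (assumption): rule {1} is deliberately weak, it ends in
# "by * read", so any bind, including anonymous, could read ou=users.
SAMPLE_ACCESS='olcAccess: {0}to dn.subtree="cn=example.com,cn=krbcontainer,dc=example,dc=com" by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write by * none
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=com" by dn.base="cn=kdc service,ou=profile,dc=example,dc=com" write by dn.base="cn=kadmin service,ou=profile,dc=example,dc=com" write by * read
olcAccess: {2}to * by * read'

# audit_access RULES: prints "OK n", "WEAK n <reason>" or "SKIP n <target>"
# per rule. Only rules on cn=krbcontainer,... and ou=users,... are judged;
# slapd applies the first "to" clause that matches an entry, so a later
# "to *" does not reach entries already covered by {0} and {1}.
audit_access() {
    printf '%s\n' "$1" | grep '^olcAccess:' | while IFS= read -r line; do
        idx=$(printf '%s' "$line" | sed -n 's/^olcAccess: {\([0-9]*\)}.*/\1/p')
        target=$(printf '%s' "$line" | sed -n 's/.*to dn\.subtree="\([^"]*\)".*/\1/p')
        case "$target" in
            *krbcontainer*|ou=users,*) ;;
            *) printf 'SKIP %s %s\n' "$idx" "${target:-*}"; continue ;;
        esac
        weak=""
        case "$line" in
            *"by * none") ;;
            *) weak="no trailing 'by * none' catch-all" ;;
        esac
        # "by" clauses are evaluated in order and the first match wins, so an
        # earlier grant to * or anonymous would make a trailing "by * none" moot.
        if printf '%s' "$line" | grep -Eq 'by (\*|anonymous) (read|search|compare|write|manage)'; then
            weak="grants access to anonymous or to everyone"
        fi
        if [ -n "$weak" ]; then
            printf 'WEAK %s %s\n' "$idx" "$weak"
        else
            printf 'OK %s\n' "$idx"
        fi
    done
}

# count_weak RULES: number of WEAK findings (0 when the ACL is closed).
count_weak() {
    audit_access "$1" | grep -c '^WEAK' || true
}

audit_access "$SAMPLE_ACCESS"
```

On a live server, feed the script the olcAccess attribute of the mdb database as returned by ldapsearch over ldapi:///; any WEAK line means the rule should be corrected with ldapmodify before enabling krb5kdc and kadmin.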