1 Configuring Kerberos with OpenLDAP back-end
2 ===========================================
5 1. Set up SSL on the OpenLDAP server and client to ensure secure
6 communication when the KDC service and LDAP server are on different
7 machines. ``ldapi://`` can be used if the LDAP server and KDC
8 service are running on the same machine.
10 A. Setting up SSL on the OpenLDAP server:
12 i) Get a CA certificate using OpenSSL tools
13 ii) Configure OpenLDAP server for using SSL/TLS
15 For the latter, you need to specify the location of CA
16 certificate location in *slapd.conf* file.
18 Refer to the following link for more information:
19 http://www.openldap.org/doc/admin23/tls.html
21 B. Setting up SSL on OpenLDAP client:
23 i) For the KDC and Admin Server, you need to do the client-side
24 configuration in ldap.conf. For example::
26 TLS_CACERT /etc/openldap/certs/cacert.pem
28 2. Include the Kerberos schema file (kerberos.schema) in the
29 configuration file (slapd.conf) on the LDAP Server, by providing
30 the location where it is stored::
32 include /etc/openldap/schema/kerberos.schema
34 3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers
35 to bind to the LDAP server, and create them if necessary. These DNs
36 will be specified with the **ldap_kdc_dn** and **ldap_kadmind_dn**
37 directives in :ref:`kdc.conf(5)`; their passwords can be stashed
38 with "``kdb5_ldap_util stashsrvpw``" and the resulting file
39 specified with the **ldap_service_password_file** directive.
41 4. Choose a DN for the global Kerberos container entry (but do not
42 create the entry at this time). This DN will be specified with the
43 **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`.
44 Realm container entries will be created underneath this DN.
45 Principal entries may exist either underneath the realm container
46 (the default) or in separate trees referenced from the realm
49 5. Configure the LDAP server ACLs to enable the KDC and kadmin server
50 DNs to read and write the Kerberos data. If
51 **disable_last_success** and **disable_lockout** are both set to
52 true in the :ref:`dbmodules` subsection for the realm, then the
53 KDC DN only requires read access to the Kerberos data.
55 Sample access control information::
60 access to dn.base="cn=Subschema"
63 access to attrs=userPassword,userPKCS12
67 access to attrs=shadowLastChange
71 # Providing access to realm container
72 access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
73 by dn.exact="cn=kdc-service,dc=example,dc=com" write
74 by dn.exact="cn=adm-service,dc=example,dc=com" write
77 # Providing access to principals, if not underneath realm container
78 access to dn.subtree= "ou=users,dc=example,dc=com"
79 by dn.exact="cn=kdc-service,dc=example,dc=com" write
80 by dn.exact="cn=adm-service,dc=example,dc=com" write
86 If the locations of the container and principals or the DNs of
87 the service objects for a realm are changed then this
88 information should be updated.
90 6. Start the LDAP server as follows::
92 slapd -h "ldapi:/// ldaps:///"
94 7. Modify the :ref:`kdc.conf(5)` file to include LDAP specific items
105 ldap_service_password_file
107 ldap_conns_per_server
109 8. Create the realm using :ref:`kdb5_ldap_util(8)` (see
110 :ref:`ldap_create_realm`)::
112 kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s
114 Use the **-subtrees** option if the principals are to exist in a
115 separate subtree from the realm container. Before executing the
116 command, make sure that the subtree mentioned above
117 ``(ou=users,dc=example,dc=com)`` exists. If the principals will
118 exist underneath the realm container, omit the **-subtrees** option
119 and do not worry about creating the principal subtree.
121 For more information, refer to the section :ref:`ops_on_ldap`.
123 The realm object is created under the
124 **ldap_kerberos_container_dn** specified in the configuration file.
125 This operation will also create the Kerberos container, if not
126 present already. This will be used to store information related to
129 9. Stash the password of the service object used by the KDC and
130 Administration service to bind to the LDAP server using the
131 :ref:`kdb5_ldap_util(8)` **stashsrvpw** command (see
132 :ref:`stash_ldap`). The object DN should be the same as
133 **ldap_kdc_dn** and **ldap_kadmind_dn** values specified in the
134 :ref:`kdc.conf(5)` file::
136 kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
138 10. Add ``krbPrincipalName`` to the indexes in slapd.conf to speed up
141 With the LDAP back end it is possible to provide aliases for principal
142 entries. Currently we provide no mechanism provided for creating
143 aliases, so it must be done by direct manipulation of the LDAP
146 An entry with aliases contains multiple values of the
147 *krbPrincipalName* attribute. Since LDAP attribute values are not
148 ordered, it is necessary to specify which principal name is canonical,
149 by using the *krbCanonicalName* attribute. Therefore, to create
150 aliases for an entry, first set the *krbCanonicalName* attribute of
151 the entry to the canonical principal name (which should be identical
152 to the pre-existing *krbPrincipalName* value), and then add additional
153 *krbPrincipalName* attributes for the aliases.
155 Principal aliases are only returned by the KDC when the client
156 requests canonicalization. Canonicalization is normally requested for
157 service principals; for client principals, an explicit flag is often
158 required (e.g., ``kinit -C``) and canonicalization is only performed
159 for initial ticket requests.
161 .. seealso:: :ref:`ldap_be_ubuntu`