Krb5 und LDAP

MIT Kerberos 1.6.3

The Rough Guide to configuring a Solaris KDC to use an LDAP directory server (DS) as the Kerberos database (KDB)

# Run as root (the leading '#' is the root prompt). kdc.conf is replaced by a
# symlink to krb5.conf, presumably so the KDC reads its kdc.conf keys (the
# acl_file / database_module / master_key_type entries kept in [realms] of
# krb5.conf) from the same file — confirm this matches the MIT 1.6.3 layout.
# rm /etc/krb5kdc/kdc.conf
# ln -s /etc/krb5.conf /etc/krb5kdc/kdc.conf

— /etc/krb5.conf —

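# /etc/krb5.conf — MIT Kerberos 1.6.3 on Solaris with principals stored in an LDAP DS.
# The same file is symlinked as kdc.conf, so the [realms] block also carries the
# kdc.conf keys (acl_file, database_module, master_key_type, supported_enctypes).
# The krb5 profile format allows { } sub-sections. Quoted values must use straight
# double quotes: typographic quotes are taken literally and corrupt the DN.

[kdcdefaults]
# 88 is the standard KDC port; 750 is the legacy Kerberos 4 port.
kdc_ports = 750,88

[libdefaults]
default_realm = PATRICK-PREUSS.DE
# Single-DES only. DES is cryptographically broken: later MIT releases refuse it
# unless allow_weak_crypto = true, and 1.18 removed it entirely. Prefer AES
# (e.g. aes256-cts-hmac-sha1-96) wherever the realm's clients support it.
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc

[realms]
PATRICK-PREUSS.DE = {
    kdc = moria
    admin_server = moria
    # kadmind ACL: the entries in this file decide who may administer the realm.
    acl_file = /etc/krb5kdc/kadm5.acl
    # Name of the [dbmodules] entry that provides the LDAP backend.
    database_module = openldap_ldapconf
    default_domain = patrick-preuss.de
    # Same DES caveat as in [libdefaults]: weak, and unsupported by newer releases.
    master_key_type = des-cbc-crc
    supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
}

[domain_realm]
.patrick-preuss.de = PATRICK-PREUSS.DE
patrick-preuss.de = PATRICK-PREUSS.DE

[login]
# Read by a Kerberos-aware login program (MIT login.krb5); "krb4" here means
# Kerberos 4 compatibility, which has long been obsolete.
krb4_convert = true
krb4_get_tickets = false

[kdc]
# NOTE(review): `database = { dbname = ... }` is Heimdal-style syntax. MIT's KDC
# selects its backend through database_module / [dbmodules] and will most likely
# ignore this block; the container named here (ou=Kerberos) also disagrees with
# the cn=Kerberos used in [dbdefaults] and [dbmodules]. Confirm it is needed.
database = {
    dbname = ldap:ou=Kerberos,dc=patrick-preuss,dc=de
}

[dbdefaults]
# Fallback values for every [dbmodules] entry; the module block below sets the
# same container DN explicitly, so the entry here is only a default.
ldap_kerberos_container_dn = cn=Kerberos,dc=patrick-preuss,dc=de
database_module = openldap_ldapconf

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    # Directory container that holds the realm and principal entries.
    ldap_kerberos_container_dn = cn=Kerberos,dc=patrick-preuss,dc=de
    # Bind DN used by the KDC. This object needs read rights on the realm
    # container, the principal container and the realm sub-trees.
    ldap_kdc_dn = "cn=kdc-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
    # Bind DN used by kadmind. This object needs read and write rights on the
    # realm container, the principal container and the realm sub-trees.
    ldap_kadmind_dn = "cn=kdc-adm-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
    # Holds the bind passwords of the two DNs above (written by
    # `kdb5_ldap_util stashsrvpw`); keep it owned by and readable only by root.
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    # Simple bind over plain ldap:// sends the bind password in clear text on the
    # wire; use ldaps:// (or ldapi:// on the same host, if this release supports
    # it) where the DS offers it.
    ldap_servers = ldap://moria
    ldap_conns_per_server = 5
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log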
— /etc/krb5.conf —

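# Run as root. The bind DN (-D) is a directory administrator; -w puts its password
# on the command line, where it is visible in the process list and shell history.
# Omit -w and kdb5_ldap_util prompts for the password instead. All quotes must be
# straight double quotes — typographic quotes are not quotes to the shell and the
# DN would be split at its spaces.

# Create the realm container under dc=patrick-preuss,dc=de and the realm itself;
# -s writes the master key stash file.
kdb5_ldap_util -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" -w "somethingsecret" create -subtrees dc=patrick-preuss,dc=de -r PATRICK-PREUSS.DE -s

# Stash the bind passwords of the kadmind and KDC service DNs (ldap_kadmind_dn and
# ldap_kdc_dn in krb5.conf) into the file named by ldap_service_password_file.
# Each call prompts for that DN's password. The keyfile should be readable only
# by root.
kdb5_ldap_util -H ldap://moria -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" -w "somethingsecret" stashsrvpw -f /etc/krb5kdc/service.keyfile "cn=kdc-adm-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
kdb5_ldap_util -H ldap://moria -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" -w "somethingsecret" stashsrvpw -f /etc/krb5kdc/service.keyfile "cn=kdc-service,ou=ITAccounts,dc=patrick-preuss,dc=de"

# Host-based kadmin and changepw principals for moria under each name it is
# reached by; presumably for the admin / password-change server on moria —
# confirm against the principal names that server expects. kadmin.local
# prompts for a password for each principal.
kadmin.local -q 'addprinc kadmin/moria'
kadmin.local -q 'addprinc kadmin/moria.local'
kadmin.local -q 'addprinc kadmin/moria.patrick-preuss.de'
kadmin.local -q 'addprinc changepw/moria'
kadmin.local -q 'addprinc changepw/moria.local'
kadmin.local -q 'addprinc changepw/moria.patrick-preuss.de'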
