VDSL mit Cisco Routern

[sourcecode]
!
! VDSL uplink: PPPoE client on the tagged VLAN 7 towards the modem, terminated
! on Dialer0. The NAT inside interfaces and the dialer-list behind
! "dialer-group 1" are not part of this listing.
!
interface FastEthernet3
description WAN to VDSL-Modem
! trunk so that the tagged VLAN 7 frames reach the modem
switchport mode trunk
!
interface Vlan7
description VLAN fuer VDSL
! no IP on the SVI: it only carries the PPPoE session into dial pool 1
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
! address assigned by the provider during IPCP
ip address negotiated
! reduced MTU for the PPPoE/VLAN overhead; no "ip tcp adjust-mss" is shown,
! so TCP sessions presumably rely on path-MTU discovery — verify
ip mtu 1452
! NAT outside side; the inside interfaces are not shown here
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache policy
ip route-cache flow
dialer pool 1
! 0 disables the idle timeout, i.e. the session is never dropped for inactivity
dialer idle-timeout 0
dialer persistent
dialer-group 1
! callin: presumably only the calling party is challenged, so this router
! answers the provider's CHAP/PAP request without challenging it back
ppp authentication chap pap callin
! username and password were stripped before publishing. "password 0" means
! the PAP password is kept in clear text in the running config, so the config
! and any "show run" output are secrets; "service password-encryption" only
! obscures it reversibly
ppp pap sent-username @t-online.de password 0
[/sourcecode]

kerberos und windows xp

Achtung: kann üble Probleme machen. In der ksetup-Ausgabe unten taucht 10.0.12.32 als eigener Realm auf, weil /AddKdc ohne Realm-Namen aufgerufen wurde – PATRICK-PREUSS.DE bleibt dadurch ohne KDC-Eintrag.
[sourcecode]
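REM Windows XP ksetup: join this workstation to the MIT Kerberos realm.
ksetup /SetRealm PATRICK-PREUSS.DE
REM /AddKdc takes the realm name first, then the KDC. Without the realm
REM (the original was "ksetup /AddKdc 10.0.12.32") ksetup creates a bogus
REM realm called "10.0.12.32" and PATRICK-PREUSS.DE is left with no KDC entry,
REM which is exactly what the ksetup output below shows.
ksetup /AddKdc PATRICK-PREUSS.DE 10.0.12.32
ksetup /AddKpasswd PATRICK-PREUSS.DE 10.0.12.32
REM "somethingverysecret" is a placeholder; it presumably has to match the key
REM of this host's principal on the KDC, which is not shown on this page. The
REM value is typed on the command line, so keep it out of scripts and logs.
ksetup /SetComputerPassword somethingverysecret
REM map the Kerberos principal rt01@REALM to the local account rt01
ksetup /MapUser rt01@PATRICK-PREUSS.DE rt01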
[/sourcecode]
[sourcecode]
C:\Documents and Settings\rt01> ksetup
default realm = PATRICK-PREUSS.DE (external)
10.0.12.32:
(no kdc entries for this realm)
Realm Flags = 0x0 none
PATRICK-PREUSS.DE:
(no kdc entries for this realm)
kpasswd = 10.0.12.32
Realm Flags = 0x0 none
Mapping rt01@PATRICK-PREUSS.DE to rt01.
[/sourcecode]

OpenLDAP ppolicy

— snip /etc/ldap/slapd.conf —
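# ppolicy schema
include /etc/ldap/schema/ppolicy.schema

# load the password-policy overlay
moduleload ppolicy.la
# overlay and ppolicy_* directives belong after the "database" directive they
# apply to; that directive is presumably elided from this snip
overlay ppolicy
# policy applied to entries without their own pwdPolicySubentry
# (plain double quotes — the typographic quotes rendered on the page are not
# valid slapd.conf quoting)
ppolicy_default "cn=default,ou=PasswordPolicy,dc=patrick-preuss,dc=de"
# answer a locked account with AccountLocked instead of InvalidCredentials.
# This tells any client which accounts exist and are locked; the slapo-ppolicy
# man page advises against it unless clients need the distinction. Note that
# the default policy below has pwdLockout: FALSE, so nothing gets locked anyway.
ppolicy_use_lockout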
— snip /etc/ldap/slapd.conf —

— snip default.ldif —
# Default OpenLDAP password policy, referenced by ppolicy_default in slapd.conf.
# pwdPolicy is an auxiliary class, so the structural class device carries it.
dn: cn=default,ou=PasswordPolicy,dc=patrick-preuss,dc=de
objectClass: device
objectClass: pwdPolicy
objectClass: top
cn: default
# the attribute this policy governs
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
# 1 = quality is checked only when slapd can read the cleartext value;
# pre-hashed passwords sent by the client are accepted unchecked
pwdCheckQuality: 1
# seconds before expiry at which the warning control is returned (432000 = 5 days)
pwdExpireWarning: 432000
# 0 = the failure counter is only reset by a successful bind
pwdFailureCountInterval: 0
# 0 = no grace binds once the password has expired
pwdGraceAuthNLimit: 0
# 0 = no history is kept, so reusing an old password is not prevented
pwdInHistory: 0
# lockout is off: pwdMaxFailure and pwdLockoutDuration below have no effect
# (ppolicy_use_lockout in slapd.conf only changes the error reported, it does
# not enable lockout)
pwdLockout: FALSE
# seconds (1920 = 32 minutes); only used when pwdLockout is TRUE
pwdLockoutDuration: 1920
# seconds (7516800 = 87 days)
pwdMaxAge: 7516800
# consecutive failures before lockout; only used when pwdLockout is TRUE
pwdMaxFailure: 4
# 6 characters is short by current guidance — consider raising
pwdMinLength: 6
# user must change the password after an administrative set/reset
pwdMustChange: TRUE
# FALSE = the old password is not required when changing it
pwdSafeModify: FALSE
— snip default.ldif —

— snip peruser.ldif —
# Per-user override: attach the "noexpire" policy to one entry instead of the
# default. cn=noexpire,ou=PasswordPolicy,... is not defined anywhere on this
# page; it must exist as a pwdPolicy entry, otherwise the reference dangles
# (slapo-ppolicy presumably falls back to the default policy then — verify)
dn: cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=PasswordPolicy,dc=patrick-preuss,dc=de
— snip peruser.ldif —

Krb5 und LDAP

http://www.ibm.com/developerworks/db2/library/techarticle/dm-0809govindarajan/

kadmin.local: modpol -maxlife 180days -minlife 1hours -minlength 6 -minclasses 2 -history 10 default

http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/multiple_principals.html

Kerberos und IOS

Cisco IOS 12.2 Configuring Kerberos
Cisco IOS 12.4 Configuring Kerberos
Cisco IOS 12.4T Configuring Kerberos

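# On the KDC (prompt "moria#"): create the switch's host principal with a
# random key and export that key to a keytab the IOS device will load.
# Plain single quotes — the typographic quotes rendered on the page would be
# passed to kadmin.local as part of the command.
moria# kadmin.local -q 'addprinc -randkey host/ws-c2940-8tt-s.patrick-preuss.de'
# DES-CBC-CRC is requested explicitly, presumably because the IOS Kerberos
# client supports nothing stronger; DES is deprecated, so keep it limited to
# the principals that need it rather than making it the realm default.
# The keytab is written under /var/www: if that directory is served over HTTP
# the host key is downloadable by anyone. Restrict access, and remove the
# file once the device has fetched it.
moria# kadmin.local -q 'ktadd -e DES-CBC-CRC:NORMAL -k /var/www/ios.keytab host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE'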

Cisco IOS 121-22.EA11
! AAA login: Kerberos-authenticated telnet first, then the local user
! database, then plain Kerberos password login
aaa authentication login default krb5-telnet local krb5
! console list; only takes effect if "login authentication console-override"
! is applied to line con 0 (not shown)
aaa authentication login console-override local
! exec authorization: local first, then the Kerberos instance map below
aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
! the trailing fields carry the host principal's key as IOS stores it (the
! page may have garbled the characters) — this line is a secret; treat the
! config and "show run" output accordingly
kerberos srvtab entry host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224540392 3 1 8 0<=?;79;5:>>:
! host-to-realm mapping for the domain and all of its subdomains
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
! principals with the "admin" instance (user/admin@REALM) get privilege 15
kerberos instance map admin 15
! forward the user's Kerberos credentials from this device on onward telnet;
! this hands a copy of the TGT to the switch
kerberos credentials forward
— cisco —

Cisco IOS 124-15.T5
! Same setup on 12.4(15)T5. Differences to the 12.2 box above: krb5 is tried
! before local, and exec authorization is left out (see below)
aaa authentication login default krb5-telnet krb5 local
! console list; only takes effect if "login authentication console-override"
! is applied to line con 0 (not shown)
aaa authentication login console-override local
! Seems 12.4(15)T5 has some bugs in the kerberos code — needs more research.
! Exec authorization via the instance map is therefore disabled here, so the
! "admin" instance does not yield privilege 15 on this router:
! aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
! trailing fields are the host principal's key as IOS stores it (possibly
! garbled by the page) — this line is a secret; treat the config accordingly
kerberos srvtab entry host/cisco1721.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224539305 3 1 8 05>9898=?83
! host-to-realm mapping for the domain and all of its subdomains
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
! principals with the "admin" instance map to privilege 15 (unused while the
! authorization line above stays commented out)
kerberos instance map admin 15
! forward the user's Kerberos credentials from this device on onward telnet
kerberos credentials forward
— cisco —

Krb5 und LDAP

MIT Kerberos 1.6.3

The Rough Guide to configuring a Solaris KDC to use a LDAP DS for the KDB

# Root shell (the leading "#" is the prompt, not a comment): make the KDC read
# its settings from krb5.conf, so the [kdcdefaults]/[realms]/[dbmodules]
# sections below serve both the library and the KDC
# rm /etc/krb5kdc/kdc.conf
# ln -s /etc/krb5.conf /etc/krb5kdc/kdc.conf

— /etc/krb5.conf —

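# /etc/krb5.conf — also symlinked to /etc/krb5kdc/kdc.conf, so the KDC-only
# sections ([kdcdefaults], [kdc], [dbdefaults], [dbmodules]) live here too.
[kdcdefaults]
# 750 is the Kerberos-4 port, 88 the Kerberos-5 one
kdc_ports = 750,88

[libdefaults]
default_realm = PATRICK-PREUSS.DE
# single DES as the default for every client is weak and deprecated;
# presumably forced by the IOS Kerberos client. Prefer giving DES keys only
# to the principals that need them (ktadd -e) and leaving these defaults alone.
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
[realms]
PATRICK-PREUSS.DE = {
kdc = moria
admin_server = moria
acl_file = /etc/krb5kdc/kadm5.acl
# principal data comes from the LDAP module defined in [dbmodules]
database_module = openldap_ldapconf
default_domain = patrick-preuss.de
# master key in single DES as well — see the enctype note above
master_key_type = des-cbc-crc
# des:v4, des:norealm, des:onlyrealm and des:afs3 are Kerberos-4/AFS salt types
supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3

}
[domain_realm]
.patrick-preuss.de = PATRICK-PREUSS.DE
patrick-preuss.de = PATRICK-PREUSS.DE

[login]
# Kerberos-4 compatibility for login; obsolete unless v4 clients still exist
krb4_convert = true
krb4_get_tickets = false
[kdc]
# NOTE(review): not a kdc.conf relation I can confirm, and it names
# ou=Kerberos while the container below is cn=Kerberos; the LDAP backend takes
# its settings from [dbmodules] — verify whether this block is used at all
database = {
dbname = ldap:ou=Kerberos,dc=patrick-preuss,dc=de
}

[dbdefaults]
ldap_kerberos_container_dn = cn=Kerberos,dc=patrick-preuss,dc=de
database_module = openldap_ldapconf
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = cn=Kerberos,dc=patrick-preuss,dc=de
# bind DN used by krb5kdc; this object needs read rights on the realm
# container, principal container and realm sub-trees
# (plain double quotes — the typographic ones rendered on the page are not
# valid here and would become part of the DN)
ldap_kdc_dn = "cn=kdc-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
# bind DN used by kadmind; this object needs read and write rights on the
# realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=kdc-adm-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
# holds the passwords of both bind DNs (written by kdb5_ldap_util stashsrvpw);
# should be readable by the KDC/kadmind user only
ldap_service_password_file = /etc/krb5kdc/service.keyfile
# plain ldap://: the simple binds above cross the wire unencrypted unless
# moria is this host or TLS is negotiated — prefer ldapi:// or ldaps://
ldap_servers = ldap://moria
ldap_conns_per_server = 5
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log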
— /etc/krb5.conf —

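# Root shell (the leading "#" is the prompt): create the realm in LDAP, stash
# the bind passwords of the two service DNs, then add the per-host kadmin and
# changepw principals. Plain double/single quotes — the typographic quotes
# rendered on the page would be passed to the tools literally.
# The original passed the directory manager's password with -w "somethingsecret"
# (a placeholder); that exposes it in the process list and shell history and
# the kdb5_ldap_util man page marks -w as not recommended, so it is dropped
# here and the tool prompts for it instead.
# create: -subtrees = where principals are searched, -s = stash the master key
# kdb5_ldap_util -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" create -subtrees dc=patrick-preuss,dc=de -r PATRICK-PREUSS.DE -s
# stashsrvpw: prompts for the service DN's password and writes it to
# service.keyfile (keep that file root-only). -H uses plain ldap://, see the
# transport note in krb5.conf.
# kdb5_ldap_util -H ldap://moria -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" stashsrvpw -f /etc/krb5kdc/service.keyfile "cn=kdc-adm-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
# kdb5_ldap_util -H ldap://moria -D "cn=Patrick Marc Preuss,ou=People,dc=patrick-preuss,dc=de" stashsrvpw -f /etc/krb5kdc/service.keyfile "cn=kdc-service,ou=ITAccounts,dc=patrick-preuss,dc=de"
# admin/password-change service principals under the host's short, .local and
# FQDN names. Without -randkey each addprinc prompts for a password;
# -randkey is the usual choice for service keys.
# kadmin.local -q 'addprinc kadmin/moria'
# kadmin.local -q 'addprinc kadmin/moria.local'
# kadmin.local -q 'addprinc kadmin/moria.patrick-preuss.de'
# kadmin.local -q 'addprinc changepw/moria'
# kadmin.local -q 'addprinc changepw/moria.local'
# kadmin.local -q 'addprinc changepw/moria.patrick-preuss.de'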

The worst day diving is better than the best day working:-)