Install Kerberos
We need to install the Kerberos workstation and server packages.
# yum -y install krb5-{workstation,server}
Configure krb5.conf
The LDAP base DN used later for ldapsearch is dc=openldap,dc=yourdomain,dc=com. Edit /etc/krb5.conf so that it reads:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = OPENLDAP.YOURDOMAIN.COM

[realms]
 OPENLDAP.YOURDOMAIN.COM = {
  kdc = openldap.yourdomain.com
  admin_server = openldap.yourdomain.com
 }

[domain_realm]
 .openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
 openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
Configure Kerberos
Create the Kerberos database (the -s switch writes a stash file so the KDC can start without prompting for the master password).
# cd /var/kerberos/krb5kdc
# kdb5_util create -s
Configure the correct realm in kdc.conf and in the kadmin ACL file (both ship with EXAMPLE.COM as a placeholder).
# sed -i 's/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g' /var/kerberos/krb5kdc/kdc.conf
# sed -i 's/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g' /var/kerberos/krb5kdc/kadm5.acl
Create the root/admin principal.
# kadmin.local
Authenticating as principal root/admin@OPENLDAP.YOURDOMAIN.COM with password.
kadmin.local: add_principal root/admin
WARNING: no policy specified for root/admin@OPENLDAP.YOURDOMAIN.COM;
Enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Re-enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM":
Principal "root/admin@OPENLDAP.YOURDOMAIN.COM" created.
Enable and start the Kerberos services.
# systemctl start krb5kdc
# systemctl enable krb5kdc
# systemctl start kadmin
# systemctl enable kadmin
Add users into the Kerberos database.
# kadmin.local
kadmin: add_principal user0
kadmin: add_principal user1
Log in as user0.
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
Create a principal for ldap and extract a keytab for it (the principal name must be given to ktadd, otherwise nothing is written to the keytab).
# kadmin
kadmin: add_principal -randkey ldap/openldap.yourdomain.com
kadmin: ktadd -keytab /etc/openldap/ldap.keytab ldap/openldap.yourdomain.com
Set keytab permissions and ownership.
# chgrp ldap /etc/openldap/ldap.keytab
# chmod 640 /etc/openldap/ldap.keytab
Set KRB5_KTNAME to our keytab. The substitution uses "|" as the sed delimiter because the path contains slashes, and it replaces the whole line so the packaged default value is not left appended to the new one.
# sed -ri 's|^#?KRB5_KTNAME=.*|KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"|' /etc/sysconfig/slapd
Test Kerberos with LDAP
# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:
# ldapsearch -h localhost -Y GSSAPI -b 'dc=openldap,dc=yourdomain,dc=com' '(uid=user0)'
If this command works for you, everything is fine. If it does not, check the logs and verify the permissions and ownership of the keytab.
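The keytab and sysconfig steps are the ones that most often go wrong, so here is a small check script as an added example (it is not part of the original post). Paths default to the ones used in this guide; the KEYTAB_GROUP variable, the "run" entry point and the function names are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the keytab and
# /etc/sysconfig/slapd steps above. Defaults are the guide's own paths; the
# KEYTAB_GROUP default and the "run" entry point are this script's assumptions.
KEYTAB="${KEYTAB:-/etc/openldap/ldap.keytab}"
KEYTAB_GROUP="${KEYTAB_GROUP:-ldap}"
SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/slapd}"
LDAP_PRINC="${LDAP_PRINC:-ldap/openldap.yourdomain.com}"

# set_ktname FILE KEYTAB: rewrite the whole KRB5_KTNAME line, commented out or
# not. Replacing only the "KRB5_KTNAME=" prefix would leave the stock value
# glued onto the new one; "|" is the s/// delimiter because the path has "/".
set_ktname() {
    sed -E -i "s|^#?KRB5_KTNAME=.*|KRB5_KTNAME=\"FILE:$2\"|" "$1"
}

# ktname_ok FILE KEYTAB: true when exactly one active line sets that keytab.
ktname_ok() {
    [ "$(grep -c "^KRB5_KTNAME=\"FILE:$2\"\$" "$1")" -eq 1 ]
}

# keytab_perms_ok KEYTAB GROUP: true for a regular file, mode 640, that group.
keytab_perms_ok() {
    [ -f "$1" ] && [ "$(stat -c '%a %G' "$1")" = "640 $2" ]
}

# keytab_has_princ KEYTAB PRINCIPAL: true when klist lists the principal.
keytab_has_princ() {
    klist -kt "$1" 2>/dev/null | grep -q " $2@"
}

# report DESCRIPTION CHECK ARGS...: print ok/FAIL and remember any failure.
report() {
    desc="$1"; shift
    if "$@"; then echo "ok:   $desc"; else echo "FAIL: $desc"; failed=1; fi
}

# run_checks: check the live system; returns non-zero if any check fails.
run_checks() {
    failed=0
    report "KRB5_KTNAME in $SYSCONFIG names $KEYTAB" ktname_ok "$SYSCONFIG" "$KEYTAB"
    report "$KEYTAB is mode 640, group $KEYTAB_GROUP" keytab_perms_ok "$KEYTAB" "$KEYTAB_GROUP"
    report "$KEYTAB contains $LDAP_PRINC" keytab_has_princ "$KEYTAB" "$LDAP_PRINC"
    return "$failed"
}

# Only act when invoked as "sh check-slapd-gssapi.sh run"; sourcing is side-effect free.
case "${1:-}" in run) run_checks ;; esac
```

Run it as root on the LDAP server with the "run" argument; a FAIL on the last check means ktadd was run without the principal name or against a different keytab path.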