| Deleted text | Added text |
| Line 4: | Line 4: |
| <<TableOfContents()>> | |
| Line 15: | Line 16: |
| * In the following, we suppose you have the root dn of your db in ROOTDN. So if you choose `example.com` as domain in the previous set, set `export ROOTDN="dc=example,dc=com"` | * In the following, we suppose you have the base dn of your db in BASEDN. So if you choose `example.com` as domain in the previous set, set `export BASEDN="dc=example,dc=com"` You can know connect to `dc=example,dc=com` with user `cn=admin,dc=example,dc=com` and the password chosen |
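Review bot: typo in the added text of this hunk, "You can know connect" should read "You can now connect", and the sentence needs a period after "the password chosen". Also, BASEDN is exported here but none of the later hunks use it: the ppolicy default DN, the kdc.conf dbname and the KerberosPrincipals OU all hard-code dc=example,dc=com, so either substitute $BASEDN in those snippets or drop the variable.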
| Line 52: | Line 55: |
| }}} You can known connect to `cn=config` with user `cn=admin,cn=config` Change the default hash from SSHA to CRYPT SHA512 with 10001 rounds {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcPasswordHash olcPasswordHash: {CRYPT} - dn: cn=config changetype: modify add: olcPasswordCryptSaltFormat olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s EOF |
|
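Review bot: the heredoc in this hunk is unquoted (cat <<EOF), so the shell expands $6 (an empty positional parameter) and $rounds (an unset variable) before ldapmodify reads the record, and olcPasswordCryptSaltFormat is stored as "=100001$%.16s" instead of "$6$rounds=100001$%.16s"; quote the delimiter, i.e. cat <<'EOF' | ldapmodify -Y EXTERNAL -H ldapi:///, the way the slappasswd -c invocation on the page already single-quotes the same string. The prose also says "10001 rounds" while the salt format uses rounds=100001; make the two agree. Minor: "You can known connect" should read "You can now connect".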
| Line 67: | Line 87: |
| === ACL === We just use ldap as a auth db and not as an address book, so we need to restric acls more than just the default. We already restrict access to the directory only to authenticated user. For Heimdal, add `{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break` to `olcDatabase={1}mdb,cn=config` === Overlay === cf https://www.openldap.org/doc/admin24/overlays.html ==== Unique ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: unique EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}unique olcUniqueAttribute: cn mail krb5PrincipalName EOF }}} ==== MemberOf ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: memberof EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof olcMemberOfDangling: error olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf EOF }}} ==== RefInt ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad:refint EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: memberof member manager owner EOF }}} ==== Ppolicy ==== cf http://www.zytrax.com/books/ldap/ch6/ppolicy.html {{{ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif cat <<EOF | ldapmodify 
-Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad:ppolicy EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcPPolicyConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {3}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com olcPPolicyUseLockout: FALSE olcPPolicyHashCleartext: TRUE EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=default,ou=Policies,dc=example,dc=com objectClass: pwdPolicy objectClass: organizationalRole cn: default pwdAllowUserChange: FALSE pwdAttribute: userPassword pwdFailureCountInterval: 900 pwdLockout: TRUE pwdLockoutDuration: 900 pwdMaxFailure: 10 pwdMinLength: 12 pwdSafeModify: TRUE EOF }}} == Installing Heimdal KDC == * `apt install heimdal-kdc` Set the default realm and the list of kerberos servers and other parameters empty (we will configure it later) === Ldap Config === ==== Add hdb schema ==== We need to import the Heimdal ldap schema. To do so, we first need to convert the schema to ldif. {{{ mkdir /tmp/ldif_output }}} {{{ cat <<EOF > /tmp/schema_convert.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/hdb.schema EOF }}} {{{ slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config" | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif }}} {{{ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif }}} === KDC Config === The configuration below is based on the Heimdal github wiki https://github.com/heimdal/heimdal/wiki * Generate the master KDC encryption key with `kstash --random-key -e aes256-cts-hmac-sha1-96` and backup securely the created file `/var/lib/heimdal-kdc/m-key`. It's the secret key used to encrypt the kerberos users private keys. 
* Edit /etc/heimdal-kdc/kdc.conf and change the `database =` section {{{ database = { dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com hdb-ldap-structural-object = inetOrgPerson acl_file = /etc/heimdal-kdc/kadmind.acl mkey_file = /var/lib/heimdal-kdc/m-key } }}} * Create the OU ou=KerberosPrincipals,dc=example,dc=com in the ldap * `service heimdal-kdc restart` * {{{ # kadmin -l init EXAMPLE.COM Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: }}} |
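Review bot: the ppolicy part of this hunk adds cn=default,ou=Policies,dc=example,dc=com but nothing creates ou=Policies first, so on a fresh directory that ldapadd fails with noSuchObject; add an organizationalUnit record for ou=Policies before it, the way the text tells the reader to create ou=KerberosPrincipals. Two documentation points: say why the ACL "to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break" is needed (the KDC runs as root and reads and writes the hdb entries over ldapi:///, so this gives it manage rights on the whole database), and note that pwdAllowUserChange: FALSE stops users from changing userPassword over LDAP and say whether that is intended because Kerberos handles password changes. The m-key advice should also say the file must stay readable by root only, since it decrypts every principal key in the directory.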
Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm
Setting up OpenLdap
apt install slapd
- Define the admin password
Run dpkg-reconfigure slapd and make the initial configuration. Choose MDB as the backend.
In the following, we suppose you have the base DN of your database in BASEDN. So if you chose example.com as the domain in the previous step, set export BASEDN="dc=example,dc=com"
You can now connect to dc=example,dc=com as user cn=admin,dc=example,dc=com with the password you chose.
- Disable anonymous binds and require authentication
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap):
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD

You can now connect to cn=config as user cn=admin,cn=config.
Change the default password hash from SSHA to CRYPT SHA512 with 100001 rounds (the heredoc delimiter must be quoted, otherwise the shell expands $6 and $rounds and the salt format is stored mangled):
cat <<'EOF' | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}
-

dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s
EOF
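Before piping the two change records above into ldapmodify it is worth checking that the shell delivered them intact, because the salt format contains $6 and $rounds, which an unquoted heredoc silently expands to nothing. The following is an added example, not code from the wiki page: a minimal LDIF reader plus a check of the two records. HASH_LDIF is the constructed input a quoted heredoc produces, HASH_LDIF_EXPANDED is the constructed result of an unquoted one, and MIN_ROUNDS is a threshold chosen for this check, not an OpenLDAP default.

```python
import re

# Constructed input: the two change records above, exactly as a quoted
# heredoc (<<'EOF') hands them to ldapmodify.
HASH_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}
-

dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s
"""

# What an unquoted heredoc (<<EOF) delivers instead: the shell replaced $6
# (an empty positional parameter) and $rounds (an unset variable) with nothing.
HASH_LDIF_EXPANDED = HASH_LDIF.replace("$6$rounds=100001$%.16s", "=100001$%.16s")

SALT_FORMAT_RE = re.compile(r"^\$6\$rounds=(\d+)\$%\.(\d+)s$")
MIN_ROUNDS = 100000   # threshold chosen for this check, not an OpenLDAP default


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, continuation
    lines (leading space) folded, comments and '-' change separators
    skipped.  Returns a list of (dn, {attribute: [values]})."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in chunk.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            if line == "-":
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def check_hash_config(text):
    """Return the problems found in the hashing records (empty list = good)."""
    problems = []
    by_dn = dict(parse_ldif(text))
    frontend = by_dn.get("olcDatabase={-1}frontend,cn=config", {})
    if frontend.get("olcPasswordHash") != ["{CRYPT}"]:
        problems.append("frontend olcPasswordHash is not {CRYPT}")
    fmt = by_dn.get("cn=config", {}).get("olcPasswordCryptSaltFormat", [""])[0]
    match = SALT_FORMAT_RE.match(fmt)
    if not match:
        problems.append(f"salt format {fmt!r} is not $6$rounds=N$%.16s "
                        "(unquoted heredoc / shell expansion?)")
    else:
        rounds, width = int(match.group(1)), int(match.group(2))
        if rounds < MIN_ROUNDS:
            problems.append(f"only {rounds} sha512-crypt rounds (minimum {MIN_ROUNDS})")
        if width != 16:
            problems.append(f"salt width {width}, expected 16 characters")
    return problems


if __name__ == "__main__":
    for label, ldif in (("quoted heredoc", HASH_LDIF),
                        ("unquoted heredoc", HASH_LDIF_EXPANDED)):
        print(label, "->", check_hash_config(ldif) or "OK")
```

Run it with python3 before applying the change; the quoted variant passes and the unquoted one is reported as a mangled salt format. The same reader can be pointed at the output of slapcat -n0 afterwards to confirm what slapd actually stored.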
OpenLdap + TLS with Letsencrypt certificate
We suppose you already have a Let's Encrypt certificate for ldap.example.com.
Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL
Edit the current entry (cn=config) with vi . and set:
- olcTLSCACertificateFile to chain.pem
- olcTLSCertificateFile to cert.pem
- olcTLSCertificateKeyFile to privkey.pem
- olcTLSVerifyClient to never (only the server certificate is checked; clients are not asked for one)
Edit /etc/default/slapd and set SLAPD_SERVICES="ldaps:/// ldapi:///"
service slapd restart
ACL
We only use LDAP as an authentication database and not as an address book, so we need to restrict the ACLs more than the default. We already restrict access to the directory to authenticated users only.
For Heimdal, add the olcAccess value {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break to olcDatabase={1}mdb,cn=config. This gives the local root user, bound over ldapi:///, manage rights on the whole database, which the KDC needs to read and write the principal entries.
Overlay
See https://www.openldap.org/doc/admin24/overlays.html
Unique
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique
EOF
cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}unique
olcUniqueAttribute: cn mail krb5PrincipalName
EOF
MemberOf
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOF
cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: error
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
RefInt
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint
EOF
cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
EOF
Ppolicy
See http://www.zytrax.com/books/ldap/ch6/ppolicy.html
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF
cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {3}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
EOF
cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
# the parent OU must exist before the policy entry can be added
dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: FALSE
pwdAttribute: userPassword
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 10
pwdMinLength: 12
pwdSafeModify: TRUE
EOF
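The policy entry above enforces lockout through pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration, and olcPPolicyUseLockout: FALSE decides what a client gets to see. As an added example, not code from the page and a model of slapd's ppolicy behaviour rather than its implementation, the following Python replays those attributes against two constructed bind timelines; BURST and SLOW are constructed data, and record_bind, client_result and simulate are names chosen here.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PwdPolicy:
    """Lockout-relevant attributes of cn=default,ou=Policies above."""
    pwdMaxFailure: int = 10
    pwdFailureCountInterval: int = 900   # seconds a failure stays counted
    pwdLockoutDuration: int = 900        # seconds locked; 0 = until admin reset
    pwdLockout: bool = True


@dataclass
class AccountState:
    """Operational attributes ppolicy keeps on the user entry."""
    failure_times: List[int] = field(default_factory=list)  # pwdFailureTime
    locked_at: Optional[int] = None                          # pwdAccountLockedTime


def record_bind(policy: PwdPolicy, state: AccountState, now: int, success: bool) -> str:
    """Apply one bind attempt at epoch second `now`.
    Returns the server-side outcome: 'ok', 'invalid' or 'locked'."""
    if state.locked_at is not None:
        expired = (policy.pwdLockoutDuration
                   and now - state.locked_at >= policy.pwdLockoutDuration)
        if not expired:
            return "locked"
        state.locked_at = None          # lockout elapsed, start clean
        state.failure_times = []
    # Failures older than pwdFailureCountInterval are purged before counting.
    state.failure_times = [t for t in state.failure_times
                           if now - t < policy.pwdFailureCountInterval]
    if success:
        state.failure_times = []        # a good bind clears pwdFailureTime
        return "ok"
    state.failure_times.append(now)
    if policy.pwdLockout and len(state.failure_times) >= policy.pwdMaxFailure:
        state.locked_at = now           # pwdAccountLockedTime is set
        return "locked"
    return "invalid"


def client_result(server_result: str, use_lockout: bool = False) -> str:
    """With olcPPolicyUseLockout: FALSE (the setting above) slapd answers a
    locked account with plain invalidCredentials, so a caller cannot tell a
    lockout from a wrong password."""
    if server_result == "locked" and not use_lockout:
        return "invalid"
    return server_result


def simulate(policy: PwdPolicy, attempts):
    """Run a list of (time, success) attempts against a fresh account."""
    state = AccountState()
    return [record_bind(policy, state, t, ok) for t, ok in attempts]


# Constructed timelines (not real log data):
# 10 wrong passwords one second apart, the right one right after, then the
# right one again once the 900 s lockout has expired.
BURST = [(t, False) for t in range(10)] + [(10, True), (911, True)]
# 10 wrong passwords two minutes apart: they keep falling out of the 900 s window.
SLOW = [(t * 120, False) for t in range(10)]

if __name__ == "__main__":
    policy = PwdPolicy()
    for name, attempts in (("burst", BURST), ("slow", SLOW)):
        results = simulate(policy, attempts)
        print(name, "server:", results)
        print(name, "client:", [client_result(r) for r in results])
```

The burst run locks on the tenth failure and keeps rejecting the correct password until the lockout expires, while the slow run never locks because each failure ages out of pwdFailureCountInterval; when tuning the three values, replay your own expected login patterns the same way before committing them to the directory.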
Installing Heimdal KDC
apt install heimdal-kdc
- Set the default realm and the list of kerberos servers and other parameters empty (we will configure it later)
Ldap Config
Add hdb schema
We need to import the Heimdal ldap schema. To do so, we first need to convert the schema to ldif.
mkdir /tmp/ldif_output
cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF
slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config" | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
KDC Config
The configuration below is based on the Heimdal github wiki https://github.com/heimdal/heimdal/wiki
Generate the master KDC encryption key with kstash --random-key -e aes256-cts-hmac-sha1-96 and securely back up the created file /var/lib/heimdal-kdc/m-key. It is the secret key used to encrypt the Kerberos users' keys stored in the database, so keep it readable by root only.
Edit /etc/heimdal-kdc/kdc.conf and change the database = section
database = {
    dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
    hdb-ldap-structural-object = inetOrgPerson
    acl_file = /etc/heimdal-kdc/kadmind.acl
    mkey_file = /var/lib/heimdal-kdc/m-key
}
Create the OU ou=KerberosPrincipals,dc=example,dc=com (an organizationalUnit entry) in the LDAP directory.
service heimdal-kdc restart
# kadmin -l init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]: