#format wiki
#language fr
#acl +All:read

= Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm =

== Setting-up OpenLdap ==

 * `apt install slapd slapd-contrib`
 * Define the admin password
 * Run `dpkg-reconfigure slapd` and make the initial config. Choose MDB as backend.
 * In the following, we suppose you have the base DN of your db in BASEDN. So if you chose `example.com` as domain in the previous step, set `export BASEDN="dc=example,dc=com"`.

You can now connect to `dc=example,dc=com` with user `cn=admin,dc=example,dc=com` and the password chosen.

 * Disable anonymous binds and require authentication:
{{{
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
}}}
 * Optionally set a password to access `cn=config` (I use Apache Directory Studio and shelldap). Generate the password hash with:
{{{
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
}}}

== Setting-up Heimdal Kerberos ==

 * Convert the Heimdal `hdb.schema` to LDIF and load it into `cn=config`:
{{{
cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF
}}}
{{{
# slapcat needs the target config directory to exist
mkdir -p /tmp/ldif_output
slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config" | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif
}}}
{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
}}}

=== KDC Config ===

The configuration below is based on the Heimdal GitHub wiki: https://github.com/heimdal/heimdal/wiki

 * Generate the master KDC encryption key with `kstash --random-key -e aes256-cts-hmac-sha1-96` and back up the created file `/var/lib/heimdal-kdc/m-key` securely. It is the secret key used to encrypt the Kerberos users' private keys.
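Before going further with the KDC, it is worth confirming that the `cn=config` changes from the OpenLDAP section actually took effect. The checker below is an added example, not part of this wiki page: it parses `slapcat -n0` output (folded lines and `::` base64 values included) and reports when `bind_anon` is not disallowed, when a database lacks `olcRequires: authc`, or when an `olcRootPW` is not a slappasswd-style `{SCHEME}` hash. `SAMPLE_CONFIG` is a constructed excerpt, deliberately missing `olcRequires` on the mdb database.

```python
import base64

def parse_ldif(text):
    """LDIF -> list of {attr: [values]} dicts ('dn' included); handles folded
    continuation lines and '::' base64 values the way slapcat emits them."""
    entries, lines = [], []
    for raw in text.splitlines() + ['']:      # trailing '' flushes the last entry
        if raw.startswith(' ') and lines:     # folded line: append to the previous one
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                           # blank line ends an entry
            entry = {}
            for attr, _, value in (ln.partition(':') for ln in lines):
                if value.startswith(':'):     # 'attr:: xxx' is a base64 value
                    value = base64.b64decode(value[1:].strip()).decode()
                entry.setdefault(attr, []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def hardening_findings(entries):
    """Problems found; an empty list means the page's settings are all present."""
    by_dn = {e['dn'][0]: e for e in entries}
    glob = by_dn.get('cn=config', {})
    findings = []
    if 'bind_anon' not in glob.get('olcDisallows', []):
        findings.append('cn=config: anonymous bind not disallowed')
    if 'authc' not in glob.get('olcRequires', []):
        findings.append('cn=config: authentication not required globally')
    for dn, e in by_dn.items():
        db = e.get('olcDatabase', [''])[0]
        # slappasswd output always starts with a {SCHEME} tag; anything else is cleartext
        if any(not pw.startswith('{') for pw in e.get('olcRootPW', [])):
            findings.append(f'{dn}: olcRootPW is not a slappasswd hash')
        # the page sets olcRequires on the frontend and mdb databases, not on {0}config
        if db and not db.endswith('config') and 'authc' not in e.get('olcRequires', []):
            findings.append(f'{dn}: authentication not required')
    return findings

# Constructed excerpt of `slapcat -n0` output; olcRootPW is base64 of the placeholder {SSHA}x
SAMPLE_CONFIG = """\
dn: cn=config
olcDisallows: bind_anon
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=example,
 dc=com
olcRootPW:: e1NTSEF9eA==
"""
```

On a live server, pipe the real dump in with `slapcat -n0 | python3 -c 'import sys, check; print(check.hardening_findings(check.parse_ldif(sys.stdin.read())))'` (assuming the block is saved as `check.py`).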
 * Edit /etc/heimdal-kdc/kdc.conf and change the `database =` section:
{{{
database = {
    dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
    hdb-ldap-structural-object = inetOrgPerson
    acl_file = /etc/heimdal-kdc/kadmind.acl
    mkey_file = /var/lib/heimdal-kdc/m-key
}
}}}
 * Create the OU `ou=KerberosPrincipals,dc=example,dc=com` in the LDAP directory
 * `service heimdal-kdc restart`
 * Initialise the realm:
{{{
# kadmin -l init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
}}}
 * Edit /etc/default/heimdal-kdc and set KPASSWDD_ENABLED to no (otherwise passwords will not be synced between LDAP and Kerberos)
 * For each realm, export the kadmin/admin user:
{{{
kadmin -l ext kadmin/admin@EXAMPLE.COM
kadmin -l ext kadmin/admin@EXAMPLE.NET
}}}
 This will create a keytab file at /etc/krb5.keytab. We move it to /etc/heimdal-kdc/keytab/kadmin.keytab.
 * Edit /etc/inetd.conf and add the following options to kadmind:
{{{
kerberos-adm stream tcp nowait root /usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind --keytab=/etc/heimdal-kdc/keytab/kadmin.keytab -c /etc/heimdal-kdc/kdc.conf
}}}
 * Edit /etc/heimdal-kdc/kadmind.acl and define a user as admin. For instance:
{{{
#principal [priv1,priv2,...] [glob-pattern]
admin@EXAMPLE.COM all,get-keys
}}}

==== Multi REALM ====

Create another realm in the KDC (e.g. EXAMPLE.NET):
{{{
# kadmin -l init EXAMPLE.NET
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
}}}
For users of realm EXAMPLE.COM to be able to authenticate to apps in realm EXAMPLE.NET:
{{{
# kadmin -l add -r krbtgt/EXAMPLE.NET@EXAMPLE.COM
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
}}}

= Administration Tasks =

== Change a Password ==

A user can change their password using `ldappasswd`, for instance:
{{{
$ ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=username,ou=Users,dc=example,dc=com"
}}}
This will prompt for the user's new password (`-S`), then the user's current password to connect to the LDAP server (`-W`), authenticating with the bind DN (`-D "cn=username,ou=Users,dc=example,dc=com"`) using simple bind (`-x`).

== Reset a user password ==

Just bind with an admin account and give ldappasswd the DN of the user as last parameter. For instance:
{{{
ldappasswd -Y EXTERNAL -H ldapi:/// -S "cn=username,ou=Users,dc=example,dc=com"
}}}
or
{{{
ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=admin,dc=example,dc=com" "cn=username,ou=Users,dc=example,dc=com"
}}}
If `-S` is omitted, the LDAP server will generate a new password and ldappasswd will display it on stdout.
----
CatégoriePagePublique