#format wiki
#language fr
#acl +All:read

= Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm =

== Setting-up OpenLdap ==

 * `apt install slapd`

 * Define the admin password

 * Run `dpkg-reconfigure slapd` et make initial config. Choose MDB as backend

 * In the following, we suppose you have the base dn of your db in BASEDN. So if you choose `example.com` as domain in the previous set, set `export BASEDN="dc=example,dc=com"`

   You can know connect to `dc=example,dc=com` with user `cn=admin,dc=example,dc=com` and the password chosen

 * Disable anonymous binds et require authentication

{{{
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
}}}
 * Optionally set a password to access `cn=config` (I use Apache Directory Studio and shelldap)
{{{
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD
}}}
   You can known connect to `cn=config` with user `cn=admin,cn=config`

=== OpenLdap + TLS with Letsencrypt certificate ===

We suppose you have already a letsencrypt certificat for ldap.example.com.

 * Connect to `cn=config` using shelldap: `shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL`
 * Edit .: `vi .`
   * `olcTLSCACertificateFile` to `chain.pem`
   * `olcTLSCertificateFile` to `cert.pem`
   * `olcTLSCertificateKeyFile` to `privkey.pem`
   * `olcTLSVerifyClient: never`
 * Edit `/etc/default/slapd` et set `SLAPD_SERVICES="ldaps:/// ldapi:///"`
 * `service slapd restart`

=== ACL ===

We just use ldap as a auth db and not as an address book, so we need to restric acls more than just the default.
We already restrict access to the directory only to authenticated user.

For Heimdal, add `{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break` to `olcDatabase={1}mdb,cn=config`

== Installing Heimdal KDC ==

 * `apt install heimdal-kdc`
    Set the default realm and the list of kerberos servers and other parameters empty (we will configure it later)

=== Ldap Config ===

==== Add hdb schema ====
We need to import the Heimdal ldap schema. To do so, we first need to convert the schema to ldif.

{{{
mkdir /tmp/ldif_output
}}}

{{{
cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF
}}}

{{{
slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config"  | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif
}}}

{{{
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
}}}


=== KDC Config ===


The configuration below is based on the Heimdal github wiki https://github.com/heimdal/heimdal/wiki

 * Generate the master KDC encryption key with `kstash --random-key -e aes256-cts-hmac-sha1-96` and backup securely the created file `/var/lib/heimdal-kdc/m-key`. It's the secret key used to encrypt the kerberos users private keys.
 * Edit /etc/heimdal-kdc/kdc.conf and change the `database =` section
   {{{
database = {
  dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com   
  hdb-ldap-structural-object = inetOrgPerson
  acl_file = /etc/heimdal-kdc/kadmind.acl
  mkey_file = /var/lib/heimdal-kdc/m-key
}
}}}
 * Create the OU ou=KerberosPrincipals,dc=example,dc=com in the ldap
 * `service heimdal-kdc restart`
 * kadmin -l init EXAMPLE.COM

----
CatégoriePagePublique