Version 4 as of 2019-04-28 14:41:01

Installing OpenLDAP + Heimdal Kerberos on Debian Stretch with multiple realms

Setting up OpenLDAP

  • apt install slapd

  • Define the admin password when prompted
  • Run dpkg-reconfigure slapd and do the initial configuration. Choose MDB as the backend.

  • In the following we suppose the base DN of your database is in BASEDN. So if you chose example.com as the domain in the previous step, set export BASEDN="dc=example,dc=com"

    • You can now connect to dc=example,dc=com as user cn=admin,dc=example,dc=com with the password you chose

  • Disable anonymous binds and require authentication for every operation (the first two changes are global, the last two repeat the requirement on the frontend and on the data database):

cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
  • Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap)

# -c only applies to {CRYPT} hashes: without -h '{CRYPT}' slappasswd emits an {SSHA} hash and ignores the salt format
PASSWORD=$(slappasswd -h '{CRYPT}' -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD
  • You can now connect to cn=config as user cn=admin,cn=config (the olcRootDN of the config database on Debian) with that password

OpenLDAP + TLS with a Let's Encrypt certificate

We suppose you already have a Let's Encrypt certificate for ldap.example.com (certbot keeps the files under /etc/letsencrypt/live/ldap.example.com/).

  • Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL

  • Edit the cn=config entry itself (. is the current entry in shelldap): vi .

    • olcTLSCACertificateFile to the full path of chain.pem

    • olcTLSCertificateFile to the full path of cert.pem

    • olcTLSCertificateKeyFile to the full path of privkey.pem

    • olcTLSVerifyClient: never (the default; clients are not asked for a certificate)

  • slapd runs as the openldap user and reads these three files at startup, so make sure it can read them (certbot's /etc/letsencrypt/live and archive directories are root-only by default: copy the files to a location slapd can read from a certbot deploy hook, or adjust the group permissions) and restart slapd after each renewal, otherwise it keeps serving the old certificate.

  • Edit /etc/default/slapd and set SLAPD_SERVICES="ldaps:/// ldapi:///" so that slapd no longer listens for plaintext LDAP on port 389; local clients, including the KDC, use the ldapi:/// socket.

  • service slapd restart

ACL

We only use LDAP as an authentication database, not as an address book, so we need to restrict the ACLs more than the default. We already restricted access to the directory to authenticated users.

For Heimdal, add the olcAccess value {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break to olcDatabase={1}mdb,cn=config. That DN is the identity slapd assigns to a root process binding over ldapi:/// with SASL EXTERNAL, i.e. the KDC and kadmin -l below; it gets manage (the highest access level) on the whole database. The {0} index puts the rule first, since olcAccess rules are evaluated in order, and by * break lets everyone else fall through to the following rules instead of being denied by this one.

Note that with Debian's default rules, the last of which is to * by * read, every authenticated account can still read the principal entries once they exist, including their krb5Key attribute (the principal keys, encrypted under the KDC master key). Restrict read access to the ou=KerberosPrincipals subtree to that root identity before creating principals.
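A post-setup check for the three sections above (hardening, TLS, the Heimdal ACL), written here as an added example; it is not from the Crans page and not part of OpenLDAP or Heimdal. It assumes ldap-utils and openssl are installed on the LDAP host, that it runs as root there (the peercred check needs uid 0 and the local ldapi:/// socket), and that LDAP_HOST defaults to the ldap.example.com of the TLS section; ROOT_PEERCRED_DN is the subject of the ACL rule above and the function names are this example's own.

```shell
#!/bin/bash
# Post-setup checks for the slapd hardened, TLS-enabled and ACL'd as above.
# Added example, not part of the Crans page or of OpenLDAP/Heimdal. Assumes
# ldap-utils and openssl are installed and that the checks run as root on the
# LDAP host (the peercred check needs uid 0 and the local ldapi:/// socket).
# LDAP_HOST is an assumption to adapt (defaults to the host of the TLS section).

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"

# The identity slapd gives a root process binding over ldapi:/// with SASL
# EXTERNAL; it is the DN the ACL for Heimdal grants "manage" to.
ROOT_PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# 1. Anonymous simple bind must be refused (olcDisallows: bind_anon).
#    ldapwhoami -x without -D performs an anonymous bind; success here means
#    the hardening LDIF was not applied.
anon_bind_refused() {
    local uri="$1"
    if ldapwhoami -x -H "$uri" >/dev/null 2>&1; then
        echo "FAIL: anonymous bind to $uri was accepted" >&2
        return 1
    fi
    echo "OK: anonymous bind to $uri refused"
}

# 2. Root over ldapi:/// must map to the peercred DN used in the ACL; if it
#    maps to something else, the KDC's "manage" rule matches nobody.
root_peercred_matches_acl() {
    local who
    who=$(ldapwhoami -Y EXTERNAL -H ldapi:/// 2>/dev/null) || {
        echo "FAIL: SASL EXTERNAL bind over ldapi:/// failed" >&2
        return 1
    }
    if [ "$who" != "dn:$ROOT_PEERCRED_DN" ]; then
        echo "FAIL: ldapi identity is '$who', ACL expects dn:$ROOT_PEERCRED_DN" >&2
        return 1
    fi
    echo "OK: ldapi identity matches the ACL subject"
}

# 3. The ldaps listener must present a chain that verifies against the system
#    CA store for the hostname (cert.pem + chain.pem configured above).
#    -verify_return_error turns a verification failure into a failed handshake,
#    so the exit status of s_client is the verdict.
tls_chain_verifies() {
    local host="$1"
    if openssl s_client -connect "$host:636" -servername "$host" \
            -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "OK: ldaps://$host presents a valid certificate chain"
    else
        echo "FAIL: certificate chain for ldaps://$host does not verify" >&2
        return 1
    fi
}

# Run every check, report each one, and return non-zero if any failed.
run_checks() {
    local failed=0
    anon_bind_refused "ldaps://$LDAP_HOST/" || failed=1
    root_peercred_matches_acl || failed=1
    tls_chain_verifies "$LDAP_HOST" || failed=1
    return $failed
}

# Only talk to a live server when invoked as: ./ldap-checks.sh run
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Invoke it as ./ldap-checks.sh run; each check prints OK or FAIL and the script exits non-zero if any failed. A FAIL on the peercred check means the dn.exact in the ACL matches nobody (for instance because the caller is not uid 0 or reached slapd over TCP instead of ldapi:///), so kadmin -l init below would be denied.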

Installing Heimdal KDC

  • apt install heimdal-kdc

    • Leave the default realm, the list of Kerberos servers and the other parameters empty when asked (we will configure them later)

LDAP Config

Add hdb schema

We need to import the Heimdal LDAP schema (hdb.schema, which defines krb5Principal, krb5KDCEntry, krb5Key and the other Kerberos attributes) into cn=config. cn=config only takes LDIF, so we first convert the schema with slapcat: core.schema is included first because hdb.schema refers to attributes it defines, which makes hdb the second entry, cn={1}hdb. The sed drops that index (cn=config assigns its own on add) and the grep keeps only dn, objectClass, cn, the olc* attributes and their continuation lines, discarding the operational attributes slapcat also dumps (entryUUID, entryCSN, creatorsName, ...), which slapd would reject on add.

mkdir /tmp/ldif_output

cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF

slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config"  | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
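The conversion above, generalised as an added example to any schema file and any number of prerequisite schemas, with the slapcat post-processing separated out so it can be exercised on a captured dump. This is not code from the Crans page, OpenLDAP or Heimdal; the function names, the SCHEMA_DIR default and the sample slapcat output (constructed, abridged to one attribute type and one object class) are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from the Crans page, and not Heimdal's or OpenLDAP's own
# tooling): the schema-to-LDIF conversion above, generalised to any schema
# file and any number of prerequisite schemas, with the post-processing
# separated so it can be exercised on a captured slapcat dump.
# Assumes slapcat from the slapd package and schema files under SCHEMA_DIR.

SCHEMA_DIR="${SCHEMA_DIR:-/etc/ldap/schema}"

# Post-process slapcat's dump of one cn=schema entry so that ldapadd accepts it:
#  - drop the {N} ordering index from dn and cn (cn=config assigns its own when
#    the entry is added), leaving the {N} prefixes inside olc* values alone;
#  - keep dn, objectClass, cn, the olc* attributes and their continuation lines
#    (leading space), which is the whole entry as it must be added;
#  - thereby discard the operational attributes slapcat emits (entryUUID,
#    entryCSN, creatorsName, createTimestamp, ...) that an add must not carry.
schema_ldif_clean() {
    sed -E 's/^(dn: cn=|cn: )\{[0-9]+\}/\1/' \
        | grep -E '^(dn:|objectClass:|cn:|olc|[[:space:]])'
}

# schema_to_ldif NAME OUTFILE [DEP...]: convert $SCHEMA_DIR/NAME.schema into an
# LDIF file, including each DEP.schema first so slapcat can resolve the types
# it refers to (hdb.schema needs core.schema for cn and friends).
schema_to_ldif() {
    local name="$1" out="$2"; shift 2
    local tmp idx=0 dep
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/config"
    for dep in "$@"; do
        echo "include $SCHEMA_DIR/$dep.schema" >> "$tmp/convert.conf"
        idx=$((idx + 1))
    done
    echo "include $SCHEMA_DIR/$name.schema" >> "$tmp/convert.conf"
    # slapcat numbers schema entries in include order, so ours is cn={idx}NAME.
    slapcat -f "$tmp/convert.conf" -F "$tmp/config" -n0 \
            -s "cn={$idx}$name,cn=schema,cn=config" \
        | schema_ldif_clean > "$out"
    rm -rf "$tmp"
    # Fail loudly if the entry did not come out (wrong index, missing include, ...).
    grep -q "^dn: cn=$name,cn=schema,cn=config\$" "$out"
}

# Constructed sample of what slapcat prints for the hdb schema entry when
# hdb.schema is the second include (abridged to one attribute type and one
# object class, folded at arbitrary positions as slapcat does with long values).
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={1}hdb,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}hdb
olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DESC 'T
 he unparsed Kerberos principal name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1
 .4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal' SUP top AUXI
 LIARY MUST ( krb5PrincipalName ) MAY ( cn ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 3a2b1c0d-0000-1000-8000-000000000000
creatorsName: cn=config
createTimestamp: 20190428124101Z
entryCSN: 20190428124101.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190428124101Z

EOF
}

# On the Stretch host, as root, the import above becomes:
#   schema_to_ldif hdb /etc/ldap/schema/hdb.ldif core
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
```

Run schema_ldif_clean on sample_slapcat_output to see the entry that reaches ldapadd: the dn and cn lose their {1}, the {0} inside the olc* values survives, and the seven operational attributes disappear. Those two details are exactly what breaks silently when the schema ends up at a different index than the one passed to -s.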

KDC Config

The configuration below is based on the Heimdal GitHub wiki: https://github.com/heimdal/heimdal/wiki

  • Generate the KDC master key with kstash --random-key -e aes256-cts-hmac-sha1-96 and back up the created file /var/lib/heimdal-kdc/m-key securely. It is the key under which the principals' keys are encrypted before being stored in the directory (the krb5Key attribute), so it must stay readable by root only, and without a backup of it the database is unrecoverable.

  • Edit /etc/heimdal-kdc/kdc.conf and change the database = section:

    • database = {
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        hdb-ldap-structural-object = inetOrgPerson
        acl_file = /etc/heimdal-kdc/kadmind.acl
        mkey_file = /var/lib/heimdal-kdc/m-key
      }
      dbname points the hdb-ldap backend at the subtree where the principals live; hdb-ldap-structural-object is the structural object class used for entries that kadmin creates from scratch, so that the same entry can hold the usual person attributes alongside the Kerberos principal data.
  • Create the OU ou=KerberosPrincipals,dc=example,dc=com in the directory (for example with ldapadd as cn=admin,dc=example,dc=com)

  • service heimdal-kdc restart

  • kadmin -l init EXAMPLE.COM, run as root: kadmin -l talks to the database directly rather than through kadmind, so it binds over ldapi:/// as the root peercred identity that the ACL above grants manage to.

