Sommaire

Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm
1. Setting-up OpenLdap
2. Installing Heimdal KDC
  1. Ldap Config
    1. Add hdb schema
  2. KDC Config
    1. Multi REALM
Administration Tasks
1. Change a Password
2. Reset a user password

Installing OpenLdap + Heimdal Kerberos on Debian Stretch with Multiple Realm

Setting-up OpenLdap

apt install slapd slapd-contrib
Define the admin password
Run dpkg-reconfigure slapd et make initial config. Choose MDB as backend
In the following, we suppose you have the base dn of your db in BASEDN. So if you choose example.com as domain in the previous set, set export BASEDN="dc=example,dc=com"
- You can know connect to dc=example,dc=com with user cn=admin,dc=example,dc=com and the password chosen
Disable anonymous binds et require authentication

cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF

Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap)

PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD

You can known connect to cn=config with user cn=admin,cn=config

Change the default hash from SSHA to CRYPT SHA512 with 10001 rounds

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}
-
dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s
EOF

OpenLdap + TLS with Letsencrypt certificate

We suppose you have already a letsencrypt certificat for ldap.example.com.

Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL
Edit .: vi .
- olcTLSCACertificateFile to chain.pem
- olcTLSCertificateFile to cert.pem
- olcTLSCertificateKeyFile to privkey.pem
- olcTLSVerifyClient: never
Edit /etc/default/slapd et set SLAPD_SERVICES="ldaps:/// ldapi:///"
service slapd restart

ACL

We just use ldap as a auth db and not as an address book, so we need to restric acls more than just the default. We already restrict access to the directory only to authenticated user.

For Heimdal, add {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break to olcDatabase={1}mdb,cn=config

Overlay

cf https://www.openldap.org/doc/admin24/overlays.html

Unique

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: unique
olcUniqueAttribute: cn mail krb5PrincipalName
EOF

MemberOf

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: error
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF

RefInt

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad:refint
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
EOF

smbk5pwd

To do only after KDC initialization. This overlay allow to keep ldap password and kerberos key in sync. cf https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/smbk5pwd

apt install samba
setfacl -m 'u:openldap:r' /var/lib/heimdal-kdc/m-key
zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | ldapadd -Y EXTERNAL -H ldapi:///

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: smbk5pwd
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd

Ppolicy

Order of overlay are important (last added called first) so this one must be after smbk5pwd (so we check the password before smbk5pwd edit related password attributes)

cf http://www.zytrax.com/books/ldap/ch6/ppolicy.html

ldapadd -Y EXTERNAL -H ldapi:/// -f  /etc/ldap/schema/ppolicy.ldif
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad:ppolicy
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 10
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: FALSE
pwdMaxAge: 0
pwdMinAge: 0
pwdInHistory: 0
EOF

Installing Heimdal KDC

apt install heimdal-kdc
- Set the default realm and the list of kerberos servers and other parameters empty (we will configure it later)

Ldap Config

Add hdb schema

We need to import the Heimdal ldap schema. To do so, we first need to convert the schema to ldif.

mkdir /tmp/ldif_output

cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF

slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config"  | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif

KDC Config

The configuration below is based on the Heimdal github wiki https://github.com/heimdal/heimdal/wiki

Generate the master KDC encryption key with kstash --random-key -e aes256-cts-hmac-sha1-96 and backup securely the created file /var/lib/heimdal-kdc/m-key. It's the secret key used to encrypt the kerberos users private keys.

Edit /etc/heimdal-kdc/kdc.conf and change the database = section

database = {
  dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com   
  hdb-ldap-structural-object = inetOrgPerson
  acl_file = /etc/heimdal-kdc/kadmind.acl
  mkey_file = /var/lib/heimdal-kdc/m-key
}

Create the OU ou=KerberosPrincipals,dc=example,dc=com in the ldap
service heimdal-kdc restart

# kadmin -l init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:

Edit /etc/default/heimdal-kdc and set KPASSWDD_ENABLED to no (otherwise password will not be synced between ldap and kerberos)
For each realm, export the kadmin/admin user:
```
kadmin -l ext kadmin/admin@EXAMPLE.COM
kadmin -l ext kadmin/admin@EXAMPLE.NET
```
This will create a keytab file at /etc/krb5.keytab. We move it to /etc/heimdal-kdc/keytab/kadmin.keytab

Edit /etc/inetd.conf add the following options de kadmind:

kerberos-adm    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind --keytab=/etc/heimdal-kdc/keytab/kadmin.keytab -c /etc/heimdal-kdc/kdc.conf

Edit /etc/heimdal-kdc/kadmind.acl and define a user as admin. For instance

#principal       [priv1,priv2,...]       [glob-pattern]
admin@EXAMPLE.COM all,get-keys

Multi REALM

Create another realm in the KDC (e.g EXAMPLE.NET)

# kadmin -l init EXAMPLE.NET
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:

For users of realm EXAMPLE.COM to be able to auth on apps on realm EXAMPLE.NET:

# kadmin -l add -r krbtgt/EXAMPLE.NET@EXAMPLE.COM
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:

Administration Tasks

Change a Password

A user can change its password using ldappasswd, for instance

$ ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=username,ou=Users,dc=example,dc=com"

This will prompt for the user new password (-S), then the current user password to connect to the ldap server (-W) authenticating with binddn (-D "cn=username,ou=Users,dc=example,dc=com") using simple bind (-x)

Reset a user password

Just bind with a admin account and give ldappasswd the dn of the user as last parameter. For instance:

ldappasswd -Y EXTERNAL -H ldapi:/// -S "cn=username,ou=Users,dc=example,dc=com"

ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=admin,dc=example,dc=com" "cn=username,ou=Users,dc=example,dc=com"

If -S is omitted, the ldap server will generate a new password and ldappasswd will display it on stdout.

CatégoriePagePublique