In this tutorial, I am configuring Kerberos with LDAP. In my scenario, I have three machines, as follows:
ldap1.example.com = LDAP server and Kerberos server
ldap2.example.com = client of the LDAP server and Kerberos server
client1.example.com = client of the LDAP server and Kerberos server
Note: I used the /etc/hosts file for resolving host names into IP addresses.
Domain Name = example.com
LDAP Base DN = dc=example,dc=com
LDAP Server Name = ldap1.example.com
Kerberos realm = EXAMPLE.COM
KDC Server = ldap1.example.com
Admin Server = ldap1.example.com
Step 1: First you have to install the Kerberos server package
Install the krb5-server package:
[root@ldap1.example.com ~]#yum install krb5-server
Step 2: Now you have to create (initialize) the Kerberos database. The -s option also writes a stash file, so the KDC can start at boot without prompting for the master key.
[root@ldap1.example.com ~]#kdb5_util create -s -r EXAMPLE.COM
Enter KDC Database master key:redhat@123
Re-enter KDC Database master key to verify:redhat@123
Step 3: Now you have to configure the /etc/krb5.conf file
[root@ldap1.example.com ~]#vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = ldap1.example.com
admin_server = ldap1.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
:wq (save and exit)
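The [domain_realm] and dns_lookup_kdc settings above decide which realm a client maps a host name to and whether the KDC is found statically or through DNS. The script below is an added example (not part of the original tutorial): it writes a constructed copy of these krb5.conf sections to a temporary file, reproduces the host-to-realm lookup in a simplified form (the exact matching rules differ between krb5 releases, which is why the tutorial lists both the ".example.com" and "example.com" forms), and checks that the KDC is pinned rather than discovered via DNS, where a forged SRV answer could steer clients to another KDC. The helper names krb5_get, realm_for_host and kdc_is_pinned are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: reproduce the [domain_realm]
# lookup that the Kerberos client libraries perform against the krb5.conf above,
# and check that the KDC is pinned rather than discovered through DNS.
set -eu

# Constructed copy of the relevant sections of the tutorial's krb5.conf, written
# to a temporary file so the script runs anywhere (the real file is /etc/krb5.conf).
KRB5_CONF="${TMPDIR:-/tmp}/krb5.conf.example.$$"
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = ldap1.example.com
  admin_server = ldap1.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF
trap 'rm -f "$KRB5_CONF"' EXIT

# krb5_get SECTION KEY FILE: print the value of "KEY = value" inside [SECTION];
# prints nothing when the key is absent.
krb5_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$3"
}

# realm_for_host HOST FILE: map a host name to a realm the way the library does
# when dns_lookup_realm = false (simplified; exact rules vary by krb5 release):
# exact host entry first, then each parent domain with a leading dot, then
# default_realm as the fallback (newer libraries may use realm referrals instead).
realm_for_host() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # mappings are matched in lower case
    realm=$(krb5_get domain_realm "$host" "$2")
    name=$host
    while [ -z "$realm" ] && [ "${name#*.}" != "$name" ]; do
        name=${name#*.}
        realm=$(krb5_get domain_realm ".$name" "$2")
    done
    [ -n "$realm" ] || realm=$(krb5_get libdefaults default_realm "$2")
    printf '%s\n' "$realm"
}

# kdc_is_pinned FILE: succeed only when clients will talk to the statically
# configured KDC (dns_lookup_kdc = false plus a kdc line under [realms]), so a
# forged DNS SRV answer cannot steer them to a different KDC.
kdc_is_pinned() {
    [ "$(krb5_get libdefaults dns_lookup_kdc "$1")" = "false" ] &&
    [ -n "$(krb5_get realms kdc "$1")" ]
}

for h in client1.example.com ldap2.example.com example.com host.other.org; do
    printf '%-22s -> %s\n' "$h" "$(realm_for_host "$h" "$KRB5_CONF")"
done
if kdc_is_pinned "$KRB5_CONF"; then
    echo "KDC pinned to $(krb5_get realms kdc "$KRB5_CONF")"
else
    echo "warning: KDC would be located through DNS"
fi
```

Run it with sh; to check a real client, point KRB5_CONF at /etc/krb5.conf instead of the constructed copy and call kdc_is_pinned on it.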
Step 4: Now you have to start/restart the services and enable them to start at boot time.
[root@ldap1.example.com ~]#service krb5kdc restart
[root@ldap1.example.com ~]#chkconfig krb5kdc on
Step 5: Now create principals for users/hosts and services on the Kerberos server
[root@ldap1.example.com ~]#kadmin.local
kadmin.local:listprincs
kadmin.local:addprinc ldapuser1@EXAMPLE.COM
Enter the password for principal "ldapuser1@EXAMPLE.COM":kerberos@123
Re-enter the password for principal "ldapuser1@EXAMPLE.COM":kerberos@123
kadmin.local:quit
Note: I have some LDAP users like "ldapuser1, ldapuser2, ldapuser3", etc. on the LDAP server.
Step 6: Now open some log files on the Kerberos server to watch the logs
[root@ldap1.example.com ~]#tail -f /var/log/messages /var/log/kadmin.log /var/log/krb5kdc.log
Step 7: Now go to the client machine and configure it to use Kerberos authentication with LDAP.
On the client machine:
[root@client1.example.com ~]#yum install pam_krb5
[root@client1.example.com ~]#yum install krb5-workstation
Step 8: Now configure the client machine to get user information from LDAP and password (authentication) information from Kerberos.
For the LDAP configuration, the settings are as follows:
LDAP Base DN dc=example,dc=com
LDAP server Name ldap1.example.com
For the Kerberos configuration, the settings are as follows:
Realm: EXAMPLE.COM
KDC: ldap1.example.com
Admin Server: ldap1.example.com
Now log in as "ldapuser1" with the password "kerberos@123":
[root@client1.example.com ~]#ssh ldapuser1@client1.example.com
password:kerberos@123
[root@client1.example.com ~]#klist
Note: I created a "student" user in the local database to test the password of "ldapuser1" only.
Now look at the log file on the Kerberos server; you will see the ticket being issued in the log file.
Step 9: Now configure "ldap2.example.com" as an LDAP client with authentication from Kerberos, and check whether the same user is able to log in or not
Note: I have another machine, "ldap2.example.com", which I am using as an LDAP client with password authentication from the Kerberos server.
So go to "ldap2.example.com" and configure it as an LDAP client with authentication from Kerberos.
[root@ldap2.example.com ~]#authconfig-gtk
For the LDAP configuration, the settings are as follows:
LDAP Base DN dc=example,dc=com
LDAP server Name ldap1.example.com
For the Kerberos configuration, the settings are as follows:
Realm: EXAMPLE.COM
KDC: ldap1.example.com
Admin Server: ldap1.example.com
Now log in as "ldapuser1" with the password "kerberos@123":
[root@ldap2.example.com ~]#ssh ldapuser1@ldap2.example.com
password:kerberos@123
[root@ldap2.example.com ~]#klist
Note: Configure this machine as a client of the LDAP server with password authentication from the Kerberos server.
Step 10: Now, from the "client1.example.com" machine, try to access the "sshd" service on "ldap2.example.com", which does not yet have a host principal on the Kerberos server but is also a client of the "ldap1.example.com" LDAP server.
Note: In this case you have to enter your password again to use the sshd service on ldap2.example.com.
[root@client1.example.com ~]#ssh ldapuser1@client1.example.com
[root@client1.example.com ~]#ssh ldapuser1@ldap2.example.com
Note: You have to supply your password again.
Step 11: Now configure Kerberos to provide "single sign-on"
Go to the Kerberos server and create a principal for the root user so that you can access your Kerberos server over the network and configure it from a remote machine as well.
[root@ldap1.example.com ~]#kadmin.local
kadmin.local:listprincs
kadmin.local:addprinc root/admin@EXAMPLE.COM
Enter the password for principal "root/admin@EXAMPLE.COM":root@123
Re-enter the password for principal "root/admin@EXAMPLE.COM":root@123
kadmin.local:quit
[root@ldap1.example.com ~]#service kadmin restart
Step 12: Now go to ldap2.example.com, access the Kerberos server, and create a principal for the sshd service on it.
[root@ldap2.example.com ~]#kadmin
password for root/admin@EXAMPLE.COM:root@123
kadmin:addprinc -randkey host/ldap2.example.com@EXAMPLE.COM
kadmin:ktadd -k /etc/krb5.keytab host/ldap2.example.com@EXAMPLE.COM
kadmin:quit
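Step 10 showed what happens when the host principal is missing (sshd falls back to a password prompt), and Step 12 fixes it by adding host/ldap2.example.com to /etc/krb5.keytab. The script below is an added example (not part of the original tutorial) of verifying the result on ldap2.example.com: it parses the output of "klist -k /etc/krb5.keytab" for the expected host principal and checks that the keytab is mode 0600, since anyone who can read it holds the host's long-term key. A constructed copy of the klist output and an empty stand-in keytab file are embedded so the checks run anywhere; the function names keytab_principals, keytab_has_principal, keytab_mode_ok and check_host_keytab are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify the host keytab that
# Step 12 creates on ldap2.example.com. The real input is the output of
# "klist -k /etc/krb5.keytab"; a constructed copy is embedded here so the
# checks run anywhere.
set -eu

# Constructed sample of "klist -k" output (three key entries for one
# principal, as a keytab with several encryption types would show).
KLIST_OUT="${TMPDIR:-/tmp}/klist-k.sample.$$"
cat > "$KLIST_OUT" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.example.com@EXAMPLE.COM
   2 host/ldap2.example.com@EXAMPLE.COM
   2 host/ldap2.example.com@EXAMPLE.COM
EOF
# Constructed stand-in for /etc/krb5.keytab, used only for the permission check.
FAKE_KEYTAB="${TMPDIR:-/tmp}/krb5.keytab.sample.$$"
: > "$FAKE_KEYTAB"
chmod 600 "$FAKE_KEYTAB"
trap 'rm -f "$KLIST_OUT" "$FAKE_KEYTAB"' EXIT

# keytab_principals LISTING: print each distinct principal in "klist -k" output
# (the rows whose first column is a numeric KVNO), one per line.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }' "$1" | sort -u
}

# keytab_has_principal LISTING PRINCIPAL: succeed if PRINCIPAL is in the keytab.
keytab_has_principal() {
    keytab_principals "$1" | grep -qx -- "$2"
}

# keytab_mode_ok PATH: succeed only when the file mode is -rw------- (0600);
# anyone who can read the keytab can impersonate the host service.
keytab_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_host_keytab FQDN REALM LISTING KEYTAB: run both checks, report, and
# return non-zero if either fails.
check_host_keytab() {
    fqdn=$1; realm=$2; listing=$3; keytab=$4; status=0
    if keytab_has_principal "$listing" "host/$fqdn@$realm"; then
        echo "ok: host/$fqdn@$realm is in $keytab"
    else
        echo "FAIL: host/$fqdn@$realm missing from $keytab (GSSAPI logins will fall back to a password prompt)"
        status=1
    fi
    if keytab_mode_ok "$keytab"; then
        echo "ok: $keytab is mode 0600"
    else
        echo "FAIL: $keytab is readable by others; fix with: chmod 600 $keytab"
        status=1
    fi
    return $status
}

check_host_keytab ldap2.example.com EXAMPLE.COM "$KLIST_OUT" "$FAKE_KEYTAB"
```

On the real host, run klist -k /etc/krb5.keytab > /tmp/klist.out as root and call check_host_keytab with /tmp/klist.out and /etc/krb5.keytab; a non-zero exit means Step 13 will still prompt for a password.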
Step 13: Now access the sshd service from "client1.example.com" to "ldap2.example.com" using the "ldapuser1" user account. This time it should not ask you to supply a password for "ldapuser1".
[root@client1.example.com ~]#ssh ldapuser1@client1.example.com
[root@client1.example.com ~]#ssh ldapuser1@ldap2.example.com
Note: You should log in on "ldap2.example.com" as "ldapuser1" without a password, because you still have a valid Kerberos ticket.
Reader comment:
Hello Suresh,
We are trying to set up a Kerberos KDC using Oracle Directory Server Enterprise Edition as the principal database. Do you know where I can find the correct Oracle Directory Server Enterprise Edition (ODSEE) LDAP schema extensions for this?