Hello everybody
I have a Debian 9.5.0 server. I have LDAP and a MIT Kerberos server installed. My users can log in and actually everything works. However, I have separate user passwords in LDAP and Kerberos. I found out that I need to install SASL (pass-through authentication) for this. I have problems with the installation. Can someone help me, please?
LDAP Kerberos and SASL (pass through authentication)
Re: LDAP Kerberos and SASL (pass through authentication)
joe2017 wrote:
    I have problems with the installation. Can someone help me, please?

Not before you give us a report on these problems:
actual full commands & their output, no paraphrasing.
code tags for code.
please.
Re: LDAP Kerberos and SASL (pass through authentication)
Here is my installation and configuration.
sudo apt -y install slapd ldap-utils
sudo dpkg-reconfigure slapd
sudo nano /tempfolder/logging.ldif
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tempfolder/logging.ldif
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.1st
sudo nano /etc/rsyslog.conf
sudo systemctl restart syslog.service
sudo apt install -y krb5-kdc krb5-admin-server krb5-kdc-ldap
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/
sudo nano /tempfolder/schema_convert.conf
mkdir /tmp/ldif_output
sudo slapcat -f /tempfolder/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif
sudo nano /tmp/cn\=kerberos.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
sudo cp /etc/krb5.conf /etc/krb5.conf.1st
sudo nano /etc/krb5.conf
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net create -subtrees dc=domain,dc=net -r domain.NET -s -H ldap://LDAPServer.domain.net
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=domain,dc=net
kadmin.local
addprinc admin/admin
listprinc
sudo nano /etc/krb5kdc/kadm5.acl
sudo /etc/init.d/krb5-admin-server restart
sudo apt install ssl-cert
sudo gpasswd -a openldap ssl-cert
sudo systemctl restart slapd.service
sudo cp /tmp/CA.crt /etc/ldap/sasl2/CA.crt.pem
sudo cp /tmp/LDAPServer_ecdsa.crt.pem /etc/ldap/sasl2/
sudo cp /tmp/LDAPServer_ecdsa_re.key.pem /etc/ldap/sasl2/
sudo chown openldap. /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem \
/etc/ldap/sasl2/LDAPServer_ecdsa.crt.pem \
/etc/ldap/sasl2/CA.crt.pem
sudo nano /tempfolder/certinfo.ldif
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tempfolder/certinfo.ldif
sudo nano /etc/krb5.conf
sudo nano /etc/default/slapd
sudo service slapd restart
sudo nano /etc/ldap/ldap.conf
sudo service slapd restart
sudo systemctl start krb5-kdc.service
sudo systemctl start krb5-admin-server.service
I have problems with the deployment of SASL. Here I already tested some installations.
sudo apt -y install slapd ldap-utils
sudo dpkg-reconfigure slapd
Code:
No
domain.net
domain.net
MDB
No
Yes
No
Code (/tempfolder/logging.ldif):
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.1st
sudo nano /etc/rsyslog.conf
Code:
# add to the end....
# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0
sudo apt install -y krb5-kdc krb5-admin-server krb5-kdc-ldap
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/
sudo nano /tempfolder/schema_convert.conf
Code:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema
sudo slapcat -f /tempfolder/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif
sudo nano /tmp/cn\=kerberos.ldif
Code:
### DELETE THIS ###
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///
Code:
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
Code:
dn: olcDatabase={1}mdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=domain,dc=net" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=domain,dc=net" write by * read
sudo nano /etc/krb5.conf
Code:
[libdefaults]
default_realm = DOMAIN.NET
...
[realms]
domain.NET = {
kdc = LDAPServer.domain.net
admin_server = LDAPServer.domain.net
default_domain = domain.net
database_module = openldap_ldapconf
}
...
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
...
[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer,dc=domain,dc=net
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=domain,dc=net"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=admin,dc=domain,dc=net"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldap://LDAPServer.domain.net
# ldap_servers = ldaps://LDAPServer.domain.net
ldap_conns_per_server = 5
}
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net create -subtrees dc=domain,dc=net -r domain.NET -s -H ldap://LDAPServer.domain.net
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=domain,dc=net
kadmin.local
addprinc admin/admin
listprinc
sudo nano /etc/krb5kdc/kadm5.acl
Code:
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@domain.NET *
sudo apt install ssl-cert
sudo gpasswd -a openldap ssl-cert
sudo systemctl restart slapd.service
sudo cp /tmp/CA.crt /etc/ldap/sasl2/CA.crt.pem
sudo cp /tmp/LDAPServer_ecdsa.crt.pem /etc/ldap/sasl2/
sudo cp /tmp/LDAPServer_ecdsa_re.key.pem /etc/ldap/sasl2/
sudo chown openldap. /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem \
/etc/ldap/sasl2/LDAPServer_ecdsa.crt.pem \
/etc/ldap/sasl2/CA.crt.pem
sudo nano /tempfolder/certinfo.ldif
Code:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/CA.crt.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/LDAPServer_ecdsa.crt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem
sudo nano /etc/krb5.conf
Code:
# ldap_servers = ldap://LDAPServer.domain.net
ldap_servers = ldaps://LDAPServer.domain.net
Code (/etc/default/slapd):
# SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
SLAPD_SERVICES="ldaps:///"
sudo nano /etc/ldap/ldap.conf
Code:
BASE dc=domain,dc=net
URI ldaps://LDAPServer
TLS_CACERT /etc/ldap/sasl2/CA.crt.pem
TLS_REQCERT never
sudo systemctl start krb5-kdc.service
sudo systemctl start krb5-admin-server.service
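What the SASL pass-through piece looks like on Debian, as an added example that is not from this thread or from the poster's server: slapd stores `{SASL}user@REALM` in userPassword, libsasl inside slapd forwards the simple-bind password to saslauthd, and saslauthd checks it against the Kerberos KDC. The uid `joe`, the DN `uid=joe,ou=People,dc=domain,dc=net` and the realm spelling `DOMAIN.NET` are assumptions, as are the stretch package paths; nothing below writes to /etc.

```shell
#!/bin/sh
# Added example, not from the thread: the Debian pieces that make slapd
# forward a user's simple-bind password to Kerberos through saslauthd
# (OpenLDAP "{SASL}" pass-through). Nothing here writes to /etc; the
# functions print each file so it can be reviewed, then copied in as root.
# Assumed, not taken from the post: uid "joe" under ou=People,dc=domain,dc=net,
# realm DOMAIN.NET, and the stretch package paths.

# /etc/default/saslauthd: Debian ships START=no and MECHANISMS="pam".
# kerberos5 makes saslauthd obtain a TGT for user@realm with the password.
# Give saslauthd a readable host keytab so it can verify that TGT against
# the host key; without that check a rogue KDC could answer the request.
saslauthd_defaults() {
    cat <<'EOF'
START=yes
MECHANISMS="kerberos5"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
EOF
}

# /etc/ldap/sasl2/slapd.conf: libsasl inside slapd sends plaintext
# password checks to the saslauthd socket instead of checking locally.
slapd_sasl_conf() {
    cat <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
}

# userPassword value that switches one account to pass-through: slapd hands
# everything after {SASL} to libsasl, which splits user@realm at '@'.
# Fails on an empty uid/realm or a realm that is not upper case, because realm
# names are case-sensitive and a miscased one just yields "invalid credentials".
passthrough_userpassword() {
    uid=$1 realm=$2
    [ -n "$uid" ] && [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    printf '{SASL}%s@%s\n' "$uid" "$realm"
}

# LDIF that replaces the LDAP-side hash. After this, only the Kerberos
# password works for simple binds, which is the single-password goal.
passthrough_ldif() {
    dn=$1 uid=$2 realm=$3
    pw=$(passthrough_userpassword "$uid" "$realm") || return 1
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$dn" "$pw"
}

# Stage all three under a scratch root (default ./passthrough-stage) so they
# can be diffed against the live files first. Prints the root it used.
stage_passthrough() {
    root=${1:-./passthrough-stage}
    mkdir -p "$root/etc/default" "$root/etc/ldap/sasl2"
    saslauthd_defaults > "$root/etc/default/saslauthd"
    slapd_sasl_conf > "$root/etc/ldap/sasl2/slapd.conf"
    passthrough_ldif "uid=joe,ou=People,dc=domain,dc=net" joe DOMAIN.NET \
        > "$root/joe-passthrough.ldif"
    echo "$root"
}

# On the server, as root, after copying the staged files into place:
#   adduser openldap sasl      # /var/run/saslauthd is root:sasl, mode 710
#   systemctl restart saslauthd slapd
#   testsaslauthd -u joe -r DOMAIN.NET -p 'kerberos-password'
#   ldapwhoami -x -H ldapi:/// -D uid=joe,ou=People,dc=domain,dc=net -W
```

Two things to keep in mind with this layout. Debian's slapd is built with the `{SASL}` password scheme, but the bind path becomes user → slapd → saslauthd → KDC → LDAP (the kldap backend), so a KDC outage also stops simple binds against LDAP; test with `testsaslauthd` first so a failure can be placed on the right hop. The `ldapwhoami` check above needs an `ldapi:///` listener, which the posted `SLAPD_SERVICES="ldaps:///"` no longer provides.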
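Three settings in the configuration above deserve a second look before adding SASL on top: `TLS_REQCERT never` in /etc/ldap/ldap.conf, `SLAPD_SERVICES="ldaps:///"` in /etc/default/slapd, and the realm written both as `DOMAIN.NET` and `domain.NET`. The checks below are an added example, not part of the original post; the sample files are constructed here from the posted values so the checks run offline, and on a real server the functions would be pointed at the live files instead.

```shell
#!/bin/sh
# Added example, not from the thread: checks that read ldap.conf,
# /etc/default/slapd and krb5.conf and report the settings in the posted
# configuration that weaken TLS or break the setup. Sample inputs are
# constructed below from the posted values; point the functions at the
# real files on the server instead.

# ldap.conf is read by every libldap client, including the KDC's kldap
# backend once ldap_servers is ldaps://, so 'TLS_REQCERT never' also turns
# the KDC's own LDAP connection into unauthenticated TLS.
audit_ldap_conf() {
    f=$1
    if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)' "$f"; then
        echo "ldap.conf: TLS_REQCERT never/allow skips server certificate checks; use demand (the default) and fix the real cause"
    fi
    # A bare short name must match a SAN/CN in the certificate; it usually
    # does not, which is the common reason people reach for TLS_REQCERT never.
    if grep -Eq '^[[:space:]]*URI[[:space:]]+ldaps://[^./[:space:]]+([[:space:]]|$)' "$f"; then
        echo "ldap.conf: URI uses a short hostname; use the FQDN the server certificate was issued for"
    fi
}

# /etc/default/slapd: dropping ldapi:/// removes the Unix-socket listener that
# 'ldapmodify -Y EXTERNAL -H ldapi:///' (root acting on cn=config) relies on.
audit_slapd_default() {
    f=$1
    services=$(sed -n 's/^[[:space:]]*SLAPD_SERVICES="\([^"]*\)".*/\1/p' "$f" | tail -n 1)
    case " $services " in
        *" ldapi:"*) ;;
        *) echo "default/slapd: SLAPD_SERVICES=\"$services\" has no ldapi:///; cn=config edits over EXTERNAL will fail" ;;
    esac
}

# krb5.conf: realm names are case-sensitive. default_realm and every
# [realms] section name must agree byte for byte.
audit_krb5_conf() {
    f=$1
    default=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | head -n 1)
    # realm section names look like "NAME = {" inside [realms]
    sed -n '/^\[realms\]/,/^\[/{s/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*{.*/\1/p;}' "$f" \
    | while read -r name; do
        [ "$name" = "$default" ] || echo "krb5.conf: realm section '$name' does not match default_realm '$default' (case matters)"
    done
}

# Constructed samples reproducing the posted values (not copied from a live host).
write_samples() {
    d=$(mktemp -d)
    cat > "$d/ldap.conf" <<'EOF'
BASE dc=domain,dc=net
URI ldaps://LDAPServer
TLS_CACERT /etc/ldap/sasl2/CA.crt.pem
TLS_REQCERT never
EOF
    cat > "$d/slapd" <<'EOF'
# SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
SLAPD_SERVICES="ldaps:///"
EOF
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
default_realm = DOMAIN.NET
[realms]
domain.NET = {
kdc = LDAPServer.domain.net
admin_server = LDAPServer.domain.net
}
[domain_realm]
.domain.net = DOMAIN.NET
EOF
    echo "$d"
}

# Run every check over a directory holding ldap.conf, slapd and krb5.conf.
audit_all() {
    d=$1
    audit_ldap_conf "$d/ldap.conf"
    audit_slapd_default "$d/slapd"
    audit_krb5_conf "$d/krb5.conf"
}

# Number of findings; 0 means clean.
count_findings() { audit_all "$1" | wc -l | tr -d ' '; }
```

On the posted values this reports four findings. The first two are the ones that matter for security: with `TLS_REQCERT never` the ldaps:// URL gives confidentiality against a passive observer but no server authentication, so anyone who can redirect traffic to LDAPServer can present any certificate and read the KDC's bind password and every user's simple-bind password. The fix is to issue the certificate for the FQDN that clients and the KDC actually use, keep `TLS_REQCERT demand`, and leave `ldapi:///` in `SLAPD_SERVICES` so the root-only Unix socket remains the administration path.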
Re: LDAP Kerberos and SASL (pass through authentication)
that's ... a lot.
but only the first command seems to pertain to actual installation, and also happens to be the only command whose output you did not provide.

joe2017 wrote:
    sudo apt -y install slapd ldap-utils

Don't use -y until you are 111% sure what you're doing.