
LDAP Kerberos and SASL (pass through authentication)

Linux Kernel, Network, and Services configuration.
joe2017
Posts: 7
Joined: 2018-06-11 09:59

LDAP Kerberos and SASL (pass through authentication)

#1 Post by joe2017 »

Hello everybody

I have a Debian 9.5.0 server with LDAP and a MIT Kerberos server installed. My users can log in and everything actually works. However, I have separate user passwords in LDAP and in Kerberos. I found out that I need to set up SASL (pass-through authentication) for this, but I have problems with the installation. Can someone help me, please?

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: LDAP Kerberos and SASL (pass through authentication)

#2 Post by debiman »

joe2017 wrote: I have problems with the installation. Can someone help me, please?
not before you give us a report on these problems.
actual full commands & their output, no paraphrasing.
code tags for code.
please.

joe2017
Posts: 7
Joined: 2018-06-11 09:59

Re: LDAP Kerberos and SASL (pass through authentication)

#3 Post by joe2017 »

Here is my installation and configuration.

# Install the OpenLDAP server (slapd) and the ldap-* client tools.
sudo apt -y install slapd ldap-utils

# Re-run the Debian post-install dialog; the answers given are listed below.
sudo dpkg-reconfigure slapd


No
domain.net
domain.net
MDB
No
Yes
No
# Create the LDIF that raises slapd's log level (contents follow).
sudo nano /tempfolder/logging.ldif


# Switch slapd to "stats" logging (connections, operations and results) by
# replacing olcLogLevel on the cn=config entry.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
# Apply the log-level change as the local root identity (SASL EXTERNAL over
# the ldapi:/// Unix socket; -Q suppresses the SASL banner).
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tempfolder/logging.ldif


# Keep a copy of the pristine rsyslog config before editing it (snippet below).
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.1st
sudo nano /etc/rsyslog.conf


# add to the end of the file

# Disable rate limiting
# (default is 200 messages in 5 seconds; an interval of 0 turns the limit off
# entirely so bursts of log lines are not silently dropped)
$SystemLogRateLimitInterval 0
# Restart the syslog daemon to pick up the rsyslog change.
sudo systemctl restart syslog.service

# MIT Kerberos KDC, kadmin server, and the LDAP backend (kldap) with its schema.
sudo apt install -y krb5-kdc krb5-admin-server krb5-kdc-ldap

# Unpack the Kerberos schema shipped with krb5-kdc-ldap into slapd's schema
# directory so it can be converted to cn=config form below.
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/


# Temporary slapd.conf used only to drive the schema conversion (contents below).
sudo nano /tempfolder/schema_convert.conf


# Minimal slapd.conf used only for slapcat's schema conversion.
# The include order matters: the converted cn=config entries are numbered by
# position, so kerberos.schema as the 13th include becomes cn={12}kerberos,
# which is the DN requested in the slapcat command below.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema
# Scratch directory for the converted cn=config tree.
# NOTE(review): a fixed, predictable path under the world-writable /tmp can be
# pre-created by another local user; a mktemp -d directory would be safer, but
# the following steps reference these paths literally, so they are kept here.
mkdir /tmp/ldif_output
# Convert the schema from slapd.conf (-f) into cn=config form (-F) and dump
# only the kerberos schema entry (-n0 = config database, -s = subtree to dump).
sudo slapcat -f /tempfolder/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif


# Edit the dump: the server-generated attributes listed below must be removed
# before the entry can be loaded with ldapadd.
sudo nano /tmp/cn\=kerberos.ldif


### DELETE THESE LINES ###
# Operational attributes written by slapcat; they are server-managed and are
# rejected when the entry is added, so remove them from /tmp/cn=kerberos.ldif.
# NOTE(review): the dn:/cn: lines of the dump usually also need the "{12}"
# ordering prefix stripped before the add is accepted — confirm against the file.
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z
# Load the cleaned schema entry into cn=config.
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif

# Apply the index change below; the LDIF is typed on stdin (finish with Ctrl-D).
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///


# Index krbPrincipalName on the data database ({1}mdb) for equality, presence
# and substring filters; the KDC looks principals up by this attribute.
dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
# Replace the database ACLs with the set below (LDIF on stdin, finish with Ctrl-D).
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///


# Access control for the {1}mdb data database; rules are evaluated first-match.
dn: olcDatabase={1}mdb,cn=config
# Secrets: only the admin DN may read/write them, anonymous may use them to
# bind (auth), the entry owner may change them, everyone else gets nothing.
# NOTE(review): "by self write" also covers krbPrincipalKey, so a bound user
# can replace their own Kerberos key material directly instead of through
# kadmin; limit self-write to userPassword if that is not intended.
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=domain,dc=net" write by anonymous auth by self write by * none
-
# Root DSE readable by everyone so clients can discover the naming contexts.
add: olcAccess
olcAccess: to dn.base="" by * read
-
# Everything else: admin writes, anyone (including anonymous) reads.
# NOTE(review): anonymous read exposes the principal entries and their
# non-secret attributes to any network client; "by users read" restricts
# enumeration to authenticated clients — confirm whether anonymous read is
# needed by anything else.
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=domain,dc=net" write by * read
# Back up krb5.conf, then edit it (the relevant sections are shown below).
sudo cp /etc/krb5.conf /etc/krb5.conf.1st
sudo nano /etc/krb5.conf


# /etc/krb5.conf — client defaults plus the KDC's LDAP backend settings.
# NOTE(review): realm names are case-sensitive. default_realm and the
# [domain_realm] mappings say DOMAIN.NET, while the [realms] entry, the
# kdb5_ldap_util -r argument and kadm5.acl say domain.NET; use one spelling
# everywhere, otherwise lookups for the default realm will not find this entry.
[libdefaults]
        default_realm = DOMAIN.NET

...

[realms]
        domain.NET = {
                kdc = LDAPServer.domain.net
                admin_server = LDAPServer.domain.net
                default_domain = domain.net
                # Name of the [dbmodules] block holding the LDAP settings.
                database_module = openldap_ldapconf
        }

...

# Host / DNS-domain to realm mapping.
[domain_realm]
        .domain.net = DOMAIN.NET
        domain.net = DOMAIN.NET

...

[dbdefaults]
        # All realm data is stored beneath this container entry in the directory.
        ldap_kerberos_container_dn = cn=krbContainer,dc=domain,dc=net

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                # DN the KDC binds as; its password is read from the stash file below.
                # NOTE(review): cn=admin is granted write on the whole tree by the
                # ACLs above, while the comment below says the KDC only needs read;
                # a dedicated read-only bind DN would follow least privilege.
                ldap_kdc_dn = "cn=admin,dc=domain,dc=net"

                # the object above needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=domain,dc=net"

                # the object above needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                # Stashed bind passwords, written by "kdb5_ldap_util stashsrvpw".
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                # Plain ldap:// here, so the bind password crosses the network
                # unencrypted unless the server is local; switched to ldaps:// later.
                ldap_servers = ldap://LDAPServer.domain.net
                # ldap_servers = ldaps://LDAPServer.domain.net
                ldap_conns_per_server = 5
        }

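# Create the realm container and subtrees in the directory.
# -subtrees: where principals live; -r: realm name; -s: stash the master key;
# -H: directory server to use.
# The original read "-subtrees \ dc=domain,dc=net" (probably a line-wrap
# artifact): the escaped space glues a leading blank onto the DN argument,
# so the stray "\ " is removed here.
# NOTE(review): the realm spelling must match krb5.conf (default_realm); the
# admin bind password is sent over plain ldap:// in this step — ldapi:/// or
# ldaps:// avoids that once TLS is configured.
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net create -subtrees dc=domain,dc=net -r domain.NET -s -H ldap://LDAPServer.domain.net


# Store the bind password for cn=admin in the stash file named in krb5.conf
# (ldap_service_password_file) so the KDC and kadmind can bind without a prompt.
sudo kdb5_ldap_util -D cn=admin,dc=domain,dc=net stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=domain,dc=net


# Create the administrative principal and list what exists. The original typed
# these inside an interactive kadmin.local session; -q runs a single command
# non-interactively, and the list command is spelled "listprincs".
sudo kadmin.local -q 'addprinc admin/admin'
sudo kadmin.local -q 'listprincs'


# Grant administrative rights to */admin principals (file contents below).
sudo nano /etc/krb5kdc/kadm5.acl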


# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# The line below enables that. NOTE(review): the realm is spelled domain.NET
# here; it must match the realm the database was created with exactly
# (realm names are case-sensitive).
*/admin@domain.NET	*
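# Restart kadmind so the edited ACL takes effect.
sudo /etc/init.d/krb5-admin-server restart

# ssl-cert provides the ssl-cert group; slapd runs as the openldap user,
# which is added to that group here.
sudo apt install ssl-cert

sudo gpasswd -a openldap ssl-cert
sudo systemctl restart slapd.service


# Install the CA, server certificate and private key where slapd will read
# them (the same paths are referenced in certinfo.ldif below).
# NOTE(review): /tmp is world-writable; verify the files' origin before copying.
sudo cp /tmp/CA.crt /etc/ldap/sasl2/CA.crt.pem
sudo cp /tmp/LDAPServer_ecdsa.crt.pem /etc/ldap/sasl2/
sudo cp /tmp/LDAPServer_ecdsa_re.key.pem /etc/ldap/sasl2/

# Hand the files to the service account. "openldap:" is the documented
# owner:group form; the original used the legacy "openldap." spelling.
sudo chown openldap: /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem \
/etc/ldap/sasl2/LDAPServer_ecdsa.crt.pem \
/etc/ldap/sasl2/CA.crt.pem
# cp keeps whatever mode the file had in /tmp; make sure the private key is
# not world-readable (owner rw, group r, nothing for others).
sudo chmod 640 /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem


# TLS settings for slapd (contents below).
sudo nano /tempfolder/certinfo.ldif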


# Point slapd at the CA bundle, server certificate and private key installed
# under /etc/ldap/sasl2 above; this enables the ldaps:/// listener configured
# in /etc/default/slapd further down.
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/CA.crt.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/LDAPServer_ecdsa.crt.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/LDAPServer_ecdsa_re.key.pem
# Apply the TLS settings. Unlike the earlier calls this one omits -Q, so the
# SASL EXTERNAL banner is printed; harmless, but -Q would keep the output consistent.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tempfolder/certinfo.ldif

# Switch the KDC's directory connection to ldaps:// (edit shown below).
sudo nano /etc/krb5.conf


                # ldap_servers = ldap://LDAPServer.domain.net
                # KDC and kadmind now bind over TLS; the server certificate is
                # checked by libldap according to TLS_CACERT/TLS_REQCERT in
                # /etc/ldap/ldap.conf, so those settings govern whether the
                # check is actually enforced.
                ldap_servers = ldaps://LDAPServer.domain.net
# Restrict which listeners slapd starts (edit shown below).
sudo nano /etc/default/slapd


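# SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
# Drop the plaintext ldap:/// listener but keep the local ldapi:/// socket:
# every cn=config change in this procedure is made with
# "ldapmodify -Y EXTERNAL -H ldapi:///", which stops working when only
# ldaps:/// is listened on.
SLAPD_SERVICES="ldapi:/// ldaps:///"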
# Restart slapd so the new listener set takes effect.
sudo service slapd restart


# Client-side LDAP defaults used by ldap-utils and libldap (contents below).
sudo nano /etc/ldap/ldap.conf


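# System-wide defaults for libldap clients (ldap-utils, the KDC's kldap backend).
BASE	dc=domain,dc=net
# NOTE(review): the short host name must be present in the server
# certificate (CN/SAN) for verification to succeed — confirm, or use the FQDN.
URI	ldaps://LDAPServer

TLS_CACERT	/etc/ldap/sasl2/CA.crt.pem
# The original had "never", which disables certificate verification entirely
# and leaves ldaps:// open to an on-path impersonator. "demand" (the default)
# refuses the connection unless the server certificate validates against
# TLS_CACERT above.
TLS_REQCERT	demand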
# Restart slapd with the final client config in place, then bring up the KDC
# and kadmind (both now reach the directory over ldaps://).
sudo service slapd restart
sudo systemctl start krb5-kdc.service
sudo systemctl start krb5-admin-server.service


I have problems with the SASL deployment. I have already tried several installation approaches for it.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: LDAP Kerberos and SASL (pass through authentication)

#4 Post by debiman »

that's ... a lot.

but only the first command seems to pertain to actual installation, and also happens to be the only command whose output you did not provide :?
joe2017 wrote: sudo apt -y install slapd ldap-utils
don't use -y until you are 111% sure what you're doing.
