daten des servers

domain = linuggs.de
passwd = sysadm
server = maria.xinux.org
ip = 192.168.244.154

apparmor entfernen oder die doku lesen :-)

apt-get remove apparmor
reboot

slapd

• apt-get install slapd libldap2-dev db-util sasl2-bin

ldaputils

• apt-get install ldap-utils libpam-ldap libnss-ldap ldapscripts

grundkonfiguration

• dpkg-reconfigure -p low slapd

alles löschen 

kontrolle der konfig

• ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
• cn=config

sasl changes

• sasl.ldif
• ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl.ldif

struktur anlegen

• struktur.ldif
• ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif

gruppen anlegen

• gruppen.ldif
• ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f gruppen.ldif

struktur listen

• ldapsearch -xLLL

dn: dc=linuggs,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: linuggs.de
dc: linuggs

dn: cn=admin,dc=linuggs,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=users,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: hosts

kerberos

• sudo apt-get install krb5-kdc krb5-admin-server

konfig /etc/krb4kdc/krb.conf

• krb.conf

konfig /etc/krb5.conf

• krb5.conf

make a newrealm

• rm /var/lib/krb5kdc/*
• krb5_newrealm
• generiert zufallszahlen wenn es zu lange dauert
• (cat /dev/sda > /dev/urandom)

admin user im kerberos anlegen und passwors "sysadm" setzen

• kadmin.local -q "addprinc -pw sysadm admin"
• kadmin.local -q "addprinc -pw sysadm root/admin"

hostkeytab anlegen und verteilen

• kadmin.local -q "addprinc -randkey host/maria"
• kadmin.local -q "ktadd -k /etc/krb5.keytab host/maria"

ldapkeytab anlegen und verteilen

• kadmin.local -q "addprinc -randkey ldap/maria.xinux.org"
• kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab ldap/maria.xinux.org"

tests

• kinit admin

Password for admin@LINUGGS.DE:

• klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LINUGGS.DE

Valid starting       Expires              Service principal
09.12.2014 19:04:36  10.12.2014 05:04:36  krbtgt/LINUGGS.DE@LINUGGS.DE
renew until 10.12.2014 19:04:29

slapd mit ticket starten

• echo export KRB5_KTNAME=/etc/ldap/ldap.keytab >> /etc/default/slapd
• service slapd restart

openldap user zur slasl gruppe

• usermod -G sasl openldap

sasl

• sudo apt-get install sasl2-bin libsasl2-modules-gssapi-mit

/etc/default/saslauthd

• START=yes
• MECHANISMS="kerberos5"

restart sasl

• service saslauthd restart

sasl test

• testsaslauthd -u admin -p sysadm -r LINUGGS.DE

0: OK "Success."

sasl ldap aktivieren

• mkdir /etc/ldap/sasl2
• echo "pwcheck_method: saslauthd" > /etc/ldap/sasl2/slapd.conf
• service slapd restart

user anlegen

/usr/local/sbin/uadd

• uadd

anlegen

• uadd jethru 10001

adding new entry "uid=jethru,ou=users,dc=linuggs,dc=de"

Authenticating as principal admin/admin@LINUGGS.DE with password.
WARNING: no policy specified for jethru@LINUGGS.DE; defaulting to no policy
Principal "jethru@LINUGGS.DE" created.

sasl test

• testsaslauthd -u jethru -p suxer -r LINUGGS.DE

0: OK "Success."

ldap sasl test

• ldapsearch -LLL -D uid=jethru,ou=users,dc=linuggs,dc=de -w suxer cn=it

dn: cn=it,ou=groups,dc=linuggs,dc=de
objectClass: posixGroup
cn: it
gidNumber: 10001
description: Group account

client

daten des client

domain = linuggs.de
passwd = sysadm
server = huey.xinux.org
ip = 192.168.244.151

kerberos client konf kopieren

• cd /etc
• scp root@maria:$PWD/krb5.conf .

konfig /etc/krb5.conf

• krb5.conf