Ldap-sasl-kerberos: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(68 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=daten des servers=
 +
domain = linuggs.de
 +
passwd = sysadm
 +
server = maria.xinux.org
 +
ip = 192.168.244.154
 +
 +
=apparmor entfernen oder die doku lesen :-)=
 +
apt-get remove apparmor
 +
reboot
 +
 
=slapd=
 
=slapd=
 
*apt-get install slapd libldap2-dev  db-util sasl2-bin
 
*apt-get install slapd libldap2-dev  db-util sasl2-bin
 +
 +
=ldaputils=
 +
*apt-get install ldap-utils libpam-ldap libnss-ldap ldapscripts
 +
==/etc/ldap/ldap.conf==
 +
*[[ldap.conf.maria|ldap.conf]]
  
 
=grundkonfiguration=
 
=grundkonfiguration=
 
*dpkg-reconfigure -p low slapd
 
*dpkg-reconfigure -p low slapd
alles löschen  
+
alles löschen  
domain = linuggs.de
+
==kontrolle der konfig==
passwd = sysadm
+
*ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
server = maria.xinux.org
+
*[[slapd1.maria|cn=config]]
 +
 
 +
==sasl changes==
 +
*[[sasl.ldif.maria|sasl.ldif]]
 +
*ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl.ldif
 +
==struktur anlegen==
 +
*[[struktur.ldif.maria|struktur.ldif]]
 +
*ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
 +
 
 +
==gruppen anlegen==
 +
*[[gruppen.ldif.maria|gruppen.ldif]]
 +
*ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f gruppen.ldif
 +
 
 +
==struktur listen==
 +
*ldapsearch -xLLL
 +
<pre>
 +
dn: dc=linuggs,dc=de
 +
objectClass: top
 +
objectClass: dcObject
 +
objectClass: organization
 +
o: linuggs.de
 +
dc: linuggs
 +
 
 +
dn: cn=admin,dc=linuggs,dc=de
 +
objectClass: simpleSecurityObject
 +
objectClass: organizationalRole
 +
cn: admin
 +
description: LDAP administrator
 +
 
 +
dn: ou=users,dc=linuggs,dc=de
 +
objectClass: organizationalUnit
 +
ou: users
 +
 
 +
dn: ou=groups,dc=linuggs,dc=de
 +
objectClass: organizationalUnit
 +
ou: groups
  
=kontrolle der konfig=
+
dn: ou=hosts,dc=linuggs,dc=de
ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
+
objectClass: organizationalUnit
*[[slapd1.maria]]
+
ou: hosts
 +
</pre>
  
 
=kerberos=
 
=kerberos=
 
*sudo apt-get install krb5-kdc krb5-admin-server
 
*sudo apt-get install krb5-kdc krb5-admin-server
 
==konfig /etc/krb4kdc/krb.conf==
 
==konfig /etc/krb4kdc/krb.conf==
*[[krb1.maria|krb.conf]]
+
*[[krb5.maria|krb.conf]]
 +
==konfig /etc/krb4kdc/kadm5.acl==
 +
*/admin *
 +
admin *
  
 
==konfig /etc/krb5.conf==
 
==konfig /etc/krb5.conf==
*[[krb1.maria|krb5.conf]]
+
*[[krb5.maria|krb5.conf]]
 +
 
 
==make a newrealm==
 
==make a newrealm==
rm /var/lib/krb5kdc/*
+
*rm /var/lib/krb5kdc/*
krb5_newrealm  wenn langdauert dauer -> ssh -p 8472 gondor "cat /dev/urandom" > /dev/urandom
+
*krb5_newrealm   
 +
*generiert zufallszahlen wenn es zu lange dauert
 +
*(cat /dev/sda > /dev/urandom)
  
 +
==admin user im kerberos anlegen und passwors "sysadm" setzen==
 +
*kadmin.local -q "addprinc -pw sysadm admin"
 +
*kadmin.local -q "addprinc -pw sysadm root/admin"
  
 +
==hostkeytab anlegen und verteilen==
 +
*kadmin.local -q "addprinc -randkey host/maria.xinux.org"
 +
*kadmin.local -q "ktadd -k /etc/krb5.keytab host/maria.xinux.org"
  
=apparmor entfernen oder die doku lesen :-)=
+
==ldapkeytab anlegen und verteilen==
  apt-get remove apparmor
+
*kadmin.local -q "addprinc -randkey ldap/maria.xinux.org"
 +
*kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab ldap/maria.xinux.org"
 +
 
 +
==tests==
 +
*kinit admin
 +
Password for admin@LINUGGS.DE:
 +
*klist
 +
Ticket cache: FILE:/tmp/krb5cc_0
 +
Default principal: admin@LINUGGS.DE
 +
 +
Valid starting      Expires              Service principal
 +
09.12.2014 19:04:36  10.12.2014 05:04:36  krbtgt/LINUGGS.DE@LINUGGS.DE
 +
  renew until 10.12.2014 19:04:29
 +
 
 +
=slapd mit ticket starten=
 +
*echo export KRB5_KTNAME=/etc/ldap/ldap.keytab >> /etc/default/slapd
 +
*service slapd restart
  
=ldaputils=
+
==openldap user zur slasl gruppe==
apt-get install ldap-utils libpam-ldap libnss-ldap ldapscripts
+
*usermod -G sasl openldap
  
 
=sasl=
 
=sasl=
 
*sudo apt-get install sasl2-bin libsasl2-modules-gssapi-mit
 
*sudo apt-get install sasl2-bin libsasl2-modules-gssapi-mit
==admin user im kerberos anlegen und passwors "sysadm" setzen==
+
==/etc/default/saslauthd==
kadmin.local -q "addprinc -pw sysadm admin"
+
*START=yes
 +
*MECHANISMS="kerberos5"
 +
 
 +
==restart sasl==
 +
*service saslauthd restart
 +
==sasl test==
 +
*testsaslauthd -u admin -p sysadm -r LINUGGS.DE
 +
0: OK "Success."
 +
==sasl ldap aktivieren==
 +
*mkdir /etc/ldap/sasl2
 +
*echo "pwcheck_method: saslauthd" > /etc/ldap/sasl2/slapd.conf
 +
*service slapd restart
 +
=user anlegen=
 +
==/usr/local/sbin/uadd==
 +
*[[uadd.add|uadd]]
 +
==anlegen==
 +
*uadd jethru 10001
 +
adding new entry "uid=jethru,ou=users,dc=linuggs,dc=de"
 +
 +
Authenticating as principal admin/admin@LINUGGS.DE with password.
 +
WARNING: no policy specified for jethru@LINUGGS.DE; defaulting to no policy
 +
Principal "jethru@LINUGGS.DE" created.
 +
==sasl test==
 +
*testsaslauthd -u jethru -p suxer -r LINUGGS.DE
 +
0: OK "Success."
 +
==ldap sasl test==
 +
*ldapsearch -LLL -D uid=jethru,ou=users,dc=linuggs,dc=de -w suxer cn=it
 +
dn: cn=it,ou=groups,dc=linuggs,dc=de
 +
objectClass: posixGroup
 +
cn: it
 +
gidNumber: 10001
 +
description: Group account
 +
=client=
 +
=daten des client=
 +
domain = linuggs.de
 +
passwd = sysadm
 +
server = huey.xinux.org
 +
ip = 192.168.244.151
 +
=kerberos client konf kopieren=
 +
*cd /etc
 +
*scp root@maria:$PWD/krb5.conf .
 +
==konfig /etc/krb5.conf==
 +
*[[krb1.maria|krb5.conf]]
 +
==hostkeytab anlegen und verteilen==
 +
*kadmin
 +
Authenticating as principal root/admin@LINUGGS.DE with password.
 +
Password for root/admin@LINUGGS.DE:
 +
*kadmin:  addprinc -randkey host/huey.xinux.org
 +
WARNING: no policy specified for host/huey.xinux.org@LINUGGS.DE; defaulting to no policy
 +
Principal "host/huey.xinux.org@LINUGGS.DE" created.
 +
*kadmin:  ktadd -k /etc/krb5.keytab host/huey.xinux.org
 +
Entry for principal host/huey.xinux.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
 +
Entry for principal host/huey.xinux.org with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
 +
Entry for principal host/huey.xinux.org with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
 +
Entry for principal host/huey.xinux.org with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.
 +
=installation ldap pam krb5 tools=
 +
*apt-get install ldap-utils libpam-ldap libnss-ldap libpam-krb5
 +
=/etc/ldap/ldap.conf=
 +
*[[ldap.conf.maria|ldap.conf]]
 +
=ich nutze nur eine ldap.conf=
 +
*ln -s /etc/ldap/ldap.conf /etc/
  
 +
=/etc/nsswitch.conf=
 +
*[[nsswitch.conf.ldap|nsswitch.conf]]
 +
=pam.d=
 +
das System nimmt normalerweise Änderungen selbst vor.
 +
*[[common-account.maria|common-account]]
 +
*[[common-a.maria|common-auth]]
 +
*[[common-passwd.maria|common-password]]
 +
man kann hier das automatische homeverzeichniss erstellen aktivieren
 +
session required pam_mkhomedir.so  skel=/etc/skel umask=0022
 +
*[[common-session.maria|common-session]]
 +
=tests=
 +
==einglogen von neutralem rechner==
 +
*thomas@cardassia ~ $ ssh mario@huey
 +
*mario@huey:~$ id
 +
uid=10003(mario) gid=10001(it) Gruppen=10001(it)
 +
*mario@huey:~$ klist
 +
Ticket cache: FILE:/tmp/krb5cc_10003_2yjLSp
 +
Default principal: mario@LINUGGS.DE
 +
 +
Valid starting      Expires              Service principal
 +
10.12.2014 14:02:33  11.12.2014 00:02:33  krbtgt/LINUGGS.DE@LINUGGS.DE
 +
renew until 11.12.2014 14:02:33
 +
==password ändern==
 +
*mario@huey:~$ kpasswd
 +
Password for mario@LINUGGS.DE:
 +
Enter new password:
 +
Enter it again:
 +
Password changed.
 +
=single sign on ssh über keberos=
 +
alle teilnehmenden Rechner anpassen
 +
==sshd anpassen==
 +
*/etc/sshd/sshd_config
 +
GSSAPIAuthentication yes
 +
GSSAPICleanupCredentials yes
 +
==ssh neustart==
 +
service ssh restart
  
==openldap user zur slasl gruppe==
+
==ssh client==
  usermod -G sasl openldap
+
*ssh -k maria
==/etc/default/saslauthd==
+
oder per default
*START=yes
+
  GSSAPIAuthentication yes
*MECHANISMS="keberos5"
+
in der Datei
 +
*/etc/ssh/ssh_config
 +
oder
 +
*~/.ssh/config

Aktuelle Version vom 13. Dezember 2014, 20:19 Uhr

daten des servers

domain = linuggs.de
passwd = sysadm
server = maria.xinux.org
ip = 192.168.244.154

apparmor entfernen oder die doku lesen :-)

apt-get remove apparmor
reboot

slapd

  • apt-get install slapd libldap2-dev db-util sasl2-bin

ldaputils

  • apt-get install ldap-utils libpam-ldap libnss-ldap ldapscripts

/etc/ldap/ldap.conf

grundkonfiguration

  • dpkg-reconfigure -p low slapd
alles löschen

kontrolle der konfig

  • ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
  • cn=config

sasl changes

  • sasl.ldif
  • ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl.ldif

struktur anlegen

  • struktur.ldif
  • ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif

gruppen anlegen

  • gruppen.ldif
  • ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f gruppen.ldif

struktur listen

  • ldapsearch -xLLL
dn: dc=linuggs,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: linuggs.de
dc: linuggs

dn: cn=admin,dc=linuggs,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=users,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: groups

dn: ou=hosts,dc=linuggs,dc=de
objectClass: organizationalUnit
ou: hosts

kerberos

  • sudo apt-get install krb5-kdc krb5-admin-server

konfig /etc/krb4kdc/krb.conf

konfig /etc/krb4kdc/kadm5.acl

*/admin *
admin *

konfig /etc/krb5.conf

make a newrealm

  • rm /var/lib/krb5kdc/*
  • krb5_newrealm
  • generiert zufallszahlen wenn es zu lange dauert
  • (cat /dev/sda > /dev/urandom)

admin user im kerberos anlegen und passwors "sysadm" setzen

  • kadmin.local -q "addprinc -pw sysadm admin"
  • kadmin.local -q "addprinc -pw sysadm root/admin"

hostkeytab anlegen und verteilen

  • kadmin.local -q "addprinc -randkey host/maria.xinux.org"
  • kadmin.local -q "ktadd -k /etc/krb5.keytab host/maria.xinux.org"

ldapkeytab anlegen und verteilen

  • kadmin.local -q "addprinc -randkey ldap/maria.xinux.org"
  • kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab ldap/maria.xinux.org"

tests

  • kinit admin
Password for admin@LINUGGS.DE:
  • klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LINUGGS.DE

Valid starting       Expires              Service principal
09.12.2014 19:04:36  10.12.2014 05:04:36  krbtgt/LINUGGS.DE@LINUGGS.DE
renew until 10.12.2014 19:04:29

slapd mit ticket starten

  • echo export KRB5_KTNAME=/etc/ldap/ldap.keytab >> /etc/default/slapd
  • service slapd restart

openldap user zur slasl gruppe

  • usermod -G sasl openldap

sasl

  • sudo apt-get install sasl2-bin libsasl2-modules-gssapi-mit

/etc/default/saslauthd

  • START=yes
  • MECHANISMS="kerberos5"

restart sasl

  • service saslauthd restart

sasl test

  • testsaslauthd -u admin -p sysadm -r LINUGGS.DE
0: OK "Success."

sasl ldap aktivieren

  • mkdir /etc/ldap/sasl2
  • echo "pwcheck_method: saslauthd" > /etc/ldap/sasl2/slapd.conf
  • service slapd restart

user anlegen

/usr/local/sbin/uadd

anlegen

  • uadd jethru 10001
adding new entry "uid=jethru,ou=users,dc=linuggs,dc=de"

Authenticating as principal admin/admin@LINUGGS.DE with password.
WARNING: no policy specified for jethru@LINUGGS.DE; defaulting to no policy
Principal "jethru@LINUGGS.DE" created.

sasl test

  • testsaslauthd -u jethru -p suxer -r LINUGGS.DE
0: OK "Success."

ldap sasl test

  • ldapsearch -LLL -D uid=jethru,ou=users,dc=linuggs,dc=de -w suxer cn=it
dn: cn=it,ou=groups,dc=linuggs,dc=de
objectClass: posixGroup
cn: it
gidNumber: 10001
description: Group account

client

daten des client

domain = linuggs.de
passwd = sysadm
server = huey.xinux.org
ip = 192.168.244.151

kerberos client konf kopieren

  • cd /etc
  • scp root@maria:$PWD/krb5.conf .

konfig /etc/krb5.conf

hostkeytab anlegen und verteilen

  • kadmin
Authenticating as principal root/admin@LINUGGS.DE with password.
Password for root/admin@LINUGGS.DE:
  • kadmin: addprinc -randkey host/huey.xinux.org
WARNING: no policy specified for host/huey.xinux.org@LINUGGS.DE; defaulting to no policy
Principal "host/huey.xinux.org@LINUGGS.DE" created.
  • kadmin: ktadd -k /etc/krb5.keytab host/huey.xinux.org
Entry for principal host/huey.xinux.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/huey.xinux.org with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/huey.xinux.org with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/huey.xinux.org with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/krb5.keytab.

installation ldap pam krb5 tools

  • apt-get install ldap-utils libpam-ldap libnss-ldap libpam-krb5

/etc/ldap/ldap.conf

ich nutze nur eine ldap.conf

  • ln -s /etc/ldap/ldap.conf /etc/

/etc/nsswitch.conf

pam.d

das System nimmt normalerweise Änderungen selbst vor.

man kann hier das automatische homeverzeichniss erstellen aktivieren 

session required pam_mkhomedir.so  skel=/etc/skel umask=0022

tests

einglogen von neutralem rechner

  • thomas@cardassia ~ $ ssh mario@huey
  • mario@huey:~$ id
uid=10003(mario) gid=10001(it) Gruppen=10001(it)
  • mario@huey:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10003_2yjLSp
Default principal: mario@LINUGGS.DE

Valid starting       Expires              Service principal
10.12.2014 14:02:33  11.12.2014 00:02:33  krbtgt/LINUGGS.DE@LINUGGS.DE
	renew until 11.12.2014 14:02:33

password ändern

  • mario@huey:~$ kpasswd
Password for mario@LINUGGS.DE: 
Enter new password: 
Enter it again: 
Password changed.

single sign on ssh über keberos

alle teilnehmenden Rechner anpassen

sshd anpassen

  • /etc/sshd/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

ssh neustart

service ssh restart

ssh client

  • ssh -k maria

oder per default 

GSSAPIAuthentication yes

in der Datei

  • /etc/ssh/ssh_config

oder

  • ~/.ssh/config
Abgerufen von „http://wiki.ixheim.de/index.php?title=Ldap-sasl-kerberos&oldid=6207