Ldap-sasl-kerberos
slapd
- apt-get install slapd libldap2-dev db-util sasl2-bin
ldaputils
- apt-get install ldap-utils libpam-ldap libnss-ldap ldapscripts
grundkonfiguration
- dpkg-reconfigure -p low slapd
alles löschen
domain = linuggs.de passwd = sysadm server = maria.xinux.org
kontrolle der konfig
- ldapsearch -Y EXTERNAL -LLL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
- cn=config
sasl changes
- sasl.ldif
- ldapmodify -Y EXTERNAL -H ldapi:/// -f sasl.ldif
struktur anlegen
- struktur.ldif
- ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f struktur.ldif
gruppen anlegen
- gruppen.ldif
- ldapadd -xD cn=admin,dc=linuggs,dc=de -w sysadm -f gruppen.ldif
struktur listen
- ldapsearch -xLLL
dn: dc=linuggs,dc=de objectClass: top objectClass: dcObject objectClass: organization o: linuggs.de dc: linuggs dn: cn=admin,dc=linuggs,dc=de objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator dn: ou=users,dc=linuggs,dc=de objectClass: organizationalUnit ou: users dn: ou=groups,dc=linuggs,dc=de objectClass: organizationalUnit ou: groups dn: ou=hosts,dc=linuggs,dc=de objectClass: organizationalUnit ou: hosts
kerberos
- sudo apt-get install krb5-kdc krb5-admin-server
konfig /etc/krb4kdc/krb.conf
konfig /etc/krb5.conf
make a newrealm
rm /var/lib/krb5kdc/* krb5_newrealm wenn langdauert dauer -> ssh -p 8472 gondor "cat /dev/urandom" > /dev/urandom
apparmor entfernen oder die doku lesen :-)
apt-get remove apparmor
admin user im kerberos anlegen und passwors "sysadm" setzen
- kadmin.local -q "addprinc -pw sysadm admin"
hostkeytab anlegen und verteilen
- kadmin.local -q "addprinc -randkey host/maria"
- kadmin.local -q "ktadd -k /etc/krb5.keytab host/maria"
ldapkeytab anlegen und verteilen
- kadmin.local -q "addprinc -randkey ldap/maria.xinux.org"
- kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab ldap/maria.xinux.org"
tests
- kinit admin
Password for admin@LINUGGS.DE:
- klist
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin@LINUGGS.DE Valid starting Expires Service principal 09.12.2014 19:04:36 10.12.2014 05:04:36 krbtgt/LINUGGS.DE@LINUGGS.DE renew until 10.12.2014 19:04:29
slapd mit ticket starten
- echo export KRB5_KTNAME=/etc/ldap/ldap.keytab >> /etc/default/slapd
- service slapd restart
openldap user zur slasl gruppe
- usermod -G sasl openldap
sasl
- sudo apt-get install sasl2-bin libsasl2-modules-gssapi-mit
/etc/default/saslauthd
- START=yes
- MECHANISMS="kerberos5"
restart sasl
- service saslauthd restart
sasl test
- testsaslauthd -u admin -p sysadm -r LINUGGS.DE
0: OK "Success."
sasl ldap aktivieren
- mkdir /etc/ldap/sasl2
- echo "pwcheck_method: saslauthd" > /etc/ldap/sasl2/slapd.conf
- service slapd restart
user anlegen
/usr/local/sbin/uadd
anlegen
- uadd jethru 10001
adding new entry "uid=jethru,ou=users,dc=linuggs,dc=de" Authenticating as principal admin/admin@LINUGGS.DE with password. WARNING: no policy specified for jethru@LINUGGS.DE; defaulting to no policy Principal "jethru@LINUGGS.DE" created.
sasl test
- testsaslauthd -u jethru -p suxer -r LINUGGS.DE
0: OK "Success."
ldap sasl test
- ldapsearch -LLL -D uid=jethru,ou=users,dc=linuggs,dc=de -w suxer ou=it
dn: cn=it,ou=groups,dc=linuggs,dc=de objectClass: posixGroup cn: it gidNumber: 10001 description: Group account