Changes for page KerberosAndLDAP
Last modified by Sirius Rayner-Karlsson on 2024/05/09 10:54
From version 14.1
edited by Sirius Rayner-Karlsson
on 2024/05/01 17:15
on 2024/05/01 17:15
Change comment:
There is no comment for this version
To version 15.1
edited by Sirius Rayner-Karlsson
on 2024/05/01 17:28
on 2024/05/01 17:28
Change comment:
There is no comment for this version
Summary
-
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
-
- Content
-
... ... @@ -10,67 +10,60 @@ 10 10 11 11 Then load the ##kerberos## schema: 12 12 13 -##{{{$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldap:~/~/nas.fqdn/ -D uid=root,cn=users,dc=example,dc=com}}}## 14 - 13 +##{{{$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldap://nas.fqdn/ -D uid=root,cn=users,dc=example,dc=com -W}}}## 15 15 ##{{{Password:}}}## 16 - 17 17 ##{{{adding new entry "cn=kerberos,cn=schema,cn=config"}}}## 18 - 19 19 ##{{{$}}}## 20 20 21 21 22 -Having an index on the ##krbPrincipalName## improves performance and also suppresses some log messages if ##slapd## is configured to log more than default for the database(s) where you intend to store Kerberos data. As this is OpenLDAP on the Synology, it does not use mdb format, it uses bdb: 19 +Having an index on the ##krbPrincipalName## improves performance and also suppresses some log messages if ##slapd## is configured to log more than default for the database(s) where you intend to store Kerberos data. As this is OpenLDAP on the Synology, it does not use ##mdb## format, it uses ##bdb##: 23 23 24 -##{{{$ sudo ldapmodify -H ldap://nas.fqhn <<EOF 25 -dn: olcDatabase={1}bdb,cn=config 26 -add: olcDbIndex 27 -olcDbIndex: krbPrincipalName eq,pres,sub 28 -EOF 29 -Password: 21 +##{{{$ sudo ldapmodify -H ldap://nas.fqhn/ -D uid=root,cn=users,dc=example,dc=com -W <<EOF}}}## 22 +##{{{dn: olcDatabase={1}bdb,cn=config}}}## 23 +##{{{add: olcDbIndex}}}## 24 +##{{{olcDbIndex: krbPrincipalName eq,pres,sub}}}## 25 +##{{{EOF}}}## 26 +##{{{Password:}}}## 27 +##{{{modifying entry "olcDatabase={1}bdb,cn=config"}}}## 28 +##{{{$}}}## 30 30 31 -modifying entry "olcDatabase={1}bdb,cn=config" 32 -$ 33 -}}}## 34 34 31 +Next, you need to create and configure two entries which will be used by the Kerberos servers to connect to OpenLDAP. As you will not run the Kerberos KDC and Admin Server on the same host as OpenLDAP, these steps are required. In order to keep things nicely separated, everything will be created under a separate ##organizationalUnit##. 35 35 33 +##{{{# ldapadd -H ldap://nas.fqhn/ -D uid=root,cn=users,dc=example,dc=com -W <<EOF}}}## 34 +##{{{dn: ou=Services,dc=example,dc=com}}}## 35 +##{{{objectClass: organizationalUnit}}}## 36 +##{{{objectClass: top}}}## 37 +##{{{ou: Services}}}## 38 +## ## 39 +##{{{dn: ou=kerberos,ou=Services,dc=example,dc=com}}}## 40 +##{{{objectClass: organizationalUnit}}}## 41 +##{{{objectClass: top}}}## 42 +##{{{ou: kerberos}}}## 43 +## ## 44 +##{{{dn: uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com}}}## 45 +##{{{uid: kdc}}}## 46 +##{{{objectClass: account}}}## 47 +##{{{objectClass: simpleSecurityObject}}}## 48 +##{{{userPassword: {CRYPT}x}}}## 49 +##{{{description: Kerberos KDC Account}}}## 50 +## ## 51 +##{{{dn: uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com}}}## 52 +##{{{uid: kadmin}}}## 53 +##{{{objectClass: account}}}## 54 +##{{{objectClass: simpleSecurityObject}}}## 55 +##{{{userPassword: {CRYPT}x}}}## 56 +##{{{description: Kerberos Admin Server Account}}}## 57 +##{{{EOF}}}## 58 +##{{{Enter LDAP Password: SECRET}}}## 59 +## ## 60 +##{{{adding new entry "ou=Services,dc=example,dc=com"}}}## 61 +## ## 62 +##{{{adding new entry "ou=kerberos,ou=Services,dc=example,dc=com"}}}## 63 +## ## 64 +##{{{adding new entry "uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com"}}}## 65 +## ## 66 +##{{{adding new entry "uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com"}}}## 36 36 37 -Next, you need to create and configure two entries which will be used by the Kerberos servers to connect to OpenLDAP. If you are running Kerberos and OpenLDAP on the same system, these steps are optional, but recommended. In order to keep things nicely separated, everything will be created under a separate ##organizationalUnit##. Note that a simple bind (##-x -D##) is used instead of an ##EXTERNAL## bind since write access to the dc=example,dc=com DIT is necessary: 38 38 39 - 40 -{{{# ldapadd -x -D cn=admin,dc=example,dc=com -W <<EOF 41 -dn: ou=Services,dc=example,dc=com 42 -objectClass: organizationalUnit 43 -objectClass: top 44 -ou: Services 45 - 46 -dn: ou=kerberos,ou=Services,dc=example,dc=com 47 -objectClass: organizationalUnit 48 -objectClass: top 49 -ou: kerberos 50 - 51 -dn: uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com 52 -uid: kdc 53 -objectClass: account 54 -objectClass: simpleSecurityObject 55 -userPassword: {CRYPT}x 56 -description: Kerberos KDC Account 57 - 58 -dn: uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com 59 -uid: kadmin 60 -objectClass: account 61 -objectClass: simpleSecurityObject 62 -userPassword: {CRYPT}x 63 -description: Kerberos Admin Server Account 64 -EOF 65 -Enter LDAP Password: SECRET 66 - 67 -adding new entry "ou=Services,dc=example,dc=com" 68 - 69 -adding new entry "ou=kerberos,ou=Services,dc=example,dc=com" 70 - 71 -adding new entry "uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com" 72 - 73 -adding new entry "uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com"}}} 74 - 75 - 76 76