Changes for page KerberosAndLDAP
Last modified by Sirius Rayner-Karlsson on 2024/05/09 10:54
From version 35.1
edited by Sirius Rayner-Karlsson
on 2024/05/09 09:59
Change comment:
There is no comment for this version
To version 36.1
edited by Sirius Rayner-Karlsson
on 2024/05/09 10:00
Change comment:
There is no comment for this version
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -27,12 +27,7 @@ 27 27 Now you need to load the kerberos schema into the LDAP server on the Synology. Use the ##cn=config## DN. 28 28 29 29 (% style="color:#400" %) 30 -##{{{ 31 -$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W 32 -Enter LDAP Password: 33 -adding new entry "cn=kerberos,cn=schema,cn=config" 34 -$ 35 -}}}## 30 +##{{{$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W Enter LDAP Password: adding new entry "cn=kerberos,cn=schema,cn=config" $}}}## 36 36 37 37 38 38 === Create Index on krbPrincipalName === ... ... @@ -40,21 +40,13 @@ 40 40 Having an index on the ##krbPrincipalName## improves performance. Synology OpenLDAP does not use ##mdb## format, it uses ##bdb##. Debian ##slapd## uses ##mdb## format. It is different database format, but the principle is the same. Again, as you are modifying config, the DN is ##cn=config##. Use the main password you set for the Synology LDAP server. Create a file ##step1.ldif## with the following content: 41 41 42 42 (% style="color:#400" %) 43 -##{{{ 44 -dn: olcDatabase={1}bdb,cn=config 45 -add: olcDbIndex 46 -olcDbIndex: krbPrincipalName eq,pres,sub 47 -}}}## 38 +##{{{dn: olcDatabase={1}bdb,cn=config add: olcDbIndex olcDbIndex: krbPrincipalName eq,pres,sub}}}## 48 48 40 + 49 49 and apply it with 50 50 51 51 (% style="color:#400" %) 52 -##{{{ 53 -$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif 54 -Enter LDAP Password: 55 -modifying entry "olcDatabase={1}bdb,cn=config" 56 -$ 57 -}}}## 44 +##{{{$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif Enter LDAP Password: modifying entry "olcDatabase={1}bdb,cn=config" $}}}## 58 58 59 59 60 60 === Create principals kadmin and kdc === ... ... 
@@ -63,53 +63,15 @@ 63 63 Generate the passwords upfront with ##slappasswd -h {SSHA}##. Then create a file ##step2.ldif## with the following content: 64 64 65 65 (% style="color:#400" %) 66 -##{{{ 67 -dn: ou=kerberos,dc=example,dc=com 68 -objectClass: organizationalUnit 69 -objectClass: top 70 -ou: kerberos 53 +##{{{dn: ou=kerberos,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: kerberos dn: cn=kdc,ou=kerberos,dc=example,dc=com cn: kdc sn: kdc objectClass: person objectClass: pwdPolicy pwdAttribute: userPassword pwdMinLength: 8 pwdCheckQuality: 2 pwdPolicySubentry: cn=kdc,ou=kerberos,dc=example,dc=com userPassword: {SSHA}<password-hash> description: Kerberos KDC Account dn: cn=kadmin,ou=kerberos,dc=example,dc=com cn: kadmin sn: kadmin objectClass: person objectClass: pwdPolicy pwdAttribute: userPassword pwdMinLength: 8 pwdCheckQuality: 2 pwdPolicySubentry: cn=kadmin,ou=kerberos,dc=example,dc=com userPassword: {SSHA}<password-hash> description: Kerberos KDC Account}}}## 71 71 72 -dn: cn=kdc,ou=kerberos,dc=example,dc=com 73 -cn: kdc 74 -sn: kdc 75 -objectClass: person 76 -objectClass: pwdPolicy 77 -pwdAttribute: userPassword 78 -pwdMinLength: 8 79 -pwdCheckQuality: 2 80 -pwdPolicySubentry: cn=kdc,ou=kerberos,dc=example,dc=com 81 -userPassword: {SSHA}<password-hash> 82 -description: Kerberos KDC Account 83 - 84 -dn: cn=kadmin,ou=kerberos,dc=example,dc=com 85 -cn: kadmin 86 -sn: kadmin 87 -objectClass: person 88 -objectClass: pwdPolicy 89 -pwdAttribute: userPassword 90 -pwdMinLength: 8 91 -pwdCheckQuality: 2 92 -pwdPolicySubentry: cn=kadmin,ou=kerberos,dc=example,dc=com 93 -userPassword: {SSHA}<password-hash> 94 -description: Kerberos KDC Account 95 -}}}## 96 - 97 97 Apply it with 98 98 99 99 (% style="color:#400" %) 100 -##{{{ 101 -$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f step2.ldif 102 -Enter LDAP Password: 58 +##{{{$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f 
step2.ldif Enter LDAP Password: adding new entry "ou=kerberos,dc=example,dc=com" adding new entry "cn=kdc,ou=kerberos,dc=example,dc=com" adding new entry "cn=kadmin,ou=kerberos,dc=example,dc=com"}}}## 103 103 104 -adding new entry "ou=kerberos,dc=example,dc=com" 105 105 106 -adding new entry "cn=kdc,ou=kerberos,dc=example,dc=com" 107 107 108 -adding new entry "cn=kadmin,ou=kerberos,dc=example,dc=com" 109 -}}}## 110 - 111 - 112 - 113 113 === Grant kdc and kadmin permissions === 114 114 115 115 This switches back to the ##cn=config## DN as you are changing the permissions.
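Review bot: in the first hunk (`@@ -27,12 +27,7 @@`) the `{{{ ... }}}` block that held the `zcat ... | ldapadd -H ldaps://nas.example.com/ -D cn=config -W` command has been collapsed onto one line, so the command, the `Enter LDAP Password:` prompt, the `adding new entry "cn=kerberos,cn=schema,cn=config"` confirmation and the trailing `$` now read as a single command line. A reader copying it will paste the prompt and output text into their shell along with the command, and it is no longer obvious where the command ends. Nothing in the content itself changed, so this looks like the editor flattening the preformatted block rather than an intended edit; the line breaks inside `{{{ }}}` should be restored.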
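Review bot: in the second hunk (`@@ -40,21 +40,13 @@`) the flattening breaks the file the text tells the reader to create. LDIF is line-oriented: `dn: olcDatabase={1}bdb,cn=config`, `add: olcDbIndex` and `olcDbIndex: krbPrincipalName eq,pres,sub` each have to be on their own line, and the single-line form `dn: olcDatabase={1}bdb,cn=config add: olcDbIndex olcDbIndex: ...` would be parsed as one `dn:` value and rejected by `ldapmodify -f step1.ldif`. The same collapse hits the transcript below it, where `Enter LDAP Password:` and `modifying entry "olcDatabase={1}bdb,cn=config"` are now glued to the command. Keep the multi-line `{{{ }}}` form for both blocks.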
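Review bot: in the third hunk (`@@ -63,53 +63,15 @@`) three LDIF records (`ou=kerberos,dc=example,dc=com`, `cn=kdc,...` and `cn=kadmin,...`) are merged onto one line, losing both the line breaks between attributes and the blank lines that separate records. `ldapadd -f step2.ldif` cannot parse that, so the three `adding new entry` lines shown in the transcript would never be produced; the original multi-line block with a blank line between entries should be restored. Independent of the flattening, the `description` on the `cn=kadmin` entry still reads `Kerberos KDC Account`, copied from the `cn=kdc` entry; a description that says it is the admin account would make the two entries easier to tell apart when reviewing the directory later.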