Changes for page KerberosAndLDAP
Last modified by Sirius Rayner-Karlsson on 2024/05/09 10:54
From version 36.1
edited by Sirius Rayner-Karlsson
on 2024/05/09 10:00
Change comment:
There is no comment for this version
To version 35.1
edited by Sirius Rayner-Karlsson
on 2024/05/09 09:59
Change comment:
There is no comment for this version
Summary
Page properties (1 modified, 0 added, 0 removed)
Details
Page properties: Content
... ... @@ -27,7 +27,12 @@ 27 27 Now you need to load the kerberos schema into the LDAP server on the Synology. Use the ##cn=config## DN. 28 28 29 29 (% style="color:#400" %) 30 -##{{{$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W Enter LDAP Password: adding new entry "cn=kerberos,cn=schema,cn=config" $}}}## 30 +##{{{ 31 +$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W 32 +Enter LDAP Password: 33 +adding new entry "cn=kerberos,cn=schema,cn=config" 34 +$ 35 +}}}## 31 31 32 32 33 33 === Create Index on krbPrincipalName === ... ... @@ -35,13 +35,21 @@ 35 35 Having an index on the ##krbPrincipalName## improves performance. Synology OpenLDAP does not use ##mdb## format, it uses ##bdb##. Debian ##slapd## uses ##mdb## format. It is different database format, but the principle is the same. Again, as you are modifying config, the DN is ##cn=config##. Use the main password you set for the Synology LDAP server. Create a file ##step1.ldif## with the following content: 36 36 37 37 (% style="color:#400" %) 38 -##{{{dn: olcDatabase={1}bdb,cn=config add: olcDbIndex olcDbIndex: krbPrincipalName eq,pres,sub}}}## 43 +##{{{ 44 +dn: olcDatabase={1}bdb,cn=config 45 +add: olcDbIndex 46 +olcDbIndex: krbPrincipalName eq,pres,sub 47 +}}}## 39 39 40 - 41 41 and apply it with 42 42 43 43 (% style="color:#400" %) 44 -##{{{$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif Enter LDAP Password: modifying entry "olcDatabase={1}bdb,cn=config" $}}}## 52 +##{{{ 53 +$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif 54 +Enter LDAP Password: 55 +modifying entry "olcDatabase={1}bdb,cn=config" 56 +$ 57 +}}}## 45 45 46 46 47 47 === Create principals kadmin and kdc === ... ... 
@@ -50,15 +50,53 @@ 50 50 Generate the passwords upfront with ##slappasswd -h {SSHA}##. Then create a file ##step2.ldif## with the following content: 51 51 52 52 (% style="color:#400" %) 53 -##{{{dn: ou=kerberos,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: kerberos dn: cn=kdc,ou=kerberos,dc=example,dc=com cn: kdc sn: kdc objectClass: person objectClass: pwdPolicy pwdAttribute: userPassword pwdMinLength: 8 pwdCheckQuality: 2 pwdPolicySubentry: cn=kdc,ou=kerberos,dc=example,dc=com userPassword: {SSHA}<password-hash> description: Kerberos KDC Account dn: cn=kadmin,ou=kerberos,dc=example,dc=com cn: kadmin sn: kadmin objectClass: person objectClass: pwdPolicy pwdAttribute: userPassword pwdMinLength: 8 pwdCheckQuality: 2 pwdPolicySubentry: cn=kadmin,ou=kerberos,dc=example,dc=com userPassword: {SSHA}<password-hash> description: Kerberos KDC Account}}}## 66 +##{{{ 67 +dn: ou=kerberos,dc=example,dc=com 68 +objectClass: organizationalUnit 69 +objectClass: top 70 +ou: kerberos 54 54 72 +dn: cn=kdc,ou=kerberos,dc=example,dc=com 73 +cn: kdc 74 +sn: kdc 75 +objectClass: person 76 +objectClass: pwdPolicy 77 +pwdAttribute: userPassword 78 +pwdMinLength: 8 79 +pwdCheckQuality: 2 80 +pwdPolicySubentry: cn=kdc,ou=kerberos,dc=example,dc=com 81 +userPassword: {SSHA}<password-hash> 82 +description: Kerberos KDC Account 83 + 84 +dn: cn=kadmin,ou=kerberos,dc=example,dc=com 85 +cn: kadmin 86 +sn: kadmin 87 +objectClass: person 88 +objectClass: pwdPolicy 89 +pwdAttribute: userPassword 90 +pwdMinLength: 8 91 +pwdCheckQuality: 2 92 +pwdPolicySubentry: cn=kadmin,ou=kerberos,dc=example,dc=com 93 +userPassword: {SSHA}<password-hash> 94 +description: Kerberos KDC Account 95 +}}}## 96 + 55 55 Apply it with 56 56 57 57 (% style="color:#400" %) 58 -##{{{$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f step2.ldif Enter LDAP Password: adding new entry "ou=kerberos,dc=example,dc=com" adding new entry "cn=kdc,ou=kerberos,dc=example,dc=com" 
adding new entry "cn=kadmin,ou=kerberos,dc=example,dc=com"}}}## 100 +##{{{ 101 +$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f step2.ldif 102 +Enter LDAP Password: 59 59 104 +adding new entry "ou=kerberos,dc=example,dc=com" 60 60 106 +adding new entry "cn=kdc,ou=kerberos,dc=example,dc=com" 61 61 108 +adding new entry "cn=kadmin,ou=kerberos,dc=example,dc=com" 109 +}}}## 110 + 111 + 112 + 62 62 === Grant kdc and kadmin permissions === 63 63 64 64 This switches back to the ##cn=config## DN as you are changing the permissions.
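Review bot: the first hunk's `ldapadd -H ldaps://nas.example.com/ -D cn=config -W` transcript shows an `Enter LDAP Password:` prompt, but the sentence introducing it ("Use the ##cn=config## DN") never says which password that prompt expects; the second hunk's prose does ("Use the main password you set for the Synology LDAP server"), so the same sentence belongs here too, since this is the first place the reader binds as `cn=config`. Splitting the transcript into one command or output line per line is otherwise a clear readability improvement over the single-line `{{{...}}}` form.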
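Review bot: `step1.ldif` in the second hunk carries no `changetype: modify` line between `dn: olcDatabase={1}bdb,cn=config` and `add: olcDbIndex`; `ldapmodify` without `-a` defaults to a modify operation, which is why the transcript's `modifying entry` succeeds, but stating the changetype explicitly keeps the file from being misread as an add if it is ever fed to `ldapadd` or `ldapmodify -a`. Suggest:
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
A minor wording point in the unchanged context line: "It is different database format" should read "It is a different database format".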
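Review bot: in the third hunk both the `cn=kdc` and `cn=kadmin` entries end with `description: Kerberos KDC Account`; the second looks copied from the first and should say something like `description: Kerberos admin account` so the two service accounts are distinguishable when listing `ou=kerberos`. Two smaller points: each entry sets `pwdPolicySubentry` to its own DN and declares `objectClass: pwdPolicy`, and the page has not yet said whether the Synology `slapd` has the password-policy overlay enabled, which those attributes depend on, so a sentence confirming that would save readers a failed `ldapadd`; and the reformatted transcript now places blank lines between the three `adding new entry` output lines, which `ldapadd` does not print, so the block would match real output better without them.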