
KerberosAndLDAP

Version 12.1 by Sirius Rayner-Karlsson on 2024/05/01 17:10

Debian

The guide I followed was https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos; it worked, but it required some minor tweaks. I obtained edit privileges for the Debian Wiki and updated the guide with the fixes I found. I, however, have a Synology NAS, which can run an LDAP server, so this guide differs a little from the upstream Debian guide.

First, install the packages containing the LDAP-enabled Kerberos servers (krb5-kdc-ldap and krb5-admin-server) and the schema2ldif tool:

$ sudo apt install krb5-kdc-ldap krb5-admin-server schema2ldif

Then load the kerberos schema:

$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -x -H ldap://nas.fqdn/ -D uid=root,cn=users,dc=example,dc=com -W
Password:
adding new entry "cn=kerberos,cn=schema,cn=config"
$

And add an index on the krbPrincipalName (improves performance and also suppresses some log messages if slapd is configured to log more than default) for the database(s) where you intend to store Kerberos data:

# ldapmodify -x -H ldap://nas.fqdn -D uid=root,cn=users,dc=example,dc=com -W <<EOF
dn: olcDatabase={1}bdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
EOF
modifying entry "olcDatabase={1}bdb,cn=config"

Next, you need to create and configure two entries which will be used by the Kerberos servers to connect to OpenLDAP. If you are running Kerberos and OpenLDAP on the same system, these steps are optional, but recommended. In order to keep things nicely separated, everything will be created under a separate organizationalUnit. Note that a simple bind (-x -D) is used instead of an EXTERNAL bind since write access to the dc=example,dc=com DIT is necessary:

# ldapadd -x -D cn=admin,dc=example,dc=com -W <<EOF
dn: ou=Services,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Services

dn: ou=kerberos,ou=Services,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: kerberos

dn: uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com
uid: kdc
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Kerberos KDC Account

dn: uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com
uid: kadmin
objectClass: account
objectClass: simpleSecurityObject
userPassword: {CRYPT}x
description: Kerberos Admin Server Account
EOF
Enter LDAP Password: SECRET
adding new entry "ou=Services,dc=example,dc=com"
adding new entry "ou=kerberos,ou=Services,dc=example,dc=com"
adding new entry "uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com"
adding new entry "uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com"
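As an added check after the steps above (my own example, not code from this page or from the Debian wiki), the script below reads ldapsearch output for cn=config and for the ou=kerberos container and reports whether the krbPrincipalName index is in place and whether the kdc and kadmin accounts exist and still carry the {CRYPT}x placeholder; it assumes the same placeholder hostname nas.fqdn and bind DNs used above, and the LDIF it ships with is constructed, not captured.

```python
"""Added example (not from this page or the Debian wiki): checks ldapsearch LDIF
output for the krbPrincipalName index and the kdc/kadmin service accounts, e.g.
  ldapsearch -LLL -x -H ldap://nas.fqdn -D <bind dn> -W -b cn=config olcDbIndex
The LDIF strings at the bottom are constructed samples for an offline run."""
import base64
import re

def parse_ldif(text):
    """Minimal LDIF reader: unfolds lines, decodes '::' base64, returns [(dn, {attr: [vals]})]."""
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:                       # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):      # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode()
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries
def krb_index_ok(entries):
    """True if any database indexes krbPrincipalName with eq, pres and sub."""
    for _dn, attrs in entries:
        for idx in attrs.get("olcdbindex", []):
            attr, _, kinds = idx.partition(" ")
            if attr.lower() == "krbprincipalname" and {"eq", "pres", "sub"} <= set(kinds.split(",")):
                return True
    return False
def service_account_problems(entries, base="ou=kerberos,ou=Services,dc=example,dc=com"):
    """Lists kdc/kadmin entries that are missing or still hold the {CRYPT}x
    placeholder, which is not a valid hash, so the KDC cannot bind with it."""
    found, problems = {dn.lower(): attrs for dn, attrs in entries}, []
    for uid in ("kdc", "kadmin"):
        dn = f"uid={uid},{base}".lower()
        if dn not in found:
            problems.append(f"{uid}: entry {dn} missing")
        elif "{CRYPT}x" in found[dn].get("userpassword", []):
            problems.append(f"{uid}: password placeholder not yet replaced")
    return problems
# Constructed samples in ldapsearch -LLL style, not captured from a real server.
KDC_PW = base64.b64encode(b"{CRYPT}x").decode()
KADMIN_PW = base64.b64encode(b"{CRYPT}$6$constructedsalt$constructedhash").decode()
SAMPLE_CONFIG = "dn: olcDatabase={1}bdb,cn=config\nolcDbIndex: objectClass eq\nolcDbIndex: krbPrincipalName eq,pres,sub\n"
SAMPLE_SERVICES = (f"dn: uid=kdc,ou=kerberos,ou=Services,dc=example,dc=com\nuid: kdc\nuserPassword:: {KDC_PW}\n\n"
                   f"dn: uid=kadmin,ou=kerberos,ou=Services,dc=example,dc=com\nuid: kadmin\n"
                   f"userPassword:: {KADMIN_PW}\ndescription: Kerberos Admin\n  Server Account\n")
```

On a live setup, pipe the two ldapsearch results into parse_ldif and run krb_index_ok and service_account_problems on them; an empty problem list means both accounts exist with a real hash set by ldappasswd.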