Work in progress
This site is in the process of being reviewed and updated.
Introduction
These instructions are specific to Fedora Core 6. Interoperability with other clients is possible, but is not addressed here. The goal of this document is to describe how to set up a network so that Apache Directory is used for "realm control":
- User information (UID/GID/home directories) accessible using LDAP.
- Automount information accessible using LDAP.
- User authentication using Kerberos.
- Password changes using Change Password.
- NFSv4 file sharing using Kerberos and Automount.
- Network time synchronization using NTP.
Software Requirements
You'll need the following software.
Server
- Apache Directory 1.5.2
Client
- krb5-libs
- krb5-workstation
- cyrus-sasl-gssapi
- openldap-clients
- pam_krb5
- nss_ldap
pam_krb5 lets you use Kerberos for authentication, while nss_ldap uses LDAP to centralize user and group information. The getpwnam and related routines used by pam_krb5 all use nsswitch.conf. For example, a simple "ls" needs to map uid to names and will, therefore, use LDAP. If you have performance problems with the continuous use of LDAP to retrieve user and group information, there is a service called nscd that will cache information obtained via nsswitch.
Prerequisites
- Time synchronization - Must be within clockskew.
- Hostname resolution - All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly. The host may be referenced by a CNAME, but the official host name (as reported by hostname) must be an 'A' record.
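A small check for the hostname rule above, added here as an example and not part of the original page: it flags a name that is not fully qualified, a CNAME used as the official host name, and any address whose reverse mapping does not point back to the host. The function names and the sample zone are constructed for this example; called with the default arguments it uses the system resolver.

```python
import socket

def lookup_forward(name):
    # System resolver; for a CNAME the canonical name differs from the query.
    canonical, _aliases, addrs = socket.gethostbyname_ex(name)
    return canonical, addrs

def lookup_reverse(addr):
    return socket.gethostbyaddr(addr)[0]  # PTR name via the system resolver

def check_host(hostname, forward=lookup_forward, reverse=lookup_reverse):
    """List the prerequisite violations for hostname (empty list = OK):
    the name must be fully qualified, must be an A record rather than a
    CNAME, and every address must reverse-map to exactly that name."""
    if "." not in hostname:
        return [f"hostname '{hostname}' is not fully qualified"]
    try:
        canonical, addrs = forward(hostname)
    except (LookupError, OSError) as exc:
        return [f"forward lookup of {hostname} failed: {exc}"]
    problems = []
    if canonical.lower() != hostname.lower():
        problems.append(f"{hostname} is a CNAME for {canonical}; "
                        "the official host name must be an A record")
    for addr in addrs:
        try:
            ptr = reverse(addr)
        except (LookupError, OSError) as exc:
            problems.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        if ptr.lower() != hostname.lower():
            problems.append(f"{addr} reverse-maps to {ptr}, not {hostname}")
    return problems

# Constructed sample zone for an offline run (not real DNS data); the PTR for
# 192.0.2.20 is deliberately wrong so that one host fails the check.
SAMPLE_A = {"kdc1.example.com": ["192.0.2.10"], "ldap1.example.com": ["192.0.2.20"]}
SAMPLE_CNAME = {"kerberos.example.com": "kdc1.example.com"}
SAMPLE_PTR = {"192.0.2.10": "kdc1.example.com", "192.0.2.20": "ldap.example.com"}

def sample_forward(name):
    canonical = SAMPLE_CNAME.get(name, name)
    return canonical, SAMPLE_A[canonical]  # KeyError (a LookupError) if no A record

def sample_reverse(addr):
    return SAMPLE_PTR[addr]  # KeyError if no PTR record

if __name__ == "__main__":
    for host in ("kdc1.example.com", "kerberos.example.com", "ldap1.example.com", "kdc1"):
        print(host, check_host(host, sample_forward, sample_reverse) or "OK")
```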
Firewall Configuration
It is highly recommended that a firewall (for example iptables) be used to restrict access. The following ports must be opened.
Protocol | IP Port | Description
---|---|---
Kerberos | 88 | Authentication.
Change Password | 464 | Password changing.
LDAP | 389 | Directory access.
LDAPS | 636 | LDAP over SSL.
NTP | 123 | Time synchronization.
NFS | 2049 | File sharing.
Kerberos Servers
The first thing to setup is your Kerberos servers (called KDCs).
- Edit /etc/krb5.conf
- Replace EXAMPLE.COM with your realm
- Replace example.com with your domain
- Create the KDC host principal.
- Test with kinit and klist.
Kerberos Clients
- Edit /etc/krb5.conf
- Replace EXAMPLE.COM with your realm
- Replace example.com with your domain
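A minimal /etc/krb5.conf covering the server and client steps above, given as an added example rather than a file from the original page. It uses the realm EXAMPLE.COM, the domain example.com and the KDC host kdc1.example.com that appear elsewhere on this page; the logging path and clockskew value are assumptions to adjust for your site.

```ini
# /etc/krb5.conf: the same file is used on the KDC and on every client.
# Replace EXAMPLE.COM with your realm and example.com with your domain.
[logging]
    default = FILE:/var/log/krb5libs.log

[libdefaults]
    default_realm = EXAMPLE.COM
    # KDCs are listed statically below; do not rely on DNS SRV records.
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # Largest tolerated clock difference in seconds (see Prerequisites).
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        # Apache Directory answers on 88 (Kerberos) and 464 (Change Password).
        kdc = kdc1.example.com:88
        kpasswd_server = kdc1.example.com:464
    }

[domain_realm]
    # Map host names in the DNS domain to the realm; the leading dot covers subdomains.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```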
Configuring Kerberos logon without LDAP
Once you have Kerberos working, you'll be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you can add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to K, the convention for indicating that the password comes from Kerberos.
We can now configure PAM. By configuring PAM, we'll be able to use Kerberos with console login methods (/bin/login, Gnome, etc.).
Run authconfig, or edit /etc/pam.d/system-auth and add lines for pam_krb5 to each section.
Windows Kerberos Clients
Windows 2000 and newer versions of Windows can be Kerberos clients of Apache Directory.
- Extract ksetup.exe from \support\tools\support.cab on the Windows 2000 CD-ROM
- ksetup /setrealm EXAMPLE.COM
  o Note that this will also set the DNS domain for your computer to EXAMPLE.COM. For Windows, the DNS domain and the Kerberos realm must be identical.
- ksetup /addkdc EXAMPLE.COM kdc1.example.com
- ksetup /mapuser * *
In case you make a mistake, the Kerberos configuration is stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
Kerberized Services
For any network service which accepts native Kerberos authentication (instead of taking a username and password and authenticating the user via PAM), you need to have a service principal stored in a keytab. Some common ones are:
Service | Service principal name | Description
---|---|---
OpenSSH, pam_krb5 | host/hostname | Remote console access.
LDAP | ldap/hostname | Directory access.
NFSv4 | nfs/hostname | File sharing.
HTTP | HTTP/hostname | Web server.
Kerberos Wrap-up
At this point you should have a fully functional Kerberos setup. Make sure everything is working perfectly before you move on to configuring LDAP.
LDAP Server
Add ldap service principal.
Add LDAP SSL certificate.
LDAP Clients
Copy Files
Copy the following files from the KDC or LDAP server.
- /etc/krb5.conf
- /etc/ldap.conf
- /etc/openldap/ldap.conf
- /etc/openldap/cacerts/cacert.pem
PADL nss_ldap
The configuration file for the PADL nss_ldap module is /etc/ldap.conf. You need only a few options.
host ldap1.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca-cert.pem
The configuration file for the OpenLDAP clients, such as ldapsearch and ldapadd, is /etc/openldap/ldap.conf.
URI ldaps://ldap1.example.com/
BASE dc=example,dc=com
TLS_CACERT /etc/ssl/ca.pem
Users can use the passwd command to change their password.
If you have a PAM environment you should make sure you have an entry like the following in your PAM configuration:
password required /lib/security/pam_krb5.so
Whether it should be required, sufficient, etc. and the order relative to other PAM modules will depend on your environment.
If you don't have a PAM environment then users can use kpasswd to change their password.
NFSv4
(Pointer to NFSv4 doco)