LDAP backend on Ubuntu 10.4 (lucid)

Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)

Prerequisites

Install the following packages: slapd, ldap-utils and libldap2-dev

You can install the necessary packages with these commands:

sudo apt-get install slapd
sudo apt-get install ldap-utils
sudo apt-get install libldap2-dev

Extend the user schema using schemas from standart OpenLDAP distribution: cosine, mics, nis, inetcomperson

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif

Building Kerberos from source

./configure --with-ldap
make
sudo make install

Setting up Kerberos

Configuration

Update kdc.conf with the LDAP back-end information:

[realms]
    EXAMPLE.COM = {
        database_module = LDAP
    }

[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ldap_kdc_dn = cn=admin,dc=example,dc=com
        ldap_kadmind_dn = cn=admin,dc=example,dc=com
        ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
        ldap_servers = ldapi:///
    }

Schema

From the source tree copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema

Warning: this step should be done after slapd is installed to avoid problems with slapd installation.

To convert kerberos.schema to run-time configuration (cn=config) do the following:

  1. Create a temporary file /tmp/schema_convert.conf with the following content:

    include /etc/ldap/schema/kerberos.schema
    
  2. Create a temporary directory /tmp/krb5_ldif.

  3. Run:

    slaptest -f /tmp/schema_convert.conf -F /tmp/krb5_ldif
    

    This should in a new file named /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif.

  4. Edit /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif by replacing the lines:

    dn: cn={0}kerberos
    cn: {0}kerberos
    

    with

    dn: cn=kerberos,cn=schema,cn=config cn: kerberos

    Also, remove following attribute-value pairs:

    structuralObjectClass: olcSchemaConfig
    entryUUID: ...
    creatorsName: cn=config
    createTimestamp: ...
    entryCSN: ...
    modifiersName: cn=config
    modifyTimestamp: ...
    
  5. Load the new schema with ldapadd (with the proper authentication):

    ldapadd -Y EXTERNAL -H ldapi:/// -f  /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
    

    which should result the message adding new entry "cn=kerberos,cn=schema,cn=config".

Create Kerberos database

Using LDAP administrator credentials, create Kerberos database and master key stash:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s

Stash the LDAP administrative passwords:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com

Start krb5kdc:

krb5kdc

To destroy database run:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f

Useful references