Saturday, February 5, 2011

Debian OpenLDAP with Kerberos Authentication

Before we proceed with ldap kerberization (let assume our server name is you need to setup the following:
  • OpenLDAP Server (look here).
  • Kerberos Client (look here).
Once the basic installation of the above is complete, here we go:

Remove Authentication from LDAP

  1. Since we are going to authenticate users with Kerberos we need to prohibit users access to password stored in ldap. Add the following to file access-passwd.ldif:
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    # Delete default user access to password
    delete: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange
      by self write
      by anonymous auth
      by dn="cn=admin,dc=dev,dc=local" write
      by * none
    # Prohibit access to password
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,shadowLastChange
      by * none
    # Only authenticated users have read access 
    # Anonymous users have no access. 
    add: olcAccess
    olcAccess: {1}to *
      by users read
      by * none
    and apply changes:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f access-passwd.ldif
  2. Delete admin account:
    ldapdelete -cxWD cn=admin,dc=dev,dc=local cn=admin,dc=dev,dc=local
    and it access rights in the directory (file access-noadmin.ldif):
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    # Revoke admin write rights to the directory
    delete: olcAccess
    olcAccess: {3}to *
      by self write
      by dn="cn=admin,dc=dev,dc=local" write
      by * read
    # Move admin account to people unit
    replace: olcRootDN
    olcRootDN: uid=admin,ou=people,dc=dev,dc=local
    # Remove admin password
    delete: olcRootPW
    and apply changes:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f access-noadmin.ldif

Setup GSSAPI mapping between OpenLDAP and Kerberos

  1. Install SASL module for Kerberos:
    apt-get install libsasl2-modules-gssapi-mit
  2. Add ldap principal:
    kadmin -p admin -q "addprinc -randkey ldap/"
    kadmin -p admin -q "ktadd ldap/"
  3. Allow openldap group (slapd service is running under openldap account) access kerberos information:
    chgrp openldap /etc/krb5.keytab
    chmod g+r,o= /etc/krb5.keytab
    ls -lh /etc/krb5.keytab 
  4. Specify authentication mode (file /etc/ldap/ldap.conf):
  5. Setup SASL mapping between Kerberos and LDAP accounts (file auth-kerberos.ldif):
    dn: cn=config
    changetype: modify
    # Regular expression that match a simple user name
    # provided by SASL and map it to ldap entry
    add: olcAuthzRegexp
    olcAuthzRegexp: uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth
    # Specify SASL Kerberos realm
    add: olcSaslRealm
    olcSaslRealm: DEV.LOCAL
    and apply changes:
    ldapmodify -QY EXTERNAL -H ldapi:/// -f auth-kerberos.ldif
  6. Restart OpenLDAP service:
    /etc/init.d/slapd restart

Verify settings

Verify above changes by querying config:
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b \
cn=config "(|(cn=config)(olcDatabase={1}hdb))"
Here it is:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats
olcPidFile: /var/run/slapd/
olcToolThreads: 1
olcAuthzRegexp: {0}uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth uid=$1,ou=people
olcSaslRealm: DEV.LOCAL

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=dev,dc=local
olcAccess: {0}to attrs=userPassword,shadowLastChange by * none
olcAccess: {1}to dn.base="" by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcRootDN: uid=admin,ou=people,dc=dev,dc=local

Kerberos Authentication Test

  1. Let ensure anonymous has no access
    ldapk1:~/ldap# ldapsearch -xLLL
    No such object (32)
  2. Authenticate to Kerberos:
    kinit -p admin
  3. Let make the search as authenticated user (you should be able to see organization units people and groups):
    ldapsearch -LLL


  1. Cannot create replay cache: No such file or directory
    ldap1:~# ldapsearch -LLL
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) 
    error (80) additional info: SASL(-1): generic failure: GSSAPI Error: 
    Unspecified GSS failure.  Minor code may provide more information 
    (Cannot create replay cache: No such file or directory)
    The only way recover from this error:
    • Restart slapd daemon
    • Consider add cron job on reboot that restarts slapd (file /etc/cron.d/slapd)
      @reboot root /etc/init.d/slapd restart
While authentication provided by Kerberos is secure now, consider protect communication with OpenLDAP by SSL/TLS encryption (read how here).

No comments :

Post a Comment