Before we proceed with LDAP kerberization (let's assume our server name is
ldapk1.dev.local) you need to set up the following:
- OpenLDAP Server (look here).
- Kerberos Client (look here).
Once the basic installation of the above is complete, here we go:
Remove Authentication from LDAP
- Since we are going to authenticate users with Kerberos, we need to deny users access to the passwords stored in LDAP. Add the following to the file access-passwd.ldif (continuation lines of a value must start with whitespace, as LDIF requires):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
#
# Delete default user access to password
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=dev,dc=local" write
  by * none
-
# Prohibit access to password
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by * none
-
# Only authenticated users have read access;
# anonymous users have no access.
add: olcAccess
olcAccess: {1}to *
  by users read
  by * none
and apply changes:
ldapmodify -QY EXTERNAL -H ldapi:/// -f access-passwd.ldif
- Delete the admin account:
ldapdelete -cxWD cn=admin,dc=dev,dc=local cn=admin,dc=dev,dc=local
and its access rights in the directory (file access-noadmin.ldif):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
#
# Revoke admin write rights to the directory
delete: olcAccess
olcAccess: {3}to *
  by self write
  by dn="cn=admin,dc=dev,dc=local" write
  by * read
-
# Move admin account to people unit
replace: olcRootDN
olcRootDN: uid=admin,ou=people,dc=dev,dc=local
-
# Remove admin password
delete: olcRootPW
and apply changes:
ldapmodify -QY EXTERNAL -H ldapi:/// -f access-noadmin.ldif
Set up GSSAPI mapping between OpenLDAP and Kerberos
- Install the SASL module for Kerberos:
apt-get install libsasl2-modules-gssapi-mit
- Add the ldap service principal and export its key to the keytab:
kadmin -p admin -q "addprinc -randkey ldap/ldapk1.dev.local"
kadmin -p admin -q "ktadd ldap/ldapk1.dev.local"
- Allow the openldap group (the slapd service runs under the openldap account) to read the Kerberos keytab:
chgrp openldap /etc/krb5.keytab
chmod g+r,o= /etc/krb5.keytab
ls -lh /etc/krb5.keytab
- Specify the authentication mechanism (file /etc/ldap/ldap.conf):
SASL_MECH GSSAPI
- Set up the SASL mapping between Kerberos and LDAP accounts (file auth-kerberos.ldif):
dn: cn=config
changetype: modify
#
# Regular expression that matches the simple user name
# provided by SASL and maps it to an ldap entry
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth uid=$1,ou=people,dc=dev,dc=local
-
# Specify SASL Kerberos realm
add: olcSaslRealm
olcSaslRealm: DEV.LOCAL
and apply changes:
ldapmodify -QY EXTERNAL -H ldapi:/// -f auth-kerberos.ldif
- Restart OpenLDAP service:
/etc/init.d/slapd restart
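To see what the olcAuthzRegexp rule above actually does before relying on it, here is an added example (my own Python, not code from the original post) that re-implements the mapping and runs it over a few constructed SASL identities. It assumes two things about slapd: that the identity it presents for a GSSAPI bind has the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth (which is what the page's pattern reflects), and that a rule is matched case-insensitively against the whole identity. The $1 of the LDIF becomes \1 in Python's replacement syntax.

```python
import re

# Added example, not from the original post: a re-implementation of the
# olcAuthzRegexp mapping configured in auth-kerberos.ldif, so the rule can
# be checked offline. Assumptions: slapd presents a GSSAPI identity as
# uid=<user>,cn=<realm>,cn=gssapi,cn=auth and matches each rule
# case-insensitively against the whole identity.

# (match, replace) pairs; the pair below is exactly the rule from the page,
# with slapd's $1 written as Python's \1.
PAGE_RULES = [
    (r"uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth",
     r"uid=\1,ou=people,dc=dev,dc=local"),
]

# Stricter variant: the "." in the realm is escaped so it is a literal dot
# instead of a regex wildcard.
STRICT_RULES = [
    (r"uid=([^,]+),cn=dev\.local,cn=gssapi,cn=auth",
     r"uid=\1,ou=people,dc=dev,dc=local"),
]


def map_authz_identity(sasl_dn, rules=PAGE_RULES):
    """Return the DN slapd would bind as for a SASL authorization identity.

    Rules are tried in order and the first match wins. An identity that
    matches no rule is returned unchanged: slapd then binds as that
    synthetic cn=auth DN, which matches no entry in the directory but
    still counts as an authenticated user for a "by users" ACL clause.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return sasl_dn


def classify(sasl_dn, rules=PAGE_RULES):
    """'mapped' if the identity lands on an ou=people DN, else 'unmapped'."""
    return "mapped" if map_authz_identity(sasl_dn, rules) != sasl_dn else "unmapped"


if __name__ == "__main__":
    # Constructed identities covering the cases that matter for this rule.
    for ident in (
        "uid=alice,cn=dev.local,cn=gssapi,cn=auth",      # local realm
        "uid=alice,cn=DEV.LOCAL,cn=gssapi,cn=auth",      # realm case differs
        "uid=bob,cn=other.local,cn=gssapi,cn=auth",      # foreign realm
        "uid=alice,cn=dev.local,cn=digest-md5,cn=auth",  # other mechanism
    ):
        print(f"{ident:48} -> {classify(ident):8} {map_authz_identity(ident)}")
```

Two things are worth noticing. An identity that matches no rule (a principal from another realm, or one authenticated with a different mechanism) is not rejected: slapd keeps the synthetic cn=auth DN as the bind identity, which matches no entry but still satisfies the "by users read" clause added in access-passwd.ldif, so the ACL alone does not restrict reads to people listed under ou=people. And the dot in dev.local is a regex wildcard; STRICT_RULES escapes it, which costs nothing and is easy to miss.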
Verify settings
Verify the above changes by querying the config:
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b \
cn=config "(|(cn=config)(olcDatabase={1}hdb))"
Here it is:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
olcAuthzRegexp: {0}uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth uid=$1,ou=people
 ,dc=dev,dc=local
olcSaslRealm: DEV.LOCAL

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=dev,dc=local
olcAccess: {0}to attrs=userPassword,shadowLastChange by * none
olcAccess: {1}to dn.base="" by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcRootDN: uid=admin,ou=people,dc=dev,dc=local
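To check that a server really ended up in the state shown above rather than reading the output by eye, here is an added example (my own Python, not code from the original post) that parses this kind of ldapsearch output, including LDIF line folding, and flags the settings this walkthrough changes: a password ACL that is not "by * none", a leftover olcRootPW, an anonymous read on "to *", and a missing olcAuthzRegexp or olcSaslRealm. Both samples are constructed: one is an abridged copy of the output above, the other the default ACLs that access-passwd.ldif and access-noadmin.ldif remove. All function names are this example's own.

```python
import base64
import re
import sys

# Added example (not from the original post): parse `ldapsearch -LLL` output
# for cn=config and check the settings this walkthrough changes. All names
# here are this example's own; the samples are constructed from the page.


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles entries
    separated by blank lines, "attr:: <base64>" values and folded values
    that continue on the next line with one leading space."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join a folded continuation
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_acl(value):
    """Split 'to <what> by <who> <access> ...' into (what, [(who, access)]).
    The {n} ordering prefix is dropped; quoted DNs containing spaces are
    not handled, which is enough for the values this page produces."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    parts = re.split(r"\s+by\s+", value)
    clauses = []
    for clause in parts[1:]:
        who, _, access = clause.partition(" ")
        clauses.append((who, access.strip() or "none"))
    return parts[0], clauses


def audit_config(ldif_text):
    """Return findings as strings; an empty list matches the end state above."""
    findings = []
    entries = {e["dn"][0]: e for e in parse_ldif(ldif_text) if "dn" in e}
    glob = entries.get("cn=config", {})
    if not glob.get("olcAuthzRegexp"):
        findings.append("cn=config: no olcAuthzRegexp, Kerberos identities will not map to entries")
    if not glob.get("olcSaslRealm"):
        findings.append("cn=config: olcSaslRealm is not set")
    for dn, entry in entries.items():
        if not dn.startswith("olcDatabase="):
            continue
        if "olcRootPW" in entry:
            findings.append(f"{dn}: olcRootPW is still set")
        for value in entry.get("olcAccess", []):
            what, clauses = split_acl(value)
            if what.startswith("to attrs=") and "userPassword" in what:
                for who, access in clauses:
                    if access != "none":
                        findings.append(f"{dn}: password attributes reachable by {who} {access}")
            elif what == "to *":
                for who, access in clauses:
                    if who in ("*", "anonymous") and access != "none":
                        findings.append(f"{dn}: anonymous {access} access to the whole directory")
    return findings


# Constructed sample 1: abridged copy of the verified config shown above.
HARDENED_CONFIG = """dn: cn=config
objectClass: olcGlobal
cn: config
olcAuthzRegexp: {0}uid=([^,]+),cn=dev.local,cn=gssapi,cn=auth uid=$1,ou=people
 ,dc=dev,dc=local
olcSaslRealm: DEV.LOCAL

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix: dc=dev,dc=local
olcAccess: {0}to attrs=userPassword,shadowLastChange by * none
olcAccess: {1}to dn.base="" by * read
olcRootDN: uid=admin,ou=people,dc=dev,dc=local
"""

# Constructed sample 2: the default ACLs the two LDIF files above remove.
DEFAULT_CONFIG = """dn: cn=config
cn: config

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=dev,dc=local" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=dev,dc=local" write by * read
olcRootDN: cn=admin,dc=dev,dc=local
olcRootPW: {SSHA}placeholder-not-a-real-hash
"""

if __name__ == "__main__":
    # Usage: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else DEFAULT_CONFIG
    problems = audit_config(text)
    print("\n".join(problems) if problems else "no findings")
```

Run it against the live server by piping the ldapsearch command above into it; with no input it audits the constructed default sample and lists what the walkthrough removes.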
Kerberos Authentication Test
- Let's make sure anonymous users have no access:
ldapk1:~/ldap# ldapsearch -xLLL
No such object (32)
- Authenticate to Kerberos:
kinit -p admin
- Let's run the search as an authenticated user (you should be able to see the organizational units people and groups):
ldapsearch -LLL
Troubleshooting
- Cannot create replay cache: No such file or directory
ldap1:~# ldapsearch -LLL
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
error (80) additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Cannot create replay cache: No such file or directory)
The only way to recover from this error:
Now that authentication is handled by Kerberos, consider protecting communication with OpenLDAP with SSL/TLS encryption (read how
here).