Saturday, February 5, 2011

Debian OpenLDAP client with Kerberos

Before we proceed with the client setup (let's assume our client machine name is you need to set up the following:
  • Kerberos Client (look here).
Once the basic installation of the above is complete, here we go:
  1. We need to install a few packages:
    apt-get -y install ldap-utils libpam-ldap \
    libsasl2-modules-gssapi-mit nscd libnss-ldap kstart
    During installation you will be prompted with a few questions:
    • libnss-ldap
      LDAP server URI: ldap://
      Distinguished name of the search base: dc=dev,dc=local
      LDAP version to use: 3
      LDAP account for root: cn=admin,ou=people,dc=dev,dc=local
      LDAP root account password: <just hit enter>
    • libpam-ldap
      Allow LDAP admin account to behave like local root? No
      Does the LDAP database require login? No
  2. Reconfigure libpam-runtime and disable LDAP Authentication:
    dpkg-reconfigure libpam-runtime
  3. Configure kstart by adding the following to /etc/inittab (it will check every 10 minutes whether the Kerberos ticket needs to be renewed, and sets the ticket lifetime to 24 hours):
    KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h
    Force init to reload configuration:
    kill -HUP 1
    Ensure the /tmp/krb5cc_0 ticket cache file has been created:
    ls -lh /tmp/krb5cc_0
  4. Kerberise libnss-ldap (file /etc/libnss-ldap.conf), ensure the following:
    base dc=dev,dc=local
    uri ldap://
    ldap_version 3
    rootbinddn cn=admin,ou=people,dc=dev,dc=local
    # Use SASL and GSSAPI and where to find the 
    # Kerberos ticket cache.
    use_sasl        on
    sasl_mech       gssapi
    krb5_ccname FILE:/tmp/krb5cc_0
  5. Set defaults for LDAP clients (file /etc/ldap/ldap.conf). Note that the client configuration changes if LDAP is configured via SSL (see here).
    BASE    dc=dev,dc=local
    URI     ldap://
  6. Add LDAP support to the NSS lookups used by the login process and nscd (file /etc/nsswitch.conf):
    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
  7. Restart the Name Service Cache Daemon:
    /etc/init.d/nscd restart
  8. Configure PAM to automatically create a user home directory (file /etc/pam.d/common-session):
    session  required
You should now be able to log in with a user created in LDAP whose password is set in Kerberos.
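As an added check (not part of the original post), here is a small POSIX shell helper that verifies the three files edited above agree with each other: nss_ldap really binds with SASL/GSSAPI, its krb5_ccname is the cache the k5start inittab entry keeps fresh, and nsswitch.conf consults ldap for passwd, group and shadow. The function names and the sample files it creates are constructed for the example.

```shell
#!/bin/sh
# Added consistency check for the Kerberised LDAP client set up above
# (hypothetical helper, not from the original post). Paths are arguments so it
# can run against the constructed samples below or the live /etc files.

# check_client_config LIBNSS_CONF NSSWITCH_CONF INITTAB -> 0 if consistent, else 1
check_client_config() {
    conf=$1 nss=$2 inittab=$3 rc=0
    # nss_ldap must bind with SASL/GSSAPI, otherwise it falls back to a simple bind
    grep -Eq '^[[:space:]]*use_sasl[[:space:]]+on([[:space:]]|$)' "$conf" \
        || { echo "FAIL: use_sasl is not on in $conf"; rc=1; }
    grep -Eq '^[[:space:]]*sasl_mech[[:space:]]+gssapi([[:space:]]|$)' "$conf" \
        || { echo "FAIL: sasl_mech is not gssapi in $conf"; rc=1; }
    # The cache nss_ldap reads must be the one the k5start respawn entry keeps fresh
    ccname=$(sed -n 's/^[[:space:]]*krb5_ccname[[:space:]]*FILE:\([^[:space:]]*\).*/\1/p' "$conf")
    if [ -z "$ccname" ]; then
        echo "FAIL: no krb5_ccname FILE:... line in $conf"; rc=1
    elif ! grep -Eq '^[^#][^:]*:[0-9]*:respawn:.*k5start .*-U .*-f /etc/krb5.keytab' "$inittab"; then
        echo "FAIL: no respawn entry for k5start -U -f /etc/krb5.keytab in $inittab"; rc=1
    elif [ "$ccname" != /tmp/krb5cc_0 ] && ! grep -Eq "k5start .*-k $ccname" "$inittab"; then
        echo "FAIL: $ccname is not the cache k5start writes (default for uid 0: /tmp/krb5cc_0)"; rc=1
    fi
    # NSS must consult ldap for passwd, group and shadow, or logins see partial accounts
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$nss" \
            || { echo "FAIL: $db does not list ldap in $nss"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf, $nss and $inittab agree"
    return "$rc"
}

# Constructed sample files mirroring the settings in the post (not real /etc files)
write_samples() {  # write_samples DIR
    printf '%s\n' 'base dc=dev,dc=local' 'ldap_version 3' 'use_sasl        on' \
        'sasl_mech       gssapi' 'krb5_ccname FILE:/tmp/krb5cc_0' > "$1/libnss-ldap.conf"
    sed 's/^use_sasl.*/use_sasl off/' "$1/libnss-ldap.conf" > "$1/libnss-ldap-simplebind.conf"
    printf '%s\n' 'passwd:         compat ldap' 'group:          compat ldap' \
        'shadow:         compat ldap' > "$1/nsswitch.conf"
    printf '%s\n' '1:2345:respawn:/sbin/getty 38400 tty1' \
        'KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h' > "$1/inittab"
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
write_samples "$SAMPLES"
check_client_config "$SAMPLES/libnss-ldap.conf" "$SAMPLES/nsswitch.conf" "$SAMPLES/inittab"
check_client_config "$SAMPLES/libnss-ldap-simplebind.conf" "$SAMPLES/nsswitch.conf" "$SAMPLES/inittab" || true
```

To run it against a real client, call check_client_config with /etc/libnss-ldap.conf, /etc/nsswitch.conf and /etc/inittab instead of the sample directory.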


  • You might experience the following error while initializing a Kerberos ticket on a Debian GNOME desktop:
    Cannot resolve network address for KDC in realm DEV.LOCAL
    This conflicts with avahi-daemon (its mDNS resolver claims .local names, so the DEV.LOCAL KDC lookup never reaches DNS); you will need to disable it:
    rcconf --off avahi-daemon
  • If you are using a Debian GNOME desktop, have a look at "Troubleshooting: dbus-daemon nss_ldap failed to bind to LDAP server", which you can find here.
