Configure OpenLDAP to use Kerberos as password backend
This text reports what I've done to use Kerberos as password backend for my OpenLDAP installation. It was tried on a Debian Stretch 9.
Kerberos
Install
apt install krb5-kdc krb5-admin-server
apt will ask you the name of your default kerberos realm.
I've decided to use example.org (in lowercase), because,
even if it's not the usual case as explained by apt, I know I'll forgot
to use the uppercase notation. Furthermore, I have a specific domain
which is only used by LDAP and Kerberos, so I think I'll have no
confusion.
Configure Kerberos
I've just followed my Kerberos Installation resource (linked at the end of the article). So I notice here just what I've done, I can't fully explain every steps.
First, we need to configure the Kerberos server by modifying
/etc/krb5.conf to add our realm:
[libdefaults]
default_realm = example.org
...
[realms]
example.org = {
kdc = kdc.example.org
admin_server = kdc.example.org
default_domain = example.org
}
...
[domain_realm]
.example.com = example.org
example.com = example.org
...
To define the kdc and admin_server, you can
also simply use the localhost domain. If you do as me,
you'll need to create DNS resources for
kdc.example.org.
Then, you need to check the realm has been well installed in
/etc/krb5conf/kdc.conf. For me, apt has put:
[kdcdefaults]
kdc_ports = 750,88
[realms]
example.org = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
Now, the kerberos is well configured, we can create the realm:
kdb5_util create -s
Then, we use the kadmin.local shell to list principals and
create first users:
kadmin.local: listprincs
K/M@example.org
kadmin/admin@example.org
kadmin/changepw@example.org
kadmin/localhost@example.org
kiprop/localhost@example.org
krbtgt/example.org@example.org
kadmin.local: ank adrien/admin@example.org
WARNING: no policy specified for adrien/admin@example.org; defaulting to no policy
Enter password for principal "adrien/admin@example.org":
Re-enter password for principal "adrien/admin@example.org":
Principal "adrien/admin@example.org" created.
kadmin.local: ank adrien@example.org
WARNING: no policy specified for adrien@example.org; defaulting to no policy
Enter password for principal "adrien@example.org":
Re-enter password for principal "adrien@example.org":
Principal "adrien@example.org" created.
Create the kadmin keytab as explained in the MIT documentation:
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Finally, edit the file /etc/krb5kdc/kadm5.acl to set up
users with admin rights:
*/admin@example.org *
Restart kerberos services:
systemctl restart krb5-kdc krb5-admin-server
Check with a client
On another computer, try to get a kerberos ticket with the client.
First, install the client: apt install krb5-user
Then, try to authenticate: kinit adrien@example.org
On success, you can list current tickets with klist:
# klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adrien@example.org
Valid starting Expires Service principal
01. 02. 19 11:30:25 01. 02. 19 21:30:25 krbtgt/example.org@example.org
renew until 02. 02. 19 11:30:03
To clean the ticket from the client, use: kdestroy.
Cyrus SASL
Install
apt install sasl2-bin libsasl2-modules-gssapi-mit
Configure Cryus SASL
Edit the service environment variables in
/etc/default/saslauthd with:
START=yes
MECHANISMS="kerberos5"
KRB5_KTNAME="/etc/localhost.keytab"
export KRB5_KTNAME
According to the value of KRB5_KTNAME above, we'll create a
new user and its keytab file with kadmin.local:
kadmin.local: addprinc -randkey host/localhost
WARNING: no policy specified for host/localhost@example.org; defaulting to no policy
Principal "host/localhost@example.org" created.
kadmin.local: ktadd -k /etc/localhost.keytab host/localhost
Entry for principal host/localhost with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/localhost.keytab.
Entry for principal host/localhost with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/localhost.keytab.
Finally, restart the saslauthd service:
systemctl restart saslauthd
Check saslauthd configuration
There's a little command to check if you can connect with your user through Cyrus SASL:
# testsaslauthd -u adrien@example.org -p 'your password in clear text'
0: OK "Success."
On authentication error, the output will be
0: NO "authentication failed".
If you see other errors, like one with connect() fail,
check the daemon saslauthd use the right keytab file and it
has access to it.
OpenLDAP
Finally, we are in the final part of the documentation. We just need now
to say to OpenLDAP that it can use saslauthd as external
authentication mechanism and configure our first user to use it.
Enable Cyrus SASL backend
We need to create a /etc/ldap/sasl2/slapd.conf with these
values:
# PLAIN is used by saslauthd
# EXTERNAL is required for local root auth
mech_list: PLAIN EXTERNAL
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
Note that OpenLDAP will need access to
/var/run/saslauthd/mux. On my installation, the access to
the content of /var/run/saslauthd/ is allowed only to users
inside the sasl group, so we add openldap to this group:
adduser openldap sasl
Finally, restart the slapd service:
systemctl restart slapd
Modify user to use the SASL backend
Now, we need to modify the adrien@example.org user to
authenticate through SASL. That's simply done by setting the prefix
{SASL} followed by the kerberos user name (with realm)
inside the userPassword attribute.
For example, I've made this ldif file:
# adrien, people, example.org
dn: uid=adrien,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: {SASL}adrien@example.org
Note that to apply this ldif you need to use a user with modification rights on userPassword attribute (the user itself or an administrator).
ldapmodify -f 01_adrien_password.ldif -D "uid=adrien,ou=people,dc=example,dc=org" -w 'your old LDAP password in clear text'
Finally, to check the new password is well set, you can simply try to do a search inside your LDAP directory:
# ldapsearch -D "uid=adrien,ou=people,dc=example,dc=org" -w 'your new password in clear text' -b '' -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Well done, that was a big job to retrieve every steps to do, thanks a lot of people who documented their steps ! I hope this document will help someone in the future :)