Saturday, 27 December 2014

[PART 2] oVirt with SSO - Kerberos

Install Kerberos

We need to install the Kerberos workstation and server packages.
# yum -y install krb5-{workstation,server} 

Configure krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = OPENLDAP.YOURDOMAIN.COM

[realms]
 OPENLDAP.YOURDOMAIN.COM = {
  kdc = openldap.yourdomain.com
  admin_server = openldap.yourdomain.com
 }

[domain_realm]
 .openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM
 openldap.yourdomain.com = OPENLDAP.YOURDOMAIN.COM

Configure Kerberos

Create the Kerberos database (-s also writes the stash file the KDC uses to start without a password).

# cd /var/kerberos/krb5kdc
# kdb5_util create -s 

Set the correct realm in kdc.conf and in the kadmin ACL file.

# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kdc.conf
# sed -i s/EXAMPLE.COM/OPENLDAP.YOURDOMAIN.COM/g /var/kerberos/krb5kdc/kadm5.acl

Create root/admin principal. 

# kadmin.local
Authenticating as principal root/admin@OPENLDAP.YOURDOMAIN.COM with password.
kadmin.local:  add_principal root/admin
WARNING: no policy specified for root/admin@OPENLDAP.YOURDOMAIN.COM;
Enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM": 
Re-enter password for principal "root/admin@OPENLDAP.YOURDOMAIN.COM": 
Principal "root/admin@OPENLDAP.YOURDOMAIN.COM" created. 

Start and enable the Kerberos services (the KDC and the kadmin server).

# systemctl start krb5kdc
# systemctl enable krb5kdc
# systemctl start kadmin
# systemctl enable kadmin

Add users to the Kerberos database.

# kadmin.local
kadmin.local:  add_principal user0
kadmin.local:  add_principal user1

Log in as user0 to verify that the KDC issues tickets.

# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:

Create a service principal for LDAP and export its key to a keytab. The principal name must be ldap/<fqdn of the LDAP server>, because that is the service ticket GSSAPI clients will ask for.

# kadmin
kadmin:  add_principal -randkey ldap/openldap.yourdomain.com
kadmin:  ktadd -keytab /etc/openldap/ldap.keytab ldap/openldap.yourdomain.com

Set keytab ownership and permissions so that only root and the slapd process (running as user ldap) can read it.

# chgrp ldap /etc/openldap/ldap.keytab
# chmod 640 /etc/openldap/ldap.keytab 

Set KRB5_KTNAME in /etc/sysconfig/slapd to our keytab (this uncomments the line and replaces the whole value).

# sed -ri 's|^#?KRB5_KTNAME=.*|KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"|' /etc/sysconfig/slapd

Test Kerberos with LDAP

# kinit user0
Password for user0@OPENLDAP.YOURDOMAIN.COM:

# ldapsearch -h openldap.yourdomain.com -Y GSSAPI -b 'dc=openldap,dc=yourdomain,dc=com' '(uid=user0)'

If this command returns the user0 entry, everything is fine. If it does not, check the logs (/var/log/krb5kdc.log and the slapd log), check the permissions and ownership of the keytab, and make sure the host name given to -h is the one in the ldap/ service principal: the GSSAPI client requests a ticket for ldap/<hostname>, so a name that does not resolve to the host in the keytab (localhost, typically) fails.
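A check for the keytab set-up from the steps above, as an added example that is not part of the original post: it reads KRB5_KTNAME from /etc/sysconfig/slapd, lists the principals in the keytab with klist -kt, and reports anything that would make slapd's GSSAPI bind fail (mode wider than 0640, owner other than root:ldap, missing ldap/<fqdn>@REALM). The realm, the sysconfig path and the sample klist output are assumptions.

```python
#!/usr/bin/env python3
"""Sanity checks for the slapd GSSAPI keytab configured above (added example, not
from the original post). Assumes /etc/sysconfig/slapd, ldap/<fqdn>@REALM, 0640 root:ldap."""
import grp, os, pwd, re, socket, stat, subprocess

# Uncommented KRB5_KTNAME=FILE:/path or KRB5_KTNAME="FILE:/path"; '#' lines are ignored
KTNAME_RE = re.compile(r'^\s*KRB5_KTNAME=\s*"?(?:FILE:)?([^"\s]+)"?', re.M)
# Constructed `klist -kt` output, shaped like the real tool prints it
SAMPLE_KLIST = """Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------------------
   2 12/27/2014 10:00:00 ldap/openldap.yourdomain.com@OPENLDAP.YOURDOMAIN.COM
"""

def keytab_path(sysconfig_text):
    """Keytab path from the active KRB5_KTNAME line, or None if it is still commented out."""
    m = KTNAME_RE.search(sysconfig_text)
    return m.group(1) if m else None

def keytab_principals(klist_output):
    """Principals in `klist -kt` output: data rows start with a KVNO and end with the principal."""
    rows = (line.split() for line in klist_output.splitlines())
    return {p[-1] for p in rows if len(p) > 1 and p[0].isdigit() and '@' in p[-1]}

def keytab_problems(mode, owner, group, principals, fqdn, realm):
    """Everything that would make slapd's GSSAPI bind fail; [] means it looks right."""
    problems = []
    if mode & 0o037:                      # group-writable or any world access
        problems.append('keytab mode %04o is wider than 0640' % mode)
    if not mode & 0o040:                  # slapd runs as user ldap and needs group read
        problems.append('keytab is not group-readable, slapd cannot read it')
    if (owner, group) != ('root', 'ldap'):
        problems.append('keytab owned by %s:%s, expected root:ldap' % (owner, group))
    wanted = 'ldap/%s@%s' % (fqdn, realm)
    if wanted not in principals:          # GSSAPI clients ask for exactly this service ticket
        problems.append('keytab lacks %s (has: %s)'
                        % (wanted, ', '.join(sorted(principals)) or 'none'))
    return problems

def check_slapd_keytab(sysconfig='/etc/sysconfig/slapd', realm='OPENLDAP.YOURDOMAIN.COM'):
    """Read the live configuration and keytab and run the checks on them."""
    with open(sysconfig) as f:
        path = keytab_path(f.read())
    if path is None:
        return ['KRB5_KTNAME is not set (still commented out?) in ' + sysconfig]
    st = os.stat(path)
    out = subprocess.run(['klist', '-kt', path], capture_output=True, text=True).stdout
    return keytab_problems(stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                           grp.getgrgid(st.st_gid).gr_name, keytab_principals(out),
                           socket.getfqdn(), realm)
```

Run check_slapd_keytab() as root on the LDAP server; an empty list means the keytab, its permissions and the service principal agree with the configuration above.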
