Kerberos Authorization Directory |
||
Heimdal configurationIt is extremely easy, just adding a database definition specifying the basedn for the principals to be created.
database = {
dbname = ldap:ou=Kerberos,ou=Applications,dc=organization,dc=com
# mkey_file = /var/lib/heimdal-kdc/m-key
# acl_file = /etc/heimdal-kdc/kadmind.acl
}
The KDC stores all the principals on the configured basedn, and is only able
to search below that point. To get a cleaner tree, we just use the specific
basedn until we initialize the realm. Once the basic pricipals are created,
we modify dbname to point to the top of the LDAP tree (dc=organization,dc=com),
remembering that any principal created using kadmin will be located also at
the top of the tree.
At least on debian etch, the builtin default for the ACL file is
Extra principalsBesides the basic principals created during realm initialization, we will add an extra principal to perform administrative work. Using kadmin to create principals is usually not a good idea, but in this case we have the Administrator user already created during the KAD initialization. What we will do is just to make it visible for KDC, adding the required attributes objectClass: krb5Principal objectClass: krb5KDCEntry krb5PrincipalName: Administrator@ORGANIZATION.COM krb5KDCFlags: 126 krb5KeyVersionNumber: 0This effectively turns any LDAP entry into a principal, and now we can set the password using kadmin as usual.
The same process can be applied to the any other entry (as nss-proxy) just
modifying the krb5PrincipalName attribute. For the ldap service and any other
host based service, the principal name must fit on a fixed scheme. Most of
the kerberized servers and clients expect service principals in the form
service/fqdn, where service is the service name (ldap in this case)
and fqdn is the complete DNS name of the server (kad.organization.com).
|
||
| Powered by SHARK | ||