Howto:Kerberos

From Fedora Directory Server

How to use Kerberos with Fedora Directory Server

How do I configure FDS to use SASL and GSSAPI to authenticate against a local Kerberos realm?

This describes how to configure FDS to let users present their Kerberos credentials (their ticket) to FDS for authentication, using the SASL GSSAPI mechanism. This allows FDS to participate in Single Sign On: a user acquires a ticket via kinit or login and can then use it to authenticate to various services, including FDS.

This requires a previously configured Kerberos realm. We've tested this with MIT Kerberos 5, but other implementations such as Heimdal should also work. You need a key for the LDAP service, an appropriate SASL mapping for GSSAPI, and the cyrus-sasl-gssapi package. FDS uses the cyrus-sasl package to interface with Kerberos.

Keys

First, make sure that you have created a Kerberos principal of the form "ldap/fully-qualified-host-name". In the commands below, ${INSTANCE} stands for your instance name and ${fully-qualified-domain} for the lower-case domain of your FDS server; substitute both before running them:

kadmin -q "add_principal -randkey ldap/${INSTANCE}.${fully-qualified-domain}"

Then, export that key to a keytab file. If you've deployed other services on the same system that also authenticate users with Kerberos, it's recommended that you give each one its own keytab file.

kadmin -q "ktadd -k /etc/dirsrv/slapd-${INSTANCE}/${INSTANCE}.keytab ldap/${INSTANCE}.${fully-qualified-domain}"

The keytab file needs to be readable by the account under which the directory server runs (i.e. dirsrv), and should not be readable by anyone else:

chown dirsrv:dirsrv /etc/dirsrv/slapd-${INSTANCE}/${INSTANCE}.keytab
chmod 640 /etc/dirsrv/slapd-${INSTANCE}/${INSTANCE}.keytab

Next, set the KRB5_KTNAME environment variable, so your Directory Server can find the keytab file. For FDS 1.1 and later, edit the file

/etc/sysconfig/dirsrv

and add the line below, replacing INSTANCE appropriately:

KRB5_KTNAME=/etc/dirsrv/slapd-INSTANCE/INSTANCE.keytab ; export KRB5_KTNAME

For FDS 1.0 and earlier, you can edit the start-slapd shell script in /etc/init.d/dirsrv and set KRB5_KTNAME in there:

export KRB5_KTNAME=path_to_service_keytab
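As an added check (my own code, not part of this page or of FDS), the following Python script reads the KRB5_KTNAME assignment from a /etc/sysconfig/dirsrv-style file and verifies that the keytab it points to exists, is owned by the server account and is not readable by other users. The expected owner and group (dirsrv) and the 640 mode are the ones set in the steps above; the function names and the way comments are skipped are my assumptions.

```python
import grp
import os
import pwd
import re
import stat

# Matches the line this page adds to /etc/sysconfig/dirsrv, with or without a
# leading "export", e.g.
#   KRB5_KTNAME=/etc/dirsrv/slapd-INSTANCE/INSTANCE.keytab ; export KRB5_KTNAME
_KTNAME_LINE = re.compile(r"^\s*(?:export\s+)?KRB5_KTNAME=([^\s;]+)")


def keytab_path_from_sysconfig(text):
    """Return the keytab path assigned to KRB5_KTNAME in the file text, or None.

    Lines are taken up to the first '#' (assumed to start a comment) and,
    as in the shell, the last assignment wins.
    """
    path = None
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        m = _KTNAME_LINE.match(code)
        if m:
            path = m.group(1).strip("\"'")
    return path


def mode_problems(mode):
    """Describe what is wrong with a keytab's permission bits (empty list = OK).

    The page sets 640: the owner and group may read it, nobody else may touch
    it. Group write is also flagged, since a writable keytab lets a group
    member replace the service key.
    """
    problems = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IRWXO:
        problems.append("mode %o grants access to other users" % perm)
    if perm & stat.S_IWGRP:
        problems.append("mode %o lets the group modify the keytab" % perm)
    return problems


def keytab_problems(path, owner="dirsrv", group="dirsrv"):
    """Check existence, ownership and mode of the keytab; return problem strings."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    try:
        actual_owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        actual_owner = str(st.st_uid)
    try:
        actual_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        actual_group = str(st.st_gid)
    if actual_owner != owner:
        problems.append("owner is %s, expected %s" % (actual_owner, owner))
    if actual_group != group:
        problems.append("group is %s, expected %s" % (actual_group, group))
    problems.extend(mode_problems(st.st_mode))
    return problems


if __name__ == "__main__":
    import sys
    sysconfig = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysconfig/dirsrv"
    with open(sysconfig) as f:
        keytab = keytab_path_from_sysconfig(f.read())
    if keytab is None:
        print("KRB5_KTNAME is not set in %s" % sysconfig)
    else:
        for line in keytab_problems(keytab) or ["%s looks fine" % keytab]:
            print(line)
```

Run it as root on the server (optionally passing the path of the sysconfig file). A keytab that is readable by others is as good as a leaked service key, so anything reported by mode_problems should be fixed before the server is started with that keytab.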

Maps

Let's assume your entry in the DS has the DN "uid=uid,o=realm.edu". Then the map would be something like this (see "Introduction to SASL" in the Administrator's Guide, http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165):

dn: cn=mapname,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapBaseDNTemplate: uid=\1,o=\2
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)

This assumes the Kerberos principal name being sent to the DS is in the form "username@domain". If this is not the case, and the realm is not being sent, you may have to use something like the following instead:

nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: uid=\1,dc=myorg,dc=tld

where myorg and tld correspond to your domain and top level domain.

You can use a regex of the form \([^/]+\)/\(.+\) to map Kerberos principals that carry an instance, such as service/fqdn or user/admin. For example, to map all service principals for hostname.domain to uid=hostname.domain,ou=hosts,dc=domain, use the regex [^/]+/\(.+\) with a base DN template of uid=\1,ou=hosts,dc=domain. To map all principals with an admin instance to uid=user,ou=Managers,dc=domain, use the regex \([^/]+\)/admin with a base DN template of uid=\1,ou=Managers,dc=domain.
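To see what the maps in this section actually do before loading them into the server, here is an added Python simulation (my own code, not FDS code) that applies the regex and template pairs shown above to sample authentication identities and lists every map that matches. The map names, the filter templates for the host and manager maps, and the sample identities are constructed; the regex and base DN templates are the ones from this page. It assumes the server's regex is unanchored (a POSIX regex without ^ or $ matches anywhere in the identity) and that \( \) delimit groups while bare parentheses are literal.

```python
import re

# Constructed SASL mapping table: (name, nsSaslMapRegexString,
# nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate), using the regexes and
# base DN templates from this page. Names and the ipHost filter are my own.
MAPPINGS = [
    ("realm-user", r"\(.*\)@\(.*\)", r"uid=\1,o=\2", "(objectclass=inetOrgPerson)"),
    ("hosts", r"[^/]+/\(.+\)", r"uid=\1,ou=hosts,dc=domain", "(objectclass=ipHost)"),
    ("managers", r"\([^/]+\)/admin", r"uid=\1,ou=Managers,dc=domain", "(objectclass=inetOrgPerson)"),
    ("catch-all", r"\(.*\)", r"uid=\1,dc=myorg,dc=tld", "(objectclass=inetOrgPerson)"),
]


def to_python_regex(bre):
    """Translate the page's POSIX-style regex to Python syntax.

    \\( and \\) are capture groups; a bare ( or ) is a literal character.
    Everything else used on this page (., *, +, [^/]) means the same in both.
    """
    out, i = [], 0
    while i < len(bre):
        if bre[i] == "\\" and i + 1 < len(bre) and bre[i + 1] in "()":
            out.append(bre[i + 1])
            i += 2
        elif bre[i] in "()":
            out.append("\\" + bre[i])
            i += 1
        else:
            out.append(bre[i])
            i += 1
    return "".join(out)


def apply_mapping(regex, base_template, filter_template, identity):
    """Return (base DN, filter) for one map, or None if the regex does not match.

    Assumption: the match is unanchored, as a POSIX regex without ^/$ would be,
    so the pattern may match anywhere inside the identity. \\1, \\2 in the
    templates are replaced by the captured groups.
    """
    m = re.search(to_python_regex(regex), identity)
    if m is None:
        return None
    return m.expand(base_template), m.expand(filter_template)


def candidate_dns(identity, mappings=MAPPINGS):
    """List every map that matches the identity, in table order.

    More than one hit means the maps overlap and the outcome depends on which
    one the server tries first; that is worth knowing before going live.
    """
    hits = []
    for name, regex, base_tpl, filter_tpl in mappings:
        result = apply_mapping(regex, base_tpl, filter_tpl, identity)
        if result is not None:
            hits.append((name, result[0], result[1]))
    return hits


if __name__ == "__main__":
    # Constructed sample identities: a user with realm, a bare user, a host
    # service principal, and an admin instance.
    for ident in ("alice@realm.edu", "alice", "host/server.domain", "bob/admin"):
        print(ident)
        for name, dn, flt in candidate_dns(ident):
            print("   %-10s -> %s  filter %s" % (name, dn, flt))
```

Two things the output makes visible: the catch-all \(.*\) map matches every identity, including ones that carry a realm or an instance, so it must never be tried ahead of the more specific maps; and [^/]+/\(.+\) also matches user/admin (mapping it to uid=admin under ou=hosts), so the host and manager maps overlap and their order, or a tighter host regex, decides which entry an admin principal binds as.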