(Original)
The previous post only covered installation; this one covers configuration. (More than a year has passed, and a friend wanted to see a simple configuration example.)
1. First, create or edit krb5.conf under /etc/, as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = false
encrypt = true
[realms]
TEST.COM = {
kdc = kerberos.test.com:88
admin_server = kerberos.test.com:749
default_domain = test.com
}
[domain_realm]
.test.com = TEST.COM
test.com = TEST.COM
[kdc]
profile = /var/lib/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
2. Edit /etc/openldap/slapd.conf and add:
access to *
by sockurl="^ldapi:///$" write
3. Generate an MD5 password hash with slappasswd -h {MD5}
4. Add the ldap account
ldaps is the TLS-enabled LDAP service. Once OpenLDAP is configured, start it with: slapd -h "ldap:/// ldapi:/// ldaps:///"
5. Add the LDIF file for KDC support
6. Modify krb5.conf to use LDAP.
7. Run kstash to generate the master key (m-key)
server root # kstash
Master key:<type master key>
Verifying - Master key:<type master key>
kstash: writing key to `/var/heimdal/m-key'
8. Run kadmin -l to initialize the realm and add accounts
kadmin>init TEST.COM
kadmin>add frank
kadmin>add --random-key host/kerberos.test.com
kadmin>add --random-key ldap/kerberos.test.com
kadmin>ext_keytab host/kerberos.test.com
kadmin>ext_keytab ldap/kerberos.test.com
kadmin>exit
9. Export to a keytab so that slapd can use it for SASL at startup
ktutil -k /etc/openldap/ldap.keytab get ldap/kerberos.test.com
export KRB5_KTNAME=/etc/openldap/ldap.keytab
Tip: use the dump command to export the KDC database
#kadmin -l
kadmin>dump /root/kdcbackup
10. First-run check
ldapsearch -x -L -b 'ou=KerberosPrincipals,dc=test,dc=com' 'objectclass=krb5KDCEntry' |more
11. Restart slapd and check
ldapsearch -H ldap://kerberos.test.com/ -x -b "" -s base -LLL supportedSASLMechanisms
Verify with ldapsearch that queries work
Perform the following checks
Compare the difference before and after using the SASL regexp:
Edit the SASL regexp in slapd.conf
root:~# ldapwhoami
SASL/GSSAPI authentication started
SASL username: frank@TEST.COM
SASL SSF: 56
SASL installing layers
dn:uid=frank,cn=test.com,cn=gssapi,cn=auth
12. Continue checking the LDAP -> SASL -> Kerberos authentication chain
root:/# ldapwhoami (after using SASL)
SASL/GSSAPI authentication started
SASL username: frank@TEST.COM
SASL SSF: 56
SASL installing layers
dn:uid=frank,cn=gssapi,cn=auth
13. Continue checking ldapi internally
root:/# ldapwhoami -Y EXTERNAL -H ldapi://
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=manager,dc=test,dc=com
ldapwhoami -Y GSSAPI -H ldap://
14. Verify the SASL authentication mechanism
ldapwhoami -x -D "cn=nssproxy,ou=KerberosPrincipals,dc=test,dc=com" -W
If all of the checks above pass, congratulations: Kerberos + LDAP authentication is working.
Next you can install programs that can use Kerberos authentication, such as openssh and postfix, to test it in practice.
[ This post was last edited by miceleo on 2006-1-8 15:53 ]
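An added check script that wraps checks 11 and 12 above; it is not part of the original post. It parses the rootDSE and ldapwhoami output in the shapes shown, confirms GSSAPI is advertised and a SASL security layer was negotiated, and flags an identity that slapd has not yet mapped to a directory entry. It assumes the realm TEST.COM and the server kerberos.test.com; the sample outputs are constructed from the post's own.

```shell
# Added post-setup check (not from the original post). Assumes realm TEST.COM,
# server kerberos.test.com and the output formats shown in checks 11 and 12.
# Does the root DSE (stdin: ldapsearch -LLL output) advertise SASL mechanism $1?
has_sasl_mech() {
    grep -q "^supportedSASLMechanisms: $1\$"
}
# Negotiated SASL SSF from ldapwhoami output on stdin (stderr merged in).
sasl_ssf() {
    sed -n 's/^SASL SSF: \([0-9][0-9]*\)$/\1/p' | head -n 1
}
# The authorization DN slapd reported for the SASL identity.
whoami_dn() {
    sed -n 's/^dn: *//p' | head -n 1
}

# Constructed sample outputs, shaped like the ones shown in the post.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL'
SAMPLE_WHOAMI='SASL/GSSAPI authentication started
SASL username: frank@TEST.COM
SASL SSF: 56
SASL installing layers
dn:uid=frank,cn=gssapi,cn=auth'

# Run the checks on the samples; pass --live to query the real server instead.
check_setup() {
    if [ "$1" = "--live" ]; then
        rootdse=$(ldapsearch -H ldap://kerberos.test.com/ -x -b "" -s base -LLL supportedSASLMechanisms)
        whoami=$(ldapwhoami -Y GSSAPI -H ldap://kerberos.test.com/ 2>&1)
    else
        rootdse=$SAMPLE_ROOTDSE
        whoami=$SAMPLE_WHOAMI
    fi
    printf '%s\n' "$rootdse" | has_sasl_mech GSSAPI || { echo "FAIL: GSSAPI not advertised"; return 1; }
    ssf=$(printf '%s\n' "$whoami" | sasl_ssf)
    # SSF 0 or absent means no integrity/privacy layer was negotiated for the session.
    [ "${ssf:-0}" -gt 0 ] || { echo "FAIL: no SASL security layer"; return 1; }
    dn=$(printf '%s\n' "$whoami" | whoami_dn)
    [ -n "$dn" ] || { echo "FAIL: no dn returned"; return 1; }
    # Still the raw SASL identity: no authz-regexp mapped it to a directory entry,
    # so ACLs written against real directory DNs will not match this user.
    case "$dn" in
        *,cn=gssapi,cn=auth) echo "WARN: unmapped SASL identity $dn" ;;
    esac
    echo "OK: authenticated as $dn with SSF $ssf"
}

check_setup "$@"
```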