Centralized authentication, part 2: Kerberos with LDAP as the backend store
Necessary adjustments on the OpenLDAP side

Add the two bind accounts that the KDC and kadmind will use to talk to LDAP:

```sh
ldapadd -D 'cn=root,ou=Control,dc=intra,dc=wafcloud,dc=cn' -h 127.0.0.1 -x -W -f add_kerberos_users.ldif
```

The contents of add_kerberos_users.ldif are as follows:

```ldif
dn: cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
cn: kdc-srv
userPassword:: e1NTSEF9UDBjQjBycTdlQjM0ZWJudmpqNnB2MFpueG1YZmlrSU8K
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn
cn: kdc-adm
userPassword:: e1NTSEF9UDBjQjBycTdlQjM0ZWJudmpqNnB2MFpueG1YZmlrSU8K
objectClass: simpleSecurityObject
objectClass: organizationalRole
```
Kerberos configuration

krb5-kdc and krb5-admin-server share the same configuration file, krb5.conf:

```ini
[libdefaults]
    debug = true
    default_realm = INTRA.WAFCLOUD.CN

[logging]
    default = SYSLOG:DEBUG
    kdc = FILE=/var/tmp/kdc.log
    admin_server = FILE=/var/tmp/kadmin.log

[realms]
    INTRA.WAFCLOUD.CN = {
        #kdc = 127.0.0.1
        #admin_server = 127.0.0.1
        default_domain = intra.wafcloud.cn
        database_module = INTRA.WAFCLOUD.CN
        key_stash_file = /etc/krb5.keyfile
        max_life = 1d 0h 0m 0s
        max_renewable_life = 90d 0h 0m 0s
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .intra.wafcloud.cn = INTRA.WAFCLOUD.CN
    intra.wafcloud.cn = INTRA.WAFCLOUD.CN

[dbmodules]
    INTRA.WAFCLOUD.CN = {
        db_library = kldap
        ldap_servers = ldapi://
        ldap_kerberos_container_dn = ou=Kerberos,dc=intra,dc=wafcloud,dc=cn
        ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
        ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn
        ldap_service_password_file = /etc/krb5.ldap
        ldap_conns_per_server = 5
    }
```
If the directory is protected by ACLs (recommended), kdc-srv needs read access and kdc-adm needs read and write access to the Kerberos container.
Database initialization

```sh
kdb5_ldap_util -D cn=root,ou=Control,dc=intra,dc=wafcloud,dc=cn -H ldapi:// create -r INTRA.WAFCLOUD.CN -s
```

Syslog will most likely show the following error:

```
Sep 27 16:26:34 dev slapd[12305]: Entry (ou=Kerberos,dc=intra,dc=wafcloud,dc=cn), attribute 'ou' not allowed
```
Looking at kerberos.schema reveals why: the container object class only allows cn.

```
objectclass ( 2.16.840.1.113719.1.301.6.1.1
    NAME 'krbContainer'
    SUP top
    STRUCTURAL
    MUST ( cn ) )
```
So the ldap_kerberos_container_dn setting in krb5.conf has to be changed as follows:

```ini
ldap_kerberos_container_dn = cn=Kerberos,dc=intra,dc=wafcloud,dc=cn
```
Configure the passwords Kerberos uses to bind to LDAP

They are stored in the file /etc/krb5.ldap:

```sh
kdb5_ldap_util stashsrvpw -f /etc/krb5.ldap cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
kdb5_ldap_util stashsrvpw -f /etc/krb5.ldap cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn
```
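As an added example (not from the original post), a POSIX shell pre-flight check for the [dbmodules] settings above: it flags a container DN whose RDN is not cn= (the krbContainer MUST cn error) and a bind DN with no entry in ldap_service_password_file. It assumes each stashsrvpw entry starts with the bind DN followed by `#`.

```sh
#!/bin/sh
# Constructed pre-flight check for the kldap settings in a krb5.conf.
# Usage: check_kldap_conf /etc/krb5.conf   (exit 0 = ok, 1 = problems found)

# Print the value of one key inside the [dbmodules] section (empty if absent).
dbmod_value() {
    awk -v key="$2" '
        /^\[dbmodules\]/ { in_sec = 1; next }
        /^\[/            { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

check_kldap_conf() {
    conf="$1"; rc=0
    container=$(dbmod_value "$conf" ldap_kerberos_container_dn)
    case "$container" in
        cn=*) ;;   # krbContainer MUST cn, so the RDN has to be cn=...
        '')   echo "ldap_kerberos_container_dn is not set"; rc=1 ;;
        *)    echo "ldap_kerberos_container_dn '$container' must start with cn= (krbContainer MUST cn)"; rc=1 ;;
    esac
    stash=$(dbmod_value "$conf" ldap_service_password_file)
    if [ ! -r "$stash" ]; then
        echo "ldap_service_password_file '$stash' is missing; run kdb5_ldap_util stashsrvpw"; rc=1
    else
        for key in ldap_kdc_dn ldap_kadmind_dn; do
            dn=$(dbmod_value "$conf" "$key")
            # Assumption: stashsrvpw writes one "<bind DN>#<encoded password>" line per DN.
            if [ -z "$dn" ] || ! grep -qF "$dn#" "$stash"; then
                echo "$key '$dn' has no stashed password in $stash"; rc=1
            fi
        done
    fi
    return $rc
}
```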
Testing with kadmin.local works:

```sh
kadmin.local -q 'ank -pw 112233 test1'
```
```sh
testsaslauthd -u test1 -p 112233
```

This test may produce error logs like the following in auth.log:

```
Sep 29 10:29:18 dev saslauthd[27617]: auth_krb5: krb5_kt_read_service_key(): Key table file '/etc/krb5.keytab' not found (2)
Sep 29 10:29:18 dev saslauthd[27617]: auth_krb5: k5support_verify_tgt
Sep 29 10:29:18 dev saslauthd[27617]: : auth failure: [user=test1] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
```

```
Sep 29 11:06:55 dev saslauthd[27618]: auth_krb5: krb5_kt_read_service_key(): No key table entry found for host/dev@INTRA.WAFCLOUD.CN (-1765328203)
Sep 29 11:06:55 dev saslauthd[27618]: auth_krb5: k5support_verify_tgt
Sep 29 11:06:55 dev saslauthd[27618]: : auth failure: [user=test1] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
```
The fix is as follows; replace host/dev with the principal for the actual host (or the name printed in the log):

```sh
kadmin.local -q "ank -clearpolicy -randkey host/dev"
kadmin.local -q "ktadd host/dev"
```
An LDAP query test also works:

```sh
ldapsearch -D 'uid=test1,ou=People,dc=intra,dc=wafcloud,dc=cn' -b 'dc=intra,dc=wafcloud,dc=cn' -h 127.0.0.1 -x -w 112233 | grep uid
```