Stay hungry,Stay foolish

0%

集中认证2(OpenLDAP + Kerberos)

集中认证2 - Kerberos使用LDAP作为后端存储

OpenLDAP作一些必要的调整

ldapadd -D ‘cn=root,ou=Control,dc=intra,dc=wafcloud,dc=cn’ -h 127.0.0.1 -x -W -f add_kerberos_users.ldif

add_kerberos_users.ldif内容如下

1
2
3
4
5
6
7
8
9
10
11
dn: cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
cn: kdc-srv
userPassword:: e1NTSEF9UDBjQjBycTdlQjM0ZWJudmpqNnB2MFpueG1YZmlrSU8K
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn
cn: kdc-adm
userPassword:: e1NTSEF9UDBjQjBycTdlQjM0ZWJudmpqNnB2MFpueG1YZmlrSU8K
objectClass: simpleSecurityObject
objectClass: organizationalRole

Kerberos 配置

krb5-kdckrb5-admin-server使用同一套配置文件krb5.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
[libdefaults]
debug = true
default_realm = INTRA.WAFCLOUD.CN

[logging]
default = SYSLOG:DEBUG
kdc = FILE=/var/tmp/kdc.log
admin_server = FILE=/var/tmp/kadmin.log


[realms]
INTRA.WAFCLOUD.CN = {
#kdc = 127.0.0.1
#admin_server = 127.0.0.1
default_domain = intra.wafcloud.cn
database_module = INTRA.WAFCLOUD.CN
key_stash_file = /etc/krb5.keyfile
max_life = 1d 0h 0m 0s
max_renewable_life = 90d 0h 0m 0s
dict_file = /usr/share/dict/words
}

[domain_realm]
.intra.wafcloud.cn = INTRA.WAFCLOUD.CN
intra.wafcloud.cn = INTRA.WAFCLOUD.CN

[dbmodules]
INTRA.WAFCLOUD.CN = {
db_library = kldap
ldap_servers = ldapi://
ldap_kerberos_container_dn = ou=Kerberos,dc=intra,dc=wafcloud,dc=cn
ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn
ldap_service_password_file = /etc/krb5.ldap
ldap_conns_per_server = 5
}

如果有ACL(建议)控制的话

  • kdc-srv需有权限
  • kdc-adm需有读写权限

数据库初始化

kdb5_ldap_util -D cn=root,ou=Control,dc=intra,dc=wafcloud,dc=cn -H ldapi:// create -r INTRA.WAFCLOUD.CN -s

syslog大概率会有以下错误

1
Sep 27 16:26:34 dev slapd[12305]: Entry (ou=Kerberos,dc=intra,dc=wafcloud,dc=cn), attribute 'ou' not allowed

查看kerberos.schema有以下信息

1
2
3
4
5
6
7
#### This is a kerberos container for all the realms in a tree.

objectclass ( 2.16.840.1.113719.1.301.6.1.1
NAME 'krbContainer'
SUP top
STRUCTURAL
MUST ( cn ) )

这时krb5.conf中的ldap_kerberos_container_dn配置需做如下变更

1
ldap_kerberos_container_dn = cn=Kerberos,dc=intra,dc=wafcloud,dc=cn

配置Kerberos连接LDAP的密码

/etc/krb5.ldap文件保存的相关信息

1
2
kdb5_ldap_util stashsrvpw -f /etc/krb5.ldap cn=kdc-srv,ou=Control,dc=intra,dc=wafcloud,dc=cn
kdb5_ldap_util stashsrvpw -f /etc/krb5.ldap cn=kdc-adm,ou=Control,dc=intra,dc=wafcloud,dc=cn

kadmin.local测试ok

1
kadmin.local -q 'ank -pw 112233 test1'

testsaslauthd -u test1 -p 112233测试可能会遇到下面类似错误日志auth.log

1
2
3
Sep 29 10:29:18 dev saslauthd[27617]: auth_krb5: krb5_kt_read_service_key(): Key table file '/etc/krb5.keytab' not found (2)
Sep 29 10:29:18 dev saslauthd[27617]: auth_krb5: k5support_verify_tgt
Sep 29 10:29:18 dev saslauthd[27617]: : auth failure: [user=test1] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
1
2
3
Sep 29 11:06:55 dev saslauthd[27618]: auth_krb5: krb5_kt_read_service_key(): No key table entry found for host/dev@INTRA.WAFCLOUD.CN (-1765328203)
Sep 29 11:06:55 dev saslauthd[27618]: auth_krb5: k5support_verify_tgt
Sep 29 11:06:55 dev saslauthd[27618]: : auth failure: [user=test1] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]

解决方式如下: host/dev 根据实际(或日志打印)信息调整

1
2
kadmin.local -q "ank -clearpolicy -randkey host/dev"
kadmin.local -q "ktadd host/dev"

ldap查询测试ok

1
ldapsearch -D 'uid=test1,ou=People,dc=intra,dc=wafcloud,dc=cn' -b 'dc=intra,dc=wafcloud,dc=cn' -h 127.0.0.1 -x -w 112233 | grep uid