Notes on Kerberos / LDAP authentication

From CVL Wiki

(Difference between revisions)
Jump to: navigation, search
(New page: This will be a scratch space for the beginning of new Kerberos & LDAP page. Initially, this will be a bunch of random notes, hopefully coalesced into a document. ===Things that can use K...)
 
 
(5 intermediate revisions by one user not shown)
Line 1: Line 1:
 
This will be a scratch space for the beginning of new Kerberos & LDAP page.  Initially, this will be a bunch of random notes, hopefully coalesced into a document.
 
This will be a scratch space for the beginning of new Kerberos & LDAP page.  Initially, this will be a bunch of random notes, hopefully coalesced into a document.
 +
 +
===Reference Documents===
 +
 +
The main reference by Danang : [http://www.bekatul.info/node/24 Building Powerful Central Authentication]
 +
  
 
===Things that can use Kerberos / LDAP to authenticate===
 
===Things that can use Kerberos / LDAP to authenticate===
Line 15: Line 20:
 
* Samba -- be able authenticate windows clients -- perhaps using pgina.
 
* Samba -- be able authenticate windows clients -- perhaps using pgina.
 
* Mac OS/X clients?
 
* Mac OS/X clients?
 +
 +
===First setup DNS===
 +
 +
Kerberos and to a lesser extent LDAP need to have proper DNS names.  If you are using an internal network (192.168.x.y), you will need to setup a DNS for your network.
 +
 +
The topic of DNS is very large.  I'm not going to cover it here.  I should point you to some external document. 
 +
 +
I've found that on RHEL5/CentOS5 you can use '''system-config-bind'''.  The help is good.  I just imported the /etc/hosts file as suggested.  This worked very well!
 +
 +
Also, one can use DNS service records to automatically find both the kerberos KDC and the ldap server.
 +
 +
===Setting up Kerberos===
 +
 +
yum -y install krb5-server
 +
 +
edit /etc/krb5.conf
 +
edit /var/kerberos/krb5kdc/kdc.conf
 +
 +
/usr/kerberos/sbin/kdb5_util create -s  (can redirect input)
 +
 +
edit /var/kerberso/krb5kdc/kadm5.acl make it look like
 +
 +
*/admin@ECE.VT.EDU    *

Latest revision as of 15:22, 9 April 2009

This will be a scratch space for the beginning of new Kerberos & LDAP page. Initially, this will be a bunch of random notes, hopefully coalesced into a document.

Contents

[edit] Reference Documents

The main reference by Danang : Building Powerful Central Authentication


[edit] Things that can use Kerberos / LDAP to authenticate

These are the things that we would like to use our K&L auth:

  • NFS4 authentication/security
  • automount / autofs
  • sudo
  • ssh / kerberos key forwarding / ldap shared keys?
  • Apache web page security
  • Netgroups -- limiting logins to specific machines
  • AFS -- andrew file system
  • Email
  • radius / 802.1x for wired and wireless networks
  • Samba -- be able authenticate windows clients -- perhaps using pgina.
  • Mac OS/X clients?

[edit] First setup DNS

Kerberos and to a lesser extent LDAP need to have proper DNS names. If you are using an internal network (192.168.x.y), you will need to setup a DNS for your network.

The topic of DNS is very large. I'm not going to cover it here. I should point you to some external document.

I've found that on RHEL5/CentOS5 you can use system-config-bind. The help is good. I just imported the /etc/hosts file as suggested. This worked very well!

Also, one can use DNS service records to automatically find both the kerberos KDC and the ldap server.

[edit] Setting up Kerberos

yum -y install krb5-server

edit /etc/krb5.conf edit /var/kerberos/krb5kdc/kdc.conf

/usr/kerberos/sbin/kdb5_util create -s (can redirect input)

edit /var/kerberso/krb5kdc/kadm5.acl make it look like

*/admin@ECE.VT.EDU    *
Views
Personal tools
Support