Notes on Kerberos / LDAP authentication

From CVL Wiki


Latest revision as of 15:22, 9 April 2009

This will be a scratch space for the beginning of a new Kerberos & LDAP page. Initially it will be a bunch of random notes that will hopefully coalesce into a document.


Reference Documents

The main reference, by Danang: Building Powerful Central Authentication


Things that can use Kerberos / LDAP to authenticate

These are the things we would like to use our Kerberos/LDAP authentication for:

  • NFS4 authentication/security
  • automount / autofs
  • sudo
  • ssh / Kerberos key forwarding / LDAP shared keys?
  • Apache web page security
  • Netgroups -- limiting logins to specific machines
  • AFS -- Andrew File System
  • Email
  • RADIUS / 802.1X for wired and wireless networks
  • Samba -- be able to authenticate Windows clients, perhaps using pGina
  • Mac OS X clients?

First setup DNS

Kerberos, and to a lesser extent LDAP, needs proper DNS names. If you are using an internal network (192.168.x.y), you will need to set up a DNS server for your network.

The topic of DNS is very large. I'm not going to cover it here. I should point you to some external document.

I've found that on RHEL5/CentOS5 you can use system-config-bind. The help is good. I just imported the /etc/hosts file as suggested. This worked very well!

Also, one can use DNS service (SRV) records so that clients automatically find both the Kerberos KDC and the LDAP server.
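As an added example (not from the CVL wiki page), the following shell script shows which SRV names a Kerberos or LDAP client queries, what the corresponding zone records look like, and how a client chooses among several answers. The zone name ece.vt.edu and all host names are assumptions derived from the realm ECE.VT.EDU used later on this page; the dig output is constructed inline.

```shell
#!/bin/sh
# Added example, not from the CVL wiki page: how a Kerberos or LDAP client
# finds its servers from DNS SRV records, and which records the zone needs.
# The zone name ece.vt.edu and the host names are assumptions derived from
# the realm ECE.VT.EDU used on the page.

# srv_name: the SRV owner name a client queries for a service in a realm or
# domain. MIT Kerberos (dns_lookup_kdc = true) looks these up under the
# realm name; DNS is case-insensitive, so ECE.VT.EDU and ece.vt.edu match.
srv_name() {
    case "$1" in
        kdc)     printf '_kerberos._udp.%s\n' "$2" ;;
        kadmin)  printf '_kerberos-adm._tcp.%s\n' "$2" ;;
        kpasswd) printf '_kpasswd._udp.%s\n' "$2" ;;
        ldap)    printf '_ldap._tcp.%s\n' "$2" ;;
        *)       return 1 ;;
    esac
}

# zone_srv_records: BIND zone lines publishing one KDC and one LDAP server
# for DOMAIN. Record data is: priority weight port target.
zone_srv_records() {
    domain=$1; kdc=$2; ldap=$3
    cat <<EOF
_kerberos._udp.$domain.      IN SRV 10 50 88  $kdc.
_kerberos._tcp.$domain.      IN SRV 10 50 88  $kdc.
_kerberos-adm._tcp.$domain.  IN SRV 10 50 749 $kdc.
_kpasswd._udp.$domain.       IN SRV 10 50 464 $kdc.
_ldap._tcp.$domain.          IN SRV 10 50 389 $ldap.
EOF
}

# Constructed sample of what `dig +short SRV _kerberos._udp.ece.vt.edu`
# could return once several KDCs are published: "priority weight port target".
KDC_SRV_ANSWER='20 0 88 kdc-backup.ece.vt.edu.
10 30 88 kdc2.ece.vt.edu.
10 50 88 kdc1.ece.vt.edu.'

# pick_srv: choose one target from SRV answer lines following RFC 2782:
# lowest priority first, then the highest weight within that priority.
# (Real resolvers pick randomly in proportion to weight; this picks the
# heaviest deterministically.) Prints "host:port".
pick_srv() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr | head -n 1 \
        | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Usage on a real network:
#   pick_srv "$(dig +short SRV "$(srv_name kdc ece.vt.edu)")"
# With the constructed answer above, pick_srv "$KDC_SRV_ANSWER" prints
# kdc1.ece.vt.edu:88 (priority 10 beats 20, weight 50 beats 30).
```

The client side of this is `dns_lookup_kdc = true` in /etc/krb5.conf; the backup KDC at priority 20 is only used when both priority-10 hosts are unreachable.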

Setting up Kerberos

yum -y install krb5-server

edit /etc/krb5.conf
edit /var/kerberos/krb5kdc/kdc.conf

/usr/kerberos/sbin/kdb5_util create -s (can redirect input)

edit /var/kerberos/krb5kdc/kadm5.acl and make it look like

*/admin@ECE.VT.EDU    *
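The steps above say to edit three files without showing their contents. As an added example (not the wiki page's own configuration), this script renders a minimal version of each for the page's realm ECE.VT.EDU, and includes a small check of what the page's kadm5.acl line actually grants. The KDC host name kdc.ece.vt.edu, the DNS domain ece.vt.edu and the `enroll` principal are assumptions; the file paths are the RHEL5/CentOS5 ones the page uses.

```shell
#!/bin/sh
# Added example, not from the CVL wiki page: minimal contents for the three
# files the steps above say to edit, rendered for the page's realm ECE.VT.EDU.
# The KDC host name kdc.ece.vt.edu, the DNS domain ece.vt.edu and the
# "enroll" principal are assumptions; the paths are the page's (RHEL5/CentOS5).
set -u

REALM=ECE.VT.EDU
DOMAIN=ece.vt.edu
KDC_HOST=kdc.ece.vt.edu

# /etc/krb5.conf: read by every client and by the KDC host itself.
# dns_lookup_kdc lets clients find the KDC via SRV records as well.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    $REALM = {
        kdc = $KDC_HOST:88
        admin_server = $KDC_HOST:749
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# /var/kerberos/krb5kdc/kdc.conf: KDC-side settings. Limiting
# supported_enctypes to AES keeps weak DES/RC4 keys out of the database.
render_kdc_conf() {
    cat <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $REALM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        max_life = 24h
        max_renewable_life = 7d
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF
}

# /var/kerberos/krb5kdc/kadm5.acl: who may do what through kadmind.
# Format: principal  permissions  [target-principal]. The first line is the
# page's own entry: every */admin principal gets all permissions (*).
# The second line is an illustrative narrower entry (assumed name): a
# principal allowed only to add (a), change keys for (c) and inquire about
# (i) host/ service principals, which is enough for a host-enrolment script.
render_kadm5_acl() {
    cat <<EOF
*/admin@$REALM    *
enroll@$REALM     aci    host/*@$REALM
EOF
}

# acl_grants_all: succeeds if ACL_TEXT gives principal pattern PAT every
# permission with no target restriction, i.e. an entry "PAT *" or "PAT x".
acl_grants_all() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $1 == pat && ($2 == "*" || $2 == "x") && NF == 2 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Writing the files on the KDC host (as root), before kdb5_util create -s:
#   render_krb5_conf > /etc/krb5.conf
#   render_kdc_conf  > /var/kerberos/krb5kdc/kdc.conf
#   render_kadm5_acl > /var/kerberos/krb5kdc/kadm5.acl
```

Because the page's ACL line matches any principal whose instance is `admin`, every `someone/admin` principal created later is a full Kerberos administrator; adding per-task entries like the second line keeps service accounts from needing an `/admin` instance at all.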