Notes on Kerberos / LDAP authentication
From CVL Wiki
(2 intermediate revisions by one user not shown) | |||
Line 25: | Line 25: | ||
Kerberos and to a lesser extent LDAP need to have proper DNS names. If you are using an internal network (192.168.x.y), you will need to setup a DNS for your network. | Kerberos and to a lesser extent LDAP need to have proper DNS names. If you are using an internal network (192.168.x.y), you will need to setup a DNS for your network. | ||
− | + | The topic of DNS is very large. I'm not going to cover it here. I should point you to some external document. | |
+ | |||
+ | I've found that on RHEL5/CentOS5 you can use '''system-config-bind'''. The help is good. I just imported the /etc/hosts file as suggested. This worked very well! | ||
Also, one can use DNS service records to automatically find both the kerberos KDC and the ldap server. | Also, one can use DNS service records to automatically find both the kerberos KDC and the ldap server. | ||
− | |||
− | |||
− | |||
===Setting up Kerberos=== | ===Setting up Kerberos=== | ||
Line 39: | Line 38: | ||
edit /var/kerberos/krb5kdc/kdc.conf | edit /var/kerberos/krb5kdc/kdc.conf | ||
− | /usr/kerberos/sbin/kdb5_util create -s | + | /usr/kerberos/sbin/kdb5_util create -s (can redirect input) |
+ | |||
+ | edit /var/kerberso/krb5kdc/kadm5.acl make it look like | ||
+ | |||
+ | */admin@ECE.VT.EDU * |
Latest revision as of 15:22, 9 April 2009
This will be a scratch space for the beginning of new Kerberos & LDAP page. Initially, this will be a bunch of random notes, hopefully coalesced into a document.
Contents |
[edit] Reference Documents
The main reference by Danang : Building Powerful Central Authentication
[edit] Things that can use Kerberos / LDAP to authenticate
These are the things that we would like to use our K&L auth:
- NFS4 authentication/security
- automount / autofs
- sudo
- ssh / kerberos key forwarding / ldap shared keys?
- Apache web page security
- Netgroups -- limiting logins to specific machines
- AFS -- andrew file system
- radius / 802.1x for wired and wireless networks
- Samba -- be able authenticate windows clients -- perhaps using pgina.
- Mac OS/X clients?
[edit] First setup DNS
Kerberos and to a lesser extent LDAP need to have proper DNS names. If you are using an internal network (192.168.x.y), you will need to setup a DNS for your network.
The topic of DNS is very large. I'm not going to cover it here. I should point you to some external document.
I've found that on RHEL5/CentOS5 you can use system-config-bind. The help is good. I just imported the /etc/hosts file as suggested. This worked very well!
Also, one can use DNS service records to automatically find both the kerberos KDC and the ldap server.
[edit] Setting up Kerberos
yum -y install krb5-server
edit /etc/krb5.conf edit /var/kerberos/krb5kdc/kdc.conf
/usr/kerberos/sbin/kdb5_util create -s (can redirect input)
edit /var/kerberso/krb5kdc/kadm5.acl make it look like
*/admin@ECE.VT.EDU *