Kerberos and LDAP
Jason Heiss
February 2002
Why is everybody still using NIS?
• NIS is easy to setup
• Easy to administer
• Scales fairly well
• Widely supported (clients and servers)
Goals
• Replace NIS with something secure
  – Weakly crypted passwords (and everything else) sent over the network in the clear
  – Difficult to firewall
  – No system authentication
• Provide additional directory services
  – Replace/supplement paper staff directory
Other Options
• Copy local passwd file
  – Error-prone
  – Requires root-level trust between clients and server
• NIS+
  – Complicated
  – Limited client support
  – Dead
LDAP
• LDAP is a directory access protocol
• Up to the implementation to use whatever backend it wants
• LDAP can be used to store any form of information, but designed for directories
  – Small bits of data
  – Mostly read access
Goals Revisited
• Security
  – Clients authenticate server
  – Encrypt data in transit
  – Simplify firewalling
• Administration
  – Easy to configure
  – Easy to maintain
• Scalability
• Widespread client support
LDAP Security
• Authentication
  – LDAP clients authenticate server by ensuring server has an SSL certificate signed by a CA they trust
• Encryption
  – SSL
• Access control
  – ACLs based on Kerberos principal user authenticates with
  – Useful for non-NIS data like home phone number
Scalability and Client Support
• Scalability
  – Similar model to NIS for simple situations
    • Master and replicas
  – Hierarchical relationships possible in larger environments
• Client support
  – nss_ldap module for any OS which supports Name Service Switch (Solaris or GNU)
  – BIND IRS (NSS work-alike from BIND 8)
Why not LDAP?
• Administration
  – Initial configuration complicated
    • SSL certificate management
    • Schemas
    • Kerberos
  – Ongoing management complicated
    • NIS+-itis
  – No vi; add/change/delete via command line utilities
  – Command line utilities take bewildering array of options
Why Kerberos
• LDAP is designed for public information
  – ACLs can protect userPassword, but…
• Kerberos supports password security
  – Dictionary checks of new passwords
  – Password expiration
• Kerberos useful for other services
  – Windows authentication
  – NFS authentication and encryption
  – AFS
Kerberos Client Support
• System logins
  – pam_krb5 for any OS/application which supports PAM (Pluggable Authentication Modules)
    • Many common applications require a recompile to enable PAM (OpenSSH, sudo, xlockmore)
  – Replacement binaries for /bin/login, etc.
• Many applications with native Kerberos support
  – Quite a few only support Kerberos IV, which requires enabling Kerberos IV support on server
Summary of Pros and Cons
• Vastly improved security
• Complicated configuration and management
• Do you have time to invest in initial setup?
  – Can you afford not to?
• Friendly tools can ease ongoing administration
Kerberos Basics
Kerberos
• Stores username/password pairs
  – Usernames are called principals
  – Kerberos database equivalent to /etc/shadow
• Passwords, encrypted or not, are almost never sent across the network
• Server encrypts keys with user’s password, other folks can’t decrypt/use them without the password
Kerberos
• When user authenticates, they are given a “ticket”
  – Tickets are generally good for 8 hours
  – Useful for things like authenticated NFS, IMAP, etc.
• Kerberos performs authentication, not authorization
  – Kerberos tells you if user claiming to be X really is or not
  – It is up to the client to decide if user X is allowed to do something
Terms
• Principal
  – name/instance@realm
  – Examples
    • [email protected]
    • jheiss/admin
    • host/foobar.example.com
    • ldap/ldap1.example.com
• Realm
  – Typically domain name in all caps
Example Kerberos Transaction
(Slide diagram; the message flow it shows is listed below. The Kerberos Server holds both the user password and the service password, the User holds only the user password, and the Service holds only the service password.)
1. User -> Kerberos Server: “Username”
2. Kerberos Server -> User: TGT, encrypted with user’s password
3. User -> Kerberos Server: TGT, “Service”
4. Kerberos Server -> User: Service ticket, encrypted with service password
5. User -> Service: Service request and service ticket
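The exchange above as an added Python simulation (not part of the original talk): it follows the slide's simplified picture, with the TGT sealed under the user's key and the service ticket sealed under the service's key, using a toy cipher and constructed principals, and shows why the password itself never crosses the wire and why a wrong password cannot open the TGT.

```python
import hashlib, hmac, json, os, time

# Toy authenticated cipher constructed for this example (not a Kerberos enctype):
# SHA-256 keystream XOR plus an HMAC tag, so a wrong key or an altered ticket fails.
def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = range((n + 31) // 32)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)

def seal(key: bytes, obj: dict) -> bytes:
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Kerberos server: holds every principal's key (the slide's /etc/shadow equivalent)."""
    def __init__(self, principals: dict, lifetime: int = 8 * 3600):
        self.keys = {p: derive_key(pw) for p, pw in principals.items()}
        self.lifetime = lifetime  # tickets "generally good for 8 hours"

    def as_exchange(self, principal: str) -> bytes:
        # Client sends only its name; the reply is a TGT sealed under the user's key,
        # useless to anyone who does not know the password.
        tgt = {"principal": principal, "expires": time.time() + self.lifetime}
        return seal(self.keys[principal], tgt)

    def tgs_exchange(self, principal: str, tgt_blob: bytes, service: str) -> bytes:
        # Client presents the TGT and names a service. The KDC opens the TGT with its
        # own copy of the user's key and issues a ticket sealed under the service key.
        tgt = unseal(self.keys[principal], tgt_blob)
        if tgt["principal"] != principal or tgt["expires"] < time.time():
            raise ValueError("TGT invalid or expired")
        ticket = {"principal": principal, "service": service, "expires": tgt["expires"]}
        return seal(self.keys[service], ticket)

def client_login(kdc: KDC, principal: str, password: str):
    """kinit equivalent: returns the TGT, or None if the password cannot open it."""
    tgt_blob = kdc.as_exchange(principal)  # the password itself never leaves the client
    try:
        unseal(derive_key(password), tgt_blob)
    except ValueError:
        return None
    return tgt_blob

def service_accept(keytab_password: str, service: str, ticket_blob: bytes) -> str:
    """Service side: verify the ticket with the key from its keytab, no KDC round trip."""
    ticket = unseal(derive_key(keytab_password), ticket_blob)
    if ticket["service"] != service or ticket["expires"] < time.time():
        raise ValueError("ticket not for this service or expired")
    return ticket["principal"]  # authentication only; authorization is the service's job
```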
LDAP Basics
Schemas
• LDAP uses schemas to define what attributes an object can and must have
  – posixAccount object class corresponds to an entry in a passwd file
  – posixGroup corresponds to a group
• The same object can implement multiple object classes
  – uid=jheiss,ou=people,dc=example,dc=com might be a posixAccount, inetOrgPerson and pilotPerson
Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1
    NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
Distinguished Names
• Each object in the LDAP directory has a DN
  – uid=jheiss,ou=people,dc=example,dc=com
  – cn=users,ou=group,dc=example,dc=com
LDIF Example: User
dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
commonName: Jason Heiss
mail: [email protected]
[attribute name lost in extraction]: 111-222-3333
givenName: Jason
surname: Heiss
uid: jheiss
userPassword: {KERBEROS}[email protected]
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss
LDIF Example: Group
dn: cn=users,ou=group,dc=example,dc=com
cn: users
objectClass: posixGroup
userPassword: {crypt}*
gidNumber: 100
memberUid: jheiss
memberUid: bob
Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• SASL – Simple Authentication and Security Layer
• GSSAPI – Generic Security Services Application Programming Interface
• PAM – Pluggable Authentication Module
• NSS – Name Service Switch
Kerberos Implementation
Software
• Servers
  – Kerberos
    • MIT (Recommended)
    • Heimdal
    • SEAM
• Clients
  – pam_krb5
    • Included with Red Hat, FreeBSD, Solaris, possibly others
    • Open Source versions available from Red Hat (recommended), Linux PAM project
  – See references
Kerberos Servers
• Edit /etc/krb5.conf
  – Realm, servers
  – Generally identical on all Kerberized systems in realm
• Edit /var/kerberos/krb5kdc/kdc.conf
  – Realm
  – Needed on KDCs only
• /usr/kerberos/sbin/kdb5_util create -s
• Edit /var/kerberos/krb5kdc/kadm5.acl
    */admin@REALM *
Kerberos Servers, cont.
• Configure init to start daemons
  – kadmin (master KDC only)
  – krb5kdc (all KDCs)
• /usr/kerberos/sbin/kadmin.local -q "addprinc jheiss/admin"
• Add additional principals as needed with kadmin
• Logs
  – /var/log/krb5kdc.log
  – /var/log/kadmind.log
Kerberos Replication
• Create host principals for slave KDCs
  – addprinc -randkey host/hostname
• Edit /var/kerberos/krb5kdc/kpropd.conf on slave KDCs
  – Add entry for every KDC host principal
• Configure init to start kpropd -S on slave KDCs
• Add cronjob on master KDC to dump database and run kprop regularly
  – See references for link to example script
Kerberos Packet Filtering
• 88/udp
  – Clients <-> KDCs
  – Regular authentication traffic
• 749/tcp
  – Clients -> master KDC
  – Password changes, add/change/delete principals
• 754/tcp
  – Master KDC -> Slave KDCs
  – Database replication
Kerberos Client
• Copy /etc/krb5.conf from server
  – /etc/krb5/krb5.conf on Solaris using SEAM
PAM on Kerberos Clients
• Red Hat
  – Copy files as needed from /usr/share/doc/pam_krb5*/pam.d to /etc/pam.d
  – gdm, login, passwd, sshd, su, sudo, xdm, xlock
• Solaris
  – SEAM
  – See references for example pam.conf
Host Principal for PAM
• Some references say that without it, PAM can’t verify the Kerberos server
• Support
  – Red Hat’s pam_krb5 supports it
    • keytab and required_tgs config options
    • No evidence that RH does anything different when configured to use it
  – No evidence that SEAM supports it
Testing
• As user:
  – kinit
  – klist
• Test admin functionality
  – kadmin
    • addprinc
    • delprinc
Kerberos Management
• kadmin
  – addprinc
  – delprinc
  – listprincs
  – ktadd
  – ktremove
• ktutil
  – rkt
  – list
  – quit
• Easy to integrate into existing user management tool
  – See references for details
User Password Management
• Custom centralized password program
  – Least confusing if you have more than one password database (NIS, Windows, Samba, etc.)
  – See references for more information on integrating Kerberos into one of these
• PAM
  – PAM configured to change password in Kerberos
• Non-PAM
  – Users need to use kpasswd
LDAP Implementation
Software
• Servers
  – Kerberos
  – OpenSSL
  – SASL (1.x until OpenLDAP 2.1.x is available)
  – OpenLDAP
• Clients
  – All of the above plus nss_ldap and pam_krb5
LDAP Servers, Prep Work
• Create user and group (ldap/ldap)
• Make/buy signed SSL certificate
  – CN in SSL certificate should be canonical name of server as reported by reverse DNS
    • I.e. moonshine.example.com
  – If possible, list user-friendly name in x509v3 Subject Alternative Name field
    • Within usr_cert section of openssl.cnf:
      – subjectAltName=DNS:ldap1.example.com
    • OpenSSL doesn’t have support for prompting for this field, so you’ll have to edit openssl.cnf for each cert you generate
  – chmod 640 slapd-key.pem; chgrp ldap slapd-key.pem
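An added check (not from the slides) of what a client's tls_checkpeer test asks of the certificate described above, and of the "Checking hostname from CN field of SSL cert failed" error seen later under Troubleshooting. LDAP1_CERT is a constructed dict in the shape Python's ssl.getpeercert() returns, for a cert whose CN is moonshine.example.com and whose subjectAltName is DNS:ldap1.example.com.

```python
# Constructed certificate in the dict shape ssl.getpeercert() returns: CN is the
# server's canonical (reverse-DNS) name, SAN carries the user-friendly name.
LDAP1_CERT = {
    "subject": ((("commonName", "moonshine.example.com"),),),
    "subjectAltName": (("DNS", "ldap1.example.com"),),
}

def cert_names(cert: dict) -> list:
    """Names a client may match: every SAN DNS entry first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for attr, value in rdn if attr == "commonName"]
    return names

def _match(pattern: str, host: str) -> bool:
    # Case-insensitive exact match; a leading "*." matches exactly one label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_peer(cert: dict, connected_host: str) -> bool:
    """The tls_checkpeer test: the name the client connected to must be in the cert."""
    return any(_match(name, connected_host) for name in cert_names(cert))

def diagnose(cert: dict, connected_host: str) -> str:
    """Explain a failed peer check in the terms of the Troubleshooting slide's message."""
    if check_peer(cert, connected_host):
        return "ok"
    return (f"Checking hostname from CN field of SSL cert failed: connected to "
            f"{connected_host}, certificate names are {cert_names(cert)}; "
            f"reissue with subjectAltName=DNS:{connected_host} or use a listed name")
```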
LDAP Servers, Prep Work
• Create service principal
  – kadmin -q "addprinc ldap/hostname"
  – kadmin -q "ktadd -k /etc/openldap/ldap.keytab ldap/hostname"
  – chmod 640 ldap.keytab; chgrp ldap ldap.keytab
LDAP Server Configuration
• Edit /etc/openldap/slapd.conf
  – ACLs
  – SSL cert
  – suffix
  – rootdn and rootpw
• Configure init to start slapd
  – KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" /usr/sbin/slapd -u ldap -g ldap -h "ldap:/// ldaps:///"
SSL and TLS
• SSL/TLS is a generic method of encrypting application-layer network traffic using x.509 certs for authentication
• “Netscape” way of connecting
  – Application connects to alternate port for SSL communication
    • I.e. HTTPS
• IETF-approved way of connecting
  – Application connects to standard port, requests SSL
  – Commonly called “StartTLS”
Additional LDAP Server Config
• Packet Filtering
  – LDAP, LDAP w/ TLS
    • 389/tcp
  – LDAPS
    • 636/tcp
LDAP Replication
• slurpd watches for changes, pushes to replicas
• Acts as LDAP client, and thus needs Kerberos ticket, not keytab– Need cronjob to keep ticket current
• Replicas must have ACLs which allow modification by whatever principal slurpd is configured to use
LDIF Example
dn: dc=example,dc=com
objectclass: organization
o: Example, Inc.

dn: ou=people,dc=example,dc=com
objectclass: organizationalUnit
ou: People

dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: posixAccount
commonName: Jason Heiss
surname: Heiss
uid: jheiss
userPassword: {KERBEROS}[email protected]
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss
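An added example (not from the slides) that parses the posixAccount definition from the Schema Examples slide and checks LDIF entries like the user entries above for missing MUST attributes, password hashes kept in the directory instead of {KERBEROS} references, and duplicate uidNumbers. The LDIF it reads is a constructed sample modelled on the slide's entries.

```python
import re
from collections import Counter

POSIXACCOUNT_DEF = ("( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction "
                    "of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber "
                    "$ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )")

# Constructed LDIF: the slide's user entry plus a second, deliberately flawed one.
SAMPLE_LDIF = """\
dn: uid=jheiss,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: Jason Heiss
uid: jheiss
userPassword: {KERBEROS}jheiss@EXAMPLE.COM
uidNumber: 500
gidNumber: 100
homeDirectory: /home/jheiss

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: Bob
uid: bob
userPassword: {crypt}CONSTRUCTED-HASH
uidNumber: 500
gidNumber: 100
"""

def parse_objectclass(defn: str):
    """Return (MUST, MAY) attribute lists from an objectclass definition."""
    def attrs(keyword):
        m = re.search(keyword + r"\s*\(([^)]*)\)", defn)
        return [a.strip() for a in m.group(1).split("$")] if m else []
    return attrs("MUST"), attrs("MAY")

def parse_ldif(text: str):
    """Minimal LDIF reader: blank-line separated entries, one attr: value per line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_posix_accounts(text: str, defn: str = POSIXACCOUNT_DEF):
    """Problems an nss_ldap client would hit or that undercut the Kerberos design."""
    must, _may = parse_objectclass(defn)
    problems, uid_numbers = [], Counter()
    for entry in parse_ldif(text):
        if "posixaccount" not in [v.lower() for v in entry.get("objectclass", [])]:
            continue
        dn = entry["dn"][0]
        for attr in must:
            if attr.lower() not in entry:
                problems.append(f"{dn}: missing MUST attribute {attr}")
        for pw in entry.get("userpassword", []):
            if not pw.upper().startswith("{KERBEROS}"):
                problems.append(f"{dn}: password hash stored in LDAP, not a {{KERBEROS}} reference")
        uid_numbers.update(entry.get("uidnumber", []))
    for number, count in uid_numbers.items():
        if count > 1:
            problems.append(f"uidNumber {number} shared by {count} accounts")
    return problems
```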
Initial Database Population
• ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f initial.ldif
• Remove rootdn and rootpw from slapd.conf and restart
• All future edits should be authorized via ACLs in slapd.conf
Testing Server
• Test in stages
  – kinit
  – ldapsearch -H ldap://hostname/ -x
  – ldapsearch -H ldaps://hostname/ -x
  – ldapsearch -H ldap://hostname/ -ZZ -x
  – ldapsearch -H ldap://hostname/
  – ldapsearch -H ldaps://hostname/
  – ldapsearch -H ldap://hostname/ -ZZ
LDAP Clients
• Install nss_ldap
• Edit /etc/ldap.conf
    host ldap1.example.com ldap2.example.com
    base dc=example,dc=com
    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /etc/ssl/ca-cert.pem
• Edit /etc/openldap/ldap.conf
    URI ldaps://ldap1.example.com/ ldaps://ldap2.example.com/
    BASE dc=example,dc=com
Testing Client
• ldapsearch
  – Makes sure /etc/openldap/ldap.conf is set up properly and that connection to server is good
• id username
• getent passwd username
• If things don’t work
  – Try turning off checkpeer in /etc/ldap.conf
  – Try setting ssl to no in /etc/ldap.conf
  – Try turning off nscd
Troubleshooting
• Sample error messages
  – ldap_sasl_interactive_bind_s: Local error
    • ldap/hostname service principal not set up
    • User doesn’t have ticket or ticket has expired
  – ldap_sasl_interactive_bind_s: Can't contact LDAP server
    • Checking hostname from CN field of SSL cert failed
• See my web page in references for more
Controlling Access
• Linux
  – Add to /etc/pam.d/whatever
      account required /lib/security/pam_access.so
  – Edit /etc/security/access.conf
    • See /usr/share/doc/pam-*/txts/README.pam_access for syntax
• Solaris
  – Add entries to /etc/project after removing default entries (except user.root)
      user.username:uid::::
LDAP Management
• OpenLDAP tools
  – ldapadd, ldapmodify, ldapdelete
  – Not very user friendly
• Jason’s tools
  – ldapcat, ldapedit, ldapposixadd
  – Useful for folks used to NIS
• Integration into centralized tools
  – Perl and Net::LDAP
    • Sample code on web page
Support
• Kerberos
  – comp.protocols.kerberos
• OpenLDAP
  – echo subscribe | mail openldap-software-
• nss_ldap
  – echo subscribe | mail nssldap-
References
• http://ofb.net/~jheiss/krbldap/
  – Kerberos replication script
  – Sample SEAM pam.conf
  – Examples of integrating Kerberos management into existing tools
  – Sample slapd.conf
  – Sample nss_ldap and OpenLDAP ldap.conf’s
  – Sample LDIF
  – List of OpenLDAP error messages
  – LDAP tools and sample Net::LDAP code
References
• Friendly Kerberos introduction: http://web.mit.edu/kerberos/www/dialogue.html
References
• Kerberos
  – MIT: http://web.mit.edu/kerberos/www/
  – Heimdal: http://www.pdc.kth.se/heimdal/
  – SEAM: http://www.sun.com/software/solaris/ds/ds-seam/
    • Encryption modules necessary for Kerberized NFS: http://www.sun.com/software/solaris/encryption/download.html
    • Full SEAM package: http://www.sun.com/bigadmin/content/adminPack/
References
• pam_krb5
  – Red Hat
    • /usr/share/doc/pam_krb5-*/README on a Red Hat box
  – Linux PAM Project: http://www.advogato.org/proj/pam_krb5/
• SASL: http://asg.web.cmu.edu/sasl/sasl-library.html
• LDAP
  – OpenLDAP: http://www.openldap.org/