Differences between revisions 2 and 3
Revision 2 as of 2009-02-23 17:24:16
Size: 627
Editor: StevePomeroy
Comment:
Revision 3 as of 2009-02-23 17:49:00
Size: 1995
Editor: StevePomeroy
Comment:
LDAP + Kerberos

LDAP and Kerberos together make for a great combination. Kerberos manages credentials securely (authentication), while LDAP holds the criteria about the accounts, such as what they are allowed to access (authorization) and other account metadata. Most other LDAP setups store passwords in the LDAP directory itself, in the userPassword attribute. That is fine for a basic setup, but one can do much better with just a little effort.

Overview

this is a work in progress

This guide is intended as a Debian-focused update to excellent guides such as http://aput.net/~jheiss/krbldap/howto.html . Many of the problems that guide works around have been fixed in recent releases of Debian; however, there are still a few places where one can easily get snagged.

The goal of this document is to create a Single Sign-On (SSO) system without using NIS. This includes a client setup which can successfully use Kerberos for authentication and LDAP for authorization. A number of common clients are shown, such as a standard shell login and Apache2 integration.

Kerberos server

There are plenty of guides for setting up a Kerberos server on Debian. Once you have a KDC set up with a test principal, come back to this document.

Kerberos client

Install the following packages:

  • libpam-krb5 krb5-config krb5-clients krb5-user

The Kerberos client setup is straightforward using the krb5-config package's configuration. For libpam-krb5, you will have to modify your /etc/pam.d/common-* files according to /usr/share/doc/libpam-krb5/README.Debian.

If you're having trouble, check the following:

  • ensure krb5.conf is set properly. Things to check for:

    • ensure your DNS domain is mapped to your realm in the domain_realm section (the last section in the file on Debian); GSSAPI, and so the LDAP client's SASL/GSSAPI bind, relies on this mapping to work out the realm of the server it talks to

    • default_realm in the libdefaults section is set to your realm

    • ensure your realm is defined in the realms section
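A quick way to run the three checks above against a krb5.conf before touching PAM. This is an added example, not code from the original wiki page: it parses the INI-style file with awk and reports which of the three items is missing. The realm EXAMPLE.COM, the domain example.com and the host kdc.example.com are assumptions used only in the constructed sample config; on a real client, point it at /etc/krb5.conf with your own realm and domain.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a sanity check for the
# three krb5.conf items named in the troubleshooting list (default_realm,
# a [realms] stanza for the realm, and a [domain_realm] mapping for the
# host's DNS domain). EXAMPLE.COM / example.com / kdc.example.com are
# assumptions that appear only in the constructed sample below.

# krb5_section FILE SECTION: print the non-comment, non-blank lines of one
# [section] of an INI-style krb5.conf.
krb5_section() {
    awk -v want="[$2]" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { insec = ($1 == want); next } # section header
        insec && NF   { print }
    ' "$1"
}

# check_krb5_conf FILE REALM DOMAIN: return 0 when all three checks pass,
# 1 otherwise, reporting each failure on stderr.
check_krb5_conf() {
    conf=$1 realm=$2 domain=$3 rc=0

    # 1. default_realm must name the realm we expect.
    got=$(krb5_section "$conf" libdefaults |
        awk -F= '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
                 $1 == "default_realm" { print $2; exit }')
    if [ "$got" != "$realm" ]; then
        echo "default_realm is '${got:-unset}', expected '$realm'" >&2
        rc=1
    fi

    # 2. The realm needs a "REALM = { ... }" stanza in [realms]; without one
    #    kinit cannot locate a KDC unless DNS SRV records supply it.
    if ! krb5_section "$conf" realms |
         awk -F= -v r="$realm" '{ gsub(/[ \t]/, "", $1) }
                                $1 == r { found = 1 } END { exit !found }'; then
        echo "realm $realm has no stanza in [realms]" >&2
        rc=1
    fi

    # 3. ".domain = REALM" in [domain_realm]: GSSAPI clients (for example an
    #    ldapsearch -Y GSSAPI bind) use this mapping to work out which realm
    #    the LDAP server's service principal lives in.
    mapped=$(krb5_section "$conf" domain_realm |
        awk -F= -v d=".$domain" '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
                                $1 == d { print $2; exit }')
    if [ "$mapped" != "$realm" ]; then
        echo ".$domain maps to '${mapped:-nothing}' in [domain_realm], expected '$realm'" >&2
        rc=1
    fi

    return $rc
}

# Constructed sample config in the layout krb5-config writes on Debian
# (realm, domain and KDC hostname are assumptions).
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF
}

# The same constructed sample with [domain_realm] left out: kinit still
# works, but a GSSAPI bind to an LDAP server in example.com will not find
# the realm, which is the snag the list above warns about.
write_broken_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
EOF
}

# Run the check against the constructed sample (swap in /etc/krb5.conf and
# your own realm/domain on a real client).
tmp=$(mktemp)
write_sample_krb5_conf "$tmp"
if check_krb5_conf "$tmp" EXAMPLE.COM example.com; then
    echo "krb5.conf looks sane for EXAMPLE.COM / example.com"
fi
rm -f "$tmp"
```

The check only covers what is written in the file; if your realm's KDC is published through DNS SRV records, an empty [realms] stanza is not fatal, but the [domain_realm] mapping is still needed for the GSSAPI LDAP bind to pick the right realm.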

LDAP Server

  1. PAM / NSS
  2. Apache